XP exploit on either Torrentz or TorrentSpy

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Matt 26z
    So Fucking Banned
    • Apr 2002
    • 18481

    #1

    XP exploit on either Torrentz or TorrentSpy

    First I went to TorrentSpy and then Torrentz.

    Upon loading torrentz.com my firewall immediately caught mshtml2.exe attempting to connect to the internet.

    The file was located in C:\Documents and Settings\Owner\Local Settings\Temp and it was just created, but I went immediately from TorrentSpy to Torrentz so I don't know which one put it there.


    Here is the IP info it was trying to connect to:

    Search results for: 63.251.135.24

    Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
    63.251.0.0 - 63.251.255.255
    ClickSpring LLC INAP-BSN-CLICKSPRING-0971 (NET-63-251-135-0-1)
    63.251.135.0 - 63.251.135.63


    I have XP all up to date, so I'm not sure how this got on there and ran on it's own.
  • Matt 26z
    So Fucking Banned
    • Apr 2002
    • 18481

    #2
    Looks like I posted too soon.

    "C:\Program Files\ISM" was also created by this and the following files tried to connect:

    ism.exe
    abacus.isprime.com

    ismmodule3.exe
    76.9.9.190

    76.9.9.190 also goes to
    OrgName: ISPrime, Inc.
    OrgID: IPRM
    Address: 25 Broadway
    Address: 6th Floor, Suite #2
    City: New York
    StateProv: NY
    PostalCode: 10004-1086
    Country: US

    Comment

    • Klen
      • Aug 2006
      • 32235

      #3
      No such things here,i double checked all system folders and cant found anything.Probaly beacuse nod32 kills such things.

      Comment

      • KimJI
        Confirmed User
        • May 2007
        • 1839

        #4
        mshtml2.exe is a ad-ware. You must have installed it at some point prior to this
        Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

        Comment

        • StuartD
          Sofa King Band
          • Jul 2002
          • 29903

          #5
          Either you downloaded those files or you're using IE and your security settings are seriously slacking!
          This is me on facebook
          This is me on twitter

          Comment

          • Matt 26z
            So Fucking Banned
            • Apr 2002
            • 18481

            #6
            Originally posted by KimJI
            mshtml2.exe is a ad-ware. You must have installed it at some point prior to this
            No, the file creation date is right then.

            This might be from a rogue advertiser in the rotation, so it's not going to happen on every single visit. I recall the same thing happening on MySpace some time ago. Millions were infected.

            Comment

            • headless ghost
              Confirmed User
              • May 2005
              • 893

              #7
              you are in some seriously deep shit
              go here
              http://www.google.com/search?hl=en&q...=Google+Search
              you may need to replace the hard drive or even the computer.
              don't forget to have your ISP reverse flush the lines to be sure you get rid of all of it.

              Comment

              • Matt 26z
                So Fucking Banned
                • Apr 2002
                • 18481

                #8
                Originally posted by StuartD
                or you're using IE and your security settings are seriously slacking!
                I don't even remember when the last time was that this happned to me, so if my settings are so unsecure you'd think this would be an often occurance.

                Everything is marked either prompt or disable except these....


                Run ActiveX controls and plug-ins: Enable

                Script ActiveX controls marked safe for scripting: Enable

                Active scripting: Enable

                Allow paste operations via script: Enable

                Scripting of Java applets: Enable


                Should I set the first one to prompt instead?

                Comment

                • StuartD
                  Sofa King Band
                  • Jul 2002
                  • 29903

                  #9
                  Originally posted by Matt 26z
                  I don't even remember when the last time was that this happned to me, so if my settings are so unsecure you'd think this would be an often occurance.

                  Everything is marked either prompt or disable except these....


                  Run ActiveX controls and plug-ins: Enable

                  Script ActiveX controls marked safe for scripting: Enable

                  Active scripting: Enable

                  Allow paste operations via script: Enable

                  Scripting of Java applets: Enable


                  Should I set the first one to prompt instead?
                  You should NEVER have "run activex controls" set to enable.... sites can just do as they please with your system the moment you hit them. They can essentially take full control!

                  Anything to do with active x should be by prompt only.
                  This is me on facebook
                  This is me on twitter

                  Comment

                  • KimJI
                    Confirmed User
                    • May 2007
                    • 1839

                    #10
                    Originally posted by Matt 26z


                    Should I set the first one to prompt instead?

                    always, same goes for
                    Scripting of Java applets: Enable
                    and
                    Active scripting: Enable

                    and make sure you PC is updated with the latest patches, including your IE
                    Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

                    Comment

                    • potter
                      Confirmed User
                      • Dec 2004
                      • 6559

                      #11
                      Originally posted by headless ghost
                      you are in some seriously deep shit
                      go here
                      http://www.google.com/search?hl=en&q...=Google+Search
                      you may need to replace the hard drive or even the computer.
                      don't forget to have your ISP reverse flush the lines to be sure you get rid of all of it.
                      ??? You don't know very much about computers do you? No software can ruin a hard drive or entire computer. Software cannot "infect" hardware.

                      Comment

                      • Matt 26z
                        So Fucking Banned
                        • Apr 2002
                        • 18481

                        #12
                        Now that I think about it, I had to switch at least one of those to enable to get an online virus sanner to work. I'm pretty sure it was Norton's, because I had never used that one before. It wasn't Kaspersky, Panda, BitDefender or TrendMicro. I had always used those without problems.

                        So it's ironic that a security company would say their online scan doesn't work with your current settings (I had it/them on prompt), then you make the changes to get the virus scanner to work and you get infected. That right there is evidence that the security companies WANT you to get infected so you'll buy their products.
                        Last edited by Matt 26z; 09-01-2007, 05:33 AM.

                        Comment

                        • KimJI
                          Confirmed User
                          • May 2007
                          • 1839

                          #13
                          Originally posted by potter
                          ??? You don't know very much about computers do you? No software can ruin a hard drive or entire computer. Software cannot "infect" hardware.

                          Welcome to 2004, the year "root kits" were discovered.
                          Trafficadept | Best traffic I have ever tested | web "@t" cuul.org

                          Comment

                          Working...