GoFuckYourself.com - Adult Webmaster Forum


Matt 26z 09-01-2007 05:03 AM

XP exploit on either Torrentz or TorrentSpy
 
First I went to TorrentSpy and then Torrentz.

Upon loading torrentz.com my firewall immediately caught mshtml2.exe attempting to connect to the internet.

The file was located in C:\Documents and Settings\Owner\Local Settings\Temp and it was just created, but I went immediately from TorrentSpy to Torrentz so I don't know which one put it there.


Here is the IP info it was trying to connect to:

Search results for: 63.251.135.24

Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
63.251.0.0 - 63.251.255.255
ClickSpring LLC INAP-BSN-CLICKSPRING-0971 (NET-63-251-135-0-1)
63.251.135.0 - 63.251.135.63


I have XP all up to date, so I'm not sure how this got on there and ran on its own.

Matt 26z 09-01-2007 05:33 AM

Looks like I posted too soon.

"C:\Program Files\ISM" was also created by this and the following files tried to connect:

ism.exe
abacus.isprime.com

ismmodule3.exe
76.9.9.190

76.9.9.190 also goes to
OrgName: ISPrime, Inc.
OrgID: IPRM
Address: 25 Broadway
Address: 6th Floor, Suite #2
City: New York
StateProv: NY
PostalCode: 10004-1086
Country: US

Klen 09-01-2007 05:43 AM

No such things here, I double checked all system folders and can't find anything. Probably because nod32 kills such things.

KimJI 09-01-2007 06:00 AM

mshtml2.exe is ad-ware. You must have installed it at some point prior to this.

StuartD 09-01-2007 06:03 AM

Either you downloaded those files or you're using IE and your security settings are seriously slacking!

Matt 26z 09-01-2007 06:10 AM

Quote:

Originally Posted by KimJI (Post 13018747)
mshtml2.exe is ad-ware. You must have installed it at some point prior to this.

No, the file creation date is right then.

This might be from a rogue advertiser in the rotation, so it's not going to happen on every single visit. I recall the same thing happening on MySpace some time ago. Millions were infected.

headless ghost 09-01-2007 06:13 AM

you are in some seriously deep shit
go here
http://www.google.com/search?hl=en&q...=Google+Search
you may need to replace the hard drive or even the computer.
don't forget to have your ISP reverse flush the lines to be sure you get rid of all of it.

Matt 26z 09-01-2007 06:20 AM

Quote:

Originally Posted by StuartD (Post 13018752)
or you're using IE and your security settings are seriously slacking!

I don't even remember when the last time was that this happened to me, so if my settings are so unsecure you'd think this would be an often occurrence.

Everything is marked either prompt or disable except these....


Run ActiveX controls and plug-ins: Enable

Script ActiveX controls marked safe for scripting: Enable

Active scripting: Enable

Allow paste operations via script: Enable

Scripting of Java applets: Enable


Should I set the first one to prompt instead?

StuartD 09-01-2007 06:23 AM

Quote:

Originally Posted by Matt 26z (Post 13018781)
I don't even remember when the last time was that this happened to me, so if my settings are so unsecure you'd think this would be an often occurrence.

Everything is marked either prompt or disable except these....


Run ActiveX controls and plug-ins: Enable

Script ActiveX controls marked safe for scripting: Enable

Active scripting: Enable

Allow paste operations via script: Enable

Scripting of Java applets: Enable


Should I set the first one to prompt instead?

You should NEVER have "run activex controls" set to enable.... sites can just do as they please with your system the moment you hit them. They can essentially take full control!

Anything to do with active x should be by prompt only.

KimJI 09-01-2007 06:24 AM

Quote:

Originally Posted by Matt 26z (Post 13018781)


Should I set the first one to prompt instead?


always, same goes for
Scripting of Java applets: Enable
and
Active scripting: Enable

and make sure your PC is updated with the latest patches, including your IE
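
Added example, not part of any post in this thread: a PowerShell check that reads the current user's Internet zone and reports the five settings listed above as Enable, Prompt or Disable. It assumes the standard Internet Explorer zone registry layout (zone 3 is the Internet zone; a value of 0 means Enable, 1 Prompt, 3 Disable); the variable names are illustrative.

```powershell
# Added example: audit the IE Internet zone (zone 3) for the settings named in the thread.
# The URL action IDs and the 0/1/3 meanings are the standard IE zone registry values.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1400' = 'Active scripting'
    '1407' = 'Allow paste operations via script'
    '1402' = 'Scripting of Java applets'
}
$policy = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Fail loudly if the zone key is missing rather than reporting an empty result.
$props = Get-ItemProperty -Path $zoneKey -ErrorAction Stop

$report = foreach ($id in $actions.Keys) {
    $raw = $props.$id
    if ($null -eq $raw) {
        $state = 'Not set in HKCU'
    } elseif ($policy.ContainsKey([int]$raw)) {
        $state = $policy[[int]$raw]
    } else {
        # Some actions accept other values; show the raw value instead of guessing.
        $state = 'Other (0x{0:X})' -f $raw
    }
    [pscustomobject]@{
        Id      = $id
        Setting = $actions[$id]
        State   = $state
        # The replies in the thread recommend Prompt, so anything on Enable is flagged.
        Review  = ($state -eq 'Enable')
    }
}

$report | Format-Table -AutoSize
```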

potter 09-01-2007 06:29 AM

Quote:

Originally Posted by headless ghost (Post 13018770)
you are in some seriously deep shit
go here
http://www.google.com/search?hl=en&q...=Google+Search
you may need to replace the hard drive or even the computer.
don't forget to have your ISP reverse flush the lines to be sure you get rid of all of it.

??? You don't know very much about computers, do you? No software can ruin a hard drive or entire computer. Software cannot "infect" hardware.

Matt 26z 09-01-2007 06:31 AM

Now that I think about it, I had to switch at least one of those to enable to get an online virus scanner to work. I'm pretty sure it was Norton's, because I had never used that one before. It wasn't Kaspersky, Panda, BitDefender or TrendMicro. I had always used those without problems.

So it's ironic that a security company would say their online scan doesn't work with your current settings (I had it/them on prompt), then you make the changes to get the virus scanner to work and you get infected. That right there is evidence that the security companies WANT you to get infected so you'll buy their products.

KimJI 09-01-2007 06:53 AM

Quote:

Originally Posted by potter (Post 13018803)
??? You don't know very much about computers, do you? No software can ruin a hard drive or entire computer. Software cannot "infect" hardware.


Welcome to 2004, the year "root kits" were discovered.


All times are GMT -7.
