#12512 22/02/03 08:21 PM
zidion (OP)
Self-satisfied door
Joined: Feb 2003
Posts: 4
I visited Irc.Saltek.Net and some butthead sent me some kind of script or something without me knowing it. Now when I restart my computer a window pops up and says Petrol Owns, Tibilisi owns you with an OK button. When I click OK, it says Petrol Rushia Babe and asks me, You like Georgia? With an option of YES or No, I click on no and it says Tibilisi Owns You boy! I click on yes and it says, Russian girls for you, with an OK button. I click on OK and it tells me Nov.18 2002 by Petrol, with an OK button. I click on OK and it disappears. But it still runs in the background as run= zeiqc.33.vbs. I don't want this utility or whatever it is and I would like to remove it from my computer, but I can't find it and have no idea what it is. Can you please help me with this? And to avoid future problems like this, is there a security patch or something I can get for these buttheads that do this to people?

#12513 22/02/03 08:45 PM
Hoopy frood
Joined: Dec 2002
Posts: 843
It's not a utility, it's some sort of virus. I'd suggest going here and running their free online virus scan. You can't run a new script on irc without knowing about it. Did you click on a url that someone had told you to? That is the fastest way to get yourself a virus on irc.


Never compare yourself to others - they're more screwed up than you think.
#12514 22/02/03 08:45 PM
zidion (OP)
Self-satisfied door
Joined: Feb 2003
Posts: 4
Ran a virus scan and came up with infected file name:
C:\ROL.VBS
virus file name:
VBS/Dismissed.gen
This needs to be looked into for others' sakes. This is a butthead; whoever does this has problems and way too much time on his hands to create these things. I think I found a home page for this butthead
[deleted by moderator]

Last edited by ParaBrat; 23/02/03 06:24 AM.
#12515 22/02/03 08:47 PM
Hoopy frood
Joined: Dec 2002
Posts: 843
I wouldn't spam that person's homepage on here, just in case it's infected. You never know, someone might just click on it and get themselves into trouble.


Never compare yourself to others - they're more screwed up than you think.
#12516 22/02/03 08:58 PM
zidion (OP)
Self-satisfied door
Joined: Feb 2003
Posts: 4

Virus type: JavaScript

Destructive: No

Pattern file needed: 184

Scan engine needed: 5.200

Description:

Once executed, this JavaScript drops a Visual Basic Script (VBS) file ROL.VBS in the C:\ directory. The dropped file then executes. Trend Micro antivirus detects the dropped file as VBS_KARMAHOTEL.A. The VBScript drops a SERVER.INI file in the MIRC directory. After doing this, it deletes itself. Trend Micro antivirus detects the SERVER.INI file as IRC_OTAG.A.


I just tried to enter a #room of some kind, I don't know what one, then the thing said petrol owns me.

It's not hard to get rid of though.

#12517 22/02/03 11:22 PM
zidion (OP)
Self-satisfied door
Joined: Feb 2003
Posts: 4
After hours of research, I have finally found out how to remove this bug.

The JS_DISMISSED drops this non-destructive Visual Basic Script (VBScript) virus. It modifies the Internet Explorer (IE) of an infected system to connect to the site:

Solution:

Click Start > Run, type REGEDIT, then hit the Enter key.
Double-click the following:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
On the right panel, right-click and then delete the value:
TkBellExe

Then Start > Find > Files or Folders in the C: drive and delete the following named:
zeiqc33
sfuvh66
mihcc24
sfnak35
icucy78
Reboot and make sure the message does not appear again.
Run a virus scan for C: to make sure there are no more infected files.
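
Added example, not part of the original post or of any tool named in this thread: a small Python check that flags autostart entries launching Windows Script Host files, the pattern behind the `run= zeiqc.33.vbs` entry reported above. It assumes that entry is a win.ini-style `run=` line in the `[windows]` section and that the Run key values have already been exported into a dictionary; the value names and the second sample path are constructed.

```python
import re

# Extensions run by Windows Script Host; an autostart entry naming one
# of these deserves a manual look.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)

# Constructed sample input (not taken from a real machine).
SAMPLE_WIN_INI = """\
; constructed sample
[windows]
load=
run= zeiqc.33.vbs
[fonts]
run=ignored.vbs
"""
SAMPLE_RUN_KEY = {
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" -quiet',
    "ExampleScript": r"wscript.exe C:\EXAMPLE.VBS",
}


def winini_autostart(text):
    """Return (key, command) pairs from run=/load= in the [windows] section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                found.append((key.lower(), value))
    return found


def flag_script_autostarts(win_ini_text, run_key_values):
    """Return sorted (source, name, command) entries that launch a script file."""
    hits = [("win.ini", k, c) for k, c in winini_autostart(win_ini_text)
            if SCRIPT_EXT.search(c)]
    hits += [("HKLM Run", n, c) for n, c in run_key_values.items()
             if SCRIPT_EXT.search(c)]
    return sorted(hits)


if __name__ == "__main__":
    for hit in flag_script_autostarts(SAMPLE_WIN_INI, SAMPLE_RUN_KEY):
        print(hit)
```

A flagged entry is only a lead for manual review; the check reports script-file autostarts and does not decide whether a given value is malicious.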

#12518 23/02/03 07:07 AM
Hoopy frood
Joined: Dec 2002
Posts: 3,127
The js_karmahotel also "modify the MIRC.INI and store its contents in a WINAMOD.DAT file in the Hard Drive C:\. It then enables a hacker access to the infected system when the infected user connects to an MIRC channel."

I deleted your URL links; as Poppy said, they may be infected. Realize that the only way someone could send this to you "without your knowledge" is if you have autoget on in your DCC options. If you click on an infected URL, open an email attachment (although now with some all you need do is open the blasted email), accept a file (or set autoget on), you are at risk. Security patch? Yep.. don't do the above. Keep your virus scanner up to date. Keep up with Windows updates. This web page has lots of good tips for helping you secure your puter.

Glad you got yours cleaned :)


ParaBrat @#mIRCAide DALnet
