-1

I have found some unknown .php files in Solution Explorer of an ASP.NET website while running it locally.

Whenever I navigate between pages, it dynamically creates two files named 1. eval code and 2. jsc3.js.php

I understand this is a malicious intrusion in my system and I need to overcome this.

Please help me.

Thanks in advance.

lollol
  • It appears in solution explorer? This means that your .sln file must have also been modified. – m.edmondson Jun 10 '12 at 17:32
  • Is it? How could I test it... Right now I am not facing any issues in my application, but when I use browsers to surf sites, a new browser window opens and automatically navigates to some sites like: http://11649.bodisparking.com/iwanktube.com?szcp=58 http://52664.bestfastget.com/xtr_new?q=Wanktube&enk=hslmkcbBJuNGgY+Jj6lGscahj4lmmSeZZpkmuWbjJg== http://frankfinn.in/lms/air-hostess-training-af.php http://www.insideentrepreneurs.com/ http://crazypoppingmusicvideos.com/?subid=x2r15 – lollol Jun 10 '12 at 17:36
  • Sounds like a virus... unless you use some kind of plugin that made them for some reason... you do not give enough information to help. – Aristos Jun 10 '12 at 17:46
  • What's in these auto-created files? – Aristos Jun 10 '12 at 17:53
  • There are 6 pages full of PHP code; one file called "eval code", which is generated under the .aspx page, has nothing in it, and another file under it called "jsc3.js.php" contains this: function FixMargins() { return; } – lollol Jun 11 '12 at 04:07

1 Answer

0

The above is an Internet Explorer add-on that was downloaded and installed automatically from a malicious website.

Add-On Name - PeteBH Class (related DLL - yayWmKee.dll in c:\windows\system32)

For complete information about this threat, please refer to http://www.threatexpert.com/report.aspx?md5=da146c6c26ac0ef5d26dbe571e32008a

How to remove:

1. Disable this add-on in Internet Explorer's Manage Add-ons option.
2. Remove the registry entries specified in the above link (carefully and at your own risk).
3. Log in as Administrator in Safe Mode and delete yayWmKee.dll from "C:\Windows\System32".

Always be sure about the pages visited and things downloaded.

Thanks for all the replies.

lollol
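As a companion to removal steps 1 and 3 in the answer above, this added example (not part of the original answer) lists the registered Internet Explorer Browser Helper Objects with their backing DLL and signature status, so an unfamiliar entry can be identified before anything is disabled or deleted. It assumes the add-on is registered as a BHO, which the page does not state; the registry paths are the standard Windows BHO and CLSID locations.

```powershell
# Added example: inventory Internet Explorer Browser Helper Objects (BHOs).
# Assumption: the add-on is registered as a BHO; the page does not state this.
$views = @(
    @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's unnamed (default) value, or $null if the key is missing.
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' }
}

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid = $key.PSChildName                      # each BHO subkey is named by its CLSID
        $name  = Get-DefaultValue "$($view.Cls)\$clsid"
        $dll   = Get-DefaultValue "$($view.Cls)\$clsid\InprocServer32"
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }

        # Note: a 32-bit entry that names System32 is loaded from SysWOW64 by 32-bit IE.
        $file = if ($dll) { Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue }
        $sig  = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status }

        [pscustomobject]@{
            Clsid     = $clsid
            Name      = $name
            Dll       = $dll
            OnDisk    = [bool]$file
            # Compare against $null: the 'Valid' status is enum value 0 and would test as false.
            Signature = if ($null -ne $sig) { "$sig" } else { 'n/a' }
            Created   = if ($file) { $file.CreationTime }
        }
    }
}

$report | Sort-Object Signature, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session. An entry whose DLL is unsigned, missing, or recently created is a lead to compare against a known-good machine, not proof of infection.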