OT: Microsoft is really annoying

Bob Sneidar bobs at twft.com
Wed Apr 21 16:57:21 EDT 2010

Hi Wilhelm. 

I checked the URL with our corporate content filtering system and it came up clean, so the site seems reputable. However, I just read an article about how reputable sites are getting compromised, and either a redirect is put in place, or the site itself is being compromised. Simply visiting a compromised site can infect an unpatched machine. So it does not surprise me that your visiting a reputable site resulted in an infection. What DOES surprise me is that your antivirus (assuming it is up to date) did not catch it. Perhaps this happened before you installed the antivirus? 

The hsyfea.exe looks like a random file name, which was typical of a particularly nasty bit of malware I came across a while back called coolwebsearch. The installer installed several variants of itself using random file names, which required a program called HijackThis and a series of safe boots to remove the hijacker. Even then, with some flavors of the "adware" you never got all the pieces, and the recommendation at that point was a clean reinstall. 

The other one turned up some interesting google hits. I believe this to be a particularly nasty one, but if your Antivirus found it, then it should have prevented it, unless as I said, you got it before you installed Antivirus. If you got it first, then there is a possibility it installed a rootkit, in which case nothing but a wipe and reinstall to a new partition, and to be safe, a reset of the CMOS first, will guarantee it's removal. 

My condolences. 


On Apr 20, 2010, at 1:55 PM, Wilhelm Sanke wrote:

> I tried to recapitulate what I could have done "terribly wrong". First, I have got both a virus scanner running in the background and one which I invoke manually from time to time.
> I was searching for programs that use the Gluas-plugin for embedding the Lua language for image processing and - among other sites - arrived at
> <http://www.thebest3d.com/gluas/>
> which seems to be safe.
> From there I clicked the link to "Pixarra TwistedBrush Pro" and that seems to me to be the source of all the trouble, meaning simply just going to that site. I did not download anything from the TwistedBrush site. This happened twice, I will not test this a third time. Maybe anybody else could check?
> The following malware was then installed on my WindowsXP computer:
> Hsyfea.exe (in C:Windows)
> sshanas21.dll (in C:windows\system32)
> which then seems to have launched the Microsoft Internet Explorer about every 5 minutes (until I "disassembled" the Internet Explorer).--
> Wilhelm Sanke

More information about the Use-livecode mailing list