The other day Catherine received an MSN message from a friend with a website link. After clicking on the link (which looked perfectly valid) the website she went to ran a zero-day exploit on her machine and installed a nasty trojan.
The trojan proceeded to message everyone in her contact list with the link. I probably would have clicked it, but when it messaged me no one was sitting at her computer, which seemed a little strange to me.
I went over to her computer to take a look and it was going wild! It was opening up windows by itself, messaging people and killing applications I was trying to run. After running her anti-virus I was able to successfully find the trojan, but the anti-virus could not delete it.
I went straight to download TCPView, Process Explorer and AutoRuns from Sysinternals (now hosted at Microsoft) and used Scott Hanselman's post as a guide.
The first thing I checked was TCPView to see if the trojan was calling home; luckily it was not, so the next step was to check out what was being run at startup. The first thing I noticed in Autoruns was a weird entry called explorer:
I also noticed a weird GUID being loaded at startup:
If you check out the IE Toolbars and the Browser Helper Objects, you can see that an entry for the 888Bar has also been created:
I located all the offending assemblies and registry entries, deleted them, and now her computer seems to be fine. I find it very interesting that all of this craziness happened from clicking a link to a website.
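The walk through Autoruns above (Run keys, then the GUID-registered IE toolbars and Browser Helper Objects, then tracking each one back to its binary) can be scripted for triage. The following PowerShell is an added example, not code from the original post or from Sysinternals: it lists the same autostart locations, resolves each COM GUID to its DLL via the standard `HKCR\CLSID\{guid}\InprocServer32` key, and flags entries whose binary is missing or not Authenticode-signed. The registry paths are the standard Windows ones; the signature check and the output layout are this example's own choices, and no identifiers from the 888Bar infection are hard-coded.

```powershell
# Added triage script (not from the original post). Enumerates the autostart
# locations Autoruns surfaced in this story and flags binaries that are missing
# or unsigned. Run from an elevated PowerShell session on the affected machine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# BHOs are registered as GUID-named subkeys; IE toolbars as GUID-named values.
$comKeys = @{
    'Browser Helper Object' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'IE Toolbar'            = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
}
$guidPattern = '^\{[0-9A-Fa-f-]{36}\}$'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SignatureState([string]$Path) {
    # "Missing" means a stale entry pointing at a deleted file; otherwise the
    # Authenticode status (Valid, NotSigned, HashMismatch, ...).
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Resolve-ClsidPath([string]$Clsid) {
    # The in-process server DLL for a COM class is the default value of
    # HKCR\CLSID\{guid}\InprocServer32. Returns $null when not registered.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ($raw) { [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
}

$findings = @()

# 1. Classic Run/RunOnce entries (the odd "explorer" entry in the post lived here).
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip provider metadata
        # Separate the executable from its arguments: quoted path or first token.
        $cmd = [string]$p.Value
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $findings += [pscustomobject]@{
            Category = 'Run key'; Name = $p.Name; Location = $key
            Binary = $exe; Signature = Get-SignatureState $exe
        }
    }
}

# 2. COM-registered browser extensions, identified only by GUID in the registry.
foreach ($cat in $comKeys.Keys) {
    $root = $comKeys[$cat]
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $names = @()
    $names += (Get-ChildItem -LiteralPath $root | ForEach-Object { $_.PSChildName })
    $names += ((Get-ItemProperty -LiteralPath $root).PSObject.Properties |
               Where-Object { $_.Name -notin $providerProps } |
               ForEach-Object { $_.Name })
    foreach ($clsid in ($names | Where-Object { $_ -match $guidPattern } | Sort-Object -Unique)) {
        $dll = Resolve-ClsidPath $clsid
        $findings += [pscustomobject]@{
            Category = $cat; Name = $clsid; Location = $root
            Binary = $dll
            Signature = if ($dll) { Get-SignatureState $dll } else { 'No InprocServer32' }
        }
    }
}

# Full inventory first, then the short list worth inspecting by hand
# (confirm in Process Explorer and the file's properties before removing anything).
$findings | Sort-Object Category, Name | Format-Table -AutoSize
'--- Entries without a valid signature ---'
$findings | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Category, Name, Binary, Signature -AutoSize
```

An unsigned or missing binary is not proof of malware (plenty of legitimate software ships unsigned), but it narrows the list to the handful of entries that need a manual look, which is exactly the filtering done by eye in Autoruns above. Removing an entry is then a matter of deleting the registry key or value and the DLL it points to, after confirming nothing legitimate still loads it.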
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
© Copyright 2008, Steven Rockarts