Stubborn Virus/Trojan/BHO Whatever

Rustynuts

My Mom's PC keeps getting this pron website popup every time she logs in. I've deleted it through AdAware, Spybot, Spywareblaster, and deleted all temp files through Safe Boot. The PC looks clean upon booting, but as soon as I log onto the internet it reloads itself as a plugin!!! I've also run Hijackthis and deleted all suspicious entries.

It installs itself in a folder called "Webviewer" and opens a website for "Tainted Teens". The info says it's from the UK from a company called Smooth Content. Not sure if it's related, but I also get some malware in the locals/temp folder called MSHTM.EXE that also keeps coming back.

One other annoyance is a big screen over the top of my desktop after logging off the internet that is mostly black and states that I have spyware on the PC (no shite)! and to click on the link to clean it (scumware most likely, but don't have the IP jotted down).

Also when trying to run Norton AV, it starts and then crashes to desktop almost immediately! Before that happened I also got a NAV warning about "Bloodhound.explot.6" that it couldn't delete.

HELP!!! Or do I just nuke the HD and start over?
 
I also noted a process running when the pron site pops up and when I end process, the browser window closes. It's "124462.dlr". Google shows nothing!
 
Are you hopping online using IE? It may be an IE plug-in that's doing its dirty work. I've seen this happen before. Try a different browser i.e. Firefox.
 
If it's an exe you're deleting, then there's probably a DLL associated with it which is running the EXE and creating it again when you delete it. You need to find that DLL and remove it.

I like using a tool called Security Task Manager for this.

It's going to be harder now since you've deleted the original exe it made, because now you can't compare file creation date/time between the exe and dll.

I've seen spyware like this where it identifies running AV software and kills it, so you might be seeing that.
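
The creation-time comparison suggested in the reply above, as an added example that is not part of the original thread: it lists EXE/DLL files whose timestamp falls within a window around a known-bad file. The function names and the demo file names are hypothetical and constructed for illustration.

```python
import os
import tempfile

def creation_time(st):
    # Windows/macOS: creation time (st_birthtime where present, else st_ctime).
    # Linux: st_ctime is inode-change time, so treat results as approximate.
    return getattr(st, "st_birthtime", st.st_ctime)

def files_created_near(root, reference, window_seconds=120,
                       extensions=(".dll", ".exe"), time_of=creation_time):
    """List (path, timestamp) for files under root stamped within
    window_seconds of the reference file, closest match first."""
    ref_path = os.path.abspath(reference)
    ref_time = time_of(os.stat(ref_path))
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.abspath(os.path.join(dirpath, name))
            if path == ref_path or not name.lower().endswith(extensions):
                continue
            try:
                stamp = time_of(os.stat(path))
            except OSError:
                continue  # file locked or removed while scanning
            if abs(stamp - ref_time) <= window_seconds:
                hits.append((path, stamp))
    return sorted(hits, key=lambda hit: abs(hit[1] - ref_time))

def demo():
    # Constructed sample tree. Modification times stand in for creation
    # times here because creation time cannot be set portably.
    samples = {"dropper.exe": 1_000_000, "helper.dll": 1_000_030,
               "old.dll": 500_000, "notes.txt": 1_000_010,
               os.path.join("sub", "late.exe"): 1_000_100}
    with tempfile.TemporaryDirectory() as root:
        for rel, stamp in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (stamp, stamp))
        hits = files_created_near(root, os.path.join(root, "dropper.exe"),
                                  time_of=lambda st: st.st_mtime)
        return [os.path.basename(path) for path, _ in hits]

if __name__ == "__main__":
    print(demo())
```

If the known-bad file has already been deleted and re-created, its timestamp reflects the re-creation, so the window may need widening.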
 
I believe I have run it in safe mode. I think the mshtm.exe is what loads it. I've been watching task mgr and it runs during the plugin load, then the dlr shows until I kill the window. I can run Firefox once I'm logged, but I have to initially go through Juno's browser to get to the internet.

Doesn't matter what I delete, it reloads the entire batch each time! including desktop and start button shortcuts. Really annoying. I think it also includes the "Secure Yourself" shortcuts from "http://213.159.117.130/?affid=NAT-12"
 
I think I did it! Not sure exactly how, but here's what I did.

Booted to safe mode, ran Spybot, AdAware, Hijackthis.
Then switched user accounts and ran them again. They found a few more items which didn't make sense. Shouldn't those programs scan the WHOLE computer and not just the User logged in?
Then, which may be what did it, I uninstalled and reinstalled Juno which uses its own browser, not a pure IE.

That seems to have done the trick, even after several reboots and internet sessions!

For good measure I got rid of NAV and downloaded NOD32 and Sygate firewall. NOD found 13 virii that NAV didn't, P.O.S.!!
 