Trojan? Virus? Help please!

Discussion in 'Computing' started by Crash Lander, Apr 7, 2008.

  1. Crash Lander

    Crash Lander Guest

    I have a bit of a problem with my computer. Every now and then, a small
    browser window will flash up in the top left hand corner of the screen.
    It's not there long enough to see what it is, or where it's directed,
    and Spybot Search and Destroy, and Adaware find nothing. Nothing shown
    up on virus scan so far either.
    This is a pain in the butt, as if I'm playing a game or running an app
    in full screen mode, it instantly minimises to the tray because of
    this...whatever it is! Earlier, I could hear the 'activation click' you
    know, the click you hear when you click a link on a web page, every
    minute or so, as if something was doing something it shouldn't, and
    this was even happening when nobody was touching the computer at all.
    Also, twice today, I would get an audio advertisement telling me about
    some Rally that goes through Russia and Mongolia!! No window open to
    play it or anything! Nothing! I did find a DSS Agent on the system, but
    I removed that successfully, and I think that may have taken care of
    the clicking for no reason, as I haven't heard it since, but this
    browser quickly flashing up is still happening. Any ideas guys?
    Thanks.
     
    Crash Lander, Apr 7, 2008
    #1

  2. Crash Lander

    Know1 Guest


    http://www.mvps.org/winhelp2002/hosts.htm
     
    Know1, Apr 7, 2008
    #2

  3. Crash Lander

    Crash Lander Guest

    Thanks,
    OK, so I downloaded and installed it. Makes some sense to me what it
    does, but do I have to do anything to/with it, or it should just stop
    the trouble now it's installed?
    Apologies if I'm displaying too much ignorance here guys. Thanks.
     
    Crash Lander, Apr 7, 2008
    #3
  4. Crash Lander

    Know1 Guest

    It may stop the pop-up window from going anywhere;
    if it's one of the sites in the hosts file.

    But if not; we'll need to ID what that url might be,
    and from where on your system it's originating from.

    You could clear your internet cache; then make a note of
    any new occurrences, after that.
    C:\Documents and Settings\username\Local Settings\Temporary Internet Files

    Then edit the hosts file with notepad,
    to include the nuisance website
    C:\WINDOWS\system32\drivers\etc\hosts


    As for the minimising problem;
    you might try autosizer; and set IE
    to auto-minimise.
    http://www.southbaypc.com/autosizer/
    I'm sure there'll be an easier solution; so hopefully
    someone'll come up with one.
     
    Know1, Apr 7, 2008
    #4
  5. Crash Lander

    Rod Speed Guest

    Looks like I am getting the same problem myself.

    AVG and Defender can't see any problem.

    Here is the detail. After a reboot, with no browser windows open, no problem for a
    considerable time, just trying to time how long it takes now, but it's something like an hour.

    The first thing you notice with no browser windows open is that you get what Crash Lander
    calls the 'activation click' above. That happens at quite a high rate, every couple of seconds
    or so. No visible effect for quite a while, just the clicks. You then get a slight screen effect,
    difficult to describe, basically just some vertical bar effects very briefly flashing over the top
    of the current window. Then eventually it will open a browser window with an advert in it.

    If you have any browser windows open, it appears to try to overlay an ad over
    the window and doesn't always succeed, quite often crashing the browser window.

    Seems pretty clear it's a deliberate infection with an ad server, the main oddity is that
    none of the major anti virus and anti spy systems can see anything. In my case I have
    just tried AVG and Defender, but Crash Lander has tried the other obvious candidates.

    It also molests the taskbars in Explorer, minimising the address and links
    taskbars, presumably so you can't see the addresses it's using or something.

    That's on XP Pro, Internet Explorer 6.0.xxxx with very few updates since SP2.
     
    Rod Speed, Apr 7, 2008
    #5
  6. Crash Lander

    Crash Lander Guest

    I think I may have solved it. So far no more activation clicking, and no
    flashing browser windows popping up.
    I downloaded and used this:
    http://www.majorgeeks.com/download3550.html
    It's a program called BHO Demon.
    It found several things, some of which I was happy to leave there, but one
    was called sprt_ad.dll, which is a baddie.
    Now, the program enables you to disable these nasties by unclicking the tick
    box, but you cannot do it if you have internet explorer open, or windows
    explorer open. Unfortunately, this baddie seems to make these things appear
    open, so you cannot disable them.
    What I did was run the BHO Demon in safe mode, and it did disable them, but
    when I rebooted them, they were enabled again. Instead, if you double click
    the name of the file, rather than untick the box, it brings up more options.
    One of which is to open the folder that contains the file in question. From
    there I just deleted the sprt_ad.dll and rebooted. Windows screamed saying
    it couldn't find the required dll, but a quick search through the registry
    found it and I simply deleted the entry. So far no more problems.
    One little annoying thing with this BHO Demon is that it starts up with
    windows and I found that a pain, so I just uninstalled it, but kept the
    installation file for use any time I may need it later.
    Hopefully this has fixed it, and hopefully it might fix it for you too. I'd
    be interested to hear how you go.

    Did you get the voice ads too? Something about a rally in Russia?
    Crash Lander
     
    Crash Lander, Apr 8, 2008
    #6
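
An added example, not part of the original post and not BHO Demon's own code: Browser Helper Objects are registered by CLSID under the Explorer\Browser Helper Objects key, and each CLSID's InprocServer32 key names the DLL. This Python sketch parses a `reg export` of those keys and lists BHOs whose DLL is gone, the kind of leftover entry a manual DLL deletion creates. The CLSIDs, paths and sample export are constructed; only the name sprt_ad.dll comes from the thread.

```python
import re

# Constructed sample of `reg export` text: CLSIDs and paths are made up,
# only the file name sprt_ad.dll is taken from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\ExampleDir\\sprt_ad.dll"
'''

BHO_KEY = r"\explorer\browser helper objects" + "\\"
SECTION = re.compile(r"^\[(.+)\]$")        # [HKEY_...] key header
DEFAULT = re.compile(r'^@="(.*)"$')        # default value of a key
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_bhos(reg_text):
    """Return {clsid: dll_path_or_None} for every registered BHO."""
    bhos, servers, section = set(), {}, ""
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            ids = CLSID.findall(section)
            if BHO_KEY in section.lower() and ids:
                bhos.add(ids[-1].upper())
            continue
        m = DEFAULT.match(line)
        if m and section.lower().endswith(r"\inprocserver32"):
            ids = CLSID.findall(section)
            if ids:  # .reg files escape backslashes, so undo the doubling
                servers[ids[-1].upper()] = m.group(1).replace("\\\\", "\\")
    return {c: servers.get(c) for c in sorted(bhos)}

def audit(reg_text, existing_files):
    """Split BHOs into loadable ones and orphans (DLL missing or unregistered)."""
    # existing_files stands in for os.path.exists so the sample runs offline.
    report = {"present": [], "orphaned": []}
    have = {p.lower() for p in existing_files}
    for clsid, dll in parse_bhos(reg_text).items():
        ok = dll is not None and dll.lower() in have
        report["present" if ok else "orphaned"].append((clsid, dll))
    return report
```

A real export is written as UTF-16, so read the file with `encoding="utf-16"` before passing its text in.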
  7. Crash Lander

    Crash Lander Guest

    Well, it certainly blocks ads in the tops of things like forums and stuff,
    but it leaves you with a "Page not found" error, which detracts from the
    look of the sites etc, and didn't let me see where the ad was directed. A
    good file to have but didn't solve my problem. I have reverted back to my
    original HOST file now, but have kept this one in case I need it again.
    Thanks.
    Crash Lander
     
    Crash Lander, Apr 8, 2008
    #7
  8. Crash Lander

    Rod Speed Guest

    Mine continues as before.
    OK, I'll try that thanks.
    No, just a very occasional new browser window.
    One of them was a normal Aust site interestingly enough.
    Another I just got a while ago was some Russian site, then the browser crashed.
    No it wasn't a rally.

     
    Rod Speed, Apr 8, 2008
    #8
  9. Crash Lander

    Rod Speed Guest

    Didn't find anything to worry about on mine, only found 4, all benign.

    That's with the included list, haven't tried the updated list tho.
     
    Rod Speed, Apr 8, 2008
    #9
  10. Crash Lander

    Crash Lander Guest

    Crash Lander, Apr 8, 2008
    #10
  11. Crash Lander

    Crash Lander Guest

    Interesting to note (possibly not) that when I emptied that temporary
    Internet Files folder, about 5 files would not delete, saying they were in
    use by another program.
    Crash Lander
     
    Crash Lander, Apr 8, 2008
    #11
  12. Crash Lander

    Crash Lander Guest

    Someone else also suggested to turn off your modem, and maybe when the
    browser pops open, it may stay there as it won't be able to reach its
    intended address. Might at least enable you to see where it's headed.
    Crash Lander
     
    Crash Lander, Apr 8, 2008
    #12
  13. Crash Lander

    Rod Speed Guest

    Yeah, the other similar approach would be to keep track of what is
    browsing out, particularly when I don't have any browser windows open.

    I did try SuperAntiSpyware, but that didn't turn up anything obvious with its quick scan.

    Tried a system restore, but was stupid enough to leave that too
    late and so couldn't restore to before the problem showed up.

    Just had one browser window open by itself, Webfetti this time. The
    windows almost always crash as soon as they open and this one did too.
    This one happened much sooner after a reboot than usual, so likely the
    hour or so delay before you start getting the clicks is variable too.

    I'll likely try a repair install if someone doesn't suggest anything that works.
     
    Rod Speed, Apr 8, 2008
    #13
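
An added example, not part of the original post: one way to "keep track of what is browsing out" is to match the PID column of `netstat -ano` against `tasklist /fo csv` and list web connections owned by anything other than a browser. The sample output, addresses and PIDs are constructed, and the browser list is an assumption to adjust per machine.

```python
import csv
import io

# Constructed sample output of `netstat -ano` and `tasklist /fo csv`
# (addresses are documentation ranges, PIDs and process names are made up).
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.5:1045       203.0.113.10:80        ESTABLISHED     1480
  TCP    192.168.1.5:1046       198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.1.5:1050       192.0.2.25:443         ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","904","Console","0","4,120 K"
"explorer.exe","1480","Console","0","21,004 K"
"updater.exe","2216","Console","0","3,880 K"
'''

WEB_PORTS = {80, 443}
BROWSERS = {"iexplore.exe", "firefox.exe"}  # assumption: browsers in use here
ACTIVE = {"ESTABLISHED", "SYN_SENT"}        # connections still held by a process

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {int(r["PID"]): r["Image Name"] for r in rows}

def web_connections(netstat_text):
    """Yield (pid, remote_ip, remote_port) for active outbound web connections."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] not in ACTIVE:
            continue  # skips headers, UDP rows, listeners and closed sockets
        ip, _, port = f[2].rpartition(":")
        if port.isdigit() and int(port) in WEB_PORTS:
            yield int(f[4]), ip, int(port)

def unexpected_web_traffic(netstat_text, tasklist_csv):
    """Web connections owned by a process that is not a known browser."""
    names = pid_names(tasklist_csv)
    hits = []
    for pid, ip, port in web_connections(netstat_text):
        name = names.get(pid, "<unknown>")
        if name.lower() not in BROWSERS:
            hits.append((name, pid, ip, port))
    return hits
```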
  14. Crash Lander

    Rob. Guest

    You can download an Unlocker and then you're able to delete those files.
    http://ccollomb.free.fr/unlocker/


    It's not a root kit virus?

    "Also known as "kernel mode Trojans," root kits are far more
    sophisticated than the usual batch of Windows backdoor programs that irk
    network administrators today."

    Do you have any of these files?
    Delete the following files:
    * VMM32421.EXE
    * IERK8243.SYS
    * IPSECHLP.DLL
     
    Rob., Apr 8, 2008
    #14
  15. Crash Lander

    Crash Lander Guest

    No, I don't seem to have any of those.
     
    Crash Lander, Apr 8, 2008
    #15
  16. Crash Lander

    son of a bitch Guest

    The only way to trash these is to close Internet Exploiter.
    "C:\Documents and Settings\username\Local Settings\Temporary Internet Files"
    is only cookies

    what you want is to nuke this muther
    "C:\Documents and Settings\username\Local Settings\Temporary Internet Files\content.ie5"

    content.ie5 is normally hidden, Microsnot decided for you that you
    really don't need to go in there or even acknowledge it's there!

    And you really need to nuke all files in the temp directory
    some legit progy's live in there ie: realrek, creative
    but everything else it's out the door they go.
     
    son of a bitch, Apr 8, 2008
    #16
  17. Crash Lander

    z1 Guest


    go to packs.google.com
    download spyware doctor
    run it

    or get
    superantispyware free edition

    or both.
     
    z1, Apr 8, 2008
    #17
  18. Crash Lander

    Fred Guest

    Perhaps you could run Hijackthis
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    and submit the log to http://www.hijackthis.de/#anl
    See if anything shows up.
     
    Fred, Apr 8, 2008
    #18
  19. Crash Lander

    Crash Lander Guest

    Crash Lander, Apr 8, 2008
    #19
  20. Crash Lander

    canetoad Guest


    Could be a nasty called Virtumonde. Free removal tool
    F-Vmonde halfway down this page
    http://www.f-secure.com/download-purchase/tools.shtml
     
    canetoad, Apr 8, 2008
    #20