TechSpot

Exploit-ObscuredHtml Trojan Help

By AMG
Dec 19, 2005
  1. I have XP SP2, IE6, McAfee, Spybot, Ad-Aware, MS Antispyware beta and ZoneAlarm

    Short Version
    How do I get rid of Exploit-ObscuredHtml? It keeps coming back even if I delete it after turning off system restore.




    Long Version
    While visiting a website, IE hung a bit. I didn't think much of it, waited a while and IE was working again, finished what I was doing and shut down the laptop. A few hours later I started it up and saw the icons in the notification were missing and it was running just slightly slower.

    I updated and ran all the above programs but didn't come up with anything. I then did a few online scans, one of which was Trend Micro. This is the weird part: the online Trend Micro scan didn't find anything, but about 70% through the online scan, my installed McAfee On Access scan did find and delete Exploit-ObscuredHtml from the Temp folder. I let the online scan finish and restarted the PC and did another TM McAfee combo scan and it was back in Temp under another name.

    I messed around with it some more but finally decided to reinstall XP Home. But even after a reformat it still shows up during a Trend Micro and McAfee combo scan. I also noticed that every time I go into "Local Settings" folder this dialog box pops up, this never happened before and a few days ago ZoneAlarm caught "LSA Shell" requesting access to the internet, ZA said this was a Windows NT or 2000 component so I gave it access, but then a login dialog box popped up with link to www.sunshinehid.com. I've never even heard of that site before.

    I've also tried going into the temp folder to look for the trojan myself but I can never find it. So one time I decided to watch the temp folder while doing a simultaneous scan, I noticed the trojan icon would appear and disappear from the temp folder every few seconds. I tried deleting the icon but couldn't.



    Thanks and sorry for the long post.
     
  2. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    read this - it may be a bug in McAfee

    http://forums.tomcoyote.org/index.php?showtopic=51881

    The latest version of McAfee Anti-Virus software is erroneously detecting the "Exploit-ObscuredHtml" virus in the A9 Toolbar. The A9 Toolbar does not contain a virus and your computer has not been infected.
     
  3. AMG

    AMG TS Rookie Topic Starter Posts: 32

    Thanks but I have never downloaded any extra toolbars. Plus that can't explain the 2 login dialog boxes.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

  5. AMG

    AMG TS Rookie Topic Starter Posts: 32

    Spysweeper
    2 cookies. One under "pop up ads", one under "Surveillance"

    Spyware Eliminator
    7 "Suspect Files"
     
  6. mookitty

    mookitty TS Rookie

    Exploit-Obscured and Trend Micro

    I am a computer novice. I discovered this site because of this Exploit-Obscured post.

    I also had a problem with IE. It was opening tens of windows when I clicked on a link from Outlook. It's happened three times and crashed the computer over a few days. I was suspicious that my McAfee and Ad-aware weren't catching something malicious. I read that a problem had happened with IE and switched to Firefox. (but that's beside the point) I remembered Trend Micro had an online scan and I ran it. Just as with the other person McAfee reported this Trojan during the scan. Twice. First I didn't take a note and just deleted it.

    I ran the regular McAfee scan after and it found nothing. A day later, feeling a little uncomfortable about the trojan detection, I ran the trend micro scan again and the same thing happened. Subsequent scans with McAfee alone haven't uncovered it and security response websites other than McAfee have no information on this trojan. Is it that something in the Trend Micro scan process is detected by McAfee as a trojan?

    4-3-06
    C:\Documents and Settings\Tuesday\localsettings\temp\V1HSFHa03736
    Exploit-ObscuredHtml trojan was found and cleaned

    4-4-06 also while running trend micro
    C:\Documents and Settings\Tuesday\localsettings\temp\V16GFHb02840
    Exploit-ObscuredHtml trojan was found and cleaned
    C:\Documents and Settings\Tuesday\localsettings\temp\V16GFHa02840
    Exploit-ObscuredHtml trojan was found and cleaned

    Any input would be appreciated. Outlook IE link multiple window opening and this trend micro scan question.

    Thanks in advance.
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    D/L, install and run CrapCleaner http://www.ccleaner.com/
    It will empty your Temp directories where the bastards are lurking.
    Make sure to read the instructions first.
     
  8. AMG

    AMG TS Rookie Topic Starter Posts: 32

    Hi mookitty

    I downloaded a bunch of programs to try to track it down and delete it but none of them worked so I finally decided to go to the extreme.

    I converted my laptop from NTFS to FAT32, did 2 formats with a Win98 floppy, removed the ram for about 24 hours, did 2 more formats with the floppy, one more format with the OEM XP CD, and then reinstalled everything.

    I think it worked, I haven't seen anything weird since. Sorry this isn't a simple solution though.

    Good luck to you
     
Topic Status:
Not open for further replies.

