
requesting assistance - Exploit-ObscuredHtml not sure what else


3 replies to this topic

#1 websitewendy

Posted 29 January 2011 - 11:01 AM

Vista Home Premium / 64 bit / SP1
TREND Internet Security
Prevx add on for browsers
Malware Bytes run weekly
ESET Online Scanner - don't run often enough


A friend said they went to a common site and got a warning from their AV of Exploit-ObscuredHtml.
Scanned and found nothing with Trend or MB. A couple of days later Prevx kept telling me it wouldn't allow me to go to a particular site because of a hosts file entry, but there were none for that domain, and I scanned the HTML for the page on the server (I built/host the site) and found no weird code.
(These 2 sites in question are not hosted on the same server.)
Yesterday I decided to run a manual scan and found Trend was not running.

Ran MB and got this:

---------------------------------// MB ------------------------------------
Database version: 5632

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

1/28/2011 5:28:02 PM
mbam-log-2011-01-28 (17-28-02).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|)
Objects scanned: 1008617
Time elapsed: 3 hour(s), 30 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\websitewendy\AppData\Local\Temp\0.7692605857286333.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
---------------------------------// MB ------------------------------------


Ran TREND:
---------------------------------// TREND ------------------------------------

found and quarantined java_loader.hll

---------------------------------// TREND ------------------------------------


Running ESET now and it has already reported
Threats found!
probably a variant of Win32/Agent.HZHBURL trojan

Total scan time so far is 2.5 hours and it is only at 23%.
I will post the results here when it completes.


I am supposed to be moving my office today, but am obviously concerned about rebooting and activating something.


Restore/recovery is still enabled.
The last known clean scan was Jan 20, and I have a restore point of Jan 19.
Any chance running that restore would be a good idea?


Any advice for next steps I should take is appreciated.

Thank you for doing what you do.

Edited by hamluis, 29 January 2011 - 01:30 PM.
Moved from Vista to Am i Infected.




#2 websitewendy


Posted 29 January 2011 - 07:36 PM

ESET finished and this was the threat deleted:
C:\SwSetup\AOLIMS\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined

These were in the quarantine list:
C:\Users\websitewendy\AppData\Local\Low\Sun\Java\Deployment\cache\6.0\40\5da228e8-6c3baaba
C:\SwSetup\Drivers\TVTnr\AVerMedia.exe


Recommendations appreciated.

Thanks

#3 websitewendy


Posted 01 February 2011 - 12:43 PM

Hi.
I had to move my office and the machine booted up.
Trend ran a clean scan,
but of course I don't trust it :)
Any recommendations on how to make sure the machine is clean?

Thanks in advance.

Wendy

#4 quietman7


Posted 01 February 2011 - 01:44 PM

Try doing another online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator.
    To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished. If that's the case, please refer to How To Temporarily Disable Your Anti-virus.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




