Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

mshta.exe Asian porn popup hell.


  • Please log in to reply
8 replies to this topic

#1 Nzug

Nzug

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 30 July 2014 - 06:28 AM

First off, if I could find the person responsible for making this malware, I guarantee you he'd wish he never made it.

Constantly I'm suffering from some Asian porn ad that pops up in the lower right of my screen. Even efforts to move it the %#* out of the way don't work as it takes 5 seconds for it to pop back into position. It disappears every time I delete mshta.exe from my processes, but of course it proves it has far more control over my computer than I do and comes back.

This morning I've downloaded and ran the most recent and up to date - Security Check, Malwarebytes, mbar, CCleaner, JRT, rkill.exe, IObit Malware Fighter, and some online security scan I found linked here somewhere. I've been running these, and again in safe mode, with and without command prompt and networking.

Every one of these slams me with a congratulatory clean system message with 0 infections. I can't tell you how infuriating this experience is.

I've found this exact issue was first mentioned in 2010, and I'm surprised it's still dominating after nearly 5 years.

The hell do I do?

BC AdBot (Login to Remove)

 


#2 McSheHe

McSheHe

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 30 July 2014 - 08:04 AM

Have you checked your startup programs in msconfig if it's windows 7? It's possible it's set to run as soon as your computer starts, the exe is most likely located in the appdata folder.

  • Open a run box with the windows key+R
  • Type in msconfig
  • Navigate to the Startup tab
  • Expand the "Command" column which should allow you to see exactly what is running
  • Locate the mshta.exe file and un-check it, if you can make a note of the path (i.e. C:\Users\"Username"\Appdata\Roaming\..."
  • You should reboot the computer as the program will no longer run on start-up
  • If you noted where the program path was you can now navigate to the containing folder and delete it


#3 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:37 AM

Posted 30 July 2014 - 08:14 AM

Make sure that MBAM is allowed to scan for rootkits. Check settings, update and rescan. Tell us if it found and removed a rootkit or

other malware. You can copy and paste the log back here.

 

download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Run the ESET Online Scanner.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 Nzug

Nzug
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 30 July 2014 - 08:42 AM

It was there, and I unchecked it. It still pops up and says I need permission from TrustedInstaller to make changes.

#5 McSheHe

McSheHe

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 AM

Posted 30 July 2014 - 09:28 AM

Did you happen to make a note of the containing folder? I can walk you through correcting the permissions of the folder to allow you to delete it



#6 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:37 AM

Posted 30 July 2014 - 09:32 AM

The Asian porn popup is often associated with a rootkit. That is why I have asked you to make sure MBAM is scanning

for rootkits. If it does not find any then follow the directiions below along with doing the other scans I requested.

 

Download TDSSKiller and save it to your desktop.

  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#7 Nzug

Nzug
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 31 July 2014 - 12:25 AM

No malware found.

Avast
SecurityCheck
Malwarebytes Anti-Malware
CCleaner
JRT
rkill
mbar
IObit Malware fighter
AdwCleaner.
Wise Registry Cleaner
Hijack This

Pop up keeps winning.

#8 Nzug

Nzug
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:37 AM

Posted 31 July 2014 - 12:34 AM

I forgot to add, I changed permissions for it and managed to delete it. Yet it keeps coming back under TrustedInstaller permissions only.

My IE wouldn't open, but a single click opened over 10 instances of IE in processes.

Uninstalled IE, downloaded and reinstalled IE.

Still pop up.

#9 buddy215

buddy215

  • Moderator
  • 13,261 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:37 AM

Posted 31 July 2014 - 05:07 AM

You should uninstall all IObit programs and Wise Registry Cleaner.

 

Did you allow MBAM to scan for rootkits?

Have you scanned using the TDSS Killer?

 

If you have done the above and still see the popup you will need to start a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs Forum - BleepingComputer.com Forum.

Follow these instructions for posting a DDS log in that forum: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help - Virus, Trojan, Spyware, and Malware Removal Logs

 

Once you have posted the DDS log in that forum, do not bump your topic. Wait for a response. It may be a few days wait...not sure how long.

 

EDIT: IF TDSS Killer and MBAM did not find a rootkit, there is another possibility to remove the

popups. Do a System Restore using a restore point made prior to getting the popups.

System Restore - Microsoft Windows


Edited by buddy215, 31 July 2014 - 05:36 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users