BHO causing trouble

Discussion in 'malware problems & news' started by lildill, Sep 4, 2005.

Thread Status:
Not open for further replies.
  1. lildill

    lildill Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    A BHO has been downloaded to my system and keeps popping up random things. I have no idea how to get rid of it. I scanned it through HijackThis, found it, and clicked repair... but it comes back. It's REALLY annoying and I'd GREATLY appreciate it if someone could give me a hand!

    Thanks,
    Dylan
     
  2. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Did you run a scan with Spybot or Ad-aware or Spyware Doctor? Run an anti-spyware scan to see if it can be fixed in a simple way.
    Remember to update your anti-spyware definitions before scanning.

    Get back to us with what you see.
     
  3. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    What happened? Any new developments?
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Can you give the full file path?

    What is the file, is it a .dll file?

    Are there any other associated files/auto-runs etc?

    You should give yourself an online scan here:-

    http://www.ewido.net/en/onlinescan/run/
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
  6. lildill

    lildill Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    Sorry guys, I was running some other programs.

    Umm, it's in my system32...

    C:\WINDOWS\system32\ssttt.dll

    That's the one! It's still here after numerous scans with many different programs.
     
  7. abhi_mittal

    abhi_mittal Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    887
    Location:
    Bangalore
    Which programs? Can you elaborate?
     
  8. lildill

    lildill Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    Sure.

    I used:

    Ad-aware
    Spybot Search and Destroy
    Ewido Security Suite
    CWShredder
    HijackThis
    Stinger
    VX2 Finder

    Umm, I think that's pretty much it. I'm doing the online Ewido scan right now as we speak.
     
  9. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Use Unlocker to delete C:\WINDOWS\system32\ssttt.dll (right-click on the file and choose Unlocker). Then run online scans with Bitdefender, Trend Micro HouseCall & Panda from my signature, as well as Ad-aware & Spybot Search and Destroy again. :)
     
  10. lildill

    lildill Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    Hey,

    Ya I did that unlocker thing, and basically the first time I tried it, my computer crashed... so I did it again, computer crashed again, but this time.... the thing was deleted off my system.

    So I dunno what all the crashes were about.. but I'll keep you posted if anything pops up again

    Thanks for all your help guys!
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You would need to select 'delete' in the drop-down box on the LHS of Unlocker. You would also need to click 'Unlock All'. Did you do that on the first occasion?

    You've probably got some cleaning-up to do in the C:\WINDOWS\system32 folder. Look out for any files labelled ssttt; and for good measure look out for tttss files as well! If you find anything check out the properties 'cos any other files with the same date and time stamp will be suspect.

    You've probably got some Reg cleaning to do as well, but HJT should help.
     
  12. lildill

    lildill Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    Oh ya, I found a tttss.ini file in my system32 folder. Should I unlock it?
    I also found a tttss.bak1 right beside it...

    Both files were created on the same day as the BHO was added.

    I'm guessing I should unlock them... but just to be sure I wanna ask you guys first before I go and do anything.
     
  13. Get

    Get Guest

    It's not very useful doing things this way. You could better post your (recent!) HijackThis logfile, after registering, Here (Malware Removal).
     
  14. lildill

    lildill Registered Member

    Joined:
    May 25, 2004
    Posts:
    34
    I'll just wait until they tell me to delete these files.... It's cleared up (not giving me any trouble anymore) but these files are looking suspicious.
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I doubt that you will need to unlock the tttss file, just delete it. But before you do that bring up its Property box and note the date and time stamp of its creation. You are bound to have other 'bad' files with the same credentials (i.e. created at the same moment) that you should search for.

    When you used Unlocker did you note what processes the ssttt.dll file was hooked to? It probably would have been Winlogon and/or Explorer. In which case have a look in your HJT log for something like:-

    O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\msagent\ssttt.dll (No File)

    If you have anything like that fix it.

    Else you could bring up Regedit and search for entries relating to ssttt and/or tttss.
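
Added example, not part of any post in this thread: a small triage script for the HijackThis log check described above. It flags O2 (BHO) and O20 (Winlogon Notify) entries whose file name matches ssttt/tttss or that are marked "(No File)". The sample log is constructed (its CLSIDs and the Example paths are placeholders), and the function name `triage_hjt_log` is hypothetical.

```python
import re
from pathlib import PureWindowsPath

# File names reported in the thread; the log below is constructed sample data.
SUSPECT_STEMS = {"ssttt", "tttss"}

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ssttt.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\msagent\ssttt.dll (No File)
"""

# O2 = Browser Helper Objects, O20 = Winlogon Notify: both load a DLL at startup.
LINE_RE = re.compile(r"^(O2|O20) - (?:BHO|Winlogon Notify): (.+)$")
# Trailing file path, optionally followed by HijackThis's "(No File)" marker.
PATH_RE = re.compile(r"([A-Za-z]:\\[^()]*?\.\w+)\s*(\(No File\))?\s*$", re.I)


def triage_hjt_log(text, suspect_stems=SUSPECT_STEMS):
    """Return O2/O20 entries that match a suspect name or point at a missing file."""
    findings = []
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        target = PATH_RE.search(line.group(2))
        if not target:
            continue
        path = PureWindowsPath(target.group(1).strip())
        reasons = []
        if path.stem.lower() in suspect_stems:
            reasons.append("name matches suspect file")
        if target.group(2):
            reasons.append("file missing, registry entry left behind")
        if reasons:
            findings.append(
                {"section": line.group(1), "path": str(path), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f["section"], f["path"], "; ".join(f["reasons"]))
```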
     
  16. Get

    Get Guest

    Well, good luck then, but it's not a wise decision. This is just guessing and hoping you fixed everything while at the link I gave you people will see the facts (hjt-log etc.) and then fix everything.
     