13-Feb-2010, 11:27 PM
#1
mshta.exe

I have a Dell 1501 laptop with Vista 32 Basic. 2 days ago I executed a file with extension .hta. As far as I know mshta.exe is a Windows system file used to execute that type of files. Until today I got a warning from my ESET Smart Security when I was on the megaupload website. When I was about to download a file a pop-up window showed up and Mozilla closed by itself. Then I tried again with Opera, the same. Then ESET notified me about the warnings and 2 processes asked permission to start as admin; I canceled it. I had 3 or 4 processes in the task manager and terminated them immediately and submitted them to VirusTotal. Switched the firewall to block all traffic and disconnected from the network. I read about mshta.exe and some people saying this process is not supposed to be on a Vista machine, only on XP. Let's say I will get rid of the files in the temp folder. But what if mshta.exe should exist on Vista and it's hijacked?

The ESET log says:

**********************************
2/13/2010 9:56:36 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\monserwxac.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:34 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mwonacersx.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:33 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\nxreawmcso.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:31 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\xrsownecma.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:27 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\xmwosanecr.exe Win32/TrojanDownloader.FakeAlert.ATS trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:26 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mxcrsoaenw.exe Win32/TrojanDownloader.FakeAlert.ATS trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mnxcwosaer.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\sxmerowacn.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:06 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\omwxnarcse.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:04 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\scnmweaxro.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:01 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\scanoxwerm.exe Win32/TrojanDownloader.Delf.PFZ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:59 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\waenocrxms.exe Win32/TrojanDownloader.Delf.PFZ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\exncwmarso.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mxrsonwaec.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
**********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:24 PM, on 2/13/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 5659 bytes
**************************

Any help is appreciated
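An added example, not part of the original post: a small parser for ESET real-time protection entries of the shape quoted above. It groups the quarantined files by the application that created them, so a defender can see at a glance that a single parent (here the legitimate Windows component mshta.exe, driven by the .hta the poster ran) wrote every detected executable into the user's Temp folder. The sample log lines are constructed from the post; the field names and helper functions are this example's own.

```python
import re
from collections import defaultdict

# Sample entries constructed from the ESET log quoted in the post above (not a live log).
ESET_LOG = r"""
2/13/2010 9:56:36 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\monserwxac.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:33 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\nxreawmcso.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mnxcwosaer.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:06 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\omwxnarcse.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\exncwmarso.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
"""

# One ESET real-time protection entry: timestamp, detected file, threat name,
# action taken, and the parent application that created the file.
ENTRY_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Real-time file system protection file (?P<path>\S+) (?P<threat>.+?) "
    r"(?P<action>cleaned by deleting(?: \(after the next restart\))? - quarantined) "
    r"Event occurred on a new file created by the application: (?P<parent>\S+?)\.?$"
)

def parse_eset_log(text):
    """Return one dict per entry; lines that are not detection events are skipped."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def dropped_by_parent(events):
    """Map each parent application (case-folded) to the detected files it created."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["parent"].lower()].append(e["path"])
    return dict(by_parent)

def suspicious_droppers(events, temp_marker="\\appdata\\local\\temp\\"):
    """Flag parents that wrote detected .exe files into a user's Temp folder and
    list the distinct threat names per parent.  A system interpreter such as
    mshta.exe doing this repeatedly is the pattern worth investigating: it is
    usually a legitimate binary running a malicious .hta, not a replaced binary."""
    flagged = defaultdict(set)
    for e in events:
        path = e["path"].lower()
        if temp_marker in path and path.endswith(".exe"):
            flagged[e["parent"].lower()].add(e["threat"])
    return {parent: sorted(threats) for parent, threats in flagged.items()}

if __name__ == "__main__":
    for parent, threats in suspicious_droppers(parse_eset_log(ESET_LOG)).items():
        print(f"{parent}: {len(threats)} distinct detections written to Temp")
```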