mshta.exe

(New)
(!)

drago_d's Avatar
drago_d drago_d is offline
Junior Member with 7 posts.
THREAD STARTER
 
Join Date: Oct 2008
13-Feb-2010, 11:27 PM #1
mshta.exe
I have a Dell 1501 laptop with Vista 32 Basic. Two days ago I executed a file with extension .hta. As far as I know mshta.exe is a Windows system file used to execute that type of file. Until today I got a warning from my ESET Smart Security when I was on the megaupload website. When I was about to download a file a pop-up window showed up and Mozilla closed by itself. Then I tried again with Opera, the same. Then ESET notified me about the warnings and 2 processes asked permission to start as admin; I cancelled it. I had 3 or 4 processes in the task manager and terminated them immediately and
submitted them to VirusTotal. I switched the firewall to block all traffic and disconnected from the network. I read about mshta.exe and some people saying this process is not supposed to be on a Vista machine, only on XP. Let's say I will get rid of the files in the temp folder. But what if mshta.exe should exist on Vista and it's hijacked?
The Eset log says:

**********************************
2/13/2010 9:56:36 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\monserwxac.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:34 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mwonacersx.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:33 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\nxreawmcso.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:31 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\xrsownecma.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:27 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\xmwosanecr.exe Win32/TrojanDownloader.FakeAlert.ATS trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:26 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mxcrsoaenw.exe Win32/TrojanDownloader.FakeAlert.ATS trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mnxcwosaer.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\sxmerowacn.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:06 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\omwxnarcse.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:04 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\scnmweaxro.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:01 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\scanoxwerm.exe Win32/TrojanDownloader.Delf.PFZ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:59 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\waenocrxms.exe Win32/TrojanDownloader.Delf.PFZ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\exncwmarso.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mxrsonwaec.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.

**********************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:24 PM, on 2/13/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\conime.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
--
End of file - 5659 bytes
**************************

Any help is appreciated
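mshta.exe ships with Windows on Vista as well as XP, so the useful signal in the ESET log above is not that the binary exists but that it is the process writing executables into the user's Temp folder. As an added example (not part of the original post or of ESET's tooling), a small parser for those real-time protection lines that groups detections by the creating process and flags script hosts dropping .exe files into Temp; the set of script-host names and the Temp-path check are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two entries copied from the ESET log in the post above (ESET's own line format).
SAMPLE_LOG = r"""
2/13/2010 9:56:36 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\monserwxac.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\exncwmarso.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
"""

# Timestamp, detected file, threat name, action taken, and the process that wrote the file.
# Assumes the detected path contains no spaces, as in the log above.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Real-time file system protection file (?P<path>\S+) "
    r"(?P<threat>.+?) (?P<action>cleaned by deleting(?: \(after the next restart\))?) - quarantined "
    r"Event occurred on a new file created by the application: (?P<creator>.+?)\.?$"
)

# Assumed list of Windows script hosts that should not be dropping executables into Temp.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def parse_entries(text):
    """Return one dict per ESET detection line; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
        # Normalise "a variant of Win32/X trojan" to the bare family name.
        rec["family"] = rec["threat"].removeprefix("a variant of ").removesuffix(" trojan")
        rec["creator_name"] = rec["creator"].rsplit("\\", 1)[-1].lower()
        entries.append(rec)
    return entries


def dropped_by_script_host(entries):
    """Group detections by creating process, keeping only script hosts writing .exe into Temp."""
    by_creator = defaultdict(list)
    for rec in entries:
        path = rec["path"].lower()
        in_temp = "\\appdata\\local\\temp\\" in path
        if rec["creator_name"] in SCRIPT_HOSTS and in_temp and path.endswith(".exe"):
            by_creator[rec["creator_name"]].append(rec)
    return dict(by_creator)


if __name__ == "__main__":
    for host, recs in dropped_by_script_host(parse_entries(SAMPLE_LOG)).items():
        print(f"{host}: {len(recs)} executables dropped into Temp; families: "
              f"{sorted({r['family'] for r in recs})}")
```

Run against the full log in the post, the same grouping shows every detection attributed to C:\Windows\system32\mshta.exe, which is the evidence that the .hta is the thing to remove rather than the system binary.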