
mshta.exe

Discussion in 'Virus & Other Malware Removal' started by drago_d, Feb 13, 2010.

Thread Status:
Not open for further replies.
  1. drago_d (Thread Starter)

     Joined: Oct 27, 2008
     Messages: 7
    I have a Dell 1501 laptop with Vista 32 Basic. 2 days ago I executed a file with extension .hta. As far as I know mshta.exe is a Windows system file used to execute that type of file. Until today I got a warning from my ESET Smart Security when I was on the megaupload website. When I was about to download a file a pop-up window showed up and Mozilla closed by itself. Then I tried again with Opera, the same. Then ESET notified me about the warnings and 2 processes asked permission to start as admin; I cancelled it. I had 3 or 4 processes in the task manager and terminated them immediately and
    submitted them to VirusTotal. Switched the firewall to block all traffic and disconnected from the network. I read about mshta.exe and some people saying this process is not supposed to be on a Vista machine, only on XP. Let's say I will get rid of the files in the temp folder. But what if mshta.exe should exist on Vista and it's hijacked?
    The Eset log says:

    **********************************
    2/13/2010 9:56:36 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\monserwxac.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:34 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mwonacersx.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:33 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\nxreawmcso.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:31 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\xrsownecma.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:27 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\xmwosanecr.exe Win32/TrojanDownloader.FakeAlert.ATS trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:26 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mxcrsoaenw.exe Win32/TrojanDownloader.FakeAlert.ATS trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mnxcwosaer.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:10 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\sxmerowacn.exe a variant of Win32/Cimag.BR trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:06 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\omwxnarcse.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:04 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\scnmweaxro.exe a variant of Win32/Olmarik.UE trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:56:01 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\scanoxwerm.exe Win32/TrojanDownloader.Delf.PFZ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:55:59 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\waenocrxms.exe Win32/TrojanDownloader.Delf.PFZ trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\exncwmarso.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
    2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\mxrsonwaec.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.

    **********************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:20:24 PM, on 2/13/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16764)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Opera\opera.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
    O2 - BHO: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\pdfforgeToolbarIE.dll
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O13 - Gopher Prefix:
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
    --
    End of file - 5659 bytes
    **************************

    Any help is appreciated
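Every ESET line in the post names the parent process that wrote the quarantined file, and in each case it is C:\Windows\system32\mshta.exe; mshta.exe is a legitimate Windows component on Vista as well, so the useful signal in this log is what the process did (writing executables into a user's Temp folder), not that it exists. The Python below is an added example, not part of the original thread or any tool named in it: it parses ESET's "Real-time file system protection" event format and groups the dropped Temp executables by the script host that created them. The sample lines are copied from the post above; the set of script-host names is the author's own choice for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three ESET "Real-time file system protection" lines copied
# verbatim from the post above, so the parser can be run offline.
SAMPLE_LOG = r"""
2/13/2010 9:56:36 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\monserwxac.exe a variant of Win32/Kryptik.CFG trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:56:33 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\nxreawmcso.exe Win32/TrojanDownloader.FakeAlert.AUC trojan cleaned by deleting - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
2/13/2010 9:55:54 PM Real-time file system protection file C:\Users\dddd\AppData\Local\Temp\exncwmarso.exe a variant of Win32/TrojanClicker.Punad.AA trojan cleaned by deleting (after the next restart) - quarantined Event occurred on a new file created by the application: C:\Windows\system32\mshta.exe.
"""

# One event per line: timestamp, quarantined path (may contain spaces, hence the
# lazy match), threat name, and the parent process that created the file.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Real-time file system protection file (?P<path>.+?) "
    r"(?:a variant of )?(?P<threat>\S+) trojan cleaned by deleting"
    r".*?created by the application: (?P<parent>.+?)\.?$"
)

# Script hosts that legitimately live in system32 (mshta.exe included) but are
# frequently used to write payloads; the signal is the behaviour, not the file.
# This set is an illustrative choice, not an ESET or Microsoft list.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def parse_eset_log(text):
    """Return one dict (ts, path, threat, parent) per line in ESET's event format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_temp_drops(events):
    """Map each script-host parent to the .exe files it wrote into a user's Temp.

    Only events whose parent is a known script host and whose quarantined path is
    an executable under \\AppData\\Local\\Temp\\ are kept, so an ordinary detection
    (for example a browser download) is not mistaken for a dropper chain.
    """
    hits = defaultdict(list)
    for ev in events:
        parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
        dropped = ev["path"]
        in_temp = "\\appdata\\local\\temp\\" in dropped.lower()
        if parent_name in SCRIPT_HOSTS and in_temp and dropped.lower().endswith(".exe"):
            hits[ev["parent"]].append(dropped)
    return dict(hits)
```

Run against the full log from the post, `flag_temp_drops` yields a single key, the mshta.exe path, with all fourteen Temp executables under it, which is the dropper relationship the question is asking about.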
     

Short URL to this thread: https://techguy.org/902811