
mshta.exe virus! can you help pls TB-Psychotic or anyone? [Solved]


  • This topic is locked
72 replies to this topic

#31 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 June 2014 - 07:20 AM

OK, just run a new scan, not the fix and post the new log



 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
 
Just a reminder that threads will be closed if no reply in 3 days.



#32 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 22 June 2014 - 07:22 AM

still there :(



#33 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 22 June 2014 - 07:25 AM

still there :(

 

ok just saw your post I will scan with frst 64

 

attached is the latest frst fixlog

Attached Files



#34 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 22 June 2014 - 07:36 AM

here is the frst log after a scan

Attached Files

  • Attached File  FRST.txt   61.81KB   200 downloads


#35 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 June 2014 - 07:45 AM

Looking over your new FRST, those entries have been removed and are gone

 

Let's check the actual file and see if it's infected

 

You need to enable windows to show all files and folders, instructions Here
 
Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, if it says this file has been checked before, have them recheck it. When the scan is done just copy and paste the link back to this forum for me to see.
 
C:\Windows\System32\mshta.exe
 
If the site is busy you can try this one


 
 

#36 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 22 June 2014 - 08:55 AM

https://www.virustot...60820/analysis/



#37 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 June 2014 - 09:00 AM

The file is fine and it's needed by Windows. Mshta showed up on your original DDS log. I would like you to run Combofix, as it's written by the same author and may pick up that virus

 

 

Download ComboFix from one of these locations:
 
 
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop
 
 
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     
     

    RC1.png

     
     
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    RC2-1.png

     
    Click on Yes, to continue scanning for malware.
     
    When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
     
    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


     
     

    #38 kunash

    kunash

      Authentic Member

    • Authentic Member
    • PipPip
    • 73 posts

    Posted 22 June 2014 - 09:50 AM

    hi, there were no messages to install the Microsoft Windows Recovery Console.  the log is attached

     

     

    Attached File  log.txt   37.98KB   213 downloads



    #39 kunash

    kunash

      Authentic Member

    • Authentic Member
    • PipPip
    • 73 posts

    Posted 22 June 2014 - 10:07 AM

    on a side note I wonder if you can help me.  my wife has windows 8.   she keeps getting the same pop ups - reg clean pro  , clean your registry.   we uninstall the program but it keeps coming back. 

     

    the pop ups pop up very frequently and are annoying.

     

    can you help pls, suggest a good program to install to remove the pop ups

     

    I have looked in the settings

     

    she has Norton 360 but no other firewalls or antivirus.

     

    my wife is thai and our 2 children do use her computer. when they download a program they want they may not always look at the boxes that pop up after, which asks do you want to install ask.com, or searchdial etc etc.  I know it is important to read all these boxes carefully, but I don't think she does

     

    any help pls with a program please?  and I will ask her to be more careful when downloading

     

     



    #40 ken545

    ken545

      Forum God

    • Retired Classroom Teacher
    • 23,225 posts
    • Interests:Fighting Malware and cooking some great Italian and TexMex food
    • MVP

    Posted 22 June 2014 - 10:12 AM

    Your system is fairly new so most new computers have a recovery console installed by the manufacturer

     

     

    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Registry::
     
     
     
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
    "RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
     
    DDS::
    uRun: [SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] mshta.exe http://gbc.psiuyfbe....yJP8FDAh2&log=1
    uRun: [RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] mshta.exe http://gbc.psiuyfbe....uq9jR1yJP8FDAh2
    uRunOnce: [RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] mshta.exe http://gbc.psiuyfbe....uq9jR1yJP8FDAh2
    
     
    Save this as CFScript to your desktop.
     
    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
     
    CFScriptB-4.gif
     
     
    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


     
     
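    The CFScript in post #40 targets Run and RunOnce values that launch mshta.exe with a remote URL. As an added example (not part of the original thread, and not code from DDS or ComboFix), this Python sketch flags that pattern in DDS-style autostart lines and groups the hits by value name; the sample log, value names and example.invalid URLs are constructed, and the line format is assumed from the three entries quoted in that post.

```python
import re

# DDS-style autostart line: "<section>: [<value name>] <command line>"
# (format assumed from the uRun/uRunOnce entries quoted in the thread).
ENTRY = re.compile(
    r"^\s*(?P<section>\w*Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$")

# mshta, with or without a path, quotes or ".exe", followed by a remote URL.
MSHTA_REMOTE = re.compile(r"""
    (?:^|[\\/"\s]) mshta(?:\.exe)? "? \s+ "?
    (?P<url>(?:https?|ftp)://[^\s"]+)
    """, re.IGNORECASE | re.VERBOSE)

# Constructed sample log; value names and URLs are placeholders.
SAMPLE_LOG = r"""
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized
uRun: [SystemBootEXAMPLE] mshta.exe http://host.example.invalid/b?id=EXAMPLE&log=1
uRun: [RegWriteEXAMPLE] mshta.exe http://host.example.invalid/w?id=EXAMPLE
uRunOnce: [RegWriteEXAMPLE] C:\Windows\System32\MSHTA.EXE "http://host.example.invalid/w?id=EXAMPLE"
mRun: [HelpViewer] mshta.exe C:\ProgramData\Vendor\help.hta
"""

def find_mshta_remote(log_text):
    """Return autostart entries whose command starts mshta with a remote URL."""
    hits = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        remote = MSHTA_REMOTE.search(entry.group("cmd"))
        if remote:  # a local .hta path is not flagged, only a remote URL
            hits.append({"section": entry.group("section"),
                         "name": entry.group("name"),
                         "url": remote.group("url")})
    return hits

def group_by_value_name(hits):
    """Map each flagged value name to the sections it appears in."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit["name"], []).append(hit["section"])
    return grouped

if __name__ == "__main__":
    for name, sections in group_by_value_name(find_mshta_remote(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(sections)}")
```

    The legitimate C:\Windows\System32\mshta.exe binary is left alone, as in the thread; what gets flagged is the autostart value that invokes it.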


    #41 ken545

    ken545

      Forum God

    • Retired Classroom Teacher
    • 23,225 posts
    • Interests:Fighting Malware and cooking some great Italian and TexMex food
    • MVP

    Posted 22 June 2014 - 10:21 AM

    Sorry, we crossed posts. What you need to do is start a new topic for your wife's computer. DDS may not run on Win 8, so have her download and run FRST and post the log, also explaining her problems. You can do this for her no problem, just name the reply Wife's Computer. We can use FRST to uninstall and remove RegCleanPro

     

     

    shopsave toolbar  <  CF also found this; if you can, I would uninstall it



     
     

    #42 kunash

    kunash

      Authentic Member

    • Authentic Member
    • PipPip
    • 73 posts

    Posted 22 June 2014 - 11:11 AM

    here is the log from the combo fix

     

    Attached File  log combofix.txt   37.56KB   186 downloads



    #43 kunash

    kunash

      Authentic Member

    • Authentic Member
    • PipPip
    • 73 posts

    Posted 22 June 2014 - 11:16 AM

    sorry I cannot find shop save toolbar  - I cannot search for it or find it on uninstall programs

     

    thanks for reply for my wife.  I will start a new topic maybe tomorrow.


    Edited by kunash, 22 June 2014 - 11:17 AM.


    #44 ken545

    ken545

      Forum God

    • Retired Classroom Teacher
    • 23,225 posts
    • Interests:Fighting Malware and cooking some great Italian and TexMex food
    • MVP

    Posted 22 June 2014 - 11:17 AM

    I no longer see mshta starting up in the new CF log, CF removed it, are you still getting those pop ups ?



     
     

    #45 ken545

    ken545

      Forum God

    • Retired Classroom Teacher
    • 23,225 posts
    • Interests:Fighting Malware and cooking some great Italian and TexMex food
    • MVP

    Posted 22 June 2014 - 11:29 AM

    If you still have OTL on your desktop we can remove shop saver

     

    Open OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
     
    :OTL
     
     
    :Services
     
    :Reg
     
    :Files
    c:\program files (x86)\shopsave toolbar
    ipconfig /flushdns /c
     
     
    :Commands
    [purity]
    [resethosts]
    [EMPTYJAVA] 
    [emptytemp]
    [start explorer]
    [Reboot]
     
  • Then click the Run Fix button at the top. <--Not run Scan
  • Let the program run unhindered, reboot when it is done
  • Then post the results of the log it produces


     
     