mshta.exe virus! can you help pls TB-Psychotic or anyone? [Solved]


  • This topic is locked
72 replies to this topic

#46 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 22 June 2014 - 11:57 PM

Sadly, yes, I am still getting the pop-ups. I will run the fix for the shop saver later this morning.


    Advertisements

Register to Remove


#47 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 01:35 AM

Here is the OTL log.

 

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\program files (x86)\shopsave toolbar folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYJAVA]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Public
 
User: Simon
->Java cache emptied: 860 bytes
 
Total Java Files Cleaned = 0.00 mb
 
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: Simon
->Temp folder emptied: 236096 bytes
->Temporary Internet Files folder emptied: 3059822 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 540 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7580 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 3.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 06232014_083038

Files\Folders moved on Reboot...
C:\Users\Simon\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\DhmkJ2TR0QN[2].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\DhmkJ2TR0QN[3].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\EvPKapBawcLZ3hbihjhqAT8E0i7KZn-EPnyo3HZu7kw[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\fastbutton[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\HqHm7BVC_nzzTui2lzQTDT8E0i7KZn-EPnyo3HZu7kw[1].woff moved successfully.
File\Folder C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\rs=AItRSTNgkFTGNv6LMThqCTzx60dwtZJn5A[1].js not found!
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\s-BiyweUPV0v-yRb-cjciBsxEYwM7FgeyaSgU71cLG0[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\sp1_LTSOMWWV0K5VTuZzvQ[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T4MYC7CD\A4RWZsncmJ25G8iqn2EHN_esZW2xOQ-xsNqO47m55DA[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T4MYC7CD\xIAtSaglM8LZOYdGmG1JqQ[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JRDKL8Q2\index[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JRDKL8Q2\postmessageRelay[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3WZMZ5KX\like[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F46ZT980\reg2[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



#48 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 05:51 AM

Good morning,

 

I spent the better part of an hour searching for a cure for this virus and it looks like all we have done so far has gotten rid of it, thanks for hanging in there with me.

 

Why don't you run a new scan with FRST and post the log please, then do this:

 

You will need the 64-bit version of this program.

 

Download and Run SystemLook
 
Please download SystemLook from one of the links below and save it to your Desktop.
 
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:regfind
mshta.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#49 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 08:45 AM

Hi, thanks for hanging in there with me also.

 

Here is the FRST log.

 

Attached File  FRST.txt   63.22KB   176 downloads



#50 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 08:49 AM

SystemLook log

 

Attached File  SystemLooklog.txt   6.99KB   243 downloads



#51 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 09:24 AM

I am going to post two fixes; let's do the one with FRST first and then a new script with ComboFix.

 

If you still have a fixlist and CFScript on your desktop, delete them both.

 

 

 
Open notepad (Start =>All Programs => Accessories => Notepad).
Please copy the entire contents of the code box below.
(To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.
 

Start
HKU\S-1-5-21-2615214989-2497064625-3642582449-1000\...\Run: [SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] => mshta.exe http://gmk.ubosnejs....yJP8FDAh2&log=1
HKU\S-1-5-21-2615214989-2497064625-3642582449-1000\...\Run: [RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] => mshta.exe http://gmk.ubosnejs....uq9jR1yJP8FDAh2
HKU\S-1-5-21-2615214989-2497064625-3642582449-1000\...\RunOnce: [RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] - mshta.exe http://gmk.ubosnejs....uq9jR1yJP8FDAh2
Hosts::
End
 
Then open frst.exe (or frst64.exe) and click on Fix, then post the log it produces please.



#52 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 09:28 AM

 
Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Registry::
 
 
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce]
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_USERS\S-1-5-21-2615214989-2497064625-3642582449-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_USERS\S-1-5-21-2615214989-2497064625-3642582449-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_USERS\S-1-5-21-2615214989-2497064625-3642582449-1000\Software\Microsoft\Windows\CurrentVersion\runonce]
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
 
Save this as CFScript to your desktop.
 
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
 
CFScriptB-4.gif
 
 
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



#53 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 10:13 AM

FRST log

 

Attached File  Fixlog.txt   1.41KB   195 downloads

 

 



#54 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 10:29 AM

ComboFix log

 

 



#55 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 10:44 AM

Logs look like they've done their job. Reboot and see if this pest is gone.





#56 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 10:55 AM

ComboFix log

 

 




#57 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 11:00 AM

The pop-up seems as if it is superglued to my computer.

 

Rebooted and it is still there, sadly.



#58 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 11:01 AM

Look for it in these folders and delete it if found.

 

Your personal startup folder should be C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
 
The All Users startup folder should be C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.


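The FRST fixlist and the ComboFix CFScript above both remove the same thing: Run and RunOnce values that launch mshta.exe with a remote URL, and the post just above adds the two Startup folders as places to check. The script below is an added example (it is not from this thread, ken545, or the FRST/ComboFix/SystemLook tools) that performs that same audit with built-in PowerShell: it lists every Run/RunOnce value in HKCU and HKLM (HKCU is the logged-on user's HKU\S-1-5-21-... hive) and every file or shortcut in both Startup folders whose command matches mshta.exe followed by an http(s) URL. Registry hits can be removed with the hypothetical -Remove switch, which prompts before each deletion; Startup-folder hits are reported only. The value names, key paths and URL pattern are assumptions for the example, not identifiers from the page.

```powershell
# Added example, not from the thread: audit Run/RunOnce keys and both Startup
# folders for entries that launch mshta.exe with a remote URL, then optionally
# remove the registry entries. Run in the affected user's session.
param(
    [switch]$Remove   # hypothetical switch: delete matching registry values (with confirmation)
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed pattern: "mshta" or "mshta.exe", optionally quoted, followed by an http(s) URL.
$pattern = '(?i)mshta(\.exe)?"?\s+["'']?https?://'

# Property names the registry provider adds to every Get-ItemProperty result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Registry autoruns
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }
        if ("$($p.Value)" -match $pattern) {
            $findings.Add([pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = "$($p.Value)"
            })
        }
    }
}

# 2. Startup folders (per-user and All Users); .lnk targets are resolved via WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $text = if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            "$($lnk.TargetPath) $($lnk.Arguments)"
        } else {
            Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
        }
        if ("$text" -match $pattern) {
            $findings.Add([pscustomobject]@{
                Location = $dir
                Name     = $file.Name
                Command  = "$text"
            })
        }
    }
}

# 3. Report, and optionally remove the registry entries (files are reported only)
if ($findings.Count -eq 0) {
    Write-Host 'No mshta.exe launch entries found in Run/RunOnce keys or Startup folders.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    if ($Remove) {
        foreach ($f in $findings | Where-Object { $_.Location -like 'HK*' }) {
            Remove-ItemProperty -Path $f.Location -Name $f.Name -Confirm
        }
    }
}
```

Run it once without -Remove to see what would be touched; the Run/RunOnce values in the CFScript above are exactly the kind of entry it lists. Because a RunOnce value is deleted by Windows as soon as it executes, a clean run after a reboot does not by itself prove the pop-up is gone, which is why the thread keeps rebooting and re-checking.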

#59 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 12:04 PM

Looked in both and nothing there.



#60 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 12:57 PM

OK, just hang in and let me get another pair of eyes to look this over.


