Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91984 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

mshta.exe virus! can you help pls TB-Psychotic or anyone? [Solved


  • This topic is locked This topic is locked
72 replies to this topic

#46 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 22 June 2014 - 11:57 PM

sadly, yes I am still getting the pop ups.   I will run the fix for the shop saver later this morning


    Advertisements

Register to Remove


#47 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 01:35 AM

here is the otl log

 

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\program files (x86)\shopsave toolbar folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Simon\Desktop\cmd.bat deleted successfully.
C:\Users\Simon\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYJAVA]
 
User: All Users
 
User: Default
 
User: Default User
 
User: Public
 
User: Simon
->Java cache emptied: 860 bytes
 
Total Java Files Cleaned = 0.00 mb
 
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: Simon
->Temp folder emptied: 236096 bytes
->Temporary Internet Files folder emptied: 3059822 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 540 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7580 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 3.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 06232014_083038

Files\Folders moved on Reboot...
C:\Users\Simon\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\DhmkJ2TR0QN[2].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\DhmkJ2TR0QN[3].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\EvPKapBawcLZ3hbihjhqAT8E0i7KZn-EPnyo3HZu7kw[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\fastbutton[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\HqHm7BVC_nzzTui2lzQTDT8E0i7KZn-EPnyo3HZu7kw[1].woff moved successfully.
File\Folder C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\rs=AItRSTNgkFTGNv6LMThqCTzx60dwtZJn5A[1].js not found!
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\s-BiyweUPV0v-yRb-cjciBsxEYwM7FgeyaSgU71cLG0[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UCPEWH3Z\sp1_LTSOMWWV0K5VTuZzvQ[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T4MYC7CD\A4RWZsncmJ25G8iqn2EHN_esZW2xOQ-xsNqO47m55DA[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T4MYC7CD\xIAtSaglM8LZOYdGmG1JqQ[1].woff moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JRDKL8Q2\index[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JRDKL8Q2\postmessageRelay[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3WZMZ5KX\like[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F46ZT980\reg2[1].htm moved successfully.
C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...



#48 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 05:51 AM

Good morning,

 

I spent the better part of an hour searching for a cure for this virus and it looks like all we have done so far has gotten rid of it, thanks for hanging in there with me.

 

Why dont you run a new scan with FRST and post the log please, then do this

 

You will need the 64 bit version of this program

 

Download and Run SystemLook
 
Please download SystemLook from one of the links below and save it to your Desktop.
 
  •  
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:regfind
mshta.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#49 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 08:45 AM

hi thanks for hanging in there with me also

 

here is the frst log

 

Attached File  FRST.txt   63.22KB   44 downloads



#50 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 08:49 AM

systemlook log

 

Attached File  SystemLooklog.txt   6.99KB   101 downloads



#51 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 09:24 AM

I am going to post two fixes, lets do the one with FRST first and then a new script with Combofix

 

If you still have a fixlist and CFScript still on your desktop delete them both

 

 

 
Open notepad (Start =>All Programs => Accessories => Notepad).
Please copy the entire contents of the code box below.
(To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
Save it to the same direction as frst.exe (or frst64.exe) as fixlist.txt.
 

Start
HKU\S-1-5-21-2615214989-2497064625-3642582449-1000\...\Run: [SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] => mshta.exe http://gmk.ubosnejs....yJP8FDAh2&log=1
HKU\S-1-5-21-2615214989-2497064625-3642582449-1000\...\Run: [RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] => mshta.exe http://gmk.ubosnejs....uq9jR1yJP8FDAh2
HKU\S-1-5-21-2615214989-2497064625-3642582449-1000\...\RunOnce: [RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2] - mshta.exe http://gmk.ubosnejs....uq9jR1yJP8FDAh2
Hosts::
End
 
Then open frst.exe (or frst64.exe) and click on Fix, then post the log it produces please

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#52 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 09:28 AM

 
Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard,  then paste it into Notepad, make sure there is no space before and above Registry::
 
 
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce]
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_USERS\S-1-5-21-2615214989-2497064625-3642582449-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBooteHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_USERS\S-1-5-21-2615214989-2497064625-3642582449-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
[HKEY_USERS\S-1-5-21-2615214989-2497064625-3642582449-1000\Software\Microsoft\Windows\CurrentVersion\runonce]
"RegWriteeHQ088Vh8yxWhinGduq9jR1yJP8FDAh2"=-
 
Save this as CFScript to your desktop.
 
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
 
CFScriptB-4.gif
 
 
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#53 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 10:13 AM

frst log

 

Attached File  Fixlog.txt   1.41KB   59 downloads

 

 



#54 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 10:29 AM

combofix log

 

 



#55 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 10:44 AM

Logs look like they done there job.  Reboot and see if this pest is gone 


Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.

    Advertisements

Register to Remove


#56 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 10:55 AM

combofix log

 

 

Attached Files



#57 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 11:00 AM

the pop up seems as if it is super glued to my computer.

 

rebooted and still there, sadly



#58 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 11:01 AM

Look for it in these folders and delete it if found

 

Your personal startup folder should be C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
 
The All Users startup folder should be C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.


#59 kunash

kunash

    Authentic Member

  • Authentic Member
  • PipPip
  • 73 posts

Posted 23 June 2014 - 12:04 PM

looked in both and nothing there



#60 ken545

ken545

    Forum God

  • Classroom Teacher
  • 23,207 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 June 2014 - 12:57 PM

OK, just hang in and let me get another pair of eyes to look this over


Jeffce_zpsa19ee2e6.png

 

 

 

Want to help others, Join our Malware Removal Classroom  HERE

The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif

 

Find us on Facebook
Please LIKE and SHARE

 

 

Just a reminder that threads will be closed if no reply in 3 days.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users