mshta.exe virus?
Author Topic: mshta.exe virus?  (Read 191 times)
fpswillerd
Newbie
*
Posts: 14


« on: June 29, 2011, 09:21:46 PM »

So, I was surfing the internet, trying to watch a movie from a website and I clicked on one of the links or websites to watch the movie. Like always, several advertisements popped up (likely the source of the virus). The movie was removed, so I just left it and did something else when a window popped up from my ISP's Anti-Virus which they provide for free. It said a suspicious file named "mshta.exe" was trying to access something in my computer. Before I chose what rule to set it to, I googled it and the general consensus was that if it's in the system32 folder it's fine, and it's used to run HTML files or something like that. I thought this was strange considering it came so randomly, but sure enough, it was in my system32 folder so I chose to allow once.

So, here's where things happen:
1. I update MBAM real quick in case it's a virus and just as it finishes, my ISP's Anti-Virus crashes.
2. MBAM finds this file to be suspicious: C:\Users\(USER)\AppData\Local\Temp\omrxwnesac.exe
3. Now, I know it's a virus, but I already quarantined it and my computer is still obviously using up CPU.
4. Check my task manager and I see two processes with a name similar to the above running.
5. I end the processes, and check my Temp folder and all three are there.
6. Downloaded SAS and it found nothing.
7. MBAM only had 2 of the 3 (the one mentioned above, and one of the others that I closed), however one still remains.


My issue is that the virus seemed to either originate from mshta.exe (located in system32), or was opened/executed by mshta.exe. Does that mean mshta.exe is part of the virus? And there seem to be one or more of these files. I see at least one called "mrwscaonxe.exe" in the same folder but I don't know how to delete it myself if MBAM doesn't catch it.


Please help,
Willy

P.S. Hopefully you can give me instructions that don't require me to shut down my computer. Last time I shut down and I had a virus things went south. And I won't be on for a good 9 hours so please don't be upset if I don't reply.
Britec
Administrator
Hero Member
*****
Posts: 3497



« Reply #1 on: June 30, 2011, 03:31:13 AM »

Getting Hijackthis and installing it correctly

Click here to download HJTsetup.exe

•   Save HJTsetup.exe to your desktop.
•   Double click on the HJTsetup.exe icon on your desktop.
•   By default it will install to C:\Program Files\Hijack This.
•   Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
•   Put a check by Create a desktop icon then click Next again.
•   Continue to follow the rest of the prompts from there.
•   At the final dialogue box click Finish and it will launch Hijack This.
•   Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
•   Click Save to save the log file and then the log will open in notepad.
•   Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
•   Paste the log in your next reply.
•   If you haven't already posted then start a new thread in the Virus/Trojan/Spyware/Malware forum.
•   DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.



fpswillerd
Newbie
*
Posts: 14


« Reply #2 on: June 30, 2011, 07:07:46 AM »

There was an issue saving the log file in HJT, but I looked over the scan and all the executable files were ones I'd seen on the computer before, and some of them were used. I restarted the computer btw, and nothing seems to have happened but the file I mentioned in my previous post remains. (Side note, it says the date modified is 1/5/2011, but the date created and last accessed was 29/6/2011 11:15PM which is the same time the virus started.)
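A read-only triage script for the situation described in this thread, added here as an example and not posted by anyone in the thread: it lists running processes whose image sits in the Temp folder together with their parent process, shows where any running mshta.exe was loaded from, and lists every .exe in Temp with its timestamps, signature status and hash. It assumes PowerShell 4.0 or later and an elevated prompt; the output column names are chosen for this example.

```powershell
# Added example: lists and reports only, deletes nothing.
$temp  = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')   # ...\AppData\Local\Temp
$procs = Get-CimInstance -ClassName Win32_Process

# Index processes by PID so each child can be matched to its parent.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# 1. Running processes whose executable lives under Temp, with their parent.
$running = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if ($path -and $path.StartsWith("$temp\", [StringComparison]::OrdinalIgnoreCase)) {
        $parent = $byPid[[int]$p.ParentProcessId]
        # PIDs are reused: a "parent" that started after the child is not the real parent.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
        [pscustomobject]@{
            Name       = $p.Name
            ProcessId  = $p.ProcessId
            Path       = $path
            Started    = $p.CreationDate
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        }
    }
}

# 2. Any running mshta.exe: where it was loaded from and what it was asked to open.
$systemDirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }
$mshta = $procs | Where-Object { $_.Name -eq 'mshta.exe' } | ForEach-Object {
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Path        = $_.ExecutablePath
        InSystemDir = [bool]($_.ExecutablePath -and
                             ($systemDirs -contains (Split-Path $_.ExecutablePath -Parent)))
        CommandLine = $_.CommandLine
    }
}

# 3. Every .exe in Temp. Created later than Modified means the file was copied or
#    extracted here with its original write time kept, as noted in Reply #2.
$files = Get-ChildItem -LiteralPath $temp -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                 = $_.FullName
            Created              = $_.CreationTime
            Modified             = $_.LastWriteTime
            CreatedAfterModified = $_.CreationTime -gt $_.LastWriteTime
            Signature            = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            SHA256               = $hash.Hash
        }
    }

$running | Format-List
$mshta   | Format-List
$files   | Sort-Object Created -Descending | Format-List
```

The `ParentName` and `CommandLine` columns address the question raised in the first post: they show whether mshta.exe launched the Temp executables and which page or script it was started with.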