Solved: Malicious Script found

3591 Views 26 Replies 3 Participants Last post by  Mosaic1
NAV pops up with this box each time I start my computer. It says my computer is halted because it found a malicious script. The script is found in

C:documents and settings/all users/startmenu/programs/startup/

The file is called "microsoft windows.hta"

I am using WinXP. What do I do? Do I manually delete this file? When I run a scan using NAV, it says it's clean. I also used Kaspersky Lab online scan and it says "clean."

Is it a virus? How do I get rid of the popup box from NAV?

Thanks so much. I read this forum quite frequently but never had a problem until now.
Status
Not open for further replies.
1 - 7 of 27 Posts
SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their definition updates and then run AdAware and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize and make sure teatimer is enabled

Do these and reboot before the next step.

Then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
Mosaic1 said:
I disagree. Do not reboot and run that hta in the process. An HTA at startup is suspicious. Do this. Run hijackthis and post that log. Then move that hta out of the startup folder and rename it as a text file. Post the contents of that text file in your next reply here. Someone will tell you what it was doing exactly and help you decide which steps to take next.
I might agree with you, but the OP said "each time", meaning it has been there a while, so the OP needs to do some cleaning and then get the global startup entry if still there.
SpyBot 1.3 - AA SE - with current updates???

Post a HJT log
You never verified the versions but

First move the HiJack exe to a permanent file like C:\HJT

Add/Remove programs – remove, if present

Viewpoint – Windows ControlAd - Admanager Controller

Print this out and boot to safe mode

Fix these and only these in HiJack

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Delete these folders
C:\Program Files\Viewpoint
C:\Program Files\Windows ControlAd
C:\Program Files\Admanager Controller

Empty the recycle bin

Boot and post a new log
Mosaic1 said:
MFDnSC isn't here at the moment. I'll answer this part for you.

Run HijackThis. Put a check next to this entry:
O4 - Global Startup: Microsoft Windows.hta

Press the fix checked button.

For information on RamAsst look here:
http://www.liutilities.com/products/wintaskspro/processlibrary/RAMASST/
After all that I missed the infamous entry :mad: :mad: Thanks Mosaic :up:

Post a new log please
That looks good!!

If you close your browser (IE) and fix this one it should go away, but it is just a clean-up item.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

If you feel you are fixed, mark it solved via thread tools above.
It was here and yes delete it but I doubt it is there

C:documents and settings/all users/startmenu/programs/startup/ but that was the startup entry

Do a search for the file and delete

To remove all traces of what you went through turn off and then turn on restore points

Restore points

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam