Solved: Malicious Script found

3590 Views 26 Replies 3 Participants Last post by Mosaic1
NAV pops up with this box each time I start my computer. It says my computer is halted because it found a malicious script. The script is found in

C:documents and settings/all users/startmenu/programs/startup/

The file is called "microsoft windows.hta"

I am using WinXP. What do I do? Do I manually delete this file? When I run a scan using NAV, it says it's clean. I also used Kaspersky Lab online scan and it says "clean."

Is it a virus? How do I get rid of the popup box from NAV?

Thanks so much. I read this forum quite frequently but never had a problem until now.
I disagree. Do not reboot and run that hta in the process. An HTA at startup is suspicious. Do this. Run hijackthis and post that log. Then move that hta out of the startup folder and rename it as a text file. Post the contents of that text file in your next reply here. Someone will tell you what it was doing exactly and help you decide which steps to take next.
You do have Spyware there and it needs to be removed. Let's translate the code in the hta first and then I will bow out.

Go to your start button. Right click on it and choose open All Users.
When that opens, click the Programs folder, then the Startup folder, and finally right click on Microsoft Windows.hta
Select all of the text there and then copy and paste it into your next post here.

After we know what that is doing then you can proceed.
When you right click do you have Send to? If so, then send to >> compressed. This will create a compressed file in that same folder. Remove that zip to your desktop and attach it here and I'll look. I want to decode this to see what it was doing.
The attachment worked. Do not run that hta. Let script blocking continue to protect you. For safety look in your system32 folder and be sure there is not a file named msupdate.cmd present. There shouldn't be because the hta has not run. It creates and runs that file in system32. I am trying to decipher it now. I will send it out for analysis if I need to.

In the meantime, you have other Spyware to remove. I'll hand it back over to

MFDnSC

Please edit your post and remove that attachment. I have it now and will let you know if I find anything definite.

EDIT: So far I uploaded to an online scanner and it may well be malware. Am sending to a Pro for analysis. In the meantime, remove it from your startups.
TampaLady,

Hi. I edited my prior post. Please have another look. I am in the process of emailing a friend to look into the exact nature of the file this creates.

Mo
You can use Hijackthis to do that. It makes backups of anything it removes. I doubt you will want to restore this file though.
MFDnSC isn't here at the moment. I'll answer this part for you

Run Hijackthis. Put a check next to this entry:
O4 - Global Startup: Microsoft Windows.hta

Press the fix checked button.

For information on RamAsst look here:
http://www.liutilities.com/products/wintaskspro/processlibrary/RAMASST/
You're welcome.

To remove a backup file, open Hijackthis and press the config button. Then when the new page comes up press the Backups button.

A list of all backups will be found on the next page. Find the backup you want to delete and highlight. Then press Delete.
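The O4 line quoted above is how HijackThis reports the Startup-folder item. As an added example (not from the thread and not HijackThis code), here is a small Python triage helper that parses O4 entries from a log and flags any startup item that launches a script-type file such as an .hta, since those are the ones worth reviewing before the next reboot; the sample log lines are constructed, apart from the .hta entry the thread shows.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample lines in HijackThis O4 format. Only the "Microsoft Windows.hta"
# entry comes from the thread; the rest are made-up filler to exercise the parser.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [RamAsst] C:\\WINDOWS\\system32\\RAMASST.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: Microsoft Windows.hta
O4 - Startup: readme.txt
O4 - Global Startup: Adobe Reader Speed Launch.lnk
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://example.invalid
"""

# File types Windows hands to a script host rather than running as a compiled binary.
SCRIPT_EXTENSIONS = {"hta", "vbs", "vbe", "js", "jse", "wsf", "wsh", "cmd", "bat"}

# "O4 - <location>: [<name>] <target>"; the [<name>] part is absent for Startup-folder items.
O4_LINE = re.compile(r"^O4 - (?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
# First ".ext" followed by whitespace, a quote or end of line, so directory names
# containing dots and any command-line arguments after the path are skipped.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})(?=[\s\"]|$)")


class Entry(NamedTuple):
    location: str
    name: Optional[str]
    target: str


def parse_o4(log_text: str) -> List[Entry]:
    """Return every O4 (autostart) entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["location"], m["name"], m["target"]))
    return entries


def script_extension(target: str) -> Optional[str]:
    """Lower-cased extension of the launched file if it is a script type, else None."""
    m = EXT_RE.search(target)
    if m and m.group(1).lower() in SCRIPT_EXTENSIONS:
        return m.group(1).lower()
    return None


def flag_script_startups(entries: List[Entry]) -> List[Entry]:
    """Entries whose target is a script file; these deserve a look before rebooting."""
    return [e for e in entries if script_extension(e.target) is not None]


def triage_report(log_text: str) -> List[str]:
    """One line per flagged entry, naming the location and file as HijackThis shows them."""
    return [f"{e.location}: {e.target}  (script type .{script_extension(e.target)})"
            for e in flag_script_startups(parse_o4(log_text))]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_LOG):
        print("REVIEW ->", line)
```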