suspicious pop-up window from mshta.exe in SysWOW64



#1 kunwan

Posted 03 April 2017 - 05:23 PM

Hi everybody,
 
I believe windows/SysWOW64/mshta.exe is a virus. I got a popup saying to update a file, after not using Chrome for weeks, and knowing that Chrome updates automatically and Chromium is a separate browser that I have never used.
Link to the pop-up window: http://imgur.com/a/l9Xud
 
Any ideas if it is a virus? I believe it is but I can't be sure. Do you know how to remove it?
 
Thanks in advance for the replies!




#2 buddy215

Posted 03 April 2017 - 05:58 PM

You need to follow up with your other topic in the Malware Removal Forum. You can request it be reopened.

HijackThis Log: Please help Diagnose - Virus, Trojan, Spyware, and Malware Removal Logs


Edited by buddy215, 03 April 2017 - 06:04 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 buddy215

Posted 03 April 2017 - 06:05 PM

I edited my last post...I see you are online so you may have missed the edit.



#4 kunwan

Posted 03 April 2017 - 06:15 PM

@buddy215

 

I was away from my computer last week, and I found my older post was closed when I connected back.

 

Btw, I was following the instructions on this post but it seems that it had been deleted, is it possible to display it again?



#5 kunwan

Posted 03 April 2017 - 06:18 PM

Here is the Malwarebytes report:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 4/4/17
Scan Time: 1:07 AM
Logfile: 
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1655
License: Trial
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-E8DRDV9\François
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 446177
Time Elapsed: 2 min, 10 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 3
PUP.Optional.WinYahoo.Generic, C:\PROGRAMDATA\{A2A067C3-28E2-ED05-AE24-73473466F889}, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\USERS\FRANÇOIS\APPDATA\LOCAL\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}, Delete-on-Reboot, [117], [246924],1.0.1655
 
File: 33
PUP.Optional.AshampooRegistryCleaner, C:\PROGRAMDATA\ASHAMPOO\ICO_ASHAMPOO_MARKETPLACE.ICO, Delete-on-Reboot, [2977], [355157],1.0.1655
HackTool.AutoKMS, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, Delete-on-Reboot, [2454], [370307],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\PROGRAMDATA\{A2A067C3-28E2-ED05-AE24-73473466F889}\TEDA.TXT, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\AhUBi, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\aowLC, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\hdat1, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\hdat2, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\lete, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\rasire, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo.Generic, C:\ProgramData\{A2A067C3-28E2-ED05-AE24-73473466F889}\rofadar, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo, C:\USERS\FRANÇOIS\APPDATA\LOCAL\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\NATO, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\chromium-min.jpg, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\control panel-min-min.JPG, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\down.png, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\ff menu.JPG, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\ff search engine-min.png, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\HowToRemove.html, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\hp-min ff.png, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\hp-min ie.png, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\search engine.gif, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\setup pages.gif, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\sp-min.png, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\start-min.jpg, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\HowToRemove\up.png, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\bapi_ff.dat, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\bapi_ie.dat, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\install.log, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\meco, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\sofi, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\Sqlite3.dll, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\uninst.dat, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.WinYahoo, C:\Users\François\AppData\Local\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}\uninst.exe, Delete-on-Reboot, [117], [246924],1.0.1655
PUP.Optional.SearchManager, C:\USERS\FRANÇOIS\APPDATA\LOCAL\CHROMIUM\USER DATA\DEFAULT\LOCAL STORAGE\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage, Delete-on-Reboot, [651], [260989],1.0.1655
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)

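Triaging a report like the one above by hand is error-prone, so here is a small parser for the Malwarebytes 3 "-Scan Details-" line format, added as an example and not part of the poster's report or of Malwarebytes itself. The sample log is a constructed excerpt of five detection lines copied from the report above; it groups detections by class (PUP vs. anything else), lists the non-PUP threats and flags whether a reboot is still needed, which is exactly what the moderator asks about in the next replies.

```python
import re
from collections import Counter

# One "-Scan Details-" entry in a Malwarebytes 3 report has the shape
#   <Threat name>, <Path>, <Action>, [<threat id>], [<signature id>],<db version>
ENTRY_RE = re.compile(
    r"^(?P<threat>[A-Za-z0-9.]+), (?P<path>.+?), (?P<action>[^,\[]+), "
    r"\[(?P<threat_id>\d+)\], \[(?P<sig_id>\d+)\],(?P<db>[\d.]+)$"
)

# Constructed excerpt: five detection lines copied from the report above plus the
# surrounding header and count lines, to show that only detections are parsed.
SAMPLE_LOG = r"""
-Scan Details-
Process: 0
(No malicious items detected)

Folder: 3
PUP.Optional.WinYahoo.Generic, C:\PROGRAMDATA\{A2A067C3-28E2-ED05-AE24-73473466F889}, Delete-on-Reboot, [2067], [341897],1.0.1655
PUP.Optional.WinYahoo, C:\USERS\FRANÇOIS\APPDATA\LOCAL\{CBE2FDBE-EF4A-9106-82D2-B4EEA6BA4876}, Delete-on-Reboot, [117], [246924],1.0.1655

File: 33
PUP.Optional.AshampooRegistryCleaner, C:\PROGRAMDATA\ASHAMPOO\ICO_ASHAMPOO_MARKETPLACE.ICO, Delete-on-Reboot, [2977], [355157],1.0.1655
HackTool.AutoKMS, C:\PROGRAMDATA\KMSAUTOS\BIN\KMSSS.EXE, Delete-on-Reboot, [2454], [370307],1.0.1655
PUP.Optional.SearchManager, C:\USERS\FRANÇOIS\APPDATA\LOCAL\CHROMIUM\USER DATA\DEFAULT\LOCAL STORAGE\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage, Delete-on-Reboot, [651], [260989],1.0.1655
"""

def parse_entries(log_text):
    """Return one dict per detection line; header, count and filler lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Triage view: counts per top-level class, which non-PUP threats were found,
    and whether a reboot is still needed to finish the clean-up."""
    return {
        "by_class": Counter(e["threat"].split(".")[0] for e in entries),
        "non_pup": sorted({e["threat"] for e in entries if not e["threat"].startswith("PUP.")}),
        "reboot_pending": any(e["action"] == "Delete-on-Reboot" for e in entries),
    }

if __name__ == "__main__":
    report = summarize(parse_entries(SAMPLE_LOG))
    print(dict(report["by_class"]), report["non_pup"], report["reboot_pending"])
```

Point it at a full saved report instead of SAMPLE_LOG to get the same summary; every entry in the posted log is Delete-on-Reboot, which is why nothing is actually gone until the machine restarts.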

#6 kunwan

Posted 03 April 2017 - 06:25 PM

Here is the AdwCleaner report:

 

# AdwCleaner v6.045 - Logfile created 04/04/2017 at 01:23:55
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-03.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : François - DESKTOP-E8DRDV9
# Running from : C:\Users\François\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [6285 Bytes] - [20/03/2017 18:49:22]
C:\AdwCleaner\AdwCleaner[C2].txt - [834 Bytes] - [04/04/2017 01:23:55]
C:\AdwCleaner\AdwCleaner[S0].txt - [5553 Bytes] - [20/03/2017 18:47:22]
C:\AdwCleaner\AdwCleaner[S1].txt - [1299 Bytes] - [04/04/2017 01:23:43]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1052 Bytes] ##########


#7 kunwan

Posted 03 April 2017 - 06:31 PM

Here is the JRT file:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Home x64 
Ran by François (Administrator) on 04/04/2017 at  1:26:53,63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 04/04/2017 at  1:30:50,77
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#8 buddy215

Posted 03 April 2017 - 06:42 PM

Did you allow MBAM to remove what it found? Did you reboot when the scan finished?

 

You likely have a pirated version of a Windows program such as Windows 10 or Word installed on that computer.

 

Since you have run some scans, run the ESET scan next. If the problems aren't solved then you'd best ask for your other topic to be reopened. The instructions for doing that are in that topic...the last post.

 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Edited by buddy215, 03 April 2017 - 06:44 PM.


#9 kunwan

Posted 03 April 2017 - 06:47 PM

Yes, I allowed MBAM to remove what it found, and after the scan my computer was rebooted.

 

My uncle installed an Office version for me; I thought that he used one of his license keys, but actually it seems that it was a cracked version...

 

Do you mean that if ESET creates a logfile, I have to create another topic?

 

Thanks a lot for your help buddy


Edited by kunwan, 03 April 2017 - 06:48 PM.


#10 buddy215

Posted 03 April 2017 - 06:50 PM

Let me know what, if anything, ESET found and if you are still experiencing problems caused by malware or adware...especially the popup.

 

If the popup or other problems are still happening then you will need to ask your other topic to be reopened.



#11 kunwan

Posted 03 April 2017 - 06:52 PM

Okay, thank you, currently the ESET scan is at 35%.

 

I'll text you back when finished. Thanks



#12 kunwan

Posted 04 April 2017 - 05:10 AM

That's what ESET shows me:

 

 

C:\Users\François\AppData\Roaming\{CBBFFD04-EEED-9072-85DB-B7A059094A9E}\trz5D0B.tmp a variant of Win32/DealPly.DY potentially unwanted application cleaned by deleting
C:\Users\François\AppData\Roaming\{CBBFFD04-EEED-9072-85DB-B7A059094A9E}\trz68B6.tmp a variant of Win32/DealPly.FD.gen potentially unwanted application cleaned by deleting
D:\Games\Ripstone\Pure Chess Grandmaster Edition\win32\steam_api.dll a variant of Win32/Packed.VMProtect.ABO trojan cleaned by deleting
D:\Games\Ripstone\Pure Chess Grandmaster Edition\win64\steam_api64.dll a variant of Win32/Packed.VMProtect.ABO trojan cleaned by deleting
D:\ISO\Echecs.iso a variant of Win32/Packed.VMProtect.ABO trojan deleted


#13 buddy215

Posted 04 April 2017 - 06:00 AM

Is the Pure Chess Grandmaster game now broken...unable to play?

 

Is the popup ad still appearing?

