Browser Hijack And Now Blue Screen Errors And Unknown Processes Runnin

Hi all-


I initially posted this in the Hijack This forum but many new problems have popped up since that post, so I'm reposting here with the additional info.

I was browsing online the other day and my browser was redirected to some site with all sorts of pop-up ads and I knew at that moment that something bad had happened. I got the TaskPoint virus which took over my system, looking suspiciously like Microsoft Security Essentials and telling me that I had infections but I needed to upgrade from their "paid" version. I knew this was a scam and did some further surfing which guided me through uninstalling the virus. I ran malwarebytes and found the following:


mbam-log-2010-11-21 (09-00-01).txt

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10


Memory Processes Infected:

(No malicious items detected)


Memory Modules Infected:

(No malicious items detected)


Registry Keys Infected:

(No malicious items detected)


Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{053911d7-db40-5afe-b491-03958fb6511a} (Trojan.ZbotR.Gen) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\06144 (Trojan.SCTool.Gen) -> No action taken.


Registry Data Items Infected:

(No malicious items detected)


Folders Infected:

(No malicious items detected)


Files Infected:

C:\Documents and Settings\Administrator\Application Data\hotfix.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\Administrator\Desktop\stuff\apps\Acrobat Pro 8\Acrobat 8.exe (Backdoor.Bot) -> No action taken.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MLZZH2EV\21[1].exe (Trojan.FakeAlert) -> No action taken.

C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP243\A0052644.exe (Backdoor.Bot) -> No action taken.

C:\Documents and Settings\Administrator\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.

C:\Documents and Settings\Administrator\Application Data\Etac\ykxy.exe (Trojan.ZbotR.Gen) -> No action taken.

C:\Documents and Settings\Administrator\Local Settings\Application Data\06144.exe (Trojan.SCTool.Gen) -> No action taken.

C:\Documents and Settings\Administrator\Desktop\ThinkPoint.lnk (Rogue.ThinkPoint) -> No action taken.

C:\Documents and Settings\Administrator\Start Menu\Programs\ThinkPoint.lnk (Rogue.ThinkPoint) -> No action taken.


I've been struggling ever since. I re-ran malwarebytes and found no infections and microsoft security essentials hasn't given me any warnings of an infection. But now I notice in my task manager that I have multiple (20 or so) cases of mshta.exe running at the same time, taking up system resources. I found some info at bleepingcomputer.com and following the advice I installed Process Explorer. I've clicked on each of the mshta.exe files that are running and found the following:


Microsoft ® HTML Application host

(Not verified) Microsoft Corporation

Version: 8.0.6001.18702

Time: 3/8/2009 3:31 AM

Path: C:\WINDOWS\System32\mshta.exe

Command Line: http://funnymonkeyss...487903102104515

Current Directory: C:\WINDOWS\system32\

Parent: svchost.exe(1188)


Started: 4:43:00 AM 11/22/2010

I know this isn't good but none of my antivirus software is picking it up and I can't kill the processes as they just seem to reappear. How do I get rid of this thing and make sure nothing else is lurking on my computer? I've attached a HijackThis report where I've marked the mshta.exe processes in bold.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:35:50 AM, on 11/24/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Documents and Settings\Administrator\Desktop\stuff\apps\Apple\applekeys2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Adobe Photoshop CS\Photoshop.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet
C:\Documents and Settings\Administrator\Desktop\procexp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\avgssie.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Applekeys2.lnk = C:\Documents and Settings\Administrator\Desktop\stuff\apps\Apple\applekeys2.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 6918 bytes


I've read that mshta.exe could be a legitimate windows process so I uploaded my file to VirusTotal for a scan. I've listed those results below...


VirusTotal Report

File name: mshta.exe

Submission date: 2010-11-24 07:45:09 (UTC)

Current status: finished

Result: 0 /43 (0.0%)

VT Community



Safety score: 0.0%


AhnLab-V3 2010.11.24.00 2010.11.23 -

AntiVir 2010.11.23 -

Antiy-AVL 2010.11.24 -

Avast 4.8.1351.0 2010.11.24 -

Avast5 5.0.594.0 2010.11.24 -

AVG 2010.11.24 -

BitDefender 7.2 2010.11.24 -

CAT-QuickHeal 11.00 2010.11.09 -

ClamAV 2010.11.24 -

Command 2010.11.24 -

Comodo 6827 2010.11.24 -

DrWeb 2010.11.23 -

Emsisoft 2010.11.24 -

eSafe 2010.11.23 -

eTrust-Vet 36.1.7996 2010.11.23 -

F-Prot 2010.11.23 -

F-Secure 9.0.16160.0 2010.11.24 -

Fortinet 2010.11.23 -

GData 21 2010.11.24 -

Ikarus T3. 2010.11.24 -

Jiangmin 13.0.900 2010.11.20 -

K7AntiVirus 9.68.3065 2010.11.24 -

Kaspersky 2010.11.24 -

McAfee 5.400.0.1158 2010.11.24 -

McAfee-GW-Edition 2010.1C 2010.11.24 -

Microsoft 1.6402 2010.11.24 -

NOD32 5643 2010.11.23 -

Norman 6.06.10 2010.11.24 -

nProtect 2010-11-23.02 2010.11.23 -

Panda 2010.11.23 -

PCTools 2010.11.24 -

Prevx 3.0 2010.11.24 -

Rising 2010.11.24 -

Sophos 4.59.0 2010.11.24 -

SUPERAntiSpyware 2010.11.24 -

Symantec 20101.2.0.161 2010.11.24 -

TheHacker 2010.11.23 -

TrendMicro 2010.11.24 -

TrendMicro-HouseCall 2010.11.24 -

VBA32 2010.11.23 -

VIPRE 7395 2010.11.24 -

ViRobot 2010.11.20.4158 2010.11.24 -

VirusBuster 2010.11.23 -


Additional information

MD5 : ad8f83f16a3ce2b093b38b279b419387

SHA1 : 5924007afda4703e2add2c44507cfcbfa98a55b7

SHA256: 22b96b75ce5407de1bdaedeba57b9a1cf9fe99964b7e07965e21ab5d35bca299

ssdeep: 768:HzN+AoaTcN0B0u37GmGHqn3kBJro7NQRdbJ:HhUqO0qurHNn3kOQRdl

File size : 45568 bytes

First seen: 2009-03-23 17:46:43

Last seen : 2010-11-24 07:45:09

Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit


Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)


publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Windows_ Internet Explorer

description..: Microsoft ® HTML Application host

original name: MSHTA.EXE

internal name: MSHTA.EXE

file version.: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned


PEiD: -

PEInfo: PE structure information


[[ basic data ]]

entrypointaddress: 0x2847

timedatestamp....: 0x49B3AC74 (Sun Mar 08 11:31:00 2009)

machinetype......: 0x14C (Intel I386)


[[ 4 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x7FA6, 0x8000, 6.56, 4be8b33f6db6076bc4b21e430a667030

.data, 0x9000, 0x1840, 0xE00, 2.35, 5aabcd88536c75844ae931fa2dc9cbb5

.rsrc, 0xB000, 0x11C0, 0x1200, 3.96, 8aa8f7cefc7ac295f77826ad56eb2eb6

.reloc, 0xD000, 0xC46, 0xE00, 4.06, 85f0b5c2e293da83cddab3502b5dab6d


[[ 2 import(s) ]]

advapi32.dll: RegQueryValueExA, RegCloseKey, RegOpenKeyExA

kernel32.dll: GetVersion, GetModuleHandleW, GetProcAddress, ExpandEnvironmentStringsA, LoadLibraryA, lstrlenA, MultiByteToWideChar, FreeLibrary, GetCommandLineA, GetVersionExA, GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThreadId, HeapDestroy, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringA, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, Sleep, VirtualAlloc, HeapReAlloc, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo, VirtualQuery




ExifTool: file metadata

CharacterSet: Unicode

CodeSize: 32768

CompanyName: Microsoft Corporation

EntryPoint: 0x2847

FileDescription: Microsoft ® HTML Application host

FileFlagsMask: 0x003f

FileOS: Windows NT 32-bit

FileSize: 44 kB

FileSubtype: 0

FileType: Win32 EXE

FileVersion: 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

FileVersionNumber: 8.0.6001.18702

ImageVersion: 6.0

InitializedDataSize: 14848

InternalName: MSHTA.EXE

LanguageCode: English (U.S.)

LegalCopyright: Microsoft Corporation. All rights reserved.

LinkerVersion: 8.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 6.0

ObjectFileType: Executable application

OriginalFilename: MSHTA.EXE

PEType: PE32

ProductName: Windows Internet Explorer

ProductVersion: 8.00.6001.18702

ProductVersionNumber: 8.0.6001.18702

Subsystem: Windows GUI

SubsystemVersion: 5.1

TimeStamp: 2009:03:08 12:31:00+01:00

UninitializedDataSize: 0


Comment date:2010-11-06 20:51:14 (UTC)


Tags: Malware,


Comment date:2010-11-15 22:06:44 (UTC)

Hiloti Dropper

Tags: Malware, DriveByDownload,


Comment date:2010-11-18 10:33:37 (UTC)

Looks like it loads trojans and uses security holes in Adobe Acrobat / Reader / Flash

Tags: Malware, DriveByDownload,


Comment date:2010-11-18 13:23:32 (UTC)


Tags: Malware, DriveByDownload,

So it looks like the process is most definitely not required for Windows and is probably some sort of malware. But I can't get rid of it! And now I keep getting blue screen errors saying "STOP: c0000b5e unknown Hard Error". Each time the c0000.... is a different number and I can't find evidence of any of them online. I don't know if the computer is actually having these errors or if this is some fake thing generated by the malware on my system. It's happened several times, usually after an hour or so of having the computer on. I have to turn off the power and manually reboot the machine, which takes forever to get to my desktop. I'm sure it's loading stuff but I don't know what and I don't know how to make it stop.


I am thinking about reinstalling windows but I need to save some data off my drive first. I know this will take several hours to save everything and I'm afraid the computer will freeze in the middle of the transfer and/or transfer the infection along with my data.


Please reply soon, I really need help on this one!
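The Process Explorer fields quoted above (Path, Command Line, Parent) are exactly what a script can check for automatically. The following is an added example, not code from the original post, from Process Explorer or from any tool named in the thread: it lists every running mshta.exe through WMI, flags any instance whose argument is an http(s) URL rather than a local .hta file, shows the parent process, and then lists scheduled tasks as one persistence location worth reviewing. It assumes PowerShell 2.0 or later (2.0 installs on XP SP3) and that schtasks.exe is available; it only reports and does not kill or delete anything.

```powershell
# Added example (not from the original post): enumerate running mshta.exe
# instances and flag the ones launched with a URL on their command line,
# mirroring the Path / Command Line / Parent fields read off Process Explorer.
# Assumes PowerShell 2.0+ (available for Windows XP SP3).

function Get-SuspiciousMshta {
    $results = @()
    foreach ($p in Get-WmiObject -Class Win32_Process -Filter "Name = 'mshta.exe'") {
        $cmd = [string]$p.CommandLine
        # A legitimate HTA launch passes a local file path; a bare http(s) URL
        # means the script body is fetched from the network each time it starts.
        $remote = $cmd -match 'https?://'

        # Resolve the parent the same way Process Explorer shows it: name(pid).
        $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { '{0}({1})' -f $parent.Name, $parent.ProcessId } else { '<exited>' }

        $results += New-Object PSObject -Property @{
            ProcessId   = $p.ProcessId
            Path        = $p.ExecutablePath
            Parent      = $parentName
            CommandLine = $cmd
            Suspicious  = $remote
        }
    }
    $results
}

Get-SuspiciousMshta |
    Sort-Object Suspicious -Descending |
    Format-Table Suspicious, ProcessId, Parent, CommandLine -AutoSize

# If URL-launched instances return after being killed, something relaunches
# them. A svchost.exe parent is consistent with the Task Scheduler service
# (hosted inside svchost.exe on XP), so the scheduled-task list is one place
# to review. This only lists; it changes nothing.
schtasks /query /fo LIST /v | Select-String -Pattern 'TaskName|Task To Run|Next Run Time'
```

Run it from an elevated PowerShell prompt so WMI can read the command line of every process. An mshta.exe whose path is the genuine C:\WINDOWS\System32\mshta.exe (as the VirusTotal result later in the thread confirms) can still be malicious in effect: the binary is clean, the URL it is told to load is the payload, which is why a hash scan of the file reports nothing.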



If you have another PC that you can slave the HDD to, I'd go that route and scan it w/ a different AV and scan it w/ MBAM to see if they are able to clean it up for you. If not, since you have the drive slaved, copy the data off that you need and then do your reinstall.


You might be able to boot into safe mode and back up that way since Windows only loads what's needed to run and nothing else.


Hi Tx-


Thanks for the reply. I haven't wiped my hard drive just yet because I don't have a spare drive lying around to transfer my data. :( And to be honest, it is a huge pain having to reinstall windows, so I'm not exactly looking forward to it. I'd like to try to clean any infections before resorting to a total reinstall, so any suggestions?




Hi again-


A few updates since my last post. I managed to find a good deal on a 1.5 TB hard drive in the Black Friday sales so I now have another hdd installed. I've been installing XP on the new drive which I set up in partitions. My idea was rather than wipe the first drive clean, I will simply drag what I want to keep onto one of the unused partitions, scan it for malware, move it onto a different partition, and then reformat both the old drive and the first partition. By keeping things partitioned, like using one partition strictly for the OS, I can avoid infecting multiple areas of my computer, correct? The question is, how do I scan the files I want to keep to make sure I don't infect the new drive? And then how do I make sure I don't end up in this predicament again? I have both an antivirus and firewall and I know this infection came from a legit website that was somehow hijacked. It's not as though the antivirus or firewall alerted me to the malware - I clicked on the domain name and it was too late. This has truly been a nightmare trying to get everything back in order.


Any suggestions would be appreciated!




Having multiple partitions would help in not infecting everything but it's not foolproof. As far as scanning what you wanna keep, just use a good AV and scan it. The consensus on keeping from being infected is to set up a limited user account for general use and an admin for software and update installs.
