30-01-2011, 03:01 AM   #2
Japo

There's a legit mshta.exe, but virus makers like to name their creations after system files, and from your symptoms it looks likely you have one. The malicious mshta.exe may be installed in a different location than the legit one, or it may have even replaced it.

First of all, run some scans with anti-virus programs, as many as you please--but make sure they're reputable, since there are many anti-virus programs that are actually trojans. See what they manage to clean. Make sure you use some with "anti-rootkit" capabilities.

Here's some useful experience from a guy who cleaned something similar or the same exact thing by hand:

http://social.answers.microsoft.com/...f-44e9c5abfcd5

That i386 folder is a copy of the Windows installation disk (whole or service pack) that is sometimes on the hard disk. You needn't have the same path; you can take the legit file from your Windows installation disk. Actually, Windows has a tool to check and, if necessary, re-install system files: press the Windows key + R or go to the start menu > "run..."; enter "cmd"; in the ensuing console enter "sfc /scannow". Since you're having trouble with mshta.exe, stick to it and don't worry about warnings for other files; depending on the installation disk that you use, they may be legit more recent versions.

You may be more successful doing this in "safe mode", where the virus should be inactive. To start Windows in safe mode, press F8 repeatedly while booting before Windows kicks in.

I recommend you also use this program

http://technet.microsoft.com/en-us/s...rnals/bb963902

to see what programs are set to start with Windows, and disable them if necessary (this program will remember the entries for you, in case you find something was legit and you need to enable it back; just check it again). Go directly to the logon tab, although there's more, especially in services and drivers. You should be able to tell what's legit. It may point you to the starter, which needn't be mshta.exe, but another program that calls it in the first place and re-starts it when you finish it.
__________________
Life starts every day anew. Prospects not so good...
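The location check described in the post above (a malicious mshta.exe may sit in a different folder than the legit one, or may have replaced it), as an added PowerShell example that is not part of the original post. The function name `Find-MshtaCopies` and the list of expected folders are assumptions made for illustration, and the script assumes PowerShell 4 or later.

```powershell
# Added example (not from the original post). Lists every mshta.exe under a root
# folder, flags copies outside the folders where Windows normally keeps the file,
# and reports signature status and hash so each copy can be compared with a
# known-good one (for instance the file on the installation disk).
function Find-MshtaCopies {
    param(
        [string]$Root = "$env:SystemDrive\"
    )

    # Assumption: folders where a genuine copy is normally found. The dllcache and
    # i386 entries cover on-disk installation copies like the one the post mentions.
    $expected = @(
        (Join-Path $env:windir 'System32'),
        (Join-Path $env:windir 'SysWOW64'),
        (Join-Path $env:windir 'WinSxS'),
        (Join-Path $env:windir 'System32\dllcache'),
        (Join-Path $env:windir 'ServicePackFiles\i386')
    )

    Get-ChildItem -Path $Root -Filter 'mshta.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            $dir  = $file.DirectoryName

            # "Expected" means the folder is one of the entries above or lies below one
            # (WinSxS keeps its copies in per-component subfolders).
            $inExpected = $false
            foreach ($e in $expected) {
                if ($dir -eq $e -or $dir.StartsWith("$e\", [StringComparison]::OrdinalIgnoreCase)) {
                    $inExpected = $true
                }
            }

            # An expected path is not proof the file is genuine (it may have been
            # replaced), so signature and hash are reported for every copy. On older
            # Windows versions catalog-signed system files can show as NotSigned here;
            # confirm those with "sfc /scannow" rather than treating them as malicious.
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            [pscustomobject]@{
                Path             = $file.FullName
                ExpectedLocation = $inExpected
                SignatureStatus  = $sig.Status
                Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256           = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                LastWriteTime    = $file.LastWriteTime
            }
        }
}

Find-MshtaCopies | Sort-Object ExpectedLocation | Format-List
```

Run it from an elevated prompt so that protected folders can be read.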