Appletax
Solution: delete the files or nuke and pave.
Edit: I don't think that this is a legitimate virus. I scanned the system using multiple programs including offline boot scanning. For all AV to not flag this suggests to me that it's just simply an annoying batch script being run. I would be surprised if these hackers are using real viruses that AV is unaware of due to using an unpatched exploit / zero-day exploit.
The "hacker" put a 'Windows Defender.hta' file into the Startup Menu folder and then used that mshta.exe service to run a batch script labeled 'Defender.bat.'
The contents of the batch script when viewed with Notepad:
Shutdown.exe -r -t 60 -c "Your System Has Been Blocked Due To Unusual Activities. It Might Harm Your Computer Data And Track Your Financial Activities.Computer Will Shutdown in 1 Minute. Please Contact Microsoft Support For Help 1-860-410-6020(Toll Free)"
I deleted them both and the issue went away.
----
After about a minute, the laptop will briefly display a fake BSOD trying to get the user to contact "Microsoft Support", and then it reboots the laptop. Did various malware scans including offline scans using my bench computer. I noticed that mshta.exe shows up in Task Manager when the BSOD starts. It appears that the "hacker" that messed with this laptop must've used mshta.exe to run a script to display this. It's apparently not malicious in a way that would trigger the antivirus.
How do I stop this thing?
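A triage script for the persistence described in this thread (an .hta dropped in a Startup folder, launched by mshta.exe, running a shutdown.exe countdown with a scam message). This is an added example, not code from the poster; it assumes a Windows host with PowerShell 5.1 or later and only reports what it finds, leaving deletion to the technician.

```powershell
# Added triage script, not part of the original post. Assumes PowerShell 5.1+
# on the affected Windows machine; run from an elevated prompt so the
# all-users Startup folder and other users' processes are readable.

# 1. Cancel a reboot that the batch file may already have scheduled.
#    shutdown /a only works while the countdown (60 s in this case) is running,
#    so run it first. Exit code 1116 simply means nothing was pending.
shutdown.exe /a 2>$null

# 2. List any running mshta.exe and the command line it was started with.
#    The .hta path in that command line points straight at the dropped file.
Get-CimInstance Win32_Process -Filter "Name = 'mshta.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-List

# 3. Enumerate both Startup folders (per-user and all-users) for script-type
#    files. .hta is associated with mshta.exe, so simply placing one here is
#    enough for it to run at logon; -Force also lists hidden files.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$scriptExt = '.hta', '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.ps1'

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # First lines of the file, e.g. the shutdown.exe command with the
            # fake "Microsoft Support" text, so it can be confirmed before removal.
            $head = Get-Content -LiteralPath $_.FullName -TotalCount 5 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                Bytes   = $_.Length
                Preview = ($head -join ' | ')
            }
        }
}

if ($findings) {
    $findings | Format-List
    Write-Host "Review the files above, then remove them with Remove-Item -LiteralPath <path> -Force"
} else {
    Write-Host "No script-type files found in the Startup folders."
}
```

After removing the files, reboot once more to confirm that mshta.exe no longer appears in Task Manager and that no countdown dialog is shown.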