Need assistance - redirected from the HJT forum
#1
Posted 26 February 2009 - 10:55 PM
In a nutshell: I have a problem with mshta.exe. Every 15 minutes, it creates a new process in the task manager. I have seen well over 20 mshta.exe processes running at once, depending on how long I have the computer running for. Each process eats up around 12,000k of RAM, but when I turn on HTAStop (and block HTA applications), it reduces the memory used to around 2,500k of RAM. The processes don't use CPU time, but over a while they can start to eat up my RAM and slow my system down.
I know mshta.exe is a legit Windows app. HOWEVER - I have built several XP machines in the past and I have never seen this happen. All my virus scans / malware scans / spyware scans turn up negative. Please see the thread for further details:
mshta.exe topic
Thanks in advance.
System specs:
Windows XP SP3
EVGA nForce 750i FTW mobo
Intel Core2Duo E8400 @3ghz
4gb Patriot Viper DDR2 @ 1066
500Gb WD Caviar
EVGA Geforce 9800GT
#2 Guest_Jay-P VIP_*
Posted 26 February 2009 - 11:43 PM
Please go to the Windows System directory, C:\Windows\System32, and check the file version of mshta.exe (MS Hypertext App).
The info that I would like to see is Date and file size!
Also, check permissions on this file. Do you need help checking the permissions on this file?
Mshta.exe is not required for Windows to work correctly. If it is causing problems in your system, you should terminate it.
mshta.exe is flagged as a system process and does not appear to be a security risk. However, removing Microsoft HTML Applications may adversely impact your system.
There is a file located in my database that states the file size should be near 45 KB.
#3
Posted 27 February 2009 - 07:25 PM
I'm not sure how to check the permissions on this file. Some help would be appreciated! Thanks for your quick reply.
#4
Posted 27 February 2009 - 07:56 PM
This post has been edited by Stang777: 27 February 2009 - 07:59 PM
#5
Posted 27 February 2009 - 08:40 PM
#6
Posted 27 February 2009 - 09:02 PM
milofficer, on Feb 27 2009, 06:40 PM, said:
Yes, that is what I am thinking too, but since you already went through the HijackThis forum and they could not find anything causing it, it seems you don't have any malware. It seems odd that malware is not causing this, but with all the things they had you do in that other forum to find it and it was not found, I don't know how it could be. Unfortunately, I do not know of anything else that could be either.
Instead of deleting the file, have you tried replacing it with a copy that is known to be good?
#7 Guest_Jay-P VIP_*
Posted 27 February 2009 - 10:13 PM
The deal about the difference between the two of you in that file is that one of you has Windows XP SP2 (Stang) and the other has Windows XP SP3 (milofficer).
In my database, the correct file versions are
6.0.2600.0
6.0.2900.2180 (Stang's version)
5.0.2920.0
5.0.3700.6699
6.0.2800.1106
6.0.3790.0
7.0.6000.16386
Quote
Does the file itself read MSHTA.exe? Or does it have a different suffix?
Please tell me that info. After you do, I will ask you to make a backup of that file and then rename the original version with the suffix of .exe
This post has been edited by Jay-P VIP: 27 February 2009 - 10:15 PM
#8
Posted 28 February 2009 - 12:52 AM
#9 Guest_Jay-P VIP_*
Posted 28 February 2009 - 01:10 AM
We are going to check the version of this file and make sure it is in place and correct using an advanced online database. Please do the following:
- Please go to Program Checker Analyzer and make sure the ActiveX is installed and is running.
- You will see a box that says Select File to Scan. Please click the select button and point the checker to C:\Windows\System32\mshta.exe and click Open.
- Then in the Let ProgramChecker analyze your file box, please click the Check Button.
- You will then get a results page. Please tell me if you have one of two messages show up in the "Exact Matches" area.
- There are no exact matches in ProgramChecker's database
- You will get a listing that shows it as an exact match
#10
Posted 28 February 2009 - 12:57 PM
Louis
#11
Posted 28 February 2009 - 01:45 PM
In ProcessExplorer, choose to verify digital signatures (in the menu click Options -> Verify Image Signatures) to see if you are running legitimate programs. All Microsoft apps are digitally signed.
Make sure you are online and ProcessExplorer can access internet.
Now in the ProcessExplorer window, locate mshta.exe. Right-click on it and select Properties. You will see "Verified" if this is a legitimate Microsoft program.
Look at what program is running mshta.exe by finding out its parent process. The parent program is on the top left side of the child process in the tree view. Most programs have Explorer.exe as the parent program.
Please post this parent program and its details here. (Better take a snapshot)
#12
Posted 01 March 2009 - 02:25 AM
According to program checker, there were no exact matches.
Romeo - the second attachment is a screenshot of the process explorer findings. It was not a verified file.
#13 Guest_Jay-P VIP_*
Posted 01 March 2009 - 08:44 AM
Quote
(removed http:// prefix to avoid link conflict).
To take care of the hacker, please go in to that same properties box that you were in and please delete the digital identity in the command line parameter box, that is the line that starts with http and ends with php.
Please fix your operating system by running System File Checker. I suggest that this does two runs, not just one. Therefore, after the first run, please run it a second time. This will take care of the hacked (damaged) file, and not recognize the hacker's file, so the hacker's file will be removed.
Why was it a hacker?
There are two processes listed in your process explorer, with two different digital identities. The one is how the hacker keeps track of your information, the other is the damaged file which points to the hacked file!
#14 Guest_Jay-P VIP_*
Posted 01 March 2009 - 08:52 AM
Process ID: 3720
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
The Unverified file listed in the picture was using this Process (3720) to help attack and hack your system. This is why I labeled it a hacker.
Process ID: 3044
Process name: mshta.exe
Account name: NT AUTHORITY\SYSTEM
This post has been edited by Jay-P VIP: 01 March 2009 - 08:53 AM
#15
Posted 01 March 2009 - 09:52 PM
So far, it appears to be a good process (mshta.exe) running from the System32 folder. But the command it's being given is trouble: it's contacting a Chinese website (probably more than one) after specified intervals. This sounds like malware. It can be really bad, because this way a malware can download another malware and soon your computer can become full of many types of malware.
The process (mshta) is being started as a service. So when you turn on your computer this malware starts its work.
Use HijackIt tool to find out which programs are being started on boot.
Edit: I was reading your HJT forum posts; you say you are using IE7. The mshta version for IE7 is 7.00.5730 (see my screenshot). But your mshta version is 5.1.2600. This made me think. Now look at the icon and Description in ProcessExplorer - what do you see? It's not mshta.exe, it's Windows Notepad. Some malware has copied notepad.exe over your good copy of mshta.exe. Now it's giving a command so notepad.exe (renamed to mshta.exe and copied to the System32 folder) can download code from the Chinese website.
Verify:
Open Start Menu -> Run. Type cmd.
Give the command:
fc /B c:\windows\notepad.exe c:\windows\system32\mshta.exe
If you see "No file differences found", then it's confirmed.
You can follow JAY-P's directions to run System File Checker to restore original system files. Also run IE7 installation again.
This post has been edited by Romeo29: 01 March 2009 - 10:18 PM
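The two checks the thread converges on (Jay-P's known file-version list in #7 and Romeo29's fc /B comparison against notepad.exe in #15) can be scripted so they run as one offline cross-check. This is an added example, not code from any poster; it assumes the file version can be read from the PE's VS_FIXEDFILEINFO record (located by its 0xFEEF04BD signature rather than by walking the resource directory), and the sample byte strings are constructed stand-ins for real binaries.

```python
import sys

# VS_FIXEDFILEINFO begins with signature 0xFEEF04BD (little-endian bytes below);
# dwFileVersionMS sits 8 bytes and dwFileVersionLS 12 bytes after it.
FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"

# Versions Jay-P lists in post #7 as legitimate mshta.exe builds (thread data only).
KNOWN_GOOD_VERSIONS = {
    "6.0.2600.0", "6.0.2900.2180", "5.0.2920.0", "5.0.3700.6699",
    "6.0.2800.1106", "6.0.3790.0", "7.0.6000.16386",
}

def file_version(data: bytes):
    """PE FileVersion as 'a.b.c.d', or None when no VS_FIXEDFILEINFO is present."""
    pos = data.find(FIXEDFILEINFO_SIG)
    if pos < 0 or pos + 16 > len(data):
        return None
    ms = int.from_bytes(data[pos + 8:pos + 12], "little")
    ls = int.from_bytes(data[pos + 12:pos + 16], "little")
    return f"{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}"

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte (what fc /B reports), or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))  # one is a prefix of the other

def assess(mshta: bytes, notepad: bytes) -> dict:
    """Combine both thread checks: is the version a known build, and is it really notepad?"""
    ver = file_version(mshta)
    # Romeo29's IE7 figure (7.00.5730) is only a prefix, so match it as one.
    known = ver is not None and (ver in KNOWN_GOOD_VERSIONS or ver.startswith("7.0.5730."))
    return {"version": ver, "version_known": known,
            "identical_to_notepad": first_difference(mshta, notepad) is None}

def fake_pe(version: tuple) -> bytes:
    """Constructed stand-in for a PE file: junk header then a VS_FIXEDFILEINFO-like record."""
    a, b, c, d = version
    return (b"MZ" + b"\0" * 30 + FIXEDFILEINFO_SIG + b"\0\0\1\0"
            + ((a << 16) | b).to_bytes(4, "little") + ((c << 16) | d).to_bytes(4, "little"))

SAMPLE_NOTEPAD = fake_pe((5, 1, 2600, 0))          # constructed, not a real notepad.exe
SAMPLE_MSHTA_GOOD = fake_pe((6, 0, 2900, 2180))    # constructed, version from Jay-P's list

if __name__ == "__main__":  # usage: check.py C:\Windows\System32\mshta.exe C:\Windows\notepad.exe
    m, n = (open(p, "rb").read() for p in sys.argv[1:3])
    print(assess(m, n))
```

A result of `identical_to_notepad: True` (or an unknown version) is the thread's indicator that the binary in System32 has been replaced and System File Checker should be run.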