Multiple Mshta.exe Processes Running in Task Manager, What Are They??

Started by Ricamundo, September 15, 2010, 08:51:33 AM

Ricamundo

Multiple Mshta.exe running in my Task Manager, What Are They??

--------------------------------------------------------------------------------

We've had a bit of an issue with our PC lately, and I'm stumped. About a week ago while my Wife was playing one of those logic games you can access from Facebook, a window popped up saying the usual BS that our PC was infected with a long list of viruses, trojans etc and press THIS button, and all would be magically removed. Riiiight.

It blocked internet access, task manager access, so it sounds like a DOS trojan from the description I've read. Anyways, I had Malwarebytes free version already installed, but I had to run Rkill first to stop the Trojan from stopping Malwarebytes from running.

OK, so MWB seemed to take care of the immediate threat. I could access IE, and so on, so after a little research, I decided to buy the full version of Malwarebytes. After running that, along with SB S&D, Ad Aware, and HiJack This, and a full scan from my AVG, I think we've got the thing pretty much cleaned up.

I have been corresponding with someone from MS as to my last remaining issue, and nothing I've been asked to try has worked.

I have in my task manager multiple "mshta.exe" processes running. When I boot up in the morning, there are none, but over the day, as I use the internet, more and more of these processes appear, using about 10 MB of memory each. My normal task manager is about 26-28 processes, but last night there were about 15 or more Mshta.exe in there for a total of about 40. Right now there are 10 of the damned things.

As I mentioned, I've run all kinds of anti virus, anti malware stuff, Hijack This; a copy of the HJT logfile I've sent to the MS tech along with a log file of SB S&D. I posted my HJT logfile in the online scanner @ the HJT site and all the things it listed were green or at worst neutral.

She suggested I try creating a new User Account, which I did, but the Mshta.exe processes show up under the System column, so they are there anyway. When I reboot they are all gone, so I can control them in the short term, but it is annoying.

Here's what I'm running...

Win XP 32 bit all updates as of today.
Router(im assuming it has a HW firewall)
AVG free edition
Malwarebytes registered version
Spybot S&D
Ad-Aware
HiJack This
I've also run the newest MS Malicious Software Removal Tool

Would a Sys Restore do any good? Since all this started over a week ago, I'm not sure it would be a good idea. Any suggestions from you smart folks would be appreciated, but keep it simple please.

Thx in advance,
Ric

Are you listening to the wind now? Tell the wind to bring me some beer. F*ck the beer, we need women!

Art Blade

Quote: Unless mshta.exe is not found within the SYSTEM32 folder of your XP/2000 based system YOU SHOULD NOT DELETE IT. This file is used by your OS to read HTA files it is non essential but deleting will screw your system up. If you find an instance of this file outside the system32 folder then it is an imposter, mshta.exe will only run in the system32 folder.

upload it to

http://www.virustotal.com/
Vision without action is a daydream. Action without vision is a nightmare. What doesn't kill us, makes us weirder.

Dweller_Benthos

Yeah, mshta.exe is a valid windows file, but like Art says, it should only be in windows/system32 and a couple of IE folders, judging by what's on my system. File size is 45k, version 8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) (for Win XP, might be different on Vista or win 7). MD5 hash is ad8f83f16a3ce2b093b38b279b419387 *mshta.exe

If the programs you've already mentioned don't clean it, boot to safe mode, find all copies of the files and move them to a floppy (HAHA did I just say floppy??!?!!? I MEAN another folder or if you can get a thumb drive working in safe mode) and reboot. IE probably will have some problems, but you can then copy a good file from a system you know is clean and reboot. Then you can delete the bad copies of it, but that might not solve your problem, you may still have the original trojan in memory and every time you delete or create a new good file, it just gets infected again. Malwarebytes should really be able to handle that hopefully, but you never know. A nuke and pave with dban might be needed.
"You've read it, you can't un-read it."
D_B

Art Blade

the http://www.virustotal.com/ link offers an AV scan by 40+ AV programs if you upload files there. I'd check what they come up with :)

PZ

Sorry to hear about your PC woes, Ric.  In my experience, it depends on how the malware was written - our entire organization was affected by malware that was affecting our domain controller, and therefore spread to every computer that logged into the domain.  None of the typical anti-malware packages were able to remove the infection - our IT department had to create a custom removal tool with the help of Microsoft engineers.

The bottom line - if the infection is bad, and you have exhausted all other means, the best option (as painful as it sounds) is to reinstall the OS from scratch - deleting the existing partition and starting over - it makes for a PC that runs as fast as when it was new.

Ricamundo

Just a little update. The issue is still ongoing, although since it's more of a minor irritant than a major problem, I haven't done anything drastic like reinstalling windows. All I do is open up task manager and kill the mshta.exe's that are running in there every few hours, or before a gaming session, so it's not a huge issue, although I would like to fix it once and for all.

I did copy/paste my mshta.exe and mshta mui.exe files to that virus check site, and they were clean. I have been communicating with an MS tech who has recommended I do a windows repair using my CD, but I'm reluctant in case it wipes out all the installed windows updates and service packs, or affects my email, or installed program files, etc.

He said I might have to phone a toll free # to reactivate windows afterwards.

Do you guys think a win repair would do the trick?

JRD

It's kind of painful, but I try to re-install my OS every 2-3 years... it takes a whole weekend as I have to backup all I need and it also makes me organize all the crap I have on my PC, deleting old files like images, crappy photos, mp3, etc... When it's finished, it's time to sort what I need and re-install  :-(  but in the end it's worth the effort.  :-X

So I carefully prepare myself with a stash of beer and snacks, a book, good CDs and DVDs at hand and, preferably, the wife out for the weekend  :-()

Performance wise, I always see a big improvement in a before/after comparison.

Think about it... how many years will an OS run on your PC/Laptop? If you do it every 2 or 3 years, it means only a couple times in an OS lifetime, then it's upgrade time.
Artificial Intelligence is no match for Natural Stupidity

PZ

I'd agree with JRD - although Windows repair is supposed to fix problems, it works more like a band-aid on a bleed out - mostly ineffective in my experience.  A fresh OS install will certainly improve your performance while a repair will not.  However, you might try the repair first and then if that does not work, do a fresh install.  One warning though, depending on what repair is "fixing", you might need to do the service packs, updates, etc.  Repair will not affect your current email or other settings (unless something goes terribly wrong).

Art Blade

I haven't had that experience yet. Usually I install software I really want to use and then keep it. I never install demo versions or uninstall programs. That means that my registry actually works because there are no "dead" entries. If I delete anything at all, it will be something like a few screenshots or perhaps some savegames. What might happen is that I decide to move folders which basically is the same as deleting a lot of files which will cause a fragmentation. So I run a defragmentation program once in a very long while. I basically never had to re-install my OS (I think except once). If I read "every 2-3 years" hehe, that makes me smile.. because every 2-3 years I get a new PC anyway.  ;D

Ricamundo

I don't feel comfortable reinstalling my OS. It would seem like using a cannon to kill a fly. You know that old expression "Don't fix it if it ain't broke". Well, even though I have to open the task manager every so often, and before any gaming session, and kill the mshta's, it isn't as if the PC is running slow or unstable, it isn't. It's just a pain, but doing anything drastic like a reinstall of windows, especially if I then must re update it with all those service packs and security updates, just sounds like more aggro than it's worth.

I may try the repair at some point, if I get up the courage. :-[ Thx anyways guys for your advice. I'll let you know if anything changes.

Art Blade

If I were in your shoes (erm.. yuck  ;D ) I'd do a re-install. I mean, your system is broke and it needs fixing ;)

Dweller_Benthos

Post your Hijack this log, something might pop out at me. You say you're already running malwarebytes & spybot (do you have teatimer running as well?) so can't suggest anything else, since that combination has always fixed anything I've come across in the past.

There is also the chance that you might have a corrupted version of the file and since it doesn't work, it keeps trying to load a new copy - try getting a copy of the file from another computer and placing it in the system folder, replacing the version of the file you have. Probably have to do that in safe mode I imagine.

Could also be whatever is calling the file to run is getting a return it doesn't expect or can't understand, and just keeps calling it again and again until it does, leaving the others in memory.

PZ

I read that mshta.exe  executes .hta files, which are HTML files rendered by the Internet Explorer engine with extra markup to control things like application title and application icon.  The program runs HTML and Javascript code as an application.  While normal, .hta files could be infected by viruses, trojan horses, exploits.  An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application.  I just opened IE8 on an XP machine and kept the task manager running while I went to a dozen or so places on the Internet - not once did the mshta.exe process start when I browsed to my normal sites like OWG.

Good luck in figuring out the issue, but I probably wouldn't do online banking or display other sensitive information if you feel uncomfortable about where your computer might have visited.

Ricamundo

I have a HJT log on my desktop, but I've forgotten how to post here with attachments. :-[  Dweller, I think you might be right about the corrupted file. It makes sense. If it were something sinister, I don't think I'd be able to simply open up the task manager and kill the mshta processes.

I would have tried copying an mshta.exe file from another XP machine and installing it on this one, but the only other working computer here is my Daughter's iBook. Our other laptop is an intel, but totally fubar'd. ::)

BTW, I have malwarebytes (full version) and AVG free running at all times, and other freebies like ad aware, HJT, Spybot (no tea timer) and Super anti spyware available when I want to run them. I also have Security Task manager, and it shows the mshta process(es) as a normal MS thing and harmless.

Every scan lately has come up clean, and really, as I've said, the PC is running as smoothly as it ever has (it's 2 yrs old) except for these annoying mshta thingies.

I remember you guys singing the praises of Firefox. Out of curiosity, would installing that fix the mshta issue, since it seems to be related to IE? How hard is it to install on an IE machine?

deadman1

Quote from: Ricamundo on October 14, 2010, 04:59:42 AM

I remember you guys singing the praises of Firefox. Out of curiosity, would installing that fix the mshta issue, since it seems to be related to IE? How hard is it to install on an IE machine?

It's dead easy, just DL the program here: http://www.mozilla.com/en-US/ and install. After that you can import your saved links (favorites) from IE and set up FF as your default browser. Then you just have to get used to a new browser as FF does things a little different from IE. Don't forget to check out this thread: http://openworldgames.org/owg/forums/index.php?topic=33.0 for some suggestions on which plugins you need with FF. Good luck mate  :)

PZ

Although I can't give you a definitive answer (maybe someone that knows more can), it doesn't seem like a browser change will halt these issues because mshta.exe is a system file that is executing the .hta files that the browser encounters - I'm not sure it would really make any difference which browser. 

However, changing to Firefox and installing some of the security addons will at least help prevent potential future problems when visiting sites you know nothing about.  As I've mentioned in another thread, Internet Explorer has no problems letting me visit malware sites (without notification of any kind) - sites that Firefox warns me about before entering and executing code of any kind.  In my opinion, browsing with Internet Explorer is like skydiving without a parachute.

Dweller_Benthos

A Hijack this log file is just text, open it in notepad and copy/paste to a reply here, it will be long, usually they are, but there may be something of value in there.

I can upload a copy of the mshta file if you want, should be no problem, I have Win XP SP3 all updated. Since it's only 45k, an attachment here should do fine. Let me know. The more I think of it, though, and with PZ's explanation of what it does, I think something is calling it to run and not working right. I've been surfing the web all day and don't have one copy running. I don't think it should get called all that often.

Ricamundo

Thx again Dweller, here it is. Hmmm if you wouldn't mind posting a copy of your XP mshta.exe, I'd like to try it. BTW these mshta's show up about every 20 minutes, whether I'm web surfing or not, it doesn't seem to make any difference. As I said, I can either kill them in task manager, or reboot and they're all gone.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:33:08 AM, on 14/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229609580707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283951592234
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {c249ad02-0cb5-431d-a37c-1ae515962267} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4834 bytes

PZ

There are three things in your list that I won't ever run because of the way they bog-down the system (mine at least).  One is MS Messenger, and the other two are Apple services - Bonjour, and AppleMobileDevice.  One thing you could try is disabling these services one at a time to see how it affects mshta.exe - maybe not at all (I don't know what they do well enough), but it might be worth a try just to see what happens.

Ricamundo

The Bonjour and Apple mobile device are both set to manual and not started automatically. I believe I need them to use iTunes. As for MS messenger, afaik no one here uses it anymore because we now have Skype. I don't even see it in my Services list, although there is something called "Messenger" which is disabled.

PZ

Quote from: Ricamundo on October 14, 2010, 11:46:18 AM
BTW these mshta's show up about every 20 minutes...
From this description, something appears to be attempting to update on a regular basis - something that has an option set to "Allow connections to the Internet" or "Update automatically" or words to that effect.  However, this still should not run multiple instances of mshta - the cause could be a corrupt copy of mshta.exe, or perhaps the actual .hta file (wherever it is located) mshta is running was poorly written causing a new instance each time the file is executed.

Have you checked the event viewer to see if there are errors?  Start --> Control panel --> Administrative tools --> Event viewer

There are a handful of event logs you can examine by point and click - look for something suspicious.

Art Blade

Those 20-minute intervals may be something "calling home" which could be a trojan used to tell its creator "this PC is ready" for anything like a DoS attack (denial of service, taking down servers) or a spam distribution platform.. not so cool.

PZ

Quote from: Dweller_Benthos on October 14, 2010, 11:27:55 AM
... I've been surfing the web all day and don't have one copy running. I don't think it should get called all that often.
Not only that, when mshta.exe is called, it should typically be released when the .hta execution has completed rather than remaining memory resident - having multiple mshta.exe processes implies that there are multiple .hta files continuing to run, or sloppy code has caused a single .hta to open a new instance of mshta.exe in each of your 20 minute cycles.
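Several posts in this thread boil down to the same set of checks: Dweller_Benthos's point that a genuine mshta.exe lives only under the system folder and has a known hash, and PZ's point that each lingering mshta.exe instance corresponds to some .hta (or script) it was handed. The PowerShell below is an added example written for this thread, not code from any poster or from Microsoft, that gathers exactly that evidence in one pass: for every running mshta.exe it reports the binary's path and whether it sits in System32/SysWOW64, its SHA-256, the account it runs under, the argument it was launched with (which is where the .hta path or URL appears), its start time (to compare against the 20-minute cadence described above), and the parent process that launched it. It assumes a Windows host with PowerShell 3.0 or later (Get-CimInstance, Get-FileHash) and an elevated prompt so that processes in other sessions, such as the SYSTEM ones the original poster saw, are visible.

```powershell
# Added example (not from the thread): inventory every running mshta.exe so you
# can see where the binary lives, what it was handed, who runs it, and which
# process started it. Assumes PowerShell 3.0+ and an elevated prompt.

# The only directories a legitimate mshta.exe should be loaded from.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$procs = Get-CimInstance Win32_Process -Filter "Name = 'mshta.exe'"

if (-not $procs) {
    Write-Host "No mshta.exe processes are running right now."
    return
}

$report = foreach ($p in $procs) {
    # Parent process: tells you whether a scheduled task, a service, Explorer
    # (Run keys / Startup folder) or a browser is spawning these instances.
    $parent = Get-CimInstance Win32_Process `
        -Filter "ProcessId = $($p.ParentProcessId)" -ErrorAction SilentlyContinue

    $path = $p.ExecutablePath
    $inExpectedDir = $false
    if ($path) {
        # -contains compares strings case-insensitively, which matches NTFS paths.
        $inExpectedDir = $expectedDirs -contains (Split-Path $path -Parent)
    }

    # Hash the on-disk image so it can be compared with a known-good copy or
    # submitted to a multi-engine scanner such as the one linked in the thread.
    $hash = if ($path -and (Test-Path $path)) {
        (Get-FileHash -Path $path -Algorithm SHA256).Hash
    } else { '<unreadable>' }

    # Account the process runs under (the OP saw these listed as SYSTEM).
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $user = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }

    # Strip the executable itself from the command line; what remains is the
    # .hta path, URL or inline script that mshta was asked to run.
    $argument = $p.CommandLine -replace '^\s*"?[^"]*mshta\.exe"?\s*', ''

    [pscustomobject]@{
        PID           = $p.ProcessId
        Started       = $p.CreationDate
        RunsAs        = $user
        Path          = $path
        InSystemDir   = $inExpectedDir
        SHA256        = $hash
        Argument      = $argument
        ParentPID     = $p.ParentProcessId
        ParentName    = if ($parent) { $parent.Name } else { '<exited>' }
        ParentCmdLine = if ($parent) { $parent.CommandLine } else { '' }
    }
}

# Oldest first, so a regular spawn interval shows up as evenly spaced Started values.
$report | Sort-Object Started | Format-List
```

Read the output from the defender's side. Any row with InSystemDir false, or a SHA256 that differs from the copy on a known-clean machine of the same Windows version and patch level, is the "imposter" case Art Blade quoted. If the binary checks out, the Argument column is the thing to chase: it names the .hta or script that keeps being launched, and ParentName tells you where to look for the trigger (a task scheduler host or service points to a scheduled task or service, explorer.exe points to a Run key or Startup entry, a browser points to page content). Evenly spaced Started values, as in the 20-minute pattern reported in this thread, are the signature of a timer rather than of browsing activity.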

Art Blade

just for your information, since Ricamundo asked in another topic..

Quote from: Art Blade on October 17, 2010, 08:57:52 AM
Quote from: Ricamundo on October 17, 2010, 04:00:08 AM
I still would like to try a clean mshta.exe, if someone could post a copy of one for me. Thanks in advance. :)

http://openworldgames.org/owg/forums/index.php?action=downloads;sa=view;down=147

I had it scanned through virustotal.com first, clean. :)