Multiple Mshta.exe Processes Running in Task Mnager, What Are They??

Ricamundo · October 17, 2010, 12:29:47 PM

Thanks Art. I did try it and its still reproducing. :( Oh well back to the drawing board.

Art Blade · October 17, 2010, 03:24:32 PM

Would be fun to see what happens if you delete that file.

PZ · October 17, 2010, 06:35:41 PM

That's not a bad idea - delete mshta.exe and then see what error pops up when your system tries to run the hta files. Of course, you'd want to keep a backup copy so you can put it back into it's original folder after the test. The error will probably be something along the lines of not being able to run an hta file, but you might get an idea what program is trying to run those files to see what you might inactivate/uninstall. You can always add the mshta.exe back again.

Ricamundo · October 19, 2010, 03:59:16 AM

I did take out the mshta.exe from my windows/system32 folder, and put it, and my original(renamed xx.bak) in a folder on my desktop. I rebooted and sure enough, a little while later, they started to re apppear 1 by 1. ::)

JRD · October 19, 2010, 04:21:12 AM

Quote from: Ricamundo on October 19, 2010, 03:59:16 AM
I rebooted and sure enough, a little while later, they started to re apppear 1 by 1. ::)

In that case someone is feeding them after midnight or getting them wet... in any case, you better run! ;D ;D ;D

Art Blade · October 19, 2010, 09:31:28 AM

??? :o

Now if you deleted (renamed and moved) your original mshta.exe but still got to see it reappear, it cannot be the same mshta.exe. It has to be something else which pretends to be that file. Try to find out where it is located.. check processes etc..

that sounds alarming to me.

Dweller_Benthos · October 19, 2010, 01:22:33 PM

Yes, if it's automatically reappearing by itself with no complaints from the OS, then it's a trojan or something loaded in memory that is recreating the file for it's own nefarious purposes. You definitely have a critter running around.

Ricamundo · October 23, 2010, 03:48:25 AM

Guys, i think i've cracked it. ;D I had looked at the schedualed task folder before, and noticed a large number of tasks that didnt seem to do anything. There were almost 100 of them all identical, named simply "At1" to At95" or so. They were schedualed to start up 7 days a week, but each had thier own specific time to run.

This time, i actually right clicked on one and went to its properties. And there, greyed out but still visible in the name was "mshta.exe" followed by a weird url like "oiebu.com" or something. I simply started deleting them, and once i had cleared everything out, i rebbooted, and ran all my ant virus, and anti malware programs.

That was yesterday, and to my relief, no more mshta's. 8)

Art Blade · October 23, 2010, 05:40:15 AM

Well done :) Let's just hope that whatever caused those entries isn't on board any more.

Since you had had deleted the original mshta.exe, did you find out where that mshta.exe was located? You should delete that version. And, using windows firewall or whatever you use, block that url so it can't reload anything.