
Thread: mshta.exe repeatedly appearing in Task Manager

  #1 - Junior Member (Join Date: Dec 2010, Posts: 27)

    mshta.exe repeatedly appearing in Task Manager

    For a few days now, the program mshta.exe has been appearing multiple times in my Task Manager, even if I end them all at any given time. I've seen as many as a couple dozen instances of the program. While it hasn't caused too many major problems yet, at least that I can tell, the file size seems to be getting larger. The smallest I've seen it is around 8 K. A few minutes ago, each instance was at 13 K. I don't like this trend.

    I've tried looking up a solution on the interwebs myself, and deleted over a thousand tracking cookies and at least one legit piece of malware in the process, but to no avail. From what I've read so far, the two things that leaped out at me the most are:
    1) mshta.exe is a legit system32 file, and its repeated appearance may be a bug with my operating system in conjunction with the Add or Remove Programs tool, and
    2) mshta.exe's repeated appearance may be a symptom of something that doesn't belong; if not 1), then something worse.

    I think that the most significant thing I (intentionally) did before this started happening was that I installed a new version of AIM without uninstalling the old version first; I didn't like the new version, so I uninstalled it using the uninstaller that came with it.

    Anyway, a friend vouched for this board and I'm giving it a shot. Halp.



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Erick at 16:23:04.03 on Sun 12/26/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2650 [GMT -6:00]

    AV: AVG Anti-Virus *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINNT\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINNT\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINNT\system32\LxrJD31s.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINNT\system32\svchost.exe -k imgsvc
    C:\WINNT\Explorer.EXE
    C:\Program Files\SmartDisk\Flash Media Reader\shwicon.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINNT\system32\devldr32.exe
    C:\WINNT\system32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AIM\aim.exe
    C:\WINNT\System32\mshta.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\mshta.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\System32\mshta.exe
    C:\Documents and Settings\Erick\Local Settings\Temporary Internet Files\Content.IE5\JRV62GV1\dds[1].scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.hotmail.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [LightScribe Control Panel] "c:\program files\common files\lightscribe\LightScribeControlPanel.exe" -hidden
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [ShowIcon_SmartDisk Corporation_SmartDisk Flash Media Reader Support 2.1] "c:\program files\smartdisk\flash media reader\shwicon.exe" -t"smartdisk corporation\SmartDisk Flash Media Reader Support 2.1"
    mRun: [SW20] "c:\winnt\system32\sw20.exe"
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
    mRun: [SecurDisc] "c:\program files\nero\nero 7\incd\NBHGui.exe"
    mRun: [InCD] "c:\program files\nero\nero 7\incd\InCD.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [GEST] ]
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [<NO NAME>]
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    StartupFolder: c:\docume~1\erick\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\erick\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: cityofheroes.com\boards
    Trusted Zone: sun.com\java
    DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
    DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/haphazard/raptisoftgameloader.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147640637654
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148195024359
    DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://download.shockwave.com/pub/otoy/OTOYAX.cab
    DPF: {7C6E92FA-4429-4FB6-909B-798E2EFFAEF0} - hxxp://www.coh.co.kr/common/ocx/ncweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.4437847222
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
    DPF: {CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
    DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
    DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\erick\applic~1\mozilla\firefox\profiles\neepi7vu.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false

    ============= SERVICES / DRIVERS ===============

    R0 AvgRkx86;avgrkx86.sys;c:\winnt\system32\drivers\avgrkx86.sys [2009-5-28 52872]
    R0 JAHCI;JAHCI;c:\winnt\system32\drivers\JAHCI.sys [2006-5-15 33280]
    R0 uliagpkx;ULi AGP Bus Filter Driver;c:\winnt\system32\drivers\AGPKX.SYS [2006-5-14 45056]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-5-28 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-5-28 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-5-28 243024]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
    R2 LBeepKE;Logitech Beep Suppression Driver;c:\winnt\system32\drivers\LBeepKE.sys [2010-6-19 10448]
    S3 Afdfprmnnp;Afdfprmnnp; [x]
    S3 AvFlt;Antivirus Filter Driver;c:\winnt\system32\drivers\av5flt.sys --> c:\winnt\system32\drivers\av5flt.sys [?]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
    S3 Ms_mdsvr;Ms_mdsvr; [x]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
    S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2003-10-28 820858]
    S3 Sybsaccegw;Sybsaccegw; [x]
    S3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\winnt\system32\drivers\ULILAN51.SYS [2006-5-14 28672]
    S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-7-14 49776]

    =============== Created Last 30 ================

    2010-12-26 15:36:14 -------- d-----w- c:\docume~1\erick\applic~1\SUPERAntiSpyware.com
    2010-12-26 15:36:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-12-26 15:36:09 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-12-24 16:49:33 388096 ----a-r- c:\docume~1\erick\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-24 16:49:33 -------- d-----w- c:\program files\Trend Micro
    2010-12-24 16:45:20 -------- d-----w- c:\docume~1\erick\locals~1\applic~1\CoHelper
    2010-12-23 16:49:43 -------- d-----w- c:\docume~1\erick\locals~1\applic~1\AOL
    2010-12-23 16:48:34 -------- d-----w- c:\docume~1\erick\locals~1\applic~1\AIM
    2010-12-23 16:48:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM
    2010-12-23 16:48:18 -------- d-----w- c:\program files\common files\Software Update Utility
    2010-12-23 16:48:15 -------- d-----w- c:\program files\common files\AOL
    2010-12-15 18:36:05 40960 -c----w- c:\winnt\system32\dllcache\ndproxy.sys
    2010-12-15 18:35:32 45568 -c----w- c:\winnt\system32\dllcache\wab.exe
    2010-12-03 16:25:54 -------- d-----w- c:\program files\Titan Network

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\winnt\system32\isign32.dll
    2010-11-07 16:30:10 221 ----a-w- c:\docume~1\erick\applic~1\sdrfzfgd.bat
    2010-11-06 00:26:58 916480 ----a-w- c:\winnt\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\winnt\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\winnt\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\winnt\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\winnt\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\winnt\system32\win32k.sys

    ============= FINISH: 16:23:41.31 ===============

  #2 - Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    hi TheDeepBlue,

    Your log is a few days old. If you still need help reply back.

  #3 - Junior Member (Join Date: Dec 2010, Posts: 27)

    Originally posted by shelf life:
        hi TheDeepBlue,
        Your log is a few days old. If you still need help reply back.
    Yup, it's still goin' on. I was just being attentive to the part where I was supposed to wait four full days.

    If it's worth mentioning, I've seen the mshta.exe file sizes go a bit above 14 K since my first post. Also, I've noticed that I have multiple copies of svchost.exe running, with a couple running under NETWORK SERVICE and three under SYSTEM, as viewed from the Task Manager. The size of the largest svchost.exe file running under SYSTEM is 34.7 K and change.

  #4 - Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    ok. For now you can get another download as a check for malware. We can also upload the .exe to a web site to get it checked out.

    Please download the free version of Malwarebytes to your desktop.
    Double-click mbam-setup.exe and follow the prompts to install the program.
    Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    If an update is found, it will download and install the latest version.
    Once the program has loaded, select Perform FULL SCAN, then click Scan.
    When the scan is complete, click OK, then Show Results to view the results.
    Be sure that everything is checked, and click *Remove Selected.*

    *A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

    When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    Post the log in your reply.

    Go to this web site, browse for the file in the system32 directory, then upload it to the website using the Send File button. The site can be busy at times. You should see nothing listed under the result column.

  #5 - Junior Member (Join Date: Dec 2010, Posts: 27)

    Updated MWB and ran Full Scan. Log follows:


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/30/2010 9:49:36 PM
    mbam-log-2010-12-30 (21-49-36).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 289794
    Time elapsed: 1 hour(s), 7 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{5E13212F-CDA6-4B95-8318-ABB4B45FA9B3}\RP143\A0007225.sys (Rootkit.Agent) -> No action taken.


    I didn't understand clearly whether or not you wanted me to upload the mshta.exe file to VirusTotal, but I did go ahead and upload the file from the log above. This is what VirusTotal says initially:

    MD5: 589312a3b46721c5a751e4d5222a89be
    Date first seen: 2008-09-13 14:30:26 (UTC)
    Date last seen: 2010-12-28 22:43:40 (UTC)
    Detection ratio: 8/43

    SHA1 : 3a497d3968a4f6e3c648d196da38e5f98e75ec30
    SHA256: 03cbe6df7f5605a3659ffe27a1184a8d9066436a17d7bac9cceb122de74f69ae

    There aren't very many comments on the site in reference to the file, but someone is saying that it's a 'part of malware' and others are saying that it's part of an antirootkit program called 'Avenger' or something, which I don't recall ever downloading.

  #6 - Junior Member (Join Date: Dec 2010, Posts: 27)

    Would have edited my last post, but I can't on this forum. I did remove the anomalous files detected by MWB with the program; I wasn't aware it would generate another log, so here's that one:


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/31/2010 2:48:13 AM
    mbam-log-2010-12-31 (02-48-13).txt

    Scan type: Quick scan
    Objects scanned: 1
    Time elapsed: 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  #7 - Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    It's a legit MS file that could be used by malware. I have seen it as a scheduled job for launching malware. Legit software can use it also.
    Let's see if we can find out what is using it. I would download either one of these two utilities: Process Hacker or Process Explorer; both are similar. Both downloads are zip files. Extract to your desktop.
    In Process Hacker you want to use the .exe that's in the X86 folder.
    For either one, once you start the .exe, find the mshta.exe process, right-click on it and select Properties and see what is listed in the command line. May provide some clues.

  #9 - Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    Take a look in Task Scheduler for any tasks.
    start > programs > accessories > system tools > scheduled tasks
    You can right-click on each task and select Delete if it's something you don't recognise.
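The two checks the helper describes in #7 (what command line each mshta.exe was started with) and #9 (which scheduled tasks launch it), as one added script that is not from the thread or from either tool named there. It assumes Windows PowerShell 2.0 or later with WMI and schtasks.exe available, and the report file name mshta-triage.txt is an assumption of mine.

```powershell
# Added triage script (not the thread's own). Shows every running mshta.exe with its
# parent process and full command line (Task Manager hides the command line; Process
# Explorer shows it), then lists scheduled tasks whose action runs mshta.exe or a URL.
# Assumes Windows PowerShell 2.0+; Win32_Process and schtasks.exe both exist on XP SP3.

function Get-MshtaProcesses {
    # Win32_Process.CommandLine holds the .hta path or script argument that tells you
    # what mshta.exe was actually asked to run; the parent tells you who started it.
    $procs = @(Get-WmiObject -Class Win32_Process -Filter "Name = 'mshta.exe'")
    foreach ($p in $procs) {
        $parent = Get-WmiObject -Class Win32_Process -Filter ("ProcessId = {0}" -f $p.ParentProcessId)
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }
        New-Object PSObject -Property @{
            PID         = $p.ProcessId
            Parent      = $parentName
            CommandLine = $p.CommandLine
        }
    }
}

function Get-SuspiciousTasks {
    # /v adds the "Task To Run" column; /fo CSV makes the output parseable.
    # Vista and later repeat the CSV header once per task folder, so those rows are skipped.
    $rows = @(schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv)
    foreach ($t in $rows) {
        if ($t.TaskName -eq 'TaskName') { continue }
        $action = [string]$t.'Task To Run'
        # A task that launches mshta.exe, or whose action embeds a URL, is what #7 and #9 are after.
        if ($action -match 'mshta|https?://') {
            New-Object PSObject -Property @{
                TaskName = $t.TaskName
                RunAs    = $t.'Run As User'
                Action   = $action
            }
        }
    }
}

# Print both lists and keep a copy on the desktop (assumed file name) to paste into a reply.
$report = "== running mshta.exe processes ==" +
          (Get-MshtaProcesses | Format-Table PID, Parent, CommandLine -AutoSize -Wrap | Out-String) +
          "== scheduled tasks that run mshta.exe or a URL ==" +
          (Get-SuspiciousTasks | Format-Table TaskName, RunAs, Action -AutoSize -Wrap | Out-String)
$report
$report | Out-File -FilePath (Join-Path $env:USERPROFILE 'Desktop\mshta-triage.txt')
```

Review the Action column before deleting anything: legitimate software also schedules mshta.exe, as #7 notes, so the command line, not the file name, is what separates the two.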

  #10 - Junior Member (Join Date: Dec 2010, Posts: 27)

    Found over seventy tasks that I'm pretty sure I didn't set that came from one or the other of the two things in my previous post. Deleted them all.

    I googled the 'funnypandashow.com' thing and it seems to be related to that Thinkpoint thing that's going around. I've dealt with it at least three times in the past and for some reason it seemed to always load Adobe Reader at the same time it hit my system. Ever since I patched Adobe Reader, I haven't seen it again, but apparently something might still be on my machine...?
