What are these registry entries?

LuckyStrike

While looking through the startup files, I found these two entries in the
registry that have me wondering what they could be. I used a program called
Pest Patrol to view both the startup files and the running processes of the
PC, to obtain this information that I've provided.

HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)

HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)

Paths for the two are C:\windows\system\mshta.exe

Both possess an MD5 "signature" of
{95e7e4913891bd12ff9a58c60ea8d143}

What the heck are they? Would any of these be an issue for concern?

Thanks,
LuckyStrike
(e-mail address removed)
 
PA Bear

A Google Search shows nothing untoward. MSHTA.EXE is a valid Windows (IE)
file.

Follow siljaline's oft-posted advice:

Go to: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location: Spyware and Hijackware Removal Support.
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files in your message.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com
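One way to confirm this on your own machine rather than relying on a web search. This is an added example, not code from the thread or from Pest Patrol or HijackThis; it is written for Windows PowerShell 5.1 or later, the function names Test-HtaHandler and Get-CommandExecutable are ours, and it assumes only the two registry paths the original post names.

```powershell
# Added example, not from the thread or any tool it mentions.
# Defender-side check of the .hta file association: read the htafile open
# command from both hives, resolve the executable it points to, and report
# its location, Authenticode status and hashes so they can be compared with
# a copy you trust instead of guessed at.
# Assumptions: Windows PowerShell 5.1+; reading HKCR/HKLM needs no elevation.

function Get-CommandExecutable {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Accepts both the quoted form   "C:\...\mshta.exe" "%1" ...
    # and the bare form from the thread   MSHTA.EXE "%1"%*
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Test-HtaHandler {
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command'
    )

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Command = '(missing)'; Suspicious = $false }
            continue
        }

        $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
        $exe = Get-CommandExecutable -CommandLine $cmd

        # A bare "MSHTA.EXE" with no directory is resolved the way the shell
        # would resolve it: through PATH.
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $app = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
            if ($app) { $exe = $app.Source }
        }

        $exists   = $exe -and (Test-Path -LiteralPath $exe)
        $isMshta  = $exe -and ([IO.Path]::GetFileName($exe) -ieq 'mshta.exe')
        $inSysDir = $exe -and $exe.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)

        $sigStatus = 'n/a'; $signer = 'n/a'; $sha256 = 'n/a'; $md5 = 'n/a'
        if ($exists) {
            $sig       = Get-AuthenticodeSignature -FilePath $exe
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $md5       = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
        }

        # Anything other than a validly signed mshta.exe under %SystemRoot%
        # is worth a closer look: the handler has been pointed somewhere else.
        $suspicious = -not ($exists -and $isMshta -and $inSysDir -and $sigStatus -eq 'Valid')

        [pscustomobject]@{
            Key             = $key
            Command         = $cmd
            Executable      = $exe
            InSystemRoot    = [bool]$inSysDir
            SignatureStatus = $sigStatus
            Signer          = $signer
            SHA256          = $sha256
            MD5             = $md5
            Suspicious      = $suspicious
        }
    }
}

Test-HtaHandler | Format-List
```

Run it as written and you get one record per key. On an unmodified system both point at mshta.exe inside the Windows directory with a valid Microsoft signature and Suspicious is False; a handler that resolves to a different file, a file outside the Windows directory, or an unsigned binary is the case that deserves follow-up. The hash fields are there for comparison against a copy you trust; the MD5 quoted in the original post came from the poster's own machine and should not be treated as a reference value.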
 
LuckyStrike

I did run HijackThis (should have mentioned it) and this particular entry was
not present. The only thing that put me off was when I
looked in Pacs-Portal Startup info I had noticed a very similar entry
described "SystemBoot (2) Mshta.exe ...filename.hta Adult content dialler".
Naturally, I found that possibility to be unsettling.

So, Thanks PA Bear, for your help and putting my mind at ease.

LuckyStrike
(e-mail address removed)
--------------------------------------------------------------------------------
PA Bear said:
A Google Search shows nothing untoward. MSHTA.EXE is a valid Windows (IE)
file.

Follow siljaline's oft-posted advice:

Go to: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location: Spyware and Hijackware Removal Support.
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files in your message.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com
 
YoKenny

LuckyStrike said:
While looking through the startup files, I found these two entries in
the registry that have me wondering what they could be. I used a
program called Pest Patrol to view both the startup files and the
running processes of the PC, to obtain this information that I've
provided.

HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)

HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)

Paths for the two are C:\windows\system\mshta.exe

Both possess an MD5 "signature" of
{95e7e4913891bd12ff9a58c60ea8d143}

What the heck are they? Would any of these be an issue for concern?

You may want to read this:
HTA DOWNLOAD EXPLOIT
http://www.nsclean.com/psc-htas.html

"On July 28th 2003, a new means of exploit was discovered by the team at
spywareinfo.com which involved a program rapidly disseminating onto the
computers of innocent victims called "WINMAIN.EXE." The source of this file
is currently unknown, though it appears to be rampant, likely placed onto
machines as one of those "hijacker/adware" packages. Normally such programs
are at worst a privacy issue or an annoyance. However, this event portends
an entirely new method of attack against machines, given that the offending
executable activates a particularly dangerous piece of Internet Explorer and
exposes a serious new risk to all machines, since this executable runs
throughout an entire Windows session, and does not possess the ability to
distinguish the source of scripts which it will run. This particular
exploit drops a file called "C:\WINLOG.HTML" which is called, and can be
located, but future exploits will be able to generate other files with other
names in the future. This exploit is merely the opening salvo in what we
expect to be a whole new approach to trojans. "

Also read: (looking for winmain)
http://www.pacs-portal.co.uk/startup_pages/startup_all.php
 
LuckyStrike

YoKenny,

Thanks for the additional info. I had taken note of this in the Pacs-Portal
Startup pages as well, but did not find any actual entries in the registry or
anywhere else that indicated the presence of either the "Winmain.exe" or
"Winlog.html" existing within my PC.
That program does appear to be an insidious one, and maybe has a way of
truly hiding itself from being detected as such. While the path for
Mshta.exe is c:\windows\system\mshta.exe and the application is found
through this path, it is an older program revealing no indication of having
been modified or changed since Aug./02, if that is of any import.

In appreciation for your time and research - Thanks.

LuckyStrike
(e-mail address removed)
 
LuckyStrike

Hi Alan,

These files were unfamiliar to me and when I sought them out, Pest Patrol
showed them as being in the "startup files" along with items like
Scanregw.exe/autorun, MMkeyboard.exe, AVGCC32.exe, AVGSERV9.exe,
EM_EXEC.exe, AcBtnMgr_X83.exe and so forth. All of these and a couple more
are indicated by Pest Patrol as being in the registry.

While the aforementioned readily discernible applications are present as
startup items in Msconfig, the Mshta.exe's are not. I was/am concerned that
these two have never appeared in Msconfig, but seem to "lurk" in the
registry.

Thanks,
LuckyStrike
(e-mail address removed)
 
