mshta.exe


Hamish

I have today started to get a connection alert from my firewall to tell me
that at boot up time, and before any user applications are opened, that

'Microsoft (R) HTML Application host' from your computer wants to connect to
home.comcast.net [204.127.198.24], port 80

and that application

c:\windows\system32\mshta.exe

is the application attempting the connection. I have researched mshta.exe,
and everything tells me that it is a normal windows xp program, but does not
explain why it should start trying to connect to home.comcast.net, on
204.127.198.24, which I can get neither http nor ftp connection to with my
browser or ftp program, although my browser url switches to

http://www.comcast.net/memberservices/pwp/

before refusing connection.

The log my firewall keeps also points to the fact that this mshta program is
a recent edition, but as far as I know nothing new has recently been added.

Has anybody any idea what is going on, and how to prevent the connection
attempt (rather than just creating a rule to block it) if it is an
undesirable connection?
 

Guest

Well the good news is this is a valid Microsoft application but apparently
only a semi-necessary one. If you want to stop it 'phoning home, go
Start>Run and type in msconfig then go to the Services tab and scroll down
until you find it. Untick the box, click Apply and OK. This will force a
restart and when it does, tick the "don't show this message again" box and
then OK.
 

Wesley Vogel


Hamish

Thanks to both Roger and Wesley whose advice I tried from the 2 replies
higher up. However I found the culprits which were causing this problem,
lurking in my start up directory. I normally keep this empty, but 2 programs
had found their way there. These being "MicrosoftOffice.hta" which is the
one applying to the network, and another named OfficeOSA.exe, which I have
executed and nothing seems to happen other than an invalid windows 32
application message.

The original problem I found only occurred when I was connected to my
router, and I booted up, and as it is a while since I connected with the
router, recently preferring to use my ADSL modem, I can not actually say
when these 2 programs arrived in my startup directory. I have checked for
viruses and spyware and found none. The most recent things installed were 2
of Microsoft's power toy applications. The Tweak UI and the desktop icon
fixer. Could it have been either of these which added the 2 startup entries?
 

Wesley Vogel

Hamish,

OfficeOSA.exe is not a Microsoft file.

OSA.exe is an MS file.

OFFXP: What Is the Osa.exe File and What Does It Do?
http://support.microsoft.com/default.aspx?scid=kb;en-us;290144

Google search for OfficeOSA.exe
http://www.google.com/search?hl=en&lr=&q=OfficeOSA.exe&btnG=Search

MicrosoftOffice.hta returns nothing in MS & Google searches.

It is doubtful that MicrosoftOffice.hta is a legit file.

hta files...
[[Run applications from HTML documents. Note: This file type can become
infected and should be carefully scanned if someone sends you a file with
this extension.]]
http://www.filext.com/detaillist.php?extdetail=hta

These two items are probably viruses or scumware.

What does Properties show for the two files?

Right click each file | Properties | Version tab |
All info under Other Version information.

Scumware and virus scumbags make their crap look like legit programs.

Update your anti virus software and run a full system scan.

I have two *.hta files on my machine and they are part of MS Works Suite.
Opening them opens MSHTA.EXE, MSHTA.EXE does not try to access the internet.

--
Hope this helps. Let us know.
Wes

 

Torgeir Bakken (MVP)

Hamish said:
Thanks to both Roger and Wesley whose advice I tried from the 2 replies
higher up. However I found the culprits which were causing this problem,
lurking in my start up directory. I normally keep this empty, but 2 programs
had found their way there. These being "MicrosoftOffice.hta" which is the
one applying to the network, and another named OfficeOSA.exe, which I have
executed and nothing seems to happen other than an invalid windows 32
application message.

Hi

You are most likely infected by a trojan called Bloodhound.Exploit.21
or Troj/Chum-B (name depending on anti-virus vendor).

Bloodhound.Exploit.21
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.21.html

Troj/Chum-B.
http://www.sophos.com/virusinfo/analyses/trojpsymebd.html
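
The check that settled this thread, looking in the Startup folder for files that Windows hands to a script host such as mshta.exe, can be scripted. The Python below is an added example and not part of any post above; the folder paths are the current Windows defaults (an assumption, XP kept Startup under Documents and Settings), and the extension lists and function names are illustrative choices.

```python
import os, re, tempfile
from pathlib import Path
from urllib.parse import urlsplit

# File types that Windows runs from a Startup folder at logon, and the host that runs them.
SCRIPT_HOSTS = {".hta": "mshta.exe", ".vbs": "wscript.exe", ".vbe": "wscript.exe",
                ".js": "wscript.exe", ".jse": "wscript.exe", ".wsf": "wscript.exe"}
DIRECT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+", re.IGNORECASE)

def startup_dirs():
    """Per-user and all-users Startup folders that exist on this machine."""
    tail = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    roots = (os.environ.get(v) for v in ("APPDATA", "ProgramData"))
    return [Path(r) / tail for r in roots if r and (Path(r) / tail).is_dir()]

def remote_hosts(path, limit=1_000_000):
    """Host names of http(s) URLs embedded in a script file."""
    # Dropping NUL bytes lets the ASCII pattern also match UTF-16 encoded scripts.
    data = path.read_bytes()[:limit].replace(b"\x00", b"")
    hosts = set()
    for match in URL_RE.finditer(data):
        try:
            host = urlsplit(match.group().decode("ascii", "replace")).hostname
        except ValueError:  # malformed URL such as an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host)
    return sorted(hosts)

def audit(folder):
    """Report every Startup entry that is a script-host file or a bare executable."""
    findings = []
    for p in sorted(Path(folder).iterdir()):
        ext = p.suffix.lower()
        if p.is_file() and ext in SCRIPT_HOSTS:
            findings.append({"file": p.name, "runs_via": SCRIPT_HOSTS[ext], "hosts": remote_hosts(p)})
        elif p.is_file() and ext in DIRECT:
            findings.append({"file": p.name, "runs_via": "direct", "hosts": []})
    return findings

if __name__ == "__main__":
    dirs = startup_dirs()
    if not dirs:  # not on Windows: audit a constructed sample folder instead
        dirs = [Path(tempfile.mkdtemp())]
        (dirs[0] / "sample.hta").write_bytes(b'<script src="http://host.example.invalid/a.js"></script>')
    for d in dirs:
        for f in audit(d):
            print(d, f)
```

Shortcut (.lnk) files are not reported because they are normal in Startup; their targets need checking separately.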
 
