# Solved: c:\windows\system32\mshta.exe



## flavallee (May 12, 2002)

I started using *Panda Cloud Antivirus 3.01* a couple of weeks ago.

This morning, it brought up an alert that it was blocking this file - see below image of its event report.

I haven't gone to any dubious sites nor downloaded anything.

The computer is running Windows 7 Professional SP1 32-bit.

I run AdwCleaner and Malwarebytes and SUPERAntiSpyware weekly.

Other than 2 - 3 adware tracking cookies, nothing is found.

Is this a false positive?


----------



## flavallee (May 12, 2002)

I just did a scan with all 3 and they all found nothing except for 1 adware tracking cookie.

Here is what the mshta.exe properties window looks like.


----------



## Cookiegal (Aug 27, 2003)

The file itself is not malicious but there is a vulnerability in IE that something is attempting to exploit. This might be helpful:

http://www.pandasecurity.com/mediacenter/2010/06/03/behavioral-blocking-rules/


----------



## flavallee (May 12, 2002)

Thanks, K. I see the 5021 rule you're referring to.

I've added that behavioral blocking rules site to my "Favorites" list. :up:


----------



## Cookiegal (Aug 27, 2003)

You're welcome Frank.


----------



## Phantom010 (Mar 9, 2009)

I did personally work on multiple threads regarding suspicious behavior with the *mshta.exe* process. Turned out to be malware every time. Might be a good idea to investigate a little further?

http://forums.techguy.org/virus-other-malware-removal/1038096-visual-c-error-scvhost-exe.html

http://forums.techguy.org/windows-xp/998629-cant-access-user-acounts-system.html

http://forums.techguy.org/windows-xp/994571-what-mshta.html

http://forums.techguy.org/virus-other-malware-removal/986059-mshta-exe-task-manager.html

http://forums.techguy.org/virus-other-malware-removal/986664-mshta-exe-x-20-processes.html

http://forums.techguy.org/virus-other-malware-removal/974720-generic-host-process-error.html

http://forums.techguy.org/general-security/979728-extra-mshta-exe-process-funnymouseshow.html

http://forums.techguy.org/virus-other-malware-removal/960097-never-ending-instances-mshta-exe.html

http://forums.techguy.org/windows-xp/956067-mdm-exe-mshta-exe.html


----------



## flavallee (May 12, 2002)

They all appear to be 2010 - 2012 threads and nothing more recent.

I'm pretty good at maintaining and keeping my computers up-to-date, and I have what I consider to be safe and responsible computing habits, so I'm going to wait and see if anything else develops.



----------



## Cookiegal (Aug 27, 2003)

Malware can and often does exploit the mshta.exe but the file alone doesn't signify malware as it's a valid Windows component that is simply being used to attempt to display a malicious web page. The fact that Panda Cloud blocked it means it's doing its job nicely so it's unlikely that anything got through, especially with the lack of symptoms, but of course checking is wise and I'm sure Frank already has run some scans as he said in his first post.

Frank, you might just want to check the Scheduled Tasks and browser extensions/addons for anything suspicious and delete all temp files and folders as well just as a precaution.


----------



## Phantom010 (Mar 9, 2009)

Cookiegal said:


> Malware can and often does exploit the mshta.exe but the file alone doesn't signify malware as it's a valid Windows component that is simply being used to attempt to display a malicious web page. The fact that Panda Cloud blocked it means it's doing its job nicely so it's unlikely that anything got through, especially with the lack of symptoms, but of course checking is wise and I'm sure Frank already has run some scans as he said in his first post.
> 
> Frank, you might just want to check the Scheduled Tasks and browser extensions/addons for anything suspicious and delete all temp files and folders as well just as a precaution.


The file itself is a legitimate Windows file and located in the right folder as well, as it was on the infected computers I've worked on. As you say, it can be exploited and Panda did block something. But if it blocked the file, let's hope there's nothing malicious lurking somewhere on that computer.

On some computers I worked on, the file, or the nasty using the file, was trying to call home on a strange IP address located in Latvia... If you ever see that file again in your list of running processes, try the procedure from some of my links with Process Explorer. The information under Image and the Command line was self-explanatory.

http://forums.techguy.org/virus-other-malware-removal/960097-never-ending-instances-mshta-exe.html


----------



## flavallee (May 12, 2002)

I remember that same *mshta.exe* file recently being blocked in my other full-time Windows 7 desktop.

I just checked the quarantine list and see it listed there as being blocked on July 26th.


Here is what the complete list of toolbars and extensions looks like.

Java and Adobe are usually the only ones that load.

If you feel any of the enabled ones should be disabled, please let me know.

All search providers and accelerators are kept disabled.


----------



## flavallee (May 12, 2002)

Okay, this is weird. 

When I opened the HP Printer Assistant to check the ink levels in both of my HP Deskjet 2540 series all-in-ones, Panda displayed a pop-up about blocking that same file.

You can see at the bottom of the list when it was first blocked on July 26th.


----------



## flavallee (May 12, 2002)

Shutting down for the day. See you folks in the morning.



----------



## Phantom010 (Mar 9, 2009)

flavallee said:


> Okay, this is weird.
> 
> When I opened the HP Printer Assistant to check the ink levels in both of my HP Deskjet 2540 series all-in-ones, Panda displayed a pop-up about blocking that same file.
> 
> You can see at the bottom of the list when it was first blocked on July 26th.


May not be malicious after all. We'll see.

http://h30434.www3.hp.com/t5/Printe...ficeJet-4620-installation/td-p/1680009/page/2

http://h30434.www3.hp.com/t5/Printe...ng-Options-utility-weird-Notepad/td-p/2253693

Your printer seems to be using .HTA files. The following applications also use them:

Microsoft Visual Studio .NET

Microsoft Office XP

Internet Explorer

... and more.

An .HTA is executed using the *mshta.exe* process.


----------



## Cookiegal (Aug 27, 2003)

It doesn't tell you where it was trying to connect?

It may be a false positive.


----------



## Phantom010 (Mar 9, 2009)

Panda is probably aware of past exploits with the *mshta.exe* process and is flagging it as a precaution. In flavallee's case, the HP printer seems to be the one using it legitimately. I have no idea what it does though. I've never seen that process running on my computers.


----------



## flavallee (May 12, 2002)

I just loaded the HP printer assistant in this desktop to see if the same thing would happen, and it did.

The Panda warning about mshta.exe pops up in the lower right corner and then fades away after a few seconds, so I'm not able to snip a screenshot of it.

Below is a screenshot of the HP printer assistant main window.

The pop-up warning doesn't appear to be hurting anything, so I'm sure I can get used to it appearing from time to time.


----------



## Phantom010 (Mar 9, 2009)

Another HP article and the mshta.exe process:

http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&docname=c01467981

I do believe HP printers need that file. For what purpose, I have no idea. Seems to execute HTML applications (.hta files) and helps scripts run in Windows. My Canon printer does not call that process. Is your printer networked?


----------



## flavallee (May 12, 2002)

I have 2 Dell OptiPlex 780 desktop systems on separate desks in my computer room.

A HP Deskjet 2540 printer is connected to each desktop with a USB printer cable.

I alternate from one to the other and usually don't have both running at the same time.

Both have the exact same programs and personal data.

If one crashes for some reason, I can still keep going.



----------



## Phantom010 (Mar 9, 2009)

To be sure, I still recommend running *Process Explorer* for more details on the *mshta.exe* process. As mentioned by Cookiegal, it might tell us where it's trying to connect... It's quite simple to use and does not require any installation. It's a Task Manager on steroids. You can simply run the .exe file directly from the website if you do not wish to download it:

Right-click a *mshta.exe* process after using your HP printer and select Properties... > Image > copy what you see in the *Command line:* and paste it in your next reply.

--------------------------------------------------------------------------------------------------------------

*CurrPorts* is another very interesting free tool to use from Nirsoft, again, requiring no installation. It will give you the Remote Address and possibly the Remote Host Name for that mshta.exe process, and more.

However, *Process Explorer* will also give you some of that info when selecting the *TCP/IP* tab, but with less details.
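The hands-on checks described in this post and the earlier ones (Process Explorer's Image > Command line, CurrPorts or the TCP/IP tab for the remote address, and Cookiegal's suggestion to look through Scheduled Tasks) can also be done from a PowerShell prompt. The script below is an added example written for this page; it is not code from the thread, from Panda, HP, Nirsoft or Sysinternals. It assumes an elevated PowerShell on Windows 7 SP1 or later with an English locale (the `schtasks` column names), and it only reads information, changing nothing on the machine.

```powershell
# Added example (not from the thread): triage running mshta.exe instances from PowerShell.
# Assumptions: run as Administrator; Windows 7 SP1 or newer; English locale for schtasks columns.
# netstat -ano is used instead of Get-NetTCPConnection so the script also works on Windows 7.

# 1. Every running mshta.exe with its parent, path and command line.
#    The command line is the key evidence (it is what Process Explorer shows under
#    Image > Command line): a legitimate use names an .hta belonging to an installed product,
#    such as the printer software in this thread; a suspicious one points at a temp or user
#    folder, a URL, or inline javascript:/vbscript: text.
$mshta    = @(Get-WmiObject Win32_Process -Filter "Name = 'mshta.exe'")
$expected = Join-Path $env:windir 'System32\mshta.exe'

foreach ($p in $mshta) {
    $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentText = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId } else { 'exited' }

    New-Object PSObject -Property @{
        PID            = $p.ProcessId
        Parent         = $parentText
        Path           = $p.ExecutablePath
        PathIsSystem32 = ($p.ExecutablePath -ieq $expected)   # a copy anywhere else is a red flag
        CommandLine    = $p.CommandLine
    } | Format-List PID, Parent, Path, PathIsSystem32, CommandLine

    # Pull the .hta path out of the command line (quoted or bare) and show the file's details,
    # so the script file itself, not just mshta.exe, is what gets looked at.
    if ($p.CommandLine) {
        $m = [regex]::Match($p.CommandLine, '"([^"]+\.hta)"|(\S+\.hta)', 'IgnoreCase')
        if ($m.Success) {
            $hta = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
            if (Test-Path -LiteralPath $hta) {
                Get-Item -LiteralPath $hta | Select-Object FullName, Length, LastWriteTime | Format-List
            } else {
                "HTA referenced but not found on disk: $hta"
            }
        }
    }
}
if ($mshta.Count -eq 0) {
    'No mshta.exe is running right now; open the program that triggers the alert and rerun.'
}

# 2. Remote endpoints for those PIDs (what CurrPorts and Process Explorer's TCP/IP tab show).
#    netstat -ano rows look like: Proto  Local  Foreign  [State]  PID  (UDP rows have no State).
$pids = @($mshta | ForEach-Object { [int]$_.ProcessId })
netstat -ano | Select-String '^\s*(TCP|UDP)\s' | ForEach-Object {
    $f = $_.Line.Trim() -split '\s+'
    if ($pids -contains [int]$f[-1]) {
        $state = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        'PID {0}: {1} {2} -> {3} {4}' -f $f[-1], $f[0], $f[1], $f[2], $state
    }
}

# 3. Scheduled tasks whose action runs mshta.exe or an .hta (the Scheduled Tasks check
#    Cookiegal suggested). A task is how a blocked .hta would come back after a reboot.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'mshta|\.hta' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time' |
    Format-Table -AutoSize -Wrap
```

Run it right after opening the HP Printer Assistant, while the alert is showing, since mshta.exe exits once the .hta closes. The reassuring picture, matching what the thread concludes, is `PathIsSystem32` true, a parent that is the printer software, a command line naming an .hta under that software's own folder, and no remote address beyond the local machine; any of those being otherwise is the point at which the command line and the .hta are worth posting for a closer look. Note that `Get-AuthenticodeSignature` on older PowerShell reports catalog-signed Windows files such as mshta.exe as NotSigned, so if a signature check is wanted, Sysinternals `sigcheck -i` is the tool to use rather than that cmdlet.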


----------

