While looking through the startup files, I found these two entries in the
registry that have me wondering what they could be. I used a program called
Pest Patrol to view both the startup files and the running processes of the
PC, to obtain this information that I've provided.

HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)

HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)

Paths for the two are C:\windows\system\mshta.exe

Both possess an MD5 "signature" of
{95e7e4913891bd12ff9a58c60ea8d143}

What the heck are they? Would any of these be an issue for concern?

Thanks,
LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
----------------------------------------------------------------------------
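A defender-side way to answer the question above, added here as an example and not code from the thread or from Pest Patrol or HijackThis: read the htafile open-command values the post lists, resolve the executable they name, and report where it lives, its hashes, its Authenticode signature and its last-write time. It assumes a modern Windows host (mshta.exe under %SystemRoot%\System32, whereas the 2003 post shows C:\windows\system\mshta.exe on a Win9x-era install) and PowerShell 5.1 or later; it also reads the HKCU Classes path, which is an assumption about where a per-user override of the HKLM value would sit.

```powershell
# Added example (not from the thread). Inspects the htafile "open" verb and the
# binary it points to. Assumes a modern Windows host and PowerShell 5.1+.
$keys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command',
    # HKCR is a merged view; a per-user value here overrides the HKLM one.
    'Registry::HKEY_CURRENT_USER\Software\Classes\htafile\shell\open\command'
)

function Resolve-CommandExecutable {
    param([string]$CommandLine)
    # The program is the first token: a quoted path, or a bare name up to the first space.
    if ($CommandLine -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')   { $exe = $Matches[1] }
    else { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # A bare name such as MSHTA.EXE is found by the shell via the system directory, then PATH.
    $sys32 = Join-Path (Join-Path $env:SystemRoot 'System32') $exe
    if (Test-Path -LiteralPath $sys32) { return $sys32 }
    $found = Get-Command $exe -ErrorAction SilentlyContinue
    if ($found) { return $found.Source }
    return $null
}

$seen = @{}   # key -> command line, used to spot a user-level override below

foreach ($key in $keys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Output "$key : (not present)"
        continue
    }
    $cmd = $item.GetValue('')      # the (Default) value holds the command line
    $seen[$key] = $cmd
    $exe = Resolve-CommandExecutable $cmd
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        Write-Warning "$key -> '$cmd' : executable could not be resolved on disk"
        continue
    }
    $file        = Get-Item -LiteralPath $exe
    $sig         = Get-AuthenticodeSignature -FilePath $exe
    $inSystemDir = $exe -like (Join-Path $env:SystemRoot '*')

    [pscustomobject]@{
        Key          = $key
        Command      = $cmd
        Executable   = $exe
        InSystemRoot = $inSystemDir
        LastWrite    = $file.LastWriteTime
        MD5          = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
        SHA256       = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        SignatureOK  = ($sig.Status -eq 'Valid')
        Signer       = $sig.SignerCertificate.Subject
    }

    # Worth a second look: the verb pointing outside %SystemRoot%, or an unsigned/tampered binary.
    if (-not $inSystemDir)        { Write-Warning "$key : executable is outside $env:SystemRoot" }
    if ($sig.Status -ne 'Valid')  { Write-Warning "$key : Authenticode status is $($sig.Status)" }
}

# A per-user Classes value that differs from the machine-wide one wins in HKCR,
# which is exactly the kind of quiet redirection an inspection like this should surface.
$hklm = $seen[$keys[0]]; $hkcu = $seen[$keys[2]]
if ($hkcu -and $hklm -and ($hkcu -ne $hklm)) {
    Write-Warning "HKCU htafile open verb ('$hkcu') overrides HKLM value ('$hklm')"
}
```

The MD5 quoted in the post is not used as a reference value on purpose: a hash only tells you whether the file matches a known build, and the Authenticode check plus the location test answer the poster's real question (is this the genuine Windows binary, and is anything pointing the .hta verb somewhere else) without depending on a 2003-era fingerprint.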

Re: What are these registry entries? by PA

PA
Thu Aug 07 16:20:21 CDT 2003

A Google Search shows nothing untoward. MSHTA.EXE is a valid Windows (IE)
file.

Follow siljaline's oft-posted advice:

Go to: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Next, HijackThis | Config [button] | Misc Tools [button]
Click: Generate StartupList log [button] (generates "startuplist.txt")

Next, go to the below location: Spyware and Hijackware Removal Support.
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files in your message.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com

LuckyStrike wrote:
>> While looking through the startup files, I found these two entries in the
>> registry that have me wondering what they could be. I used a program called
>> Pest Patrol to view both the startup files and the running processes of the
>> PC, to obtain this information that I've provided.
>>
>> HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)
>>
>> HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)
>>
>> Paths for the two are C:\windows\system\mshta.exe
>>
>> Both possess an MD5 "signature" of
>> {95e7e4913891bd12ff9a58c60ea8d143}
>>
>> What the heck are they? Would any of these be an issue for concern?


Re: What are these registry entries? by LuckyStrike

LuckyStrike
Thu Aug 07 17:31:55 CDT 2003

I did run HijackThis (should have mentioned it) and no presence of this
particular entry was present. The only thing that put me off was when I
looked in Pacs-Portal Startup info I had noticed a very similar entry
described "SystemBoot (2) Mshta.exe ...filename.hta Adult content dialler".
Naturally, I found that possibility to be unsettling.

So, Thanks PA Bear, for your help and putting my mind at ease.

LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
----------------------------------------------------------------------------
"PA Bear" <PABear@mvps.org> wrote in message
news:ug8MAnSXDHA.1744@TK2MSFTNGP12.phx.gbl...
> A Google Search shows nothing untoward. MSHTA.EXE is a valid Windows (IE)
> file.
>
> Follow siljaline's oft-posted advice:
>
> Go to: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>
> Unzip, double-click "HijackThis.exe" and Press "Scan".
>
> When the scan is finished, the "Scan" button will change into a "Save Log"
> button.
> Click: "Save Log" (generates "hijackthis.log")
>
> Next, HijackThis | Config [button] | Misc Tools [button]
> Click: Generate StartupList log [button] (generates "startuplist.txt")
>
> Next, go to the below location: Spyware and Hijackware Removal Support.
> http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11
>
> Sign in, then copy and paste both files in your message.
> --
> HTH...Please post back to this thread
>
> ~Robear Dyer (aka PA Bear)
> MS MVP-Windows (IE/OE)
> http://mvp.support.microsoft.com
>
> LuckyStrike wrote:
> >> While looking through the startup files, I found these two entries in the
> >> registry that have me wondering what they could be. I used a program called
> >> Pest Patrol to view both the startup files and the running processes of the
> >> PC, to obtain this information that I've provided.
> >>
> >> HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)
> >>
> >> HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)
> >>
> >> Paths for the two are C:\windows\system\mshta.exe
> >>
> >> Both possess an MD5 "signature" of
> >> {95e7e4913891bd12ff9a58c60ea8d143}
> >>
> >> What the heck are they? Would any of these be an issue for concern?
>



Re: What are these registry entries? by YoKenny

YoKenny
Fri Aug 08 01:35:43 CDT 2003

LuckyStrike wrote:
> While looking through the startup files, I found these two entries in
> the registry that have me wondering what they could be. I used a
> program called Pest Patrol to view both the startup files and the
> running processes of the PC, to obtain this information that I've
> provided.
>
> HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)
>
> HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)
>
> Paths for the two are C:\windows\system\mshta.exe
>
> Both possess an MD5 "signature" of
> {95e7e4913891bd12ff9a58c60ea8d143}
>
> What the heck are they? Would any of these be an issue for concern?

You may want to read this:
HTA DOWNLOAD EXPLOIT
http://www.nsclean.com/psc-htas.html

"On July 28th 2003, a new means of exploit was discovered by the team at
spywareinfo.com which involved a program rapidly disseminating onto the
computers of innocent victims called "WINMAIN.EXE." The source of this file
is currently unknown, though it appears to be rampant, likely placed onto
machines as one of those "hijacker/adware" packages. Normally such programs
are at worst a privacy issue or an annoyance. However, this event portends
an entirely new method of attack against machines, given that the offending
executable activates a particularly dangerous piece of Internet Explorer and
exposes a serious new risk to all machines, since this executable runs
throughout an entire Windows session, and does not possess the ability to
distinguish the source of scripts which it will run. This particular
exploit drops a file called "C:\WINLOG.HTML" which is called, and can be
located, but future exploits will be able to generate other files with other
names in the future. This exploit is merely the opening salvo in what we
expect to be a whole new approach to trojans."

Also read: (looking for winmain)
http://www.pacs-portal.co.uk/startup_pages/startup_all.php


Re: What are these registry entries? by LuckyStrike

LuckyStrike
Fri Aug 08 10:46:31 CDT 2003

YoKenny,

Thanks for the additional info. I had taken note of this in the Pacs-Portal
Startup pages as well, but did not find any actual entries in the registry or
anywhere else that indicated the presence of either the "Winmain.exe" or
"Winlog.html" existing within my PC.
That program does appear to be an insidious one, and maybe has a way of
truly hiding itself from being detected as such. While the path for
Mshta.exe is c:\windows\system\mshta.exe and the application is found
through this path, it is an older program revealing no indication of having
been modified or changed since Aug./02, if that is of any import.

In appreciation for your time and research - Thanks.

LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
----------------------------------------------------------------------------

"YoKenny" <YKnot@home.invalid> wrote in message
news:%237KMadXXDHA.2620@TK2MSFTNGP09.phx.gbl...
> LuckyStrike wrote:
> > While looking through the startup files, I found these two entries in
> > the registry that have me wondering what they could be. I used a
> > program called Pest Patrol to view both the startup files and the
> > running processes of the PC, to obtain this information that I've
> > provided.
> >
> > HKLM\software\CLASSES\htafile\shell\open\command (MSHTA.EXE "%1"%*)
> >
> > HKey_CLASSES_ROOT\htafile\shell\open\command (MSHTA.EXE "%1"%*)
> >
> > Paths for the two are C:\windows\system\mshta.exe
> >
> > Both possess an MD5 "signature" of
> > {95e7e4913891bd12ff9a58c60ea8d143}
> >
> > What the heck are they? Would any of these be an issue for concern?
>
> You may want to read this:
> HTA DOWNLOAD EXPLOIT
> http://www.nsclean.com/psc-htas.html
>
> "On July 28th 2003, a new means of exploit was discovered by the team at
> spywareinfo.com which involved a program rapidly disseminating onto the
> computers of innocent victims called "WINMAIN.EXE." The source of this file
> is currently unknown, though it appears to be rampant, likely placed onto
> machines as one of those "hijacker/adware" packages. Normally such programs
> are at worst a privacy issue or an annoyance. However, this event portends
> an entirely new method of attack against machines, given that the offending
> executable activates a particularly dangerous piece of Internet Explorer and
> exposes a serious new risk to all machines, since this executable runs
> throughout an entire Windows session, and does not possess the ability to
> distinguish the source of scripts which it will run. This particular
> exploit drops a file called "C:\WINLOG.HTML" which is called, and can be
> located, but future exploits will be able to generate other files with other
> names in the future. This exploit is merely the opening salvo in what we
> expect to be a whole new approach to trojans."
>
> Also read: (looking for winmain)
> http://www.pacs-portal.co.uk/startup_pages/startup_all.php
>