Multiple mshta.exe processes & low memory

Q: Multiple mshta.exe processes & low memory

System is at a slow crawl. Do I have a virus that's causing multiple mshta.exe processes? I keep running out of memory. Thanks!
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz, x86 Family 15 Model 2 Stepping 7
Processor Count: 1
RAM: 511 Mb
Graphics Card: NVIDIA GeForce4 Ti 4600 (Microsoft Corporation), 128 Mb
Hard Drives: C: Total - 78159 MB, Free - 55412 MB;
Motherboard: ASUSTeK Computer INC., P4B533
Antivirus: Microsoft Security Essentials, Updated: Yes, On-Demand Scanner: Enabled

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:46:18 AM, on 1/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Uniblue\PowerSuite\powersuite.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\BILL TRABACK\Local Settings\Temporary Internet Files\Content.IE5\EN80M41Y\SysInfo[1].exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\BILL TRABACK\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=ZUGO&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: FCTBPos00Pos - {9EBF8AAF-0A31-4786-909A-97A0EF101743} - C:\Program Files\AddThis Toolbar\Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: Support.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: AddThis Toolbar - {B43176CC-4D9E-493B-A636-D9CBFE39C6DA} - C:\Program Files\AddThis Toolbar\Toolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [ReceiveUtility] C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [PowerSuite] "C:\Program Files\Uniblue\PowerSuite\launcher.exe" delay 20000 -m
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.10)_Gecko/20100504_Firefox/3.5.10_(.NET_CLR_3.5.30729)_FBSMTWB" -"http://espn.go.com/free-online-games/dcrFrame?swfPath=http://a.espncdn.com/arcade/prod/games/bmx_park/20100209/bmx_park.dcr&width=640&height=480&sw2=&gameID=64&swlist="
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mfr.mlxchange.com
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - https://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange.com/5.3.11.19845/Control/IRCSharc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 12371 bytes
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by BILL TRABACK at 10:47:47 on 2012-01-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.52 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Uniblue\PowerSuite\powersuite.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\SearchIndexer.exe
svchost.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\BILL TRABACK\Local Settings\Temporary Internet Files\Content.IE5\EN80M41Y\SysInfo[1].exe
C:\Documents and Settings\BILL TRABACK\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: AddThis Toolbar BHO: {9ebf8aaf-0a31-4786-909a-97a0ef101743} - c:\program files\addthis toolbar\Toolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Support.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: Support.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: AddThis Toolbar: {b43176cc-4d9e-493b-a636-d9cbfe39c6da} - c:\program files\addthis toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [PowerSuite] "c:\program files\uniblue\powersuite\launcher.exe" delay 20000 -m
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.10)_Gecko/20100504_Firefox/3.5.10_(.NET_CLR_3.5.30729)_FBSMTWB" -"http://espn.go.com/free-online-games/dcrFrame?swfPath=http://a.espncdn.com/arcade/prod/games/bmx_park/20100209/bmx_park.dcr&width=640&height=480&sw2=&gameID=64&swlist="
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [<NO NAME>]
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [ReceiveUtility] c:\program files\hp\hp laserjet m1319 mfp series\ReceiveFaxUtility.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: mlxchange.com\mfr
Trusted Zone: showingtime.com\links
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxps://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://mfr.mlxchange.com/5.3.11.19845/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{FA8C0B24-F024-4AC9-A38B-EE677CAA959A} : DhcpNameServer = 65.32.5.111 65.32.5.112
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
R1 MpKslde7c3611;MpKslde7c3611;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{34007196-4ee9-4be8-b1ff-03bee7ed4470}\mpkslde7c3611.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{34007196-4ee9-4be8-b1ff-03bee7ed4470}\MpKslde7c3611.sys [?]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R3 HP1319EWS;HP1319EWS;c:\windows\system32\drivers\HP1319EWS.SYS [2011-6-12 10752]
R3 HP1319FX;HP1319FX;c:\windows\system32\drivers\HP1319FAX.SYS [2011-6-12 11264]
S1 MpKsl157be229;MpKsl157be229; [x]
S1 MpKsl1ed4ee2b;MpKsl1ed4ee2b; [x]
S1 MpKsl3082b1ad;MpKsl3082b1ad; [x]
S1 MpKsl3e90d577;MpKsl3e90d577; [x]
S1 MpKsl4a17f182;MpKsl4a17f182; [x]
S1 MpKsl5a922c9f;MpKsl5a922c9f; [x]
S1 MpKsl6ad40477;MpKsl6ad40477; [x]
S1 MpKsl6ccf2232;MpKsl6ccf2232; [x]
S1 MpKsl7049c147;MpKsl7049c147; [x]
S1 MpKsl7f8f4a75;MpKsl7f8f4a75; [x]
S1 MpKsl8a741d2b;MpKsl8a741d2b; [x]
S1 MpKsl91c1f278;MpKsl91c1f278; [x]
S1 MpKsl97ff6d86;MpKsl97ff6d86; [x]
S1 MpKsla3ca354b;MpKsla3ca354b; [x]
S1 MpKsla463e793;MpKsla463e793; [x]
S1 MpKsla4ea1e16;MpKsla4ea1e16; [x]
S1 MpKsla72ef66d;MpKsla72ef66d; [x]
S1 MpKslaa22437d;MpKslaa22437d; [x]
S1 MpKslaf9269ac;MpKslaf9269ac; [x]
S1 MpKslb614ed19;MpKslb614ed19; [x]
S1 MpKslc05175cf;MpKslc05175cf; [x]
S1 MpKsld40c2080;MpKsld40c2080; [x]
S1 MpKsle0098e91;MpKsle0098e91; [x]
S1 MpKslf07788f5;MpKslf07788f5; [x]
S1 MpKslf8c42bca;MpKslf8c42bca; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-21 135664]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2009-5-10 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2009-5-10 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2009-5-10 39552]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2009-5-10 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2009-5-21 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2009-5-21 10368]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-21 135664]
.
=============== Created Last 30 ================
.
2012-01-21 15:12:10 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e8b3b7b3-dd7d-4b69-862c-b031b201bd92}\mpengine.dll
2012-01-06 14:17:09 -------- d-----w- c:\documents and settings\bill traback\application data\FCTB000061107
2012-01-06 14:16:33 -------- d-----w- c:\program files\AddThis Toolbar
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-26 13:27:54 -------- d-----w- c:\documents and settings\bill traback\application data\Malwarebytes
2011-12-26 13:27:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M ====================
.
2011-12-04 12:43:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-08 14:55:12 60304 ----a-w- c:\documents and settings\bill traback\g2mdlhlpx.exe
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 10:49:19.59 ===============
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-22 00:34:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080L0 rev.YAR41BW0
Running: ytxk97pq.exe; Driver: C:\DOCUME~1\BILLTR~1\LOCALS~1\Temp\kwncypoc.sys
---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xF27E4300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF8A16300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[828] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1228] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[3400] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs F2857400

---- EOF - GMER 1.0.15 ----


A: Multiple mshta.exe processes & low memory


Every hour another mshta.exe process starts. Looks like it is trying to connect to 85.234.191.60/88.php. I've seen a few other people having the same issue. Also, when I start my computer, svchost.exe is taking 100% of the CPU causing it to take extremely long to load. I have to kill the svchost.exe process before it can finish. I have run DDS and GMER. Below are the dds.txt, attach.txt and GMER logs. Thanks for your help.
DDS (Ver_10-12-05.01) - NTFSx86
Run by dknerr at 9:30:20.66 on Thu 12/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.469 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:...

A:mshta.exe multiple processes running

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that...


Hello everyone, recently I have caught a bit of a bug on the ol' computer. Here's the short story.

I got the "Think Point" malware virus about a week ago. Took a lot of work to get just that off of my computer. After checking registries and using removal tools I felt happy about vanquishing this foe. Sadly the next day I noticed several instances of "mshta.exe" running in my task manager. I can't really tell what all the processes are doing, but I have noticed that I get redirected when using search engines. I feel that this is some form of spyware / malware. I've searched everywhere I can think of and my tools can't seem to narrow down the issue.

So in hopes to resolve this I have turned to you all for help and I am grateful that a site like this exists.

Thanks for the time and future efforts.


I need assistance please!

Had an attack of ThinkPoint and used guidance from bleeping computer to clear that up, then Malwarebytes found Zefarch so I followed Symantec advice to clear that up.

tdsskiller, rkill, malwarebytes, Symantec AV and Spybot all find nothing and yet I still have problems.

Occasional redirection particularly from google searches, windows explorer bombs, I get a firewall message saying that explorer is trying to make contact and task manager shows many instances of mshta running.

I have followed the instructions in the sticky with the exception that I can not get GMER to complete a full scan and produce a log file, it runs for ten minutes or so then the PC freezes. attach.txt is attached and the HJT and DDS logs are pasted below.

Thanks in anticipation

Mike

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:15:51, on 05/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PR...

A:Browser redirect and multiple mshta processes


Hi guys I was searching for info on this process and found these forums so here's my problem:
After using IE and getting some error that called up Windows Help and Services Center, I noticed later that I have a bunch of mshta.exe running in my task manager, so I downloaded that HJT program and got this:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:42:12 PM, on 11/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Kasper...

A:Multiple mshta.exe processes in my task manager

Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Download ComboFix from Here or Here to your Desktop.
As you download it rename it to username123.exe
**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not inst...


Hi,

I am in need of some expert advice here! Last week I noticed that the dreaded Thinkpoint icon had appeared on my desktop, and I also had some issues with browser redirecting. (Probably worth noting that the actual thinkpoint program itself seemingly did not actually install for some reason, and I subsequently removed the installer file from the C: drive)

Following some advice I THOUGHT I had solved the redirect problem, using a combination of Malware Bytes and some manual file removal. I also gave the computer a quick scan with SAS which removed a few extra bits and pieces, and I thought I was in the clear. However, I now seem to have a problem with multiple mshta.exe processes running (like 10 at a time), and 2 iexplore processes running. Combined with numerous svchost processes, this is causing the computer to run very slowly, and now I'm not sure about whether I have actually sorted the thinkpoint problem at all!

Any advice you guys can give would be greatly appreciated, please take it slowly as I'm still learning!

Thanks.


Hi and thank you for any help in advance. In my windows task manager, I have several instances of MSHTA.exe running. A new one opens every 15-45 minutes; I have had as many as 12 running at one time. I am pretty much a novice user and have little experience with this sort of thing, but I can follow directions! Again, thank you for any help.
DDS (Ver_09-06-26.01) - NTFSx86
Run by Kris at 18:13:53.10 on 06/07/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2038.1450 [GMT 1:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\StacSV.exe
C:\Program Files\Symantec AntiVirus\Rtvsc...

A:Multiple instances of mshta.exe in processes - they keep coming back

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asks you to install Recovery Console, please do so. It will be in your best interest.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.
Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.
------------------------------------------------------------------------------------------------------------------
NOTE: IMPORTANT! To other lurkers who see this topic, if you ever want to use ComboFix, please have a look at the tutorial below. You have been warned!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


For the past month or so I've noticed that my computer will gradually get really slow until I am forced to reboot. I saw that when I opened my task manager my computer will show very little available memory if left on for a few days.

Now that I look closer, there are several dozen processes called "mshta.exe". When I reboot there will be only one, and then over time they multiply slowly. I've looked around here and it looks like others have had the same problem and the result is to use a custom txt file of some sort that closes an automated task.

I suspect the task that is causing this is related to google updater but I don't know for sure. I don't have any google software on my computer but maybe I did at one time.

Anyway I am hoping someone here can help me. I am posting the requested log files as per the forum guidelines.

Thanks

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:46:17 PM, on 7/28/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\AASP\1.00.82\aaCenter.exe
C:\Program Files (x86)\QuickBooks Online Backup\OnlineBackup.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe
C:\Program Files (x86)\AVG\AVG9\avgtray.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\C...

A:Multiple processes "mshta.exe" eating up RAM

Never mind, I reformatted and installed Windows 7. Bye bye Vista.
Seems to have solved the problem.

Thanks guys for the hard work and quick response.
 


Greetings!
 
I have been running into an issue where multiple (I'd estimate at least 100 currently) dllhost.exe processes are running at one point in time. So many start running that my memory is almost 100% consumed, crippling my computer. The problem went away for a while but has now come back. After looking at this report I realized that the last time I tried to fix this problem, one of the steps involved disabling my antivirus, which I forgot to re-enable. I just tried to reenable antivirus (microsoft security essentials) and I was unable to. The error description when I tried to update was "The definition updates couldn't be installed. Please try again later."
 
DDS:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17344  BrowserJavaVersion: 10.51.2
Run by Mike at 15:11:08 on 2014-12-13
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16352.3273 [GMT -8:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Outdated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Disabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
F:\Windows\system32\lsm.exe
F:\Windows\system32\svchost.exe -k DcomLaunch
F:\Windows\system32\svchost.exe -k RPCSS
f:\Program Files\Microsoft Security Clien...

A:multiple dllhost.exe processes consuming memory

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I have given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Hi everyone. I'm at a loss. I currently am running XP and using IE8. I recently installed a bunch of addons. About a week later I noticed my computer was acting a little sluggish so I uninstalled and disabled most of the addons. I left 2 on there (roboform and something else, can't remember). However after getting rid of them it was still running a little off. I looked to see what processes I had running in task manager and found iexplore listed about 6 times. I had maybe 2 or 3 tabs open in IE but only one window. Do I have some hidden addon or is this a known issue with something?
Thanks guys - Liam

A:Multiple IE processes running using alot of memory

Hello and Welcome to TSF,

Yes, that's normal for 2 iexplorer.exe per page open for IE8.0.


The computer is running slow and I am seeing multiple copies of dllhost.exe using large amounts of RAM.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16584  BrowserJavaVersion: 10.67.2
Run by Jim at 2:32:34 on 2014-10-28
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4009.1082 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\atashost.exe
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\Canon\imagePROGRAFStatusMonitor\cnwisam.exe
C:\Program Files (x86)\Common Files\EFI\EFI ES-1000 Service\ES100...

A:dllhost.exe *32 COM Surrogate multiple processes/high memory usage

Hi & to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d...


Like many other members, I appear to have this infection. In Task Manager, there are about 20 dllhost.exe *32 processes, and under the command line column for about ten of them it says ###CLIENT###. My computer has taken an hour to just post this. I have attached scans from DDS and FRST. I will be thrilled if someone helps. Thank you so much
 
OS: Vista
Dllhost Processes are coming from C:\Windows\syswow64 folder
 
 
DDS.txt
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.6001.19088  BrowserJavaVersion: 10.67.2
Run by Ashley at 13:23:13 on 2014-10-18
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.4085.846 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC....

A:Trojan.Poweliks with multiple dllhost.exe processes consuming memory!

First we will remove the Adware, then Poweliks.

Step 1: Adwarecleaner
Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:
Download Mirror #1
Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP then just run it)
Click Scan and let the scan run.
When it finishes, click Clean, following the on screen prompts
After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes
Please download Malwarebytes Anti-Malware to your desktop
Install the programme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits
Go back to the Dashboard and select Scan Now
If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.
On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool
Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completio...


After reviewing several posts about this mshta.exe business, I decided it's time I tried myself. Here is my HijackThis report, hopefully you guys can make more sense of it than I can. I've found the mshta.exe, and the mshta.exe.mui, though when scanned they are clean. I however found 20+ scheduled tasks, all related to mshta.exe. Any help you could provide would be awesome, and very much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:33 AM, on 3/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Liv...

A:mshta.exe X 20+ processes running!!


I've noticed several processes in my task manager for the last two weeks or so, and they're titled 'mshta.exe'. I know there's been other people with this issue but I have reason to believe that my machine is infected.

I downloaded Process Explorer to investigate - as of right now I have five running processes, and the command line for each is identical, and reads:

http://funnymouseshow.com/hsdgjhjk.php?cfbgkjdffg=7461573902922

That doesn't look good to me, and I'd be grateful if someone could assist me in getting rid of these.

Below is my HijackThis log - thanks so much in advance. If anything jumps out at you that I didn't address that could/should be corrected, feel free to point it out as well.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:13:55 PM, on 1/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:...


Hi,

Two days ago, I was reading a forum I go on quite often, so what happened was I was on this forum reading various different threads I had opened up. So as I did this, they were taking time to load, so I went away and came back. When I got back, my computer seemed to have restarted, and I was prompted to log in. So as soon as I logged in, there was an alert from 'Windows Security Essentials Alert' so I quickly did a search and found that this was a fake alert/Trojan etc etc. I then found a guide on google I followed which removed this 'fake' Trojan, however after this, I went into my Task Manager to see what was running and I found 2 processors running which I haven't seen before, a quick search I found that it was either spyware or virus related. I then scanned my computer using spyware doctor, AVG anti-virus, RegDefense, CCleaner but none seemed to have removed this. I have followed the guide I was linked to by 'amateur' and here are the following.

P.S. I have a copy of the OS disc which came with the computer when I bought it few years back, however I have tried running the disc but when I tried to boot from the CD after changing the boot sequence from BIOS etc, I got an error saying disc error.



DDS (Ver_10-11-10.01) - NTFSx86
Run by Jack at 0:58:13.18 on 21/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.53 [GMT 0:00]

AV: AVG Internet Security *On-access scan...

A:unknown mshta.exe and FGuard.exe running in task manager processes?

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log...


Hello folks,

I recently went looking at woodworking sites and, inadvertently, clicked on something that downloaded a "hotfix" folder onto my computer. I started receiving one of those "yer pc is infected bla bla" followed by multiple pop-up windows of some sorta action cannot be bla bla. I did a search for all new files on my comp and deleted everything that had been created within the last hour, that was the "hotfix" folder and some accompanying files. I had to do a restart before I could delete anything, however, due to the massive amount of pop-ups freezing my computer. I no longer see hotfix or any of the "yer pc is broke, pay us all yer money so we can hotfix it for ya" stuff anymore, but I do get multiple instances of mshta.exe popping up in my process window. I'm sure something became embedded somewhere when I was forced to restart. I haven't taken any further action on it, since I have a great track record with you guys, I came here first. Any advice ya'll could offer would be greatly appreciated.

A: Multiple mshta.exe

Hello, it appears that during the upgrade of our forum your topic has been overlooked. If you still need help with this... Please go here... Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If Gmer won't run, skip it and move on. Let me know if that went well.


Hello,

I am receiving multiple instances of mshta.exe in my process window after attempting to remove a program folder named "Hotfix" from my computer after inadvertently picking it up from a website. I understand mshta.exe is a valid file, I believe the multiple instances in my process window are a symptom of something that got left behind. Here are my DDS and GMER logs. Thanks!

DDS (Ver_10-11-08.01) - NTFSx86
Run by MINES at 21:38:13.09 on Sun 11/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.938 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\sys...

A: Multiple mshta.exe

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The ...


I've had issues with pages redirecting, and now in the last 2 days I'm having multiple instances of mshta.exe going in my task manager. Yesterday there were around 20, at the moment there's just 2. Yesterday my computer stopped working totally in normal mode, but it's been ok in safe mode. Earlier this afternoon I got it to work again in normal mode, but I'm back to having these issues, any help would be greatly appreciated, thank you. I'm using Windows XP Media Center Edition Version 2002 Service pack 2

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:21:53 PM, on 2/2/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\Java\jre6\bin\j...


I've read a few posts here about this issue and it seems potentially serious so I wanted to resolve this issue. The longer my computer is running the more mshta.exe appear in my processes tab of Windows Task Manager. I am using Windows XP.

I also have the "google redirect" problem others are having, so I'm sure my computer is due for cleaning.

Thanks in advance for any help.

A: Multiple mshta.exe running

hello and welcome, let's get a scan log and see if we can get a handle on this.

Next run MBAM (MalwareBytes):
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all th...


Hello heroes,

A coworker's PC has a virus. Please help.

I appreciate any time and help you can give me on this virus battle and will do my best to follow instructions faithfully and provide timely and relevant information to you.

Besides the multiple instances of mshta.exe running in task manager and the Just In Time debugger message that continues to pop up, the browser (IE) is constantly redirecting.

Here are my logs:
DDS (Ver_10-12-05.01) - NTFSx86
Run by markm at 17:22:47.33 on Wed 12/08/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1071 [GMT -8:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program File...

A: multiple instances of mshta.exe

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that...


Hey guys, I have had multiple instances of mshta.exe running on my PC for a couple of days - I've tried using standard AV software (Symantec, Avast) and have always used a firewall (ZoneAlarm) and run weekly spybot checks. However, I had a couple of viruses detected previously that I deleted from Symantec's quarantine, but was still having google searches hijacked using IE or Chrome.

In the middle of running the GMER software (note that it detected rootkits on initial launch) a few minutes ago (when the multiple mshta.exe were running), I blue screened and thus had to reboot.

Since then, I've thus redone the DDS Download and GMER links, but I have the older files for the DDS (before the crash) if those are more helpful (after the blue screen reboot, no instances of mshta.exe are running). For now, I have rerun the DDS and GMER software here and used these new logs.


Sidenote: I wonder if the bluescreen means the rootkits have not loaded up again? Is that why I'm not detecting anything?
Update 2: My computer just froze, again. I wonder if the GMER link is the issue.

A: Multiple instances of mshta.exe

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks


I've noticed recently that mshta.exe has been showing up multiple times in Windows Task Manager. A new one seems to appear every 20 minutes or so, each one having about 9000 K of memory usage. There also seems to be an unusual amount of svchost.exe files, around 7 at any given time.

I've searched google and read about several similar cases of multiple mshta.exe files, but have yet to find a fix or known cause.

I followed all of the preparation instructions to a tee, however the GMER program has crashed my computer each time I've used it, so I have not been able to save a GMER report. The first time it showed a strange looking file named mbr.sys, but this did not show up the second time. The program runs for about 10 minutes, and then everything crashes and the computer needs to be restarted.

Thanks in advance for your time and help!

-Bill
DDS (Ver_10-11-27.01) - NTFSx86
Run by Bill and Larissa at 14:22:33.95 on Mon 11/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3061.2341 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\W...

A: mshta.exe multiple instances

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap...


Hello!
I have tried, in vain, to handle this myself but I am clearly not experienced enough.

AVG will pop up randomly and claim to have detected a trojan. Upon attempting to quarantine or heal, it will sometimes "successfully quarantine" and other times it will report that the file can no longer be found. Malware bytes yields a similar action if finding anything at all.

This seems to be user specific. I created a second admin account to do some poking around for odd files in the temp directory for the original user profile etc, but am unable to access the profile in explorer. When I click on the (presumably) infected profile, it says that access is denied... although the appropriate permissions are granted. Strangely, I can find no temp file under the user profile while logged into it. I'm not sure if this is relevant or not.

I use firefox, and have not noticed any change to my proxy settings or anything of that nature.

I have attached the requested log documents after running GMER and DDS programs.

Any help is sincerely appreciated. Thanks in advance!

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-13 00:42:29
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800BB-53CAA1 rev.17.07W17
Running: gmer.exe; Driver: C:\DOCUME~1\curry\LOCALS~1\Temp\ffrcqfow.sys
---- Kernel code sections - GMER 1.0.15 ----

? dvlxj.sys ...

A: mshta.exe - multiple entries

Hello and welcome to Bleeping Computer. I'm judicandus and I'll be helping you out.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

Please post a DDS log and Gmer log. For instructions please read this post: http://www.bleepingcomputer.com/forums/topic34773.html


Hi,

I have multiple mshta.exe instances in my process list. Earlier I had like 12. I closed them all and rebooted and within a couple of hours, I have four more. Here are my logs. Thanks in advance for any help you can provide!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:44:48 PM, on 2/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\system32\DeltaIITray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Fi...

A: Multiple mshta.exe in process list

Any assistance would be greatly appreciated.

Thanks
 


I recently noticed several copies of mshta.exe running on my computer. They often seem to be using a great deal of memory. I never noticed this before and they all seem to have some relation to the url 85.234.191.60/88.php?olala=952182726783741 (in Latvia?). I'm not noticing any trouble with my browsers or computer, except occasional slowing.

Here are my logs:
DDS (Ver_10-11-10.01) - NTFSx86
Run by Michael at 9:48:28.71 on Wed 11/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.416 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\...

A: Multiple copies of mshta.exe running

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap...


I've had up to as many as 12 instances. Currently have four. Also, in the process of trying to fix it, have managed to get a Google redirect issue too. Thanks in advance for any insight you all can provide!

Here are my logs:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Harvey at 22:09:23.92 on Mon 02/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1855 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
...

A: Multiple instances of mshta.exe running

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
These instr...


Hi,

A month or two after finding & eliminating a rootkit from my system, my computer is infected with multiple instances of mshta.exe, a problem that seems common from other forum posts I've read. In most such cases, the recommendation seems to be to run ComboFix, but I don't want to do this on my own. Also, I'd like to know whether ComboFix is going to have any effect on my network (or network startup tasks), as I'm on a work computer.

Below & attached are the DDS logs. I was unable to create a GMER log because the program kept crashing my computer. I've also attached OTL logs, in case this is helpful.

Any assistance would be greatly appreciated ~ thank you!

Chris

DDS (Ver_10-11-10.01) - NTFSx86
Run by ######### at 10:48:45.45 on Wed 11/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.478.49 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
H:\General\PureText\PureText.exe
C:\Program Files\Akeni\Akeni Pro Messenger ...

A: multiple mshta.exe after rootkit (tdds?)

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap...


My computer is slow. Windows task manager shows multiple mshta.exe. What is this and why are there so many? Could this be my problem or what? I keep going in task manager to close them and they keep coming back. The windows security essentials antivirus on my computer doesn't work right. Can't connect to the internet to update yet I can get on the internet fine. Obviously I have problems. LOL!!! Help please.
Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz, x86 Family 15 Model 4 Stepping 1
Processor Count: 2
RAM: 501 Mb
Graphics Card: Intel(R) 82915G/GV/910GL Express Chipset Family, 128 Mb
Hard Drives: C: Total - 186434 MB, Free - 105632 MB;
Motherboard: Intel Corporation, D915GAG, AAC77881-305, BQAG50904629
Antivirus: Microsoft Security Essentials, Updated: No, On-Demand Scanner: Enabled
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:29:24 PM, on 10/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common...


So I switched to Firefox about 6 months ago because all my IT colleagues swore up and down that it was virus proof. Well they were wrong, evidently...

I was on the website for one of the local newspapers and a Sun Java loading dialog popped up in the middle of the browser and immediately froze the machine... I rebooted into safe mode and ran malware bytes and it found a few things and I had them removed.

Everything seemed ok until I randomly viewed taskmanager and saw like 30 mshta.exe instances going. So at that point I tried numerous virus/malware removals, it kept finding "TDS rootkit" and they seemed to be gone.

However now my browsers - both of them - are hijacked and are redirecting to BS shopping sites and every time I use google or bing etc. On top of that, the computer just keeps crashing with a general 32 error whatever that is.

If someone with more expertise in this would lend a hand I'd be very happy. Thanks in advance.

Hijack this log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:56 AM, on 12/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
...

A:mshta.exe and multiple browser hijacks

so the rules say I can bump this after more than a day. so.. bump. thanks
 

RELEVANCY SCORE 56.4

Have been having some problems lately. Hitman Pro 3.5 indicated some problems in the root. Got a number of chkdisk messages. They have finally gone away after multiple reboots. Was running System Suite 10 but removed it and have Microsoft Security Essentials running right now. I have seen as many as 8 copies of mshta.exe running as well as 8 copies of svchost.exe currently running. Looking for some help. Thanks
 

RELEVANCY SCORE 56.4

Hello!
My problem is that when I try to mount an img file with Daemon Tools I get this mshta.exe error, 0x01fb13f4 referred to 0x0325e000 bla bla memory could not be read. And when I try to reinstall XP I get a "hardware malfunction message". I've tried memtest, Maxtor PowerMax, clear CMOS, remove DVD, soundcard, router, disable network, change memory sticks, chkdsk, Kaspersky-AVG-Panda-NOD-Vundo-Spybot-Adaware scan. Changed every driver possible. Everything I've used reported no problems whatsoever. I'm going slightly mad soon. Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 00:28:40, on 2007-01-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\DELADE~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Java\jre1.5.0_10\bin\jusched.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\Stardock\ObjectDock\ObjectDock.exe
C:\Program\Delade filer\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS... Read more

RELEVANCY SCORE 56

Please help, while updating windows today, I got an alert from AVG that malware was detected. I quarantined it, but now I notice that I have multiple instances of Mshta.exe running and never saw that before!! I ran hijack this and got

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:28 AM, on 11/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG... Read more

RELEVANCY SCORE 56

So I switched to Firefox about 6 months ago because all my IT colleagues swore up and down that it was virus proof. Well they were wrong, evidently...

I was on the website for one of the local newspapers and a Sun Java loading dialog popped up in the middle of the browser and immediately froze the machine... I rebooted into safe mode and ran Malwarebytes and it found a few things and I had them removed.

Everything seemed OK until I randomly viewed Task Manager and saw like 30 mshta.exe instances going. So at that point I tried numerous virus/malware removals; it kept finding "TDS rootkit" and they seemed to be gone.

However now my browsers - both of them - are hijacked and are redirecting to BS shopping sites and every time I use Google or Bing etc. On top of that, the computer just keeps crashing with a general 32 error, whatever that is.

If someone with more expertise in this would lend a hand I'd be very happy. Thanks in advance.

Hijack this log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:56 AM, on 12/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32... Read more

A:mshta.exe and multiple browser hijacks/redirects

Are there other sites that help with these problems? This is the third site I've tried, still no help.

RELEVANCY SCORE 56

My system keeps crashing and freezing due to mshta sessions running in the background. I can see in Task Manager, and I keep ending the process, but another program is obviously making it restart. I can't find that app or program. I have seen you advise for others how to fix, but each solution seems to be computer specific, so I have downloaded the data as requested. Can you help me root out the culprit and remove?
Very much appreciated!!!
Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows XP Professional, Service Pack 3, 32 bit
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz, x86 Family 6 Model 15 Stepping 2
Processor Count: 2
RAM: 2037 Mb
Graphics Card:
Hard Drives: C: Total - 238355 MB, Free - 127878 MB; I: Total - 304574 MB, Free - 100309 MB;
Motherboard: Dell Inc. , 0RF703, , ..CN137407230289.
Antivirus: avast! Antivirus, Updated: Yes, On-Demand Scanner: Enabled

1. Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:54:43 AM, on 6/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17098)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile De... Read more

RELEVANCY SCORE 56

Keep getting Multiple MSHTA sessions from the following 2 IP addresses BOTH in LATVIA:

91.188.59.17 and 85.234.191.60

I just cleared all over them right before starting this process and I have 4 already again! I have MS sec Essentials, Spybot destroyer, and Malwarebytes installed to no avail with this issue.

Will say this is on my dad's pc who is a NOOB in his online venturing. Yes he hits those BAD websites. Guess I'll be a dirty old man too lol.
PC info
Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
Processor: AMD Sempron(tm) 3000+, x86 Family 6 Model 10 Stepping 0
Processor Count: 1
RAM: 511 Mb
Graphics Card: RADEON 9200 SERIES , 128 Mb
Hard Drives: C: Total - 22125 MB, Free - 7469 MB; D: Total - 54166 MB, Free - 54071 MB;
Motherboard: Acer, G74M, ,
Antivirus: Microsoft Security Essentials, Updated: Yes, On-Demand Scanner: Enabled

Ok, so attaching the recommended files - Attach, DDS, ARK and HiJackthis.

Thanks in advance for your assistance and please let me know if you need anything further. 1st time poster so don't kill this noob lol. Seriously appreciate the help.

tj
 

A:Multiple MSHTA sessions continue to occur

Just wondering if anyone has checked this out yet. Thanks!
 

RELEVANCY SCORE 56

I have had serious problems today with malware infections. I was hit this morning with the bogus "Microsoft ThinkPoint" anti-malware from a malicious website, which I thought I managed to kill. As I was getting ready to shut down for the day, I opened the Task Manager and saw that I had more than a dozen instances of mshta.exe running. Looking at them in Process Explorer, each of the duplicates has the command line mshta.exe hxxp://funnybarsshow.com/jhkhj.php?kxdkhjk= -- definitely suspect. (Replaced http with hxxp to avoid danger to other users.)

The last time I had multiple svchost.exe processes running, it was a very nasty rootkit infection that I finally managed to kill with Kaspersky TDSSKiller. I ran that this time, and it found nothing, nor did Avast! anti-virus. I tried running the latest Microsoft Malicious Software Removal tool, which crashed after running for seven hours and finding nothing on the system drive. Based on the GMER report, it looks like there's definitely an infection, but I'm having trouble getting rid of it.

I ran Malwarebytes, which found and removed a keylogger, but GMER still indicates "rootkit-like behavior."

This is definitely a new problem that began December 9; I use Task Manager and Process Explorer all the time, and I haven't seen this behavior previously.

Any suggestions would be greatly appreciated.

=== DDS log ==

DDS (Ver_10-10-21.02) - NTFSx86
Run by Owner at 1:36:59.39 on Fri 12/10/2010
Int... Read more

A:Malware infection: multiple mshta.exe, svchost.exe

Hello AaronSev,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to AaronSev.exe and try again.

Thanks,
tea

RELEVANCY SCORE 56

Hello

I am getting multiple occurrences of mshta in the task manager. This has started since I have cleaned up a virus which popped up a fake microsoft security essentials warning.

This is the hijack this log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:46:51 AM, on 11/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program F... Read more

A:mshta multiple times in task manager

RELEVANCY SCORE 56

Hello, I'm over my head on this one! I throw myself at the mercy of the very knowledgeable people here at bleepingcomputer.com. I'm having the same problems that I see a lot of other people having. My computer was infected with a malicious program that kept redirecting my browser after a Google search. Microsoft Security Essentials and Malwarebytes would not detect any threats. Neither program along with Windows updates would connect to their update servers. I finally got the redirects to quit and the updates to work after running a few different malware and antivirus programs. It appears Kaspersky Antivirus 2011 was responsible for getting my redirects to stop and my updates to resume. BUT! My system is still very slow! My Google Chrome browser and my printer quit working and I'm getting a new mshta.exe entry in the Task Manager every 20 minutes or so. I've run the defogger tool, the dds tool and tried to run the gmer tool but it freezes my system.

DDS (Ver_10-11-27.01) - NTFSx86
Run by Lisa Whelan at 12:03:04.32 on Fri 12/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.759.455 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunc... Read more

A:mshta.exe appears multiple times in taskmanager

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

RELEVANCY SCORE 56

I have started by doing the Prep Guide and I have the information you need from them. Note: The program DDS did not work for me and I was instructed to use RSIT.exe by Bleepin' Janitor and to post here.
Logfile of random's system information tool 1.08 (written by random/random)
Run by Administrator at 2010-11-17 19:48:04
Microsoft Windows XP Professional Service Pack 2
System drive C: has 121 GB (40%) free of 305 GB
Total RAM: 2045 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:48:23 PM, on 11/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\csrss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\system32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C: ... Read more

A:Mshta.exe running multiple times in processed

I believe I have rid myself of this malware .... I am sorry that I could not wait for you to help me! I would like that this thread be closed unless you see something in the lower log that looks like I still have some type of malware/virus/trojan/spyware.. Thanks for taking the time to look and again I am sorry I could not wait!


Logfile of random's system information tool 1.08 (written by random/random)
Run by Administrator at 2010-11-20 16:56:58
Microsoft Windows XP Professional Service Pack 2
System drive C: has 121 GB (40%) free of 305 GB
Total RAM: 2045 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:57:07 PM, on 11/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS1\System32\smss.exe
C:\WINDOWS1\system32\winlogon.exe
C:\WINDOWS1\system32\services.exe
C:\WINDOWS1\system32\lsass.exe
C:\WINDOWS1\system32\svchost.exe
C:\WINDOWS1\System32\svchost.exe
C:\WINDOWS1\system32\svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\System32\svchost.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS1\system32 ... Read more

RELEVANCY SCORE 55.2

I have the google redirect virus. Sometimes it opens another browser window to a random site. Also I have multiple mshta.exe files running in the process window. I have run my McAfee virus scan, SuperAntispyware and Mbam. Mbam removed a few problems, and Super removed some tracking cookies but I still have the same problems. any help would be appreciated.

A:Google Redirect and multiple mshta.exe files running

Hello,

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom

RELEVANCY SCORE 55.2

Hi I would appreciate some help to resolve the below problems.
My computer has multiple entries of mshta.exe in the windows task master and also crashes every time I try to go into safe mode to run any antispyware or malware software. Have run various software in normal mode to remove virus but don't seem to be able to remove it completely. It always seems to come back.
I did follow your guide and ran Defogger, DDS (logs below).
When I tried to run GMER the computer crashed again and rebooted from restore.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 9:58:54.39 on 30/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.27.1033.18.2047.1294 [GMT 2:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.e... Read more

A:Multiple entries of mshta.exe and crashing in safe mode

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the ... Read more

RELEVANCY SCORE 55.2

Hello -

I am having the multiplying mshta.exe problem. I read through your other threads and am hoping you can help me sort this out. Below are the copies of the files your "read this first" thread requested. I also attached the attach.txt file.

When I delete the mshta files from the process explorer program, two things happen:
1. a process called wmiprvse.exe also shuts down, and once that happens mshta.exe no longer replicates; and
2. the MIDI playback device goes missing (the volume control delivers a warning that "there are no active mixer devices available"). The CD player and youTube videos make no sound, though the speakers continue to play whatever noises the programs make.

I did a search and deleted all instances of mshta and wmiprvse except those in their proper locations.
C:\Windows\System32\mshta, and
C:\Windows\System32\wbem\wmiprvse

I would appreciate any help you can render. Thank you.

I am running this system:
Tech Support Guy System Info Utility version 1.0.0.1
OS Version: Microsoft Windows XP Professional, Service Pack 2, 32 bit
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz, x86 Family 15 Model 4 Stepping 9
Processor Count: 2
RAM: 3070 Mb
Graphics Card: NVIDIA GeForce 9500 GT, 1024 Mb
Hard Drives: C: Total - 76253 MB, Free - 42343 MB; D: Total - 76285 MB, Free - 14387 MB; I: Total - 953867 MB, Free - 445027 MB;
Motherboard: Dell Inc. , 0HH807, , ..CN1374066I03KO.
Antivirus: Norton Internet Security, Updated: Yes, On-Demand Scanner: ... Read more

A:Removing multiple copies of mshta in task manager

mshta.exe is still propagating in the task manager. I have seen you help other users with this problem, and also read the warnings that I shouldn't run ComboFix without guidance. Please give me a hand with this. Thank you
 

RELEVANCY SCORE 54.8

I have the google redirect virus. It also sometimes opens a new browser window to a random site. Once I realized I had a problem I tried to system restore, but all the points before the day of infection were inaccessible. Also I have many mshta.exe files running in the process window. I have run my McAfee virus scan and found nothing. Next I ran Mbam and SuperAntispyware and both found a few things but I still have the problem. I tried starting in safe mode to run Super but I receive Keyboard malfunction when I use the F8 key. So I am unable to run in safe mode. I have done all the steps in the preparation guide and created some logs for gmer and dds. Thanks for the help in advance. Attached is the dds. log, attach.txt, and ark.txt file.
DDS (Ver_10-11-10.01) - NTFSx86
Run by Brandon Kyle at 21:51:46.73 on Sat 11/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1330 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\program files\dell printers\Additional Color Laser Software\S... Read more

A:Google redirect virus and multiple mshta.exe files running

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

RELEVANCY SCORE 54.4

My computer's been acting rather strange recently. Multiple instances of mshta.exe, attempted connections from hxxp://funnypinguinshow.com/sdad.php?kxasdasddkhjk=, a random tab pop-up once every couple hours, and Generic Host Win32 crashes.

Things completed so far:
Malwarebytes quick scan
SUPERAntispyware full scan
NOD32 smart scan

Any help is very much appreciated, thanks in advance!

DDS (Ver_10-12-12.02) - NTFSx86
Run by user at 21:59:05.31 on 01/25/2011 Tue
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.1014.98 [GMT -8:00]

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
FW: Kaspersky Internet Security *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magi... Read more

A:Multiple instances of mshta.exe, random tabs popping up, attempted connections

Good evening. Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop. You will then need to extract the file(s) from the zipped folder.
To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish
Please close all open programs as this may result in a reboot being necessary.
Double click TDSSKiller.exe to begin. Click Start scan and allow the tool to do just that. Once the scan has completed, if the tool has identified anything allow it to carry out its default action(s) - you'll need to click Continue where appropriate. Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens. If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
Please check that you get the one with the right date and time.

RELEVANCY SCORE 54.4
A:mshta hijacked and multiple instances of fake programs in task manager

Thanks for reading,

I have a Windows XP laptop that is severely infected.
Mshta has been duped in task manager and there are other fake programs running. When connected to the web it redirects any search or address bar submissions. Home page redirects as well, even with it set via Internet options.

AVG didn't catch anything and acted as if it was operating 3 times its normal speed, which was very odd to me, and it only found tracking cookies, but a prompt popped up saying I needed to update before it could delete the tracking cookies.... I called BS to that and downloaded rkill, ran it, and like magic my AVG was terminated along with all the fake mshtas/fake programs. So I downloaded mbam, emsisoft, hijackthis, dds, gmer, defogger, superantispyware. Before I got started I tested the severity of reoccurrences if I ended a fake process. Ending each in task manager was fine with no issues; even the web would work with fewer redirects. Any time a page was closed a fake program would appear in the process list. I then ran mbam. It found 7 Trojans; they deleted fine, but now the computer was slower than before and now mbam needed to update? I launched task manager and now instead of 8 mshtas running I now had 20 and other fake programs running. I ran rkill again but this time it didn't remove any fake processes from running. Any attempt at ending a fake process like before now results in access denied and a fatal error occurring, shutting down with a timer. Says I have 1 min before the la... Read more

RELEVANCY SCORE 53.6

"Deckard's System Scanner v20071014.68
Run by Owner on 2007-12-22 04:41:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-12-22 09:41:59 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-12-22 09:40:33 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:57 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C... Read more

A:Popups, Multiple unknown processes, Multiple viruses and malware found...

TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose Yes at the Warning prompt.
Expand the Tools menu.
Click Resident.
Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
In the File menu click Exit to exit Spybot Search & Destroy.

Download http://www.techsupportforum.com/sect...etTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.


----------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Curb tool help dart] C:\Documents and Settings\All Users\Application Data\Move Bore Curb Tool\That This.exe
O4 - HKCU\..\Run: [CreativeWeb] C:\DOCUME~1\Owner\APPLIC~1\LITEPL~1\Defy bias plus.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Ignore any prompts for a reboot


---------------


www.bleepingcomputer.com
www.forospyware.com
www.geekstogo.com

1. Please choose from any of the above links. Download the file & Save it to Desktop.

2. Double click on ComboFix.exe & follow the prompts.

3... Read more
