Strange list of c:\ files


Daniel-Man
07-01-2003, 06:40 AM
Is this normal? autoexec.bat is 0 bytes, config.sys is 0 bytes, hiberfil.sys is 400MB, io.sys is 0 bytes, msdos.sys is 0 bytes, ntldr is 232KB, np.tmp 4 bytes, boot.ini 196 bytes, AVG6DB_F.DAT 19.5 MB, AVG6DB_N.DAT 322 KB, pagefile.sys is 576MB, and I have a debug.txt, proclist.txt. Also, I just downloaded Internet Periscope which detects strange registry values. It said my registry key HKEY_CLASSES_ROOT\htafile\Shell\Open\Command contains: C:\WINDOWS2\System32\mshta.exe "%1" %*
It should contain: "%1" %*
This may be the 'Unknown Starting Method' used by SubSeven. In any case, many security experts believe that the .hta association has a security exploit. It is recommended that you remove this association from your machine.

The registry key HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command contains: C:\WINDOWS2\System32\mshta.exe "%1" %*
It should contain: "%1" %*

It also said:

C:\WINDOWS2\_default.pif was last modified Saturday, August 18, 2001.
It is strongly recommended that you check the Properties of this and all other pif files to find out which autoexec and config files your pif files use. Trojans can hide in custom autoexec and config files used by pif files.

Daniel-Man
07-01-2003, 07:00 AM
Also, in Zone Alarm Pro at the top where it says programs and has four tiny windows with icons in them, is it normal for two of them to be Generic Host Processes for Win32 services? And should I be worried if I have incoming connections which say Incoming (accept) then action taken "Blocked"???

Daniel-Man
07-01-2003, 07:02 AM
If all my ports are stealthed and I've tried many applications which detect no trojans on my system, then why am I still receiving medium and high level UDP and TCP (flag:S) incoming port probes from American, Japanese, and all other world addresses whose hostnames begin with ADSL or something? These definitely don't sound like legitimate probes to me, so how are they still constantly finding me and probing my ports???

Sylvander
07-01-2003, 07:54 AM
Most of that mystifies me.

In your circumstances I’d immediately re-format the C: drive and restore a clean backup.
If you have any nasty infections in your software that should make them history.
If I wanted to be really certain I’d write zeros to the drive, re-partition, re-format & restore a clean backup.

I use Windows 98 and my “mshta.exe” file is in the “C:\Windows\System” folder, not the “System32” sub-folder within a “Windows2” folder. [Do you have Windows, Windows1 & Windows2 folders?]
In my Registry:
1. HKEY_CLASSES_ROOT\htafile\Shell\Open\Command contains: C:\WINDOWS\System\mshta.exe "%1" %*
This is correct because it agrees with the location of the “mshta.exe” file on my PC.
It is FALSE to say “It should contain: "%1" %*” [only].
It should certainly include those and it does.

2. Since the key in 1 above is simply an extracted copy of:
HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command
which contains: C:\WINDOWS\System\mshta.exe "%1" %*
then both my copies are identical to each other, and so are yours identical to each other.
If I remember right, if you change one the other is automatically changed.
If you wanted to be certain you'd change 2.

I suppose you could undo little bits of the damage this thing has done but will you catch it all?
MUCH better to restore a backup to undo all of it.

mshta.exe is listed here http://www.answersthatwork.com/Tasklist_pages/tasklist_m.htm
It is an essential program and should be left alone.

mjc
07-01-2003, 01:38 PM
Actually your files look pretty much normal for XP.....

autoexec, config etc are DOS files and not needed by XP.

hiberfil is your hibernation file......so yes it is large.

AVG6DB_F.DAT 19.5 MB, AVG6DB_N.DAT 322 KB...are the AVG definitions


Those warnings do not indicate that you are infected, but are outlining possible security holes....the default pif date is just the date MS made it; the hta association is a known hole and probably a good idea to change it. As it is now it's the default MS-installed way...lax security.

Daniel-Man
07-01-2003, 10:17 PM
So I just go to those two registry entries and remove the hta bit and leave the %1% bits?? Why do I keep receiving huge counts of high and medium port probes then?

Budfred
07-01-2003, 11:02 PM
Port probes go on all the time for everyone, they are harmless as long as you keep blocking them with a good firewall. It is possible that you may get more than some because your system used to be open and has been infected. It is possible that your address is circulating among the idiots that do the attacks....

mjc
07-02-2003, 12:12 AM
Also if you have a static IP and have done any P2P in the past you are going to get slammed...

The best thing to do would be to release/renew your IP, that should cut down on the attempts....the next will be to turn off the alert feature in your firewall and just check the logs on a schedule (like every other day).

Sylvander
07-02-2003, 04:50 AM
Daniel-Man

You said:
“so I just go to those two registry entries and remove the hta bit and leave the %1% bits??”

NO!
Do not just “remove the hta bit and leave the %1% bits”.

1. The “HKEY_CLASSES_ROOT\htafile\Shell\Open\Command” key must have a value that is consistent with the actual location and name of your “mshta.exe” file, so you must go find that file and study its path or address. Only if the value is incorrect [because the file does not exist in the location specified by the value] should you then correct the value.

2. Do NOT change the value from within “Regedit.exe”. That’s the dangerous way to change it.
Go instead to “Windows Explorer>View>Folder Options>File Types>Registered File Types>HTML Application>Edit>Actions>[click “Open”]>Edit”.

3. If the value [this is simply displaying the value that’s in the registry] in the “Application Used to Perform Action” window is inconsistent with the actual address and name of the “mshta.exe” file then:

4. Click the “Browse” button to go to the correct location of the file and select it so that the correct value is now displayed in the [“Application Used to Perform Action”] window. This will have safely changed the value in the registry key to a correct value. It is correct if it points to the true address and name of the “mshta.exe” file as it exists on your PC.

a. When you right click on a file with an “.hta” extension, Explorer searches the registry and finds that there is only a key for an “Open” action and displays “Open” in the context menu.

b. When you click on the “Open” action it uses the file specified in the “htafile\Shell\Open\Command” [the one YOU have now specified should be used] to process the “.hta” file that has been chosen.

c. The “%1” bit tells Explorer to act upon the [".hta"] file at the address selected.

d. I think the inverted commas specify that long filenames [with spaces] are to be catered for.

e. I’m not sure what %* [percent asterisk] specifies.
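The consistency check Sylvander lays out in steps 1 to 4 (does the Command value name an mshta.exe that really exists at that path, and is the "%1" placeholder still there) can be written down as a small script. The Python below is an added example, not code from the thread or from any of the tools it mentions. The registry values and the list of "existing" paths are constructed samples, and the `exists` callback stands in for the on-disk lookup so the script runs anywhere offline; on a real Windows box you would pass `os.path.isfile` as `exists` and feed it the value returned by `read_live_htafile_command()`, which reads the key through the standard-library `winreg` module.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample Command values in the shape of the scanner output quoted
# in the thread; none of them was read from a real machine.
SAMPLE_VALUES = {
    "xp_poster": r'C:\WINDOWS2\System32\mshta.exe "%1" %*',
    "win98":     r'C:\WINDOWS\System\mshta.exe "%1" %*',
    "stripped":  r'"%1" %*',   # what the scanner claimed the value "should" be
    "moved":     r'C:\WINDOWS\System32\mshta.exe "%1" %*',
}

# Constructed stand-in for the disk: lower-cased paths that "exist" on the
# machine being checked. Use os.path.isfile instead on a real system.
SAMPLE_DISK = {
    r"c:\windows2\system32\mshta.exe",
    r"c:\windows\system\mshta.exe",
}


def sample_exists(path: str) -> bool:
    return path.lower() in SAMPLE_DISK


# First token is the handler: a double-quoted path (may contain spaces) or a
# run of non-whitespace; whatever follows is the argument template.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))(.*)$')


def parse_open_command(value: str) -> Tuple[Optional[str], str]:
    """Split a Shell\\Open\\Command value into (handler path, argument template)."""
    m = _EXE_RE.match(value)
    if not m:
        return None, value.strip()
    return (m.group(1) or m.group(2)), m.group(3).strip()


def check_htafile_command(value: str, exists: Callable[[str], bool],
                          expected_name: str = "mshta.exe") -> List[Tuple[str, str]]:
    """Apply the thread's rules to one Command value.

    Returns (code, message) findings; an empty list means the value names the
    expected handler, the handler file is present at that path, and the "%1"
    placeholder that hands the chosen .hta file to it is still there."""
    findings: List[Tuple[str, str]] = []
    exe, args = parse_open_command(value)
    if exe is None or not exe.lower().endswith(expected_name):
        findings.append(("not-handler",
                         f"first token {exe!r} is not {expected_name}; the "
                         "association no longer names a program to run"))
    elif not exists(exe):
        findings.append(("missing-file",
                         f"{exe} does not exist on this machine; browse to the "
                         "real location of the file and reselect it"))
    if "%1" not in args:
        findings.append(("missing-%1",
                         f"argument template {args!r} lacks %1, so the chosen "
                         ".hta file would never be passed to the handler"))
    return findings


def read_live_htafile_command() -> Optional[str]:
    """On Windows, read the live HKCR\\htafile\\Shell\\Open\\Command default
    value with the standard-library winreg module; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"htafile\Shell\Open\Command")


if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        result = check_htafile_command(value, sample_exists)
        print(name, "OK" if not result else result)
```

Running it shows why Sylvander objects to the scanner's advice: the poster's own value passes, while a value cut down to `"%1" %*` fails twice (no handler program, and the argument template that remains has no `%1`), and a value that points at a System32 folder the file is not actually in fails with `missing-file`, which is exactly the case his step 4 (Browse to the real file) repairs.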