Latest HTAStop? Old one on your site.

thx guys i was able to get it this time yeah

kinda got excited like a little kid geting that big red shiney metal fire truck on christmass morning lol

 

I'm running Script Sentry do I need to use HTAStop?

 

Do not use XP myself, but have seen a couple of reports that say if you use the classic mode, then Users in the control panel doesn't work, when HTASTOP2003 is toggled on.

Perhaps the best answer is to try for yourself, but as others have said, a simple toggle on-off makes it pretty much a non-issue.

 

Thanks LWM. I'll look into HTAStop a little bit more. Maybe I'll look into a program like WormGuard or something like that.

 

Well, I finally managed to get HTAStop2003 from Simtel (thanks to Brummelchen on MTM's site), but I had to go this route:
ftp://gatekeeper.dec.com/pub/micro/pc/simtelnet/win95/security/HTAstop.exe .

Now, however, there's been a question raised as to whether or not the program actually works - supposedly, if you're running XP (or maybe even WinMe), the mshta.exe simply gets re-created as it was at the next re-start - whether you've "fixed" it with HTAStop2003 or not.

The info for the program does say (on this page http://www.nsclean.com/htastop.html ) that it's for "Windows95, 98, NT, 2000 or Windows ME" (I'm really kind of surprised W2K doesn't replace "critical" system files like XP does, if that's the case).


Anyone got any input on this? Pete

 

Um, Windows File Protection works on digital sigs not just file names, and will therefore replace notepad-renamed-as-mshta. So it appears HTAstop Build 3 is broken too.

 

You are correct about this. Rename any file in a temp directory to "mshta.exe", then copy that file over system32\mshta.exe... You will either have it restored quietly, or be prompted to insert your WinXP CD.

The solution, if you wanted to do it manually, would be to make sure the WinXP CD wasn't inserted, then overwrite the system32\mshta.exe and system32\dllcache\mshta.exe files at the same time. My own way to do this would be to extract a ZIP file that contains two copies of the file I want to replace mshta.exe with (full paths in the ZIP file would be required). And of course when prompted, cancel and confirm the WFP request to restore the originals.

If you ever run System File Checker (SFC) with the /scannow parameter, the original mshta.exe files will be restored (that's the whole intent of SFC--to verify valid system files). This is why I would create a ZIP file, with full paths stored, containing both bogus mshta.exe files. If I ever need to run "sfc /scannow", I let it replace the originals, then I pull the WinXP CD and extract the ZIP file and respond to the prompts. I've been doing that for eons with notepad.exe (so I can easily use a Notepad replacement).

You can actually replace the mshta.exe files automatically, as needed (such as after running "sfc /scannow", or if you're just paranoid). Use the WinZip command-line support add-on. The command line you would use is as follows:

"C:\Program Files\WinZip\WZUNZIP.EXE" -d -o -yo "[path to ZIP file]" C:\

For example:

"C:\Program Files\WinZip\WZUNZIP.EXE" -d -o -yo "D:\Data\Replace MSHTA.EXE.zip" C:\

* The "-d" command-line option tells WZUNZIP.EXE to use the stored folders in the ZIP file being extracted.
* The "-o" command-line option tells WZUNZIP.EXE causes the target files to be overwritten without a prompt.
* The "-yo" command-line option tells WZUNZIP.EXE to overwrite the target files, even if they are hidden, system, or read-only files.

A few points (sorry for the gory detail; I want to speak to novice users as well as the experts around here):

1) Make sure the ZIP file being used has paths stored, and that it has nothing but the two mshta.exe files you want to overwrite. For example, this is what is inside my ZIP file (file/path):

mshta.exe WINDOWS\system32\
mshta.exe WINDOWS\system32\dllcache\

Note that the two "mshta.exe" files represented above are bogus... They're actually renamed copies of Notepad.exe. I mention this because it's rather critical not to accidentally use the real mshta.exe files! (Kind of defeats the whole purpose.)

So, when I extract to C:\ using the command line shown above, the actual files that get replaced are:

C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\dllcache\mshta.exe

2) Do this when the WinXP CD is not inserted, or WFP will silently undo your replacement.

3) Be sure to extract this ZIP file after running "sfc /scannow".

4) After running the command line which extracts the ZIP file and overwrites the mshta.exe files, WFP will prompt you to insert your WinXP CD to undo the file replacement. Click "Cancel", then click "Yes" to confirm.

5) Of course, make sure you use the correct path to WZUNZIP.EXE, not to mention your ZIP file.

Edit: Please read the caveat I added in my new post below before performing the procedure above. (I added it as a new post so that it would catch the attention of anyone who subscribed to this thread, who might have already performed the procedure.)

 

Thanks LWM, Milly and nameless! Great info! Pete

 

same config here - no trouble

Ruben

 

I fear you are mistaken (though I can't explain why you're seeing what you're seeing). I doubt that any version of HTAstop touches the DLLCache at all (and I've certainly not seen or heard of a build which does, though without documentation anything is possible).

Could. But aren't, I don't think :-

https://grc.com/x/news.exe?cmd=article&group=grc.news.latestversions&item=2370

You might wish to bear in mind that this whole "serious new attack method" has been debunked as a mistake ...

https://grc.com/x/news.exe?cmd=article&group=grc.security.software&item=88849

... and that there is no new mshta exploit. That this ...

https://grc.com/x/news.exe?cmd=article&group=grc.security.software&item=88452

... just isn't true.

I understand that people may wish to kill mshta nevertheless, of course, and this thread now contains methods for manually doing so (including that neat winzip trick), so some good has come of it. But XP|ME + HTAstop isn't an ideal recipe.

- Added URL tags to fix all the GRC links - LWM

 

Milly - Thank you for joining the discussion here! And, welcome to Wilders. (Read a lot of your stuff over on GRC). Pete

 

A sidenote (more a "warning") to anyone considering following my instructions above... I have noticed that the User Accounts Control Panel applet no longer works with Notepad as a replacement for mshta.exe (the exact error is "C:\Temp\res:\C:\WINDOWS\system32\nusrmgr.cpl\nusrmgr.hta contains an invalid path.", where "C:\Temp" is a path that will vary by system). I was surprised by this, and I don't know what else might be affected by altering mshta.exe.

I'm close to deciding that this whole "replace mshta.exe" thing is too elaborate and inconvenient for my taste. Having things broken, and having to remember extra stuff are security trade-offs that I tend to be very loathe to make. I have so many other layers of protection that I'm not too worried about anything going wrong anyway. YMMV.

 

You are right about the control panel. However you simplly need to deactivate HTA when you need to access it and then reactivate hta afterwards

 

Sure, but the point is that's a hassle, and it's just not worth it to me from this vantage point. I don't even really use that Control Panel applet--I just happened to be poking around when I discovered the issue--but I don't like having 5,000 little "gotchas" on my system like that.