.hta file ending in start menu: VIRUS??!

Recently and for no apparent reason, as usual, I found that an error message would pop-up upon reboot stating that a file with a an .hta file ending couldn't be loaded?!Its in start menu and when I right click it (after a FIND FILES search w/ *.hta) its properties says its an HTML application and its full name is SB.hta

Could it be VIRUS related (embeded in an HTML page??! I don't know   and its bugging me...
TIA. RAD {:-()>
LVL 1
RADWeb DeveloperAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RADWeb DeveloperAuthor Commented:
Oh in addition, there were 2 more files with that ending, one in my C drive (main) named removeit.hta (yeah ha ha) and one in my WINDOWS/SYSTEM folder named 971833EO.hta

It sounds wormy to me...
I'm off to microsofts page to look for worm solutions... HELP!

RAD
0
Member_2_49692Commented:
It is a Virus

JS.Seeker trojan (Also known as HTA.runme trojan)
This trojan is a malicious script embedded in HTML code which may be inadvertently run by an Internet user visiting the seedier side of the Internet. This trojan exploits a bug in Internet Explorer which allows it to store files on the users machine. Removeit.hta is stored in C:\ drive and runme.hta is stored in the Windows Startup directory.

When the machine is rebooted the runme.hta file will be executed, when run this file changes the default URL for the Internet Explorer to be changed to www.sureseeker.com.

The trojan possesses a basic stealth capability. When runme.hta is run it will modify registry entries so that the file will be deleted after it has been run. Removing this file is an attempt by seeker to hide the fact that the machine has been attacked/compromised.

CA's anti-virus software will detect the attempt to write the removeit.hta and runme.hta files to you computer. Other viruses and trojans exploit the same bug in Internet Explorer, so we recommend you download and install the following patch to Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp 
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Member_2_49692Commented:
see this link it is how to remove it

http://www.symantec.com/avcenter/venc/data/js.seeker.html

I posted the contents below for you


When JS.Seeker is executed, it makes changes to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page

The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg .

The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.



Removal instructions:

To remove JS.Seeker you need to:

Run a full system scan and delete any files that are detected as infected.
Delete the Homereg111.reg and Prefs.js files.
Restore original settings by merging Backup1.reg and Backup2.reg into the registry.

For instructions on how to do this, see the sections that follow.

To run a full system scan:
1. Make sure that Norton AntiVirus is set to scan all files.
2. Run a complete system scan.
3. Delete all files found to be infected with JS.Seeker.

To find and delete the Homereg111.reg and Prefs.js files:
1. Click Start, point to Find, and click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

homereg111.reg prefs.js

4. Click Find Now. Windows will find the files (if they exist) and display them in the lower pane of the Find dialog box.
5. Select each displayed file, press Delete, and click Yes to confirm.
6. Leave the Find: All Files window open, and go on to the next section.

To find and merge Backup1.reg and Backup2.reg into the registry:
1. Click New Search, and click OK to confirm.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

backup1.reg backup2.reg

4. When found, double-click each of these files to restore the registry settings.
5. Once the registry has been restored and the computer is working correctly, delete Backup1.reg and Backup2.reg.



Additional information:

There are other things that you can do to protect your system from this type of Trojan Horse.

Script Blocking

If you are using Norton AntiVirus 2001, a free program update is that includes Script Blocking is available.Please run LiveUpdate to obtain this.
For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.


Install the Microsoft patch
This worm takes advantage of a known Microsoft Outlook/Outlook Express security hole. Microsoft has provided a patch for this security hole at http://www.microsoft.com/technet/security/bulletin/MS99-032.asp
0
Member_2_49692Commented:
Here is a free virus detector and it fixes it also I believe

http://www.fprot.org/
0
RADWeb DeveloperAuthor Commented:
Thank you for the gret info brian..
Only the virus detector from http://www.fprot.org/ only produced 2 of the 3 .hta file endings. When it found the removeme.hta it only asked that I delete it. No suggestion for the numbered .hta file.
but alls well that ends well :-)
RAD
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.