.hta file ending in start menu: VIRUS??!

Posted on 2001-08-15
Last Modified: 2013-12-28
Recently, and for no apparent reason as usual, I found that an error message would pop up upon reboot stating that a file with an .hta file ending couldn't be loaded?! It's in the Start Menu, and when I right-click it (after a Find Files search with *.hta) its properties say it is an HTML application and its full name is SB.hta.

Could it be VIRUS related (embedded in an HTML page)??! I don't know and it's bugging me...
TIA. RAD {:-()>
Question by:RAD

Author Comment

ID: 6389439
Oh, in addition, there were 2 more files with that ending: one in my C drive (main) named removeit.hta (yeah ha ha) and one in my WINDOWS/SYSTEM folder named 971833EO.hta.

It sounds wormy to me...
I'm off to Microsoft's page to look for worm solutions... HELP!

LVL 21

Accepted Solution

briancassin earned 50 total points
ID: 6389483
It is a Virus

JS.Seeker trojan (Also known as HTA.runme trojan)
This trojan is a malicious script embedded in HTML code which may be inadvertently run by an Internet user visiting the seedier side of the Internet. This trojan exploits a bug in Internet Explorer which allows it to store files on the user's machine. Removeit.hta is stored in the C:\ drive and runme.hta is stored in the Windows Startup directory.

When the machine is rebooted the runme.hta file will be executed; when run, this file changes the default URL for Internet Explorer to

The trojan possesses a basic stealth capability. When runme.hta is run it will modify registry entries so that the file will be deleted after it has been run. Removing this file is an attempt by Seeker to hide the fact that the machine has been attacked/compromised.

CA's anti-virus software will detect the attempt to write the removeit.hta and runme.hta files to your computer. Other viruses and trojans exploit the same bug in Internet Explorer, so we recommend you download and install the following patch to Internet Explorer:
LVL 21

Expert Comment

ID: 6389538
See this link; it explains how to remove it.

I posted the contents below for you

When JS.Seeker is executed, it makes changes to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page

The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg .

The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.

Removal instructions:

To remove JS.Seeker you need to:

Run a full system scan and delete any files that are detected as infected.
Delete the Homereg111.reg and Prefs.js files.
Restore original settings by merging Backup1.reg and Backup2.reg into the registry.

For instructions on how to do this, see the sections that follow.

To run a full system scan:
1. Make sure that Norton AntiVirus is set to scan all files.
2. Run a complete system scan.
3. Delete all files found to be infected with JS.Seeker.

To find and delete the Homereg111.reg and Prefs.js files:
1. Click Start, point to Find, and click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

homereg111.reg prefs.js

4. Click Find Now. Windows will find the files (if they exist) and display them in the lower pane of the Find dialog box.
5. Select each displayed file, press Delete, and click Yes to confirm.
6. Leave the Find: All Files window open, and go on to the next section.

To find and merge Backup1.reg and Backup2.reg into the registry:
1. Click New Search, and click OK to confirm.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

backup1.reg backup2.reg

4. When found, double-click each of these files to restore the registry settings.
5. Once the registry has been restored and the computer is working correctly, delete Backup1.reg and Backup2.reg.

Additional information:

There are other things that you can do to protect your system from this type of Trojan Horse.

Script Blocking

If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.

Install the Microsoft patch
This worm takes advantage of a known Microsoft Outlook/Outlook Express security hole. Microsoft has provided a patch for this security hole at
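A triage script for the indicators in the two write-ups quoted above (the dropper file names, the Internet Explorer registry values, the Homereg111.reg/Prefs.js artifacts and the Backup1.reg/Backup2.reg restore step), added here as an example; it is not code from the thread, from CA or from Symantec. It assumes a current Windows host with PowerShell 5.1 or later, maps the Windows 9x paths in the posts to today's per-user and all-users Startup folders, and the function names and the -Remediate switch are this example's own. Without -Remediate it only reports:

```powershell
# Added example: JS.Seeker indicator check and clean-up in PowerShell.
# Not code from the thread or from any vendor. Assumptions: a modern Windows
# profile layout instead of the Windows 9x paths in the posts; the function
# names and the -Remediate switch are this example's own inventions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate   # report only unless this switch is given
)

$win = $env:SystemRoot

# Startup folders: any .hta here is run by mshta.exe at logon with full trust,
# which is why a start-menu .hta is worth a look even without a detection.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# File names from the thread: sb.hta is the asker's file, the rest are from the write-ups.
$dropperNames  = @('runme.hta', 'removeit.hta', 'sb.hta')
$artifactFiles = @('Homereg111.reg', 'Prefs.js') | ForEach-Object { Join-Path $win $_ }
$backupFiles   = @('Backup1.reg', 'Backup2.reg')  | ForEach-Object { Join-Path $win $_ }
# Internet Explorer values the Trojan rewrites (the Netscape key is omitted).
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieValues = @('Start Page', 'Search Bar', 'Default_Page_URL', 'Default_Search_URL')

function Find-HtaInStartup {
    foreach ($dir in $startupDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter '*.hta' -File -Force
        }
    }
}

function Find-SeekerDroppers {
    # Look where the write-ups say the files are dropped, plus System32 for the numbered .hta.
    $roots = @("$env:SystemDrive\", $win, (Join-Path $win 'System'), (Join-Path $win 'System32'))
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $dropperNames -contains $_.Name.ToLower() -or $_.Extension -eq '.hta' }
        }
    }
}

function Get-IeStartSettings {
    # Show the current data so the analyst can compare it with what the backups restore.
    if (Test-Path -LiteralPath $ieMain) {
        $props = Get-ItemProperty -LiteralPath $ieMain
        foreach ($name in $ieValues) {
            [pscustomobject]@{ Value = $name; Data = $props.$name }
        }
    }
}

Write-Host '== .hta files in Startup folders =='
Find-HtaInStartup | Format-Table FullName, LastWriteTime -AutoSize
Write-Host '== Known dropper names and stray .hta files =='
Find-SeekerDroppers | Format-Table FullName, LastWriteTime -AutoSize
Write-Host '== Internet Explorer start and search values =='
Get-IeStartSettings | Format-Table -AutoSize
Write-Host '== Trojan artifacts and its registry backups =='
foreach ($f in ($artifactFiles + $backupFiles)) {
    '{0,-45} present: {1}' -f $f, (Test-Path -LiteralPath $f)
}

if ($Remediate) {
    # Write-up step 2: delete the .reg and .js the Trojan wrote.
    foreach ($f in $artifactFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
    # Write-up step 3: merge the backups. reg.exe import is the command-line
    # equivalent of double-clicking a .reg file.
    foreach ($f in $backupFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'reg.exe import')) {
            & reg.exe import $f
        }
    }
}
```

Run it plain first and read the report; then `.\seeker-triage.ps1 -Remediate -WhatIf` shows what would be deleted and imported without doing it. Backup1.reg and Backup2.reg were written by the Trojan itself, so open them in a text editor and confirm they contain only the five keys listed in the write-up before letting the script import them.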
LVL 21

Expert Comment

ID: 6389545
Here is a free virus detector, and it fixes it also, I believe.

Author Comment

ID: 6390988
Thank you for the great info, Brian.
The virus detector from only produced 2 of the 3 .hta files. When it found removeme.hta it only asked that I delete it. No suggestion for the numbered .hta file.
but alls well that ends well :-)
