Solved

.hta file ending in start menu: VIRUS??!

Posted on 2001-08-15
Last Modified: 2013-12-28
Recently and for no apparent reason, as usual, I found that an error message would pop up upon reboot stating that a file with an .hta file ending couldn't be loaded?! It's in the Start Menu, and when I right-click it (after a FIND FILES search w/ *.hta) its properties say it's an HTML application and its full name is SB.hta.

Could it be VIRUS related (embedded in an HTML page??)! I don't know and it's bugging me...
TIA. RAD {:-()>
Question by: RAD

5 Comments
LVL 1

Author Comment

by:RAD
ID: 6389439
Oh in addition, there were 2 more files with that ending, one in my C drive (main) named removeit.hta (yeah ha ha) and one in my WINDOWS/SYSTEM folder named 971833EO.hta

It sounds wormy to me...
I'm off to Microsoft's page to look for worm solutions... HELP!

RAD
LVL 21

Accepted Solution

by: briancassin (earned 50 total points)
ID: 6389483
It is a Virus

JS.Seeker trojan (Also known as HTA.runme trojan)
This trojan is a malicious script embedded in HTML code which may be inadvertently run by an Internet user visiting the seedier side of the Internet. This trojan exploits a bug in Internet Explorer which allows it to store files on the user's machine. Removeit.hta is stored in the C:\ drive and runme.hta is stored in the Windows Startup directory.

When the machine is rebooted the runme.hta file will be executed; when run, this file changes the default URL for Internet Explorer to www.sureseeker.com.

The trojan possesses a basic stealth capability. When runme.hta is run it will modify registry entries so that the file will be deleted after it has been run. Removing this file is an attempt by seeker to hide the fact that the machine has been attacked/compromised.

CA's anti-virus software will detect the attempt to write the removeit.hta and runme.hta files to your computer. Other viruses and trojans exploit the same bug in Internet Explorer, so we recommend you download and install the following patch to Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
LVL 21

Expert Comment

by:briancassin
ID: 6389538
See this link; it explains how to remove it:

http://www.symantec.com/avcenter/venc/data/js.seeker.html

I posted the contents below for you:

When JS.Seeker is executed, it makes changes to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page

The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg.

The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.
Removal instructions:

To remove JS.Seeker you need to:

Run a full system scan and delete any files that are detected as infected.
Delete the Homereg111.reg and Prefs.js files.
Restore original settings by merging Backup1.reg and Backup2.reg into the registry.

For instructions on how to do this, see the sections that follow.

To run a full system scan:
1. Make sure that Norton AntiVirus is set to scan all files.
2. Run a complete system scan.
3. Delete all files found to be infected with JS.Seeker.

To find and delete the Homereg111.reg and Prefs.js files:
1. Click Start, point to Find, and click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

homereg111.reg prefs.js

4. Click Find Now. Windows will find the files (if they exist) and display them in the lower pane of the Find dialog box.
5. Select each displayed file, press Delete, and click Yes to confirm.
6. Leave the Find: All Files window open, and go on to the next section.

To find and merge Backup1.reg and Backup2.reg into the registry:
1. Click New Search, and click OK to confirm.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

backup1.reg backup2.reg

4. When found, double-click each of these files to restore the registry settings.
5. Once the registry has been restored and the computer is working correctly, delete Backup1.reg and Backup2.reg.
Additional information:

There are other things that you can do to protect your system from this type of Trojan Horse.

Script Blocking

If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.


Install the Microsoft patch
This worm takes advantage of a known Microsoft Outlook/Outlook Express security hole. Microsoft has provided a patch for this security hole at http://www.microsoft.com/technet/security/bulletin/MS99-032.asp
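As an added, read-only audit (not from this thread, from Symantec or from CA), the script below checks the registry values and the dropped-file paths named in the writeup above on a Windows machine. It assumes %SystemRoot% is the \Windows folder, the per-user Startup folder is the one the trojan writes to, and the hijack domain is the www.sureseeker.com named in the accepted answer; it changes nothing and only reports what it finds.

```powershell
# Added example (not the thread's or Symantec's own code): report JS.Seeker
# artifacts without modifying anything. Run in an elevated PowerShell.
$ErrorActionPreference = 'SilentlyContinue'

# Registry values the writeup says the trojan rewrites
$ieMain        = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieValues      = 'Start Page', 'Search Bar', 'Default_Page_URL', 'Default_Search_URL'
$netscapeMain  = 'HKCU:\Software\Netscape\Netscape Navigator\Main'
$hijackPattern = 'sureseeker'   # domain named in the accepted answer (assumption: still the indicator)

Write-Host "== Browser start/search settings =="
foreach ($name in $ieValues) {
    $value = (Get-ItemProperty -Path $ieMain -Name $name).$name
    $flag  = if ($value -match $hijackPattern) { '   <-- matches hijack domain' } else { '' }
    Write-Host ("{0,-20} {1}{2}" -f $name, $value, $flag)
}
$nsHome = (Get-ItemProperty -Path $netscapeMain -Name 'Home Page').'Home Page'
if ($nsHome) { Write-Host ("{0,-20} {1}" -f 'Netscape Home Page', $nsHome) }

# Files the writeup says are dropped; paths resolved from the environment (assumption)
$winDir  = $env:SystemRoot
$startup = [Environment]::GetFolderPath('Startup')
$dropped = @(
    'C:\Removeit.hta',
    (Join-Path $startup 'Runme.hta'),
    (Join-Path $winDir  'Homereg111.reg'),
    (Join-Path $winDir  'Prefs.js'),
    (Join-Path $winDir  'Backup1.reg'),   # backups of the original values, needed for restore
    (Join-Path $winDir  'Backup2.reg')
)
Write-Host "`n== Dropped files named in the writeup =="
foreach ($path in $dropped) {
    $state = if (Test-Path -LiteralPath $path) { 'PRESENT' } else { 'absent' }
    Write-Host ("{0,-8} {1}" -f $state, $path)
}

# RAD's SB.hta was not in the writeup, so list every .hta in either Startup folder
Write-Host "`n== .hta files in Startup folders =="
$startupDirs = $startup, [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startupDirs -Filter *.hta -File | ForEach-Object { Write-Host $_.FullName }
```

Anything reported as PRESENT or flagged is a candidate for the removal steps in the writeup; merge Backup1.reg and Backup2.reg only after confirming they contain your own pre-infection values.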
LVL 21

Expert Comment

by:briancassin
ID: 6389545
Here is a free virus detector and it fixes it also I believe

http://www.fprot.org/
LVL 1

Author Comment

by:RAD
ID: 6390988
Thank you for the great info brian..
Only the virus detector from http://www.fprot.org/ only produced 2 of the 3 .hta file endings. When it found the removeme.hta it only asked that I delete it. No suggestion for the numbered .hta file.
But all's well that ends well :-)
RAD