.hta file ending in start menu: VIRUS??!

Posted on 2001-08-15
Medium Priority
Last Modified: 2013-12-28
Recently, and for no apparent reason as usual, I found that an error message would pop up upon reboot stating that a file with an .hta file ending couldn't be loaded?! It's in the Start Menu, and when I right-click it (after a FIND FILES search w/ *.hta) its properties say it's an HTML application and its full name is SB.hta

Could it be VIRUS related (embedded in an HTML page)??! I don't know, and it's bugging me...
TIA. RAD {:-()>
Question by:RAD

Author Comment

ID: 6389439
Oh, in addition, there were 2 more files with that ending: one on my C drive (main) named removeit.hta (yeah, ha ha) and one in my WINDOWS/SYSTEM folder named 971833EO.hta

It sounds wormy to me...
I'm off to Microsoft's page to look for worm solutions... HELP!

LVL 21

Accepted Solution

briancassin earned 200 total points
ID: 6389483
It is a virus.

JS.Seeker trojan (Also known as HTA.runme trojan)
This trojan is a malicious script embedded in HTML code which may be inadvertently run by an Internet user visiting the seedier side of the Internet. This trojan exploits a bug in Internet Explorer which allows it to store files on the user's machine. Removeit.hta is stored in the C:\ drive and runme.hta is stored in the Windows Startup directory.

When the machine is rebooted the runme.hta file will be executed; when run, this file changes the default URL for Internet Explorer to www.sureseeker.com.

The trojan possesses a basic stealth capability. When runme.hta is run it will modify registry entries so that the file will be deleted after it has been run. Removing this file is an attempt by seeker to hide the fact that the machine has been attacked/compromised.

CA's anti-virus software will detect the attempt to write the removeit.hta and runme.hta files to your computer. Other viruses and trojans exploit the same bug in Internet Explorer, so we recommend you download and install the following patch to Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
LVL 21

Expert Comment

ID: 6389538
See this link; it is how to remove it.


I posted the contents below for you

When JS.Seeker is executed, it makes changes to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page

The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg.

The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.

Removal instructions:

To remove JS.Seeker you need to:

Run a full system scan and delete any files that are detected as infected.
Delete the Homereg111.reg and Prefs.js files.
Restore original settings by merging Backup1.reg and Backup2.reg into the registry.

For instructions on how to do this, see the sections that follow.

To run a full system scan:
1. Make sure that Norton AntiVirus is set to scan all files.
2. Run a complete system scan.
3. Delete all files found to be infected with JS.Seeker.

To find and delete the Homereg111.reg and Prefs.js files:
1. Click Start, point to Find, and click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

homereg111.reg prefs.js

4. Click Find Now. Windows will find the files (if they exist) and display them in the lower pane of the Find dialog box.
5. Select each displayed file, press Delete, and click Yes to confirm.
6. Leave the Find: All Files window open, and go on to the next section.

To find and merge Backup1.reg and Backup2.reg into the registry:
1. Click New Search, and click OK to confirm.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

backup1.reg backup2.reg

4. When found, double-click each of these files to restore the registry settings.
5. Once the registry has been restored and the computer is working correctly, delete Backup1.reg and Backup2.reg.

Additional information:

There are other things that you can do to protect your system from this type of Trojan Horse.

Script Blocking

If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.

Install the Microsoft patch
This worm takes advantage of a known Microsoft Outlook/Outlook Express security hole. Microsoft has provided a patch for this security hole at http://www.microsoft.com/technet/security/bulletin/MS99-032.asp
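Before double-clicking Backup1.reg and Backup2.reg in the removal steps above, a cautious admin would inspect what the Trojan horse wrote into them. The following is an added example, not code from the thread or from Symantec: it parses the .reg export format and reports any of the listed browser start-page values that still point at the Trojan's domain. The sample .reg text and the value name ConstructedFlag are constructed.

```python
# Added example, not code from the thread: parse a .reg export (the Backup1.reg /
# Backup2.reg format above) and check the start-page values JS.Seeker rewrites.
import re

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
NS_MAIN = r"HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main"
SEEKER_VALUES = [(IE_MAIN, n) for n in ("Start Page", "Search Bar", "Default_Page_URL",
                 "Default_Search_URL")] + [(NS_MAIN, "Home Page")]  # listed in the thread
SEEKER_DOMAIN = "sureseeker.com"  # the site Runme.hta points IE at, per the thread

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data or @=data

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key path (lowercased): {value name: value}}; strings and dwords only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # header, comment, blank or hex continuation line
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
    return keys

def suspicious_values(keys):
    """(key, name, value) for listed values still pointing at the Trojan's domain."""
    return [(k, n, keys[k.lower()][n]) for k, n in SEEKER_VALUES
            if isinstance(keys.get(k.lower(), {}).get(n), str)
            and SEEKER_DOMAIN in keys[k.lower()][n].lower()]

# Constructed stand-in for Backup1.reg; one value is left pointing at the Trojan's
# site to show what the check catches (such a backup must not be merged as-is).
SAMPLE_BACKUP = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
"Search Bar"="http://www.sureseeker.com/search.html"
"ConstructedFlag"=dword:00000001
'''
```

Run `suspicious_values(parse_reg(open("Backup1.reg").read()))` against the real file; an empty list means the backup holds no trace of the Trojan's site and can be merged.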
LVL 21

Expert Comment

ID: 6389545
Here is a free virus detector, and it fixes it also, I believe.


Author Comment

ID: 6390988
Thank you for the great info, brian.
Only, the virus detector from http://www.fprot.org/ only produced 2 of the 3 .hta file endings. When it found the removeme.hta it only asked that I delete it. No suggestion for the numbered .hta file.
But all's well that ends well :-)
