.hta file ending in start menu: VIRUS??!

Posted on 2001-08-15
Medium Priority
Last Modified: 2013-12-28
Recently, and for no apparent reason, as usual, I found that an error message would pop up upon reboot stating that a file with an .hta file ending couldn't be loaded?! It's in the Start Menu, and when I right-click it (after a FIND FILES search w/ *.hta) its properties say it's an HTML application and its full name is SB.hta.

Could it be VIRUS related (embedded in an HTML page)??! I don't know, and it's bugging me...
TIA. RAD {:-()>
Question by: RAD
Author Comment

ID: 6389439
Oh, in addition, there were 2 more files with that ending: one in my C drive (main) named removeit.hta (yeah, ha ha) and one in my WINDOWS/SYSTEM folder named 971833EO.hta.

It sounds wormy to me...
I'm off to Microsoft's page to look for worm solutions... HELP!

LVL 21

Accepted Solution

briancassin earned 200 total points
ID: 6389483
It is a virus.

JS.Seeker trojan (also known as HTA.runme trojan)
This trojan is a malicious script embedded in HTML code which may be inadvertently run by an Internet user visiting the seedier side of the Internet. This trojan exploits a bug in Internet Explorer which allows it to store files on the user's machine. Removeit.hta is stored in the C:\ drive and runme.hta is stored in the Windows Startup directory.

When the machine is rebooted, the runme.hta file will be executed; when run, this file changes the default URL for Internet Explorer to www.sureseeker.com.

The trojan possesses a basic stealth capability. When runme.hta is run, it will modify registry entries so that the file will be deleted after it has been run. Removing this file is an attempt by Seeker to hide the fact that the machine has been attacked/compromised.

CA's anti-virus software will detect the attempt to write the removeit.hta and runme.hta files to your computer. Other viruses and trojans exploit the same bug in Internet Explorer, so we recommend you download and install the following patch to Internet Explorer: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
LVL 21

Expert Comment

ID: 6389538
See this link; it is how to remove it:


I posted the contents below for you

When JS.Seeker is executed, it makes changes to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page

The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg.

The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.

Removal instructions:

To remove JS.Seeker you need to:

Run a full system scan and delete any files that are detected as infected.
Delete the Homereg111.reg and Prefs.js files.
Restore original settings by merging Backup1.reg and Backup2.reg into the registry.

For instructions on how to do this, see the sections that follow.

To run a full system scan:
1. Make sure that Norton AntiVirus is set to scan all files.
2. Run a complete system scan.
3. Delete all files found to be infected with JS.Seeker.

To find and delete the Homereg111.reg and Prefs.js files:
1. Click Start, point to Find, and click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

homereg111.reg prefs.js

4. Click Find Now. Windows will find the files (if they exist) and display them in the lower pane of the Find dialog box.
5. Select each displayed file, press Delete, and click Yes to confirm.
6. Leave the Find: All Files window open, and go on to the next section.

To find and merge Backup1.reg and Backup2.reg into the registry:
1. Click New Search, and click OK to confirm.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following file names:

backup1.reg backup2.reg

4. When found, double-click each of these files to restore the registry settings.
5. Once the registry has been restored and the computer is working correctly, delete Backup1.reg and Backup2.reg.

Additional information:

There are other things that you can do to protect your system from this type of Trojan Horse.

Script Blocking

If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available. Please run LiveUpdate to obtain this.
For other versions of Norton AntiVirus, SARC offers a tool to disable the Windows Scripting Host.

Install the Microsoft patch
This worm takes advantage of a known Microsoft Outlook/Outlook Express security hole. Microsoft has provided a patch for this security hole at http://www.microsoft.com/technet/security/bulletin/MS99-032.asp
LVL 21

Expert Comment

ID: 6389545
Here is a free virus detector, and it fixes it also, I believe:


Author Comment

ID: 6390988
Thank you for the great info, Brian.
Only the virus detector from http://www.fprot.org/ produced 2 of the 3 .hta file endings. When it found the removeme.hta it only asked that I delete it. No suggestion for the numbered .hta file.
But all's well that ends well :-)
