scanning the system volume

Discussion in 'Trojan Defence Suite' started by pin, Nov 4, 2002.

Thread Status:
Not open for further replies.
  1. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    TDS-3 found an HTA file in what it calls a suspicious spot, the system volume.

    It found something like this a long time ago. I foolishly said delete without thinking, and it seemed I could no longer do a restore. Don't know if those two are connected, but probably.

    Anyway, how can I figure out if this HTA is just TDS-3 being extra careful and thus a bit silly, or if it's something serious?
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Pin,
    It's a shame you destroyed the evidence, so to speak. Can you remember anything else that might help us to help you?
     
  3. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    Hey, no problem!

    The time I couldn't restore, I ended up doing a clean reinstall.

    Now I guess it's back, but this time around I didn't delete anything, so I can just do a rescan and type the info in here.

    However, if there was a log file it would be easier. I mean, I found a TDS-3 log file, but it listed everything it was doing, not what was found, apparently. Just a moment while I do another scan!
     
  4. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    here we go:
     

  5. grey_ghost

    grey_ghost Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    60
    Hi,

    .HTA is the HTML Application extension.

    An .HTA runs like an executable .exe written in C++ or Visual Basic.

    Used in Win32 applications running IE.

    Regards
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the alerts window, right-click the finds and choose "save to text" so the alerts will be saved to Scandump.txt with the alert and full pathnames to the file.
    Mind: you might like to save a few alerts away before the file is overwritten by the next saved scandump.
     
  7. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    I found the exact file. Here are its contents:

    <HTML>
    <HEAD>
    <TITLE>MSN.COM Privacy Statement</TITLE>

    <HTA:APPLICATION
    ID="oHTA"
    >

    </HEAD>

    <script>

    function window.onload()
    {
       var cmdLineArray;
       var url;
       cmdLineArray = oHTA.commandLine.split(" ");
       url = "http://watson.microsoft.com/dw/dcp.asp?CLCID=" + cmdLineArray[2].toString();

       document.frames[0].location.href = url;
    }


    </script>


    <FRAMESET>
    <FRAME SRC="">
    </FRAMESET>
    </HTML>

    I guess TDS-3 was just being extra careful. This doesn't seem like anything nasty.
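The question in the opening post (is this HTA TDS-3 being over-cautious, or something serious?) is answered by looking at what the script inside the file can actually do. The following Python triage is an added example, not part of the thread and not TDS-3's own logic. It embeds a copy of the HTA posted above, plus a second, constructed, hypothetical dropper-style HTA so the indicators have something to fire on, and reports for each: the HTA:APPLICATION attributes (hidden-window settings are a red flag), every URL, and whether the script uses the primitives an HTA needs before it can run programs or touch the disk (ActiveX/COM object creation, WScript.Shell, FileSystemObject, eval/unescape). The pattern list, function names and the mshta command line used in the emulation are my assumptions; the CLCID-building logic mirrors the posted file's window.onload.

```python
import re

# Sample 1: a copy of the HTA posted in the thread (constructed here as a
# string so the triage runs offline).
DCP_HTA = r"""<HTML>
<HEAD>
<TITLE>MSN.COM Privacy Statement</TITLE>
<HTA:APPLICATION
ID="oHTA"
>
</HEAD>
<script>
function window.onload()
{
   var cmdLineArray;
   var url;
   cmdLineArray = oHTA.commandLine.split(" ");
   url = "http://watson.microsoft.com/dw/dcp.asp?CLCID=" + cmdLineArray[2].toString();
   document.frames[0].location.href = url;
}
</script>
<FRAMESET>
<FRAME SRC="">
</FRAMESET>
</HTML>"""

# Sample 2: constructed, hypothetical dropper-style HTA (not a real sample),
# included only to show what a positive result looks like.
DROPPER_HTA = r"""<html><head>
<HTA:APPLICATION ID="x" WINDOWSTATE="minimize" SHOWINTASKBAR="no" CAPTION="no">
</head><script language="VBScript">
Set sh = CreateObject("WScript.Shell")
sh.Run "cmd /c echo constructed-example", 0, False
</script></html>"""

# Script primitives an HTA needs before it can do more than render HTML
# (assumed indicator list; extend it for your own environment).
RISKY_PATTERNS = {
    "com_object_creation": r"\bActiveXObject\b|\bCreateObject\b",
    "shell_execution": r"WScript\.Shell|Shell\.Application|\.Run\b|\.Exec\b",
    "filesystem_or_download": r"Scripting\.FileSystemObject|ADODB\.Stream|XMLHTTP",
    "dynamic_code": r"\beval\s*\(|\bexecScript\b|\bunescape\s*\(|fromCharCode",
}

# HTA:APPLICATION attribute values commonly used to keep the window out of sight.
HIDDEN_WINDOW_ATTRS = {"windowstate": "minimize", "showintaskbar": "no",
                       "caption": "no", "sysmenu": "no"}


def hta_application_attrs(hta):
    """Return the <HTA:APPLICATION> tag's attributes as a dict (keys lower-cased)."""
    m = re.search(r"<HTA:APPLICATION\b(.*?)>", hta, re.I | re.S)
    if not m:
        return {}
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s>]+))', m.group(1))
    return {k.lower(): (v1 or v2) for k, v1, v2 in pairs}


def script_blocks(hta):
    """Return the bodies of all <script> elements, whatever their language."""
    return re.findall(r"<script\b[^>]*>(.*?)</script>", hta, re.I | re.S)


def triage_hta(hta):
    """Static triage: what the file reaches and which primitives its script uses."""
    attrs = hta_application_attrs(hta)
    scripts = "\n".join(script_blocks(hta))
    hits = {name for name, pat in RISKY_PATTERNS.items() if re.search(pat, scripts, re.I)}
    hidden = {k for k, v in HIDDEN_WINDOW_ATTRS.items() if attrs.get(k, "").lower() == v}
    title = re.search(r"<title>(.*?)</title>", hta, re.I | re.S)
    return {
        "title": title.group(1).strip() if title else None,
        "hta_attributes": attrs,
        "urls": re.findall(r"""https?://[^\s"'<>]+""", hta),
        "risky_calls": sorted(hits),
        "hidden_window_attrs": sorted(hidden),
        "needs_manual_review": bool(hits or hidden),
    }


def emulate_dcp_onload(command_line):
    """Emulate the posted file's window.onload: mshta exposes its own command
    line as oHTA.commandLine, and the third space-separated token becomes the
    CLCID query parameter. Returns the URL the frame would be pointed at, or
    None when the argument is missing (the real script would throw on
    cmdLineArray[2].toString())."""
    parts = command_line.split(" ")
    if len(parts) < 3:
        return None
    return "http://watson.microsoft.com/dw/dcp.asp?CLCID=" + parts[2]


if __name__ == "__main__":
    for label, sample in (("HTA from the thread", DCP_HTA), ("constructed dropper", DROPPER_HTA)):
        print(label, triage_hta(sample))
    # Hypothetical command line; the path is a placeholder, not the file's real location.
    print(emulate_dcp_onload("mshta.exe C:\\example\\privacy.hta 1033"))
```

For the posted file the triage reports a single URL (watson.microsoft.com), no hidden-window attributes and no execution or filesystem primitives: all the script can do is point an empty frame at a Microsoft page, which is consistent with the conclusion in the post. The constructed dropper, by contrast, trips both the hidden-window and the shell-execution indicators. A clean static result is not proof of innocence (obfuscation can hide the strings the patterns look for), so a file that fails this check, or that shows nothing but has an unusual origin, still deserves a look at its path and timestamps.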
     
  8. pin

    pin Registered Member

    Joined:
    Nov 4, 2002
    Posts:
    116
    Thanks for the help, grey_ghost and Jooske =).
     
  9. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    If you want System Restore to stop upsetting TDS-3, you can either exclude it from scanning or (in XP, anyway) create a new restore point and then use Disk Cleanup to remove all but the most recent restore point.
     