scanning the system volume

tds3 found an HTA file in what it calls a suspicious spot, the system volume.

it found something like this a long time ago.. i foolishly said delete without thinking, and it seemed i could no longer do a restore. dont' know if those two are connected... but probably.

anyway, how can i figure out if this HTA is just tds3 being extra careful and thus a bit silly, or if it's something serious?

 

Hi Pin,
It's a shame you destroyed the evidence so to speak - Can you remember anything else that might help us to help you?

 

hey no problem!

the time i couldn't restore: i ended up doing a clean reinstall.

now i guess it's back: but this time around i didn't delete anything, so i can just do a rescan and type the info in here.

however, if there was a log file it would be easier. i mean, i found a tds3 logfile, but it listed everything it was doing, not what was found apparently. just a moment as i do another scan!

 

here we go:

 

Hi,

The .HTA is a HTML application extension.

.HTA runs like an executable .exe written in C++ or Visual Basic.

Used in Win32 applications running IE.

Regards

 

In the alerts window, rightclick the finds and "save to text" so the alerts will be saved to Scandump.txt with the alert and full pathnames to the file.
Mind: you might like to save a few alerts away before it will be overwritten with the next saved scandump.

 

i foudn the exact file.. here's the contents of it:

<HTML>
<HEAD>
<TITLE>MSN.COM Privacy Statement</TITLE>

<HTA:APPLICATION
ID="oHTA"
>

</HEAD>

<script>

function window.onload()
{
   var cmdLineArray;
   var url;
   cmdLineArray = oHTA.commandLine.split(" ");
   url = "http://watson.microsoft.com/dw/dcp.asp?CLCID=" + cmdLineArray[2].toString();

   document.frames[0].location.href = url;
}


</script>


<FRAMESET>
<FRAME SRC="">
</FRAMESET>
</HTML>

i guess tds3 was just being extra careful.. this doesn't seem like anything nasty.

 

thx for the help grey_ghost and Jooske =).

 

If you want System Restore to stop upsetting TDS-3, you can either exclude it from scanning or (In XP anyway) create a new restore point and then use Disk Cleanup to remove all but the most recent restore points.