.hta Alarm - Should I delete?

Discussion in 'Trojan Defence Suite' started by richrf, Dec 11, 2003.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am evaluating TDS-3 and I received an alarm for a suspicious file named:

    a0000566.hta in the system volume information/_restore folder. Should I be concerned and should I delete this file? Thanks for any info that you can provide.

    Rich
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello richrf and welcome!
    You might like to disable system restore a moment, reboot, enable system restore and make another new system restore point; with the first action all former system restore points are deleted, with the next you have a new clean point to start with so eventual infections or suspiciousities from former occasions can't come back in the running system anymore!
    Happy evaluating!
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Thanks for the reply. From your reply it looks like there should not be a .hta file in the system volume/_restore folder. Is this right? Also, can you tell me how do I turn off the system restore feature and then turn it on again? Thank you for all of your help.

    Rich
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi richrf,

    Well that's not exactly right. The System Restore area can end up with all kinds of files in it, good ones and bad ones. Windows copies various files from your active system to the System Restore area in order to allow you to "roll your computer back" to how it was at a previous point in time. If you have a problem with your computer today, you can use System Restore to set it back to a point when it was working fine, like yesterday.

    To do all this, System Restore will make "restore points" and copy many types of files into these areas. Sometimes virus and trojan files can end up in there, too. The only way to safely clean virus or trojan files out of the System Restore area is to cycle it off and then back on, which removes all the old restore points (and those bad files) and lets you start fresh and clean again.

    Here are a couple links regarding how to cycle / clean out System Restore. They are both good. (I provide both because sometimes one site or the other may not be available at the moment you may click the links):

    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    That detection in TDS-3 is a little overly sensitive now that Microsoft uses a lot of HTA files - especially in Windows XP. I think they use them for the tour and welcome, among other things :)

    I'd just leave it, any dangerous HTA files and others involved in exploits and viruses should be positively detected by your AV or TDS, or both.
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thank you very much for your help and replies.

    A warm holiday season to all,

    Rich
     