[btketron]

I have the following visual basic scripts blocked in MS Antispyware, and was wondering which were harmful and which were harmless. I think the VB Script that maps my network drive connections on my computer is blocked, but I don't want to un-block the wrong one and have a bunch of malware coming in. Please someone, look at this list, and try to let me know what you can. These are all in different Temp folder locations on my comp.

457.bat
541.bat
E1.bat
3E.bat
ckz.tmp13793a/setup.bat
D1.bat

Any help, small or large, is greatly appreciated. Thanks in advance guys!

Brad

[Advertisements]

Hi Brad, are you sure these are for your network drive mappings? Why are they in the temp folders?

I can't tell which ones are bad or not...at least not like that. You MUST open up each one in Notepad and tell me what they say...better yet see if you recognize the network mapping instead...because I probably won't know since it's your network mapping. Do NOT double click on the .bat files to open them up...that will actually run them. Instead, right click on them and choose Edit.

[greyknight17]

Hi Brad, are you sure these are for your network drive mappings? Why are they in the temp folders?

I can't tell which ones are bad or not...at least not like that. You MUST open up each one in Notepad and tell me what they say...better yet see if you recognize the network mapping instead...because I probably won't know since it's your network mapping. Do NOT double click on the .bat files to open them up...that will actually run them. Instead, right click on them and choose Edit.

[btketron]

Yeah--that was kind of a red flag for me when I was looking at what was blocked and what wasn't in MS AntiSpyware. I didn't expect to see .bat files in the Temp folders. Also, the setup.bat runs something called CommSetup33.exe--that's unfamiliar to me. Thanks again!

457.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\untokuoitu.exe"
if exist "C:\WINDOWS\untokuoitu.exe" goto repeat
rmdir "C:\WINDOWS"
:done

del "C:\DOCUME~1\btketron\LOCALS~1\Temp\457.bat"

541.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\io2uns.exe"
if exist "C:\WINDOWS\io2uns.exe" goto repeat
rmdir "C:\WINDOWS"
:done

del "C:\DOCUME~1\btketron\LOCALS~1\Temp\541.bat"

E1.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\untokuoitu.exe"
if exist "C:\WINDOWS\untokuoitu.exe" goto repeat
rmdir "C:\WINDOWS"
:done

del "C:\DOCUME~1\btketron\LOCALS~1\Temp\E1.bat"

3E.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\system32\adposter.exe"
if exist "C:\WINDOWS\system32\adposter.exe" goto repeat
rmdir "C:\WINDOWS\system32"
:done

del "C:\WINDOWS\TEMP\3E.bat"

setup.bat:

Setup.exe /q2 partner=14 referrer=33
CommSetup33.exe

D1.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\system32\adposter.exe"
if exist "C:\WINDOWS\system32\adposter.exe" goto repeat
rmdir "C:\WINDOWS\system32"
:done

del "C:\WINDOWS\TEMP\D1.bat"

[greyknight17]

ALL bad

Delete all those files and the EXE mentioned in those .bat files. Then do this:

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

[btketron]

Deleted all .bat files and related .exe's. Here's my HJT file. Looks relatively clean to me.

Logfile of HijackThis v1.99.1
Scan saved at 9:17:06 AM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124389670668
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

[greyknight17]

Yep, all clear. Just one thing that stood out though. You know why this is set to be the start page?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/

If that's ok, then:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

[btketron]

I know why the homepage is set to that--it's because this is a company computer and I'm on a network. That is the default address to our intranet homepage for company purposes. So it's all clear--thanks again for all the help!

[greyknight17]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.