Visual Basic files blocked by MS AntiSpyware [RESOLVED]



#1
btketron (Member, 13 posts)
I have the following visual basic scripts blocked in MS Antispyware, and was wondering which were harmful and which were harmless. I think the VB Script that maps my network drive connections on my computer is blocked, but I don't want to un-block the wrong one and have a bunch of malware coming in. Please someone, look at this list, and try to let me know what you can. These are all in different Temp folder locations on my comp.

457.bat
541.bat
E1.bat
3E.bat
ckz.tmp13793a/setup.bat
D1.bat

Any help, small or large, is greatly appreciated. Thanks in advance guys!

Brad


#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Brad, are you sure these are for your network drive mappings? Why are they in the temp folders?

I can't tell which ones are bad or not, at least not like that. You MUST open each one in Notepad and tell me what they say. Better yet, see if you recognize the network mapping yourself, because I probably won't, since it's your network mapping. Do NOT double-click the .bat files to open them; that will actually run them. Instead, right-click on them and choose Edit.

#3
btketron (Topic Starter, Member, 13 posts)
Yeah--that was kind of a red flag for me when I was looking at what was blocked and what wasn't in MS AntiSpyware. I didn't expect to see .bat files in the Temp folders. Also, the setup.bat runs something called CommSetup33.exe--that's unfamiliar to me. Thanks again!

457.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\untokuoitu.exe"
if exist "C:\WINDOWS\untokuoitu.exe" goto repeat
rmdir "C:\WINDOWS"
:done

del "C:\DOCUME~1\btketron\LOCALS~1\Temp\457.bat"

541.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\io2uns.exe"
if exist "C:\WINDOWS\io2uns.exe" goto repeat
rmdir "C:\WINDOWS"
:done

del "C:\DOCUME~1\btketron\LOCALS~1\Temp\541.bat"

E1.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\untokuoitu.exe"
if exist "C:\WINDOWS\untokuoitu.exe" goto repeat
rmdir "C:\WINDOWS"
:done

del "C:\DOCUME~1\btketron\LOCALS~1\Temp\E1.bat"

3E.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\system32\adposter.exe"
if exist "C:\WINDOWS\system32\adposter.exe" goto repeat
rmdir "C:\WINDOWS\system32"
:done

del "C:\WINDOWS\TEMP\3E.bat"

setup.bat:

Setup.exe /q2 partner=14 referrer=33
CommSetup33.exe

D1.bat:

set n=
:repeat
set n=%n%a
if %n%==aaaaaaaaaaaaaaaaaaaa goto done
del "C:\WINDOWS\system32\adposter.exe"
if exist "C:\WINDOWS\system32\adposter.exe" goto repeat
rmdir "C:\WINDOWS\system32"
:done

del "C:\WINDOWS\TEMP\D1.bat"
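The safe way to triage files like these, as an added example that is not part of the thread: a Python script that reads the .bat text (exactly what right-click > Edit shows) and never executes it, then reports what each file would do, so a drive-mapping logon script can be told apart from dropper cleanup without double-clicking anything. The malicious samples are the scripts posted above; mapdrives.bat is a constructed benign script for contrast, and its server and share names are made up.

```python
"""Static triage of .bat files found in Temp folders (added example, not
code from the thread). Nothing here runs a script: it parses the text and
reports what the file would do if it were executed."""
import re
from dataclasses import dataclass, field

# Sample inputs. The first three are the contents posted above; mapdrives.bat
# is a constructed benign logon script (server and share names are made up).
SAMPLES = {
    "457.bat": (
        "set n=\n:repeat\nset n=%n%a\n"
        "if %n%==aaaaaaaaaaaaaaaaaaaa goto done\n"
        'del "C:\\WINDOWS\\untokuoitu.exe"\n'
        'if exist "C:\\WINDOWS\\untokuoitu.exe" goto repeat\n'
        'rmdir "C:\\WINDOWS"\n:done\n\n'
        'del "C:\\DOCUME~1\\btketron\\LOCALS~1\\Temp\\457.bat"\n'
    ),
    "3E.bat": (
        "set n=\n:repeat\nset n=%n%a\n"
        "if %n%==aaaaaaaaaaaaaaaaaaaa goto done\n"
        'del "C:\\WINDOWS\\system32\\adposter.exe"\n'
        'if exist "C:\\WINDOWS\\system32\\adposter.exe" goto repeat\n'
        'rmdir "C:\\WINDOWS\\system32"\n:done\n\n'
        'del "C:\\WINDOWS\\TEMP\\3E.bat"\n'
    ),
    "setup.bat": "Setup.exe /q2 partner=14 referrer=33\nCommSetup33.exe\n",
    "mapdrives.bat": "@echo off\nnet use H: \\\\fileserver\\users /persistent:yes\n",
}

LABEL_RE = re.compile(r"^:(\w+)")
GOTO_RE = re.compile(r"\bgoto\s+(\w+)", re.I)
EXIST_RE = re.compile(r"^if\s+exist\b", re.I)
DEL_RE = re.compile(r'^(?:del|erase)\s+(?:/\w\s+)*"?([^"]+?)"?$', re.I)
RMDIR_RE = re.compile(r'^(?:rmdir|rd)\s+(?:/\w\s+)*"?([^"]+?)"?$', re.I)
NETUSE_RE = re.compile(r"^net\s+use\b", re.I)
EXEC_RE = re.compile(r"^([\w~.-]+\.exe)\b", re.I)


@dataclass
class BatReport:
    name: str
    deletes: list = field(default_factory=list)  # paths passed to del/erase
    rmdirs: list = field(default_factory=list)   # directories passed to rmdir/rd
    runs: list = field(default_factory=list)     # executables invoked directly
    net_use: int = 0                             # 'net use' drive mappings seen
    retry_loop: bool = False                     # jump back to a label, gated on 'if exist'
    self_deleting: bool = False                  # del of the script's own file name


def analyze(name: str, text: str) -> BatReport:
    """Parse one batch file's text; the text is never executed."""
    rep = BatReport(name)
    labels, gotos, exist_check = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"rem\b", line, re.I):
            continue
        if m := LABEL_RE.match(line):
            labels.add(m.group(1).lower())
            continue
        if m := GOTO_RE.search(line):
            gotos.add(m.group(1).lower())
        if EXIST_RE.match(line):
            exist_check = True
        if m := DEL_RE.match(line):
            target = m.group(1)
            rep.deletes.append(target)
            if target.lower().split("\\")[-1] == name.lower():
                rep.self_deleting = True
        elif m := RMDIR_RE.match(line):
            rep.rmdirs.append(m.group(1))
        elif NETUSE_RE.match(line):
            rep.net_use += 1
        elif m := EXEC_RE.match(line):
            rep.runs.append(m.group(1))
    # A goto back to a label, gated on 'if exist', is the classic "keep trying
    # until the file can be deleted" wait loop used by dropper cleanup scripts.
    rep.retry_loop = exist_check and bool(labels & gotos)
    return rep


def reasons(rep: BatReport) -> list:
    """Why a script looks like dropper cleanup rather than admin work."""
    out = []
    if rep.self_deleting:
        out.append("deletes itself when finished")
    if rep.retry_loop:
        out.append("loops until a file can be deleted (waits for its process to exit)")
    for d in rep.rmdirs:
        if d.lower().startswith("c:\\windows"):
            out.append(f"attempts rmdir on a system directory: {d}")
    for exe in rep.runs:
        out.append(f"launches {exe} by bare name (resolved from the current directory or PATH)")
    return out


def executables_to_remove(reports) -> list:
    """The .exe paths the scripts try to delete: binaries to remove alongside them."""
    return sorted({p for r in reports for p in r.deletes if p.lower().endswith(".exe")})


if __name__ == "__main__":
    reports = [analyze(n, t) for n, t in SAMPLES.items()]
    for r in reports:
        print(f"{r.name}: {'SUSPICIOUS' if reasons(r) else 'looks benign'}")
        for why in reasons(r):
            print(f"  - {why}")
        if r.net_use:
            print(f"  - maps {r.net_use} network drive(s) with 'net use'")
    print("executables referenced for deletion:", executables_to_remove(reports))
```

Run it as-is and the three posted scripts come back flagged (self-deleting, retry loop, rmdir on C:\WINDOWS, bare-name launches), while the constructed mapdrives.bat shows only a `net use` mapping; the final line lists the .exe paths the scripts were trying to remove, which is what to go and delete by hand.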

#4
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
ALL bad.

Delete all those files and the EXE mentioned in those .bat files. Then do this:

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#5
btketron (Topic Starter, Member, 13 posts)
Deleted all .bat files and related .exe's. Here's my HJT file. Looks relatively clean to me.

Logfile of HijackThis v1.99.1
Scan saved at 9:17:06 AM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
\Hg-srv-fs1\Users\btketron\Personal\My Programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [BelNotify] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Belarc\Advisor\System\NPBelv32.dll,RunDll32_BelNotify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Genifax Print to Mail.lnk = C:\Program Files\Omtool\GenifaxPrintToMail\GenifaxPTM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120575933776
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124389670668
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - https://oracle.alpha...tor/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org
O17 - HKLM\Software\..\Telephony: DomainName = alphanr.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alphanr.org
O23 - Service: BelMonitor Service (BelMonitorService) - Belarc, Inc. - C:\PROGRA~1\Belarc\BelMonitor\BANTMonitorSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#6
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yep, all clear. Just one thing that stood out though. You know why this is set to be the start page?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/

If that's ok, then:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
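The checks the expert made by eye on the log above can be scripted; the following is an added example, not part of the thread or of HijackThis. It parses the R0, O4, O17 and O23 line formats that appear in the posted log and flags what an analyst would ask about: a start page that has not been confirmed (exactly the http://info/ question asked above), autoruns or services launched from a user-writable path, services with no publisher, and an unexpected DNS domain. The sample input is a few lines copied from the posted log plus two constructed entries marked in the code; the expected domain and the trusted start pages are assumptions.

```python
"""Section-by-section triage of a HijackThis v1.99 log (added example, not
part of the thread). Parses the R0, O4, O17 and O23 formats seen in the log
above and applies the checks an analyst makes by eye."""
import re
from dataclasses import dataclass

# Sample lines: copied from the posted log, plus two constructed entries
# (marked) so the user-writable-path check has something to fire on.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://info/",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alphanr.org",
    r"O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    # constructed for illustration, not from the posted log:
    r"O4 - HKCU\..\Run: [svchosts] C:\DOCUME~1\user\LOCALS~1\Temp\svchosts.exe",
    r"O23 - Service: Windows Updater (wupd) - Unknown owner - C:\WINDOWS\TEMP\wupd.exe",
]

# Assumption for illustration: the domain this company machine should be joined to.
EXPECTED_DOMAINS = {"alphanr.org"}
# Autoruns and services have no business living where a plain user can write.
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\appdata\\")

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\.*?Run[^:]*:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "review": needs the user's confirmation; "info": worth a look
    reason: str
    line: str


def exe_path(cmd: str) -> str:
    """First token of a Run command, honouring quotes around paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def user_writable(path: str) -> bool:
    return any(p in path.lower() for p in USER_WRITABLE)


def triage(lines, trusted_start_pages=frozenset()):
    """Return Findings for the log lines. trusted_start_pages holds start pages
    the user has already confirmed (for example a company intranet page)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            if value not in trusted_start_pages:
                findings.append(Finding(sec, "review", f"unconfirmed start page {value}", line))
        elif sec == "O4" and (o := O4_RE.match(body)):
            if user_writable(exe_path(o.group("cmd"))):
                findings.append(Finding(sec, "review", f"autorun [{o.group('name')}] runs from a user-writable path", line))
        elif sec == "O17":
            domain = body.split(" = ", 1)[-1]
            if domain not in EXPECTED_DOMAINS:
                findings.append(Finding(sec, "review", f"unexpected DNS domain {domain}", line))
        elif sec == "O23" and (s := O23_RE.match(body)):
            name = s.group("display")
            if user_writable(s.group("path")):
                findings.append(Finding(sec, "review", f"service '{name}' runs from a user-writable path", line))
            elif s.group("owner").lower() == "unknown owner":
                findings.append(Finding(sec, "info", f"service '{name}' has no publisher; confirm the binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.section} [{f.severity}] {f.reason}")
```

With an empty trusted set the script raises the same http://info/ question the expert asked; once the user confirms it is the intranet page, pass `trusted_start_pages={"http://info/"}` and only the service and autorun findings remain. The "Unknown owner" entry for the Oracle service is reported as informational rather than a verdict: HijackThis only shows that the binary carries no company name, and the path is what decides.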

#7
btketron (Topic Starter, Member, 13 posts)
I know why the homepage is set to that--it's because this is a company computer and I'm on a network. That is the default address to our intranet homepage for company purposes. So it's all clear--thanks again for all the help!

#8
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





