Try a forum search for file.bat as this one has very recently been discussed (with suggestions, etc.) as there are also associated files, one being c:\windows\services.exe which depending on your OS isn’t in the correct location and is a fake.
The file is strange… especially in the Windows folder…
Are you using Windows XP/Vista?
Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyse them further.
Hi there,
Same thing with file.bat; it is only one command turning off Windows Firewall.
I deleted it and made a new one with write protection, containing an echo command.
But now avast is blocking, from time to time, massive mails coming out from my computer.
I already ran an avast scan on boot.
set avast protection on high for everything
firewall? install comodo or pctools
if firefox install script blocker
run ccleaner or ATF cleaner to clean temp files - including IE temp files
do NOT disable System Restore
post the avast log - send everything to chest
reboot immediately if asked by any of these help programs
go to the top of this forum - read instructions and submit a “Hijack this”
then
go to malwarebytes.org and run both RogueRemover Free and Malware Bytes Anti Malware
update first
with MBAM put a check next to any baddies and then click REMOVE CHECKED
post the log
if you have time do SAS else new HJT (it’s quick)
download superantispyware update clean quarantine post log (edit out cookies)
new HJT
trend micro rootkit check
do you have spywareblaster or spybot search and destroy, windows defender, etc?
OK,
So the reason was service.exe in windows folder executed on startup.
creating file.bat with command to stop Windows Firewall (forgot to keep original file)
changing administrator rights (never work as administrator!), impossible to start Windows Firewall
sending mails every 5 min in case you are connected to internet (probably ping first and then send if active)
I rebooted in cmd mode (F8) and changed service.exe and file.bat + changed rights to read-only
Impossible to find where run/service.exe is in the reg. base! So I am running in selected mode (msconfig)
service.exe should be at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
I also suggest:
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
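The registry check suggested above (finding what launches the file under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services), written out as an added PowerShell example that is not part of the original posts. It is read-only and lists service and Run-key entries that start services.exe, service.exe or file.bat from the Windows folder itself instead of System32; the Run keys and the helper name Resolve-CommandPath are assumptions added for illustration.

```powershell
# Added example (not from the thread): read-only check of autostart entries.
# Flags commands that launch one of the file names reported in this thread
# from the Windows folder itself; the genuine services.exe lives in System32.
$winDir       = $env:SystemRoot.TrimEnd('\')
$suspects     = 'services.exe', 'service.exe', 'file.bat'
$suspectPaths = $suspects | ForEach-Object { "$winDir\$_" }

# Hypothetical helper: reduce a registry command line to the file it starts.
function Resolve-CommandPath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    $c = $c -replace '^\\\?\?\\', ''            # drop the NT "\??\" prefix
    $c = $c -replace '^\\SystemRoot', $winDir   # "\SystemRoot\..." form
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|bat|cmd|com|scr))(\s|$)') { return $Matches[1] }
    return $c
}

# Collect every service ImagePath plus the machine and user Run values.
$entries = @(
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = $_.GetValue('ImagePath')
            if ($img) {
                [pscustomobject]@{ Source = "Service: $($_.PSChildName)"; Command = [string]$img }
            }
        }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-Item $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Source = "$key\$name"; Command = [string]$item.GetValue($name) }
            }
        }
    }
)

# Report entries whose target is one of the suspect names directly in %SystemRoot%.
$entries | ForEach-Object {
    $path = Resolve-CommandPath $_.Command
    if ($suspectPaths -contains $path) {   # -contains is case-insensitive for strings
        [pscustomobject]@{
            Source = $_.Source
            Path   = $path
            Exists = Test-Path -LiteralPath $path
        }
    }
} | Format-Table -AutoSize -Wrap
```

An empty result only means none of these two registry locations start the files; scheduled tasks and Startup folders are not covered by this check.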
I am having similar issues and I am new to the Avast! program. COX (my internet provider) claims that this program is better than McAfee, but after two weeks I’m already encountering a huge problem like this one below:
Every time I turn on my computer, the same avast warning sign pops up with the same virus/worm. I initially tried to move to chest, like it recommended, but when I restart the computer the same message shows again. So then I tried every single combination (*move to chest, then delete from chest *repair *delete…) but the deletion always claims to be successful, even though after restarting the computer I get the same message… VBS:Malware-gen C:\WINDOWS\file.bat
I’ve been going through a few threads, and I’m vaguely familiar with the lingo around here, so please bear with me. I have a Windows XP Home Edition Version 2002 Service Pack 3. When I upload the file onto Virus Total, the result is always: 0 bytes size received / Se ha recibido un archivo vacio .
COX also advised to use Spybot. When I check for problems I have issues with my firewall or something.
Problems / Kind
Microsoft.WindowsSecurityCenter.FirewallOverride 1 entries Security
Microsoft.WindowsSecurityCenter_disabled 1 entries Security
Right Media 1 entries Browser
Win32.Joleee.K 1 entries Trojans
Every time I attempt to ‘fix selected problems’, they resurface when I ‘check for problems’. It’s a never-ending cycle on both programs.
“Capability to send out email message(s) with the built-in SMTP client engine.
Contains characteristics of a SPAM bot, backdoor trojan, and a rootkit. The backdoor component allows the remote hacker to download/install additional components and instruct the bot to launch massive SPAM attacks from the compromised system.”
Firstly, I just received another virus message, but this time the file is Win32: Trojan-gen {other}. I sent it to the chest. So do I just let it sit there? What do I do next? Will it later attack my computer?
Secondly, I just deleted my temporary internet files and restarted my computer and the first virus message has not appeared (yet…) . This is also in the chest along with the other virus. In total, I have three sitting in the chest:
Win32: Agent-COH [trj] file name SpybotSD.exe.hdmp
VBS:Malware-gen file name file.bat AND
Win32: Trojan-gen {other} file name services.exe
I feel like recently I’ve been receiving a rush of viruses, but I have not had any unusual activity on the web. At least before Avast my McAfee never reacted this way. Is it just very sensitive? I’m about to restart my computer to see if it was truly successful.
CharelyO,
I see there is an analysis of these files (that I don’t really understand). Is there anything I can fix about these files so that if there are any problems, I can fix them, and if they aren’t real problems, then that they don’t show up as problems?
let it/them sit in chest; chest is encrypted and is a safe place
can you create a new file called suspect like C:\suspect
then go into avast and exclude c:\suspect*
export your hits to C:\suspect
go on the internet to virustotal.com
upload the files
post the results or a link
thanks
we need to get a positive id on these especially the -gen or general
A response from Greyfox at the spybot forum
re:
SpybotSD.exe.hdmp
As far as I am aware the .HDMP file extension identifies a Windows Heap Dump and is an Error report file created by Microsoft Windows as a part of its critical error logging systems. You should be able to view it in any text editor or word processor.
It would suggest that at some stage there has been a problem with SpybotSD.exe. If it is now in the Avast Virus chest it can stay there without doing any harm, and when you are sure Spybot is working properly and your scans are clear you could then delete it.
I know this may be frustrating to you all, but I’m really lost when it comes to this virus stuff. And I’d hate to download all these additional programs when I don’t know how my computer will take the programs–and I probably have similar ones. I can’t see how to exclude or export files on avast. ???
Tech,
I have Avast, Spybot Search, Clean Up and Super AntiSpyware (Free Edition). All given by COX.
About exporting and excluding, I was referring to wyrmrider’s advice (a few posts above), but I know it’s impractical to try and follow both of your directions. But I think I’m just going to leave it for now until I can get my bearings. I’ve been busy lately and I feel better at least knowing that they’re safe in the chest.
I believe I’m getting the one virus in particular from a website that I frequent. Do I now have to altogether not browse it? It’s never been an issue in the past before avast.
Bearings is not available in the general English dictionary and thesaurus.
Well… it won’t be avast’s fault, on the contrary, don’t you think?
Maybe you could post an edited (hxxp instead of http) link to this particular site you’re referring to.
Hi,
I just ran the RunScanner program.
I don’t know if my notebook is OK.
I found this bat file. Is this bad?
Please let me know.
online malware analysis report