Author Topic: VBS:Malware-gen C:\WINDOWS\file.bat  (Read 24490 times)

mr984

  • Guest
VBS:Malware-gen C:\WINDOWS\file.bat
« on: September 23, 2008, 02:48:32 PM »
Hello.

After opening the internet site yourgals.net/detail5483.htm (a Russian forum with paintings of Jacques Callot), I got the warning message:

VBS:Malware-gen

C:\WINDOWS\file.bat

It detects the virus at startup every time, even though I have tried to move it to chest or delete it several times...

I'm a user of avast Home 4.8.

What can I do?

Thanks.

Offline DavidR

  • Avast Überevangelist
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #1 on: September 23, 2008, 03:19:57 PM »
Try a forum search for file.bat as this one has very recently been discussed (with suggestions, etc.) as there are also associated files, one being c:\windows\services.exe which depending on your OS isn't in the correct location and is a fake.
« Last Edit: September 23, 2008, 03:21:29 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #2 on: September 23, 2008, 05:13:39 PM »
The file is strange... especially in the Windows folder...
Are you using Windows XP/Vista?
Can you schedule a boot-time scan?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select archives for scanning.
Boot.
If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can analyze them further.
The best things in life are free.

Pylon

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #3 on: September 29, 2008, 10:36:40 AM »
Hi there,
Same thing with file.bat; it is only one command turning off the Windows firewall.
I deleted it and remade a new one with write protection, containing an echo command.
But now avast is blocking, from time to time, massive mails coming out from my computer.
I already made an avast scan on boot.

Any idea how to clean the computer?

Best regards,   

wyrmrider

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #4 on: September 29, 2008, 07:26:35 PM »
set avast protection on high for everything
firewall?  install comodo or pctools
if firefox install script blocker
run ccleaner or ATF cleaner to clean temp files - including IE temp files
do NOT disable System Restore


post the avast log - send everything to chest
reboot immediately if asked by any of these help programs

go to the top of this forum - read instructions and submit a "Hijack this"

then
go to malwarebytes.org and run both RogueRemover Free and Malware Bytes Anti Malware
update first
with MBAM put a check next to any baddies and then click REMOVE CHECKED
post the log

if you have time do SAS else new HJT (it's quick)
download superantispyware  update clean quarantine post log (edit out cookies)
new HJT
trend micro rootkit check

do you have spywareblaster or spybot search and destroy, windows defender, etc?



Pylon

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #5 on: September 30, 2008, 09:59:07 AM »
OK,
So the reason was service.exe in the Windows folder, executed on startup.
- creating file.bat with a command to stop the Windows firewall (forgot to keep the original file :( )
- changing administrator rights (never work as administrator!), impossible to start the Windows firewall
- sending mails every 5 min in case you are connected to the internet (probably ping first and then send if active)

I rebooted in cmd mode (F8) and changed service.exe and file.bat + changed rights to read only.
Impossible to find where run/service.exe is in the reg. base! So I am running in selected mode (msconfig).
 
F... Micro and Soft
 

Offline Lisandro

  • Avast team
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #6 on: September 30, 2008, 04:13:00 PM »
> Impossible to find where is run/service.exe in reg. base!

service.exe should be at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

I also suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.
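
An added example, not part of any post in this thread: a read-only PowerShell listing that looks in the Services key named above, plus the two standard Run keys (an assumption; the thread does not name them), for entries that start service.exe, file.bat, or a services.exe located outside System32. It generalizes the lookup to every entry carrying those names and assumes a system where PowerShell is available.

```powershell
# Added example (not from the thread): read-only listing of autostart entries
# that reference the file names discussed above. It changes nothing.
$system32 = (Join-Path $env:WINDIR 'System32').ToLower()
$names    = 'service.exe', 'services.exe', 'file.bat'   # names taken from this thread

function Get-TargetPath([string]$Command) {
    # Reduce a service ImagePath or Run command line to the file it starts.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') {
        $c = $Matches[1]
    } elseif ($c -match '^(.+?\.(exe|bat|cmd|sys))(\s|$)') {
        $c = $Matches[1]
    }
    # Normalise the kernel-style prefixes that ImagePath values may use.
    $c = $c -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:WINDIR + '\')
    if ($c -notmatch '^(\w:|\\)') { $c = Join-Path $env:WINDIR $c }
    return $c
}

function Test-Suspect([string]$Path) {
    $p    = $Path.ToLower()
    $i    = $p.LastIndexOf('\')
    $leaf = $p.Substring($i + 1)
    $dir  = if ($i -gt 0) { $p.Substring(0, $i) } else { '' }
    if ($names -notcontains $leaf) { return $false }
    # The genuine services.exe lives only in %WINDIR%\System32.
    return -not ($leaf -eq 'services.exe' -and $dir -eq $system32)
}

$entries = @()
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $entries += New-Object PSObject -Property @{ Key = $_.Name; Value = "$img" } }
    }

foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($n in $item.GetValueNames()) {
        $entries += New-Object PSObject -Property @{ Key = "$key\$n"; Value = "$($item.GetValue($n))" }
    }
}

$entries | Where-Object { $_.Value -and (Test-Suspect (Get-TargetPath $_.Value)) } |
    Format-Table Key, Value -AutoSize -Wrap
```

An empty result only means none of these three locations references those names; it does not show the machine is clean.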

taxigreen

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #7 on: October 05, 2008, 03:35:31 PM »
I am having similar issues and I am new to the Avast! program. COX (my internet provider) claims that this program is better than McAfee, but after two weeks I'm already encountering a huge problem like this one below:

Every time I turn on my computer, the same avast warning sign pops up with the same virus/worm. I initially tried to move to chest, like it recommended, but when I restart the computer the same message shows again. So then I tried every single combination (*move to chest, then delete from chest *repair *delete...) but the deletion always claims to be successful, even though after restarting the computer I get the same message...  VBS:Malware-gen C:\WINDOWS\file.bat

I've been going through a few threads, and I'm vaguely familiar with the lingo around here, so please bear with me. I have a Windows XP Home Edition Version 2002 Service Pack 3. When I upload the file onto Virus Total, the result is always: 0 bytes size received / Se ha recibido un archivo vacio .

COX also advised to use Spybot. When I check for problems I have issues with my firewall or something.

Problems                                            Entries    Kind
Microsoft.WindowsSecurityCenter.FirewallOverride    1 entries  Security
Microsoft.WindowsSecurityCenter_disabled            1 entries  Security
Right Media                                         1 entries  Browser
Win32.Joleee.K                                      1 entries  Trojans

Every time I attempt to 'fix selected problems', they resurface when I 'check for problems'. It's a never-ending cycle on both programs.

Can anybody help? Please and thank you.
« Last Edit: October 05, 2008, 04:33:00 PM by taxigreen »

Offline Lisandro

  • Avast team
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #8 on: October 05, 2008, 10:59:56 PM »
> Every time I turn on my computer, the same avast warning sign pops up with the same virus/worm.
> Can anybody help? Please and thank you.

Did you follow the general cleaning procedure that I've posted right above?

CharleyO

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #9 on: October 06, 2008, 07:35:39 AM »
***

Information on Right Media :

This is owned mostly by Yahoo and is used to deliver ads. See the link below for many links of information.

http://g.s.scandoo.com/search?q=Right+Media&btnG=Search&hl=en&sa=2

Information on Win32.Joleee.K :

"Capability to send out email message(s) with the built-in SMTP client engine.   
Contains characteristics a SPAM bot, backdoor trojan, and a rootkit. The backdoor component allows the remote hacker to download/install additional components and instruct the bot to launch massive SPAM attacks from the compromised system."

http://www.threatexpert.com/report.aspx?uid=f712970c-948f-4fa0-b5d4-15c28f23cb0d


***


taxigreen

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #10 on: October 06, 2008, 11:01:41 PM »
> > Every time I turn on my computer, the same avast warning sign pops up with the same virus/worm.
> > Can anybody help? Please and thank you.
> Did you follow the general cleaning procedure that I've posted right above?

Firstly, I just received another virus message, but this time the file is Win32: Trojan-gen {other}. I sent it to the chest. So do I just let it sit there? What do I do next? Will it later attack my computer?
Secondly, I just deleted my temporary internet files and restarted my computer and the first virus message has not appeared (yet...). This is also in the chest along with the other virus. In total, I have three sitting in the chest:
Win32: Agent-COH [trj] file name SpybotSD.exe.hdmp
VBS:Malware-gen file name  file.bat          AND
Win32: Trojan-gen {other} file name services.exe

I feel like recently I've been receiving a rush of viruses, but I have not had any unusual activity on the web. At least before Avast my McAfee never reacted this way. Is it just very sensitive? I'm about to restart my computer to see if it was truly successful.

CharleyO,
I see there is an analysis of these files (that I don't really understand). Is there anything I can fix about these files so that if there are any problems, I can fix them, and if they aren't real problems, then that they don't show up as problems?

Thank you.
« Last Edit: October 06, 2008, 11:03:41 PM by taxigreen »

wyrmrider

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #11 on: October 07, 2008, 12:05:11 AM »
let it/ them  sit in chest  chest is encrypted and is safe place
can you create a new file called suspect  like C:\suspect
then go into avast and exclude c:\suspect\*
export your hits to C:\suspect
go on the internet to virustotal.com
upload the files
post the results or a link
thanks

we need to get a positive id on these especially the -gen or general

Offline Lisandro

  • Avast team
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #12 on: October 07, 2008, 12:55:37 AM »
> Firstly, I just received another virus message, but this time the file is Win32: Trojan-gen {other}. I sent it to the chest. So do I just let it sit there?

Yes. Chest is a safe place to keep the file(s) in.

> What do I do next? Will it later attack my computer?

Not that particular file, maybe a replicant... it's good to follow the steps I've posted before.

wyrmrider

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #13 on: October 07, 2008, 01:28:03 AM »
A response from Greyfox at the spybot forum
re:
SpybotSD.exe.hdmp



As far as I am aware the .HDMP file extension identifies a Windows Heap Dump and is an Error report file created by Microsoft Windows as a part of its critical error logging systems. You should be able to view it in any text editor or word processor.

It would suggest that at some stage there has been a problem with SpybotSD.exe. If it is now in the Avast Virus chest it can stay there without doing any harm and when you are sure Spybot is working properly and your scans are clear you could then delete it

taxigreen

  • Guest
Re: VBS:Malware-gen C:\WINDOWS\file.bat
« Reply #14 on: October 07, 2008, 01:49:19 AM »
I know this may be frustrating to you all, but I'm really lost when it comes to this virus stuff. And I'd hate to download all these additional programs when I don't know how my computer will take the programs--and I probably have similar ones. I can't see how to exclude or export files on avast.  ???