bla.exe help

By Optik · 18 replies
Jul 17, 2005
  1. hi there :)

    well, there is an exe that appeared suddenly in C:, a week ago, dunno how. Then there it is, bla.exe, and it's 0 bytes in size!!
    -when i try to delete it, it says "it's being used by another person or program", then i can't delete it. Even if i go to safe boot mode, the same happens.
    -if i scan it with KAV, it says virus free, but in the report i can read "skipped because of its small size"...

    i know bla.exe is not a safe file to have, can u help me solve this?


    ps: i don't see bla.exe in Task Manager..
  2. just_a_nobody

    just_a_nobody TS Rookie Posts: 182

  3. Optik

    Optik TS Rookie Topic Starter

    thanks for reply,

    yea..i thought so, but if i got a worm, that Gaobot worm, i should have those registry things they say on Symantec, right?

    in HKLM/...../Run i only have 5 known processes like KAV, ZoneAlarm, scvhost, and nothing strange.

    also, if it's the worm/virus, shouldn't bla.exe not be 0 bytes?

    also, i don't notice anything strange in the computer behavior, nothing strange in Task Manager; if it's a virus, something should be different..

    also i dont have any of these :
    "...Adds one of the values:

    "Config Loader"="scvhost.exe"
    "Task Scheduler"="WincfgM32.exe...."

    then, i got the virus in some way? or..what is this? what should i do?
    also i can't delete it, it says bla.exe is being used :O

    Thanks! :)
  4. just_a_nobody

    just_a_nobody TS Rookie Posts: 182

  5. Optik

    Optik TS Rookie Topic Starter


    ehh, disconnect, why? what do u mean?

    ok, i got a high-end system, 56k modem connection, with Kaspersky AV 5, up-to-date definitions, ZoneAlarm Firewall, Spybot (clean scan), Ad-Aware, and HijackThis.

    about scanning bla.exe (it's 0 bytes in size), isn't this a problem to scan? (Kaspersky says it's virus free but also says file too small)

    Thanks ;)
  6. Optik

    Optik TS Rookie Topic Starter

    u think i may have the Gaobot/Reckmess/Win32.Agent virus, right,
    yeah, but...if so,
    1-bla.exe is 0 bytes (if it's a virus it should be some size, right?)
    2-my registry path is clean, HKLM/.../Run shows 5 known processes, nothing strange
    3-the computer should behave differently if affected by a virus, right? some strange running process in taskman? i see no strange process in taskman, computer behaving ok, as usual.

    then, what do i do with bla.exe, what's that? if i should delete it, how?
  7. just_a_nobody

    just_a_nobody TS Rookie Posts: 182

    Sorry Optik for taking so long to get back on, but our cable service went out for a while. I wanted you to disconnect from the internet so you won't spread the worm, or get attacked, while trying to find a cure for this beast.

    Do you know when this virus first occurred? Can you do a system restore to a point before you noticed the virus showing up?

    Read this from the ZoneAlarm site, and look for the winamp.exe file.

    Reckmess.A!downloader has been distributed as "bla.exe" (in one confirmed case this file was dropped via an unpatched Internet Explorer exploit). When executed, it downloads a file from an encrypted URL in its code and executes it using the name "c:\winamp.exe". The file "C:\bla.exe" is then deleted.

    When the backdoor trojan is executed, it copies itself to %System%\<random file name>.exe and sets the following registry key so as to run each time Windows is started:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate0.07 = "%System%\<random file name>.exe"

    The backdoor trojan, running as "c:\winampa.exe", deletes itself and remains running in memory.

    Note: ‘%System%’ is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

    Do a google search for the bla.exe virus, you should find plenty of info there.

    I'm not going to kid you, you may be better off doing a reformat, and reinstall.
  8. Optik

    Optik TS Rookie Topic Starter


    i don't have this "c:\winamp.exe"
    i got winamp.exe in winamp
    ain't got this "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate0.07 = "%System%\<random file name>.exe""
    in HKCU\....\Run i have nothing, no reg key.

    also, ain't got an exe in the System32 folder that's been created in the past 2 months
    i got winampa in the Winamp folder path, as usual
    also, i notice no change in computer behavior, or running processes.
    then, how can i be infected by that Reckmess worm?

    look at my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 2:14:18, on 18/07/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    F:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Archivos de programa\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.exe
    C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O1 - Hosts:
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Archivos de programa\Adobe\Acrobat 7.0 R\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - F:\ARCHIV~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Archivos de programa\TGTSoft\StyleXP\TGT_BHO.dll
    O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Toolbar\01.01.1601.0\es\msntb.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Zone Labs Client] F:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [TweakMASTER] F:\ARCHIV~1\TWEAKM~1\TMTray.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [KAVPersonal50] F:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKLM\..\Run: [CTSysVol] C:\Archivos de programa\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime
    O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.exe
    O8 - Extra context menu item: Add to &LinkFox - res://F:\ARCHIV~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
    O8 - Extra context menu item: Download with GetRight - C:\Archivos de programa\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Archivos de programa\GetRight\GRbrowse.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\ARCHIV~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\ARCHIV~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {6A868C04-B942-11D8-8D76-0008C7FF1716} (BanServidorFicherosBPP.DownloadBPP) -
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
    O20 - AppInit_DLLs: PAVWAIT.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: kavsvc - Kaspersky Lab - F:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

  9. just_a_nobody

    just_a_nobody TS Rookie Posts: 182

    I don't see anything in your HJT log, but you may want to see if there are any Windows updates that apply to your system; maybe that will help you.
  10. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Get DrDelete and Killbox (find on Google).

    Boot in Safe Mode
    Turn System Restore off
    Run HijackThis and put a tickmark in the square little box before:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *
    O1 - Hosts:
    O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Toolbar\01.01.1601.0\es\msntb.dll (file missing)
    ALL your O16 - DPF: entries
    O20 - AppInit_DLLs: PAVWAIT.DLL

    Now click on Fix checked
    Search for and delete PAVWAIT.DLL (leftover from Panda)
    Use first DrDelete to get rid of bla.exe, if it can't, use Killbox.
  11. Optik

    Optik TS Rookie Topic Starter

    ok, ty just a nobody.

    -Thank u RealBlackStuff, i'll do that

    and...can u tell me (to learn), why do i have to boot in safe mode and turn System Restore off and then run HJT to fix the selected entries?

    ...and..why should i remove "O1 - Hosts:"? What does this mean, what is it?

    ....and why should i remove *all* the O16 - DPF entries, plz?

    ...What's wrong with this...isn't it Windows Update? "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer ="

    Thanks!! RBS!

    ps. i'll try Killbox to get rid of it, but i'd like to know what application is using bla.exe....cuz when i try to delete bla.exe, it says "being used by another user or application"?!
    ty ;)
  12. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Running in Safe Mode only loads necessary programs and services.
    Switching off System Restore deletes all your 'old' restore points (that have the infections in them also).
    You remove those things because I tell you so! Ignore at your own peril!
  13. Optik

    Optik TS Rookie Topic Starter

    aha ok thanks

    but couldn't u just tell me what "O1 - Hosts:" is? what does this mean and why is this dangerous?
    -just tell me that please, to know.
  14. Optik

    Optik TS Rookie Topic Starter

    ok i deleted all the entries u said.

    and now, what about bla.exe then? what is/was it? what application is using it? why is it 0 bytes? and is it a virus then, am i infected, should i delete bla.exe with Killbox?

    Thankz :)
  15. Abraxas

    Abraxas TS Rookie Posts: 157

    Perhaps you should read what he has written. All of it.
  16. Optik

    Optik TS Rookie Topic Starter

    anyone knows what a 0 bytes bla.exe is doing in my C:/ ?
    (its not gaobot virus)
  17. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    It is very difficult to find out, in the PC world, exactly HOW or WHY something happens. All we can do is clean it up after the fact.

    What is bla.exe?
    Could it be you had Gaobot and Kaspersky removed it but left one piece? Could it be you did not ever get Gaobot but that file was copied but never got to run? Could it be that the file is just corrupt and shows 0 bytes though it may have more? Who knows.

    But it is NOT a rare thing that a file won't delete and says it's in use. This happens often, that's why there are programs like Killbox.

    The "Hosts" entries in HJT map IP addresses to domains. For almost all people, there is no good reason to ever have extra hosts entries, unless you're in a business network or have special needs. Most of the time HOSTS entries are placed in there by spyware and viruses.

    The O16 DPF entries are ActiveX controls. Things, good or bad, that attach themselves to Internet Explorer for "added functionality". You won't miss them once they're gone, and should you ever require that functionality again, IE will prompt you to load it again. No harm done.

    The "WindowsUpdate" entries are set as PROXY server. This is also NOT something most people need (any proxy server), unless it is required at a business site or advanced network.
    Having a proxy forces your Internet traffic to filter through that proxy, thus letting the proxy site know exactly what you are doing and where you are going. And the proxy has the right to refuse you the pages you're looking for.
    So like the ActiveX controls, a proxy just isn't needed.
    The fact that the proxy says windowsupdate is just plain weird and suspicious.

    Basically RBS is cleaning you out of useless proxy settings, useless ActiveX controls, and unwanted Hosts file entries.

    These subjects go much deeper than what I scratched on the surface, but maybe that'll help you understand. To learn more about it, do some Google searching for Hosts file, ActiveX controls, and proxy servers.

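The checks RealBlackStuff asked for and Vigilante explained above (proxy settings, hosts-file overrides, O16 ActiveX/DPF controls, AppInit_DLLs), plus the Run-key persistence name quoted in just_a_nobody's write-up, can be automated over a HijackThis-style log. The script below is an added example written for this page, not a tool posted in the thread or part of HijackThis; the sample log is constructed (the proxy value, the hosts line and the JavaUpdate0.07 Run entry are invented to exercise the checks, the other lines follow the format of the log Optik posted), and the `KNOWN_PERSISTENCE_NAMES` set holds only the value name the thread quotes.

```python
"""Triage a HijackThis-style log for the entry classes the thread treats as
suspicious on a home PC, plus Run keys with a known trojan value name."""
import re
from typing import Dict, List, Tuple

# Autostart value names taken from the vendor write-up quoted in the thread.
# Extend this set with names from your own AV vendor's descriptions.
KNOWN_PERSISTENCE_NAMES = {"javaupdate0.07"}

# HJT entry lines look like "O4 - HKLM\..\Run: [Name] C:\path\file.exe args"
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")

# Constructed sample log (assumption: these values are invented for the demo).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.invalid:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *
O1 - Hosts: 203.0.113.5 www.bank.invalid
O4 - HKLM\..\Run: [Zone Labs Client] F:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\qzxv1234.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: kavsvc - Kaspersky Lab - F:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (code, body) pairs for every HJT entry line; the header lines and
    the 'Running processes' list do not match the entry pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def _value_after(body: str, sep: str) -> str:
    """Text after the first `sep` in an entry body, stripped ('' if absent)."""
    return body.split(sep, 1)[1].strip() if sep in body else ""


def triage(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag entries a home user normally has no reason to carry."""
    findings = []
    for code, body in entries:
        reason = ""
        if code == "R1" and "ProxyServer =" in body:
            value = _value_after(body, "=")
            if value:  # an empty ProxyServer value, as in the posted log, is not flagged
                reason = f"proxy server configured ({value}); home PCs normally have none"
        elif code == "R1" and "ProxyOverride =" in body:
            if _value_after(body, "="):
                reason = "proxy override set; only meaningful alongside a proxy"
        elif code == "O1":
            value = _value_after(body, ":")
            if value:
                reason = f"hosts file override redirects a name: {value}"
        elif code == "O16":
            reason = "ActiveX control (DPF); removable, IE re-prompts if needed"
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs entry is loaded into every GUI process"
        elif code == "O4":
            run = RUN_RE.match(body)
            if run and run.group(2).lower() in KNOWN_PERSISTENCE_NAMES:
                reason = (f"autostart value name '{run.group(2)}' matches a known "
                          f"trojan persistence key -> {run.group(3)}")
        if reason:
            findings.append({"code": code, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{finding['code']:4} {finding['reason']}")
        print(f"     {finding['entry']}")
```

Run it against a saved HijackThis log by reading the file into `parse_hjt` instead of `SAMPLE_LOG`. Entries with an empty value (the `ProxyServer =` and `O1 - Hosts:` lines exactly as they appear in Optik's log) are left alone, so the script reports what actually carries a setting rather than every line of a given class.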
  18. Optik

    Optik TS Rookie Topic Starter

    aha, great..Thanks a lot Vigilante!!! now i understand, u explained very well.

    i cleared HJT, now it's clean. ok.
    and now, i'll delete bla.exe with Killbox, and solved, i have the problem fixed, as there are no registry entries of Gaobot or something, no more

    Thank you Vigilante! :) ur very helpful!
  19. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Thank you very much :)