bla.exe help

Status
Not open for further replies.

Optik

hi there :)

well, there is an exe that appeared suddenly in C:, a week ago, dunno how. Then there it is, bla.exe, and it's 0 bytes in size!!
-when i try to delete it, it says "it's being used by another person or program" and i can't delete it. even if i go into safe boot mode, the same happens.
-if i scan it with Kav, it says virus free, but in the report i can read "skipped because of its small size"...

i know bla.exe is not a safe file 2 have, can u help me solve this?

thanx.

ps: i don't see bla.exe in task manager..
 
thanks for reply,

yea.. i thought so, but if i got a worm, that gaobot worm, i should have those registry things they mention at symantec, right?

in HKLM/...../run i only have 5 known processes like kav, zalarm, tweakmaster... etc.. no scvhost or anything strange.

also, if it's that worm/virus, shouldn't bla.exe be more than 0 bytes?

also, i don't notice anything strange in the computer's behavior, nothing strange in task manager. if it's a virus, something should be different..

also i don't have any of these:
"...Adds one of the values:

"Config Loader"="scvhost.exe"
"Task Scheduler"="WincfgM32.exe"...."

then, did i get the virus in some way? or.. what is this? what should i do?
also i can't delete it, it says bla.exe is being used :O

Thanks! :)
 
..thanks..

ehh, disconnect? why? what do u mean?

ok, i got a hi-end system, 56k modem connection, with Kaspersky AV 5, up-to-date definitions, ZoneAlarm Firewall, Spybot (clean scan), Ad-Aware, n HijackThis.

about scanning bla.exe (it's 0 bytes in size), isn't this a problem to scan? (kaspersky says it's virus free but also says the file is too small)

Thanks ;)
 
u think i may have the Gaobot/Reckmess/win32Agent virus, right?
yeah, but... if so,
1- bla.exe is 0 bytes (if it's a virus it should be some size, right?)
2- my registry path is clear: HKLM/.../run shows 5 known processes, nothing strange
3- the computer should behave differently if affected by a virus, right? some strange running process in taskman? i see no strange process in taskman, the computer is behaving ok, as usual.

then, what do i do with bla.exe? what is that? if i should delete it, how?
Thankz!
 
Sorry Optik, for taking so long to get back on, but our cable service went out for a while. I wanted you to disconnect from the internet, so you won't spread the worm, or get attacked, while trying to find a cure for this beast.

Do you know when this virus first occurred? Can you do a system restore to a point before you noticed the virus showing up?

Read this from the ZoneAlarm site, and look for the winamp.exe file.

Reckmess.A!downloader has been distributed as "bla.exe" (in one confirmed case this file was dropped via an unpatched Internet Explorer exploit). When executed, it downloads a file from an encrypted URL in its code and executes it using the name "c:\winamp.exe". The file "C:\bla.exe" is then deleted.

When the backdoor trojan is executed, it copies itself to %System%\<random file name>.exe and sets the following registry key so as to run each time Windows is started:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate0.07 = "%System%\<random file name>.exe"

The backdoor trojan, running as "c:\winampa.exe", deletes itself and remains running in memory.

Note: '%System%' is a variable location. The trojan determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

Do a google search for the bla.exe virus, you should find plenty of info there.

I'm not going to kid you, you may be better off doing a reformat, and reinstall.
 
thanks

i don't have this "c:\winamp.exe"
i got winamp.exe in the winamp folder... plus
i ain't got this: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaUpdate0.07 = "%System%\<random file name>.exe""
in HKCU\....\run i have nothing, no reg key.

also, i ain't got an exe in the system32 folder that's been created in the past 2 months
i got winampa in the winamp folder path, as usual
also, i notice no change in computer behavior, or running processes.
then, how can i be infected by that Reckmess worm?

thanks
look at my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:14:18, on 18/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
F:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
F:\ARCHIV~1\TWEAKM~1\TMTray.exe
C:\Archivos de programa\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Windowsupdate.microsoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.Windowsupdate.microsoft.com
*.Windowsupdate.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 65.54.224.250 65.54.224.250
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Archivos de programa\Adobe\Acrobat 7.0 R\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - F:\ARCHIV~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Archivos de programa\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Toolbar\01.01.1601.0\es\msntb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] F:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TweakMASTER] F:\ARCHIV~1\TWEAKM~1\TMTray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [KAVPersonal50] F:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [CTSysVol] C:\Archivos de programa\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Archivos de programa\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: Add to &LinkFox - res://F:\ARCHIV~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Download with GetRight - C:\Archivos de programa\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Archivos de programa\GetRight\GRbrowse.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\ARCHIV~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\ARCHIV~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097268757108
O16 - DPF: {6A868C04-B942-11D8-8D76-0008C7FF1716} (BanServidorFicherosBPP.DownloadBPP) - https://www.bancaja.es/arq_activex/particulares/BanServidorFicherosBPP.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: kavsvc - Kaspersky Lab - F:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

thanx
 
I don't see anything in your HJT log, but you may want to see if there are any Windows updates that apply to your system; maybe that will help you.
 
Get DrDelete and Killbox (find on Google).

Boot in Safe Mode
Turn System Restore off
Run HijackThis and put a tickmark in the little square box before:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Windowsupdate.microsoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.Windowsupdate.microsoft.com
*.Windowsupdate.com
O1 - Hosts: 65.54.224.250 65.54.224.250
O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Toolbar\01.01.1601.0\es\msntb.dll (file missing)
ALL your O16 - DPF: entries
O20 - AppInit_DLLs: PAVWAIT.DLL

Now click on Fix checked
Search for and delete PAVWAIT.DLL (leftover from Panda)
Use DrDelete first to get rid of bla.exe; if it can't, use Killbox.
 
ok, ty just a nobody.

-Thank u RealBlackStuff, i'll do that

and... can u tell me (to learn), why should i have to boot in safe mode and turn system restore off and then run hjthis to fix the selected entries?

...and.. why should i remove "O1 - Hosts: 65.54.224.250 65.54.224.250"? What does this mean, what is it?

....and why should i remove *all* the O16 - DPF entries, plz?

...What's wrong with this... isn't it Windows Update?.. "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Windowsupdate.microsoft.com"

Thanks!! RBS!

ps. i'll try killbox to get rid of bla.exe.... although.. i'd like to know what app is using bla.exe.... cuz when i try 2 delete bla.exe, it says "being used by another user or application"?!
ty ;)
 
Running in Safe Mode only loads necessary programs and services.
Switching off System Restore deletes all your 'old' restore points (which have the infections in them as well).
You remove those things because I tell you so! Ignore at your own peril!
 
aha ok thanks

but couldn't u just tell me what "O1 - Hosts: 65.54.224.250 65.54.224.250" is?.. what does this mean and why is this dangerous?
-just tell me that please, to know.
 
ok, i deleted all the entries u said.

and now, what about bla.exe then? what is/was it? what application is using it? why is it 0 bytes? and is it a virus then, am i infected, should i delete bla.exe with killbox?

Thankz :)
 
It is very difficult to find out, in the PC world, exactly HOW or WHY something happens. All we can do is clean it up after the fact.

What is bla.exe?
Could it be you had Gaobot and Kaspersky removed it but left one piece? Could it be you did not ever get Gaobot but that file was copied but never got to run? Could it be that the file is just corrupt and shows 0 bytes though it may have more? Who knows.

But it is NOT a rare thing that a file won't delete and says it's in use. This happens often; that's why there are programs like Killbox.

The "Hosts" entries in HJT map IP addresses to domains. For almost all people, there is no good reason to ever have extra hosts entries, unless you're in a business network or have special needs. Most of the time HOSTS entries are placed in there by spyware and viruses.

The O16 DPF entries are ActiveX controls: things, good or bad, that attach themselves to Internet Explorer for "added functionality". You won't miss them once they're gone, and should you ever require that functionality again, IE will prompt you to load it again. No harm done.

The "WindowsUpdate" entries are set as PROXY server. This is also NOT something most people need (any proxy server), unless it is required at a business site or advanced network.
Having a proxy forces your Internet traffic to filter through that proxy. Thus letting the proxy site know exactly what you are doing and where you are going. And the proxy has the right to refuse you the pages you're looking for.
So like the ActiveX controls, a proxy just isn't needed.
The fact that the proxy says windowsupdate is just plain weird and suspicious.

Basically RBS is cleaning you out of useless Proxy settings, useless ActiveX controls, and unwanted Hosts file entries.

These subjects go much deeper than what I scratched on the surface, but maybe that'll help you understand. To learn more about it, do some Google searching for hosts file, ActiveX controls, and proxy servers.

cheers.
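As an added example (not code from anyone in this thread), a small Python triage script that applies the checks Vigilante describes to lines in HijackThis log format: it flags O1 hosts overrides, R1 proxy settings, O16 downloaded ActiveX controls and the O20 AppInit_DLLs entry, while passing ordinary O4 startup entries through. The sample lines are constructed from the kinds of entries shown in the log above.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the kinds of
# entries discussed in this thread (not a real log from the poster's machine).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Windowsupdate.microsoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.Windowsupdate.microsoft.com
O1 - Hosts: 65.54.224.250 65.54.224.250
O4 - HKLM\..\Run: [Zone Labs Client] F:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
"""

# Every HJT entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (code, body) pairs for each HJT entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Return (code, reason, body) for entries a home user normally has no use for."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "O1":
            # Hosts-file overrides on a home PC are usually planted by malware to redirect or block sites.
            findings.append((code, "hosts file override", body))
        elif code == "R1" and "ProxyServer" in body and body.split("=", 1)[-1].strip():
            # A configured proxy sees, and can refuse, every request IE makes.
            findings.append((code, "proxy server configured", body))
        elif code == "O16":
            # Downloaded ActiveX controls; IE re-prompts if a site really needs one again.
            findings.append((code, "downloaded ActiveX control", body))
        elif code == "O20" and body.startswith("AppInit_DLLs"):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append((code, "AppInit_DLLs entry", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason:<28}{body}")
```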
 
aha, great.. Thanks a lot Vigilante!!! now i understand, u explained it very well.

i cleared HJT, now it's clean. ok.
and now, i'll delete bla.exe with killbox, and that's solved. i have the problem fixed, as there are no registry entries of gaobot or anything, no more worries. cool

Thank You Vigilante! :) ur very helpful!
 