Poser- C:Windows\tmpdelis.bat

Hello,
Pc-cillin identified the above referenced file on my puter, assoociated to
Spyware. I clicked on more info and went to trendmicro.com. This spyware is
said to be low risk....

Spyware is named/identified as.... SpyW_INVkey12A at trendmicro.com

These are the Files & Registry Keys associated
Files
datview.exe
iks.dat
license.txt
order.txt
README.TXT
Uninst.isu
%Windows%\Desktop\Log Viewer for IKS.lnk
%Windows%\tmpdelis.bat
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)

Registry Keys
HKEY_LOCAL_MACHINE\Software\Amecisco
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Uninstall\IKS 1.2 Demo

I *didn't* have the reg. keys!

I *had* one file associated to this spyware....... C:\Windows\tmpdelis.bat
or batch file!!

The bat file can be executed... I *deleted* it!! Before, I deleted it I
ran Spybot and Ad-Aware and came up clean.
I ran PC-cillin after deleting and came up clean, nothing more found.

Has anyone else found tmpdelis.bat without any other evidence of malware on
the puter ???

Thank you, Star

Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Star wrote:
Hello,
Pc-cillin identified the above referenced file on my puter, assoociated
to Spyware. I clicked on more info and went to trendmicro.com. This
spyware is said to be low risk....

Spyware is named/identified as.... SpyW_INVkey12A at trendmicro.com

These are the Files & Registry Keys associated
Files
datview.exe
iks.dat
license.txt
order.txt
README.TXT
Uninst.isu
%Windows%\Desktop\Log Viewer for IKS.lnk
%Windows%\tmpdelis.bat
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)

Registry Keys
HKEY_LOCAL_MACHINE\Software\Amecisco
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Uninstall\IKS 1.2 Demo

I *didn't* have the reg. keys!

I *had* one file associated to this spyware.......
C:\Windows\tmpdelis.bat or batch file!!

The bat file can be executed... I *deleted* it!! Before, I deleted it I
ran Spybot and Ad-Aware and came up clean.
I ran PC-cillin after deleting and came up clean, nothing more found.

Has anyone else found tmpdelis.bat without any other evidence of malware
on the puter ???

Thank you, Star

Thanks, Pa Bear... been reading the links, good link!!

tmpdelis.bat..... in C:\Windows.

I've been doing searches, am I getting bad information. Some forums say,
*this is a legitimate* Windows file created by the Windows installer.

Tell me, "what do you say" , Pa Bear ???

Star

"PA Bear" wrote in message
...
Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Star wrote:
Hello,
Pc-cillin identified the above referenced file on my puter, assoociated
to Spyware. I clicked on more info and went to trendmicro.com. This
spyware is said to be low risk....

Spyware is named/identified as.... SpyW_INVkey12A at trendmicro.com

These are the Files & Registry Keys associated
Files
datview.exe
iks.dat
license.txt
order.txt
README.TXT
Uninst.isu
%Windows%\Desktop\Log Viewer for IKS.lnk
%Windows%\tmpdelis.bat
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)

Registry Keys
HKEY_LOCAL_MACHINE\Software\Amecisco
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Uninstall\IKS 1.2 Demo

I *didn't* have the reg. keys!

I *had* one file associated to this spyware.......
C:\Windows\tmpdelis.bat or batch file!!

The bat file can be executed... I *deleted* it!! Before, I deleted it
I
ran Spybot and Ad-Aware and came up clean.
I ran PC-cillin after deleting and came up clean, nothing more found.

Has anyone else found tmpdelis.bat without any other evidence of malware
on the puter ???

Thank you, Star

Thanks Lee, Glee and Pa Bear....
I made another tmpdelis.bat file w/legit entries and placed in Windows.

The one I deleted was bad.... it didn't have the bat/batch icon.... it was
different.

Does the legit file have a unique icon unlike other bat files ????

However, I had none of the registry entries, nor any other files listed.

Trend, said, "it was spyware" .....

Maybe the other files were blocked/stopped from corrupting my system.
I do have 7.1 pattern, which PC-cillin says, "protects".

Thanks for helping me figure it out.

Star


"Lee" wrote in message
ups.com...
@if exist C:\WINDOWS\tmpcpyis.bat del C:\WINDOWS\tmpcpyis.bat
@if exist C:\WINDOWS\winstart.bat C:\WINDOWS\winstart.bat
Contents of legit tmpdelis.bat here.

@if exist C:\WINDOWS\tmpcpyis.bat del C:\WINDOWS\tmpcpyis.bat
@if exist C:\WINDOWS\winstart.bat C:\WINDOWS\winstart.bat
Contents of legit tmpdelis.bat here.

Same here....been there since Win95 days.
--
Glen Ventura, MS MVP W95/98 Systems
http://dts-l.org/goodpost.htm

"Lee" wrote in message
ups.com...
@if exist C:\WINDOWS\tmpcpyis.bat del C:\WINDOWS\tmpcpyis.bat
@if exist C:\WINDOWS\winstart.bat C:\WINDOWS\winstart.bat
Contents of legit tmpdelis.bat here.

I'd wanna check out...

"The worm creates the following files:
snip
C:\Windows\Tmpdelis.bat. This is a simple batch file that copies the file
C:\Program Files\Curlysoft\Viewer.dll to C:\Program Files\Curlysoft\Run.com.
It also enters the data in C:\V.reg into the registry. Finally it executes
the file C:\File1980.com."

Symantec Security Response - W32.Alcarys.B@mm:


'Big Guns' version:

Dealing with Trojans & Hijackware (Do A and B.)

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just
a desktop folder). Download 'Sysclean.com' from
http://www.trendmicro.com/download/dcs.asp to this folder. Download the
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
http://www.trendmicro.com/download/pattern.asp and extract its contents to
the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE ToolsInternet OptionsGeneral)
accepting the option to delete all offline content. Reboot and delete
contents of TEMP folders and Recycle Bin.

Close all running programs including your anti-virus application, go
offline, and run Sysclean. For best results, do nothing with the machine
until the scan completes.

If the scan shows any infections in System Restore files:

(1) create a new Restore Point (StartProgramsAccessoriesSystem
ToolsSystem Restore), then

(2) delete all but the most recent Restore Point
(StartProgramsAccessoriesSystem ToolsDisk CleanupMore options [tab]).

Afterwards, update your own anti-virus application and perform another full
system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in
background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)

2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877;
Fix all found)

3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in
red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Star wrote:
Thanks, Pa Bear... been reading the links, good link!!

tmpdelis.bat..... in C:\Windows.

I've been doing searches, am I getting bad information. Some forums say,
*this is a legitimate* Windows file created by the Windows installer.

Tell me, "what do you say" , Pa Bear ???

Star

"PA Bear" wrote in message
...
Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Star wrote:
Hello,
Pc-cillin identified the above referenced file on my puter,
assoociated to Spyware. I clicked on more info and went to
trendmicro.com. This spyware is said to be low risk....

Spyware is named/identified as.... SpyW_INVkey12A at trendmicro.com

These are the Files & Registry Keys associated
Files
datview.exe
iks.dat
license.txt
order.txt
README.TXT
Uninst.isu
%Windows%\Desktop\Log Viewer for IKS.lnk
%Windows%\tmpdelis.bat
(Note: %Windows% is the Windows folder, which is usually C:\Windows or
C:\WINNT.)

Registry Keys
HKEY_LOCAL_MACHINE\Software\Amecisco
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Uninstall\IKS 1.2 Demo

I *didn't* have the reg. keys!

I *had* one file associated to this spyware.......
C:\Windows\tmpdelis.bat or batch file!!

The bat file can be executed... I *deleted* it!! Before, I deleted
it I ran Spybot and Ad-Aware and came up clean.
I ran PC-cillin after deleting and came up clean, nothing more found.

Has anyone else found tmpdelis.bat without any other evidence of
malware on the puter ???

Thank you, Star

Error Message: Invalid Path, Not Directory, or Directory Not Empty
(245560) - When you start your Windows 98-based computer, you may
receive the following error message: Invalid path, not directory, or
directory not empty. This behavior can occur if the Winstart.bat file
calls the Tmpcpyis.bat file and the Tmpcpyis.bat file...
http://support.microsoft.com/default...b;en-us;245560

Tmpdelis.bat is legitimate as Lee posted it. Mine looks the same...

@if exist C:\WINDOWS\tmpcpyis.bat del C:\WINDOWS\tmpcpyis.bat
@if exist C:\WINDOWS\winstart.bat C:\WINDOWS\winstart.bat

I suppose it is the mechanism to execute Winstart.bat, if that one
exists. But I can see how a virus would want to get it's hands on it.


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

"PA Bear" wrote in message
...
| I'd wanna check out...
|
| "The worm creates the following files:
| snip
| C:\Windows\Tmpdelis.bat. This is a simple batch file that copies the
file
| C:\Program Files\Curlysoft\Viewer.dll to C:\Program
Files\Curlysoft\Run.com.
| It also enters the data in C:\V.reg into the registry. Finally it
executes
| the file C:\File1980.com."
|
| Symantec Security Response - W32.Alcarys.B@mm:
|
|
| 'Big Guns' version:
|
| Dealing with Trojans & Hijackware (Do A and B.)
|
| A. Removing Trojans and Trojanware with Sysclean
|
| Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or
just
| a desktop folder). Download 'Sysclean.com' from
| http://www.trendmicro.com/download/dcs.asp to this folder. Download
the
| latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
| http://www.trendmicro.com/download/pattern.asp and extract its
contents to
| the same folder; see the Readme text file for instructions.
|
| Delete Temporary Internet Files (IE ToolsInternet OptionsGeneral)
| accepting the option to delete all offline content. Reboot and delete
| contents of TEMP folders and Recycle Bin.
|
| Close all running programs including your anti-virus application, go
| offline, and run Sysclean. For best results, do nothing with the
machine
| until the scan completes.
|
| If the scan shows any infections in System Restore files:
|
| (1) create a new Restore Point (StartProgramsAccessoriesSystem
| ToolsSystem Restore), then
|
| (2) delete all but the most recent Restore Point
| (StartProgramsAccessoriesSystem ToolsDisk CleanupMore options
[tab]).
|
| Afterwards, update your own anti-virus application and perform another
full
| system scan.
|
| B. Hijackware
|
| Help with Hijackware (all are MS MVP sites)
| http://aumha.org/a/parasite.htm
| http://aumha.org/a/quickfix.htm
| http://mvps.org/winhelp2002/unwanted.htm
| http://inetexplorer.mvps.org/Darnit.htm
| http://www.mvps.org/sramesh2k/Malware_Defence.htm
|
| Run the following tools in this order with nothing else running in
| background:
|
| 1. CWShredder v2.0 (no updates available currently; choose Fix, not
Scan)
|
| 2. Ad-Aware SE (Reconfigure per
http://aumha.org/forum/viewtopic.php?t=5877;
| Fix all found)
|
| 3. Spybot (RTFM; Immunize first and then scan; Generally, fix
everything in
| red)
|
| Important: You must seek updates for Ad-Aware, Spybot, etc., before
each and
| every use, even "right out of the box". But even they can't catch
| everything, 24/7.
|
| When all else fails, HijackThis
| (http://forum.aumha.org/downloads/hijackthis.zip) is the preferred
tool to
| use. It will help you to both identify and remove any
hijackware/spyware.
| **Post your files to http://forums.spywareinfo.com/,
| http://castlecops.com/forum67.html or
| http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not
here.**
|
| [Alternate download pages for many of the above tools may be found at
| http://aumha.org/a/parasite.htm.]
|
| So How Did I Get Infected Anyway?
| http://boards.cexx.org/viewtopic.php?t=957
|
| --
| ~Robear Dyer (PA Bear)
| MS MVP-Windows (IE/OE)
|
| Star wrote:
| Thanks, Pa Bear... been reading the links, good link!!
|
| tmpdelis.bat..... in C:\Windows.
|
| I've been doing searches, am I getting bad information. Some forums
say,
| *this is a legitimate* Windows file created by the Windows
installer.
|
| Tell me, "what do you say" , Pa Bear ???
|
| Star
|
| "PA Bear" wrote in message
| ...
| Help with Hijackware
| http://aumha.org/a/parasite.htm
| http://aumha.org/a/quickfix.htm
| http://mvps.org/winhelp2002/unwanted.htm
| http://inetexplorer.mvps.org/Darnit.htm
| http://www.mvps.org/sramesh2k/Malware_Defence.htm
|
| --
| ~Robear Dyer (PA Bear)
| MS MVP-Windows (IE/OE)
|
| Star wrote:
| Hello,
| Pc-cillin identified the above referenced file on my puter,
| assoociated to Spyware. I clicked on more info and went to
| trendmicro.com. This spyware is said to be low risk....
|
| Spyware is named/identified as.... SpyW_INVkey12A at
trendmicro.com
|
| These are the Files & Registry Keys associated
| Files
| datview.exe
| iks.dat
| license.txt
| order.txt
| README.TXT
| Uninst.isu
| %Windows%\Desktop\Log Viewer for IKS.lnk
| %Windows%\tmpdelis.bat
| (Note: %Windows% is the Windows folder, which is usually
C:\Windows or
| C:\WINNT.)
|
| Registry Keys
| HKEY_LOCAL_MACHINE\Software\Amecisco
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
| CurrentVersion\Uninstall\IKS 1.2 Demo
|
| I *didn't* have the reg. keys!
|
| I *had* one file associated to this spyware.......
| C:\Windows\tmpdelis.bat or batch file!!
|
| The bat file can be executed... I *deleted* it!! Before, I
deleted
| it I ran Spybot and Ad-Aware and came up clean.
| I ran PC-cillin after deleting and came up clean, nothing more
found.
|
| Has anyone else found tmpdelis.bat without any other evidence of
| malware on the puter ???
|
| Thank you, Star
|