install_ad1, 222.133.3.210, Is this a virus?


Paul Brady

I have SpyNoMore, which scans my computer and shows no problems. But,
in the past few weeks, I keep getting a batch file automatically
executed a few times a day. This causes a file "install_ad1.bat" to
appear in my windows\temp file, and it runs. It brings up
the DOS window and does a few things, and appears to access this URL:
222.133.3.210. Cookies are generated, and this URL appears in my
history file. It then quits the DOS procedure and nothing else seems
to happen. At best, this is a nuisance, but I fear that more may be
happening.
SpyNoMore has a feature that allows me to send it a report and
ask for special help. I did this, and received only a notification
that they had completed work on my report. I guess they found
nothing.
I routinely delete all files in the windows temp and
temporaryInternetFiles directories. This does not stop this problem.
I have looked thru a few thousand titles of messages in this
group for "install_ad1", also the above URL, and also "clickhype"
which seems to be involved. Nothing appears in this group, but a
Google search yields several responses, and other people seem to have
this problem.
Is anyone familiar with this, and does anyone know how to
remove this?
Thanks. Pete
 
Pete,

To begin with, the IP address 222.133.3.210 belongs to someone in China. See
<http://wq.apnic.net/apnic-bin/whois.pl> for details. I would worry about
running a batch file that you didn't write or don't know what it's doing.

SpyNoMore was listed as "suspect" by spywarewarrior for false positives,
<http://www.spywarewarrior.com/rogue_anti-spyware.htm#snm_note>, but seems to
have improved. Nonetheless you should scan with another application such as
Spybot Search & Destroy, <http://www.spybot.info/en/index.html> and/or
Superantispyware, <http://www.superantispyware.com/>. Both of these are free
for the downloading.

What OS are you using? What anti-virus program?
 
From: "Bart Bailey" <[email protected]>

|
| Maybe a good start would be to run hijackthis
| to see what all that malware installed?
| from the author's site http://tinyurl.com/23fbn2
|

Except that we don't want HJT Logs posted in Usenet and those that have gone through
"training" won't accept Trend Micro's version of HJT.

For Paul B.


Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
those that have gone through
"training" won't accept Trend Micro's version of HJT.

Just curious why that is,
the v1.99 is quite a bit smaller,
is the v2.0 bloated with something?
 
From: "Bart Bailey" <[email protected]>


|
| Just curious why that is,
| the v1.99 is quite a bit smaller,
| is the v2.0 bloated with something?
|

That's a GOOD question.

The anti malware community doesn't trust the changes made and fears what Trend Micro will do
with it.

An alternative utility is in the works as I write this.
 
This virus is also on my computer, so any help would be appreciated.
I'm not technically literate, so hopefully someone can figure out the
best solution for me to locate the problem.
 