When I checked all of the batch files, I found each would attempt to delete a specific file from the system and that the files they would attempt to delete appeared to be ones associated with downloaded malware; apparently they were part of an attempt to hide evidence of the malware.
```
C:\Users\Pamela\AppData\Local\Temp>more tmp1e9dbcf0.bat
@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_aef1a404.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_aef1a404.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp1e9dbcf0.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp2949fc28.bat
@echo off
:d
del "C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe"
if exist "C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp2949fc28.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp37d76ef8.bat
@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_ffe043e6.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_ffe043e6.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp37d76ef8.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp41b5fe46.bat
@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_baee5f9e.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_baee5f9e.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp41b5fe46.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp81ac8b47.bat
@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp81ac8b47.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmpf8e7c342.bat
@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_937d179a.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_937d179a.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmpf8e7c342.bat"

C:\Users\Pamela\AppData\Local\Temp>
```
All but one of the batch files referenced an `UpdateFlashPlayer_xxxxxxxx.exe` file, where "xxxxxxxx" was an 8-character string of random characters. The remaining one referenced `C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe`. After deleting the file it referenced, each batch file ran a delete command to remove itself. Though the batch files remained, none of the exe files were on the system any longer.
When I checked the time stamps on the files, I found the batch files were created between October 21 and November 4, 2014.
```
C:\Users\Pamela\AppData\Local\Temp>dir tmp*.bat
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\Local\Temp

10/21/2014  04:54 PM               234 tmp1e9dbcf0.bat
11/04/2014  05:10 PM               286 tmp2949fc28.bat
10/22/2014  08:51 AM               234 tmp37d76ef8.bat
10/22/2014  01:02 PM               234 tmp41b5fe46.bat
10/29/2014  08:13 AM               234 tmp81ac8b47.bat
10/22/2014  07:49 AM               234 tmpf8e7c342.bat
               6 File(s)          1,456 bytes
               0 Dir(s)  884,731,953,152 bytes free
```
The system is configured to use the backup and restore program that is included in Windows 7 (Control Panel\System and Security\Backup and Restore) to back up the system every Sunday evening to an external USB drive, so I checked to see if any of those files were included in a backup on that external drive. I found that program apparently does not back up the Temp directory beneath users' AppData\Local directories. I can understand why the backup program might aim to conserve disk space by not storing backups of temporary files.
A "Trojan.Agent-252657 Worldwide Infection Rate" chart on the "All information about Trojan.Agent-252657" page showed Trojan.Agent-252657 appearing on November 9, spiking quickly to a rate of 0.13% on November 12, declining rapidly, then spiking again on November 15, 2014, after which it again precipitously declined.
The description there states:
A Trojan.Agent-252657 or Trojan.Agent-252657 horse is often used by hackers to gain access to a computer in order to steal information or engage in other malicious activity. Users can unwittingly expose their computers to these programs by downloading other files or applications that contain them.
VirSCAN.org, a site that allows you to upload files for scanning by multiple antivirus programs, shows names other antivirus products use for what ClamWin labels Trojan.Agent-252657 at a page for UpdateFlashPlayer_b3d5a443.zip.
Malwarebytes Anti-Malware Premium is installed on the system. When I checked its quarantine log, I found it had detected and quarantined the malicious msiexec.exe file on November 6 at 7:24:26 AM. It had also quarantined several UpdateFlashPlayer exe files, though I didn't see the ones referenced in the batch files above listed as being quarantined by Malwarebytes Anti-Malware.

Vendor | Date | Type | Location |
---|---|---|---|
Trojan.Agent.DED | 11/20/2014 8:57:32 PM | File | C:\ProgramData\Windows Genuine Advantage\{79623D25-6343-4C6D-8513-FA858BC30771}\msiexec.exe |
Trojan.Agent.DED | 11/20/2014 8:57:32 PM | File | C:\ProgramData\Windows Genuine Advantage\{D75F6D4D-FEF6-4545-825E-EDDE3C6C62AB}\msiexec.exe |
Trojan.Agent | 11/6/2014 7:24:26 AM | File | C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe |
Trojan.Agent.ED | 11/4/2014 5:10:06 PM | File | C:\ProgramData\Windows Genuine Advantage\{89B0946F-E47F-4C01-B0CF-18FD0C563569}\msiexec.exe |
Trojan.Agent | 11/6/2014 7:24:26 AM | File | C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_200de97e.exe |
Spyware.Zbot.ED | 10/29/2014 10:24:31 PM | File | C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe |
Trojan.Zemot | 10/29/2014 10:24:31 PM | File | C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_fc99e43b.exe |
Trojan.Inject.ED | 10/29/2014 10:24:31 PM | File | C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_6e337c59.exe |
Trojan.Zemot | 10/29/2014 10:24:31 PM | File | C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_8c8c5dd0.exe |
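As an added example (not part of the original write-up), the following Python script parses batch files of the shape shown earlier, flags the retry-until-deleted loop combined with self-deletion, and cross-references each deletion target against the Location column of the Malwarebytes quarantine table above. The two sample batch files are constructed to match the ones quoted earlier, and `cleanup.bat` is a made-up benign control.

```python
import re
# Constructed samples modelled on the batch files quoted above (not copies of the originals).
SAMPLES = {
    "tmp1e9dbcf0.bat": r'''@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_aef1a404.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_aef1a404.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp1e9dbcf0.bat"
''',
    "tmp81ac8b47.bat": r'''@echo off
:d
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp81ac8b47.bat"
''',
    "cleanup.bat": '@echo off\ndel "C:\\Temp\\report.tmp"\n',  # benign control: no loop, no self-delete
}
# Locations copied from the Malwarebytes quarantine table above.
QUARANTINED = {r"C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_200de97e.exe",
               r"C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe"}
DEL_RE = re.compile(r'^\s*del\s+(?:/F\s+)?"([^"]+)"', re.I)
LOOP_RE = re.compile(r'^\s*if\s+exist\s+"([^"]+)"\s+goto\s+(\w+)', re.I)

def analyze_batch(name, text):
    """Extract the deletion target and flag the retry-until-gone plus self-delete pattern."""
    target, looped, labels, self_delete = None, set(), set(), False
    for line in text.splitlines():
        if line.startswith(":"):                        # a goto label such as ":d"
            labels.add(line[1:].strip().lower())
        m = DEL_RE.match(line)
        if m and m.group(1).lower().endswith("\\" + name.lower()):
            self_delete = True                          # script removes itself last
        elif m:
            target = target or m.group(1)
        m = LOOP_RE.match(line)
        if m and m.group(2).lower() in labels:          # "if exist ... goto <label>" jumps back
            looped.add(m.group(1).lower())
    retries = target is not None and target.lower() in looped
    return {"target": target, "retries_until_gone": retries, "self_delete": self_delete,
            "suspicious": retries and self_delete}

def correlate(samples, quarantined):
    """Run the analysis over every script and note whether AV quarantined its target."""
    q = {p.lower() for p in quarantined}
    report = {}
    for name, text in samples.items():
        info = analyze_batch(name, text)
        info["target_quarantined"] = info["target"] is not None and info["target"].lower() in q
        report[name] = info
    return report
```

Running `correlate(SAMPLES, QUARANTINED)` separates the scripts that show the wipe pattern from the benign control and tells you, per target, whether the quarantine log already accounts for the missing file.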
Created: Saturday November 22, 2014