Support Forums
A real Bastard. - Printable Version

+---- Thread: A real Bastard. (/showthread.php?tid=3155)



A real Bastard. - Extasey - 11-26-2009

Okay, so I was downloading a torrent and I think it had been bound to a virus.
I'm using Windows 7

Here are the symptoms so far:
  • Long hang time upon boot
  • Can't run .exe
  • All links on the task bar and start menu have been changed to .ink
  • Task Manager has long hang times
  • System Restore is disabled
  • Most "links" on the start menu do not respond*

*Normally when you launch a program from the Start Menu it closes and then the program opens; the start menu is not closing in this case and the program is not launching.

Because I can't run .exe files I can't start any AV (such as MalwareByte's or HJT). However, when I click "Search for a program associated online" when the computer is telling me that it doesn't have a program capable of running .ink's, it opens Chrome!

I can run batch files and am trying to launch programs from it as you read, just have to remember the execute codes (Google FTW).

Can anyone Help?
I'll post back with the results of the batch file launching as soon as I finish.
These are the symptoms I am experiencing within safe mode, by the way.
Batch File Launching is not working. No Windows program is being recognised by the computer (eg. regedit, cmd, dxdiag)*

*By this I mean I am receiving an error of "<directory path> No such interface supported"
Have managed to launch dxdiag using the following code:

Code:
@echo off
start dxdiag
pause

Have managed to install MalwareByte's Anti-malware via batch file, launching the setup from the same folder the batch file is located in.
Updated and running scan now.
Here is the log file from a "Quick Scan"
Code:
Malwarebytes' Anti-Malware 1.41
Database version: 3236
Windows 6.1.7600 (Safe Mode)

26/11/2009 8:21:27 PM
mbam-log-2009-11-26 (20-21-24).txt

Scan type: Quick Scan
Objects scanned: 92667
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Cameron\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Am now running a "Full Scan" before I restart and completely remove this virus (hopefully).
"Full Scan" log:
Code:
Malwarebytes' Anti-Malware 1.41
Database version: 3236
Windows 6.1.7600 (Safe Mode)

26/11/2009 9:01:57 PM
mbam-log-2009-11-26 (21-01-57).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 238795
Time elapsed: 18 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Downloads\Games + Hacks\Hacking\RATs\client.exe (Backdoor.Nuclear) -> Quarantined and deleted successfully.
D:\Downloads\Games + Hacks\Hacking\RATs\Crypting\Uniq Stub Generator 0.3.1.exe (Trojan.Refroso) -> Quarantined and deleted successfully.
D:\Downloads\Games + Hacks\Hacking\RATs\Crypting\Crypters_by_Mana5olia\Crypters by Mana5olia\CrYpt3r Dewwill MOD\CrYpt3r Dewwill\CrYpt3r Dewwill.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Downloads\Software\Burning and Encoding\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\ALCOHOL 120 1.9.7.Build 6221(NEW-UPDATED Build)\CRACK\LOADER exe\Alcohol.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\RECYCLER\S-1-5-21-1801674531-329068152-839522115-1003\De189\Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{FA19E403-3ED1-4B37-A274-D186833DEE76}\RP40\A0018015.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{FA19E403-3ED1-4B37-A274-D186833DEE76}\RP40\A0018016.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

A few of the things were some of mine, I chose to remove them because I don't use them anymore.

Restarting into normal mode now.


RE: A real Bastard. - Extasey - 11-26-2009

Virus removal seems to have fixed the .ink problem, but now excessive lag has made it impossible to do anything within the normal operating system. I assume it is a program running eating up all of my processor; I have disconnected the DVD-RW drive just to be sure it's not halting the system (like it sometimes does).
Going to try a restore now.
Booted into Safe Mode, MalwareByte's managed to fix up the .exe problem as well. Rolled back my "C:" drive 24hrs (almost exactly) and system seems to be fine.

Thank God this virus didn't have a drive spread.

Will be leaving this here as a "thought process".


RE: A real Bastard. - Codine - 11-26-2009

Which virus was it that you got?


RE: A real Bastard. - Extasey - 11-26-2009

I can't tell now because my iPhone doesn't know how to scroll code boxes, but I think it was some sort of word exploit? Renamed all the extensions for certain programs and stopped me from running an .exe

Just annoying.


RE: A real Bastard. - Skawke - 11-28-2009

(11-26-2009, 01:32 PM)Extasey Wrote: I can't tell now because my iPhone doesn't know how to scroll code boxes, but I think it was some sort of word exploit? Renamed all the extensions for certain programs and stopped me from running an .exe

Just annoying.

The virus was probably a simple batch file that messed up the file extensions then, lol.


RE: A real Bastard. - Extasey - 11-29-2009

Mmm, not sure if it was a batch, I was thinking about it the other day and it must have had a task kill list in it + I couldn't run ANY .exe at all. I've never seen a batch file that can block .exe's in general.


RE: A real Bastard. - Extasey - 12-17-2009

(11-26-2009, 09:04 AM)Codine Wrote: Which virus was it that you got?

Code:
Heuristics.Reserved.Word.Exploit



RE: A real Bastard. - DAMINK™ - 12-17-2009

Appears to be a batch file.
Could you not just run another batch file to change the extensions back or did they change that also?

*update*
If for example your .exe files have been changed to .ink, which I don't think they have. .ink is just a shortcut I believe, but check C to find out.
If that is what has happened you could just make another one to repair it.
assoc .ink=.exe or whatever the problem may be.
Still, there is a virus or infection there, so I guess that would need to be cleaned first.
Sorry about the update post.
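A check-and-repair script for the association problem discussed in this post, added here as an example and not posted by anyone in the thread. Note that assoc maps an extension to a file type name (exefile, lnkfile) rather than to another extension, so the script restores the documented Windows defaults and also lists the per-user FileExts override that assoc alone does not show; it assumes cmd.exe on Windows 7 run from an elevated prompt.

```batch
@echo off
rem Added example (not from the thread): show whether the .exe and .lnk
rem associations this kind of infection tampers with still point at the
rem Windows defaults, and restore them when run with the "repair" argument.
rem Run from an elevated Command Prompt; assoc/ftype write to HKEY_CLASSES_ROOT.
setlocal

echo === Current machine-wide associations ===
assoc .exe
ftype exefile
assoc .lnk

rem A per-user UserChoice entry under FileExts overrides HKCR, so assoc can
rem look correct while .exe files still fail to launch. Normally absent.
echo === Per-user override for .exe (normally no such key) ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /s 2>nul

if /i "%~1"=="repair" (
    echo === Restoring Windows defaults ===
    rem Percent signs are doubled because this runs inside a batch file;
    rem the stored open command is the standard one: quoted target plus args.
    assoc .exe=exefile
    ftype exefile="%%1" %%*
    assoc .lnk=lnkfile
    echo === After repair ===
    assoc .exe
    ftype exefile
    assoc .lnk
) else (
    echo Run again with the argument "repair" to write the default values.
)
endlocal
```

Clean the infection first, as the post says; rewriting the associations while the malware is still active only invites it to break them again.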


RE: A real Bastard. - υℓqυισяяα - 12-17-2009

Way to go brah!


RE: A real Bastard. - DAMINK™ - 12-17-2009

I should have added: WHY did you not sandbox this file first?
Seriously. P2P, torrents and warez related files have to be quarantined these days and examined.
Let that be a lesson, should you need to format over this, which may be the best solution.
Still, I have done it and it sucks, I know mate.