
Unknown Bit Torrent and Text File


60 replies to this topic

#1 geotan

Posted 19 March 2009 - 08:13 AM

I had a BitTorrent file on my computer that I had not downloaded. After using Unlocker a few times I was able to delete it. I also have a text file on my Desktop. I can delete it but it keeps returning, each time with a different message. Most of the icons on my Desktop have been changed. I managed to rename MBAM.exe and run it. It found three items which have been deleted. I cannot run any other antivirus programme. The virus has turned off my Firewall.

I downloaded DDS and transferred it to the infected computer. When I try to run it I get a message "Windows cannot open this file...", so I am unable to prepare a log to post here.

All suggestions appreciated,
George.


#2 harrythook

Posted 19 March 2009 - 08:17 AM

Hey George,
Let's see if we can get some information out of that machine:
We need to create an OTListIt2 Report
  • Please download OTListIt2 from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTListIt2 icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#3 geotan

Posted 19 March 2009 - 08:26 AM

Harry,

Downloaded and transferred to infected computer. Cannot run it. Same message as before. The Icon has changed to the square window with the four dots? in it. Tried to run it in safe mode but still the same.

George.

#4 harrythook

Posted 19 March 2009 - 08:47 AM

Ok, let's try this:
Right-click on the OTListIt file and change the .exe extension to .bat, and then double-click on it to run.
If that will not work, please copy the entire message you are receiving for me.


#5 geotan

Posted 19 March 2009 - 09:07 AM

Changed the extension. Double clicked and nothing happens. Tried Right Click but there is no "Run" in the Menu.
Changed extension back to .exe and nothing happens.

#6 harrythook

Posted 19 March 2009 - 09:15 AM

Let's take a look at something:
Please copy the contents of the code box below, open Notepad and paste it there. On the top toolbar in Notepad select File, then Save As. In the box that opens, type looker.bat for the file name. Right below that, click the down arrow in the line for "Save as" and select All Files. Save this to your desktop and close Notepad.
REM Export the Explorer policy key (where Explorer restrictions are set) to peek.txt
regedit /e peek.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REM Show the export in this window, then open it in Notepad so it can be copied
type peek.txt
start notepad peek.txt
EXIT
Locate the looker icon on your desktop and double click it. A box will pop up briefly on your screen and disappear, this is normal.

Please copy the contents of the notepad box that opens and paste it here for me.


#7 geotan

Posted 19 March 2009 - 09:27 AM

Harry,

Computer will not open Note Pad.


#9 harrythook

Posted 19 March 2009 - 09:41 AM

Let's see what happens here. Click on the attached file tst.bat (139 bytes);
if prompted to allow it to run, answer yes.


#10 geotan

Posted 19 March 2009 - 09:51 AM

Tried downloading it directly to the infected computer and the code came up but nothing happened. Downloaded and transferred it to the infected computer. Tried to open it and nothing happens.
One other thing I have just found, don't know if it is of any help, my home page has changed to Ask.com

#11 harrythook

Posted 19 March 2009 - 09:56 AM

Can you boot into safe mode with networking?
If so, can you get on the net in this mode?


#12 geotan

Posted 19 March 2009 - 10:10 AM

I booted in "Safe Mode with Networking" but when I try the network I am told that there is a fault.
Quote:-

Windows cannot access \\Special
Check the spelling of the name. Otherwise there might be a problem with your network.
To try and identify and resolve network problems click Diagnose.

Result:-

Network Diagnostics pinged the remote host but did not receive a response.

Tried in Normal Mode, works fine.

#13 harrythook

Posted 19 March 2009 - 10:13 AM

Ok George, are you comfortable with looking in your registry for me?
There might have been some changes made in there which are preventing us from running things. It's simple to look, and I can walk you through it.


#14 geotan

Posted 19 March 2009 - 10:17 AM

I am ok with looking. But if I have to do changes you will have to give me extremely simple instructions as I am afraid that I do not have a five year old with me to show me how to do it.

#15 harrythook

Posted 19 March 2009 - 10:32 AM

Alrighty George, let's get a peek at a few things. First, the disclaimer:
These instructions are intended for this user only. Please do not open your registry without the help of a trained professional, as you might destroy your machine.
We want to see what is in the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
To navigate to this, do the following.
  • Click on start
  • Click on run
  • In the box that opens, type regedit and hit enter
  • The registry editor should now be open
  • Scroll all the way to the top of the left pane
  • Expand HKEY_CLASSES_ROOT (HKCR) by clicking the plus sign (+)
  • Scroll down to exefile and expand
  • Scroll down to shell and expand
  • Scroll down to open and expand
  • Scroll down to command and expand
In the right pane there should be some value next to default, let me know if it looks like this:
@="\"%1\" %*"

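A read-only check of the same two registry locations the thread looks at (the exefile open command from this post and the Policies\Explorer key exported by looker.bat in post #6), as an added PowerShell example that is not harrythook's tool or code. It goes slightly beyond the post by also reading the per-user Classes hive, which overrides HKEY_CLASSES_ROOT when present; run it from an elevated PowerShell prompt on the machine being inspected.

```powershell
# Added example (not from the thread). Read-only: it reports, it changes nothing.

# The normal default value of exefile\shell\open\command, as quoted in the post.
$expected = '"%1" %*'

# HKEY_CLASSES_ROOT is a merged view of HKLM:\Software\Classes and
# HKCU:\Software\Classes, with the per-user hive winning, so check the merged
# view and both sources. A per-user exefile key is normally absent.
$paths = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'HKLM:\Software\Classes\exefile\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command'
)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) {
        if ($p -like 'HKCU:*') { Write-Host "OK      $p (no per-user override present)" }
        else                   { Write-Host "MISSING $p" }
        continue
    }
    # Get-ItemProperty exposes the key's default value under the name "(default)".
    $val = (Get-ItemProperty -Path $p).'(default)'
    if ($val -eq $expected) { Write-Host "OK      $p = $val" }
    else                    { Write-Host "CHANGED $p = $val   (expected $expected)" }
}

# The Policies\Explorer key that looker.bat exported: list every value set there,
# since Explorer restrictions such as NoRun are configured in this key.
$pol = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (Test-Path $pol) {
    (Get-ItemProperty -Path $pol).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop the PSPath/PSDrive bookkeeping
        ForEach-Object { Write-Host ("POLICY  {0} = {1}" -f $_.Name, $_.Value) }
} else {
    Write-Host "No $pol key present"
}
```

A CHANGED line pointing at anything other than `"%1" %*` means every .exe is being launched through whatever program is named there, which is consistent with the symptoms described earlier in the thread (nothing runs, icons changed).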
