strange .bat file shutting down win vista... not really a virus but... - Tech Support Forums

renesisspeed · May 30th, 2008, 07:53 PM

So my dumb-a$$ ex-girlfriend decided she wanted to spy on her current boyfriend by "hacking" into his myspace.

(yeah I know + why am I helping her now). well she found a supposed myspace password hacker through youtube & lo-and-behold screwed up her computer just like I told her she would. whatever, now the damage is done & maybe she has a lesson learned.... right.

You can view the video here if you want YouTube - Myspace Password Hacker 8.0 (NEW)
the guy says there is a link to download this "utility" in a zip file. So of course she downloaded it (it was actually just a .bat file, unless something else came with it un-seen). Upon running it, it restarted her comp, and since then after boot-up, if you try to do anything (and I mean anything) it reboots.

I downloaded the same file while running linux to minimize my risk and examined it.

So heres the commands this batch file runs. as near as I can tell there is no way for it to repeatedly run any kind of malicious operation, but... (just for safety's sake, if you're running windows don't mess with this, I don't want to be blamed)

ipconfig /release

start shutdown.exe -s -t 04 -c "You Must Restart Windows To Use Myspace Password Hacker 8.0"

The "comment" shown above appeared the first time, but not since.

The thing that gets me is that there should be no way for this thing to auto execute.

I understand what the commands and flags all do (reset ip / network connection, "shutdown" with a flag to shutdown, with a delay of 4 seconds and kill all running processes.

There were no other files downloaded with this (like I said unless something snook in), she said that she deleted the file from her desktop @ some point (not quite sure when she managed to do it) but regardless, by going in with a boot cd and browsing with a file manager, i could find no trace of it in her recycle bin, desktop or temp internet files.

She's running winVista Home Premium on a gateway W340UI laptop.

If anyone has any suggestions, I would really appreciate the input, otherwise i'll have to try to salvage all of her files and restore the computer to a factory installation and reinstall all her programs for her. I'm sure there is just something I am not seeing here. It won't stay runn9ing in safe mode either, so I can't even try to run any utilities from with-in windows itself.

Thanks!!!

Keymaker · May 30th, 2008, 08:23 PM

She obviously didn't download the correct file. I would not have run that batch file from the begin with. Unless I'm using VMware.

Of course I would also run that little haxxers program in VMware as well.

Anyway... You need to see what is auto starting. I know a few, unfortunately this requires to install the utility. Seen as how the computer won't stay on, that won't help.. I think this stand alone utility may help if you run it in a live CD like UBCD4WIN. SIW | System Information for Windows by Gabriel Topala

Does safe mode work?

renesisspeed · May 31st, 2008, 04:08 PM

If I run that utility from a live cd, won't it just tell me what the start-up processes for the live cd OS are?

& no, Safe Mode does not work. I also tried going into safe mode with command prompt and it immediately began to shut down. (presumably as soon as command prompt was launched, just like when trying to manually launch anything else.)

(PS: I was born in Loveland... live in Detroit now

)

Keymaker · June 1st, 2008, 03:57 AM

Quote:

Originally Posted by renesisspeed

If I run that utility from a live cd, won't it just tell me what the start-up processes for the live cd OS are?

Your right, it will. forgot about that. Well UBCD4win has some tools. So you could browse the hard drive . Ahh, dang, you can't even use safe mode either. I had to use safe mode once to evoke a system restore through the command prompt.

There has to be something in the windows startup directory. If you browse the hard drive with a live CD, then I would look in the Windows folder. Especially system32.

Have you tried to use the recovery console with the Windows install disk?

Quote:

Originally Posted by renesisspeed

(PS: I was born in Loveland... live in Detroit now

)

Small world! Especially how small this town is. You won't believe how much it has changed now. Building all over! We have a new hospital, (Level 2 trauma I believe) Medical Center of the Rockies, and out that way near I25 there is a new shopping mall. Couple years ago when the Blue Angles came to Loveland I was listening to their coms. and heard one pilot say how he couldn't believe how much we changed.

They were here before many years ago. I'm not originally from Loveland though. Moved from Riverside CA.

Seems like everyone is moving from there. Now if my parents would have stayed.. they would had made a fortune on the house!

renesisspeed · June 1st, 2008, 03:42 PM

Well. I haven't been able to find anything relating to the original file name anywhere on the C drive. I also tried to look for files that were created when it happened and couldn't come up with anything productive. The only thing I found (& it didn't do any good) were the prefetch files created at the time it happened (for cmd.exe, ipconfig.exe & shutdown.exe). I had hoped that by deleting them & letting them be re-created fresh I might be able to solve the problem.

So basically, im still stumped. I really don't want to have to run recovery & restore it to factory... but it looks like that may be what its coming to. Either way Keymaker, I really appreciate you're input.