BleepingComputer.com: RUN CMD.EXE causes Explorer to Crash

RUN CMD.EXE causes Explorer to Crash

#31 N0mad

  Posted 01 March 2009 - 03:19 PM

I'm not convinced that I'm out of this yet, but here is what I did: I was successful in booting into "Safe Mode", copying cmd.exe to cmd2.exe, and launching SDFix. The important thing to remember here is that you must run SDFix in SAFE MODE and then when it restarts, you MUST hit F8 at boot time again to run in SAFE MODE again! The process for running once you have copied cmd.exe to cmdWHATEVER.exe:

c:\
cd\SDFix
runthis.bat

Follow the menus.

When it wants to reboot, let it, but make SURE that you hit F8 at the boot and go back into SAFE MODE again. Once in Safe mode again:

Start, Run, c:\windows\system32\cmdWHATEVER.exe
c:\
cd\SDFix
runthis.bat

At the menu, even though it doesn't show it, press F, then enter to Finish the malware scan.

I'm still in safe mode, and I'm running the Microsoft MRT tool again to see if it picks up anything. Then, I will look into the registry...more to come.

#32 N0mad

Posted 01 March 2009 - 03:59 PM

No Joy. Both problems still present. Even in "SAFE MODE". Firefox or IE when using Google to search for anything both redirect you beyond the link that you click on to everything ranging from Stopzilla to other, more generic search sites. Also, cmd.exe still fails to run natively, but I can run the cmd2.exe that I created, and I can edit the registry by running regedit.exe underneath a cmd2.exe process. SDFix is NOT a viable solution. I think we have a new signature, folks. Does anyone know what wjjgn.sys is? Microsoft's MRT Control Panel app shows that this little gem attempted to do something at 12:51 AM this morning while I was running a scan with AVG. Just curious if it has anything to do with the problem. I'll keep hunting, but thought I would do my best to keep everyone posted...

#33 tmongiello

Posted 01 March 2009 - 04:58 PM

I just came back from my client's site. I wanted to do one more look using Process Explorer (the Sysinternals tool) and HiJackThis! to see if I saw ANYTHING that didn't look like it belonged.

The particular PC I have been working on has LogMeIn installed as well as webEx. Both of which I know are legit applications.

I scanned for files that might have a time/date stamp newer than a week old. I came up with none that aren't supposed to be there. I looked for weirdly named files, files whose names were random letters and numbers, cleared all temp files and temp internet files, cleared all cookies. (CCleaner is great for that). I even scanned the registry BY HAND looking for stuff that looked weird. Nothing.

Whatever this is, it's stealthy. It HAS to replace a legit file somehow to do its dirty work.

I'll keep working and let everyone know immediately if I find an answer.

We'll beat this. We have to...

This post has been edited by tmongiello: 01 March 2009 - 05:16 PM


#34 White Rabbitt

Posted 01 March 2009 - 06:03 PM

I too have this problem. Unfortunately, I am not capable of performing diagnostics, only googling my problems and performing the work others have already determined works. Consider my machine another test site to experiment if others have suggestions.

My problem is identical. A machine that is basically fully functional. Redirects via google and Yahoo in IE. CMD and regedit from the run window resulting in explorer crashing. Also, I use AIM and the program failed completely. This was my first indication I had a problem to begin with.

Have run:

Ad Aware
Spybot
Malwarebytes
housecall
ccleaner
spyware cease
autoruns.exe
hijackthis

None have fixed my problem over here nor indicate the problem source.

spyware cease found problems that I could not fix because the freeware version does not correct problems without a license. autoruns.exe was a neat program I think I will find very handy but at this time I have accounted for every program that runs at startup, unless this malware hides itself as a microsoft program, a device driver that appears legit, or as a copy of winrar (is this thing supposed to be all over the registry? I have like three copies of the same file within the autoruns scan)

When I run hijackthis, my logs are under a page, usually under 10 entries total. It boggles my mind how some of the posted logs can go on and on!

Anyways, no fix yet over here. I'll be testing out the solutions you guys come up with as I read them.

Thanks for all your efforts. The lurkers here appreciate it.

#35 netmatt

Posted 01 March 2009 - 06:14 PM

I got the same issue. I was having a redirect problem and then got rid of it (I think, vundo on a system32\itcc.dll) using SuperAntiSpyware. That's gone now, but I was having explorer.exe crash after startup, so I was working that issue, and found I could not run CMD or Regedit either. Both will close explorer.exe.

The 2 known Event Viewer issues I have are with DS1410D and KR10N services. Not sure if that's related?

Re-running virus checkup now. Not sure what will be next. :thumbsup:

#36 paranode

Posted 01 March 2009 - 06:44 PM

I found this thread via Google today and thought I'd throw my 2 cents in. My wife's computer had this malware, whatever it is. Same symptoms, Google links were intermittently redirecting to ad sites and commands such as cmd.exe and regedit.exe would not work (crashed explorer). What eventually did work for me was ComboFix, running in Safe Mode. I'm not sure why it wouldn't work for previous posters. I did run it off of a thumb drive though I don't know if that made any difference. Once it finished what it was doing, it rebooted, went into Windows normally, finished doing some other stuff, and then when it was done the programs worked again and I couldn't reproduce the ad-forwarding anymore. Hope that helps...

#37 Dr. WAV

Posted 01 March 2009 - 07:12 PM

I'm not sure why combofix doesn't work, but I DID try running it in safe mode and I was still unable to get combofix to run at all.

#38 netmatt

Posted 01 March 2009 - 07:21 PM

I think combofix tries to run a CMD window, doesn't it? Since this is crashing, I think this is why it won't run loaded normally, and may from a thumb drive. I may try that thumb drive option. For me, I think that's why I crash on startup, as I have a few CMD window startup items as well. If you are able to run CMD windows in safe mode, then maybe this isn't it, but seems right...? (why I was never able to get similar other tools to run either, they would hang on the CMD window)

--UPDATE: yep, combofix from a thumb drive is running. (though I need to wait for AVG to finish)

This post has been edited by netmatt: 01 March 2009 - 07:25 PM


#39 tmongiello

Posted 01 March 2009 - 07:23 PM

Paranode, thanks for your input. I have not tried ComboFix yet but will try it now from safemode.

Dr.WAV: what version of ComboFix are you using? Paranode, what version did you use? Maybe this is something one version gets that another doesn't see?

T

#40 patbox

Posted 01 March 2009 - 07:26 PM

Hey guys, I just want to say I am reading this post and really sorry that this seems to be a nasty infection. I guess the anti-malware and anti-virus tools need to react to this soon, so keep updating your definitions.

I would also recommend to each of you to read this forum and post your Hijack This logs there to get proper help:
http://www.bleepingcomputer.com/forums/forum103.html

#41 White Rabbitt

Posted 01 March 2009 - 07:32 PM

Odd. Running combofix solved my problem. I did boot into safe mode without networking to run it, but was away from my machine while it did its thing. When I came back it booted into normal windows and completed all activities. (point: was not able to reboot into safe mode as recommended by others in this forum)

Now I seem to have a fully functional computer. No redirects yet, cmd and regedit work again. Batch files work again. Will reinstall AIM when possible and check again.

This post has been edited by White Rabbitt: 01 March 2009 - 07:33 PM


#42 tmongiello

Posted 01 March 2009 - 07:42 PM

WhiteRabbit, which version of ComboFix did you run? I want to make sure I have the same version for tomorrow. :thumbsup:

Thanks!

T

#43 Dr. WAV

Posted 01 March 2009 - 08:05 PM

netmatt, on Mar 1 2009, 07:21 PM, said:

--UPDATE: yep, combofix from a thumb drive is running. (though I need to wait for AVG to finish)


How exactly did you get combofix to work? Did you just copy the exe to the thumb drive and run it on the machine with the problems? Wouldn't just running the exe on another drive be the same? I ask because I tried running combofix from one of my other drives and had the same problem.

As for what version of combo fix I am using I downloaded it just a few days ago, but I can't find any version number anywhere in the file to give you an exact version.

#44 Queen-Evie (Moderator)

Posted 01 March 2009 - 08:10 PM

I will repeat what DC3 said in an earlier post:

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained in the use of the program. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


EDIT TO ADD: I'm curious as to what happens when you access command prompt from
Start Menu/All Programs/Accessories/Command Prompt

They both do the same thing. (At least they did when I did a tracert from Run/cmd.exe and from command prompt in accessories) If I am wrong about this, please let me know.

This post has been edited by Queen-Evie: 01 March 2009 - 08:21 PM


#45 netmatt

Posted 01 March 2009 - 08:19 PM

I had to go as well. I was waiting for AVG to complete. I started combofix from the USB, but it was waiting for AVG to quit.

When I came back, Windows had restarted, it said it recovered from a serious problem, and Microsoft said there was a problem with my AV software. I checked AVG, and it had found 3 issues, all b2e.dll files, and removed them.

All seems to be working fine now... huh? Hate to not be able to help anyone with a process, but maybe latest AVG has an update for this?

UPDATE: Not sure the version I used, but I don't think I needed it. I never really ran it. I just put the EXE on the thumb drive, and double-clicked. In any case, it was Link 2 from another support site forum, in a thread regarding the VUNDO virus. (though for the Queen's sake, I was not going to run it fully, I was really seeing if it would run (as this problem seems to prevent it). If so, then ask someone what to do to run it...)

FINAL UPDATE: Just to be complete, the combination of Super AntiSpyware (free edition) and AVG latest updates cleared it for me. The first for the redirects, and then the second for the Trojan horse backdoor.smallx.vx (b2e.dll, which is my guess what was causing the explorer issues?) Also, for the redirects, they did seem to go away when I disabled/removed all Java, but I did that the same time SuperA... was running.

This post has been edited by netmatt: 01 March 2009 - 10:48 PM

