Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Endless Command.com Initiated By A Rundll32 Loop!


  • Please log in to reply
3 replies to this topic

#1 Inevitable

Inevitable

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:11 AM

Posted 18 August 2008 - 08:29 PM

Ok, so I'm new here, but I've heard great things about the community, as such I look forward to working with you all!

On to teh rather interesting problem, a little background.

I was recently asked to help 'fix' a windows XP professional machine. The owner claimed it was running 'a little slow' Come to find out that it was in fact infected with just about every trojan, spyware, malware, and generally undesirable thing that one can get from the net (no joke all told over 40,000 individual traces, files and infections, probably about 200 different actual different core infections).

Suffice to say, it wsa a battle, but I did manage to get the darned thing clean. However, now it's developed a rather nasty side effect.

When the machine boots, and you log into an account, the machine gets hung into an endless loop of command.com windows cycling endlessly, precluding explorer from loading completely. I can access task manager, and if I kill the single rundll32, it stops the loop and everything runs totally normal afterward.

I've had no luck hunting it out with procmon, and hijackthis shows clean as well. I can only assume it's a remnant instruction buried somewhere trying to reinstall a downloader or malware package.....but for the life of me I don't know where. I can't see any obvious hooks anywhere. System file scan comes back totally green, and all my attempts to locate any more threats say the machine is in fact totally clean, so I think the malicious side of it is gone, just the instruction that was left behind somewhere.

Anyone have a clue where to start looking for this? I'm at a total loss. :thumbsup:

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:11 AM

Posted 19 August 2008 - 01:58 PM

Hello
Would you please run this scan.
Are you trained in reading an HJT Log to be certain it is clean/

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Reagardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Inevitable

Inevitable
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:11 AM

Posted 20 August 2008 - 12:41 AM

My apologies for the delayed response.

To address your first question, I have not been through the bleepingcomputer course, but have been reading hijackthis logs for about 2 years now, and know windows well enough to be completely confident in my abilities regarding both. However, advice is always welcome : ), and I certainly don't mind asking for it.

As requested I did install and run malwarebytes' Anti-Malware, however the quick scan yielded no results at all.

I ran a full scan as well, and produced the following log:

[codebox]Malwarebytes' Anti-Malware 1.25
Database version: 1071
Windows 5.1.2600 Service Pack 3

1:11:08 AM 8/20/2008
mbam-log-08-20-2008 (01-11-08).txt

Scan type: Full Scan (F:\|)
Objects scanned: 201949
Time elapsed: 2 hour(s), 10 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
[/codebox]

As you can see, no hits whatsoever. Doing some additional hunting, I've narrowed it down to what I think is a remnant of a filter hijack for troj_agent.tqz reinstall process keys. Trouble is they're seeded all throughout the hkcr under a variety of key profiles. The files are all gone, but I'm still having to fish out all of it's remnants in the registry.

Once I get it all cleaned (or as clean as i can) I'll post back.

If you have any other ideas, I'd love to hear them, I can provide the original spybot scanlogs if you're interested as to what was actually on the machine before cleaning, but be warned that they're rather huge.

Thanks for the help so far, I'd not used malwarebytes in some time, and think it'll become on of my primary tools now that I've been reintroduced to it; the logging is much better than other programs I've used as of late.

Edited by Inevitable, 20 August 2008 - 12:49 AM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:11 AM

Posted 20 August 2008 - 01:09 PM

Very well then ,please keep us aprised.
If you would care to run another very good tool. And run this from safe mode try this

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users