
I just can't get rid of it. Something keeps starting a new windows\system32\cmd.com virus


38 replies to this topic

#1 boatsandbeach

boatsandbeach

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 03 January 2009 - 09:31 PM

I ran Malwarebytes and it catches the following items as shown in the log. I will attach the HJT log too. I still can't get this fixed after a week of trying. Thanks for the help.

Adding in contextual information from another topic. ~ OB

My main problem seems to be when I start in normal mode: at the exact time explorer starts, I get a command prompt window that repeatedly opens reading "windows\systems32\cmd.com". After I power off and restart, I can no longer get into my user account in normal mode. I restart in safe mode (earlier I was not able, but was successful after using the Win XP disk and recovery console) and can access the admin account to run Malwarebytes, SDFix, SmitFraud and Panda. After they catch dozens of bad items (trojan.vundo-rogue.spywareguard-adware.mywebsearch and many others), I restart into normal mode and the cmd.com issue comes up again.

End of added information. ~ OB

Edited by Orange Blossom, 04 January 2009 - 08:35 PM.
Topic reopened. ~ OB



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:29 PM

Posted 16 January 2009 - 08:04 AM

Hello boatsandbeach

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 boatsandbeach


Posted 16 January 2009 - 06:07 PM


I can only use this account in safe mode, is that ok?

#4 kahdah


Posted 16 January 2009 - 06:44 PM

Yes.

#5 boatsandbeach


Posted 16 January 2009 - 07:35 PM

The files are too large to attach

#6 kahdah


Posted 16 January 2009 - 08:12 PM

Click Here to upload the files please.

#7 boatsandbeach


Posted 16 January 2009 - 08:22 PM

OK, both files sent.

#8 kahdah


Posted 16 January 2009 - 08:33 PM

Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
=============
Please download OT Cleanit from Here and save it to your desktop.
Double click on OT Clean it to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove the old removal programs on your system.
==================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 kahdah


Posted 16 January 2009 - 08:37 PM

Also note that one of these needs to be removed\uninstalled prior to doing anything:
Panda Antivirus Pro 2009 or Avira AntiVir PersonalEdition

#10 boatsandbeach


Posted 16 January 2009 - 09:06 PM


Prior to doing what? I just did everything you asked. I sent the ComboFix log the same way I sent the others.

#11 kahdah


Posted 17 January 2009 - 08:26 AM

Meaning remove one of the 2 antiviruses before doing any of my previous instructions.
I meant to put it in my first post but it was cut off.

Anyway, no harm done; go ahead and see if you are able to remove one of those programs.
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#12 boatsandbeach


Posted 17 January 2009 - 09:29 AM

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

2009-01-17 09:28:46
mbam-log-2009-01-17 (09-28-46).txt

Scan type: Quick Scan
Objects scanned: 60487
Time elapsed: 37 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 kahdah


Posted 17 January 2009 - 09:32 AM

How are things running?

Please post a new rsit log or upload it Here

#14 boatsandbeach


Posted 17 January 2009 - 09:39 AM


Still does the same thing as before.

FYI, when in the admin account it's fine, my user account in safe mode it's fine. It only loads that cmd.com window repeatedly when I'm in my user account out of safe mode. It acts like it starts when Windows loads something with the desktop.

#15 kahdah


Posted 17 January 2009 - 09:56 AM

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
======================================================
Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
