Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CMD crashes Explorer


  • Please log in to reply
4 replies to this topic

#1 another computer sho

another computer sho

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 10 March 2009 - 12:02 PM

Please see this threat for further information; http://www.bleepingcomputer.com/forums/t/206736/run-cmdexe-causes-explorer-to-crash/

Computer is XP Home edition w/SP3, and IE 6.

I've run Avira free edition, Malwarebytes free edition, Superantispyware free edition, AVG free edition does not install, Safety.live online scanner. I've run ATF-cleaner and CCleaner (against my better judgement) with no success.

I've tried to run SDFix.exe, Combofix.exe, Smitfraudfix.exe with the same results. Because CMD is being blocked, all three of those programs fail to run.

On the thread linked they could run combofix to cure their issue, it will not run for me, not off a thumb drive, from the desktop, from C drive.

In the thread linked they could rename CMD to CMD2 and it would work. On my computer I had to rename cmd to 1234. If I left CMD in the name it would not run and would crash explorer. Explorer will always return after about 5 seconds or less. Using cmd renamed to 1234 I tried to execute combofix and SDfix both with failed success.

I've gained access to the registry by renaming regedit to regedit123. But I found nothing in the HKey/local machine that looked out of place. If screenshots are requested of registry I can do that.

This is a customers business computer which I've had for 3 days now. She's persistant and doesn't care to give me much more time.
I've come to this threat trying to follow protocol, althought judging by the other threat I believe I will be told to post a hjthis log in the appropriate forum. Still I'd appreciate any assistance I can get. Thank you.

BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:07 PM

Posted 10 March 2009 - 04:08 PM

I'm not going to reread that rambling thread again. It was full of contradictory information.
And you're correct, with the tools that you have already run, I'm going to suggest a HJT log
We've had an increase in logs, so there will be a bit of a wait

------------------------------

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 another computer sho

another computer sho
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 11 March 2009 - 08:38 AM

http://www.bleepingcomputer.com/forums/t/210262/explorer-crashes-when-you-run-cmd-and-ie-redirects/


As I suspected DDS would not work because of the same CMD issues affecting Combofix and Smitfraudfix and SDFix.

Still, the topic is created and I shall wait further instructions.





On a side note. I do agree that the topic that lead me here is convoluted. Since none of them could give a real reason why combofix would suddenly work for them, nor would any of them post logs stating what combofix removed. Still...I'm leaving this in your, hopefully, capable hands.

#4 another computer sho

another computer sho
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 11 March 2009 - 09:40 AM

I shant bump my threat anymore, I merely wished to express my displeasure and the answer to my issue. My displeasure because your admins bumped my threat to a defunct board since I could not post a log of which I was obviously unable to attain. Since your DDS program needs a functioning CMD and the infected computer did not have that. The admin... excuse me, "Janitor" obviously spent no time even reading my thread. Or you, garmanma, did not since you sent me to a board I could not use, knowingly asking me to run a CMD based tool when I could not obviously run anything dependent on CMD. Either way the failure of comprehension from a group of people who are supposed to be combating "ever changing" or "morphing" malware is a bit unsettling.

Still I shall share the answer here to help save others from this issue and hopefully enlighten the board staff as well.


I found the answer here:

http://www.experts-exchange.com/Virus_and_...Q_24187778.html

from this post.


QUOTE
I was able to work out a solution!
Using Hijackthis, I opened the process manager under Misc tools. When I viewed the loaded DLL's under iexplore.exe, there was this:
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
I deleted this file on reboot using again the feature under Misc tools, then I reset the aux settings in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
QUOTE



I checked the aux key in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] and indeed it was redirected to [C:\WINDOWS\system32\..\ytxh.ioe]

Resetting the Aux key back to [C:\windows\system32\wdmaud.drv] returned my cmd and regedit functionality.



I still have the browser redirect issues, but I'm sure I can solve those on my own before I'd get help from this board so I shant start a third topic.

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:03:07 PM

Posted 11 March 2009 - 04:58 PM

I only follow protocol. The directions are posted throughout the forum
HJT logs posted in any forum other than HJT are moved
Combofix logs are not to be used outside the HJT forum and only under the direction on a HJT team member
The author of Combofix does not wish to have the app. discussed in the general public
Had you needed an alternative for DDS, I would have provided you with 2 when asked
Sorry
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users