
Unknown Infection: CMD/Regedit crash Explorer


No replies to this topic

#1 sexconker

Posted 03 April 2009 - 08:15 PM

Got a particularly fun infection on a machine at work.

Browser redirects to ad pages about 50% of the time, blocks a bunch of sites such as this one, has a fun learning blocker that, for example, learned to block youtube.com after a search result for MBAS included a youtube video, and browser crashes frequently (IE and FF).

Trying to run CMD will cause explorer to crash, even in safe mode.
Same for regedit.
Tools like SDFix and ComboFix won't run past the initial stuff.

Symantec was throwing up real time protection notices saying it blocked a generic trojan.
I did a lot of digging and I found a fun username.exe in C:\Documents and Settings\ (where username is the name of the user), and was able to kill that off.
Also found and killed off some file in C:\Windows\System32 that was named something like 9735823.exe.

SuperAntiSpyware detected a few things and cleaned them, and now shows clean logs.
Same for MBAS.
Symantec no longer throws up the warnings.
Hijack This logs appear clean.

Pretty much identical to this thread below, which was "solved" mysteriously.
http://www.bleepingcomputer.com/forums/t/216540/infected-with-vundu-or-something-similarly-tricky/

I've seen a few other posts scattered across the web with similar issues, and they're all from within about a week or so.

This looks like it's the hot new thing.
I don't have access to the machine again until Monday.
Any ideas?

Even if we wipe the machine on Monday and start fresh, I'll try to post an initial DDS log just to see if we can find some common element.
