Batch File / cmd.exe won't run


This topic is locked. 7 replies to this topic.

#1 tarquinon


Posted 04 May 2009 - 09:44 AM

I'm really hoping someone here can help me. I've looked around a bit and found a few threads with people who have symptoms similar to mine. However, no solutions seemed to be posted. Most of those threads led back here. If someone can just point me in the right direction I would greatly appreciate it.

Problem: Running any batch file or trying to run cmd from Run will cause Explorer to crash temporarily. I will see the screen go blank and the taskbar will disappear for a few moments before recovering. About a month ago I was infected with something, and was able to get rid of it (or so I thought) by running AVG in safe mode followed by Malwarebytes. The Malwarebytes log is below. Anything anyone can offer me would be greatly appreciated. Thanks.

~Mark

Edit/Update: Neither Malwarebytes, nor AVG will allow me to update. Both say they cannot connect to the server.







Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/6/2009 3:50:36 PM
mbam-log-2009-04-06 (15-50-36).txt

Scan type: Quick Scan
Objects scanned: 73899
Time elapsed: 17 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81e73bd8-b363-424e-90c7-eef2c16fa688} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81e73bd8-b363-424e-90c7-eef2c16fa688} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rilehunera (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\ovfsthxqoajyohodghkgpmekookhqhxjeigfvm.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\raoncmwxse.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\naxwcseomr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\ovfsthpuxmostyqf.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\ovfsthqhtieqnxbv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\ovfsthxtegfievlq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthlshbdevokhdftwiplwpiuevcudhtuaqj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by tarquinon, 04 May 2009 - 09:52 AM.
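As an added example, not part of the thread and not Malwarebytes' own tooling: a small Python parser that reads the MBAM log format posted above and groups each detection by the persistence mechanism its path implies (autorun Run key, IE Browser Helper Object, kernel driver or service, Security Center tampering, dropped temp file). The sample log is the detection lines from the posted log, embedded inline as a constructed subset; the mechanism labels, the "kernel persistence" follow-up flag and the `triage` summary are this example's own heuristics, not anything MBAM reports.

```python
import re
from collections import Counter

# Constructed sample: the detection lines from the MBAM 1.35 log posted in the
# thread, copied verbatim (scan header and per-section counters omitted).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81e73bd8-b363-424e-90c7-eef2c16fa688} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81e73bd8-b363-424e-90c7-eef2c16fa688} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rilehunera (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\ovfsthxqoajyohodghkgpmekookhqhxjeigfvm.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\raoncmwxse.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\naxwcseomr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\ovfsthpuxmostyqf.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\ovfsthqhtieqnxbv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\D3Engineering\Local Settings\Temp\ovfsthxtegfievlq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovfsthlshbdevokhdftwiplwpiuevcudhtuaqj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Section headers look like "Files Infected:" (the summary lines carry a count
# after the colon, so they do not match). Detection lines are
# "<item> (<family>) -> <action>." where <action> may itself contain "->".
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def classify(item: str) -> str:
    """Map a registry path or file path to the persistence mechanism it implies.
    Labels are this example's own heuristic, not an MBAM category."""
    low = item.lower()
    if r"\currentversion\run\ " .strip() in low:
        return "autorun (Run key)"
    if "browser helper objects" in low or low.startswith(r"hkey_classes_root\clsid"):
        return "IE Browser Helper Object / COM registration"
    if r"\services\ " .strip() in low or low.endswith(".sys"):
        return "kernel driver or service"
    if r"\security center\ " .strip() in low:
        return "security-notification tampering"
    if r"\local settings\temp\ " .strip() in low:
        return "dropped temp file"
    if low.endswith(".dll"):
        return "loadable DLL"
    return "other"


def parse_mbam_log(text: str) -> list:
    """Return one dict per detection line, tagged with its section and mechanism."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:  # "(No malicious items detected)" never matches ITEM_RE
            entries.append({"section": section, "item": m.group("item"),
                            "family": m.group("family"), "action": m.group("action"),
                            "mechanism": classify(m.group("item"))})
    return entries


def count_by(entries: list, key: str) -> dict:
    return dict(Counter(e[key] for e in entries))


def triage(entries: list) -> dict:
    """Summarise what the scan touched and whether a kernel-level component was involved."""
    kernel = [e["item"] for e in entries if e["mechanism"] == "kernel driver or service"]
    rootkit_family = any(e["family"].startswith("Rootkit") or "TDSS" in e["family"] for e in entries)
    return {
        "families": count_by(entries, "family"),
        "mechanisms": count_by(entries, "mechanism"),
        "kernel_items": kernel,
        # Heuristic: a driver file or service key, or a rootkit-named family,
        # means the infection had a kernel-mode foothold.
        "kernel_persistence": bool(kernel) or rootkit_family,
        "security_center_tampered": any(e["mechanism"] == "security-notification tampering" for e in entries),
        "not_removed": [e["item"] for e in entries if "successfully" not in e["action"]],
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for mech, n in sorted(report["mechanisms"].items()):
        print(f"{n:2d}  {mech}")
    if report["kernel_persistence"]:
        print("kernel-level component detected: follow up with a dedicated rootkit scan")
```

On the posted log this groups three items under "kernel driver or service" (the `seneka` service key and two `.sys` files under `drivers`), two Vundo BHO/CLSID registrations, one Run-key autorun and the disabled Security Center update notification. The practitioner's caveat the summary is meant to surface: "Quarantined and deleted successfully" against a driver file says nothing about whether the kernel-mode component was still loaded at scan time, so a log with driver or service hits is a reason to run a dedicated rootkit scanner afterwards rather than to treat the machine as clean.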



#2 commandhat


Posted 04 May 2009 - 10:31 AM

Not a HijackThis log, but this goes in the Removal forum, I think.

#3 tarquinon


Posted 04 May 2009 - 10:34 AM

Is there another log I should post? Or shouldn't I have posted that one? Do I have to do something to move this to the removal forum? Sorry I'm really not sure what to do from that statement...

#4 commandhat


Posted 04 May 2009 - 10:42 AM

Sorry, I should probably explain better.

The "Am I infected?" forum is for getting help from the community members, and the "Malware Removal" forum is for getting help from experts. However, if you want your topic to be noticed in Malware Removal, you need to post an HJT log. Logs from things like MBAM and HJT will probably be moved or ignored by community members.

TL;DR: logs are better posted in Malware Removal, and "Am I infected?" is for asking for help.

EDIT: looking at your log, you appear to be infected with Vundo, as well as rootkits.

Edited by commandhat, 04 May 2009 - 10:44 AM.


#5 tarquinon


Posted 04 May 2009 - 10:50 AM

commandhat, thank you for your help. I've posted in the other forum and have included a HJT log. Thanks.

#6 scff249


Posted 04 May 2009 - 11:05 AM

@commandhat:
MBAM logs are used here (as well as a few other types).

The Am I Infected? forum is a means of asking for help if you believe you are infected. If you have logs from things like your Antivirus or Antispyware/malware programs, you can post them here in your first post to give a better idea for 1st responders to help quickly.

However, one of the main reasons for this forum is quoted below from tg1911 (one of the Site Admins):

The AII forum was set up as a triage forum, to try and alleviate some of the backlog in the HJT forum.
As the name suggests, Am I Infected?, it's the forum to post to, if you think you are infected.


HJT, RSIT, DDS, and a few other types are HJT forums only.

@tarquinon:
Since you now have an HJT log posted, I'll have to ask for this topic to be closed.



#7 commandhat


Posted 04 May 2009 - 11:25 AM

Ah, sorry for the confusion scff249.

#8 harrythook


Posted 04 May 2009 - 11:35 AM

tarquinon, there is infection present on your machine, and help should be coming in the removal forum.

This topic is closed.
