Solved

Command Prompt closes instantly - including hijackthis log

Posted on 2009-05-11
23
865 Views
Last Modified: 2013-12-06
Possible virus

Running XP Pro
Run > type cmd, hit Enter: all icons disappear from the desktop and reappear. The command prompt doesn't show.

The same happens when I click on cmd in C:\WINDOWS\system32 or from All Programs, etc.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:48, on 11/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\MSSQL\MSSQL\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Shiro SKYPE DECT\USBPhone4Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IPEVO\Control Center\IPEVO Control Center.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\explorer.exe
E:\Infection Removal\HijackThis.2.0.2\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [USBPhone4Skype] C:\Program Files\Shiro SKYPE DECT\USBPhone4Skype.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IPEVO Control Center] C:\Program Files\IPEVO\Control Center\IPEVO Control Center.exe -startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HeatMat.local
O17 - HKLM\Software\..\Telephony: DomainName = HeatMat.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HeatMat.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HeatMat.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7572 bytes


Question by:unrealone1
23 Comments
 
LVL 10

Expert Comment

by:cdebel
Have you checked the signature of C:\WINDOWS\SYSTEM32\CMD.EXE?
0
 
LVL 10

Expert Comment

by:cdebel
If it's not a virus, I would check the event log in the Administrative Tools of the Control Panel.
0
 
LVL 3

Expert Comment

by:nhenny2009
Report back the date/timestamp of CMD.EXE. CMD.EXE may have been corrupted, so you can attempt to copy it from another machine.

Can you run other apps from c:\windows\system32\... like clipbrd.exe? I don't think it is a %path% issue, since you can't even run it directly from its location.
0
 
LVL 26

Expert Comment

by:akahan
Does typing

command

instead of

cmd

get you a command prompt?
0
 
LVL 27

Expert Comment

by:David-Howard
You might try running SFC /SCANNOW.
SFC /SCANNOW takes about fifteen minutes and requires your OS CD.
Just insert your CD while holding down Shift to prevent autorun.
Release the Shift key after about ten seconds.
Then click Start and in the Run field type SFC /SCANNOW and select OK.
SFC /SCANNOW directions/screenshots:
http://www.updatexp.com/scannow-sfc.html

These entries are unnecessary and can be removed:
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
Your log file is clean for all other purposes.
0
 
LVL 1

Author Comment

by:unrealone1
@ akahan

Yes when I type command - I get command box
0
 
LVL 1

Author Comment

by:unrealone1
@ nhenny2009:
Have you checked the signature of C:\WINDOWS\SYSTEM32\CMD.EXE?

How do I do this?
0
 
LVL 10

Expert Comment

by:cdebel
Go into Windows Explorer and find your file (C:\WINDOWS\SYSTEM32\CMD.EXE).
Right-click on the file, then choose Properties.

Give us some info like who made the program, the file size and all that stuff. Browse through the tabs; you should find this info.
0
 
LVL 66

Expert Comment

by:johnb6767
In the registry.....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Is there a subkey named cmd.exe? If so, kill it......

Log looks fine....

"all icons disappear from the desktop and reappear."

That's a sign Explorer.exe is crashing, which is your Shell....

0
 
LVL 66

Expert Comment

by:johnb6767
Check for an Explorer.exe subkey under there as well.....

Also in the registry......

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look for the following values....

Shell=Explorer.exe
Userinit=C:\Windows\system32\userinit.exe, <~~~~ Should look EXACTLY like this, including the comma...
0
 
LVL 66

Expert Comment

by:johnb6767
Also.....

RootRepeal - RootRepeal - Rootkit Detector
http://rootrepeal.googlepages.com/

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....
0
 
LVL 27

Expert Comment

by:Jonvee
If the Rootkit Detector finds nothing, & the problem is still unresolved, try running Combofix.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before running ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.

Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

Try initially to run Combofix in normal mode, although it works well in normal mode or safe mode.
0
 
LVL 1

Author Comment

by:unrealone1
@johnb6767
I can't run regedit either.

@cdebel
File size 380kb
file version: 5.1.2600.5512
0
 
LVL 1

Author Comment

by:unrealone1
Hi,

I have just noticed that this only occurs when I log on as a domain user (user1, administrator, etc.).
It doesn't occur when I log on as a local user. Sorry, I should have mentioned this.

Any ideas why it would do this?
0
 
LVL 1

Author Comment

by:unrealone1
bump
0
 
LVL 3

Expert Comment

by:nhenny2009
Now it sounds like a permissions issue of some sort. Could you ensure that you don't have any "deny" ACLs on the c:\windows\system32 folder or directly on the cmd.exe file itself? If you don't, then please ensure that you add Domain Users to this folder and retry.

Thanks.
0
 
LVL 66

Expert Comment

by:johnb6767
Ok, now that seems more like a Policy..... Any GPOs in place?

Error "Registry Editing has been disabled by your administrator"
http://windowsxp.mvps.org/tweakuirest.htm

That the error you are getting?
0
 
LVL 26

Expert Comment

by:akahan
Interesting; usually when use of "cmd" is barred by a policy restriction, the user gets a message that says something along the lines of "CMD is disabled by your group policy; please check with your administrator," or something like that, rather than having the command just silently close out.

The registry entry affecting "cmd" from the group policy point of view (at least the one I know about) is at:

HKCU\Software\Policies\Microsoft\Windows\System!DisableCMD

If "DisableCMD" is set to 1, then the use of the command prompt is disabled, and the user will get the "talk to your administrator" message.
0
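A read-only check of the three registry locations the experts point at in this thread (johnb6767's Image File Execution Options subkeys and Winlogon Shell/Userinit values, and akahan's DisableCMD policy value), plus the cmd.exe file details cdebel and nhenny2009 asked for. This is an added example, not code posted by anyone in the thread; it assumes a PowerShell session on the affected machine (a separate install on XP) and adds a regedit.exe IFEO check, which the thread does not list, because the author cannot open regedit either.

```powershell
# Added example: read-only audit of the registry locations discussed in the thread.
# Assumption: runs on the affected machine in PowerShell (not installed by default on XP).

function Get-CmdHijackFindings {
    $findings = @()

    # 1. Image File Execution Options: a subkey named after an executable that
    #    carries a "Debugger" value makes Windows start that "debugger" instead
    #    of the program. A cmd.exe or explorer.exe subkey fits the symptoms here;
    #    regedit.exe is included (beyond the thread) since it will not open either.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'cmd.exe', 'explorer.exe', 'regedit.exe') {
        $key = Join-Path $ifeo $exe
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { $findings += "IFEO: $exe has Debugger = $dbg" }
            else      { $findings += "IFEO: subkey for $exe exists (no Debugger value)" }
        }
    }

    # 2. Winlogon: Shell must be exactly Explorer.exe and Userinit must be
    #    "<SystemRoot>\system32\userinit.exe," including the trailing comma.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
    if ($wl.Shell -ne 'Explorer.exe') {
        $findings += "Winlogon: Shell is '$($wl.Shell)' (expected 'Explorer.exe')"
    }
    if ($wl.Userinit -ne $expectedUserinit) {
        $findings += "Winlogon: Userinit is '$($wl.Userinit)' (expected '$expectedUserinit')"
    }

    # 3. Group policy: DisableCMD under the per-user Policies key is the setting
    #    behind the "disabled by your administrator" message akahan describes.
    $pol = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $disableCmd = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableCMD
    if ($disableCmd) { $findings += "Policy: DisableCMD = $disableCmd" }

    return $findings
}

# File details for cmd.exe itself (size, timestamp, version), as asked for above.
$cmd = Get-Item (Join-Path $env:SystemRoot 'system32\cmd.exe')
"cmd.exe: $($cmd.Length) bytes, modified $($cmd.LastWriteTime), version $($cmd.VersionInfo.FileVersion)"

# @() keeps the result an array even when the function returns nothing.
$result = @(Get-CmdHijackFindings)
if ($result.Count -eq 0) { 'No findings in IFEO, Winlogon or DisableCMD.' } else { $result }
```

Run it from the domain account that shows the problem, since the DisableCMD value lives in that user's hive.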
 
LVL 1

Author Comment

by:unrealone1
Thanks for your suggestions, but I haven't done any further alterations.

I noticed there were a lot of updates missing, so I installed them (25+) from the Windows Update site. I still haven't installed SP3.

And the problem has gone away: cmd opens fine, and so does regedit. Has anyone got any idea why an update would make it work suddenly?
0
 
LVL 26

Accepted Solution

by:akahan
akahan earned 500 total points
Those updates replace a lot of Windows system files with newer versions.  Perhaps one of your Windows system files that was needed for "cmd" to operate properly was corrupted, and happened to get replaced by one of the updates.

0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 500 total points
Another possibility is that your problem was caused by malware; those updates probably included updated versions of the Windows Malicious Software Removal Tool; that tool will run as part of the reboot after the updates are installed, and will attempt to remove the malware it knows about.  

You can also run the tool manually by typing

mrt

in the Start/Run box (same place you were typing "cmd").
0
 
LVL 26

Expert Comment

by:akahan
By the way -- if you haven't installed SP3, any idea why your hijackthis log says you're running SP3?

0
 
LVL 1

Author Closing Comment

by:unrealone1
Great, thank you.
0
