Help!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Hi, I'm new here. This might be a silly question for all you pros, but recently I have been getting this error message when Windows starts up:

SYSTEM32/CMD.EXE is not a valid Win32 Application

What is this, why is it occurring and what should i do?

Thanx
 
Joined
Dec 9, 2000
Messages
45,855
We need more information. Cmd.exe IS, or should be, a valid application on an XP/NT/2k system but not a Win9x/ME one.

In any case it does not normally run on startup.

Give us a copy/paste of a HijackThis Scanlog following directions here:

http://www.tomcoyote.org/hjt/

Are you sure it didn't say "cmd32.exe", a commonly used "trojan" name?
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Hi Rollin' Rog, here's the log, please advise me of any trojans/spyware. Thanks

Logfile of HijackThis v1.97.2
Scan saved at 19:37:59, on 05/10/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Waleed\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=runonce&pver=6.0&plcid=0x0809
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://demo2.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press Fix checked:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O4 - HKLM\..\RunServices: [CMD] cmd32.exe

Then reboot & delete C:\WINDOWS\System32\cmd32.exe, which is a virus.

Then download AdAware 6 181.
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on ("ON=GREEN"):
From the main window: click "Start", then "Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........ "Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then
Download Spybot - Search & Destroy from http://security.kolla.de


After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.
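The three lines dvk01 lists above, as an added detection example (not code from the thread or from HijackThis): a Python triage that parses HijackThis F0/F2 and O4 lines, flags any program appended to the Shell= value after Explorer.exe, and then flags the autorun entry that launches the same file. The sample lines are copied from the log posted earlier in this thread.

```python
"""Triage HijackThis log lines for the two persistence tricks seen in this
thread: an extra program appended to the system.ini Shell= line, and an O4
autorun entry that launches the same file.  Added example, not HijackThis code."""
import re

# Sample lines copied from the log posted in this thread: the three entries
# dvk01 said to fix plus two benign O4 entries so the filter has something to pass.
SAMPLE_LOG = """\
F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\System32\\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\System32\\cmd32.exe
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\navapw32.exe
O4 - HKLM\\..\\RunServices: [CMD] cmd32.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# F0 = system.ini on disk, F2 = the registry copy of the same setting.
SHELL_RE = re.compile(r"^(F[02]) - (?:REG:)?system\.ini: Shell=(.*)$", re.I)
# O4 - HKxx\..\<subkey>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(\w+): \[[^\]]*\] (.*)$", re.I)


def exe_name(cmd):
    """Lower-case file name of the executable in a command line (quotes and args dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = cmd.split(None, 1)[0]
    return cmd.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (section, reason, exe) tuples for the suspicious entries in a log."""
    findings = []
    hijackers = set()
    # Pass 1: anything on the Shell= line other than explorer.exe is a hijack.
    for line in log_text.splitlines():
        m = SHELL_RE.match(line)
        if m:
            for token in m.group(2).split():
                exe = exe_name(token)
                if exe != "explorer.exe":
                    hijackers.add(exe)
                    findings.append((m.group(1), "extra program on Shell= line", exe))
    # Pass 2: autorun entries, correlated with pass 1 so order in the log does not matter.
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        subkey, exe = m.group(1), exe_name(m.group(2))
        if exe in hijackers:
            findings.append(("O4", "autorun for the Shell= hijacker", exe))
        elif subkey.lower() == "runservices":
            # RunServices is a Windows 9x key; an NT/XP box has no normal use for it.
            findings.append(("O4", "legacy Win9x RunServices key on NT", exe))
    return findings


if __name__ == "__main__":
    for section, reason, exe in triage(SAMPLE_LOG):
        print(f"{section}: {reason} -> {exe}")
```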
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Thanks Derek for your help. Alongside the cmd32.exe virus, I have also been infected with W32.Pinfi, which infected around 200 files. NAV managed to repair most of them but couldn't repair around 8 files; how could I repair them?

SpyBot highlighted the following files in red, should I delete them?

-----------------------------------------------------------------------------------
Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\related.htm

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2070620897-2317538923-1809067083-1010\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3
-----------------------------------------------------------------------------------

Also I am having problems with NAV, I keep getting these script errors. I have tried the suggestions on the Symantec support site but still no luck.

When I open NAV I get this:

An error has occurred in the script on this page.

Line: 155
Char: 2
Error: Permission denied
Code: 0
URL: res://C:\PROGRA~1\NORTON~1\NAVUI.dll/navstats.htm

When I try and scan, the scan doesn't start and I get this:

An error has occurred in the script on this page.

Line: 82
Char: 2
Error: null is null or not an object
Code: 0
URL: res://C:\PROGRA~1\NORTON~1\NAVUI.dll/scan.htm


If anyone can help that would be great!

Thanx
 
Joined
Dec 9, 2000
Messages
45,855
What are the files that Nav says it cannot clean? If they are program files, the applications will have to be reinstalled. It is not likely they are XP system files.

You can have Spybot "fix" those exploits; it is not deleting anything, just altering some registry entries.

What link or help article did you try to follow for those errors with Symantec?

Was it this one?

http://service1.symantec.com/SUPPOR...88256ad20079d32c?OpenDocument&src=bar_sch_nam
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Thanks Rollin' Rog, yes, that is the same article that I referred to. I have tried all suggestions apart from reinstalling NAV; I was leaving that as a last resort and hoping there was an easier solution.

The files that NAV can't repair display 'access denied'. I cannot list them here because I also get a script error in the Quarantine section which does not allow me to view the files. Is there another way I can access them?
 
Joined
Dec 9, 2000
Messages
45,855
Check and see what is in:

C:\Program Files\Norton AntiVirus\Quarantine

This will tell us what the files are. Usually they would be safe to delete if they have actually been quarantined rather than just "backed up".

I'm afraid I don't have any magic answers on NAV if it's down to a remove and reinstall.
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Can someone check my recent log please? Thanks

Logfile of HijackThis v1.97.2
Scan saved at 23:01:24, on 07/10/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\norton antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Waleed\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts...dir2.dll?s=consumer&ap=b201&c=3C01&lc=0809&ac
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/...rchredir2.dll?c=3C01&lc=0809&s=search&ap=b204
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://demo2.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Thanks Rollin' Rog. In the end I decided to reinstall NAV, now it's fine. By the way, should I allow Internet access to Microsoft Generic Host Process for Win32 Services (svchost.exe)?

I managed to get a list of the files that NAV couldn't repair, in total there are now 110. They are all similar temp files infected with W32.Pinfi. I will list some below, should I delete them?

aja2.temp ala3.temp aln453.tmp ana5.tmp bia1.tmp bia2.tmp bja2.tmp bka3.tmp bla1.tmp bla2.tmp bla3.tmp cka1.tmp dja1.tmp dka1.tmp dka2.tmp dka3.tmp etc etc
 
Joined
Dec 9, 2000
Messages
45,855
Absolutely. I don't know what created them but you can certainly delete anything with a .tmp or .temp extension.

svchost.exe

Yes, that is a vital XP service. Sometimes trojans try to run under similar names or under the same name from a directory other than system32, but I'm sure what you are seeing is the valid one.
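Rollin' Rog's point about svchost.exe, as an added example that is not part of the thread: a Python check over a HijackThis "Running processes" list that flags a core Windows binary running from a directory other than its usual one, and a process name that is only a character or two away from a core name. The first five sample lines come from the log in this thread; the last two are constructed to show each kind of hit.

```python
"""Check a HijackThis 'Running processes' listing for core Windows binaries
running from the wrong directory and for lookalike names.  Added example, not
HijackThis code; the expected directories assume a default C:\\WINDOWS install."""

# Core XP binaries and the directory each normally runs from (assumption: default install).
CORE = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "cmd.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: five lines from the log in this thread, then two made-up bad ones
# (svchost.exe in the wrong directory, and a zero-for-o lookalike in the right one).
SAMPLE_PROCESSES = """\
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.exe
C:\\WINDOWS\\System32\\Smtray.exe
C:\\WINDOWS\\svchost.exe
C:\\WINDOWS\\System32\\svch0st.exe
"""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_processes(listing, max_distance=2):
    """Return (path, reason) pairs for processes that deserve a second look."""
    findings = []
    for path in listing.splitlines():
        path = path.strip()
        if not path:
            continue
        directory, _, name = path.lower().rpartition("\\")
        if name in CORE:
            # Same name as a core binary: only the directory can tell it apart.
            if directory != CORE[name]:
                findings.append((path, "core binary outside its normal directory"))
            continue
        # Not a core name: is it within a couple of edits of one?
        for core in CORE:
            if levenshtein(name, core) <= max_distance:
                findings.append((path, "name looks like " + core))
                break
    return findings


if __name__ == "__main__":
    for path, reason in check_processes(SAMPLE_PROCESSES):
        print(f"{reason}: {path}")
```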
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Thanks again Rollin' Rog, you've been most helpful.

When I scan in HJT and make a log, it saves the log as a FILE document, not as a TEXT document. At first I thought W32.Pinfi had deleted my Notepad, but it's still there; has some other file been damaged for it to be doing this? Also my internet connection keeps disconnecting and only one computer screen flashes, whereas it was excellent before I was hit by this virus.

Where can I check what files are damaged and need reinstalling? In Quarantine there are 330 backup items infected with W32.Pinfi which are mostly program files; have these files been repaired and should I delete them from the list?
 
Joined
Dec 9, 2000
Messages
45,855
It should be saving the Scanlog as a .log file

Sometimes file associations get buggered and log files do not open by default in Notepad as they should.

Right click on the saved file and select "properties". You will see an option there to change the program designated to open it with. Just find Notepad and select that.

Hard to know what is affecting your internet connection.

330 program files are a lot of files. Not knowing what they are, it is hard to advise. I think they may have just been backed up as a precaution prior to cleaning or repairing, since the only ones that NAV couldn't repair were evidently the temporary ones. Does the NAV log tell you which files were cleaned or repaired? If so, then you can delete from backup any that were successfully restored.

You can try this for what it's worth: go to Start>Run and enter:

sfc /scannow

just have your desktop visible when you do this or you may not see what is happening.

Sfc, in theory, will check system files and replace automatically if it can, or prompt you if it can't, any files which are missing from the original protected file verification list.

Since you don't have IE sp1 installed, you could try updating to that to replace any damaged IE files. You should also install the latest cumulative patch.

The two flashing computer screens represent upload and download connectivity. You may see one or the other or both depending on what is required at any given time.

If you are using dialup and can try an alternate number or two, I would do that. Disconnects are usually the result of line noise or ISP router problems, or in some cases the modem itself.
 

LONDON GEEZA

Thread Starter
Joined
Oct 5, 2003
Messages
48
Yes, the scanlog has always saved as a .log file, but ever since 2 days ago it stopped opening in Notepad, and I have been doing it manually as you mentioned above. I just got a bit suspicious and thought the virus was back.

This is what NAV says about the backed up items: "This is a backed-up copy of a file that has been repaired. When you are confident that the repaired item is working properly, delete this item." But I'm not confident that they are all working as I don't know what they do or how to test them. Here's a few of the files:

_isdel.exe
Acrodist.exe
AcroRd32.exe
AcroTray.exe
AOM.exe
ar40eng.exe
ckcwin.exe
Dc12.exe
Dc4.exe
Dc6.exe etc etc

I tried the sfc /scannow and that seems to be OK.

Yes, I am using dialup, but it's a new modem. When you said 'try an alternate number or two' what did you mean? Also the connecting sound sounds different and takes longer to connect, is that the line noise?
 
