Can not launch command shell

therube
Posts: 674
Joined: 14 Dec 2006, 06:22

Re: Can not launch command shell

Post by therube »

Maybe if you added filters: Process Name is salamand.exe & Process Name is cmd.exe, that would cut down on size (& hopefully provide enough information to work with)?

Or you could post it to a place like, http://pastebin.com/. (Still a size limit, but can handle ~500 KB.)

Quite a lot can happen in a matter of seconds ;-).
WinXP Pro SP3 or Win7 x86 | SS 2.54
SelfMan
Posts: 1142
Joined: 05 Apr 2006, 20:51

Re: Can not launch command shell

Post by SelfMan »

OK, I've got the trace. The result is not so nice for you, as I've discovered that your system is infected by a fake antivirus malware.
You should clean up your system first... Symantec does not do a good job here.
Try some of the online scanners like the one from ESET or Dr.Web Antivirus - CureIt

See the problem (offending part is the k.exe):

Code:

109485	23:56:02,1143247	salamand.exe	4284	CreateFile	C:\Program Files\Altap Salamander\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109486	23:56:02,1144055	salamand.exe	4284	QueryNameInformationFile	C:\Windows\System32	SUCCESS	Name: \Windows\System32
109487	23:56:02,1144359	salamand.exe	4284	QueryNameInformationFile	C:\Windows\System32	SUCCESS	Name: \Windows\System32
109488	23:56:02,1145159	salamand.exe	4284	QueryNameInformationFile	C:\Windows\System32	SUCCESS	Name: \Windows\System32
109489	23:56:02,1145480	salamand.exe	4284	QueryNameInformationFile	C:\Windows\System32	SUCCESS	Name: \Windows\System32
109490	23:56:02,1145839	salamand.exe	4284	QueryNameInformationFile	C:\Windows\System32	SUCCESS	Name: \Windows\System32
109491	23:56:02,1146436	salamand.exe	4284	CreateFile	C:\Windows\System32\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109492	23:56:02,1147956	salamand.exe	4284	CreateFile	C:\Windows\system32\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109493	23:56:02,1149411	salamand.exe	4284	CreateFile	C:\Windows\system\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109494	23:56:02,1151339	salamand.exe	4284	CreateFile	C:\Windows\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109495	23:56:02,1153230	salamand.exe	4284	CreateFile	C:\Windows\system32\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109496	23:56:02,1155115	salamand.exe	4284	CreateFile	C:\Windows\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109497	23:56:02,1156886	salamand.exe	4284	CreateFile	C:\Windows\System32\Wbem\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109498	23:56:02,1158612	salamand.exe	4284	CreateFile	C:\Program Files\WIDCOMM\Bluetooth Software\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109499	23:56:02,1160381	salamand.exe	4284	CreateFile	C:\Program Files\Citrix\system32\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109500	23:56:02,1162290	salamand.exe	4284	CreateFile	C:\Program Files\Aastra\Solidus eCare\Applications\Bin\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109501	23:56:02,1164298	salamand.exe	4284	CreateFile	C:\Program Files\Common Files\EricssonShare\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109502	23:56:02,1165791	salamand.exe	4284	CreateFile	C:\Program Files\Common Files\EricssonShare\NextCCShare\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109503	23:56:02,1167238	salamand.exe	4284	CreateFile	C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109504	23:56:02,1168625	salamand.exe	4284	CreateFile	C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ThirdParty\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109505	23:56:02,1169976	salamand.exe	4284	CreateFile	C:\NDI\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109506	23:56:02,1171391	salamand.exe	4284	CreateFile	C:\Windows\system32\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109507	23:56:02,1172729	salamand.exe	4284	CreateFile	C:\Windows\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109508	23:56:02,1174293	salamand.exe	4284	CreateFile	C:\Windows\System32\Wbem\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109509	23:56:02,1175687	salamand.exe	4284	CreateFile	C:\Program Files\WIDCOMM\Bluetooth Software\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109510	23:56:02,1176990	salamand.exe	4284	CreateFile	C:\Program Files\Citrix\system32\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109511	23:56:02,1178435	salamand.exe	4284	CreateFile	C:\Program Files\Aastra\Solidus eCare\Applications\Bin\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109512	23:56:02,1179809	salamand.exe	4284	CreateFile	C:\Program Files\Common Files\EricssonShare\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109513	23:56:02,1181157	salamand.exe	4284	CreateFile	C:\Program Files\Common Files\EricssonShare\NextCCShare\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109514	23:56:02,1182657	salamand.exe	4284	CreateFile	C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109515	23:56:02,1184209	salamand.exe	4284	CreateFile	C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ThirdParty\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109516	23:56:02,1185558	salamand.exe	4284	CreateFile	C:\NDI\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109517	23:56:02,1186710	salamand.exe	4284	CreateFile	C:\windows\system32\cmd.exe\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109518	23:56:02,1188301	salamand.exe	4284	CreateFile	C:\Program Files\Altap Salamander\ \K "\".exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

There are only TWO places where Salamander is searching and invoking the cmd.exe:

Code:

41845	23:56:02,1186710	salamand.exe	4284	CreateFile	C:\windows\system32\cmd.exe\ \K.exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

41878	23:56:02,1233537	salamand.exe	4284	CreateFile	C:\windows\system32\cmd.exe\ \K "\".exe	PATH NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

Both attempts fail with PATH NOT FOUND.
The problem is that the malware is modifying the path so it is always started as the main executable and then it runs the desired application as its parameter. In the case of Salamander this fails, as Salamander starts cmd directly and not using Explorer's API.

So, clean up your system AND I recommend to change all your passwords. Mail, websites, this forum, everything.

Oh, and there is one more thing. Your registry does not contain the following registry key:

Code:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Applications\cmd.exe]
"NoOpenWith"=""

Copy and paste this to a text file, rename it to cmd.reg and import it to your system. (Don't forget to enable the displaying of file extensions so you don't end up with cmd.reg.txt.)
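
Added example, not part of SelfMan's post: a small Python filter that picks the pattern he points out (failed CreateFile probes whose path contains a blank component, or an .exe used as a directory) out of a pasted Process Monitor trace. It assumes the tab-separated column order shown in the trace above; the function names and the last sample line are constructed for illustration.

```python
from collections import defaultdict
from ntpath import splitdrive

# First three lines: copied from the trace in the post above (detail column
# shortened to "..."). Last line: constructed here as a benign lookup.
SAMPLE = "\n".join("\t".join(f) for f in [
    ("109485", "23:56:02,1143247", "salamand.exe", "4284", "CreateFile",
     r"C:\Program Files\Altap Salamander\ \K.exe", "PATH NOT FOUND", "..."),
    ("109491", "23:56:02,1146436", "salamand.exe", "4284", "CreateFile",
     r"C:\Windows\System32\ \K.exe", "PATH NOT FOUND", "..."),
    ("109517", "23:56:02,1186710", "salamand.exe", "4284", "CreateFile",
     r"C:\windows\system32\cmd.exe\ \K.exe", "PATH NOT FOUND", "..."),
    ("200001", "23:56:03,0000000", "salamand.exe", "4284", "CreateFile",
     r"C:\Windows\System32\cmd.exe", "SUCCESS", "..."),
])

EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd")

def is_blank(component):
    """True for an empty, whitespace-only or non-displayable path component."""
    return all(ch.isspace() or not ch.isprintable() for ch in component)

def path_anomalies(path):
    """Return the set of reasons a probed path looks malformed."""
    parts = splitdrive(path)[1].strip("\\").split("\\")
    reasons = set()
    if any(is_blank(p) for p in parts):
        reasons.add("blank-component")
    if any(p.lower().endswith(EXE_SUFFIXES) for p in parts[:-1]):
        reasons.add("exe-as-directory")
    return reasons

def scan(trace_text):
    """Group failed, malformed CreateFile probes by (process, pid, file name)."""
    findings = defaultdict(lambda: {"probes": 0, "reasons": set()})
    for line in trace_text.splitlines():
        f = line.split("\t")
        if len(f) < 7 or f[4] != "CreateFile" or f[6] != "PATH NOT FOUND":
            continue
        reasons = path_anomalies(f[5])
        if reasons:
            leaf = f[5].rsplit("\\", 1)[-1].lower()
            entry = findings[(f[2], f[3], leaf)]
            entry["probes"] += 1
            entry["reasons"] |= reasons
    return dict(findings)

if __name__ == "__main__":
    for key, info in scan(SAMPLE).items():
        print(key, info["probes"], sorted(info["reasons"]))
```

Many probes for the same malformed file name across different directories, as in the trace above, indicate a search-path lookup for a command line that was altered before the process launch.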
therube
Posts: 674
Joined: 14 Dec 2006, 06:22

Re: Can not launch command shell

Post by therube »

(I would backup your data.)

[ > infected by a fake antivirus malware

I would think that Malwarebytes Anti-Malware would do better. Free version is fine. Pro adds real-time protections.
http://www.bleepingcomputer.com/virus-removal/ has very good guides on many of these Fake A/V's. ]

> C:\Windows\System32\ \K.exe

The "space" (or some otherwise non-displayable character) is purposely there?

And the actual "K.exe" (part of the) malware is physically gone? Just that its presence is still littered throughout the Registry?
WinXP Pro SP3 or Win7 x86 | SS 2.54
SelfMan
Posts: 1142
Joined: 05 Apr 2006, 20:51

Re: Can not launch command shell

Post by SelfMan »

I did not go deeper into it... the space is really there. I can't tell at the moment if it's a space or some special character.
The thing is, that it should not be there...
jpermana
Posts: 36
Joined: 17 Feb 2010, 17:48

Re: Can not launch command shell

Post by jpermana »

thx selfman and therube,

I finally made it work; it seems Windows Vista Service Pack 2 is not quite stable... :lol:

jpermana...
SelfMan
Posts: 1142
Joined: 05 Apr 2006, 20:51

Re: Can not launch command shell

Post by SelfMan »

Just a quick question for others - what tool did you use to clean up the worm?
jpermana
Posts: 36
Joined: 17 Feb 2010, 17:48

Re: Can not launch command shell

Post by jpermana »

no tool...reformat hard drive.... :lol: