Maybe if you added filters: Process Name is salamand.exe & Process Name is cmd.exe, that would cut down on size (& hopefully provide enough information to work with)?
Or you could post it to a place like http://pastebin.com/. (Still a size limit, but can handle ~500 KB.)
Quite a lot can happen in a matter of seconds.
Can not launch command shell
Re: Can not launch command shell
WinXP Pro SP3 or Win7 x86 | SS 2.54
Re: Can not launch command shell
Ok, I've got the trace. The result is not so nice for you, as I've discovered that your system is infected by a fake antivirus malware.
You should clean up your system first... Symantec does not do a good job here.
Try some of the online scanners like the one from ESET or Dr.Web Antivirus - CureIt
See the problem (offending part is the k.exe):
Code:
109485 23:56:02,1143247 salamand.exe 4284 CreateFile C:\Program Files\Altap Salamander\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109486 23:56:02,1144055 salamand.exe 4284 QueryNameInformationFile C:\Windows\System32 SUCCESS Name: \Windows\System32
109487 23:56:02,1144359 salamand.exe 4284 QueryNameInformationFile C:\Windows\System32 SUCCESS Name: \Windows\System32
109488 23:56:02,1145159 salamand.exe 4284 QueryNameInformationFile C:\Windows\System32 SUCCESS Name: \Windows\System32
109489 23:56:02,1145480 salamand.exe 4284 QueryNameInformationFile C:\Windows\System32 SUCCESS Name: \Windows\System32
109490 23:56:02,1145839 salamand.exe 4284 QueryNameInformationFile C:\Windows\System32 SUCCESS Name: \Windows\System32
109491 23:56:02,1146436 salamand.exe 4284 CreateFile C:\Windows\System32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109492 23:56:02,1147956 salamand.exe 4284 CreateFile C:\Windows\system32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109493 23:56:02,1149411 salamand.exe 4284 CreateFile C:\Windows\system\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109494 23:56:02,1151339 salamand.exe 4284 CreateFile C:\Windows\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109495 23:56:02,1153230 salamand.exe 4284 CreateFile C:\Windows\system32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109496 23:56:02,1155115 salamand.exe 4284 CreateFile C:\Windows\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109497 23:56:02,1156886 salamand.exe 4284 CreateFile C:\Windows\System32\Wbem\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109498 23:56:02,1158612 salamand.exe 4284 CreateFile C:\Program Files\WIDCOMM\Bluetooth Software\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109499 23:56:02,1160381 salamand.exe 4284 CreateFile C:\Program Files\Citrix\system32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109500 23:56:02,1162290 salamand.exe 4284 CreateFile C:\Program Files\Aastra\Solidus eCare\Applications\Bin\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109501 23:56:02,1164298 salamand.exe 4284 CreateFile C:\Program Files\Common Files\EricssonShare\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109502 23:56:02,1165791 salamand.exe 4284 CreateFile C:\Program Files\Common Files\EricssonShare\NextCCShare\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109503 23:56:02,1167238 salamand.exe 4284 CreateFile C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109504 23:56:02,1168625 salamand.exe 4284 CreateFile C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ThirdParty\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109505 23:56:02,1169976 salamand.exe 4284 CreateFile C:\NDI\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109506 23:56:02,1171391 salamand.exe 4284 CreateFile C:\Windows\system32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109507 23:56:02,1172729 salamand.exe 4284 CreateFile C:\Windows\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109508 23:56:02,1174293 salamand.exe 4284 CreateFile C:\Windows\System32\Wbem\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109509 23:56:02,1175687 salamand.exe 4284 CreateFile C:\Program Files\WIDCOMM\Bluetooth Software\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109510 23:56:02,1176990 salamand.exe 4284 CreateFile C:\Program Files\Citrix\system32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109511 23:56:02,1178435 salamand.exe 4284 CreateFile C:\Program Files\Aastra\Solidus eCare\Applications\Bin\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109512 23:56:02,1179809 salamand.exe 4284 CreateFile C:\Program Files\Common Files\EricssonShare\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109513 23:56:02,1181157 salamand.exe 4284 CreateFile C:\Program Files\Common Files\EricssonShare\NextCCShare\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109514 23:56:02,1182657 salamand.exe 4284 CreateFile C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109515 23:56:02,1184209 salamand.exe 4284 CreateFile C:\Program Files\Aastra\Solidus eCare\ScriptManager\Bin\ThirdParty\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109516 23:56:02,1185558 salamand.exe 4284 CreateFile C:\NDI\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109517 23:56:02,1186710 salamand.exe 4284 CreateFile C:\windows\system32\cmd.exe\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
109518 23:56:02,1188301 salamand.exe 4284 CreateFile C:\Program Files\Altap Salamander\ \K "\".exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
There are only TWO places where Salamander is searching and invoking the cmd.exe.
Both attempts fail with PATH NOT FOUND.
Code:
41845 23:56:02,1186710 salamand.exe 4284 CreateFile C:\windows\system32\cmd.exe\ \K.exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
41878 23:56:02,1233537 salamand.exe 4284 CreateFile C:\windows\system32\cmd.exe\ \K "\".exe PATH NOT FOUND Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
Problem is that the malware is modifying the path so it is always started as a main executable and then it runs the desired application as its parameter. In case of Salamander this fails as Salamander starts the cmd directly and not using Explorer's API.
So, clean up your system AND I recommend to change all your passwords. Mail, websites, this forum, everything.
Oh and there is one more thing. Your registry does not contain the following registry key:
Code:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Applications\cmd.exe]
"NoOpenWith"=""
Copy and paste this to a text file, rename it to cmd.reg and import it to your system. (Don't forget to enable the displaying of file extensions so you don't end up with cmd.reg.txt.)
Re: Can not launch command shell
(I would backup your data.)
[ > infected by a fake antivirus malware
I would think that Malwarebytes Anti-Malware would do better. Free version is fine. Pro adds real-time protections.
http://www.bleepingcomputer.com/virus-removal/ has very good guides on many of these Fake A/V's. ]
The "space" (or some otherwise non-displayable character) is purposely there? C:\Windows\System32\ \K.exe
And the actual "K.exe" (part of the) malware is physically gone? Just that its presence is still littered throughout the Registry?
WinXP Pro SP3 or Win7 x86 | SS 2.54
Re: Can not launch command shell
I did not go deeper into it... the space is really there. I can't tell at the moment if it's a space or some special character.
The thing is, that it should not be there...
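The anomaly in the Process Monitor trace earlier in this thread, turned into a check (an added example, not part of any post): it flags failed CreateFile lookups whose path has a blank component or an executable name used as a directory, and counts how many directories one missing leaf name was probed in. The function names, the `min_dirs` threshold and the benign last sample line are assumptions; the other sample lines are shortened from the trace.

```python
import re
from collections import defaultdict

# Text layout as shown in the thread: seq, time, process, PID, operation,
# path, result, detail. Paths contain spaces, so anchor on the result column.
LINE = re.compile(
    r"^(?P<seq>\d+)\s+\S+\s+(?P<proc>\S+)\s+\d+\s+(?P<op>\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>PATH NOT FOUND|NAME NOT FOUND|SUCCESS)\b")
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)

# Lines shortened from the trace above; the last one is constructed (benign).
SAMPLE = [
    r"109490 23:56:02,1145839 salamand.exe 4284 QueryNameInformationFile C:\Windows\System32 SUCCESS Name: \Windows\System32",
    r"109491 23:56:02,1146436 salamand.exe 4284 CreateFile C:\Windows\System32\ \K.exe PATH NOT FOUND Desired Access: Read Attributes",
    r"109494 23:56:02,1151339 salamand.exe 4284 CreateFile C:\Windows\ \K.exe PATH NOT FOUND Desired Access: Read Attributes",
    r"109505 23:56:02,1169976 salamand.exe 4284 CreateFile C:\NDI\ \K.exe PATH NOT FOUND Desired Access: Read Attributes",
    r"109517 23:56:02,1186710 salamand.exe 4284 CreateFile C:\windows\system32\cmd.exe\ \K.exe PATH NOT FOUND Desired Access: Read Attributes",
    r"200001 23:56:03,0000000 salamand.exe 4284 CreateFile C:\Windows\System32\cmd.exe SUCCESS Desired Access: Read Attributes",
]

def parse(line):
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def path_anomalies(path):
    """Reasons a looked-up path looks like a mis-parsed command line."""
    parts = path.split("\\")
    reasons = []
    if any(p and not p.strip() for p in parts[1:-1]):
        reasons.append("blank-component")  # the "\ \" seen in the trace
    if any(EXECUTABLE.search(p) for p in parts[:-1]):
        reasons.append("executable-used-as-directory")  # cmd.exe\...
    return reasons

def analyze(lines, min_dirs=3):
    """Return (flagged events, leaf names probed in >= min_dirs directories)."""
    flagged, probes = [], defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["op"] != "CreateFile" or ev["result"] == "SUCCESS":
            continue
        reasons = path_anomalies(ev["path"])
        if reasons:
            flagged.append((int(ev["seq"]), reasons))
        directory, _, leaf = ev["path"].rpartition("\\")
        probes[(ev["proc"], leaf.lower())].add(directory.lower())
    searches = {k: len(v) for k, v in probes.items() if len(v) >= min_dirs}
    return flagged, searches

if __name__ == "__main__":
    for seq, reasons in analyze(SAMPLE)[0]:
        print(seq, ", ".join(reasons))
```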
Re: Can not launch command shell
thx selfman and therube,
I finally made it work; it seems Windows Vista Service Pack 2 is not quite stable...
jpermana...
Re: Can not launch command shell
Just a quick question for others - what tool did you use to clean up the worm?
Re: Can not launch command shell
no tool...reformat hard drive....