Results 1 to 14 of 14

Thread: CMD.EXE pop-up when windows startsup help please!

  1. #1
    Junior Member
    Join Date
    Jan 2005
    Posts
    5

    CMD.EXE pop-up when windows startsup help please!

    I have problem with Dos window shows up on Windows start up: "c:/windows/system32/cmd.exe" Here is how it started: after Windows booted up on desktop notepad opened up by itself with a few rows of gibbersh only readable line was "update completed" in between the lines. Now every time i (re)boot dos promt shows up.I used Spybot,Yahoo antispy, Ad-Aware, Norton antivirus. Yahoo Antispy did find "unknown trojan" removed it but problem didn't go away. My system Windows XP pro sp2. Also some strange stuff in my startup.ini: /program/,Fbfxec.exe(4 times). Please Help!

    P.S. There is another post about it on this board but no solution.
    Last edited by hugenex; January 6th, 2005 at 23:59 PM.

  2. #2
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,385
    Oh... THAT cmd.exe post...

    ok, it definitely sounds like you have a virus, especially with the fbfxec.exe in startup... As Yahoo found a trojan, albeit unknown, it probably didnt know exactly how to remove it, so you should treat the 'Removed' with caution. Have you updated your virus definitions before you did the virus scan and adware scans etc?

    Try rebooting into safe mode, and run the virus scan, as some viruses know they are being scanned and either turn off AV or themselves...

    you could try doing an Online Virus scan, LynchKnot would be best person to talk to - he's had lots of experience with viruses

    --- 0wN3D by 3gG ---

  3. #3
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Yeah everything is up to date. Did Virus scan in safe mode still no luck.Any other ideas? Also did search on fbfcex no mention at all.

  4. #4
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,303
    Tried CWShredder yet?

  5. #5
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Here is my Hijackthis log Please decode:
    Logfile of HijackThis v1.98.2
    Scan saved at 1:10:32 AM, on 1/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\FBFxec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [FB Exec Stub] FBFxec.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [FB Exec Stub] FBFxec.exe
    O4 - HKLM\..\RunOnce: [FB Exec Stub] FBFxec.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [FB Exec Stub] FBFxec.exe
    O4 - HKCU\..\Run: [LDM] \Program\
    O4 - HKCU\..\RunOnce: [FB Exec Stub] FBFxec.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...b7_artist.html
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3122ccba...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1089965184421
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O18 - Protocol: bw+0 - {3CBB5D10-77F8-4705-A6B8-73096A007D6B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {3CBB5D10-77F8-4705-A6B8-73096A007D6B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {3CBB5D10-77F8-4705-A6B8-73096A007D6B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {3CBB5D10-77F8-4705-A6B8-73096A007D6B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {3CBB5D10-77F8-4705-A6B8-73096A007D6B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

  6. #6
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,089
    Copy & Paste your log into decoded Hijackthis

    Bookmark the link

    I would disable the startup items that aren't vital, start them manually if needed.
    Last edited by FastGame; January 7th, 2005 at 16:32 PM.

  7. #7
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Thank you everybody! I can't locate that ****ing virus, tried safe mode nothing. SWshredder did find 1 trojan and removed it other than that
    fbfxec.exe is still in the system. Hijackthis can't recognize it. Should I just try to backup some files and format hd?

  8. #8
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,089
    Quote Originally Posted by hugenex
    Should I just try to backup some files and format hd?
    You don't have to ask us that question thats our favorite way of fixing most things

    Of coarse most of the TZ'ers have an image of their drives, only takes a few minutes.

    BTW lynchknot is our expert in this field

  9. #9
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    I'm having the same problem, cmd prompt after boot, fbfxec.exe in task. No idea where it came from. I'll post if i figure it out. AV and spyware progs don't seem to know anything about it

  10. #10
    Junior Member
    Join Date
    Jan 2005
    Posts
    3
    I recently installed an updated version of Ebay toolbar about the same time it showed up. You?

  11. #11
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,737
    Quote Originally Posted by ETJ
    I recently installed an updated version of Ebay toolbar about the same time it showed up.
    Try this.
    Uninstall the eBay toolbar or use system restore and select the latest restore point prior to installing the toolbar.If the problem persists you can then rule out the toolbar.

    =========== Please Read The Forum Rules ===========

  12. #12
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,737
    A couple of other possbile fixes:

    Have you checked your Start Up folder? There may be a reference to fbfxec.exe in there. Right click and delete it if there is.

    Navigate to the file C:\WINDOWS\system32\FBFxec.exe and try deleting it.(you may need to delete it in Safe Mode)

    =========== Please Read The Forum Rules ===========

  13. #13
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Latest software i instaled: ipod and itrip (little gadget for ipod to play it wireless) that is all.

  14. #14
    Junior Member
    Join Date
    Jan 2005
    Posts
    3

    think its gone

    I nuked it from c:\windows\system32 and blew away all traces in the registry. >seems< to be gone now.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •