Hello, first post here.  Apologies for a long post but I want to give a detailed account of what's happened / what I've tried doing to mitigate the issue.

I've run into a potential problem with Windows Command Processor.  Left my comp on last night and came in to find it was off.  Might have been part of my UPS scheduling, or maybe not.  However when I logged in I immediately noticed a problem with the computer.  Primarily, it would not connect to the network.  I have a wired connection, and the wifi was working (able to access internet via my phone, which uses the same wifi/router/ cable modem).  I tried to diagnose the network problem, but the Network Sharing Center would not start.  That's when I suspected something was up, and opened Task Manager to see if any weird programs were going on or odd processes running. Unfortunately I could not diagnose the issue.

About this time, the "Do you want to allow X to make changes" notification regarding Windows Command Processor came up and I ignored it, trying to discover what it was (I recognized it as a suspicious message immediately).  By using my phone's internet I discovered this as a likely trojan malware infection.  I did not grant it permission to do anything, and as far as I can remember it shut itself down (I may have used Task Manager to end task, I can't exactly remember, but I expressly did not give it permission).

Malwarebytes was already on my comp but WAY out of date.  Without internet, I could not update.  Despite this I ran a scan... it showed no issues.

I've tried following various instructions to clear the problem myself but am unsure whether I have been successful.

Here's what I've done:

  • Attempted to restart in Safe Mode with Networking - but ended up restarting in normal.  I logged into the alternative account (guest permissions) to check startup files that might be related to Windows Command Processor but found none (looking in appdata roaming and local startup folders).  After two more tries I managed to get into Safe w/ networking.  
  • Unfortunately Safe w/ Networking continued to have no network access.  Meaning I could not work on it.
  • I grabbed my laptop, downloaded a new copy of Malwarebytes on it, intending to manually port the updated malware log to the infected computer and then run MWB again.
  • Weirdly, the infected computer managed to gain an internet connection after 15-20 minutes of sitting idle.  I'm typing on it now.  (I never ported anything from the good comp to the bad)
  • Using the now-freed-up internet connection, I updated MWB, ran it again and found some PUP items.  I followed the instructions and quarantined them.  (They were Ask files - probably related to Ask.com which could be old / unrelated... or not)
  • Then I downloaded RKill, ran it, then ran MWB again, and Trend Micro's Housecall.  Both scans came up clean.
  • I also downloaded FRST and ran it.  Don't really know what to do with the info.
  • Subsequent MWB and Trend Micro scans haven't found anything.

Here are the txt logs:

(Appreciate any help - will leave this comp on and in Safe w/ Networking until I hear otherwise.)


Addition.txt

FRST.txt

Malwarebytes report.txt

MWB PUP 6 26.txt

MWB Scan 6 26.txt

Rkill.txt


  • Root Admin

Hello @Blackfive and welcome!

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks

Ron


Hi, Ron. 

Thanks for the help!  

I started following the steps with the comp in Windows Safe Mode with Networking (more on that later).  Immediately ran into a problem as JRT would not run as administrator.  I'd right click, select run as administrator, but the DOS shell program states that the program runs better when running with administrator privileges.  I don't know if that is a normal problem when running in safe mode or if there is a problem with permissions.  In any event I ran the program and it found and cleaned a bunch of files. Next I ran AdwC.  It worked flawlessly, locating and cleaning registry entries.

Unfortunately Sophos won't install in Safe mode.  I loaded up in normal but the installation apparently requires network access (it hung almost as soon as it began the installation). 

Here is the crux: whatever infection I have is preventing/delaying making a network connection.  The primary culprit has something to do with the firewall.  In normal mode CPU runs at 100% and it seems I never get a network connection.  I have to shut off at the PSU.

In Safe, I still have high CPU loads with nothing running, but after 20 minutes or so will connect to the internet. The same process is running. 

Unfortunately I had to leave, but when I get back to the house I will upload the reports from the two programs that did run.  I can also post a screen shot of the running processes if you want. 

Question: should I load normal windows and let the computer sit idle until it makes a network connection and then try Sophos again? 


Back home.  The processes running in the Resource Monitor are shown in the attached Jpeg.

Note: the JRT is the second run report.  The first got overwritten.

I am going to try to bypass the networking problem by unplugging from the network and see if I can't get Sophos to work.

JRT.txt

1AdwCleaner[S0].txt

1AdwCleaner[C0].txt

Running Processes and Svs Safe Mode.jpg


  • Root Admin

Please try to uninstall Java.

Then try to run the following.

Please visit this web page and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

I'll do that. 

In the meantime, SVRT and FRST both failed to find anything, and there are no fix logs to report.   Without networking I was not able to get any updates for SVRT - but I used the build you supplied and it looked fairly recent. 

I was unable to remove Java in Safe mode.  Nor could I get an internet connection to download the program.  Whether related or not I noticed explorer.exe was not responding (red in task manager) 

Booted up in normal mode, but CPU is running above 76% and physical memory is at 10%.  The Uninstaller froze and the entire system is now hung up (dings every mouse click).

Time to shut down via the PSU and see if I can get something to work...  Will report back soon 

Appreciate your time!

  • Root Admin

Don't typically notice that in F8 but maybe the MFG added it. Normally see that from BIOS or UEFI menu to allow booting from USB or other choices.

There could potentially be a rootkit but need something to run to try and find it.

We can do a special FRST run from the Recovery Environment if needed but typically if something was there it shows in the normal run.

Let me know how ComboFix goes.

Um... Well, after reading the combofix instructions I may not be able to use it.  It requires an active internet connection. 

Getting late here.  Will try to reestablish a connection in the morning. 

Thanks again for the help!

Going to try the msconfig now 

Edit: network just came up (37 minutes where). Starting to get ComboFix.

Hmmm... ComboFix ran, apparently fine.  Found several files to delete, including one called installer.exe on a rarely used drive.  I didn't have time to jot down the rest.

Then it said it was restarting the computer... And is apparently hung up.  Only have a black screen. Fans are running normally so I'll just let it sit (likely overnight) until I hear back from you on what steps I need to take. 

Thanks and good night 


Sad to say, but the comp is in the same state it was last night. 

While I have not done anything, this Bleeping Computer thread is the only one I've seen with a similar state: https://www.bleepingcomputer.com/forums/t/287104/black-screen-after-combofix-restart/

While the thread was too short to learn whether it actually preserved the log files, the .txt files listed give me some hope we can recover whatever ComboFix did before the restart.

FWIW my black screen does not have a cursor (it's not a DOS black screen but rather grey/black because it is not doing anything).

Waiting to hear back from you before I proceed. 


I'm afraid the computer may be FUBAR. 

After nearly 20 hours of the computer sitting idle I hit Ctrl+Alt+Del and it boots up. The ComboFix DOS shell comes up with the home screen and says it is 'preparing log report' and asks me to not do anything.

I let it sit for 40 minutes with nothing happening.  During this time the network icon has the churning circle but eventually it clears indicating that a network connection is available. 

Combofix is not doing anything, just sitting there with a blinking cursor. 

Decided to see if it had generated a log. I checked the .txt file location and there is a 4 KB file that should be the log file.

Unfortunately nothing will open. I get the error message 'illegal operation attempted on a registry key that is marked for deletion'. 

Ideas?


WOOT!  I left it alone, and eventually it generated a log file!

Heh (laughing at myself and the situation).  Both at my failure to apprehend that the answer to the "Illegal Operation" thing was already in your post above (written in red of all things) and how long the program took to finish.

  • Herein lies the problem of trying to solve computer issues after midnight.
  • Not since the '90s have I needed to leave a process running overnight for it to do something... and this one took two days!
  • insert chagrined, rueful laughter

Okay, so I left the blue screen with blinking cursor alone after posting the above and this morning woke up to find the ComboFix log on the screen.  And, as I am using the computer at the moment, the "Illegal Operation" messages have cleared up - meaning I can access files again.  Glad I didn't try any other self-help.

Here's the log. 

Next steps?

ComboFix.txt


  • Root Admin

Sorry it took so long. Not sure why that happened. Possibly a lot of temp files but we'll be cleaning those soon.

Is the computer able to boot into Normal mode now and have networking work?

Don't think this will find anything, but we should go ahead and try it to make sure.

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you

Ron


Tried running TDSSKiller.  It rebooted the computer.  But I'm not getting a network connection after nearly 1/2 hour.

TMDrMon (which Google tells me is a Trend Micro process) is churning 50% of the CPU.  The other 25% is the svchost (LocalServiceNoNetworking) which is doing something with MpsSvc - which Resource Monitor tells me has to do with the firewall.

This is basically a continuing problem.

It's possible that the comp will eventually establish a connection.  Will monitor and post results of TDSSKiller if I can get it to work.
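The post above attributes the CPU load to an svchost instance hosting MpsSvc. The script below is an added triage example, not something from the thread or from any of the tools it names: it maps each svchost.exe to the services it hosts and their image paths, reports the state and binary of MpsSvc itself, and lists the Run/RunOnce keys and Startup folders the original poster inspected by hand. It assumes PowerShell 3.0 or later (for Get-CimInstance) run from an elevated prompt.

```powershell
# Added example, not from the thread: triage a high-CPU svchost.exe the way a responder
# would, then list the autostart locations the original poster inspected manually.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt.

# 1. Map every svchost.exe PID to the services it hosts, highest CPU time first.
$svcByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Sort-Object -Property CPU -Descending |
    ForEach-Object {
        $hosted = $svcByPid["$($_.Id)"]
        [pscustomobject]@{
            PID      = $_.Id
            CPUsec   = [math]::Round($_.CPU, 1)
            Services = ($hosted.Name -join ', ')
            # A service whose image is not %SystemRoot%\System32\svchost.exe deserves a closer look.
            Paths    = (($hosted.PathName | Select-Object -Unique) -join ' | ')
        }
    } | Format-Table -AutoSize -Wrap

# 2. The Windows Firewall service (MpsSvc) named in the post: state, start mode, image path.
$fw = Get-CimInstance Win32_Service -Filter "Name='MpsSvc'"
'MpsSvc: state={0} startmode={1} path={2}' -f $fw.State, $fw.StartMode, $fw.PathName

# 3. Autostart entries: Run/RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Drop the PS* provider properties so only the value names of the key remain.
    $props = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    foreach ($p in $props.PSObject.Properties) {
        '{0}  {1} = {2}' -f $key, $p.Name, $p.Value
    }
}

# 4. Startup folders for the current user and for all users (hidden files included).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Select-Object -Property FullName, LastWriteTime
}
```

Compare the reported image paths and autostart entries against the FRST and ComboFix logs already posted rather than acting on the script output alone.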

Okay I killed Tmdrmon by ending the process and ending the process tree. 

I now have a very slow connection to the internet. TDSSKiller scan started... But while it says scan in process, after 5 minutes it still shows 0 objects processed. 

The log file's last entry is KSN ping started 


Deleted the Trend Micro program.  TDSSKiller did nothing for over an hour.

Rebooted.

CPU usage still at 100%.

No network, no ability to do anything. Every mouse click gets a bing... meaning it is not working.

I think the computer is borked.  Frustrating and starting to think I need to just buy a new HD and start over. 


  • Root Admin

Let's try something else.

Start the computer into the Windows Recovery Environment and we'll get a new FRST report from outside the installed operating system and see if we can find a cause.

Please download Farbar Recovery Scan Tool and save it to a USB flash drive.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

Plug the flash drive into the infected PC and start the computer into the Recovery Options for Command Prompt.

Windows Vista, 7

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Windows 8, 8.1
Please see
How to use the Windows 8 System Recovery Environment Command Prompt

Windows 10
Please see
How to Start Windows 10 in Safe Mode with Command Prompt

How to Boot to Advanced Startup Options in Windows 10

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc.
Any Windows installation disc or a repair disc made on another computer can be used.
Choose one of the options below to download and create a Windows Repair Disk or Installation Disk. Either one can be used.

How to Create a Windows 7 System Repair Disc
How to Create a System Repair Disc in Windows 10
Microsoft Windows and Office ISO Download Tool

You may also download from Microsoft but you will need to input your license key first. The above links do not require your key

Download Windows 7 Disc Images (ISO Files)
Download Windows 8.1
Download Windows 10

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • Notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
