Jump to content

Help with removing Hijack.Shell


Recommended Posts

Greetings, I had and a problem where the cmd opened on startup and couldn't be open by me after it closed automatically. I dowloaded Malwarebytes and it found to no ones suprise a threat. I quarantined it and removed it with the program.  After that I can still boot the computer but when I try to log into my account there is only a cmd in system 32 and a blackscreen behind it. How do i safely remove the infected file? I have restored my computer to a previous working version and quarantined the file again.




Link to post
Share on other sites

Hi Rhisk :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread

This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Please give me a few to review your logs and get back at you.

Link to post
Share on other sites

Thank you for waiting. Follow the instructions below.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply


Link to post
Share on other sites

Thank you for helping me, you are the best! Should I rebbot or not seeing as that is where it might break again?

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-11-2017
Ran by Richard (29-11-2017 17:02:10) Run:1
Running from C:\Users\Richard\Downloads
Loaded Profiles: Richard (Available Profiles: defaultuser0 & Richard)
Boot Mode: Normal

fixlist content:

HKU\S-1-5-21-406179256-1937463932-1247465908-1001\...\Winlogon: [Shell] C:\Windows\System32\cmd.exe [272896 2017-09-29] (Microsoft Corporation) <==== ATTENTION
GroupPolicyUsers\S-1-5-21-406179256-1937463932-1247465908-1001\User: Restriction <==== ATTENTION

Task: {27D3B2AA-1288-4AF6-9C6E-8E97FF5B2688} - \ThunderMaster -> No File <==== ATTENTION
Task: {BEF6100E-7F70-4C5F-8FA3-744B0AACC337} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION

FirewallRules: [UDP Query User{A2BA608F-E26E-4141-8D84-2674BE2E59AF}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe
FirewallRules: [TCP Query User{2889C72F-6B72-4845-A4C4-40E0BCC294D8}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe
FirewallRules: [TCP Query User{41E1112E-341F-4FC8-ACDB-C39AEBB28E30}C:\users\richard\appdata\local\temp\netease-tianyu.exe] => (Allow) C:\users\richard\appdata\local\temp\netease-tianyu.exe
FirewallRules: [UDP Query User{A18CE93C-7482-40D4-9D4F-15FEC185A0FB}C:\users\richard\appdata\local\temp\netease-tianyu.exe] => (Allow) C:\users\richard\appdata\local\temp\netease-tianyu.exe
FirewallRules: [TCP Query User{8C6F3F92-9FFE-4DA5-918C-2FD6289626A6}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe
FirewallRules: [UDP Query User{48DA146F-9033-4458-A020-CBD282913A56}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe
FirewallRules: [TCP Query User{51E8C798-3706-4B7F-B4D5-E4A8CC536597}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe
FirewallRules: [UDP Query User{485BC9C2-4330-41C8-9467-ECBEF26FEE4C}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe
FirewallRules: [TCP Query User{4FDB2B14-DA48-4E0A-B1E2-6A85D2673C10}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe
FirewallRules: [UDP Query User{376CCD2A-E709-49F5-8C35-917F9BF552F1}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe
FirewallRules: [TCP Query User{120FE2FA-182D-4384-88B5-EED7F00A1C55}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe
FirewallRules: [UDP Query User{9AD8A5A4-718C-4906-962A-94C21C977106}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe



Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-406179256-1937463932-1247465908-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
C:\WINDOWS\system32\GroupPolicyUsers\S-1-5-21-406179256-1937463932-1247465908-1001\User => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{27D3B2AA-1288-4AF6-9C6E-8E97FF5B2688} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{27D3B2AA-1288-4AF6-9C6E-8E97FF5B2688} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ThunderMaster => key not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BEF6100E-7F70-4C5F-8FA3-744B0AACC337} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEF6100E-7F70-4C5F-8FA3-744B0AACC337} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{A2BA608F-E26E-4141-8D84-2674BE2E59AF}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{2889C72F-6B72-4845-A4C4-40E0BCC294D8}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{41E1112E-341F-4FC8-ACDB-C39AEBB28E30}C:\users\richard\appdata\local\temp\netease-tianyu.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{A18CE93C-7482-40D4-9D4F-15FEC185A0FB}C:\users\richard\appdata\local\temp\netease-tianyu.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{8C6F3F92-9FFE-4DA5-918C-2FD6289626A6}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{48DA146F-9033-4458-A020-CBD282913A56}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{51E8C798-3706-4B7F-B4D5-E4A8CC536597}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{485BC9C2-4330-41C8-9467-ECBEF26FEE4C}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{4FDB2B14-DA48-4E0A-B1E2-6A85D2673C10}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{376CCD2A-E709-49F5-8C35-917F9BF552F1}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{120FE2FA-182D-4384-88B5-EED7F00A1C55}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9AD8A5A4-718C-4906-962A-94C21C977106}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe => value removed successfully
C:\Users\Richard\AppData\Local\updater.log => moved successfully
C:\Users\Richard\AppData\Local\UserProducts.xml => moved successfully
C:\Users\Richard\AppData\Roaming\Microsoft\SoundMixer => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 20439688 B
Java, Flash, Steam htmlcache => 366048434 B
Windows/system/drivers => 3065448 B
Edge => 1659567 B
Chrome => 619463717 B
Firefox => 420441627 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 302 B
LocalService => 0 B
NetworkService => 28518 B
defaultuser0 => 0 B
Richard => 342804995 B

RecycleBin => 0 B
EmptyTemp: => 1.7 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:02:30 ====

Link to post
Share on other sites

FRST did not reboot my computer during the fix only promted me to do so. I wasn't sure if I should but I have done it now. There was no cmd on startup anymore and I scanned again with malwarebytes which showed no threats. I can now also open my own cmd which I couldn't do before but the hijacked key is still in the quarantine so it might be that. Can I delete it from there now?

Link to post
Share on other sites

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.