Kazsuki Posted December 25, 2020 ID:1429107
I've used Malwarebytes for a while now and scan regularly as a free user. Recently I've discovered that I'm having problems with CMD: the moment I open it, it will instantly close, no matter what I do. I feel malware has modified it, and although the malware was cleaned, the modification remained.
I've discovered the problem is with the autorun in: Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor. It contains 2 files: (Default) and Autorun.
Autorun contains this text when modifying:
@mode 20,5 & tasklist /FI "IMAGENAME eq FirewallModule.exe" 2>NUL | find /I /N "FirewallModule.exe">NUL && exit & if exist "C:\Users\moham\AppData\Roaming\Microsoft\FirewallModule\FirewallModule.exe" ( start /MIN "" "C:\Users\moham\AppData\Roaming\Microsoft\FirewallModule\FirewallModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )
I've noticed deleting this autorun fixes the issue and CMD works like normal, but then I'll have to manually launch explorer each time I restart the PC, as Windows would not run it automatically. I would like advice on how I can correctly fix it. I've attached files below.
Addition.txt FRST.txt Threat Scan.txt
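A read-only way to list the Command Processor AutoRun values described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it. The function names and the heuristic patterns are assumptions made for this example; the script reads the per-user key from the post plus the two machine-wide locations and changes nothing.

```powershell
# Added example: audit cmd.exe AutoRun values (read-only).
# cmd.exe executes the AutoRun string from these keys on every start
# unless it is launched with the /D switch.
$keys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\Software\Microsoft\Command Processor',
    'HKLM:\Software\WOW6432Node\Microsoft\Command Processor'   # 32-bit view
)

# Heuristics chosen for this example (assumptions, not a vendor signature set).
$indicators = [ordered]@{
    'terminates the shell (exit)'    = '(^|[&|(\s])exit(\s|$|[&)])'
    'launches a program (start)'     = '(^|[&|(\s])start\s'
    'references a user profile path' = '\\AppData\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%'
    'resizes the console (mode)'     = '@?mode\s+\d+\s*,\s*\d+'
    'probes running processes'       = 'tasklist\s'
}

function Test-AutoRunValue {
    param([string]$Value)
    # Emit the description of every heuristic the value matches.
    foreach ($name in $indicators.Keys) {
        if ($Value -match $indicators[$name]) { $name }
    }
}

function Get-CmdAutoRun {
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent: nothing runs from here
        [pscustomobject]@{
            Key     = $key
            AutoRun = $item.AutoRun
            Flags   = @(Test-AutoRunValue -Value $item.AutoRun)
        }
    }
}

$found = @(Get-CmdAutoRun)
if ($found.Count -eq 0) {
    'No Command Processor AutoRun value is set.'
} else {
    $found | Format-List Key, AutoRun, Flags
}
```

Starting the prompt as `cmd /d` skips AutoRun processing, which keeps the window open for inspection when an AutoRun value ends in `exit`.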
nasdaq Posted December 25, 2020 ID:1429157 Solution
Hello, Welcome to Malwarebytes. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Enable Windows Defender. How To: https://docs.microsoft.com/en-us/mem/intune/user-help/turn-on-defender-windows
<<<>>>
Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted.
Run FRST and click Fix only once and wait. The Computer will restart when the fix is completed. It will create a log (Fixlog.txt) please post it to your reply.
===
Please post the Fixlog.txt and let me know what problem persists.
fixlist.txt
Kazsuki Posted December 25, 2020 Author ID:1429204
Thank you so much Nasdaq. I found out I had to remove a registry file as that was disabling Windows Defender for some reason (using YouTube). Once deleted, I restarted Defender and it started working like normal. After this I followed the guide you linked (though I was having problems finding group policy and could not do the initial step), but I activated cloud policy + realtime as it mentioned to do later on. After that I used the fixlist; CMD is working and does not instantly close anymore. I've uploaded a fixlog below. Is there anything else I'll be needing to do?
Fixlog.txt
nasdaq Posted December 26, 2020 ID:1429240
Hi, You are looking good. Stay safe.
Maurice Naggar Posted December 28, 2020 ID:1429521
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following for Tips to help protect from infection
Thank you