Jump to content

Getting a strange CMD Prompt after being affected by trojans/malware.


Go to solution Solved by kevinf80,

Recommended Posts

I was watching some trading tutorials and downloading some torrents, and some ads popped up, I didn't really paid them any attention, as I assumed it was the next stage of the process, unfortunately I realized too late it was just an unwanted tab telling me to click yes.

What followed was Google Chrome repeatedly sending me unwanted desktop notifications from some "Rjxcy your computer may be affected". I went into settings on Google Chrome and there was a website listed here:

 image.png.1dea9ddc4a2c60d02e91bbbcc95c7bcd.png which I blocked or deleted, can't remember. I then made Malware bytes run a scan which I included rootkits and maaaaaybe archives, can't remember. And it came up with several things. I even ran a full windows defender and Microsoft offline scan and several things were removed. I attached all of the logs from today, the file labelled 0 is the last scan I did (quick scan). A Full scan takes about 2 and a half hours. I quarantined and then removed said detections.

However, during my scans and as well as playing a game this has been popping up randomly.

0eP8VMo.png

Im tempted top remove the file but I don't want to make things worse, all of my scans and windows scans say there isn't a problem, however, that thing pops up every now and again.

 

Any ideas? Thanks

0.txt 2.txt 3.txt 9.txt

Link to post
Share on other sites

There's an application in my control panel I can't seem to delete, however I tried to follow the file paths in its modify/repair/change, and when I try to remove/delete I get things like this: image.png.3b891f4ca18474d8a3a1484cc67417d1.png.

and now my windows defender keeps giving me trojan errors.

image.png.5912e6d417c42a28bb02dbc095837021.png

Link to post
Share on other sites

Hello Ragmarole12 and welcome to Malwarebytes,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

If our tools do not run because of windows smart screen or your security, consider the following:

Disable smart screen if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....


Thank you,

Kevin....
Link to post
Share on other sites

Hiya Ragmarole12,

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin.

fixlist.txt

Link to post
Share on other sites

Did you see which files were identified? odd that they do not show in the log... Never seen the named file PASSWD before, it seems to show as having no contents..

Can you run MSERT scanner again, this time go for "Full" scan... post the produced log.

Link to post
Share on other sites

Leave MSERT for now, run the following:

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.

https://www.techspot.com/downloads/5562-roguekiller.html

https://m.majorgeeks.com/files/details/roguekiller.html
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Report button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

Thanks...

 

Link to post
Share on other sites

RogueKiller Anti-Malware V15.0.8.0 (x64) [Jul 13 2021] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.19042) 64-bit
Started in : Normal mode
User : Kris [Administrator]
Started from : C:\Users\Kris\Desktop\RogueKiller_portable64.exe
Signatures : 20210729_115300, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2021/08/01 19:17:01 (Duration : 00:02:32)

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
>>>>>> O4 - Run
  [Suspicious.Path (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-1064140606-41284523-1537055238-1002\Software\Microsoft\Windows\CurrentVersion\Run|utweb -- "C:\Users\Kris\AppData\Roaming\uTorrent Web\utweb.exe" /MINIMIZED (missing) -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Tr.Gen (Malicious)] (file) XD_sp.exe -- C:\Program Files\Common Files\Adobe\Adobe XD\XD_sp.exe -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
 

Link to post
Share on other sites

Hiya Ragmarole12,

Thanks for that log, continue:

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Program Files\Common Files\Adobe\Adobe XD\XD_sp.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
  • Repeat the above steps for the following files

C:\Users\Kris\AppData\Roaming\uTorrent Web\utweb.exe

Thanks,

Kevin

Link to post
Share on other sites

The XP https://www.virustotal.com/gui/file/b20687ff050c717e6dd79a2a5c04f360d470f21637d341d1df6eede3603d557e/detection I reanalyzed the file, however it went down to a 3, it no longer was detected by Sophos or Qihoo360 here: https://www.virustotal.com/gui/file/b20687ff050c717e6dd79a2a5c04f360d470f21637d341d1df6eede3603d557e/detection

 

My pc couldn't find C:\Users\Kris\AppData\Roaming\uTorrent Web\utweb.exe or even  C:\Users\Kris\AppData\Roaming\uTorrent Web so what I did, I searched "This PC" for them and: image.thumb.png.397f089357e562084fb177d01ef50382.png

So after I manually searched for them however I couldn't find any of the above entries.

So I manually looked for them using their file locations. The first one lead me to:

image.png.49ea405c0e76992d6798946da65e8333.png

 

I ran the first two entries due to their late date and it has Account Unknown as one of the usernames, not sure if that's normal, but apparently created Friday. But using Virustotal, No security vendors flagged this file as malicious. 

 

 image.png.21131c3a02362440bea092f8daf269a6.png

 

However, I found image.png.59c831e0c985ffa761dc9329b3104883.png but this too was no security...malicious.

The second entry: image.thumb.png.455832e30e919f4a61f5db7cb9a09274.png

 

The last entry: image.png.b1d2046b07a585de1ec7f40d481aadf5.png

I ran it in virus total and no security vendors flagged, all went undetected.

image.png

image.png

Link to post
Share on other sites

  • Solution

Can you run RogueKiller again, this time remove the following entry:

[Tr.Gen (Malicious)] (file) XD_sp.exe -- C:\Program Files\Common Files\Adobe\Adobe XD\XD_sp.exe -> Found

I would ignore uTorrent entry, I believe that gets flagged as you have it running at boot and being a torrent conduit...

Make sure to reboot after RK completes...

Its 01:05 am local time for me, sleepy time me thinks...

Let me know how your system currently responds, also if any remaining issues or concerns...

Link to post
Share on other sites

Please ignore the last two attached images, forgot to remove. Also, redid a MSERT quick scan, 3 files came up infected, I recorded it however and played it back in slow motion.

 image.png.dda9ee5b44ebf22bed86c87d19caf45f.png

C:\Program Files\qBittorent\qbittorrent.exe got it to two. Then three

image.png.8f846a08468aeeccbce279656c6cc22d.png 

 

However, the MSERT log file says

image.png.60653a6006203dda884c423afb717d23.png

 

 

Link to post
Share on other sites

1 hour ago, kevinf80 said:

Can you run RogueKiller again, this time remove the following entry:

[Tr.Gen (Malicious)] (file) XD_sp.exe -- C:\Program Files\Common Files\Adobe\Adobe XD\XD_sp.exe -> Found

I would ignore uTorrent entry, I believe that gets flagged as you have it running at boot and being a torrent conduit...

Make sure to reboot after RK completes...

Its 01:05 am local time for me, sleepy time me thinks...

Let me know how your system currently responds, also if any remaining issues or concerns...

Hi Kev, so after removing those files, and general delete and clean up, as well as using Revo to get rid of the program which didn't want to be removed. I used CCleaner to clean up the registry, and uninstalled it afterwards.
Ran Rogue/MERST/Malware/Windows scans again on full and all came back clean. 
So thank you once again for the help and I'll send you something on paypal. 

Thanks, 

Kris

Link to post
Share on other sites

Hiya Kris,

Yes got the donation, thank you very much... Good to hear your system is ok for you now, continue to finish up:

Delete the following:

C:\Users\Kris\Desktop\RogueKiller_portable64.exe Plus its folder C:\Prgram Data\RogueKiller

Next,

Right click on FRST here: C:\Users\Kris\Downloads\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Condsider the following:

Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge..

PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.