Malware.Exploit.Agent.Generic in system32\cmd.exe

Solved by kevinf80


I received an alert about a threat "Malware.Exploit.Agent.Generic" in the location system32\cmd.exe and application Microsoft Word.  Malwarebytes says "Exploit Office WMI" was blocked.

Later, I received an alert from Malwarebytes that winword.exe (Microsoft Word) was trying to contact a website "mediageek.net" and the threat category was "Trojan."

Then I received an alert an exploit was blocked "Malware.Exploit.Agent.Generic" in system32\cmd.exe.

All these alerts came within two days.

I have scanned files with Malwarebytes and Kaspersky and no threats are found.

What should my next step be to resolve this?

Thanks in advance for your help!


Hello MBD888 and welcome to Malwarebytes,

Run the following scan, let's see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right-click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach that log to your reply.


You may need to do the following:

Disable SmartScreen if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable it when we are finished....

Next,

Disable any Anti-virus software you have installed if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

Thank you,

Kevin

Got your log from your PM, not seeing any obvious Malware or infection. I do note several minidump files, your system must have crashed a few times..?

Can you zip up and attach the following folder: C:\Windows\Minidump

Next,

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.

https://www.techspot.com/downloads/5562-roguekiller.html

https://m.majorgeeks.com/files/details/roguekiller.html
 
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Report button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Copy and paste the entire contents of that log into your next reply.

My PC does occasionally crash, but it's not often and I don't know why.  My PCs have always been that way, since the early 1980s, but maybe things are better now and I should expect more?  I load a lot of stuff on my PCs.

I sent minidump and RKlog to you via PM.

Thank you for your help!


This PC has run a bit hot in the past.  I have had a cooling pad under it now and the PC does not seem to be even warm - although I am not driving the CPU hard at this time.  I could install a CPU temperature monitor (please suggest one if you have one to recommend) and I can check.  Also, please suggest a good way to load the CPU.

I have USB external hard drives which are warm, not hot, and I don't think they would be contributing to this problem.

In case it matters, the PC is about 4 years old.


  • Solution

Hiya Marty,

CPU Thermometer is free and very easy to use: http://www.cputhermometer.com/

Complete the following first:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Text file (*.txt)", then name the file and save to a place of choice, recommend "Desktop", then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Full Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin.

fixlist.txt


The Microsoft scanner is still running: 73 hours and 80 million files scanned so far. I have old files on external drives I need to sort.

Assuming the finds are valid, it's done well. It has found 2,000+ infected files in drives I have scanned with multiple programs in the past.

I think it will be another day or so before this scan is finished.

Don't fall off your chair laughing.

Well, OK, have a laugh. ;-)


Attached are the log files requested.

I took all the actions as you described.  The text from the Microsoft Safety Scanner log is pasted below.

While the Microsoft Safety Scanner was running, I used Microsoft Word several times.  Once when I started Word, Malwarebytes blocked a program.  That event log is in the file uploaded named “Malwarebytes event 8-26-2021.txt.”

I did not open a Word file that had a problem when Malwarebytes blocked the program.  I simply opened Word.  That’s when Malwarebytes blocked the program.

If this is not a false detection, it would seem that either the Word program is infected or Windows 10 is infected.

Would it be wise to uninstall and reinstall Microsoft Office?  I suspect that’s where the problem resides.

Thanks.

Microsoft Safety Scanner v1.347, (build 1.347.399.0)
Started On Wed Aug 25 13:27:32 2021

Engine: 1.1.18500.9
Signatures: 1.347.399.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Attachments: Malwarebytes event 8-26-2021.txt, AdwCleaner[C00].txt, AdwCleaner[S00].txt, Malwarebytes scan.txt, Fixlog.txt, RKlog.txt


The PC seems to run OK, but it was running OK before.

The malware appeared to be attempting to send copies of Word documents I opened to a web site.  If so, that's a concern.  I really can't have that.

Any ideas about how to be sure that malware really has been removed by the Microsoft Scanner?  I guess I could just wait to see if Malwarebytes blocks a program again.

Would reinstalling Microsoft Office be likely to resolve this problem if it has not already been removed?

I am hesitant to reinstall Office, because it takes some time to set up Outlook again.  (Unless you know of a shortcut.)  All Email accounts, signatures, etc. need to be manually entered.  I'd rather visit the dentist.


Has that original issue not ceased?

Can you post a previous RTP detection log...

To get the RTP Detection log from Malwarebytes do the following:

Open Malwarebytes....

  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the RTP Detection log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Text file (*.txt)", then name the file and save to a place of choice, recommend "Desktop", then attach to reply


The RTP Detection log does not show a new event since the event that occurred while I was running the Microsoft scan.  I posted that event above in an uploaded file named "Malwarebytes event 8-26-2021."

These events did not happen each time I opened Microsoft Word, only sporadically.  I'm not sure what exact conditions were required for the event to be triggered.

Maybe the best action is to watch the RTP Detection log for another event?

I am open to other suggestions.


Thanks for the update, run the following fix. Make sure FRST is run as administrator...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


fixlist.txt


When I clicked "Run as Administrator," FRST immediately started running.  I uploaded that log and it is named Fixlog initial.

Then I ran FRST again and clicked on Fix.  That log is uploaded and named Fixlog.  It did find and repair corrupt files.

Fixlog initial.txt

Would it be helpful to run this FRST again to confirm it does not find any corrupt files?  I would have expected that all files would have been OK after all the repair utilities we have run.

Fixlog.txt
