CMD window keeps popping randomly after malware infection

[nicotela94]

Greetings

Two weeks ago I downloaded a torrent that infected my laptop, since then a cmd black box keeps popping randomly disrupting my work constantly and it´s driving me crazy.

I followed the instructions detailed in the sticky in order to save some time, you can check the attached files in this post.

Thank you in advance,  I am really hoping you can help me!

Addition.txt FRST.txt Malwarebytes Scan Log.txt

[Maurice Naggar]

Hello.  My name is Maurice. I will guide you.

• Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

  Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
  1. Show-Hidden-Folders-Files-Extensions
  https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

  2. Disable-Fast-Startup
  https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

3. 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

[Maurice Naggar]

Hello. Good day to you. I have not heard back from you. Are you still needing help ? Are you still with me here ? I will close this case next Tuesday if I do not hear back from you. In order to continue here, I need to have the MSERT.log file.

[nicotela94]

Done! Sorry for the delay.

I´ve followed all your instructions pecisely.

Here is the file you requested msert.log

[Maurice Naggar]

Hello. Thank you. Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will cleanup a most suspicious scheduled task. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRST64.exe  program location:   Desktop folder C:\Users\nicot\Desktop\Proyecto CTC. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to C:\Users\nicot\Desktop\Proyecto CTC

Fixlist.txt<- < - - - -

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the C:\Users\nicot\Desktop\Proyecto CTC folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

[nicotela94]

Done!

Here is the file.

Fixlog.txt

[Maurice Naggar]

Hello. The custom fix run result is very good. A rogue scheduled task, plus some 5 rogue DLLs, plus a rogue sub-folder have been removed. This is a beneficial run. I expect that the "weird" CMD window is no longer around. 😎

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

If upon launching the Esetonlinescanner, there is a windows-message box displaying

A driver cannot load on this device. Driver ehdrv.sys

then, please, TICK the check-box

"Don't show this message again"

and then, click the Close button on that window-box. The ESET scan will proceed forward.

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review
• AND let me know, How is the system at that point ?

Edited January 22 by Maurice Naggar

[nicotela94]

Hi!

The issue is now fixed, the cmd balck screen no longer pops up!

Thank you very much, you were really kind.

Right now I am following your last instructions. Soon I will be posting the ESET scan log.

[nicotela94]

Here is the ESET scan log


23/01/2024 19:38:49
Files scanned: 298608
Detected files: 0
Cleaned files: 0
Total scan time: 05:00:29ESETscanlog.txt
Scan status: Finished

Seems we are doing okay now. Thank you again!

[Maurice Naggar]

That is very excellent. Now a different scan with another security scanner. 

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\nicot\DESKTOP\KVRT.exe will now show in the run box.



add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\nicot\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



Go slow & careful on this part.  In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and "Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.. you

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_202401025_203000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply
• Have lots of patience, as this will most likely run for many hours.
• Also, be aware I am a volunteer here. I help here as personal time permits. I am not on all the time.

And be very sure to let me know, Has the rogue CMD 'black' window issue that started this case....IS it now GONE Away ??

Edited January 24 by Maurice Naggar

[Maurice Naggar]

Hello. Good afternoon. @nicotela94 Are you still around ? If you are still with me, I would like to know about the Scan I suggested above.

[Maurice Naggar]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks