Unknown causing cmd.exe to launch with suspicious cmd call


Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby evasive » Mon Jan 12, 2015 7:11 am

Remove Vosteran:
https://forums.malwarebytes.org/index.p ... -vosteran/

The logfile: are you running IIS on that box by any chance?
http://serverfault.com/questions/100380 ... ssion-snag

One other thing I note is you are running in msconfig mode (so temporarily disabled some stuff); I can imagine msconfig is doing so through a startup/logon script of some sort.
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 37389
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 12, 2015 7:37 am

I am attaching ntBootLog.txt as well as a few reg files containing what I found in the Windows registry.

Code:
Loaded driver \SystemRoot\System32\Drivers\a70km16k.SYS
Loaded driver \SystemRoot\System32\Drivers\ax0jhlar.SYS

Neither one of these files physically exists... that is, I did a full search of my HDD including all folders and hidden files.

These two stood out as suspicious O_o.....

However, upon checking I found that ax0jhlar is linked to the DAEMON Tools virtual SCSI drive.
I had a 2nd virtual drive, a BDROM, through DT.... I got rid of it as I didn't really need two... so I will test boot again...

Code:
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 4]
"Interrupt"=dword:00000009
"IOAddress"=dword:0000fff0
"Driver"="ax0jhlar"

Code:
[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 5]
"Interrupt"=dword:00000009
"IOAddress"=dword:0000ffe8
"Driver"="a70km16k"


________________________________________________________________________
edit:


IIS (Internet Information Services)? No, definitely not; I do not even have it installed.
Didn't feel I needed it...



Vosteran!!!!!
Yes, I did run into that, though I could have sworn I had dealt with it back on the old HDD (i.e. WinXP Pro 32-bit SP3).

Whatever the case.. I HIT IT HARD AND WITH A VENGEANCE....

I was grabbing an update from SourceForge (they have been using these downloaders to help programmers generate revenue >_< BOOO, ask for donations if you need the $$).

I guess I forgot to click the "enable direct link" that time... anyhow I grabbed it and ran...

Here is one such project which has the downloader/installer $$ links enabled ;_; =(
https://sourceforge.net/projects/filezi ... nt/3.10.0/

Since FileZilla (v3.9.0) it's been Vista and newer only, so it probably wasn't this project I had downloaded from...

Anyhow, before I knew it, it was already installing $%^!@#.... so I axed that installer forcefully and proceeded to HACK it out, starting with Spybot S&D and using all available tools, including manual searches of the reg and manually hacking it out of FF... I even tried its uninstaller as well, probably ....

Possible it had something left over? Though I have made many complete scans using Spybot, M$ MRT, TDSSKiller (it's showing clean, so it isn't a rootkit at least....)
Attachments:
Windows Event Viewer Log Files_.rar (2.39 KiB)
[ntBootLog] & [reg-export].rar (3.5 KiB)
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 12, 2015 8:28 am

Attached three images..
The file names describe the contents; PNG screenshots...
Attachments:
Local User Groups and Accounts_Users.png (29.98 KiB)
Local User Groups and Accounts_Groups.png (47.67 KiB)
Device Manager__SPTD_Virtual Devices after all.png (96.52 KiB)

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 12, 2015 9:00 am

I am attaching an archive containing the in-memory strings from cmd.exe.

I found this among them

Code:
REM/?
or  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
r32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
COMSPEC
Attachments:
cmd & drwtsn32 logs.rar (54.58 KiB)
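As an added example that is not part of the thread or any poster's attachments: a Python triage script for the pattern quoted in the post above. It flags a command line when a FOR /F loop enumerates hidden files (dir /a:h-d) under an all-digit Application Data folder and hands each one to regsvr32 /s /n /i:, and it collapses the overlapping truncated copies that a strings dump of cmd.exe memory produces, like the three lines shown above. The install string and the benign command lines are constructed placeholders.

```python
import re
# FOR /F whose input is a DIR listing restricted to hidden files (/a:h...)
FOR_HIDDEN = re.compile(r"for\s+/f\b.*?'dir\b[^']*?/a:h\S*[^']*'", re.I)
# regsvr32 run silently (/s), skipping DllRegisterServer (/n), with an /i: string
REGSVR_I = re.compile(r"regsvr32(?:\.exe)?\b(?=.*\s/s\b)(?=.*\s/n\b)(?=.*\s/i:)", re.I)
# all-digit folder directly under an Application Data / ProgramData tree
DATA_DIR = re.compile(r"(?:application data|programdata)\\(\d{6,})\\", re.I)

def analyze(cmdline):
    """Return the indicator names one command line triggers."""
    hits = []
    if FOR_HIDDEN.search(cmdline):
        hits.append("for_hidden_files")
    if REGSVR_I.search(cmdline):
        hits.append("regsvr32_install_string")
    m = DATA_DIR.search(cmdline)
    if m:
        hits.append("numeric_appdata_dir:" + m.group(1))
    return hits

def is_suspicious(cmdline):
    """regsvr32 /s /n /i: has legitimate uses, so require a second indicator."""
    hits = analyze(cmdline)
    return "regsvr32_install_string" in hits and len(hits) >= 2

def dedupe_fragments(lines):
    """Drop lines that are only the tail of a longer line: a strings dump of
    cmd.exe memory usually yields several truncated copies of one command."""
    kept = []
    for line in sorted(set(lines), key=len, reverse=True):
        if not any(k.endswith(line) for k in kept):
            kept.append(line)
    return kept

def scan_strings(lines):
    """Map each distinct suspicious command line to its indicators."""
    return {l: analyze(l) for l in dedupe_fragments(lines) if is_suspicious(l)}

# Constructed sample: the thread's command reassembled with a placeholder install
# string, two truncated copies as a strings dump shows them, and two benign lines.
OBSERVED = (r'''for /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users'''
            r'''\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 PLACEHOLDER_INSTALL_STRING" "C:\Documents and Settings\All Users\Application Data\1837308050\%i"''')
SAMPLE_DUMP = [OBSERVED, OBSERVED[60:], OBSERVED[-90:],
               r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
               r'''for /F %i in ('dir /b "C:\logs\*.log"') do type "C:\logs\%i"''']

if __name__ == "__main__":
    for line, hits in scan_strings(SAMPLE_DUMP).items():
        print(hits, "<-", line[:70] + "...")
```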

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby evasive » Mon Jan 12, 2015 9:29 am

If bleepingcomputer has no answer:
http://www.bleepingcomputer.com/forums/ ... mpt-error/
then we will have to dig seriously deep. Usually they know what is cooking...

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby Karlsweldt » Mon Jan 12, 2015 9:47 am

Your reference of "Application Data\1837308050\%i" turns up links to Vosteran.. a type of browser virus that wants to redirect you to other sites. "Free" malware with uncertified sites.
http://www.2-viruses.com/remove-vosteran-com-virus

There should be a folder for its files; look there for an "uninstall" or "unwise" command line.
It should be listed in "Add/remove programs" from the Control Panel. But maybe not.
Might be time to do a Registry edit, taking out any references to it. But do a backup first!
You might be able to do a search for any remnants from the command prompt..
Start > Run > type in cmd and then type in Dir C:\*.vosteran/a/s
That will search all directories, sub-directories and files.. except the Registry.
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 20659
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 12, 2015 9:53 am

That Q&A you linked to... no one has replied to it yet....
It definitely looks like the same issue O_o...

but I've been up all night so either I am going for a walk or going to bed

Thx again for the awesome help, Motherboards forums ;^_^;
At times when I couldn't solve something on my own
I could always go to Motherboards.org/forums ;^_^;

Eyy Karl, I already axed Vosteran a while back...
I got rid of every trace of it for absolutely certain



scans using MRT come up nothing too...

I will try a test: I recreate that folder as named and see if the cmd at least auto-exits for now...... no files

_________________________________________________
EDIT:

trying out this program called STOPzilla....... O_o...
Attachments:
STOPZilla Scan pic_40p.jpg (59.72 KiB)
STOPZilla Scan pic.jpg (68.31 KiB)

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 12, 2015 12:21 pm

99.98% of them were false positives

There was one leftover Conduit entry in the reg.. it's gone now, but it sat next to this one:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
n dword 1

All of the HOSTS entries WERE Spybot S&D immunizations, so I had to reapply them.. :roll:

Another was the untouched, unused small exe that is part of the install4j that comes with Azureus (BitTorrent).
I never click on the offers, and all the updates I get for Azureus come via the dev channel, so I never bother with the original installer except when doing a fresh install...

After which I did a CCleaner reg scan again and found these..
Code:
[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI]
@="MarshalableTI Class"

[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI\CLSID]
@="{466D66FA-9616-11D2-9342-0000F875AE17}"

[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI\CurVer]
@="Mslablti.MarshalableTI.1"


[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI.1]
@="MarshalableTI Class"

[HKEY_CLASSES_ROOT\Mslablti.MarshalableTI.1\CLSID]
@="{466D66FA-9616-11D2-9342-0000F875AE17}"



The other false positives included:
exes and files used for patching Elder Scrolls 3: Morrowind with a graphics overhaul
http://www.nexusmods.com/morrowind/mods/36945/

C:\Program Files\Explorer Suite\
Signature Explorer.exe
which is part of CFF Explorer.exe, used for seeing inside of an exe or dll;
it was suggested for changing the OS and Subsystem minimum on the Firefox Nightly v37 Windows 64-bit build so as to try and make it run with XP64 (stuff they did requires Vista or newer =p )


so over all STOPzilla was a waste of time >_<

edit:

I tried recreating that folder, no.. no auto closing of that cmd window... whatever.... ;>_<;
C:\Documents and Settings\All Users\Application Data\1837308050




IDK WHAT ^^%$*& STOPzilla did, but it FCK'd Spybot's immunizations; they are UN-immunizable now.. >_<!!

I have tried deleting the whole key in the reg for each and reapplying the immunizations no go >_<
Attachments:
Spybot_screenshot.jpg (58.57 KiB)
immudebug.rar (45.71 KiB)

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby Karlsweldt » Mon Jan 12, 2015 5:12 pm

Forgot to include this about the CMD prompt.. when done, simply type in "exit" to close.
Hopefully, you have turned off the Windows 'restore' feature while doing this cleansing. If not, Windows will likely undo all your efforts on the next normal boot!
Might be an idea to kill off all the suspect browser add-ons and similar.. then see what happens.

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 12, 2015 5:21 pm

A few recommended by a local tech company I know (the guy that owns it helped set up that LAN center I had volunteered for).

Trying HiJackThis.... logs attached..
doesn't appear to be a problem apparent here either... >_<

Also, I took a screenshot and log files from RogueKiller64.


Code:
explorer.exe
Windows Explorer
v6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
EXPLORER.EXE
Microsoft® Windows® Operating System
1.30 MB (1,364,480 bytes)
Created :  Sunday, February 18, 2007, 7:00:00 AM
Modified:  Sunday, February 18, 2007, 7:00:00 AM


Code:
cryptdll.dll
Cryptography Manager
v5.2.3790.3959 (srv03_sp2_rtm.070216-1710)
cryptdll.dll
Microsoft® Windows® Operating System
47.0 KB (48,128 bytes)
Created :  Sunday, February 18, 2007, 7:00:00 AM
Modified:  Sunday, February 18, 2007, 7:00:00 AM


neither is digitally signed ?! should they be?!

_____________________________________________________________________________________________________

Karlsweldt wrote: Forgot to include this about the CMD prompt.. when done, simply type in "exit" to close.
Hopefully, you have turned off the Windows 'restore' feature while doing this cleansing. If not, Windows will likely undo all your efforts on the next normal boot!
Might be an idea to kill off all the suspect browser add-ons and similar.. then see what happens.



Huh? I never use System Restore; it's the first thing I ax on a new build, as it's a waste of resources...
I got rid of the browser stuff some time ago; I haven't had any real threat in a long time, only what appears to be a leftover at worst ...

I have updated the archive again with adwcleaner_4.107.exe.
It found a few things I had missed, nothing too bad; I added its logs to the archive..
Attachments:
NewLogs and screenshots.rar (180.64 KiB)
Contains the logs for HiJackThis, RogueKiller (and screenshot), adwcleaner, etc