Unknown causing cmd.exe to launch with suspicious cmd call


Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Wed Jan 14, 2015 1:52 pm

I tried Kaspersky Rescue Disk,

FULL SCAN of all three of my internal HDDs
Didn't FIND A THING ;#_#; ^_^ @_@........
(PC Specs)
CPU: AMD FX-9590 4.7GHz 8-core
CPU Instructions: MMX(+), SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4A, x86-64, AMD-V, AES, AVX, XOP, FMA3, FMA4
Motherboard: Asus SABERTOOTH 990FX R2.0
GPU: nVidia GTX 750Ti SC 2GB
GFX Drivers: Nvidia v388.00
OS: Windows 7 Ultimate 64-bit SP1
RAM: 16GB Kingston 1866MHz DDR3
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by Karlsweldt » Wed Jan 14, 2015 5:12 pm

Do a Regedit from the 'run' prompt. Then search for any notation of that "Vosteran". If any trace is found, delete its key value cell from the "tree" column.. but not any further into the "tree" than that individual cell page.
Put in a more basic way, the cell on the "tree" folder, when opened having a (+) sign, would show sub-cells of key values. Taking out the main cell folder may cause more problems if associations refer to other process files.
If you have several hard drives or multiple partitions, run that directory check on all.
The MSCONFIG process will list all programming that is on the system, so if something is causing unwanted operations, uncheck its function box.
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 20663
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438
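
One way to do the registry search Karlsweldt describes without clicking through regedit is to export the hives to a .reg file and scan the text offline. The script below is an added example written for this thread, not a tool from the thread or from Microsoft. It parses the .reg export format (the same format as the key dumps joe_devore posts further down), runs a case-insensitive find for a string such as "Vosteran" over key paths, value names and string data, and adds two checks a cleanup usually wants: OpenWithProgids entries whose ProgId has no matching HKEY_CLASSES_ROOT key in the export, and StartMenuInternet browser registrations whose open command points into a user profile directory. The embedded export is constructed: the Vosteran entries are modelled on the ones quoted in this thread, while the htmlfile and FIREFOX.EXE entries are stand-ins for legitimate data.

```python
"""Offline scan of a regedit .reg export for leftovers such as the Vosteran entries.

Added example for this thread, not a tool from the thread or from Microsoft.
A real export (regedit /e dump.reg HKEY_CURRENT_USER) is UTF-16 text, so read it
with open(path, encoding="utf-16") before handing it to parse_reg_export().
"""
import re

# Constructed sample export: Vosteran keys mirror the thread's dump, the rest are stand-ins.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids]
"htmlfile"=hex(0):
"VosteranHTML.RK4WSBMGSSQO7S4EMNNWSWUNF4"=hex(0):

[HKEY_CLASSES_ROOT\htmlfile]
@="HTML Document"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe]
"LocalizedString"="vosteran"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Melchior\\Local Settings\\Application Data\\Vosteran\\Application\\vosteran.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
"""

# regedit spells non-string types as hex(<type>):, hex(0): being a zero-length REG_NONE.
HEX_TYPES = {None: "REG_BINARY", "0": "REG_NONE", "2": "REG_EXPAND_SZ",
             "7": "REG_MULTI_SZ", "b": "REG_QWORD"}


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(data):
    """Turn the right-hand side of a name=data line into (registry type, value)."""
    data = data.strip()
    if data.startswith('"'):
        return "REG_SZ", _unquote(data)
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = re.fullmatch(r"hex(?:\((\w+)\))?:(.*)", data)
    if m:
        kind = HEX_TYPES.get(m.group(1), "REG_HEX_" + str(m.group(1)))
        return kind, bytes.fromhex(m.group(2).replace(",", ""))
    return "UNKNOWN", data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: (type, value)}}; '@' is the default value."""
    reg, key, carry = {}, None, ""
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        if line.endswith("\\"):          # hex data wrapped onto the next line
            carry = line[:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        reg[key]["@" if name == "@" else _unquote(name)] = _decode_value(data)
    return reg


def search_registry(reg, needle):
    """Case-insensitive find over key paths, value names and string data, like regedit's Find."""
    n, hits = needle.lower(), []
    for key, values in reg.items():
        if n in key.lower():
            hits.append((key, None))
        for name, (kind, value) in values.items():
            if n in name.lower() or (kind == "REG_SZ" and n in value.lower()):
                hits.append((key, name))
    return hits


def orphaned_openwith_progids(reg):
    """ProgIds under FileExts\\<ext>\\OpenWithProgids with no HKEY_CLASSES_ROOT\\<ProgId> key in the export."""
    known = {k.split("\\", 1)[1].lower() for k in reg
             if k.upper().startswith("HKEY_CLASSES_ROOT\\") and k.count("\\") == 1}
    return [(key, name) for key, values in reg.items()
            if key.lower().endswith("\\openwithprogids")
            for name in values if name.lower() not in known]


def browser_commands_in_user_profile(reg):
    """StartMenuInternet open commands whose executable sits inside a user profile directory."""
    hits = []
    for key, values in reg.items():
        low = key.lower()
        if "\\clients\\startmenuinternet\\" in low and low.endswith("\\shell\\open\\command"):
            kind, value = values.get("@", ("", ""))
            if kind == "REG_SZ" and re.search(r"\\(documents and settings|users)\\[^\\]+\\", value, re.I):
                hits.append((key, value))
    return hits


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    for key, name in search_registry(reg, "vosteran"):
        print("found:", key, "" if name is None else "-> " + name)
    print("orphaned ProgIds:", orphaned_openwith_progids(reg))
    print("browser commands in user profiles:", browser_commands_in_user_profile(reg))
```

The orphan check only means something when the export includes HKEY_CLASSES_ROOT (or HKLM\SOFTWARE\Classes plus the user's Classes key), so export those hives together with the FileExts key before relying on it.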

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Wed Jan 14, 2015 6:17 pm

breaking down the cmdline string.....
Code:
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"


Code:
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"')

/K Carries out the command specified by string but remains

/b Start application without creating a new window. The
application has ^C handling ignored. Unless the application
enables ^C processing, ^Break is the only way to interrupt

Code:
regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
/u -   Unregister server
/s -   Silent; display no message boxes
/i -   Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall
/n -   do not call DllRegisterServer; this option must be used with /i


Code:
do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"

so it's going to silently install, passing this string to whatever was in that folder... "/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " which appears to be base64 but I tried using online decoders to no avail..... and to not call DllRegisterServer as well... i.e. being REAL s.n.e.a.k.y. about it

_________________________________________________________________________________________________
I could have sworn I had gotten rid of everything.... must be remnants of my original cleaning....

Code:
VosteranHTML.RK4WSBMGSSQO7S4EMNNWSWUNF4  reg_none  (zero-length binary value)

found at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids


Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe]
"LocalizedString"="vosteran"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\vosteran.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Melchior\\Local Settings\\Application Data\\Vosteran\\Application\\vosteran.exe\""


well those reg keys are AXED.... and no trace of its files anywhere, evident by the fact that not one tool so far has seen anything left this time around...


a search of my file system (name and inside) and the Windows registry for these strings nets nothing.

QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3
RK4WSBMGSSQO7S4EMNNWSWUNF4
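
The flag-by-flag breakdown above is the right way to read that string. As an added example (not from the thread and not part of any tool it names), the Python script below does the same triage automatically: it tokenizes a Windows command line the way cmd.exe roughly does, pulls out the regsvr32 switches, the DllInstall argument and the target DLL, and lists the properties a defender would want logged for such a launch. It also answers the base64 question: the 49-character token cannot be standard base64 at all, because base64 output length is never 1 mod 4, so decoders fail on shape before they ever get to content. The two sample lines are constructed for the script: the first is the string posted in this thread, the second a benign call with a placeholder DLL name.

```python
"""Triage of the cmd.exe -> regsvr32 launch string quoted in this thread.

Added example for the thread, not code from it or from any tool it names.
Tokenizes a Windows command line roughly as cmd.exe does (whitespace separated,
double quotes group), finds the regsvr32 invocation and reports what a defender
would want logged.  The samples are constructed: the first is the string posted
in the thread, the second a benign call with a placeholder DLL name.
"""
import re

SAMPLE_SUSPICIOUS = r"""
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"
""".strip()
SAMPLE_BENIGN = r'regsvr32.exe /s "C:\Windows\System32\example.dll"'   # example.dll is a placeholder

BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")


def split_windows_args(cmdline):
    """Split on whitespace; a double-quoted run stays one token (quotes dropped)."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def base64_shape(token):
    """Can this token be standard base64 at all?  Base64 maps 3 bytes to 4 chars and a
    1- or 2-byte tail to 2 or 3 chars, so an unpadded length of 1 (mod 4) is impossible."""
    body = token.strip().rstrip("=")
    if not BASE64_ALPHABET.fullmatch(body):
        return "not base64 alphabet"
    if len(body) % 4 == 1:
        return "cannot be standard base64 (length %d is 1 mod 4)" % len(body)
    return "base64-shaped"


def analyze_regsvr32_cmdline(cmdline):
    """Describe how regsvr32 is used in one command line; findings are plain strings."""
    tokens = split_windows_args(cmdline)
    lowered = [t.lower() for t in tokens]
    report = {"regsvr32": False, "findings": []}
    idx = next((i for i, t in enumerate(lowered)
                if t.endswith("regsvr32.exe") or t == "regsvr32"), None)
    if idx is None:
        return report
    args = tokens[idx + 1:]
    switches = {a.lower()[:2] for a in args if a.startswith("/")}   # "/s", "/n", "/i", "/u"
    install_arg = next((a[3:] for a in args if a.lower().startswith("/i:")), None)
    targets = [a for a in args if not a.startswith("/")]
    report.update(regsvr32=True, switches=sorted(switches), install_arg=install_arg,
                  target=targets[-1] if targets else None,
                  dll_install_only="/i" in switches and "/n" in switches)
    f = report["findings"]
    if report["dll_install_only"]:
        f.append("/n with /i: DllRegisterServer is skipped, only DllInstall is called")
    if "/s" in switches:
        f.append("/s: silent, so an error box would never be seen")
    if install_arg is not None:
        words = install_arg.split()
        f.append("DllInstall argument %r: %s" % (install_arg.strip(),
                                                 base64_shape(words[-1] if words else "")))
    target = report["target"] or ""
    if "application data" in target.lower() and re.search(r"\\\d+\\", target):
        f.append("target DLL is in a numeric-named folder under Application Data")
    if re.search(r"%\w+", target):
        f.append("target is a FOR-loop variable: every file the loop finds is loaded in turn")
    joined = " ".join(lowered)
    if "dir " in joined and "/a:h" in joined:
        f.append("dir /a:h enumerates hidden files for the loop")
    if "start /b" in joined:
        f.append("start /b: launched without a new window")
    if lowered[0].endswith("cmd.exe") and "/k" in lowered[:2]:
        f.append("cmd /K keeps the shell alive after the loop finishes")
    return report


if __name__ == "__main__":
    for line in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        report = analyze_regsvr32_cmdline(line)
        print(line[:70] + ("..." if len(line) > 70 else ""))
        for item in report["findings"]:
            print("  -", item)
```

Run against a process-creation log, the `dll_install_only` flag together with a target outside Program Files or System32 is the combination worth alerting on; a plain `regsvr32 /s some.dll` from an installer trips only the silent-switch line.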

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Wed Jan 14, 2015 10:34 pm

nope Malwarebytes Anti-Rootkit scanner didn't find a thing

AND its detailed scan of each HDD's boot sectors... found nothing. lol


testing using a tool called Emsisoft Emergency Kit
found two entries...App.win32.InstalledAd no targeted files ...

and on a full scan it only found 8 false positives (programs I had been using for years!!)...

and 4-5 old MS HTML Archives (from old research years ago) that had IE Frame exploits so I scrapped them,
then again I haven't opened those files in years... so there is no chance they are related to this nonsense
Attachments: Malwarebytes Anti-Rootkit__ScanLogs.rar (3.52 KiB)

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by evasive » Thu Jan 15, 2015 2:20 am

A search for that {3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} key gives this:
http://www.avira.com/en/support-threats ... 9/tlang/en
So check for those files and delete them.

Another piece of evidence your system was hit by something REAL nasty, part of a rootkit I suspect. The problem with rootkits is, you NEVER can tell what the **** they put in where since they can mask everything at whatever point in the boot process of your machine (even pre-OS).

Have you checked your scheduled tasks folder yet?
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 37389
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Thu Jan 15, 2015 3:12 am

evasive wrote: A search for that {3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} key gives this:
http://www.avira.com/en/support-threats ... 9/tlang/en
So check for those files and delete them.

Another piece of evidence your system was hit by something REAL nasty, part of a rootkit I suspect. The problem with rootkits is, you NEVER can tell what the **** they put in where since they can mask everything at whatever point in the boot process of your machine (even pre-OS).

Have you checked your scheduled tasks folder yet?

lol of course I have, I ain't a newb :wink:

everything i see says my system is clean with the exception of that one thing,
nope nothing here matching what was on Avira.... ?_?


I scanned with quite a few apps including TDSSKiller, Malwarebytes Anti-Rootkit scanner,
and I even ran the Kaspersky Rescue Disk and it didn't find a thing. I will note its NET drivers worked so I was able to get updated files for it.

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by Karlsweldt » Thu Jan 15, 2015 6:28 am

Check your boot.ini file.. in the root of C:\. Should be something similar to this..
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect

Or from Settings > System > Advanced > Startup and Recovery, you can edit it if required. Back up the file first, though.

Even though I have Firefox as default browser, IE still gets some useless files.. but is not supposed to. Maybe the OS auto update search?

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Thu Jan 15, 2015 5:37 pm

lol of course I already checked that... it's clean as a whistle.
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional x64 Edition" /noexecute=optin /fastdetect


I have CCleaner clean several times a day depending on how many times I close Firefox.... the only file I see for IE is
an index file for its temp files which is automatically recreated when it's deleted by CCleaner... that and when I do Windows Update checks via IE...

oohh looky here... a Windows update, more specifically the

- Malicious Software Removal Tool x64 - January 2015 (KB890830)
installing... =D done. and it says I am clean too....

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by joe_devore » Fri Jan 16, 2015 1:18 am

I found something I wasn't sure about...
Code:
COM Surrogate
(No signature was present in the subject) Microsoft Corporation
v5.2.3790.3959
Sat Feb 17 00:24:26 2007
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

autostart:
HKLM\System\CurrentControlSet\Services\COMSysApp


it's a Windows service.... seems legit except for the (No signature was present in the subject) part... is it supposed to have
Attachments: TDSSKiller.3.0.0.42_16.01.2015_07.23.26_log.rar (23.43 KiB), unknown file plus reg files.rar (3.05 KiB)

Re: Unknown causing cmd.exe to launch with suspicious cmd call

Post by Karlsweldt » Fri Jan 16, 2015 6:07 am

As to that reference of " C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
autostart: HKLM\System\CurrentControlSet\Services\COMSysApp "..
Supposedly, it is an OS file provided by MS.. and may not require a digital signature, as it is not a critical core or Kernel file.
Found several references.. valid program required by the OS on start up, otherwise certain features may not be available.
http://www.bleepingcomputer.com/startup ... 25641.html
Seems to be a launch-type process for an add-on feature.. Wifi, external drive, network server? NAS?
http://msdn.microsoft.com/en-us/library ... .5%29.aspx

That Malicious Software Removal Tool is still issued monthly by MS.. a quick antivirus and malware cleaner. (KB890830) It will be issued for several more months, until all the POS (point-of-sale) systems have been upgraded. Almost all ATM and similar use a basic form of Win XP as the OS. By default, it scans only the C:\ drive.. but can scan all drives and files.
