How to remove \SYSTEM32:CMD.EXE

November 20, 2016 at 10:05:05
Specs: Windows 7 home, Intel Pent., cpu g630, 4.00 GB, 64 bit
For quite some time now, I have been seeing a black box click on and off real quick as I change screens, like reading a BB. It is not seen in Start Up.

I have done a lot of research on it, Google, etc. I didn't realize it was a form of spyware until lately.

The name of the said file is supposed to be {7bcd1ddf-1d68-751a-15f8-4900acc0df46}, identified as a variant of the Backdoor.Win32.Poison.k keylogger.

This startup entry is started automatically via the following Windows Registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components

Under that key will be a subkey that is the CLSID listed below. That subkey will contain a value called StubPath that points to the file being loaded.

I don't see it under either HKEY.

I have run lots of virus checkers, Malwarebytes, etc., and it has not been found.

Any and all help greatly appreciated.



#1
November 20, 2016 at 11:05:00
Try running both Adwcleaner & JRT.

https://www.malwarebytes.com/adwcle...

https://www.malwarebytes.com/junkwa...

Also have a look at the following although it's old & may not apply.

http://www.bleepingcomputer.com/tut...

Did you try a bootable Rescue disk?

https://support.kaspersky.com/4162


#2
November 20, 2016 at 12:46:41
Likely it will be something like the Kaspersky Rescue Disk that will eradicate it. Many a pest that is awkward to remove simply hides itself within the Windows system files, and cannot be removed whilst Windows is booted up. Thus one needs a tool that can find them when Windows isn't booted up - and then deal with them.

Following on from riider's link - these two on how to use it may prove useful:

https://support.kaspersky.co.uk/8092

http://tinyurl.com/373ojxb

http://tinyurl.com/mranxhd


#3
November 21, 2016 at 15:47:27
I just ran the Rescue disk but after it did the scan, it couldn't connect to Internet, so I will run it again tomorrow after disabling the virus checkers.



#4
November 21, 2016 at 15:57:31
Hi Warren, use the process of elimination on your startups.

Windows 7: Startup Programs - Change
http://www.sevenforums.com/tutorial...


#5
November 21, 2016 at 18:54:46
Hi John: quite a few choices. lol Will get after this tomorrow.

Thank you


#6
November 22, 2016 at 10:22:08
Have you run msconfig to see what all is listed in Startup?


#7
November 22, 2016 at 10:54:54
Yes I have, a few times. I just ran the Rescue Disk. Not too familiar with this high tech stuff. Ran a bunch of scans it did. But still seem to have that trojan, the cmd 32 thing.


#8
November 22, 2016 at 12:55:25
System32\cmd is not necessarily a virus. There is probably something running that is utilizing that command, and that's why the window pops up then closes.

Check the Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Perhaps you can post what all is in there.


#9
November 22, 2016 at 14:53:32
"Hi John: quite a few choices. lol Will get after this tomorrow"

Almost certainly a startup, use METHOD FIVE ( CCleaner ) to find out which one.

Uncheck one at a time, until you find the culprit.


#10
November 23, 2016 at 07:32:28
beachyhbt

"Check the Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

Just ran this one, when I get to the last one, Run, there is nothing to open on it, a triangle pointing.

What do I do at this point.

I also ran both the HKEY listed in my original post. I don't see the file
{7bcd1ddf-1d68-751a-15f8-4900acc0df46} which is supposed to be the culprit


#11
November 28, 2016 at 04:20:50
If you click on the "Run" what do you see in the right column?


#12
November 28, 2016 at 06:23:32
ab(Default) REG_SZ (Value not Set)
New Value #1 REG_QWORD 0X00000000 (0)


There is a very small set of numbers in front of New Value in blue, looks like 011 / 110; they are on top of each other in one grouping.


#13
November 28, 2016 at 07:43:09
I'd remove the REG_QWORD value. When you run msconfig and click on Startup, what shows there?
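An added PowerShell check, not code from this thread, that covers both autostart locations discussed so far: the Active Setup Installed Components keys and their StubPath values from the original post, and the HKLM/HKCU Run keys with the odd REG_QWORD value this reply says to remove. It assumes an elevated PowerShell prompt on Windows 7 or later; the CLSID is the one quoted in the original post, and the path pattern it flags for review is an assumption of this example, not something the thread states.

```powershell
# Added example, not from the thread. Lists the autostart entries this thread
# is chasing and flags the ones worth a second look. Run from an elevated
# PowerShell prompt (Windows 7+, PowerShell 2.0 or later).

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$activeSetupKeys = @(
    'HKLM:\Software\Microsoft\Active Setup\Installed Components',
    'HKCU:\Software\Microsoft\Active Setup\Installed Components'
)
# CLSID quoted in the original post
$suspectClsid = '{7bcd1ddf-1d68-751a-15f8-4900acc0df46}'
# Assumed heuristic (not from the thread): launch paths that merit review
$reviewPattern = 'cmd\.exe|\\Temp\\|\\AppData\\'

# A Run value that launches a program is REG_SZ or REG_EXPAND_SZ. Any other
# type (e.g. the REG_QWORD "New Value #1" seen in post #12) cannot start
# anything and is safe to delete after noting it.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $kind = $item.GetValueKind($name)
        $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $flag = ''
        if (@('String', 'ExpandString') -notcontains $kind) { $flag = 'ODD-TYPE' }
        elseif ("$data" -match $reviewPattern)           { $flag = 'REVIEW' }
        '{0}  [{1}]  {2} = {3}  {4}' -f $key, $kind, $name, $data, $flag
    }
}

# Active Setup runs each component's StubPath once per user at logon, and its
# entries are not listed on msconfig's Startup tab, which is why the original
# post checks these keys directly.
foreach ($key in $activeSetupKeys) {
    if (-not (Test-Path $key)) { continue }
    if (Test-Path (Join-Path $key $suspectClsid)) { "FOUND $suspectClsid under $key" }
    Get-ChildItem $key | ForEach-Object {
        $stub = $_.GetValue('StubPath')
        if ($stub) {
            $flag = ''
            if ("$stub" -match $reviewPattern) { $flag = 'REVIEW' }
            '{0}  {1}  StubPath = {2}  {3}' -f $key, $_.PSChildName, $stub, $flag
        }
    }
}
```

Lines tagged ODD-TYPE or REVIEW are the ones to look at before deleting anything; an entry that is absent from both Active Setup hives, as in the original post, simply prints nothing.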


#14
November 28, 2016 at 08:34:10
CCleaner PiriformLtd C:/programFil HKCU/Software
avg framew AVG Technolog C:Program fi HKLM/Software
avg framew AVG Technolog C:Program fil HKLM/Software
VprotectAp Unknown C:program fil HKLM/ Software
AOL Service AOL Inc C:program fil HKLM/Softwar 11/21/2016 9:...
ICloudServices Unknown C:program fil HKCU/Slftware 11/18/2016 4:...
iTunes Apple Inc. C:program fil HKLM/Software 11/18/2016 4:...
MicrosoftFin Unknown C:progra~2 C:/users/user/appD 11/18/2016 4:...
The first four boxes are checked. This is before deleting REG_QWORD etc.


#15
November 28, 2016 at 10:53:32
Can you expand the Command window and show the path to the executables?


#16
November 28, 2016 at 13:12:03
Not too familiar with registry. Is it the line C:\windows\system32\cmd.exe?

Sorry for my ignorance on this.


#17
November 28, 2016 at 14:34:41
Open CCleaner > Tools > Startup > Windows.

Maximize the CCleaner window, take a screenshot & upload it to Zippyshare or one of your choosing.


#18
November 28, 2016 at 15:58:51
http://www115.zippyshare.com/v/Y6ti...


#19
November 28, 2016 at 16:05:04
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
No HKCU:Run iCloudServices C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
Yes HKLM:Run AVG_UI AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=av
Yes HKLM:Run AvgUi AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
No HKLM:Run HostManager AOL Inc. C:\Program Files (x86)\Common Files\AOL\1399800338\ee\AOLSoftware.exe
No HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"
Yes HKLM:Run New Value #1
Yes HKLM:Run vProt AVG Technologies CZ, s.r.o. "C:\Program Files (x86)\AVG Web TuneUp\vprot.exe"
No Startup User Microsoft Find Fast.lnk C:\PROGRA~2\MICROS~1\Office\FINDFAST.EXE


#20
November 28, 2016 at 16:15:36
Refer to my SS.
http://fs5.directupload.net/images/...


#21
November 28, 2016 at 16:19:40
Oops, re your post #19.
Set them all to No.

Do you still get > SYSTEM32:CMD.EXE


#22
November 28, 2016 at 16:29:15
On the third item, HKLM Run, access denied. It is a duplicate.

"Do you still get > SYSTEM32:CMD.EXE"


yes it is gone


#23
November 28, 2016 at 16:37:20
"yes it is gone"
Contradiction there, did you mean > No it is gone


#24
November 28, 2016 at 16:55:52
Gonzo. Not there anymore.

Why didn't that Zippy file open correctly, do you know?


#25
November 28, 2016 at 17:10:39
"gonzo. not there anymore"
Good, leave CCleaner at No, it is not needed in startups.
Now reset the others to Yes, one at a time, until you find the culprit.

"why didn't that zippy file open correctly, do you know"
They are like a lot of sites, trying to survive by using ads.

I use these.

Image Uploader or z_o_o_m's File & Image Uploader.

Using Image Uploader, I upload to directupload.com for images & Zippyshare for files (neither needs an account). Give us the link/links please.

Image Uploader
http://www.softpedia.com/get/Intern...
http://zenden.ws/imageuploader_ru
How to use for images.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
How to use for files.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...

I upload to 10000shared (no account needed). Plenty of other choices in the program. Give us the link/links please.
z_o_o_m's File & Image Uploader
http://z-o-o-m.eu/
Help
http://z-o-o-m.eu/help.htm
Forum
http://forum.z-o-o-m.eu/

Free file sharing sites come & go; if 10000shared, directupload.com & Zippyshare are too busy (or not working) there are many others to try if you want to do it manually. Here are a few.
Load.to
http://www.load.to/ ( no account needed )
File Dropper
http://www.filedropper.com/ ( no account needed )
Go4Up
https://go4up.com/ ( no account needed )


#26
November 29, 2016 at 04:57:54
Did you delete that NewValue entry from the Registry? I would uncheck everything, reboot, then see if the Command Window comes up. Then re-enable one at a time to see what's causing it. I tend to have as little as possible in the startup, so unless it's really needed, I uncheck it.


#27
November 29, 2016 at 07:10:31
Thanks. Will do that.
