
Windows StartUp Command Prompt error



#1 iNeed

Posted 08 October 2014 - 02:00 AM

Every time I start my computer a Command Prompt screen appears and says "The system cannot find the file specified."
So I ran "msconfig.exe" and "Autostart program viewer (Sysinternals - www.sysinternals.com)" to find a recent suspicious startup entry, but found nothing new.

Here's what I found:

Malwarebytes Anti-Malware removes folder: "C:\Documents and Settings\All Users\Application Data\2308189059"

OS: Windows XP SP3

Process: cmd.exe (1292) | Parent: <Non-existent Process> (1096)

Command line argument:
C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\2308189059\*"') do start /b regsvr32.exe /s /n /i:"" "C:\Documents and Settings\All Users\Application Data\2308189059\%i"

I want to know what is in that folder, "C:\Documents and Settings\All Users\Application Data\2308189059\", and which process wants to execute its files.
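As an added example (not from the original post or from BleepingComputer), the following Python script takes a cmd.exe / regsvr32 command line of the shape quoted above, pulls out what it actually does (which directory is enumerated, which regsvr32 switches are used, what file template is loaded) and lists the traits a defender would use to recognise this kind of loader in process-creation logs. The three sample command lines inside it are constructed for the example: the first copies the structure of the line in the post, the other two are ordinary uses of the same binaries so the detector has benign input to leave alone. The indicator threshold of three is an assumption chosen for this example, not a published rule.

```python
import re

# Constructed sample command lines (not copied from any real host). The first reproduces
# the structure of the cmd.exe line quoted in the thread; the other two are ordinary uses
# of the same binaries so the detector has benign input to leave alone.
SAMPLES = {
    "thread_pattern": (
        r"C:\WINDOWS\system32\cmd.exe  /K for  /F %i in ('dir /b /a:h-d /w "
        r'"C:\Documents and Settings\All Users\Application Data\2308189059\*"'
        r"') do start /b regsvr32.exe /s /n /i:"
        r'"" "C:\Documents and Settings\All Users\Application Data\2308189059\%i"'
    ),
    "benign_register": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"',
    "benign_loop": (
        r"cmd.exe /c for /F %i in ('dir /b "
        r'"C:\logs\*.txt"'
        r"') do type "
        r'"C:\logs\%i"'
    ),
}

FOR_F_RE = re.compile(r"\bfor\s+/F\b", re.IGNORECASE)
# dir <switches> "<quoted path>"
DIR_RE = re.compile(r'\bdir\s+(?P<opts>(?:/\S+\s+)*)"(?P<path>[^"]+)"', re.IGNORECASE)
REGSVR_RE = re.compile(r"\bregsvr32(?:\.exe)?\s+(?P<args>.+?)\s*$", re.IGNORECASE)
# single-letter switch, optionally followed by :value (quoted or bare)
FLAG_RE = re.compile(r'/(?P<name>[a-z])(?::(?P<val>"[^"]*"|\S*))?', re.IGNORECASE)
TRAILING_QUOTED_RE = re.compile(r'"(?P<dll>[^"]+)"\s*$')
# all-users data folder whose last component is nothing but digits (as in the thread)
NUMERIC_DATA_DIR_RE = re.compile(r"\\(?:Application Data|ProgramData)\\\d+$", re.IGNORECASE)


def parse_regsvr32(args):
    """Split a regsvr32 argument string into ({switch: value}, trailing DLL path)."""
    dll = None
    m = TRAILING_QUOTED_RE.search(args)
    if m:
        dll = m.group("dll")
        args = args[: m.start()]  # scan switches only, never the path itself
    flags = {f.group("name").lower(): f.group("val") for f in FLAG_RE.finditer(args)}
    return flags, dll


def assess(cmdline):
    """Describe what a cmd/regsvr32 command line does and why it may be a loader."""
    indicators = []
    enum_dir, hidden_only = None, False
    dir_m = DIR_RE.search(cmdline)
    if dir_m:
        # "dir ... "C:\x\*"" enumerates C:\x; drop the wildcard component
        enum_dir = dir_m.group("path").rsplit("\\", 1)[0]
        hidden_only = "/a:h" in dir_m.group("opts").lower()
    flags, dll = {}, None
    reg_m = REGSVR_RE.search(cmdline)
    if reg_m:
        flags, dll = parse_regsvr32(reg_m.group("args"))

    if FOR_F_RE.search(cmdline) and dir_m and reg_m:
        indicators.append("for /F feeds every file of a directory listing to regsvr32")
    if dir_m and hidden_only:
        indicators.append("dir /a:h enumerates only hidden files")
    if enum_dir and NUMERIC_DATA_DIR_RE.search(enum_dir):
        indicators.append("payload directory is an all-users data folder with a purely numeric name")
    if "n" in flags and "i" in flags:
        indicators.append("regsvr32 /n /i loads the file via DllInstall without DllRegisterServer")
    if flags.get("i") == '""':
        indicators.append('regsvr32 /i:"" passes an empty install string')
    if "s" in flags:
        indicators.append("regsvr32 /s suppresses all dialogs")

    return {
        "enumerated_dir": enum_dir,
        "regsvr32_flags": flags,
        "dll_template": dll,
        "indicators": indicators,
        "suspicious": len(indicators) >= 3,  # assumed threshold for this example
    }


if __name__ == "__main__":
    for name, cmdline in SAMPLES.items():
        result = assess(cmdline)
        print(f"{name}: suspicious={result['suspicious']}")
        print(f"  enumerates: {result['enumerated_dir']}")
        print(f"  loads:      {result['dll_template']}")
        for ind in result["indicators"]:
            print(f"  - {ind}")
```

Run against the thread's pattern the script reports the numeric folder under All Users\Application Data as the enumerated directory, the `/s /n /i:""` switch set, and six indicators; the two benign lines score one and zero. The same logic works on a Sysmon event 1 or Process Explorer command-line export, which is where a defender would look for the parent that spawns this cmd.exe.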





#2 iNeed (Topic Starter)

Posted 08 October 2014 - 04:08 AM

Here I've uploaded a screenshot from Process Explorer:

https://i.imgur.com/cUaq3Ns.jpg?1




#3 TryKindness

Posted 03 February 2015 - 02:20 PM

Hello iNeed (and anyone else who may come across this thread).

I got the same infection (not long after this thread was started actually).

I got it from the Vuze installer, downloaded from http://sourceforge.net/projects/azureus/

It installed a package of malware, including the infamous "PC Optimizer Pro", that hijacked all of my browsers (Firefox, Opera and IE), launched fake "You're Infected!" prompts and launched processes that tried to access the Internet (and my networked computers) from every angle.

I removed the malware using Malwarebytes Anti-Malware, just as you did, and some sort of hidden launcher remained on my computer that tried to launch the now-removed malware file(s) via cmd.exe, just as it did in your case.

It looks like this hidden launcher might be operating via exploitation of the Background Intelligent Transfer Service (BITS).

I don't know for sure if that's the case. It's just a possibility.

The only two files on my computer that contain the unique numbers found in the command string are found at the following locations:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

That Downloader folder, as I understand it, is the folder used by BITS.

And if you search the web for those file paths, you'll come across details for a couple of known types of malware.

Personally, I deleted qmgr0.dat and qmgr1.dat.

I first had to end the running svchost.exe process associated with the two files. You can use Ctrl+F in Process Explorer to find out which svchost.exe process you should end, or you can just try ending them all.

I also disabled the Background Intelligent Transfer Service, since I only turn on Automatic Updates occasionally anyway and can always just re-enable BITS on those occasions. Instructions for disabling BITS are easy to find online.


Edited by TryKindness, 03 February 2015 - 03:55 PM.




