Malware uncertainty - cmd.exe /k start cmd.exe


2 replies to this topic

#1 a.h.h.10

a.h.h.10

  • Members
  • 113 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:18 PM

Posted 17 November 2014 - 02:04 PM

Long story short, I had suspected malware on my computer. One of the programs I used was RogueKiller; in the registry it found a shell that had the data cmd.exe /k start cmd.exe.

 

I'm somewhat good with computers, but I'm uncertain about what to do with this file that RogueKiller says is malware. From what I've gathered, it should say explorer.exe?

 

I've been afraid to delete this file because I wasn't sure if this file was necessary for Windows and didn't feel like causing further problems with my computer. Someone please help?





#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,591 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:18 PM

Posted 17 November 2014 - 02:12 PM

Is that the full entry? If you look up the registry key itself, are there any arguments after that? It definitely looks suspicious to me, as that exact command would do nothing but open another command prompt that does nothing unless there are further arguments.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 a.h.h.10

a.h.h.10
  • Topic Starter

  • Members
  • 113 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:18 PM

Posted 17 November 2014 - 03:05 PM

Currently on the computer that is infected, I have it in safe mode (to look for malicious files with a different malware program). I just looked in the registry and this location cannot be found.

 

After I did that scan on RogueKiller (earlier today), I did look it up in the registry and I did find it. (I'm sorry that I can't tell you very much right now)

Here's where RogueKiller told me it was:

Root: HKEY_LOCAL_MACHINE

Key: RK_Software_ON_D_71B3\Microsoft\Windows NT\CurrentVersion\Winlogon

Data: cmd.exe /k start cmd.exe

 

I have a thought: since RogueKiller found this at a different time and I have since restarted the computer, I have the impression that maybe RogueKiller is making up this file? Because I've never seen this "RK_Software" in the registry until I used RogueKiller and since I haven't run it in the current mode I have right now, this file doesn't exist. I also had used RogueKiller a few days ago and it gave me a different key location (RK_Software_ON_D_C67C\Microsoft\Windows NT\CurrentVersion\Winlogon).

 

Your thoughts?
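A quick way to do the check suggested in post #2 against the Winlogon key quoted in post #3, as an added example that is not code from the thread or from RogueKiller: this PowerShell snippet reads the Shell and Userinit values from the live HKLM and HKCU hives (not the RK_Software_ON_... path RogueKiller reported) and flags anything that differs from the stock defaults, which are assumed here to be explorer.exe and C:\Windows\system32\userinit.exe, (trailing comma included).

```powershell
# Added example, not from the thread. Compares the Winlogon Shell and
# Userinit values against their stock defaults (assumed values below).
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is normal
}

# HKLM is the machine-wide location; a per-user override can also live
# under HKCU, so both hives are worth checking.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in $expected.Keys) {
        $value = $props.$name
        if ($null -eq $value) {
            # Absent under HKCU is normal; absent under HKLM is unusual.
            Write-Output "$path\$name : (not set)"
            continue
        }
        if ($value -ieq $expected[$name]) {
            Write-Output "$path\$name : OK ($value)"
        } else {
            # Anything else (e.g. 'cmd.exe /k start cmd.exe', or explorer.exe
            # followed by an extra program) deserves a closer look.
            Write-Warning "$path\$name : UNEXPECTED '$value' (default '$($expected[$name])')"
        }
    }
}
```

Run it from an elevated PowerShell prompt on the affected machine; a warning line shows the full current value, so any extra program appended after the default is visible too.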





