
CMDPrompt keeps randomly opening and closing a window very rapidly


  • This topic is locked
5 replies to this topic

#1 ktrillman

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 15 December 2016 - 09:17 PM

Hello,

 

I was told to come here after making a post in the "Am I Infected" Section of the forum regarding subject issue. That post is here: https://www.bleepingcomputer.com/forums/t/634488/post-virus-removal-cmd-prompt-keeps-opening-and-closing-randomly/

 

So story short, I was tricked into downloading a virus with what appeared to be legitimate software.  Immediately after I realized my mistake, I used several anti-virus systems to resolve the problem, all with increasingly successive levels of improvement.

 

First was Norton, which I realized now is complete garbage, but it was what I happened to have on my computer at the time (albeit with the subscription expired). This only cleared out some adware and cookies.

 

I then used SpyHunter, which removed several trojans - a BitCoinMiner being one of them.

 

Computer was still acting funny and I recognized several services running in Task Manager that I didn't recognize with non-official publishers, so I found about Malwarebytes and ran a full scan.

 

This seemed to clear out everything finally - except for one lingering thing that is happening that certainly never used to happen. The CMD prompt window now keeps opening up and closing on its own accord, for a split second, far too fast for me to read, until  I used my phone camera to record with my screen upon startup and captured it. I was able to screenshot the CMD window from the resulting video. I have attached it to this post and this is what it reads:

 

BITSADMIN version 3.0 1 7.57601 

BITS adminstration utility

<C> Copyright 2000-2006 Microsoft Corp

 

bitsadmin is deprecated and is not guaranteed to be available in future versions of Windows.

Administrative tools for the BITS service are now provided by BITS PowerShell

 

Found 2 jobs named "task3".

Use the job identifier instead of the job name.

 

 

Almost every hour or so this damn window will open up in CMDPrompt and rapidly disappear. I'm at a loss as to what to do. Multiple scans with various AV software show my computer as clean, but since this issue only happened after my initial virus infection I can only assume it is something left over.

 

I am running Windows 7 64 bit version.  Per the instructions of this forum, I have run FARBAR and attached the logs to this post. Additional logs from programs that I ran as instructed in my "Am I Infected" post are still in that thread, but I can upload here if requested. I also have the initial log from when I first ran Malwarebytes (prior to coming to this forum). It is also in my first thread.

 

Please let me know if there is anything else you need, and thank you in advance.

 

Original thread:

 

https://www.bleepingcomputer.com/forums/t/634488/post-virus-removal-cmd-prompt-keeps-opening-and-closing-randomly/


Edited by ktrillman, 15 December 2016 - 09:21 PM.



#2 nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:38 PM

Posted 16 December 2016 - 10:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-1435818055-3953686762-1654664753-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelogx64.dll [No File]
FF Plugin: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelogx64.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelog.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelog.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Norton Security Toolbar) - C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-12-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-25]
CHR Extension: (Chrome Media Router) - C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-25]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.8.1.14\Exts\Chrome.crx [2016-11-19]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.8.1.14\Exts\Chrome.crx [2016-11-19]
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  <not found>
S2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S2 AODDriver4.2.0; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S2 AODDriver4.3; \??\C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20161121.001\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20161121.001\EX64.SYS [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
S3 NTIOLib_FastBoot; \??\C:\Program Files (x86)\MSI\Fast Boot\NTIOLib_X64.sys [X]
FirewallRules: [{0EF4C84E-B5E0-4945-AFB4-E596188C3869}] => C:\Users\ShakielD\AppData\Local\ddnow.exe
FirewallRules: [{6A3C8F31-A236-44E8-B2B2-FCFAD3DA52DE}] => C:\Users\ShakielD\AppData\Local\Temp\installer1.exe
FirewallRules: [{6AB6E86F-034C-48F4-9C16-F961A742DFD2}] => C:\Users\ShakielD\AppData\Local\22553970.exe
C:\Users\ShakielD\AppData\Local\ddnow.exe
C:\Users\ShakielD\AppData\Local\Temp\installer1.exe
C:\Users\ShakielD\AppData\Local\22553970.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 7 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417045FF}) (Version: 7.0.450 - Oracle)
===

Please let me know what problem persists with this computer.

#3 ktrillman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 19 December 2016 - 08:42 PM

Sorry for the delay, I have been extremely busy.

 

FRST LOG:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-12-2016
Ran by ShakielD (19-12-2016 20:30:46) Run:1
Running from C:\Users\ShakielD\Downloads
Loaded Profiles: ShakielD (Available Profiles: ShakielD)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-1435818055-3953686762-1654664753-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelogx64.dll [No File]
FF Plugin: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelogx64.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelog.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelog.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Norton Security Toolbar) - C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-12-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-11-25]
CHR Extension: (Chrome Media Router) - C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-25]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.8.1.14\Exts\Chrome.crx [2016-11-19]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security with Backup\Engine\22.8.1.14\Exts\Chrome.crx [2016-11-19]
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] -  <not found>
S2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S2 AODDriver4.2.0; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S2 AODDriver4.3; \??\C:\Program Files\AMD\ATI.ACE\Fuel\amd64\AODDriver2.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20161121.001\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security with Backup\NortonData\22.8.0.50\Definitions\SDSDefs\20161121.001\EX64.SYS [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
S3 NTIOLib_FastBoot; \??\C:\Program Files (x86)\MSI\Fast Boot\NTIOLib_X64.sys [X]
FirewallRules: [{0EF4C84E-B5E0-4945-AFB4-E596188C3869}] => C:\Users\ShakielD\AppData\Local\ddnow.exe
FirewallRules: [{6A3C8F31-A236-44E8-B2B2-FCFAD3DA52DE}] => C:\Users\ShakielD\AppData\Local\Temp\installer1.exe
FirewallRules: [{6AB6E86F-034C-48F4-9C16-F961A742DFD2}] => C:\Users\ShakielD\AppData\Local\22553970.exe
C:\Users\ShakielD\AppData\Local\ddnow.exe
C:\Users\ShakielD\AppData\Local\Temp\installer1.exe
C:\Users\ShakielD\AppData\Local\22553970.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-1435818055-3953686762-1654664753-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found. 
"HKLM\Software\MozillaPlugins\@esn/npbattlelog,version=2.5.0" => key removed successfully
"HKLM\Software\MozillaPlugins\@esn/npbattlelog,version=2.7.0" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@esn/npbattlelog,version=2.5.0" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@esn/npbattlelog,version=2.7.0" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe => moved successfully
C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\ShakielD\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => key removed successfully
C:\Program Files (x86)\Norton Security with Backup\Engine\22.8.1.14\Exts\Chrome.crx => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => key removed successfully
"C:\Program Files (x86)\Norton Security with Backup\Engine\22.8.1.14\Exts\Chrome.crx" => not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\nppllibpnmahfaklnpggkibhkapjkeob" => key removed successfully
AODDriver4.1 => service removed successfully
AODDriver4.2.0 => service removed successfully
AODDriver4.3 => service removed successfully
MSICDSetup => service removed successfully
NAVENG => service removed successfully
NAVEX15 => service removed successfully
NTIOLib_1_0_C => service removed successfully
NTIOLib_FastBoot => service removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0EF4C84E-B5E0-4945-AFB4-E596188C3869} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6A3C8F31-A236-44E8-B2B2-FCFAD3DA52DE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6AB6E86F-034C-48F4-9C16-F961A742DFD2} => value removed successfully
"C:\Users\ShakielD\AppData\Local\ddnow.exe" => not found.
"C:\Users\ShakielD\AppData\Local\Temp\installer1.exe" => not found.
"C:\Users\ShakielD\AppData\Local\22553970.exe" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 31460060 B
Java, Flash, Steam htmlcache => 399177774 B
Windows/system/drivers => 237402 B
Edge => 0 B
Chrome => 774456086 B
Firefox => 4698033 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33058 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33058 B
systemprofile32 => 33618 B
LocalService => 66228 B
NetworkService => 2627096 B
ShakielD => 7651272 B
 
RecycleBin => 0 B
EmptyTemp: => 1.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:32:44 ====
 
 
 
 
I don't know if this would be of help, but the other night Malwarebytes conducted a scan while my computer was idle and came up with these results:
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 12/18/2016
Scan Time: 3:46 AM
Logfile: Late night scan.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.12.18.01
Rootkit Database: v2016.11.20.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: ShakielD
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 334872
Time Elapsed: 20 min, 32 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.Spigot, HKU\S-1-5-21-1435818055-3953686762-1654664753-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B6CB85E2-179A-4102-864E-2F72DB0BF899}, , [bd0ca4449505b18514ce79d258ab4cb4], 
 
Registry Values: 1
PUP.Optional.Spigot, HKU\S-1-5-21-1435818055-3953686762-1654664753-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B6CB85E2-179A-4102-864E-2F72DB0BF899}|URL, https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}, , [bd0ca4449505b18514ce79d258ab4cb4]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.HijackHosts, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (192.192.3.8       virustotal.com), ,[577230b8158577bf7da2516bf7094bb5]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

 

I'm still seeing the CMDPrompt issue. What exactly is BITSADMIN referring to?
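
The Malwarebytes log above flagged a hosts-file entry (PUP.Optional.HijackHosts) that points virustotal.com at 192.192.3.8, which is the classic trick for keeping a victim away from security vendors. The following PowerShell is an added example, not code from the thread, from nasdaq, or from Malwarebytes: it parses a hosts file the way the Windows resolver does (first field is the address, the rest are host names, anything after # is a comment) and reports any override of a watched security-vendor domain, distinguishing a loopback block from a redirect to another address. The function name Test-HostsFileHijack and the watch list are assumptions made for the example; it needs PowerShell 3.0 or later (available for Windows 7 through the Windows Management Framework update).

```powershell
# Added example (not from the thread): flag hosts-file entries that override
# security-vendor domains, the pattern Malwarebytes reported above as
# PUP.Optional.HijackHosts (192.192.3.8  virustotal.com).
# Requires PowerShell 3.0+ ([pscustomobject]).
function Test-HostsFileHijack {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Domains a legitimate hosts file has no reason to override.
        # This list is an assumption for the example, not something from the thread.
        [string[]]$WatchList = @('virustotal.com', 'malwarebytes.com',
                                 'bleepingcomputer.com', 'microsoft.com',
                                 'windowsupdate.com', 'symantec.com', 'norton.com')
    )
    $findings = @()
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Drop trailing comments and skip blank lines.
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        # Loopback/unspecified mappings are the normal way to block a host
        # (ad-block lists do this); pointing elsewhere is what a hijack looks like.
        $isLoopback = @('127.0.0.1', '::1', '0.0.0.0') -contains $address
        foreach ($hostname in $fields[1..($fields.Count - 1)]) {
            foreach ($watched in $WatchList) {
                if ($hostname -eq $watched -or $hostname.EndsWith(".$watched")) {
                    # Any override of a watched domain is suspicious; a non-loopback
                    # one is worse because traffic is silently redirected.
                    $severity = if ($isLoopback) { 'Blocked' } else { 'Redirected' }
                    $findings += [pscustomobject]@{
                        Line     = $lineNo
                        Address  = $address
                        Hostname = $hostname
                        Severity = $severity
                    }
                }
            }
        }
    }
    return $findings
}

# Constructed sample mirroring the finding in the log above, written to a temp
# file so the function can be tried without touching the real hosts file.
$sample = Join-Path $env:TEMP 'hosts-sample.txt'
@"
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.192.3.8       virustotal.com
127.0.0.1       ads.example.net
"@ | Set-Content -LiteralPath $sample

Test-HostsFileHijack -Path $sample | Format-Table -AutoSize
# Against the live file (run elevated if the file is protected):
# Test-HostsFileHijack | Format-Table -AutoSize
```

On the constructed sample the only finding is line 3, virustotal.com mapped to 192.192.3.8 with severity Redirected; ads.example.net is not on the watch list and localhost resolves to loopback, so neither is reported. When the live file produces a Redirected hit, the usual remediation is exactly what Malwarebytes did here: remove the line, since a clean Windows hosts file contains only comments (and, on Windows 7, optionally the commented-out localhost entries).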



#4 ktrillman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 20 December 2016 - 12:30 AM

Edit: I actually think it might be gone, but I will wait to say for sure.



#5 nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:38 PM

Posted 20 December 2016 - 10:49 AM


Just a check. Read about BITS.

https://en.wikipedia.org/wiki/Background_Intelligent_Transfer_Service

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
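
As an added illustration of what the "Found 2 jobs named "task3". Use the job identifier instead of the job name." message in the first post refers to (this is not code from the thread or from nasdaq): bitsadmin was being invoked against a BITS job by display name, and two jobs carried that name. BITS jobs are the scheduler's download queue, they persist across reboots, and the deprecation banner itself points to the BITS PowerShell cmdlets, so the cleanest way to see what such a job does is to list every job with its owner, remote URLs, local file paths and the command BITS would run on completion. The function name Get-BitsJobReport is an assumption for the example; "task3" comes from the screenshot in post #1 and is only the default. Run it from an elevated prompt, since -AllUsers needs administrator rights.

```powershell
# Added example (not from the thread): list BITS jobs for every user so a
# "Found N jobs named ..." message can be traced to the jobs behind it.
# Run elevated. On Windows 7 the module must be imported explicitly.
Import-Module BitsTransfer

function Get-BitsJobReport {
    param(
        # Display name to highlight; "task3" is the name from post #1.
        [string]$Name = 'task3'
    )
    # -AllUsers returns jobs owned by every account, not just the caller.
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop
    foreach ($job in $jobs) {
        # Remote URL -> local path for each file: an unexpected download
        # (or an executable dropped into a user profile) shows up here.
        $files = ($job.FileList | ForEach-Object {
            "$($_.RemoteName) -> $($_.LocalName)"
        }) -join '; '
        [pscustomobject]@{
            JobId       = $job.JobId
            DisplayName = $job.DisplayName
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Type        = $job.TransferType
            Created     = $job.CreationTime
            Files       = $files
            # Command line BITS runs when the job finishes; a value here on
            # a job you did not create deserves a close look.
            NotifyCmd   = $job.NotifyCmdLine
            NameMatches = ($job.DisplayName -eq $Name)
        }
    }
}

# Show every job, with the ones named "task3" marked NameMatches = True.
Get-BitsJobReport -Name 'task3' | Format-List
```

The same listing is available from the deprecated tool with `bitsadmin /list /allusers /verbose`, but the cmdlet output is easier to filter (`Get-BitsJobReport | Where-Object NameMatches`). A job that belongs to a program you do not recognise, downloads to AppData\Local or Temp, or carries a NotifyCmd can be cancelled with `Remove-BitsTransfer -BitsJob $job` after noting its JobId; the job identifier is what the bitsadmin message was asking for, because it is unique where the display name is not. Once the leftover scheduled task that called bitsadmin was removed by the fix above, the window stopped appearing, which matches the original poster's later report.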

#6 ktrillman
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:38 PM

Posted 21 December 2016 - 08:02 PM

I think it's safe to say the issue is resolved. Thank you for all the help!





