CMD screen on startup

  #1 New Lounger (NE/UK)

    Hi, can someone help me out please.

    I've a laptop running XP; I've had it now for approx. 6 months with no issues.

    But just recently I'm getting a CMD prompt popping up on boot-up: "C:\Windows\system32>"

    CMD SCREEN ON BOOT UP XP.jpg

    Thanks,

    S.

  #2 Rick Corbett (Super Moderator, South Glos., UK)

    It looks like something (most likely malware) is injecting registry change(s) at each startup. Try full malware scans with your existing AV (if any) and Malwarebytes as a beginning point. (During the installation of Malwarebytes, make sure you remove the tick from the checkbox asking if you want to try the trial version of the full product.)

    Hope this helps...

  #3 New Lounger (NE/UK)

    Hi Rick, Thanks for the reply.

    I've run MB as you suggested; the CMD boot-up screen still comes on, but with a different prompt.

    I've Quarantined them all.

    CMD SCREEN ON BOOT UP_2.jpg

    1st log file from MB

    Update, 18/01/2015 13:36:13, SYSTEM, SBJLAPTOP8, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
    Update, 18/01/2015 13:36:13, SYSTEM, SBJLAPTOP8, Manual, Rootkit Database, 2014.11.18.1, 2015.1.14.1,
    Update, 18/01/2015 13:36:45, SYSTEM, SBJLAPTOP8, Manual, Malware Database, 2014.11.20.6, 2015.1.18.6,
    Scan, 18/01/2015 13:57:53, SYSTEM, SBJLAPTOP8, Manual, Start:18/01/2015 13:37:03, Duration:19 min 51 sec,
    Threat Scan, Completed, 2 Malware Detections, 33 Non-Malware Detections,

    2nd log file

    Malwarebytes Anti-Malware


    Scan Date: 18/01/2015
    Scan Time: 13:37:03
    Logfile: 1st Scan MB.txt
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2015.01.18.06
    Rootkit Database: v2015.01.14.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Admin

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 446820
    Time Elapsed: 19 min, 51 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 17
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\CLSID\{42195ba9-d0c5-4371-bdc0-8cac894f13cd}, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{42195BA9-D0C5-4371-BDC0-8CAC894F13CD}, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\P42195ba9_d0c5_4371_bdc0_8cac894f13cd_.P42195ba9_d0c5_4371_bdc0_8cac894f13cd_, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\P42195ba9_d0c5_4371_bdc0_8cac894f13cd_.P42195ba9_d0c5_4371_bdc0_8cac894f13cd_.10, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{42195BA9-D0C5-4371-BDC0-8CAC894F13CD}, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\CLSID\{42195BA9-D0C5-4371-BDC0-8CAC894F13CD}\INPROCSERVER32, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\CLSID\{65e4e324-a227-44ba-a669-e411cc08c303}, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{65E4E324-A227-44BA-A669-E411CC08C303}, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\P65e4e324_a227_44ba_a669_e411cc08c303_.P65e4e324_a227_44ba_a669_e411cc08c303_, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\P65e4e324_a227_44ba_a669_e411cc08c303_.P65e4e324_a227_44ba_a669_e411cc08c303_.10, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{65E4E324-A227-44BA-A669-E411CC08C303}, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Optional.MultiPlug.A, HKLM\SOFTWARE\CLASSES\CLSID\{65E4E324-A227-44BA-A669-E411CC08C303}\INPROCSERVER32, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Optional.WordProser.A, HKLM\SOFTWARE\WordProser_1.10.0.4, Quarantined, [f0ee7385ec9dad898f6e86f7ec176c94],
    PUP.Optional.Booster.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{942c66f3}, Quarantined, [fae4ef09296063d32910d3c0b44f8779],
    PUP.Optional.cherimoya.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\cherimoya, Quarantined, [08d68771c7c2c96d69e1da9644bf6a96],
    PUP.Optional.WordProser.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\wpnfd_1_10_0_4, Quarantined, [b02e10e85d2c221452aad5a804ff8779],
    PUP.Optional.Shopperz.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\shopperz, Quarantined, [ebf357a19ced7bbb54eae38e6d96fa06],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 8
    PUP.Optional.VBates.A, C:\Documents and Settings\Admin\Application Data\Company\Product\1.0, Quarantined, [eaf4c434a5e4191d35aa3f3e5da616ea],
    Rogue.Multiple, C:\Documents and Settings\All Users\Application Data\4001812108, Quarantined, [b7274aaec1c8ed4955bb3ded25de7d83],
    PUP.Optional.WList.A, C:\Documents and Settings\Admin\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}, Quarantined, [7965b7410d7c1b1b39130461b44f5fa1],
    PUP.Optional.WList.A, C:\Documents and Settings\Admin\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}, Quarantined, [7965b7410d7c1b1b39130461b44f5fa1],
    PUP.Optional.WList.A, C:\Documents and Settings\Admin\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5, Quarantined, [7965b7410d7c1b1b39130461b44f5fa1],
    PUP.Optional.WList.A, C:\Documents and Settings\LocalService\Local Settings\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}, Quarantined, [39a558a02b5e46f032217af0c83b8e72],
    PUP.Optional.WList.A, C:\Documents and Settings\LocalService\Local Settings\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}, Quarantined, [39a558a02b5e46f032217af0c83b8e72],
    PUP.Optional.WList.A, C:\Documents and Settings\LocalService\Local Settings\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5, Quarantined, [39a558a02b5e46f032217af0c83b8e72],

    Files: 10
    PUP.Optional.MultiPlug.A, C:\Documents and Settings\All Users\Application Data\nitrodeaal\a6y8iL4eDe8Hf1.dll, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
    PUP.Optional.MultiPlug.A, C:\Documents and Settings\All Users\Application Data\appSave\mytMPXuBoX0Y4I.dll, Quarantined, [9846c236d3b62a0c09e7eaa126dfb848],
    PUP.Hacktool.Patcher, C:\Program Files\DFX\dfx v10xx patch.exe, Quarantined, [1fbf0cec4841f541d92963a3eb158878],
    PUP.Optional.VBates.A, C:\Documents and Settings\Admin\Application Data\Company\Product\1.0\localStorageIE.txt, Quarantined, [eaf4c434a5e4191d35aa3f3e5da616ea],
    PUP.Optional.VBates.A, C:\Documents and Settings\Admin\Application Data\Company\Product\1.0\localStorageIE_backup.txt, Quarantined, [eaf4c434a5e4191d35aa3f3e5da616ea],
    Rogue.Multiple, C:\Documents and Settings\All Users\Application Data\4001812108\BITA.tmp, Quarantined, [b7274aaec1c8ed4955bb3ded25de7d83],
    PUP.Optional.WList.A, C:\Documents and Settings\Admin\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\config.js, Quarantined, [7965b7410d7c1b1b39130461b44f5fa1],
    PUP.Optional.WList.A, C:\Documents and Settings\Admin\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\tree.js, Quarantined, [7965b7410d7c1b1b39130461b44f5fa1],
    PUP.Optional.WList.A, C:\Documents and Settings\Admin\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\wlist.js, Quarantined, [7965b7410d7c1b1b39130461b44f5fa1],
    PUP.Optional.WList.A, C:\Documents and Settings\LocalService\Local Settings\Application Data\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}\{FBC0652C-7B29-4FB6-8ADA-91F54B267AD4}\1.5\sts.js, Quarantined, [39a558a02b5e46f032217af0c83b8e72],

    Physical Sectors: 0
    (No malicious items detected)

    Thanks,

    S.

  #4 Paul (WS Lounge VIP, Earth)

    The first screen is a program attempting to register an executable (regsvr32), most likely malware. Now that you've removed the bad files the command still runs, but the executable can't be found. To remove the startup command you need to find out where it is - I use Autoruns for this, as it lists everything that is run when your computer starts.

    cheers, Paul

  #5 Rick Corbett (Super Moderator, South Glos., UK)

    It looks like Malwarebytes has quarantined the BITA.tmp file that was flagged as a 'Rogue.Multiple' - a term used by Malwarebytes to describe 'downloaders that install multiple rogue applications'. However, it hasn't removed the call to CMD... hence the command prompt. Use something like AutoRuns or WhatInStartup and look for the reference to BITA.tmp.

    The 2nd Malwarebytes log file shows a GUID for VBates. Have a look at this article. I suggest you also carry out a scan with AdwCleaner (shown in the article) to be on the safe side.

    Hope this helps...
    Last edited by Rick Corbett; 2015-01-18 at 10:26.
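    The two replies above describe a triage step by hand: take the paths Malwarebytes quarantined, then look through the startup entries (Autoruns' Logon tab, Scheduled Tasks) for a launch command that still points at one of them or at a file that no longer exists. The script below is an added example of that cross-check and is not code from Malwarebytes, Autoruns or any poster. It assumes the detection lines have the shape quoted in post #3 (`<name>, <key or path>, <action>, [<hex id>],`); the startup table is a constructed, simplified stand-in for an Autoruns export (location, entry name, launch string), and the set of "present" files stands in for a real filesystem check so the script runs offline. The BITA.tmp and MultiPlug lines are taken from the log in post #3; the regsvr32 and cmd launch strings are constructed.

```python
"""Cross-check a Malwarebytes scan log against startup entries (added example).

Assumptions (not from the original thread): detection lines look like
    <name>, <registry key or path>, <action>, [<32 hex id>],
and startup entries are (location, entry name, launch string) tuples, a
constructed simplification of an Autoruns export.
"""
import ntpath
import os
import re
from typing import Callable, Dict, List, NamedTuple, Sequence, Tuple


class Detection(NamedTuple):
    name: str      # e.g. Rogue.Multiple
    target: str    # registry key, folder or file path
    action: str    # e.g. Quarantined


class Finding(NamedTuple):
    location: str
    entry: str
    target: str
    reason: str


_DETECTION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9.]+), (?P<target>.+), (?P<action>[A-Za-z ]+), \[(?P<id>[0-9a-f]{32})\],$"
)
_DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")
# Host programs that run *another* file named in their arguments.
_HOSTS = {"regsvr32.exe", "regsvr32", "cmd.exe", "cmd", "rundll32.exe", "rundll32",
          "wscript.exe", "wscript", "cscript.exe", "cscript"}
_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_mb_log(text: str) -> List[Detection]:
    """Keep only the detection lines; headers such as 'Files: 10' are skipped."""
    out = []
    for line in text.splitlines():
        m = _DETECTION_RE.match(line.strip())
        if m:
            out.append(Detection(m["name"], m["target"], m["action"]))
    return out


def quarantined_files(dets: Sequence[Detection]) -> Dict[str, Detection]:
    """Quarantined drive-letter paths (files/folders), keyed case-insensitively."""
    return {d.target.lower(): d for d in dets
            if _DRIVE_PATH_RE.match(d.target) and d.action == "Quarantined"}


def split_launch(launch: str) -> List[str]:
    """Split a launch string into arguments, honouring double quotes (Windows style)."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(launch)]


def launch_target(launch: str) -> str:
    """The file an entry really runs: the image itself, or, for a host such as
    regsvr32/cmd/rundll32, the first drive-letter path passed to it."""
    args = split_launch(launch)
    if not args:
        return ""
    if ntpath.basename(args[0]).lower() in _HOSTS:
        for a in args[1:]:
            if _DRIVE_PATH_RE.match(a):
                return a
    return args[0]


def triage(entries: Sequence[Tuple[str, str, str]], dets: Sequence[Detection],
           exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Flag entries whose target was quarantined, or no longer exists at all."""
    quarantined = quarantined_files(dets)
    findings = []
    for location, name, launch in entries:
        target = launch_target(launch)
        if not target:
            continue
        det = quarantined.get(target.lower())
        if det is not None:
            findings.append(Finding(location, name, target,
                                    f"points at a file Malwarebytes quarantined ({det.name})"))
        elif not exists(target):
            findings.append(Finding(location, name, target,
                                    "target no longer exists (orphaned startup command)"))
    return findings


# Sample log: the first two file lines are from post #3, the section headers are
# in the log's own style.
MB_LOG_SAMPLE = r"""
Files: 2
Rogue.Multiple, C:\Documents and Settings\All Users\Application Data\4001812108\BITA.tmp, Quarantined, [b7274aaec1c8ed4955bb3ded25de7d83],
PUP.Optional.MultiPlug.A, C:\Documents and Settings\All Users\Application Data\nitrodeaal\a6y8iL4eDe8Hf1.dll, Quarantined, [0dd1ac4c3f4a8caa0de3e0ab14f150b0],
Registry Keys: 1
PUP.Optional.Booster.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{942c66f3}, Quarantined, [fae4ef09296063d32910d3c0b44f8779],
"""

# Constructed startup table (location, entry name, launch string).
STARTUP_SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "BITA",
     r'regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\4001812108\BITA.tmp"'),
    ("Task Scheduler", "ExampleUpdater",
     r'cmd.exe /c "C:\Program Files\ExampleVendor\update.exe"'),
]
# Constructed stand-in for the filesystem: only these paths "exist".
PRESENT_SAMPLE = {r"c:\windows\system32\ctfmon.exe"}


def demo() -> List[Finding]:
    dets = parse_mb_log(MB_LOG_SAMPLE)
    return triage(STARTUP_SAMPLE, dets, exists=lambda p: p.lower() in PRESENT_SAMPLE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.location} -> {f.entry}: {f.reason}\n    {f.target}")
```

    On a real machine you would drop the `exists=` argument so `os.path.exists` checks the disk, and feed `triage` the launch strings you read off Autoruns; the point of the `launch_target` step is that the suspicious command is often a legitimate host (regsvr32, cmd) and the thing to look at is the path it is handed.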

  #6 New Lounger (NE/UK)

    Hi, I've run AdwCleaner, but it didn't find anything.

    I've also done a search in Autoruns for BITA.tmp and nothing showed.

    I can put up with the CMD box showing on startup, as long as nothing is booting up.

    Thanks for your time & effort, appreciated.

    S.

  #7 Rick Corbett (Super Moderator, South Glos., UK)

    Using AutoRuns, can you see any references to REGSVR32.EXE?

  #8 BATcher (Super Moderator, A cultural area in SW England)

    As Rick says, but click on the Logon tab in Autoruns, and check each item to make sure you recognise them.
    If you don't, ask again!
    BATcher

    Time prevents everything happening all at once...

  #9 jwitalka (Super Moderator, Minnesota)

    Also check the Scheduled Tasks tab.

    Jerry

  #10 New Lounger (NE/UK)

    Hi, I've had a look; it's probably staring me in the face, but I cannot see anything.

    Thanks,

    S.

  #11 Paul (WS Lounge VIP, Earth)

    First aid registry agent on the Logon tab looks dodgy - I'd be removing / uninstalling that one.

    cheers, Paul

    p.s. Loved the "pictures" of the screen.

  #12 mrjimphelps (WS Lounge VIP, USA)

    Early in your scan listing (post 3), I found the following:

    Version: 2.00.4.1028
    Malware Database: v2015.01.18.06
    Rootkit Database: v2015.01.14.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    You might want to check to make sure that your malware protection is enabled.

  #13 New Lounger (NE/UK)

    Quote Originally Posted by mrjimphelps:
    Early in your scan listing (post 3), I found the following:

    Version: 2.00.4.1028
    Malware Database: v2015.01.18.06
    Rootkit Database: v2015.01.14.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    You might want to check to make sure that your malware protection is enabled.

    Hi Mr Jim, I'm running the free version; I tried enabling Malware & Malicious Website Protection, but it's greyed out & I can't.

    Thanks,

    S.
    Last edited by STEWBALL; 2015-01-23 at 15:25. Reason: spelling correction

  #14 New Lounger (NE/UK)

    First aid registry agent nuked.

    Quote Originally Posted by Paul:
    p.s. Loved the "pictures" of the screen.

    Couldn't figure out how to screenshot, so a digital camera came in handy.

    S.

  #15 mrjimphelps (WS Lounge VIP, USA)

    Quote Originally Posted by STEWBALL:
    Hi Mr Jim, I'm running the free version, tried enabling Malware, & Malicious website protection, but it's greyed out & I can't.

    Thanks,

    S.
    That's what I figured. At least you get a free high quality manual scanner.
