
I've noticed that my command line doesn't start anymore; it just immediately minimizes and closes itself upon running. I suspect this is due to a virus or at least some kind of malicious program having been executed. I found the following code inside my registry. It seems legible, but my knowledge of batch / the command line is limited. Can anyone tell me what it does?

```bat
@mode 20,5 & tasklist /FI "IMAGENAME eq SoundModule.exe" 2>NUL | find /I /N "SoundModule.exe">NUL && exit & if exist "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" ( start /MIN "" "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )
```
Gerhard
TemporaryName
  • What do you mean your `cmd` closes immediately? Does it close when you open it or close when you run something? Did you change anything? `%Comspec%` or paths? Is `cmd.exe` in the `c:\windows\system32` directory? Show your environment variables if possible, only those related to `path`, `comspec` etc. – Gerhard Nov 14 '19 at 06:01
  • Check this in VirusTotal `C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe` and scan your PC with a good antivirus – Hackoo Nov 14 '19 at 06:02
  • @GerhardBarnard I didn't change anything. I must've gotten a virus somehow. It's that command which causes it to close; I have removed the entry and now it's all back to normal. – TemporaryName Nov 14 '19 at 06:18
  • @Hackoo Sure enough, that's a virus. I can't remove it though, because it's running. – TemporaryName Nov 14 '19 at 06:18
  • Run a proper virus scan. Delete that string you posted completely as well, restart and see if it returns. The batch seems to be starting the executable, so if you remove it from startup and reboot they should hopefully not start. – Gerhard Nov 14 '19 at 06:20
  • @TemporaryName Try to kill it with this command line `Taskkill /F /IM "SoundModule.exe"` – Hackoo Nov 14 '19 at 06:29
  • @Hackoo He can't, `cmd` closes immediately, remember `:)` He could try and add it to a batch file, but it seems all batch executions might be blocked... worth the try. – Gerhard Nov 14 '19 at 06:33
  • [Here](https://any.run/report/d02ed0cc374004fbde3518dcb35d5d5b5d635277ee3e98293837039a3610d007/8f03ae07-7973-4c50-b378-af4cb2e807d9) it shows definite malicious activity. I suggest you download the latest free version of Panda Antivirus and run a thorough scan. The fact that it is in your `%userprofile%` would mean it will be in any other profile as well, including Admin. – Gerhard Nov 14 '19 at 06:37
  • @GerhardBarnard I managed to make CMD run, but stopped the program with Task Manager. Now, today I've had something else happen to me: when I started my PC, it would only show a command prompt and nothing else would open. I decided to just type "explorer.exe" in there to try and see if it starts up manually and sure enough, it did. How do I make that start up automatically again? – TemporaryName Nov 14 '19 at 16:25
  • Did you run a virus scan yet? If not, do it ASAP. You might need to temporarily put a batch script in the startup to start explorer if it does not start up after a virus scan, but I'm not sure what damage you have yet, so maybe a rebuild is imminent. – Gerhard Nov 14 '19 at 17:20
  • Virus scans don't detect anything. I suspect that the SoundModule was the virus and I had some other script remove / edit registry keys. – TemporaryName Nov 14 '19 at 17:48
  • I think it's the same here ==> [Any.Run](https://app.any.run/tasks/8f03ae07-7973-4c50-b378-af4cb2e807d9/) [Virustotal](https://www.virustotal.com/gui/file/d02ed0cc374004fbde3518dcb35d5d5b5d635277ee3e98293837039a3610d007/detection) – Hackoo Nov 15 '19 at 02:09
  • [Hybrid-Analysis](https://www.hybrid-analysis.com/sample/d02ed0cc374004fbde3518dcb35d5d5b5d635277ee3e98293837039a3610d007/5dce0fea038838f707dd1775) – Hackoo Nov 15 '19 at 03:15
  • It doesn't seem to have executed on my system; I don't have any Cyberlink file. – TemporaryName Nov 15 '19 at 21:54

4 Answers

According to this reddit thread, it's a "vmprotected cryptocurrency miner".

You most likely got it if you installed anything you downloaded from the torrent network, for example a popular game released in the past few weeks :^)

The following SO thread contains part of the solution: CMD.exe closes immediately after calling (Win7 64)

The malicious party added an AutoRun directive via registry to the Windows Command Processor (cmd.exe usually), which you need to remove from any of the following locations it's present in:

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor

What the directive does is execute SoundModule.exe and then explorer.exe (if not already started).

According to the other reply in this thread, they set %comspec% to run at startup, via Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

So on startup, it's running %comspec% (instead of the default Windows Explorer), which on start first runs SoundModule.exe and then explorer.exe. Not sure why they did it this way; anyone who makes use of cmd.exe was bound to figure it out and spread the word.

There are at least two confirmed VirusTotal records for this file: [1], [2]

Andrei

I had the same program on my computer. Check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the shell value, which is most likely "%comspec%" (which explains why it was just cmd running on startup, since %comspec% is cmd.exe), and change it to "explorer.exe".

XPD
random123

Run regedit. Go to HKLM\Software\Microsoft\Command Processor\ or HKEY_CURRENT_USER\Software\Microsoft\Command Processor\ or HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\

For some reason there was an AUTORUN key with "EXIT" inside.

Remove the AutoRun key and cmd will work fine. Then check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the shell value, which is most likely "%comspec%" (which explains why it was just cmd running on startup, since %comspec% is cmd.exe), and change it to "explorer.exe" as the user above said.

Edit: I also found that it was a cryptocurrency mining virus located at %appdata%\Microsoft\SoundModule or SoundMixer in my case. You should probably delete this file too.
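The checks described in the answers above (the Command Processor AutoRun values in HKCU and HKLM, the per-user Winlogon Shell override, and the dropped binary under %appdata%) collected into one audit script. This is an added example, not code from the thread; it assumes an elevated PowerShell session, and the `-Fix` switch and `AutoRunOld` backup name are my own choices. Without `-Fix` it only reports.

```powershell
# Audit (and optionally remediate) the cmd.exe AutoRun / Winlogon Shell persistence
# discussed in this thread. Assumes an elevated session; -Fix is a name chosen here.
param([switch]$Fix)

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\SOFTWARE\Microsoft\Command Processor'
)
$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Paths named in the thread where the miner binary was found (constructed check, report only).
$suspectDirs = @('Microsoft\SoundModule', 'Microsoft\SoundMixer')

foreach ($key in $autorunKeys) {
    $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($null -ne $value) {
        # Any AutoRun value runs every time cmd.exe starts; a clean system normally has none.
        Write-Warning "AutoRun present in ${key}: $value"
        if ($Fix) {
            # Preserve the original string under a different name for later analysis,
            # then remove the live value so cmd.exe starts normally again.
            Set-ItemProperty -Path $key -Name AutoRunOld -Value $value
            Remove-ItemProperty -Path $key -Name AutoRun
        }
    } else {
        Write-Host "OK: no AutoRun value in $key"
    }
}

$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell -and $shell -ne 'explorer.exe') {
    # A per-user Shell value of %comspec% is what made cmd.exe appear instead of the desktop.
    Write-Warning "Winlogon Shell overridden for this user: $shell"
    if ($Fix) {
        # The thread's fix: point the shell back at explorer.exe.
        Set-ItemProperty -Path $winlogonKey -Name Shell -Value 'explorer.exe'
    }
} else {
    Write-Host "OK: no suspicious per-user Winlogon Shell value"
}

foreach ($dir in $suspectDirs) {
    $path = Join-Path $env:APPDATA $dir
    if (Test-Path $path) {
        # Report only: the running process must be stopped before the file can be removed.
        Write-Warning "Suspect directory exists: $path"
    }
}
```

Run it once without `-Fix` to see what is set, then with `-Fix` after stopping the SoundModule.exe process as described in the comments.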


For reference, I will add that I was able to verify that my issue was the Autorun registry key by using Win-R to bring up the "Run" dialog and typing cmd /d (which disables any autorun per the Windows docs: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd). This successfully opened a command prompt window.

Inspecting the registry, my HKEY_CURRENT_USER\Software\Microsoft\Command Processor had Autorun as Type=REG_SZ and Data=if exist. I made a restore point, then renamed that key to AutorunOld ... and then I was able to open a command prompt without issue.

Rick M