Topic: Is this malware? " \Winlogon | Shell : cmd.exe /k start cmd.exe "


January 13, 2015, 04:27:47 AM

jayh

Hi All,

New to this and would be grateful for any assistance.

My email account was hacked and I wanted to make sure my computer was clean.

Found out about RogueKiller in a thread on the Malwarebytes forum that recommended using RogueKiller and other tools:

(RKill, MalwareBytes, RogueKiller, Junkware Removal Tool, AdwCleaner, ESET, Farbar Recovery Scan Tool, ComboFix, JavaRa, TFC, TDSSkiller, Security Check)

and ran them on my Vista SP2 64-bit Dell Studio 1537 laptop.

All items found have been identified as ok except for things RogueKiller found.

Kernel Filters:
In Registry section (in RED under Registry tab):
¤¤¤ Registry : 30 ¤¤¤
[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found
[Hj.RegVal] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found

These two are concerning as they are listed in RED.
When cursor is hovered over them this message appears: "Critical - the item is malware and should be removed"
Would like confirmation.
Are these malware? And should they be deleted?
Are there other steps that should be taken?

Also -
In Antirootkit section (in ORANGE under Antirootkit tab)
¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\rimmpx64.sys)
Is this malware? And should it be deleted?
Are there other steps that should be taken?

In Processes section (in ORANGE under Processes tab)
¤¤¤ Processes : 5 ¤¤¤
[Suspicious.Path] httpd.exe(2448) -- C:\ProgramData\SingleClick Systems\apache\bin\httpd.exe[-] -> Killed [TermProc]
[Suspicious.Path] httpd.exe(2544) -- C:\ProgramData\SingleClick Systems\apache\bin\httpd.exe[-] -> Killed [TermProc]
[Suspicious.Path] mysqld.exe(3448) -- C:\ProgramData\SingleClick Systems\MySQL\bin\mysqld.exe[-] -> Killed [TermProc]
[Suspicious.Path] dsl_fs_sync.exe(3584) -- C:\ProgramData\SingleClick Systems\Remote Access File Sync Service\dsl_fs_sync.exe[7] -> Killed [TermProc]
[Suspicious.Path] hnm_svc.exe(3836) -- c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[7] -> Killed [TermProc]

Researching these, I believe they were part of networking software installed as part of the factory image on Dell laptops.
Should they be whitelisted?

Any help greatly appreciated.
Thanks!

Reply #1, January 13, 2015, 04:24:01 PM

Curson

Re: Is this malware? " \Winlogon | Shell : cmd.exe /k start cmd.exe "
Hi jayh,

Welcome to Adlice.com Forum.
Please remove the following entries:
Quote
[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe
[Hj.RegVal] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe

The following entry is legit:
Quote
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\rimmpx64.sys)
It will be whitelisted in the next release of RogueKiller.

The entries about SingleClick Systems are legitimate as well. These processes are located in a subfolder of the C:\ProgramData folder, which is the reason for the detection.

If you need help with the tool, please refer to the official tutorial.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.
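As an added example (not from the thread and not Adlice's or RogueKiller's own code): a small Python checker that parses RogueKiller-style [Hj.RegVal] report lines and compares the Winlogon Shell data with the Windows default, explorer.exe, which is what a clean machine should show. The sample report lines are constructed from the format quoted above, and the checker also handles the comma-separated form the Shell value can take, which goes a little beyond this thread.

```python
import re

# Stock data of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
# Winlogon starts whatever is listed here as the user's desktop shell, so data
# such as "cmd.exe /k start cmd.exe" replaces Explorer at every logon.
DEFAULT_SHELL = "explorer.exe"

# Constructed sample in the RogueKiller report format quoted in the thread
# (the two hijacked entries plus one clean entry for contrast).
SAMPLE_REPORT = r"""
[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found
[Hj.RegVal] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_CF06\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found
[Hj.RegVal] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : explorer.exe  -> Found
"""

# Line shape: [Tag] (Arch) Key | ValueName : Data  -> Status
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?) \| "
    r"(?P<name>[^:]+?) : (?P<data>.*?)\s+-> (?P<status>\w+)$"
)

def parse_regval_line(line):
    """Return the fields of one RogueKiller registry line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def shell_verdict(data):
    """Classify Winlogon Shell data. It may be a comma-separated list of programs,
    so every entry must be explorer.exe for the value to count as clean."""
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    return "ok" if entries == [DEFAULT_SHELL] else "hijacked"

def shell_hijack_findings(report):
    """Return (arch, data, verdict) for every Winlogon Shell line in the report."""
    findings = []
    for line in report.splitlines():
        rec = parse_regval_line(line)
        if rec is None or rec["tag"] != "Hj.RegVal":
            continue
        if not rec["key"].lower().endswith("\\winlogon") or rec["name"].lower() != "shell":
            continue
        findings.append((rec["arch"], rec["data"], shell_verdict(rec["data"])))
    return findings

if __name__ == "__main__":
    for arch, data, verdict in shell_hijack_findings(SAMPLE_REPORT):
        print(f"{arch}: Shell = {data!r} -> {verdict}")
```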