According to this reddit thread, it's a "vmprotected cryptocurrency miner". You most likely got it if you installed anything you downloaded from the torrent network, for example a popular game released in the past few weeks :^)

The following SO thread contains part of the solution: CMD.exe closes immediately after calling (Win7 64)

The malicious party added an AutoRun directive via registry to the Windows Command Processor (cmd.exe usually), which you need to remove from any of the following locations it's present in:

- Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor

According to the other reply in this thread, they set %comspec% to run at startup, via Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. What the directive does is to execute SoundModule.exe and then explorer.exe (if not already started). So on startup, it's running %comspec% (instead of the default Windows Explorer), which itself on start first runs SoundModule.exe and then explorer.exe. Not sure why they did it this way; anyone who makes use of cmd.exe was bound to figure it out and spread the word.

To launch the Task Scheduler, click Start, type Task Scheduler, and click the Task Scheduler shortcut (or press Enter). Click the Create Basic Task link at the right side of the Task Scheduler window. This link opens an easy-to-use wizard that will walk you through the process of creating a task. If you want more advanced options, click Create.
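The two persistence points described above (the Command Processor AutoRun value and the Winlogon Shell value) can be audited in one pass. The script below is an added example written for this page; it is not code from the post or from either thread it links to. The HKCU and HKLM Command Processor keys and the HKCU Winlogon key are the ones the post names; the HKLM Winlogon key is assumed by analogy, and its default Shell value of explorer.exe is the normal Windows setting. Without -Remove the script only reports; with -Remove it deletes an AutoRun or HKCU Shell value and restores HKLM Shell to explorer.exe, and it honours -WhatIf.

```powershell
<#
  Added example (not from the original post). Audits, and optionally cleans,
  the persistence locations the post describes:
    - Command Processor AutoRun (HKCU and HKLM): cmd.exe runs it on every start
    - Winlogon Shell (HKCU and HKLM): Windows runs it in place of explorer.exe
  Run from an elevated PowerShell so the HKLM entries can be read and fixed.
  The HKLM Winlogon path is assumed from the HKCU one named in the post.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor';                  Name = 'AutoRun'; Expected = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Command Processor';                  Name = 'AutoRun'; Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Expected = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Expected = 'explorer.exe' }
)

foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { [string]$item.($c.Name) } else { $null }

    # A value that is absent, or equal to the known-good default, is fine.
    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Host ("[ok]      {0}\{1} not set" -f $c.Path, $c.Name)
        continue
    }
    if ($c.Expected -and ($value.Trim() -eq $c.Expected)) {
        Write-Host ("[ok]      {0}\{1} = '{2}'" -f $c.Path, $c.Name, $value)
        continue
    }

    # Anything else is a finding: AutoRun is rarely set on a clean machine, and a
    # Shell value other than explorer.exe replaces the desktop itself. The
    # pattern below flags the specific names the post mentions; everything
    # else is marked for manual review rather than treated as malicious.
    $tag = if ($value -match 'SoundModule\.exe|%comspec%|\bcmd(\.exe)?\b') { '[SUSPECT]' } else { '[review] ' }
    Write-Warning ("{0} {1}\{2} = '{3}'" -f $tag, $c.Path, $c.Name, $value)

    if ($Remove -and $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", 'restore')) {
        if ($c.Expected) {
            # HKLM Shell must exist for logon to work, so restore the default.
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected
        } else {
            # AutoRun and a per-user Shell have no legitimate default: delete them.
            Remove-ItemProperty -Path $c.Path -Name $c.Name
        }
        Write-Host ("[fixed]   {0}\{1}" -f $c.Path, $c.Name)
    }
}
```

Two practical notes. If you need a command prompt on the affected machine, start it with `cmd /d`, which tells cmd.exe to skip the AutoRun value, so the miner is not relaunched by the very console you are cleaning up from. And a non-default HKLM Shell is not always malicious (kiosk and custom-shell deployments set it deliberately), which is why the script only marks such values for review unless they match the names given in the post; the Task Scheduler the post goes on to describe is a separate persistence location and is worth a look as well.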