Author Topic: [In Progress] how to remove C:\windows\syswow64\cmd.exe  (Read 524 times)

Offline crossworx

  • Bronze Member
  • Posts: 38
[In Progress] how to remove C:\windows\syswow64\cmd.exe
« on: February 13, 2017, 11:06:05 PM »
Broke my own rule and got this ****. Kaspersky can't get rid of it. Help please.
« Last Edit: March 15, 2017, 12:35:50 PM by negster22 »
Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #1 on: February 14, 2017, 05:47:19 AM »
 Hello crossworx,

I am Platypuss, I will be helping you with your problem.

Before we begin, please follow my simple rules:-
  • If you do not understand any instructions, Stop & Ask; do not risk creating further problems.
  • Please do not run any tools unless instructed to do so, because it may well cause unforeseen damage to your machine.
  • It may help you to print out my instructions, so that mistakes are not made.
  • I am a trainee here but my instructions are checked by my mentor; there may be some delay but you will get a high quality of service.
  • Malware removal is frequently complex; it takes time to analyse logs, please be patient.
  • I will advise you as soon as your computer is clean; until then it may still be infected!

A few items before we get started :
    -----------------------------------------------------------
    Change Settings to View File Extensions and Hidden Files
    Go to Start > Control Panel > Folder Options, and click on the View tab.
    Under "Files and Folders",

        Uncheck  "Hide Extensions for known File Types"
        Check    "Show Hidden Files, Folders and Drives"

    Click Apply and OK.

    If you use Firefox:
    ----------------------------------------------------------
    Set Firefox so it Asks Where to Save Downloads
    Open Firefox, then hit the Alt key if necessary, so you can see the menu bar at the top.
    In the top menu bar, click on the icon in the upper right with the lines and select Preferences.
    In the new dialog window that pops up:
    Under the General category on the left, click the radio button labeled "Always ask me where to save files"
    Exit Firefox (X in the upper right corner)

    If You use Chrome:
    ------------------------------------------------------------
    Set Chrome so it Asks Where to Save Downloads
    Open Chrome. Click on the Icon with the lines in the upper right corner.
    Click Settings
    Scroll down if necessary and click on Show Advanced Settings
    Under Downloads, click the box next to "Ask where to save each file before downloading"
    Now, every time you download anything, the location to save it will not be a mystery. You will have chosen.
    Exit Chrome (X in the upper right corner)

    If you use Internet Explorer:
    ------------------------------------------------------------
    Click the Tools menu in the upper right-corner of the browser (the "gear" icon).
    Select View downloads.
    Select the Options link in the lower left of the window.
    Click Browse and select the Desktop; then choose the Select Folder button.
    Click OK, and then Close to get out of the View Downloads screen.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


  Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
If you are using Windows XP and have a boot issue, the system should boot to the Recovery Environment using a PE Boot CD and then you can run FRST.

I need both FRST.txt & Addition.txt logs please.
Platypuss.
>>>>>>>>>>>>>>>>>>>>>>>>

Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #2 on: February 14, 2017, 05:15:40 PM »
The files were too big to post, so I sent them as attachments. Please let me know if you got them, and thanks!!

Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #3 on: February 14, 2017, 05:17:31 PM »
Here is the second one.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #4 on: February 15, 2017, 11:33:55 AM »
 Hello crossworx,

Just a couple of points while I am going through your log:-

I see you have P2P software (uTorrent) installed on your machine; having this kind of software installed will always make you more susceptible to re-infections. It may be contributing to your current situation.
It is a SpywareHammer rule that all P2P software must be removed from your computer whilst it is being cleaned, to prevent possible further reinfection. Would you be good enough to remove it now please.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Your Java is out of date:-
There has been recent severe exploitation of this software. Even though this exploit has reportedly been fixed there is still a vulnerability with the software; the entries below are currently all that you have installed that is Java related:-

BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-27] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-27] (Oracle Corporation)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)

  Java Issue
You may want to read these before you decide whether to keep Java on your system:
http://www.zdnet.com/a-close-look-a...eptive-software-with-java-updates-7000010038/
http://www.itworld.com/article/2940...-make-yahoo-your-default-search-provider.html

If You Decide to Keep it,
Download and Install the latest versions of Java Runtime Environment
from here :
http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html and install them on your computer.
If it won't allow you to get past the "Agree to the license" dialog, you will need to set your browser to temporarily allow scripts.
Check the button to agree to the license.
Select the links for your Platform, both jre-8u102-windows-i586.exe and jre-8u102-windows-x64.exe
Click them one at a time, download each and save them to your desktop.
Then double-click each on your desktop, and they will install the newest versions of Java for you to use.
During installation, be certain to Uncheck and Refuse any offer for "partner software" or toolbars.
When it finishes, you can remove the Installer(s) from your desktop.
(I don't have any Java on my system, but you may decide it's a "must have" for some games).
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Quote
the files were too big to post, so I sent as attachments
Please do not do that; I am unable to use my diagnostic tools readily & it doubles my time going through your log.
Simply split the log in half & post the halves separately.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

It appears that you have two firewalls running (Windows & Kaspersky); you only need one. I suggest that you disable one.
It also appears that you have two antispyware services running (Windows Defender & Kaspersky); you only need one. I suggest that you disable one.

Warning!
Running more than one resident protection program of the same type (antivirus, firewall or antispyware program) at the same time can result in unwanted conflict.

This can reduce the effectiveness of all your antispyware programs individually.

I am still going through your log.
Platypuss
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #5 on: February 15, 2017, 04:00:56 PM »
uTorrent gone, Java gone, Windows firewall was set to off, Kaspersky firewall was on and Windows Defender was ON and is now turned off. Got it with the attachments, just didn't know to split them up. Thanks.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #6 on: February 16, 2017, 11:49:19 AM »

Quote
Utorrent gone, java gone, window firewall was set on off, kaspersky firewall was on and windows defender was ON and now turned off
Very good, let`s continue:-

FRST Run & Fix
  • Open Notepad: Start > All Programs > Accessories > Notepad
  • Please copy all the text in the codebox below.
  • To do this, highlight the contents of the box, right-click on it and select Copy.
  • Right-click in the open Notepad and select Paste.
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change Encoding: to Unicode, please agree and save it.
NOTE: Both FRST64.exe and the fixlist.txt must be in the same location (Desktop) or the fix will not work.
Code:
Start::
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-27] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-27] (Oracle Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-27] (Oracle Corporation)
CHR HKLM\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
CHR HKLM-x32\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
CustomCLSID: HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\sonny.sonny
CustomCLSID: HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\sonny.sonny
CustomCLSID: HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\sonny.sonny-
Task: {B3CF61FB-B4FD-4F3B-87B4-E39E4D085995} - \AutoKMS -> No File <==== ATTENTION
FirewallRules: [{1E5BF610-0422-44C5-A37A-9FD213104630}] => C:\Users\sonny.sonny-PC\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F902AC97-D36E-419A-B753-D834628527A9}] => C:\Users\sonny.sonny-PC\AppData\Roaming\uTorrent\uTorrent.exe
cmd: ipconfig /flushdns
reboot:
End::

  • Double-click FRST64 to run the tool.
  • If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log Fixlog.txt in the same location from where it was run.
  • Please post the Fixlog.txt log in your reply.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Was there any reason for running your FRST in Safe mode?
Run Zoek in normal mode please.

Download & Run Zoek

Download zoek.exe from here: http://hijackthis.nl/smeenk/ and save it to your Desktop.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the download or execution of Zoek.exe.
You can find instructions on how to disable your security applications >> Here<< or >> Here

  • Double-click zoek.exe to start the program.
  • Copy and paste the following script in the code box:
Code:
createsrpoint;
process;
filescrm;
Silent Runners;
Auto Clean;
emptyfoldersdcheck;ff
  • Note: This script is written for usage on this user's computer; do not use it on another computer even if the problems are similar!
  • Close any open browsers.
  • Click the "Run script" button and wait patiently.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your system drive (normally C:\).
  • Please post the logfile for further review in your next reply.

I need the Fixlog.txt & zoek-results.log please.
Give it some time & let me know how the computer is running now please.
Platypuss
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #7 on: February 16, 2017, 10:59:14 PM »

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by sonny on Thu 02/16/2017 at 23:07:13.06.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\sonny.sonny-PC\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2017-02-16-212552.log   17592 bytes
C:\zoek-results2017-02-17-034828.log   1657 bytes

==== System Restore Info ======================

2/16/2017 11:08:02 PM Zoek.exe System Restore Point Created Successfully.

==== Running Processes ======================

C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0 (1)\avp.exe
C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0 (1)\avpui.exe
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Users\sonny.sonny-PC\Desktop\zoek.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe

==== C:\zoek_backup content ======================

C:\zoek_backup (files=67 folders=27 76100804 bytes)

==== EOF on Thu 02/16/2017 at 23:08:27.74 ======================

Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #8 on: February 16, 2017, 11:00:04 PM »
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-02-2017 02
Ran by sonny (16-02-2017 15:51:19) Run:1
Running from C:\Users\sonny.sonny-PC\Desktop
Loaded Profiles: sonny (Available Profiles: sonny)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start:
CloseProcesses:
CreateRestorePoint:
  HKLM-x32\...\Run: [] => [X]
  HKU\S-1-5-18\...\Run: [] => 0
  SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
  SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
  BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
  BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin    \ssv.dll [2015-01-27] (Oracle Corporation)
  BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin    \jp2ssv.dll [2015-01-27] (OracleCorporation)
  FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015  -01-27] (Oracle Corporation)
  CHR HKLM\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] -     hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
  CHR HKLM-x32\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] -     hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
  CustomCLSID: HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32    -> C:\Users\sonny.sonny
  CustomCLSID: HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32   -> C:\Users\sonny.sonny
  CustomCLSID: HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-    3CBE29274458}\InprocServer32 -> C:\Users\sonny.sonny-
  Task: {B3CF61FB-B4FD-4F3B-87B4-E39E4D085995} - \AutoKMS -> No File <==== ATTENTION
  FirewallRules: [{1E5BF610-0422-44C5-A37A-9FD213104630}] => C:\Users\sonny.sonny-PC\AppData\Roaming\uTorrent\uTorrent.exe
  FirewallRules: [{F902AC97-D36E-419A-B753-D834628527A9}] => C:\Users\sonny.sonny-PC\AppData\Roaming\uTorrent\uTorrent.exe
cmd:Ipconfig/flushdns:
reboot:

*****************

start: => Error: No automatic fix found for this entry.
Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key removed successfully
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=11.31.2 => key not found.
C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll => not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\fhoibnponjcgjgcnfacekaijdbbplhib => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fhoibnponjcgjgcnfacekaijdbbplhib => key removed successfully
HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key removed successfully
HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key removed successfully
HKU\S-1-5-21-852269278-3011722161-1824587135-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-    3CBE29274458} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{B3CF61FB-B4FD-4F3B-87B4-E39E4D085995} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B3CF61FB-B4FD-4F3B-87B4-E39E4D085995} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E5BF610-0422-44C5-A37A-9FD213104630} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F902AC97-D36E-419A-B753-D834628527A9} => value not found.

========= Ipconfig/flushdns: =========


Error: unrecognized or incomplete command line.

USAGE:
    ipconfig [/allcompartments] [/? | /all |
                                 /renew [adapter] | /release [adapter] |
                                 /renew6 [adapter] | /release6 [adapter] |
                                 /flushdns | /displaydns | /registerdns |
                                 /showclassid adapter |
                                 /setclassid adapter [classid] |
                                 /showclassid6 adapter |
                                 /setclassid6 adapter [classid] ]

where
    adapter             Connection name
                       (wildcard characters * and ? allowed, see examples)

    Options:
       /?               Display this help message
       /all             Display full configuration information.
       /release         Release the IPv4 address for the specified adapter.
       /release6        Release the IPv6 address for the specified adapter.
       /renew           Renew the IPv4 address for the specified adapter.
       /renew6          Renew the IPv6 address for the specified adapter.
       /flushdns        Purges the DNS Resolver cache.
       /registerdns     Refreshes all DHCP leases and re-registers DNS names
       /displaydns      Display the contents of the DNS Resolver Cache.
       /showclassid     Displays all the dhcp class IDs allowed for adapter.
       /setclassid      Modifies the dhcp class id. 
       /showclassid6    Displays all the IPv6 DHCP class IDs allowed for adapter.
       /setclassid6     Modifies the IPv6 DHCP class id.


The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                       ... Show information
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew any connection that has its
                                         name starting with EL
    > ipconfig /release *Con*        ... release all matching connections,
                                         eg. "Local Area Connection 1" or
                                             "Local Area Connection 2"
    > ipconfig /allcompartments      ... Show information about all
                                         compartments
    > ipconfig /allcompartments /all ... Show detailed information about all
                                         compartments

========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 15:51:56 ====

Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #9 on: February 17, 2017, 12:32:35 AM »
My computer runs fine. I have had my Kaspersky give me a warning, "C:\windows\syswow64\cmd.exe, legitimate program that can be used by criminals to damage your computer or personal data". Kaspersky wants me to resolve the issue, but when I click the "resolve" button nothing happens. I just keep getting the warning.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #10 on: February 17, 2017, 02:37:40 PM »
Quote
my computer runs fine. I have had my Kaspersky give me a warning, "C:\windows\syswow64\cmd.exe, legitimate program that can be used by criminals to damage your computer or personal data". Kaspersky wants me to resolve the issue

Yes, I am going through the procedure to ensure that you do not actually have any such infestation on your computer & that particular folder is not infected.

I would just like to make one final check:-

Please download Malwarebytes' Anti-Malware Free Download to your Desktop.
  • Double-click Free Download and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • Click on the Scan tab > Click on the Custom Scan sub tab > Click on Configure Scan, tick the box "Scan for rootkits" and ensure the C: box is ticked.
  • Ensure the sub tab boxes for PUP and PUM entries are changed to "Treat detections as malware".
  • Then click on Scan Now. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is completed; a log will open, click on Save Results.
  • Select Copy to Clipboard and click Quarantine Selected.
  • Select Restart computer; when restarted:
  • click on the Desktop MBAM icon
  • Select Reports on the appearing MBAM window
  • Now tick the box of the latest report shown & select View Report
  • Click Export > From Export you have these options:-
          Copy to Clipboard - if selected, right-click in your reply and select "Paste"; the log will be pasted into your reply
          Text file (*.txt) - if selected, you will have to name the file and save it to your Desktop, then attach it to your reply
  • I recommend you use "Copy to Clipboard", then right-click in your reply > select "Paste"; that will copy the log to your reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

I need the MBAM log please
Platypuss
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
« Last Edit: February 17, 2017, 02:43:56 PM by PLATYPUSS »

Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #11 on: February 17, 2017, 06:46:45 PM »
After 3 hours of scanning I only received a "Finish" button to click. There were no threats found though. I will run the scan again later tonight.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #12 on: February 18, 2017, 04:23:06 AM »

Yes, I ran my copy last night & it was particularly slow.
I now see that there are complaints regarding this.
Let me know how your second scan went please.
Platypuss

Offline crossworx

  • Bronze Member
  • Posts: 38
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #13 on: February 18, 2017, 10:22:15 AM »
I found the "save to" in the lower right corner. Saved to clipboard but now cannot find where it was saved to. I have Windows 7. Didn't find any threats.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 443
Re: how to remove C:\windows\syswow64\cmd.exe
« Reply #14 on: February 18, 2017, 03:02:14 PM »
Quote
Didn't find any threats


That is good. Your computer is now clean :)
So just one final scanner to run, which removes my tools & conducts necessary maintenance:-

Please download Delfix by Xplode and save it to your desktop.

Or use the following if the first link is down: Delfix

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make sure the following items are checked:
  • Remove disinfection tools <----- this will remove the tools we have used.
  • Create registry backup <------ this will create a registry backup with ERUNT; the backup will be created here: C:\Windows\ERUNT.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point will be created.
  • Reset system settings <---- this will reset any system settings back to default that were changed either by us during cleansing or by malware/infection.
  • Now click on Run and wait patiently until the tool has completed.
  • The tool will create a log when it has completed. I don't need you to post this.
  • The Zoek log files & the C:\zoek_backup folder will have to be removed manually.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Regarding the Kaspersky notification on the file path C:\WINDOWS\syswow64\cmd.exe: you now know that it is not infected.
It is not within my remit to interfere with security vendors' software.
However, there is such a query raised HERE on the Kaspersky Lab Forum, which should yet provide an answer for you.

Next,
Please read the following link to fully understand PC security and best practices; you may find it very useful.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629
Platypuss
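The thread ends with the conclusion that C:\Windows\SysWOW64\cmd.exe is the genuine Windows file and that the Kaspersky alert concerns a legitimate program. The following PowerShell script, an added example that is not part of the thread or of any tool used in it, is the check a responder would run to confirm that conclusion on the machine itself: it compares the two system copies of cmd.exe (signer, version, SHA-256), asks Windows File Protection to verify the flagged file, and lists every running cmd.exe with the process that launched it. It assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example (not from the thread): verify that the cmd.exe flagged by the
# AV alert is the genuine Windows binary and see what is launching it.
# Run from an elevated PowerShell prompt.

$paths = @(
    "$env:SystemRoot\System32\cmd.exe",   # native 64-bit copy
    "$env:SystemRoot\SysWOW64\cmd.exe"    # 32-bit copy, the one in the alert
)

# 1. Signer, version and hash of each system copy. A healthy machine shows
#    'Microsoft Corporation' as company and a Microsoft signer; the two
#    copies have different hashes because they are different builds (x64/x86).
$fileReport = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "$p is missing"
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $ver  = (Get-Item -LiteralPath $p).VersionInfo
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $p
        Company   = $ver.CompanyName          # expect 'Microsoft Corporation'
        Version   = $ver.FileVersion
        # Windows components are usually catalog-signed rather than carrying
        # an embedded signature, so on Windows 7 this can read 'NotSigned'
        # even for a genuine file; step 2 is the authoritative check there.
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
    }
}
$fileReport | Format-List

# 2. Windows File Protection / System File Checker on the flagged file.
#    "did not find any integrity violations" means the file matches the
#    protected component store; a replaced or patched binary is reported.
sfc /verifyfile=$env:SystemRoot\SysWOW64\cmd.exe

# 3. Running cmd.exe instances and their parents. The alert is about the
#    program being *used*, so the parent (e.g. a cleanup tool, a scheduled
#    task, or something in a user profile) is what actually matters.
$procs = Get-WmiObject -Class Win32_Process
$cmds  = $procs | Where-Object { $_.Name -ieq 'cmd.exe' }
$procReport = foreach ($c in $cmds) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $c.ParentProcessId }
    [pscustomobject]@{
        Pid         = $c.ProcessId
        Path        = $c.ExecutablePath
        CommandLine = $c.CommandLine
        ParentPid   = $c.ParentProcessId
        Parent      = if ($parent) { $parent.ExecutablePath } else { '<exited>' }
    }
}
if ($procReport) { $procReport | Format-List } else { 'No cmd.exe running.' }

# 4. Any copy of cmd.exe outside the two system directories is worth a look;
#    genuine Windows never installs it under a user profile.
Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter cmd.exe -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

In this thread the three cmd.exe instances in the zoek log were children of zoek.exe, which is what step 3 would have shown; with steps 1, 2 and 4 clean, the remaining alert is the vendor's warning about a legitimate program rather than an infection.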