
CMD.exe closes immediately - unusual line in AutoRun registry entry

I've noticed that my command line doesn't start anymore; it just immediately minimizes and closes itself on launch. I suspect this is due to a virus, or at least some kind of malicious program having been executed. I found the following code in my registry. It seems legible, but my knowledge of batch / the command line is limited. Can anyone tell me what it does?

@mode 20,5 & tasklist /FI "IMAGENAME eq SoundModule.exe" 2>NUL | find /I /N "SoundModule.exe">NUL && exit & if exist "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" ( start /MIN "" "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )

According to this reddit thread, it's a "vmprotected cryptocurrency miner".

You most likely got it if you installed anything you downloaded from the torrent network, for example a popular game released in the past few weeks :^)

The following SO thread contains part of the solution: CMD.exe closes immediately after calling (Win7 64)

The malicious party added an AutoRun directive via the registry to the Windows Command Processor (usually cmd.exe), which you need to remove from any of the following locations it's present in:

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor

What the directive does is execute SoundModule.exe and then explorer.exe (if not already started).

According to the other reply in this thread, they set %comspec% to run at startup, via Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

So on startup, it's running %comspec% (instead of the default Windows Explorer), which itself on start first runs SoundModule.exe and then explorer.exe. Not sure why they did it this way; anyone who makes use of cmd.exe was bound to figure it out and spread the word.

There are at least two confirmed VirusTotal records for this file: [1], [2]

I had the same program on my computer. Check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the Shell value, which is most likely "%comspec%" (which makes sense of why it was just cmd running on startup, since %comspec% is cmd.exe), and change it to "explorer.exe".

Run regedit. Go to HKLM\Software\Microsoft\Command Processor\ or HKEY_CURRENT_USER\Software\Microsoft\Command Processor\ or HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\.

For some reason there was an AUTORUN key with "EXIT" inside.

Remove the AutoRun key and cmd will work fine. Then check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the Shell value, which is most likely "%comspec%" (which makes sense of why it was just cmd running on startup, since %comspec% is cmd.exe), and change it to "explorer.exe" as the user above said.

Edit: I also found that it was a cryptocurrency mining virus located at %appdata%\Microsoft\SoundModule, or SoundMixer in my case. You should probably delete this file too.

For reference, I will add that I was able to verify that my issue was the AutoRun registry key by using Win-R to bring up the "Run" dialog and typing cmd /d (which disables any AutoRun, per the Windows docs: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmd). This successfully opened a command prompt window.

Inspecting the registry, my HKEY_CURRENT_USER\Software\Microsoft\Command Processor had AutoRun as Type=REG_SZ and Data=if exist. I made a restore point, then renamed that key to AutorunOld... and then I was able to open a command prompt without issue.
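As an added example (not code from any of the posts above), the following PowerShell script does in one pass what the answers describe by hand: it confirms with cmd /d that cmd.exe itself is intact, renames the AutoRun value under both Command Processor keys so its contents survive for analysis, resets a Winlogon Shell value that has been pointed at %comspec%, and stops and quarantines the SoundModule / SoundMixer payload from %APPDATA%. Checking the HKLM Winlogon key as well, and the Quarantine folder under the user profile, are my additions and not from the thread. Run it from an elevated PowerShell, otherwise the HKLM values cannot be changed.

```powershell
# Added example, not from the original thread. Cleans the cmd.exe AutoRun and
# Winlogon Shell persistence described above. Run from an elevated PowerShell.

# 1. Sanity check: /d makes cmd skip AutoRun. If this prints OK, cmd.exe itself
#    is fine and the AutoRun value is what closes the normal prompt.
& cmd.exe /d /c 'echo OK'

# 2. cmd.exe AutoRun: cmd executes the value from both hives, so check both.
foreach ($key in 'HKCU:\Software\Microsoft\Command Processor',
                 'HKLM:\SOFTWARE\Microsoft\Command Processor') {
    $autorun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($null -eq $autorun) { continue }
    Write-Host "[$key] AutoRun = $autorun"
    # cmd only reads a value named exactly 'AutoRun'; renaming it (as the last
    # answer did) neutralises it while keeping the content for analysis.
    Rename-ItemProperty -Path $key -Name AutoRun -NewName AutoRunOld
}

# 3. Winlogon Shell: a per-user value overrides the machine default (explorer.exe).
#    HKCU is what the thread reports; HKLM is checked too (my addition).
foreach ($key in 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
                 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        Write-Host "[$key] Shell = $shell  (expected explorer.exe)"
        Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe'
    }
}

# 4. The payload: stop it and move the folder out of %APPDATA% into a quarantine
#    directory (assumed path) rather than deleting it, so the hash can still be
#    looked up on VirusTotal afterwards.
$quarantine = Join-Path $env:USERPROFILE 'Quarantine'
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($name in 'SoundModule', 'SoundMixer') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
    $dir = Join-Path $env:APPDATA "Microsoft\$name"
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File | ForEach-Object {
            Write-Host "$($_.FullName) SHA256=$((Get-FileHash -Path $_.FullName).Hash)"
        }
        Move-Item -Path $dir -Destination $quarantine -Force
    }
}

# 5. Verify: a plain cmd (AutoRun now honoured again) must stay open and print OK.
& cmd.exe /c 'echo OK'
```

After the reboot, check that explorer.exe starts as the shell and that nothing has re-created the AutoRun value; a miner dropped with installer privileges may have a second persistence mechanism (scheduled task, service) that this thread does not cover, so a scan with an up-to-date antivirus is still advisable.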

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please credit this site or the original address. For any question contact yoyou2525@163.com.

© 2020-2024 STACKOOM.COM