
Recently I scanned my disk with MalwareBytes Anti-Malware and then accepted quarantine of a specific registry key (I don't remember which one it was) which seemed to be related to cmd.exe. After this scan and quarantine, cmd.exe starts, changes the window size to very small and quits in less than a second. Even from PowerShell it does the same, but leaves me in PowerShell, not closing the PowerShell window. I was suspecting some malware, but nothing is found by MBAM. There could have been an edit of a registry key related to cmd which MBAM has deleted, and now it is not working properly.

What can I do to fix the problem with cmd.exe?

  • What version of Windows are you running? Can you boot into the recovery console and run SFC? Commented Mar 29, 2018 at 19:47
  • Windows 10 Pro x64, version 1709 - 16299.309. SFC didn't find anything wrong. I don't have any restore point.
    – pbies
    Commented Mar 29, 2018 at 19:49
  • "Quarantine" suggests that it's preserved by MBAM, and can be reviewed (and possibly restored). Have you looked to see what the entry in question was? What else, beside SFC, have you tried to analyze or correct the problem? Commented Mar 29, 2018 at 19:52
  • If you have reviewed the quarantined entry, what, specifically, was it? Commented Mar 29, 2018 at 19:53
  • I am out of ideas what to do. Log from MBAM: PUM.Optional.CMDShell, HKU\S-1-5-21-3182972637-540971354-4033272233-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|SHELL, Added to quarantine, [6749], [464572],1.0.4528
    – pbies
    Commented Mar 29, 2018 at 19:57

1 Answer


This was malware named "Sound Mixer", a cryptocurrency miner. Not detected by MalwareBytes Anti-Malware, but detected by MalwareBytes Anti-Rootkit. I've removed the AutoRun key in [HKEY_CURRENT_USER\Software\Microsoft\Command Processor] and now cmd is working fine.

  • Please don’t use unfamiliar acronyms
    – Ramhound
    Commented Mar 30, 2018 at 0:45
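The two registry locations that come up in this thread are both legitimate Windows features that malware reuses for persistence: `HKCU\Software\Microsoft\Command Processor\AutoRun` holds a command line that cmd.exe executes every time it starts (which explains the window flashing and closing), and `Winlogon\Shell` replaces the user's shell. The following PowerShell script is an added example, not code from the question or the answer; it audits those values on the current machine and reports anything that is not in its default state. The list of paths and the "expected" defaults are assumptions based on a standard Windows 10 install.

```powershell
# Added example (not from the original post): audit the registry values that
# this thread identifies as the hijack points for cmd.exe and the user shell.
# Default state assumed here: no AutoRun value at all, no per-user Winlogon
# Shell value, and the machine-wide Winlogon Shell set to "explorer.exe".
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor'; Name = 'AutoRun'; Expected = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Command Processor'; Name = 'AutoRun'; Expected = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expected = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expected = 'explorer.exe' }
)

function Get-CmdHijackReport {
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Path) {
            # -ErrorAction SilentlyContinue: a missing value is the normal case for AutoRun.
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $status = if ($null -eq $value -and $null -eq $c.Expected) { 'OK (absent)' }
                  elseif ($value -eq $c.Expected)                  { 'OK' }
                  else                                             { 'SUSPICIOUS' }
        [PSCustomObject]@{ Path = $c.Path; Name = $c.Name; Value = $value; Status = $status }
    }
}

# Print the report; anything marked SUSPICIOUS deserves a look at the command
# it points to before deciding whether to remove it.
Get-CmdHijackReport | Format-Table -AutoSize

# Cleanup step for the case the answer describes: a rogue per-user AutoRun.
# -WhatIf only shows what would be deleted; drop it once the value is confirmed malicious.
if (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Command Processor' -Name 'AutoRun' -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Command Processor' -Name 'AutoRun' -WhatIf
}
```

A useful diagnostic while the AutoRun value is still present: starting cmd with `cmd /d` disables execution of AutoRun commands, so if that window stays open while a plain `cmd` closes instantly, the AutoRun value is the cause. The machine-wide HKLM AutoRun value applies to every user and needs an elevated prompt to remove.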
