weird virus and command prompts related to mail.ru BITSADMIN opens at startup

system · 2017-10-23T01:41:38.000Z

I’ve been having this problem all day, I tried removing it with malwarebytes, adwcleaner and JRT but this prompt still appears on startup
Attached a FRST log
Help me please

SassDrake · 2017-10-23T08:01:51.000Z

Open Notepad (click Start button → type notepad.exe → press Enter)
Copy text from code block below and paste it into Notepad

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
BootExecute: autocheck autochk * sdnclean64.exe
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
Task: {3F3FD970-6D5D-4050-BF60-E1652500D59F} - System32\Tasks\5C4502B04B5 => "C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd" 
Task: {A04F0DED-0D78-46FD-98D8-4A390CC63B65} - System32\Tasks\98E35C9D23B1 => "C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd"
VirusTotal: C:\WINDOWS\SysWOW64\8256711.exe
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\Temp\f2h98xkf99.exe
C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd
C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd
cmd: bitsadmin /RESET /ALLUSERS
EmptyTemp:

Go to File → Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

system · 2017-10-23T13:24:18.000Z

Thank you so much for replying!
I had to reboot and cmd still tried to run but this time it was empty (no commands running) and it just disappeared 1 second after it appeared.

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-10-2017
Ran by JoseAlejandroPC (23-10-2017 08:12:12) Run:1
Running from C:\Users\JoseAlejandroPC\Desktop
Loaded Profiles: JoseAlejandroPC (Available Profiles: JoseAlejandroPC & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
BootExecute: autocheck autochk * sdnclean64.exe
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
Task: {3F3FD970-6D5D-4050-BF60-E1652500D59F} - System32\Tasks\5C4502B04B5 => "C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd" 
Task: {A04F0DED-0D78-46FD-98D8-4A390CC63B65} - System32\Tasks\98E35C9D23B1 => "C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd"
VirusTotal: C:\WINDOWS\SysWOW64\8256711.exe
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\Temp\f2h98xkf99.exe
C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd
C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd
cmd: bitsadmin /RESET /ALLUSERS
EmptyTemp:
*****************

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
HKLM\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3F3FD970-6D5D-4050-BF60-E1652500D59F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F3FD970-6D5D-4050-BF60-E1652500D59F} => key removed successfully
C:\WINDOWS\System32\Tasks\5C4502B04B5 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\5C4502B04B5 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A04F0DED-0D78-46FD-98D8-4A390CC63B65} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A04F0DED-0D78-46FD-98D8-4A390CC63B65} => key removed successfully
C:\WINDOWS\System32\Tasks\98E35C9D23B1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\98E35C9D23B1 => key removed successfully
VirusTotal: C:\WINDOWS\SysWOW64\8256711.exe => https://www.virustotal.com/file/452eb204875973149566fed16fe8869f3ee9cb11961b50dd088e5efb5a093889/analysis/1508583519/
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd => https://www.virustotal.com/file/e313bc84cf631e99a776feda312adfa2090b90d26885f97787388a28e8b2fde8/analysis/1508764334/
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd => https://www.virustotal.com/file/0ad0a02cc3572f3a5512844f83778d5b6e49d981c377710ba07a73126d48da72/analysis/1508764335/
VirusTotal: C:\Users\JoseAlejandroPC\AppData\Local\Temp\f2h98xkf99.exe => Error()
C:\Users\JoseAlejandroPC\AppData\Local\2B8845.cmd => moved successfully
C:\Users\JoseAlejandroPC\AppData\Local\1A5159A.cmd => moved successfully

========= bitsadmin /RESET /ALLUSERS =========


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{92B0FE23-5119-4C4E-A4A3-B4A8D3CD51A6} canceled.
{24A6BC72-A0F9-45B7-88A0-6D432489F39F} canceled.
2 out of 2 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 27118771 B
Java, Flash, Steam htmlcache => 281283386 B
Windows/system/drivers => 1678379 B
Edge => 1089334 B
Chrome => 409573375 B
Firefox => 13978921 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 51284 B
NetworkService => 7264046 B
JoseAlejandroPC => 433784286 B
Administrator => 17740 B

RecycleBin => 46077689894 B
EmptyTemp: => 44 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 08:13:25 ====

SassDrake · 2017-10-23T14:43:34.000Z

Can you restart PC one more time and report if you are still getting CMD window during startup?

system · 2017-10-23T15:25:02.000Z

I just restarted and everything seems to work normally, cmd.exe didn’t appear at all this time and I think this is finally solved!
Thank you so much for helping me, I’m really grateful for all the support

SassDrake · 2017-10-23T16:23:16.000Z

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.]
Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

Announcements