Question Crazy malware/trojan on my PC. (CMD flashing open and closed frequently)

Shpeckledorf

Honorable
Apr 8, 2016
33
0
10,540
Hello everyone,

I am completely stuck on this one. I've always been able to remove viruses/malware from my computer but whatever is going on has me beat. For the past few weeks, a CMD window has been popping up on my screen and going away really fast. Not every hour, but every 10-20 minutes. It will tab out of whatever game I'm playing, and is enough to distract me and quite frankly worry me because I have no idea what commands it is executing or what it's doing. The CMD box pops up and disappears so quickly that for so long I couldn't see what it said.

Yesterday, I managed to screen record for about 25 minutes, and the window popped up. I put it in a video editor and slowed it down, and was able to see what the window was executing. Here is a screenshot

The path is:

C:\Users\00000000000000000000\AppData\Roaming\reirhbg

I cannot find this file where it says it is (I have hidden files enabled), however I can run it through Win+R. When I do, Windows tells me I am trying to run a system file, and that if I edit it or remove it Windows may become unstable. I'm then given the option to open it in something, and I chose Notepad++, but I just get a bunch of lines of [NULL], and near the bottom there is something about Microsoft this and that.

What I've tried:

Running Hitman Pro, Running Malwarebytes Premium with all options enabled, Turning off CMD through group policy, Uninstalling all unnecessary programs, Ran CCleaner registry cleaner, Ran Malwarebytes Adware Remover, Checked Task Scheduler, Checked Event Viewer right after it happened

I do not have Office installed. Office is not updating every hour.

My specs:

Windows version: 20H2, OS Build: 19042.1083, 2 RTX 2080 TI's, Core i9 9900KF, 32GB 4266 Corsair Vengeance RAM

If you got this far, I appreciate it. Please let me know if you have experienced this before or have any idea what is going on because it is very concerning and if anything distracting as it tabs out of my games or what I'm doing and I have to reopen them.
Thanks in advance.
 

Shpeckledorf

Nuke from orbit. Reformat and fresh install. "It's the only way to be sure" (lol)

I would consider any connected drive to be suspect as well.

Hope you have secure data backups.
I have a huge network drive attached and a bunch of drives with my plugins on them.. I really hope I wouldn't have to reformat :((
 

punkncat

Champion
Ambassador
I have a huge network drive attached and a bunch of drives with my plugins on them.. I really hope I wouldn't have to reformat :((

Just keep in mind that one of the most problematic features of a good virus is its ability to propagate itself to other locations that it can access. This would make any connected drive, any network location with access permissions and even other computers on the LAN possibly infected.

You could possibly "clean" your system of it, just to be re-infected from any of those other locations.

IF this virus is actually what is opening a command window, I suspect you have quite an issue on your hands.
 

Shpeckledorf

I ended up going to the path the CMD window was at, and was able to find the file and one other suspicious one by turning on "view system files". I deleted them. In the morning (today) I couldn't get my PC to boot. I ended up going in the BIOS and changing around a few things and it booted, but I'm not sure why I had to do that. As for the popup, I don't get it anymore. It had to be malware. Deleting the files did the trick. I just played 20+ games and didn't have a single interruption.
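
A read-only triage for the situation described in this thread, added here as an example and not posted by any participant: it lists Hidden/System files under `%APPDATA%` that Explorer does not show by default, hashes them, and looks for what launches them. `$Name` is taken from the path in the first post; the event-log step assumes an elevated shell and that process-creation auditing (event 4688) is enabled, otherwise it returns nothing.

```powershell
# Added example (read-only): find the hidden file and whatever starts it.
$Name    = 'reirhbg'                      # name seen in the CMD window path
$Pattern = [regex]::Escape($Name)

# 1. -Force returns items with the Hidden and System attributes, which
#    Explorer omits unless protected operating system files are shown.
$hits = Get-ChildItem -LiteralPath $env:APPDATA -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern }
$hits | Select-Object FullName, Attributes, Length, CreationTime, LastWriteTime

# 2. Record SHA-256 hashes before anything is deleted, so the files can be
#    looked up or reported later.
$hits | Where-Object { -not $_.PSIsContainer } |
    Get-FileHash -Algorithm SHA256 | Format-List Path, Hash

# 3. Scheduled tasks whose action references the name (a task firing every
#    10-20 minutes would match the symptom in the first post).
Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $Pattern
} | Select-Object TaskPath, TaskName, State

# 4. Run keys (per-user and machine-wide) that reference the name.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
        Select-Object @{ n = 'Key'; e = { $key } }, Name, Value
}

# 5. Recent process-creation events mentioning cmd.exe; the event message
#    names the creator (parent) process, which identifies the launcher.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'cmd\.exe' } |
    Select-Object TimeCreated, Message -First 5 | Format-List
```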