Windows Command Processor infection and possible deeper one?



Hello there, my name is Alex (Thejoindemand) and I've got a big issue. First of all I would like to apologise if my English isn't correct; this is because I am not a native English speaker, so please bear with it.

As of a few days back (6) I noticed in Task Manager that there were 2-5 programs appearing and, after 1 second, disappearing, which I find very strange because it is not known for my computer to do so. I started to look up and down and I noticed ''Windows Command Processor'', which I wasn't familiar with. After seeing the process, it just keeps showing now.

If I keep looking it has a single process, but at some points it comes double, or even triple, above each other, and then 1 or 2 disappear and only 1 is showing.

Shutting 1 of those down only makes them go away for 1-5 seconds before showing up again.

At the same time, in the Windows processes I've got 1 Console Window Host opened even if I have nothing opened and just started my computer, and I noticed that when ''Windows Command Processor'' got 1 or 2 extra processes, as I said above, it also doubles the Console Window Host, and after a while they also disappear and only 1 is showing.

I tried to right click on the process ''Windows Command Processor'' and the location is very strange: This PC/Local Disk (C:)/Windows/SysWOW64. I know a bit about computers and I know this isn't right for a program like that to be there, so I searched it up online, and in that location it is mostly a trojan with mean purposes.

Now I know what to do, so first of all I scanned my computer (full system scan) with Bitdefender 2017 (main antivirus) and updated it, but it says it can't find anything.

Still not trusting it, I scanned with Malwarebytes and it showed some tracking cookies. Still not satisfied, I scanned with HitmanPro, and it gave something, which I will include in the attachment.

The first suspicious file: C:\Users\Alex\AppData\Local\PunkBuster\BF4\pb\PnkBstrK.sys. If I remember correctly, this is the anti-cheat program of Battlefield 4, which I have, so that didn't ring any alarm bells for me.

The second suspicious file, however, did make some bells ring: C:\Windows\System32\drivers\TrueSight.sys. This file is completely unknown to me and I also can't link it to anything. Because I don't want to harm my system, I just clicked X on HitmanPro and stopped there so I won't harm my system.

I did another virus scan with RKill and it stated no harmful files or processes, but it did give me 2 notices:

 * Checking for processes to terminate:

  C:\Windows\SysWOW64\ASGT.exe (PID: 1472) [WD-HEUR]

1 proccess terminated!

Performing miscellaneous checks:

*Windows Defender Disabled!

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

I don't know if this is caused by something or is normal because I've got an antivirus, but still I find it odd.

Furthermore, I did a rootkit scan with NPE (Norton Power Eraser) and it showed nothing when done. Still not satisfied.

Last but not least, I did a Windows normal system scan and a Safe Mode with internet connection scan with Rogue, which showed something, but not really relatable to the possible trojan/virus I suspect I have. This scan will also be in the attachment.

And since I did those scans, I noticed that whenever I am on Google Chrome (I've got 2 widescreen gaming computer screens) on the left screen, and on the right screen I had Task Manager/nothing opened, what would happen is that on the left screen Google Chrome would act like I was doing something on the right screen, and it would go to the right screen to do something else, like Google Chrome is inactive, and I had to click on it again to use/continue what I was doing (like scrolling, typing etc.), which I find very frustrating/weird, and I think it has to do with something that doesn't belong on my computer.

Something that started occurring on 27 March 2017, after I turned my computer on after the night, is that whenever I would create a folder/text document on my desktop it would take ages to even load the right mouse click menu, and sometimes it just won't give me the option to create something and just gets stuck with the round loading thing of Windows 8.1, and I couldn't even open a program from my desktop. The strange thing is it could be related to a full/hard working SSD, but when I try it, it just peaks at 32% SSD usage and then drops to 18%. So that can't be it, so I also relate this to something that isn't welcome on my computer.

Today (28 March 2017) I noticed, when I was checking Task Manager again, that I saw 2 NET COMMAND programs in Task Manager, and without even time to right click on them they disappear. I could wait for them or whatnot and they wouldn't come back. I closed Task Manager again, opened it and scrolled very fast down to see those 2 for half a second before disappearing. I trust almost nothing on my computer except what I can relate to something or that I manually downloaded, so I opened source control to check the services running in the background/some that are hidden. I can't find NET COMMAND anywhere, but I stumbled on Smss.exe that was completely hidden and kept switching up and down if I would scroll down and up. Smss.exe has NO information on where it comes from, the creator, or whatever else is normally there. Completely nothing! So that is also something I won't trust for sure.

In Task Manager ''Startup'', where I shut down programs I don't want to run directly when starting (to keep booting/starting up fast), I also have 3 programs that are completely blank; I can only shut them down (it appears) and nothing else, I can only choose 'search online' and that's it. I noticed these since I found out about the ''Windows Command Processor'' virus. I don't know if it can be related to some of these things I have, but I also hope those can be helped, to know what they are and what they do.

I also noticed I have an unusual amount of Service Host: Local Service and Service Host: Remote Procedure Call opened.

If needed, I also have an MP4 file of the multiple ''Windows Command Processor'' doing its multiplying thing; if that is needed, it is possible to explain it more if it is not clear enough.

I hope this helps a lot to help me; if possible, please help me with this problem. I can do a lot myself, but if it comes to this I'd rather have help from people that know what they are doing, so I won't permanently damage my system and make it unusable. I also want to try what is possible before I have to go to the last resort (complete clean install of Windows + SSD wipe).

NOTICE! I had to translate FRST.txt, Addition.txt, HITMANPRO.log, Rkill.txt and Rogue.txt because some parts were in my native language (Dutch). I translated them with Google Translate, BUT notice some can be WRONGLY TRANSLATED.

Thanks already, and I will keep a direct eye on this thread!

Alexander ~Thejoindemand.

FRST.txt

Addition.txt

HitmanPro_20170427_2007.log

Rkill.txt

Rogue.txt
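A defender's check for the symptoms in the post above, and for the later question about which process is behind the Command Processor instances (the bdwtxcr.exe and ASGT.exe replies further down). This is an added example written for this page; it is not from the thread, from Malwarebytes, or from any tool named here. It inventories the running cmd.exe and conhost.exe processes with their image path, Authenticode signature and parent process, and reads the Windows Defender DisableAntiSpyware value that Rkill printed. On 64-bit Windows, C:\Windows\SysWOW64\cmd.exe is the legitimate 32-bit Command Processor, so a Microsoft-signed binary at that path is expected; the useful question is which parent keeps launching it. The process names and registry path come from the thread; the function names are my own.

```powershell
# Added example (not from the thread): inventory cmd.exe/conhost.exe instances,
# check their Authenticode signatures and parent processes, and read the
# Windows Defender value Rkill reported. Run from an elevated PowerShell.

function Get-CommandProcessorReport {
    param(
        # Process names to report on; pass others (e.g. 'bdwtxcr.exe') to inspect them the same way.
        [string[]]$Names = @('cmd.exe', 'conhost.exe')
    )
    # Win32_Process exposes ParentProcessId and ExecutablePath, which Get-Process does not.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($proc in ($all | Where-Object { $Names -contains $_.Name })) {
        $parent = $byPid[[int]$proc.ParentProcessId]
        $sig    = $null
        if ($proc.ExecutablePath -and (Test-Path -LiteralPath $proc.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $proc.ExecutablePath
        }
        # 'Valid' with a Microsoft signer is what a genuine Windows binary shows.
        $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
        $signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # A system binary living outside %SystemRoot% is the real red flag, not SysWOW64 itself.
        $outsideWindows = -not ($proc.ExecutablePath -like "$env:SystemRoot\*")
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $parentPath = if ($parent) { $parent.ExecutablePath } else { '' }

        [pscustomobject]@{
            PID         = $proc.ProcessId
            Name        = $proc.Name
            Path        = $proc.ExecutablePath
            SigStatus   = $sigStatus
            Signer      = $signer
            OutsideWin  = $outsideWindows
            CommandLine = $proc.CommandLine
            ParentPID   = $proc.ParentProcessId
            ParentName  = $parentName
            ParentPath  = $parentPath
        }
    }
}

function Get-DefenderDisableState {
    # The key and value Rkill printed in the thread; 'not set' or 0 means Defender is not disabled here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $val = (Get-ItemProperty -Path $key -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware
    $state = if ($null -eq $val) { 'not set' } else { $val }
    [pscustomobject]@{
        Key                = $key
        DisableAntiSpyware = $state
    }
}

# Usage: take a snapshot of the Command Processor instances and the Defender setting.
Get-CommandProcessorReport | Format-Table -AutoSize -Wrap
Get-DefenderDisableState
```

Because the instances in the post live for only a second or two, a single snapshot may miss them; re-run the report a few times, or pass the parent's name to `-Names` once you have it. For a persistent record of short-lived processes and their parents, Windows Security event ID 4688 (process creation) with the "Include command line in process creation events" policy enabled, or Sysmon event ID 1, records every launch so the chain can be read back from the event log later.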


  • Root Admin

The computer does not appear to be infected. It is having a lot of issues, crashes of the video card drivers and application. We'll go ahead and scan the system for any potential malware but this looks to probably be a video card driver issue based on the Event Log entries.


Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, the logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner.

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks


Hi AdvancedSetup. I need to say sorry for this late reply on my topic; this is because I just came home and the Sophos Virus Removal Tool took longer than expected. But so, here are the logs.

Notice!: On April 29, when I was watching YouTube, Bitdefender blocked 2 things that came up completely blank. The only thing Bitdefender says is:

Module: Data Protection:

Traffic type:  

That is the only thing it shows, so that's a bit weird for me.

The next thing is that the above-listed issue, where if I do something on the left screen and then the right screen it seems like I click on the right screen, so Google Chrome on the left acts like I started doing something on the right screen but I don't, has worsened. It does it a lot more and for longer now.

Sophos Virus Removal Tool came out clean!

If I do not respond within 1 hour and 30 minutes, I will sadly be sleeping and will respond tomorrow.

Thanks already for the help!

Alexander ~Thejoindemand

JRT.txt

AdwCleaner[S0].txt

AdwCleaner[C0].txt

FRST.txt

Addition.txt

Edited by Thejoindemand
mistyped some words

  • Root Admin

The logs do not indicate the computer is infected. It would "seem" that the issue is probably due to old or corrupted Nvidia drivers.

Please read the following, and other pages there and see if either this helps or a similar page. Please note that I have not tried this tool or drivers myself and I only found it by searching Google for help with removing and reinstalling Nvidia drivers.

https://forums.geforce.com/default/topic/878345/geforce-experience/-nvidia-driver-and-geforce-experience-errors-try-this-first-ddu-device-driver-uninstaller-03-19-2017/

https://devtalk.nvidia.com/default/topic/1004577/installer-failed-cuda-8-on-win-10-k3100m/?offset=3

Make sure you create a new System Restore Point though before making any changes.

Let me know how it goes.

Thanks

Ron


Hello Ron.

I read the forums and did the following:

Manually made system restore points, removed all Nvidia drivers using DDU, installed Microsoft Visual Studio (for the CUDA Toolkit), installed the CUDA Toolkit, installed Nvidia Nsight HUD Launcher (detects errors and crashes within Nvidia drivers).

What it did: solved the sluggish creating of folders on the desktop (right click for the interface took long; it is fixed).

No more, when doing something on the left screen, that it would seem that I started doing something on the right screen.

Better response from desktop/applications.

Faster reboot time when needing to reboot after an update (took 2-3 mins; I thought it was normal).

These things were solved, but I still have an issue that isn't solved:

Windows Command Processor is still there and uses more CPU power (location: Local Disk (C:)/Windows/SysWOW64). Process analysis shows it is waiting on another process (bdwtxcr.exe) (PID: 2284) thread: - the file is completely unknown.

I also included the Farbar Recovery Scan Tool logs.

Thanks already!

Alexander ~Thejoindemand

 

FRST.txt

Addition.txt


20 minutes ago, Thejoindemand said:


Edit: Java(TM) Platform SE binary has stopped working. This is the new problem that occurred after trying out all my games!

Thanks already!

Alexander ~Thejoindemand

 

FRST.txt

Addition.txt


  • Root Admin

C:\Windows\SysWOW64\ASGT.exe is a valid program from ASUS that allows you to monitor and optimize the settings for your ASUS graphics card.
I've included a script that will stop it from loading for you.

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks


Hello Ron.

I completed the fixlist item with Farbar Recovery Scan Tool and it completed, so I also got the Fixlog done.

1 notice: when I clicked Fix in FRST it just asked to restart the computer, so I did, and upon rebooting it said Scanning and Repairing Drive (C:). I don't know if this is part of the fixlist I needed to do or something else, so I thought I'd say it just in case.

About the article 'Msconfig is not a startup manager': I will look into it deeper and will do some of what is listed there. What I see is that if I open msconfig and go to the Startup section, it says to open Task Manager for management of startup items. However, I will do some of what is listed in the article you mentioned.

About the 'Platform SE binary has stopped working' problem when I started some games: it is fixed after the fixlog I needed to do! So thanks for that.

Thanks already for this huge help!

Alexander ~Thejoindemand

Fixlog.txt


  • Root Admin

Hi Alexander - not much to do with MSCONFIG. That article just discusses it. All you need to do is run MSCONFIG.EXE, click on Normal and reboot.

Yes, I instructed the computer to run the disk check to make sure any disk errors were fixed and not causing an issue.


Hello Ron.

I've done what you instructed me to do, and my computer asked me to reboot and I did.

It now stands on normal boot.

And okay for the disk, I will not worry about it anymore.

Thanks Ron for this amazing help already, you helped me out a lot!

Thanks for the help!

Alexander ~Thejoindemand


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
