Jump to content

CMD window flashing


Recommended Posts

 I think I'm infected or something shady is going on. I also believe whatever it is - its undetected, as MBAM cannot catch it, neither AVG, I will try with Kaspersky  (and maybe Spybot S&D) but I think it wont help... What the problem is: Every time I open up battle.net client (a program similar to steam, but for blizzard games) each time a page opens up in the client itself, a cmd window opens up for a split second. I've disabled the cmd from gpedit.msc so now It's visible every time it opens up with the message "administrator disabled bla bla click to continue" so now at least I've stopped whatever it was doing. When that happens, weirdly enough the page that was trying to load freezes, until I close the cmd/click any key on it to close it.

I've tried disabling all services, I also enabled auditing and saw that battle net helper.exe is the program creating the process. (Wrote that to the blizzard staff, said something else must be causing it). Tested on a friend to see if he has the same problems - nope, no cmd for him. So clearly its something for me only. (I also tried reinstalling the battle.net helper thingy) Oh and not long ago, steam browser when I was surfing or browsing was opening some long links, but their destination was blocked by MBAM (malicious site).

 

Here are the auditing stuff if they help:

 

A new process has been created.

Subject:
	Security ID:		Betrayed-PC\Betrayed
	Account Name:		Betrayed
	Account Domain:		Betrayed-PC
	Logon ID:		0x5d24b

Process Information:
	New Process ID:		0xaa8
	New Process Name:	D:\Program Files (x86)\Blizzard App\Battle.net.9262\Battle.net Helper.exe
	Token Elevation Type:	TokenElevationTypeLimited (3)
	Creator Process ID:	0x99c
	Process Command Line:	

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. 
A new process has been created.

Subject:
	Security ID:		Betrayed-PC\Betrayed
	Account Name:		Betrayed
	Account Domain:		Betrayed-PC
	Logon ID:		0x5d24b

Process Information:
	New Process ID:		0xa54
	New Process Name:	C:\Windows\SysWOW64\cmd.exe
	Token Elevation Type:	TokenElevationTypeLimited (3)
	Creator Process ID:	0xaa8
	Process Command Line:	

virus scan of the battle net helper in question (just in-case you want to see it for yourself): https://virustotal.com/#/file/df6a70209b828418fc446321d54aff8917b49c9438cb5a5e5c94723a6ecd295b/detection

I've scanned FULLY my computer with AVG and MBAM, - no detections. I will do a kaspersky one these days, so I can remove that program from my computer. I have a torrent client, if I need to uninstall it, let me know. (I will not be using it or opening it until we end this if that is what you mean by disabling it. - As there is no startup entry for it)

 

I've also done a power cycle, dns flush, released + renewed my ip.

Addition.txt

FRST.txt

JRT.txt

Edited by SpiritBob
More info
Link to post
Share on other sites

  • Root Admin


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

After the reboot, then locate on your desktop the file MyScheduledTasks.txt and MyConsoleSettings.txt  then attach them back on your next reply and I'll take a look and see what's going on.

Thanks

Ron

 

Link to post
Share on other sites

  • Root Admin

Not seeing anything obvious there in the logs to cause it. Let's try resetting your browsers.

What did you do to disable CMD.EXE ?

 

 

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the  reset_chrome_sync.png "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
    • run_command.png
  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. Example of all files and folders selected, except Bookmarks

chrome_files_folders.png

 

Restart your computer now and make sure there are no longer any redirects or other browser issues. 

 

Link to post
Share on other sites

I'm using none of those. I have Waterfox 64-bit.

In the first post, I pointed out that I disabled CMD using gpedit.msc. In more detail:  User configuration > System > Prevent access to the command prompt > Enabled with disabled script processing ("Yes")

I haven't seen links in a while, cmd is still popping up  in battle.net. I installed https://docs.microsoft.com/en-us/sysinternals/downloads/procmon and am trying to see what exactly it is doing. (Internet explorer is completely disabled from Windows features)

Link to post
Share on other sites

A friend of mine decided to help me with this. I ran 'wmic process where caption=" http://battle.net helper.exe" get commandline' in the cmd which generated the following output: 

"Battle.net Helper.exe" --type=gpu-process --channel="5720.0.1435230791\15139479
06" --no-sandbox --lang=en-US --log-file="C:\Users\Betrayed\AppData\Local\Battle
.net\Logs\libcef-20170906T103904.948051.log" --log-severity=error --product-vers
ion=Battle.net/1.8.6.9262 --supports-dual-gpus=false --gpu-driver-bug-workaround
s=3,11,25,54,64 --gpu-vendor-id=0x10de --gpu-device-id=0x1401 --gpu-driver-vendo
r=NVIDIA --gpu-driver-version=22.21.13.8494 --lang=en-US --log-file="C:\Users\Be
trayed\AppData\Local\Battle.net\Logs\libcef-20170906T103904.948051.log" --log-se
verity=error --product-version=Battle.net/1.8.6.9262 /prefetch:2
"Battle.net Helper.exe" --type=renderer --no-sandbox --lang=en-US --lang=en-US -
-log-file="C:\Users\Betrayed\AppData\Local\Battle.net\Logs\libcef-20170906T10390
4.948051.log" --log-severity=error --product-version=Battle.net/1.8.6.9262 --ena
ble-system-flash --device-scale-factor=1 --num-raster-threads=2 --content-image-
texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,
3553 --video-image-texture-target=3553 --channel="5720.1.332156654\1538357073" /
prefetch:1

It seemed something was wrong, something was being written in a log located in C:\Users\Betrayed\AppData\Local\Battle.net\Logs\libcef-20170906T103904.948051.log In that log, this was found:

 [0906/133912:ERROR:gpu_video_decode_accelerator.cc(375)] HW video decode not available for profile 12 

Can this error message be printed by the cmd? If so, this is why the cmd is opening everytime, with the above error message I believe.

Let me know on your opinion and what I should do next.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.