
Win10 HP laptop extremely slow, unknown command windows on startup


For some time now, my laptop has been running very slow, for no apparent reason. During slowdowns, Task Manager doesn't show inordinately high CPU or network usage usually, but disk often pegs around 100%. The reason I'm suspecting malware is I've noticed that upon restart, about a minute after the desktop loads, there are two command windows that pop up, issue a command, and shut down. I don't recall seeing those until the slowdown occurred, and they may have started after I stupidly clicked on an email attachment that I should have left alone. The windows don't open for long enough for me to scrutinize the command, but I do recall it's a single command with lengthy command line parameters that read like gibberish rather than word-like.

Malwarebytes scans give me a clean bill of health, other programs have likewise not found anything. My main AV software is McAfee (according to the FRST scan, it looks like there may be two copies floating around).

Any suggested actions for cleanup/optimization/threat removal? Any way to find out with which program these command popups are associated?

Thanks!

Rob

Addition_25-03-2019 23.06.28.txt FRST_25-03-2019 23.06.28.txt malwarebytes report 190326.txt


Based on advice I got in a follow-up email to this post (thanks!), I checked my C:\Users\rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder, where indeed I found a suspicious item: a shortcut named Pxoxxoigtw (presumably randomly generated), which points to C:\Users\rob\AppData\Roaming\rKEaIR\WMPDMC.exe (file date 4/11/2018 6:33pm, 1,482 kb). Other files in that folder are UxTheme.dll (632 kb) and n5x2DpBk.xDH (769 kb).


  • Root Admin

Hello @plantrob and welcome

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thank you

Ron


  • Root Admin

The last fix was to clean temp files, rebuild the performance counters, and run a disk check and repair.

Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

Firefox, Chrome, Opera, Safari, Microsoft Edge
AdBlock for Internet Explorer

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

Thank you for choosing Malwarebytes

Ron

Laptop performance has certainly improved - but I still have some sort of malware.

Symptoms are:

- two black command windows flash across screen a minute or two after restarting PC

- shortcut in Startup folder pointing to an exe file in a randomly named subfolder of appdata/roaming

- when I delete that subfolder OR that shortcut, it gets created again - usually quickly, within a minute - as a subfolder with a different name (but the shortcut is always named "Pxoxxoigtw")

- the subfolder contains the exe file (76 kb), which is always named same as a (randomly chosen) legitimate windows executable, along with a dll file (similar naming convention) and an entirely randomly named third file

I thought I outsmarted the scheme by replacing the exe file with some other executable (e.g., notepad.exe), renamed to the filename selected by the malware. Indeed, after restarting, the replacement executable started up, instead of the two command windows. After two more restarts, just to make sure, I removed the shortcut and the folder it pointed to. Half an hour later, the command windows flashed by again, and the shortcut was back in place.

I have no idea what it's doing, but I'm sure it's up to no good, and think it's likely that whatever it's doing was contributing to the gradual slowdown of the laptop. Any ideas on permanently removing it?


Yeah, it found a dll file marked as a trojan in my deleted items folder - it was one of the ones I had deleted in the process I described in the post above. Somehow it didn't find the other ones that were in other folders. But I think I may have fixed the problem now. I tracked down an entry in Task Scheduler (another random-name job) that was set up to execute a file in a \windows\system32\(randomname) folder once an hour - which explains how the blasted items would return mysteriously after some time. Disabled that, as well as (again) the startup item, and knock on wood, it hasn't come back yet.

Thanks again for your help.

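A defender-side triage script for the two persistence points described in the posts above (a Startup-folder shortcut pointing into a random AppData\Roaming subfolder, and a scheduled task in a random System32 subfolder that re-creates it on an interval). This is an added example, not code from the thread or from Malwarebytes; it assumes Windows PowerShell 3+ with the built-in ScheduledTasks module and is run as the affected user. The function names are ours.

```powershell
# Added example (not from this thread): triage the two persistence points described above.
# Assumes Windows PowerShell 3+ (Get-ScheduledTask) and that it runs as the affected user.

$Roaming = [Environment]::GetFolderPath('ApplicationData')   # C:\Users\<user>\AppData\Roaming

# 1. Resolve every .lnk in the per-user and all-users Startup folders and flag
#    targets that live under AppData\Roaming (where the "Pxoxxoigtw" shortcut pointed).
function Get-StartupShortcutTargets {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            [pscustomobject]@{
                Shortcut   = $_.FullName
                Target     = $target
                Suspicious = ($target -like "$Roaming\*")
            }
        }
    }
}

# 2. List scheduled tasks whose action runs from AppData\Roaming or from a subfolder
#    directly under System32 (the "\windows\system32\<random>\" location in the thread),
#    with each trigger's repetition interval (e.g. PT1H) to explain periodic re-creation.
#    Legitimate one-level subfolders (e.g. wbem) will also show up: treat this as a triage list.
function Get-OddScheduledTaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $odd = (($exe -like "$Roaming\*") -or
                    ($exe -match '(?i)\\Windows\\System32\\[^\\]+\\[^\\]+\.exe$'))
            if ($odd) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    State    = $task.State
                    Author   = $task.Author
                    Exe      = $exe
                    Args     = $action.Arguments
                    Interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                }
            }
        }
    }
}

Get-StartupShortcutTargets  | Format-Table -AutoSize
Get-OddScheduledTaskActions | Format-Table -AutoSize
```

Disabling a flagged task (Disable-ScheduledTask) and removing the shortcut together, before the next interval elapses, is what breaks the re-creation loop the poster observed.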

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

