haleem890

pc infected (cmd popups and weird process in task manager)


Thanks for reopening the topic.

I am still getting the cmd pop-ups on startup.

Started my PC yesterday and three cmd windows flashed for a second or two, then gone. Couldn't read anything.

These pop-ups are really bothering me.

How do I figure out what's causing these cmd pop-ups to appear on system startup? They don't appear on every boot, though, just sometimes on starting the PC.

I have clean installed my Windows after formatting the hard drive several times, and each time I got the cmd pop-up. They occur within two or three reboots.

Could these be related to something like a Chrome update or Windows update?

Or is something malicious running on my PC?

My PC was compromised and my credit card was accessed by someone else for unauthorized transactions a while back.

That's why I am worried here.

Please help.

20 hours ago, haleem890 said:

Thanks for reopening the topic.

I am still getting the cmd pop-ups on startup.

Started my PC yesterday and three cmd windows flashed for a second or two, then gone. Couldn't read anything.

These pop-ups are really bothering me.

How do I figure out what's causing these cmd pop-ups to appear on system startup? They don't appear on every boot, though, just sometimes on starting the PC.

I have clean installed my Windows after formatting the hard drive several times, and each time I got the cmd pop-up. They occur within two or three reboots.

Could these be related to something like a Chrome update or Windows update?

Or is something malicious running on my PC?

My PC was compromised and my credit card was accessed by someone else for unauthorized transactions a while back.

That's why I am worried here.

Please help.

 

17 hours ago, nasdaq said:

Haleem890

I'm listening.

nasdaq

Hello, please see my above quoted post.

 


Hi,

Download the AutoRuns program from this link.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Create a folder where you will want this program to run from.
Extract the file to that new created folder.

Depending on your operating system, run the Autoruns.exe (32-bit) or the Autoruns64.exe (64-bit) program.

Click on the Logon menu and, from the menu, save the file as MyAutoruns.txt.

Post the file for my review.
===

--RogueKiller--

  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

Post the logs for my review.

21 hours ago, nasdaq said:

Hi,

Download the AutoRuns program from this link.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Create a folder where you will want this program to run from.
Extract the file to that new created folder.

Depending on your operating system, run the Autoruns.exe (32-bit) or the Autoruns64.exe (64-bit) program.

Click on the Logon menu and, from the menu, save the file as MyAutoruns.txt.

Post the file for my review.
===

--RogueKiller--

  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.

 


=======

Post the logs for my review.

Hello, here are the logs for both.

RogueKiller scan came clean.

 

myautoruns.txt roguereport.txt


Hi,

The OneDrive service is stopped by MSCONFIG.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.

HKLM\...\StartupApproved\Run: => "HotKeysCmds"
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKLM\...\StartupApproved\Run: => "Persistence"
HKLM\...\StartupApproved\Run32: => "vdcss"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07152019144837380\...\StartupApproved\Run: => "OneDrive"


However, these keys are listed as RunOnce.

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Delete Cached Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Uninstall 19.086.0502.0006\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\amd64"

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Uninstall 19.086.0502.0006] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\19.086.0502.0006"

Please execute MSCONFIG and enable the 3 keys for OneDrive.
Restart the computer and find out if the problem persists.
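The RunOnce entries quoted above are the kind of thing that produces a cmd window that flashes and disappears at logon. As an added example (not part of nasdaq's reply, and not a tool he asked for), this read-only PowerShell script lists the Run/RunOnce entries for the current user and the machine, marks which ones launch cmd.exe, and cross-checks them against the StartupApproved keys that MSCONFIG and Task Manager use to record disabled entries:

```powershell
# Added example, not from the forum post. Read-only: it changes nothing.
# Lists autostart commands and flags those that invoke cmd.exe, which is
# what causes a console window to flash briefly at logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$approvedKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32'
)

# StartupApproved values are REG_BINARY blobs; byte 0 is 0x02 for an
# enabled entry and 0x03 for one disabled through MSCONFIG / Task Manager.
$disabled = @{}
foreach ($k in $approvedKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($name in $item.GetValueNames()) {
        $bytes = $item.GetValue($name)
        if ($bytes -is [byte[]] -and $bytes.Length -gt 0 -and $bytes[0] -eq 3) {
            $disabled[$name] = $k
        }
    }
}

$findings = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        [pscustomobject]@{
            Key      = $k
            Name     = $name
            Command  = $cmd
            UsesCmd  = ($cmd -match '(?i)\bcmd(\.exe)?\b')   # cmd.exe launcher?
            Disabled = $disabled.ContainsKey($name)           # switched off in MSCONFIG?
        }
    }
}

$findings | Sort-Object UsesCmd -Descending | Format-Table -AutoSize -Wrap
$findings | Where-Object UsesCmd | ForEach-Object {
    Write-Host "cmd.exe launched at logon by '$($_.Name)' in $($_.Key)" -ForegroundColor Yellow
}
```

Run it before rebooting rather than after the window has already flashed, because RunOnce values are deleted as soon as they have executed; anything that survives a reboot and still points at cmd.exe deserves a closer look in the Autoruns log.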
