haleem890

pc infected (cmd popups and weird process in task manager)

Recommended Posts

Thanks for reopening the topic.

I am still getting the cmd pop-ups on startup.

Started my PC yesterday and three cmd windows flashed for a second or two, then gone. Couldn't read anything.

These pop-ups are really bothering me.

How do I figure out what's causing these cmd pop-ups to appear on system startup? They don't appear on every boot though, just sometimes on starting the PC.

I have clean installed my Windows after formatting the hard drive several times, and each time I got the cmd pop-up. They occur within two or three reboots.

Could these be related to something like a Chrome update or Windows update?

Or is something malicious running on my PC?

My PC was compromised and my credit card was accessed by someone else for unauthorized transactions a while back.

That's why I am worried here.

Please help.

20 hours ago, haleem890 said:

17 hours ago, nasdaq said:

Haleem890

I'm listening.

nasdaq

Hello, please see my above quoted post.

 


Hi,

Download the AutoRuns program from this link.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Create a folder where you will want this program to run from.
Extract the file to that newly created folder.

Depending on your Operating System, run the Autoruns.exe (32 bit) or the Autoruns64.exe (64 bit) program.

Click on the Logon menu and from the menu save the file as MyAutoruns.txt.

Post the file for my review.
===

--RogueKiller--

  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.

=======

Post the logs for my review.

21 hours ago, nasdaq said:

Hello, here are the logs for both.

RogueKiller scan came clean.

 

myautoruns.txt roguereport.txt


Hi,

The OneDrive service is stopped by MSCONFIG.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.

HKLM\...\StartupApproved\Run: => "HotKeysCmds"
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKLM\...\StartupApproved\Run: => "Persistence"
HKLM\...\StartupApproved\Run32: => "vdcss"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07152019144837380\...\StartupApproved\Run: => "OneDrive"


However, these keys are listed as RunOnce.

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Delete Cached Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Uninstall 19.086.0502.0006\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\amd64"

HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Uninstall 19.086.0502.0006] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\19.086.0502.0006"

Please execute MSCONFIG and enable the 3 keys for OneDrive.
Restart the computer and find out if the problem persists.

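The RunOnce entries quoted in the post above are the explanation a responder looks for here: each value launches cmd.exe to delete a cached OneDrive update binary or an old version directory, and because Windows removes a RunOnce value after it executes once, the console windows appear only on the boots that follow a OneDrive update, not on every boot. The script below is an added example, not code from this thread or from FRST, Autoruns or Malwarebytes: it parses FRST-style autostart lines, flags commands that spawn cmd.exe, and separates OneDrive's transient delete/rmdir cleanup from anything else that launches a console and should be reviewed. The sample lines are copied from the post above; the ConstructedExample line and the classification rule (RunOnce, plus a delete verb, plus a target under the OneDrive profile directory) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FRST-style autostart lines copied from the thread above and embedded as an inline fixture.
SAMPLE_LOG = r'''
==================== MSCONFIG/TASK MANAGER disabled items ==
HKLM\...\StartupApproved\Run: => "HotKeysCmds"
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKLM\...\StartupApproved\Run: => "Persistence"
HKLM\...\StartupApproved\Run32: => "vdcss"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07152019144837380\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Delete Cached Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Uninstall 19.086.0502.0006\amd64] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\amd64"
HKU\S-1-5-21-4223906402-2744917651-667962621-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-07142019204005650\...\RunOnce: [Uninstall 19.086.0502.0006] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\3nim3\AppData\Local\Microsoft\OneDrive\19.086.0502.0006"
'''

# Constructed line (not from the thread): a console-spawning RunOnce value whose target is
# outside the OneDrive directory, so the 'review' outcome is exercised.
EXTRA_LINE = r'''
HKCU\...\RunOnce: [ConstructedExample] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\3nim3\AppData\Roaming\leftover.tmp"
'''

RUN_RE = re.compile(
    r'^(?P<hive>HK\w+)\\(?P<path>.*?)\\(?P<key>RunOnce|Run32|Run):\s*'
    r'\[(?P<name>[^\]]+)\]\s*=>\s*(?P<cmd>.+)$')
APPROVED_RE = re.compile(
    r'^(?P<hive>HK\w+)\\(?P<path>.*?)\\StartupApproved\\(?P<key>\w+):\s*=>\s*"(?P<name>[^"]+)"$')

ONEDRIVE_DIR = '\\appdata\\local\\microsoft\\onedrive\\'   # assumed location of OneDrive's per-user install
DELETE_VERBS = {'del', 'erase', 'rmdir', 'rd'}              # cmd built-ins that only remove files/dirs


@dataclass
class AutostartEntry:
    hive: str
    key: str               # Run, Run32 or RunOnce
    name: str
    command: str
    transient: bool        # RunOnce values are deleted by Windows after they execute once
    spawns_console: bool   # the command launches cmd.exe, which is what flashes a window
    verb: Optional[str]    # first word after cmd's /c switch, e.g. del or rmdir
    target: Optional[str]  # first quoted path on the command line


def parse_entries(text: str) -> List[AutostartEntry]:
    """Extract Run/Run32/RunOnce values from FRST-style lines."""
    entries = []
    for raw in text.splitlines():
        m = RUN_RE.match(raw.strip())
        if not m:
            continue
        cmd = m.group('cmd').strip()
        tokens = cmd.split()
        lowered = [t.lower() for t in tokens]
        exe = lowered[0].strip('"')
        spawns_console = exe in ('cmd', 'cmd.exe') or exe.endswith('\\cmd.exe')
        verb = None
        if '/c' in lowered and lowered.index('/c') + 1 < len(lowered):
            verb = lowered[lowered.index('/c') + 1]
        quoted = re.search(r'"([^"]+)"', cmd)
        entries.append(AutostartEntry(
            hive=m.group('hive'), key=m.group('key'), name=m.group('name'), command=cmd,
            transient=m.group('key') == 'RunOnce', spawns_console=spawns_console,
            verb=verb, target=quoted.group(1) if quoted else None))
    return entries


def parse_disabled(text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, key, name) for every StartupApproved entry MSCONFIG/Task Manager disabled."""
    return [(m.group('hive'), m.group('key'), m.group('name'))
            for m in (APPROVED_RE.match(line.strip()) for line in text.splitlines()) if m]


def assess(entry: AutostartEntry) -> str:
    """Classify a console-spawning entry; the OneDrive rule is an assumption for this example."""
    if not entry.spawns_console:
        return 'no-console'
    in_onedrive = entry.target is not None and ONEDRIVE_DIR in entry.target.lower()
    if entry.transient and in_onedrive and entry.verb in DELETE_VERBS:
        return 'onedrive-update-cleanup'
    return 'review'


def summarize(text: str) -> dict:
    """Count entries per assessment and how many OneDrive startup approvals are disabled."""
    counts: dict = {}
    for entry in parse_entries(text):
        label = assess(entry)
        counts[label] = counts.get(label, 0) + 1
    counts['disabled_onedrive_startups'] = sum(
        1 for _, _, name in parse_disabled(text) if name == 'OneDrive')
    return counts


if __name__ == '__main__':
    for e in parse_entries(SAMPLE_LOG + EXTRA_LINE):
        print(f'{assess(e):24} {e.key:8} [{e.name}] -> {e.verb} {e.target}')
    print(summarize(SAMPLE_LOG + EXTRA_LINE))
```

Run against the thread's four lines alone, every entry is classified as OneDrive update cleanup and the three disabled OneDrive startup approvals are counted; the constructed extra line lands in the review bucket because its target is not under the OneDrive directory, which is the case where a responder would want to look at the command rather than attribute it to an updater.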
On 8/18/2019 at 7:49 PM, nasdaq said:

Hi,

The OneDrive service is stopped by MSCONFIG

 

Hello, sorry for the late reply.

Is OneDrive causing those cmd pop-ups?

I don't use OneDrive, it's installed by default. Should I just disable it from system startup?

2 hours ago, nasdaq said:

haleem890 I'm listening.

Is OneDrive causing those cmd pop-ups?

I don't use OneDrive, it's installed by default. Should I just disable it from system startup?


Hi,

Let's stop OneDrive for now.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists and Chrome is synced with other devices, check this out.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Execute the suggested fix.

Restart the computer normally.
===========

Please post the Fixlog.txt and let me know if the problem is solved.

fixlist.txt

22 hours ago, nasdaq said:

Here is the Fixlog.

Fixlog.txt

On 8/25/2019 at 7:23 PM, nasdaq said:

Is your problem solved?

Hi, sorry for the late reply.

I am still not sure what caused the pop-ups or whether there is any infection still on my PC.


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
