I suspect my Pc is infected: random cmd screen popping


Greetings,

Could you please clarify if this started after installing Autodesk?

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
    Start::
    CreateRestorePoint:
    ExportKey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    ExportKey: HKLM\SOFTWARE\Policies\Google
    Task: {AD739F7D-7724-4EE3-8710-822D5BE6325D} - System32\Tasks\Microsoft\Office\Office Serviceability Manager => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\officesvcmgr.exe  /checkin (No File)
    Task: {1A0ADBD1-0C64-469F-9500-464FFB9B61A7} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    Task: {407FF390-2B3D-4145-86D4-849FAB947DBB} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
    Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
    Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
    Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
    Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
    File: C:\WINDOWS\system32\drivers\dfx11_1x64.sys
    CMD: type C:\Users\Nicolás\AppData\Local\r18fpz9gq0
    2017-12-16 00:54 - 2017-12-16 00:54 - 000000052 _____ () C:\Users\Nicolás\AppData\Local\r18fpz9gq0
    AlternateDataStreams: C:\Users\Nicolás\Application Data:00e481b5e22dbe1f649fcddd505d3eb7 [394]
    AlternateDataStreams: C:\Users\Nicolás\AppData\Roaming:00e481b5e22dbe1f649fcddd505d3eb7 [394]
    AlternateDataStreams: C:\Users\Public\AppData:CSM [472]
    FirewallRules: [{0A519432-22C6-4225-831C-6476B5DFB199}] => (Allow) D:\Games Location\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
    FirewallRules: [{3C347766-F288-498E-BC88-97C45BC21810}] => (Allow) D:\Games Location\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe => No File
    FirewallRules: [UDP Query User{976EE374-266B-482D-9E2C-B5717AC2CCD3}D:\games location\black mesa\bms.exe] => (Allow) D:\games location\black mesa\bms.exe => No File
    FirewallRules: [TCP Query User{9DCDDBF1-A0B7-48C2-B193-5BBE34C77756}D:\games location\black mesa\bms.exe] => (Allow) D:\games location\black mesa\bms.exe => No File
    FirewallRules: [UDP Query User{ABE97CF6-0557-4B8A-A24A-B79362D26E9D}D:\games location\subnautica.v58064\subnautica.exe] => (Allow) D:\games location\subnautica.v58064\subnautica.exe => No File
    FirewallRules: [TCP Query User{879BE949-3A80-4D87-95B7-CED5240BB572}D:\games location\subnautica.v58064\subnautica.exe] => (Allow) D:\games location\subnautica.v58064\subnautica.exe => No File
    FirewallRules: [UDP Query User{67E9AD75-12CC-4DD6-81CB-DDE5AD088B62}D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
    FirewallRules: [TCP Query User{E617877B-E9EC-48CD-B660-6C8063DF46A7}D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe] => (Allow) D:\games location\fortnite\fortnitegame\binaries\win64\fortniteclient-win64-shipping.exe => No File
    BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
    End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
Edited by SQx

Hello nicotela94,

Please let me know if you are still experiencing the mentioned issue.

Thanks.


Also, it looks like the scheduled task related to Autodesk is part of the crack, according to the following discussion in the Autodesk forum: https://forums.autodesk.com/t5/installation-licensing/service-vbs-script-issue/td-p/10614551

Please read about Piracy on the forum.

We do not recommend installing or using any pirated programs (cracks, keygens, etc.).
Please remove the pirated programs (like Autodesk, and so on); otherwise our help will be useless.

I found this task in your logs, related to Autodesk (part of the crack), which can pop up a cmd window:

Task: {3E970D85-A300-48AB-84B6-A346ED80D134} - System32\Tasks\Microsoft\Windows\Autodesk\Autodesk => C:\Windows\system32\wscript.exe [170496 2021-09-16] (Microsoft Windows -> Microsoft Corporation) -> "%CommonProgramFiles(x86)%\Autodesk Shared\Network License Manager\Service.vbs" "%CommonProgramFiles(x86)%\Autodesk Shared\Network License Manager\Service.bat"

Please let me know if you need help removing the scheduled task mentioned above.


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks


Hello nicotela94,

Could you please provide a new FRST log? I would like to make sure nothing has changed.


Hello,

Please do the following to run a FRST fix that will disable the scheduled task (related to Autodesk).

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
    Start::
    CreateRestorePoint:
    HKLM-x32\...\Run: [TeamsMachineUninstallerProgramData] => %ProgramData%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (No File)
    HKU\S-1-5-21-1913691612-628984878-397764100-1001\...\Run: [CiscoMeetingDaemon] => "C:\Program Files (x86)\Webex\CiscoWebExStart.exe" /daemon /from=autorun (No File)
    CMD: type C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.vbs
    CMD: type C:\Program Files (x86)\Common Files\Autodesk Shared\Network License Manager\Service.bat
    CMD: schtasks /Change /TN "System32\Tasks\Microsoft\Windows\Autodesk\Autodesk" /Disable
    End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

Please let me know if this solved the issue.
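The two FRST fixes in this thread both turn on scheduled-task entries: the first lists orphaned tasks pointing at files that no longer exist, and the second disables a task that launches wscript.exe against a Service.vbs under Common Files. The following PowerShell is an added example for readers auditing their own machine; it is not code from the thread, from the helpers, or from FRST. It walks every scheduled task, keeps those whose action is a script host or shell (wscript, cscript, cmd, powershell, mshta), expands environment variables in the arguments the way Task Scheduler would, and reports which referenced script files are missing on disk, which is the "No File" condition FRST flags. It assumes a Windows host with the built-in ScheduledTasks module (Windows 8 / Server 2012 or later); the task path in the final commented line is taken from the thread's schtasks line.

```powershell
# Added example: enumerate scheduled tasks whose action runs a script host or shell,
# and check whether the script files they reference still exist on disk.
# Assumes the built-in ScheduledTasks module (Get-ScheduledTask / Disable-ScheduledTask).

$launchers = @('wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe', 'mshta.exe')

function Get-ScriptHostTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler and e-mail actions carry no Execute property; skip them
            if (-not $action.Execute) { continue }

            # Expand %CommonProgramFiles(x86)% and friends so the path can be tested on disk
            $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $name = [IO.Path]::GetFileName($exe).ToLowerInvariant()
            if ($launchers -notcontains $name) { continue }

            $argString = [Environment]::ExpandEnvironmentVariables([string]$action.Arguments)

            # Pull quoted paths, or bare tokens with a script extension, out of the argument string
            $paths = [regex]::Matches($argString, '"([^"]+)"|(\S+\.(vbs|bat|cmd|ps1|js|hta))') |
                     ForEach-Object { if ($_.Groups[1].Value) { $_.Groups[1].Value } else { $_.Value } }

            [pscustomobject]@{
                TaskPath       = $task.TaskPath
                TaskName       = $task.TaskName
                State          = $task.State
                Author         = $task.Author
                Launcher       = $name
                Arguments      = $argString
                # Scripts the task points at that are no longer on disk (FRST's "No File")
                MissingScripts = @($paths | Where-Object { -not (Test-Path -LiteralPath $_) })
            }
        }
    }
}

# Review the output before acting on it. A task whose script lives outside the vendor's
# normal install tree, has no Author, or references a missing file deserves a closer look.
Get-ScriptHostTask | Format-List

# Disabling one task once it has been judged unwanted. This is the module equivalent of the
# "schtasks /Change /TN ... /Disable" line in the fix above; the path is the one from the thread
# (the schtasks TN "System32\Tasks\Microsoft\Windows\Autodesk\Autodesk" maps to TaskPath + TaskName).
# Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Autodesk\' -TaskName 'Autodesk'
```

Run it from an elevated PowerShell session, since tasks registered under other users or under SYSTEM are only visible with administrator rights. Disabling rather than deleting matches what the helper did in the thread: the task definition stays available for inspection and can be re-enabled if a legitimate product turns out to depend on it.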