
Command Prompt Popping Up



#1 Ghoulio

Ghoulio

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 11:03 AM

A few days ago I attempted to download a freeware program. I don't remember the site it was on. As I was installing it, it was taking a long time and I got suspicious, so I stopped it. My suspicions were correct. There were a bunch of new programs installed on my computer. Because of the number of programs I decided to do a system restore. That got a lot of the junk off my computer. I then ran a full scan with Windows Defender and it found a trojan, which I removed. I then ran a Malwarebytes Premium scan and it found a bunch of stuff, which I removed. I think most of the bad stuff has been removed but I am still having one issue. Every hour or so two command prompt windows will pop up one after the other for less than a second. It happens so fast that I am unable to get a screenshot of it or see if anything comes up in Task Manager when it happens. I did manage to see something one time when it popped up; it said bitsadmn.exe. I searched for that on Google and found that it is a Windows process but the file could be infected, so I searched my computer for that file but it's not on my computer. I am thinking that it could be something trying to update some of those programs that were installed, but I am not sure and I still want to get rid of it, because if it happens while I am playing a game it causes the game to minimize for several seconds and puts it in windowed mode. I am running Windows 10 Version 10.0.14393 Build 14393 on a Lenovo Z70 laptop. This is kind of embarrassing for me because I am currently studying for my A+ certification and I can't figure this out. I appreciate any help you folks can give me.




 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:39 PM

Posted 07 November 2016 - 12:15 PM

Hi, you may still have a bit of junk, or a file may have been broken during the install. Run these next and see.

AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of each logfile is saved in the C:\AdwCleaner folder, which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Now run SFC /Scannow (System File Checker) to Repair System Files.

Open the Command Prompt with Admin rights.
Right-click the Start button and select Command Prompt (Admin).
Type or copy/paste the following command into the Command Prompt window and press Enter to run a full system scan:
sfc /scannow
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 12:30 PM

Thanks for the quick response
 
AdwCleaner log file:
 
 
File Found:  C:\Users\joeel\AppData\Local\Microsoft\Internet Explorer\DOMStore\A2NE05MI\mytransitguide.dl.myway[1].xml
File Found:  C:\Users\joeel\AppData\Local\Microsoft\Internet Explorer\DOMStore\386HSAEO\www.mytransitguide[1].xml
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
Shortcut infected:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk ( "hxxp://trustedsurf.com/?ssid=1458667475&a=1040860&src=sh&uuid=b6bbcf5b-8019-4159-8816-13caf01bf779" )
Shortcut infected:  C:\Users\joeel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk ( "hxxp://trustedsurf.com/?ssid=1458667475&a=1040860&src=sh&uuid=b6bbcf5b-8019-4159-8816-13caf01b
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found:  HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK
Key Found:  [x64] HKLM\SOFTWARE\Classes\OCComSDK.ComSDK.1
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
Key Found:  HKU\S-1-5-21-2319018412-550598636-103372762-1001\Software\Microsoft\Tinstalls
Key Found:  HKCU\Software\Microsoft\Tinstalls
Key Found:  HKLM\SOFTWARE\SprgFiles
Key Found:  HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
Key Found:  [x64] HKCU\Software\Microsoft\Tinstalls
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
Key Found:  HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Key Found:  HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Data Found:  HKU\S-1-5-21-2319018412-550598636-103372762-1001\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages] - hxxp://mystart.lenovo.com
Data Found:  HKU\S-1-5-21-2319018412-550598636-103372762-1001\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - hxxp://mystart.lenovo.com
Data Found:  HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages] - hxxp://mystart.lenovo.com
Data Found:  HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - hxxp://mystart.lenovo.com
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages] - hxxp://mystart.lenovo.com
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - hxxp://mystart.lenovo.com
Value Found:  HKU\S-1-5-21-2319018412-550598636-103372762-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Itibiti.exe]
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\joeel\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - jlcgehabolcakkjhgmgpkagpolbjlhfa
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [4655 Bytes] - [07/11/2016 12:23:54]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4728 Bytes] ##########
 
 
Running Junkware Removal Tool now


#4 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 12:31 PM

Should I click clean button on AdwCleaner?



#5 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 12:34 PM

When I try to run Junkware Removal Tool it says "This app can't run on your PC. To find a version for your PC, check with the software publisher."



#6 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 12:38 PM

When I right-click JRT.exe and select Properties it says the file is 0 KB.



#7 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 12:42 PM

I just downloaded it from Malwarebytes website. Running it now.



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:39 PM

Posted 07 November 2016 - 12:46 PM

Ok good with JRT. Yes clean ADWCleaner.

Edited by boopme, 07 November 2016 - 01:31 PM.


#9 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 07 November 2016 - 12:48 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 10 Home x64 
Ran by joeel (Administrator) on Mon 11/07/2016 at 12:38:09.68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\Users\joeel\Appdata\LocalLow\company (Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/07/2016 at 12:44:13.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Now running System File Checker


#10 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 09 November 2016 - 01:20 AM

Sorry it's been so long since I've updated this. I've been very busy. The system file checker didn't show anything wrong. The pop-up is still happening. I don't understand why defender or Malwarebytes premium isn't catching it. I'm terrified that I'm going to have to reformat and reinstall Windows. That would suck as I would have about 100 GB of games to download on a 1.5 MB connection that doesn't break 256 KB. I am sure my ISP is throttling my connection because the only time I get near 1.5 MB speeds is when I run a test.



#11 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 09 November 2016 - 01:24 AM

I just had an idea. I am downloading a screen recorder and I will post an image of the command prompt window next time it happens.



#12 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 09 November 2016 - 02:13 AM

Ha, got it.

 

cpw1.jpg

 

cpw2.jpg



#13 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 09 November 2016 - 02:27 AM

Should I simply delete the cmd.exe file? I'm assuming it is not a valid Windows file. That file is 228kb.



#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:39 PM

Posted 09 November 2016 - 11:04 AM

It is a Windows file
https://msdn.microsoft.com/en-us/library/windows/desktop/aa362813(v=vs.85).aspx

Ask in WIN10 as they'll know the best treatment to replace or remove it.

#15 Ghoulio

Ghoulio
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  

Posted 11 November 2016 - 05:18 PM

OK, I finally got the window to stop popping up. I am posting what worked for me but I'm not sure this would fix it for everyone who encounters this problem and I would start your own thread to make sure people who know more about this than me think it's a good idea for you to do this. I did some more searching and found a thread on a forum at http://www.tenforums.com/antivirus-firewalls-system-security/51063-bitsadmin-pops-up-randomly-immediately-disappears.html. On the second page of that thread they suggest clicking start - typing powershell - right clicking it - running it as administrator. Then copy and paste the following code in there:
 
Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName
 
This should give you a list of "what is downloading from where". My results were different from what his were but I had a few entries although I can't remember what they were now. They then suggest he enter the following in powershell to "get rid of the (non-Windows update downloads)":
 
Get-BitsTransfer -AllUsers | Remove-BitsTransfer
 
I did the same and I have not had the pop up for several days now. As I said before, if you are having the same problem I would start your own thread and ask if this is what you should do. Thanks for all the help and I hope this helps someone else.
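
The final command in the post above removes every BITS job on the machine without keeping a record of what they were. The script below is an added example, not part of the original post or the linked thread: it saves an inventory of all jobs first and then removes only the ones selected by JobId. The output filename and the placeholder JobId are assumptions, and the NotifyCmdLine column is only filled in on Windows builds where the BitsTransfer module exposes that property.

```powershell
# Added example: record BITS jobs before removing anything.
# Run from an elevated PowerShell prompt; -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Hypothetical output location for the saved inventory.
$evidence = Join-Path $env:USERPROFILE 'Desktop\bits-jobs.csv'

$report = foreach ($job in Get-BitsTransfer -AllUsers) {
    # A job can exist with no files queued; still emit one row for it.
    $files = @($job.FileList)
    if ($files.Count -eq 0) { $files = @($null) }

    foreach ($file in $files) {
        [pscustomobject]@{
            JobId         = $job.JobId
            DisplayName   = $job.DisplayName
            Owner         = $job.OwnerAccount
            State         = $job.JobState
            Created       = $job.CreationTime
            RemoteName    = $file.RemoteName   # where it downloads from
            LocalName     = $file.LocalName    # where it writes to
            # Assumption: blank on builds that do not expose this property.
            NotifyCmdLine = ($job.NotifyCmdLine -join ' ')
        }
    }
}

# Keep a copy for later review, then show it on screen.
$report | Export-Csv -Path $evidence -NoTypeInformation
$report | Format-List

# After reviewing the report, list only the JobIds to remove.
# The GUID below is a placeholder, not a value from this thread.
$jobIdsToRemove = @('00000000-0000-0000-0000-000000000000')

Get-BitsTransfer -AllUsers |
    Where-Object { $jobIdsToRemove -contains $_.JobId.ToString() } |
    Remove-BitsTransfer -WhatIf   # drop -WhatIf once the preview shows the right jobs
```

The saved CSV keeps the owner account, remote URL and local path of each job, which is the information lost when all jobs are removed in one step.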




