Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Command Processor extracted package, PC appears normal


  • This topic is locked This topic is locked
3 replies to this topic

#1 HrFrosk

HrFrosk

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:24 PM

Posted 02 September 2017 - 04:01 AM

I have a Lenovo Ideapad Yoga 2 Pro running Windows 10 Home version 1703.

Two nights ago I was in Android Studio when it started reporting errors saving a Java file. It created a temporary Java file, and when I restarted it, it appeared as if my workspace.xml file (part of the configurations) had been altered, and I had to regenerate it. I was not allowed to delete the temporary Java files, even when I opened file manager with administrator access. While trying to delete the file, I opened a power shell window, and decided to do the pending android studio updates. I let the computer do the updates over night, but I had to start the Intel Haxm Accelerator update the morning after. A couple of moments later Windows Command Processor asked to make changes to the computer. In this context there often appear such requests so I accepted it almost as a habit. It then extracted a package in about a second. This triggered an alarm in me, and I googled "Windows Command Processor" to find it being associated with viruses. I immediately ended the respective task in task manager. After a bit more reading I decided to turn off Wi-Fi as a precautionary measure. I did a full windows defender scan and as well as an offline scan. These returned no threats (and the full scan ran for many hours). Doing some more googling I didn't find any of the other symptoms others had mentioned such as the process running on startup, it imitating windows notifications or asking me to download other software. The computer has in fact been behaving normally. Except this morning the login screen went through some cycles of login screen -> grey screen - > white screen -> login screen. I would be somewhat hesitant to draw conclusions from the correlation between the Android Studio / login screen behavior and Windows Command Processor as sometimes abnormal things just happen, but I thought I should include it anyways.

I don't have any antivirus installed except for Windows Defender, but I do take security seriously, and check essentially all installs with virustotal.com. The only recent installs include Grammarly for Office (same day), LastPass, Google Backup and Sync and Origin (with SimCity 4) (all about a week or older). I technically didn't check these with virustotal.com as I trusted the sources. In addition I have been installing MiKTeX packages, but none on the day of the issue.

I have access to other computers so that I can install other antivirus scanners without turning on wifi, but googling similar issues have suggested that none of these checks have returned any threats. This googling has also returned various suggestions of what this possibly could be. All the way from rootkit to that it is just trying to make me install other other software. Am I infected? What should I do?

Despite what it may appear as, I am not particularly tech savvy, and don't really know what I'm doing, but I am very willing to learn.

All help is appreciated.

Edit:
I have also had Git installed for my Android Studio Project but can't remember having linked Git to this Android Studio project, but gut was suddenly connected when I reopened it. Also, the temporary file was now deleted.

Edit 2:
Also,I have no application called Windows Command Processor in programs and features installed, as others have reported.

Edit 3:
I guess my real question really is if I am safe if I don't give it priveliges again and as I stopped the process very early?

Edited by HrFrosk, 02 September 2017 - 09:43 AM.


BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • BC Advisor
  • 12,911 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:24 PM

Posted 02 September 2017 - 08:08 PM

Welcome to BC...

 

I think it best for you to start a new topic in the malware removal forum. Follow the directions below for doing that.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 HrFrosk

HrFrosk
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:24 PM

Posted 03 September 2017 - 04:23 AM

Ok, thanks for the reply BC Advisor: https://www.bleepingcomputer.com/forums/t/656073/windows-command-processor-extracted-package-stopped-the-process-am-i-safe/



#4 hamluis

hamluis

    Moderator


  • Moderator
  • 55,263 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:24 PM

Posted 03 September 2017 - 04:32 AM

New topic at MRL forum, https://www.bleepingcomputer.com/forums/t/656072/windows-command-processor-extracted-package-stopped-the-process-am-i-safe/ .

 

Now that you have properly posted a topic in the Malware Removal Logs forum, this Am I Infected topic is now closed to avoid confusion.

 

Thanks :).

 

Louis






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users