
Command Box Comes Up At Random


4 replies to this topic

#1 johnkromka

johnkromka

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 06 September 2017 - 01:33 AM

Not sure where to post this, but I have done some preliminary research on this problem, and some say it may be a malware problem.  Here is what is happening:

On my wife's notebook (HP 2000) she has been experiencing a strange thing over the last month or so. The command box will pop up seemingly whenever it wants (we have kept a record of the times, but no apparent pattern), stay there for no more than 1-2 seconds, then disappear. She is trying to get a print screen, because there is something written in there which I am sure might reveal why the box keeps coming up. However, it is up for such a short time we can't tell what's written in there (not much). One thing we are worried about is that someone said this could be a hacker trying to attempt to connect to our computer. Another said it could be due to some kind of malware causing this. Another said check the Task Scheduler. We went to Microsoft with it and they did a Remote Access, but because they cannot actually see what we are talking about they admitted they are limited in what they can do and as to what is causing it. They did change some setting on command prompt (cannot remember exactly what) and said this might work. It didn't. Then they recommended a drastic move, an upgrade of Windows 10. So we just finished that. Still comes up. Haven't gone back to Microsoft, thought would post in forum for ideas as to what this is, what might be the cause, and what we can do to try and stop it. It is just an annoyance, but it also could be something serious, like the hacker trying to connect thing (although the guy said this was "unlikely"). Bottom line, it is not normal and we don't really want to bring it to the shop unless we have to. We want it to stop, so any ideas or suggestions would be most appreciated. Thanks.

 




 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:47 PM

Posted 06 September 2017 - 03:42 PM

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
  • List Restore Points

Click Go and post the result.

Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.


Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double-click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"


NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right-click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create a new reply. I'll not get any email notifications about edits so I won't know you posted something new.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 johnkromka

johnkromka
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 11 September 2017 - 12:17 AM

I will run the scans shortly but a lot has happened since my initial post and should be included as I believe the more information you have the better you will be able to possibly help me:

I am now POSITIVE my machine has been hacked! Much more insanity has happened to my machine other than the command prompt box coming up. I will outline what has happened since my post and you decide, but I don't think any rational thinking person would disagree with me after you hear this evidence:
1) I was just browsing my Hotmail (Outlook) tonight and was floored to see 7 messages in my Drafts folder. I knew that was too many so I opened it up. 3 were written by me, but the last four were written by "somebody else", all 4 at exactly the same time, 8:37pm. 3 of the 4 simply had Draft written in red print, followed by the time (all 8:37). There was no text message for all 4, but 3 said "Sent From Mail For Windows 10". The most telling one was one. It was sent to a ron_barkay@walla.co.il. I investigated this. I found out that .il is a domain from Israel, and that "walla" is a company in Israel, providing news and other services. I also checked "ron barkay" and all I could come up with was a ron barkay on Facebook, and guess where he's located? You're right....Israel. I googled walla a few times and found it associated with scam activities. I DID NOT WRITE ANY OF THESE EMAILS!! So how can I not be hacked from someone who has gotten control of my computer?? It HAS to be. And you haven't even heard the half of it yet. Before I continue, let me say that I hooked up another notebook a couple of days ago, to rule out that it was the computer (or not). Well, we are experiencing the same troubles on TWO DIFFERENT COMPUTERS connected to the same router. No wifi, Ethernet connected. Plus the second computer just connected was a clean install to Windows 10, nothing on it.
These are all of the events that have happened on the two computers that I have recorded:
1) Command Prompt box comes up randomly and for one second on BOTH computers. We cannot get a print screen, but are trying so hard, but it goes by so fast. There IS writing, but we can't make it out, except we did catch the word "error" several times when it popped up, but we cannot make out anything else.
2) Malwarebytes Problem: On Sept. 4, I decided to run a scan. However, I got a message stating "could not connect to the service". So the first thing I decided to check out was Services. I found Malwarebytes and it was set to disabled and stopped. I set it to automatic and start and it started running normally again. I could not understand why it had been set to disabled and stopped, but gave it no further thought. Until Sept. 8. I noticed the Malwarebytes icon was gone from my desktop! Greatly disturbed by this, I investigated. I first checked to see if it was on my system somewhere, so I did a systemwide search. Yes, I found files, but when I clicked on ones that said application, it would not load, none of them. I looked in the add/remove programs list, and it was there. So I was confused. It wasn't uninstalled, yet it wasn't working. I got Microsoft online and they did a remote session with me to investigate. They looked at the files and some other things and came to the conclusion my Malwarebytes was "corrupted". I said how, they would not offer any theories. I said what do we do now? They advised the best thing would be to uninstall it, and re-install it. I agreed, but was worried as I had the premium version of Malwarebytes and was worried the reinstalled app might not take the license codes. But they said it "should", so I reluctantly went ahead with their suggestion. First they tried to uninstall it from the add/remove programs list, but got an error message which prevented them from uninstalling it. So the tech downloaded a 3rd party uninstaller, Revo Plus. Same thing even with that so-called superior uninstaller, error messages all over the place, bottom line would not uninstall. The tech said it appeared the "corruption was preventing the uninstall". I asked what to do now, and they did not know. I asked for a high level tech, but they said none was available, so I just signed out in disgust.
This is getting long and I don't want to get cut off and have MUCH more I NEED to tell you for you all to get an accurate picture of what is going on here, so I will continue my post after this in a new post.



#4 johnkromka

johnkromka
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:47 PM

Posted 11 September 2017 - 12:20 AM

Continuing from previous post...
3) I use Kaspersky Total Security and also bought the VPN that goes with it called Secure Connection. On Sept. 3 I started my Kaspersky as usual, and the Total Security loaded okay, but I had a problem with the Secure Connection. It said "error loading Kaspersky Secure Connection". So we contacted support on the phone and they recommended we uninstall both and reinstall and assured us the license codes we had purchased would work. So that is what I did. Uninstalled both, re-installed both, put in the licenses, and everything back to normal. Secure Connection now working. Sept. 9 - Turned on Kaspersky and once again, like last time, Total Security loaded fine, but got the same error message on the Secure Connection....it would not load. This time the tech said he was going to send us a diagnostic tool to run to check out our system and then send it back to them to analyze and see what may be happening. So we ran the tool and sent it back last night and are waiting to hear from them. I was so disgusted that, like Malwarebytes, I was suddenly having these problems. It seemed too coincidental to me. I was definitely thinking hacker at this point, because a hacker would not want things like Malwarebytes Premium or the Kaspersky VPN Secure Connection to be in working order to make it harder to catch him. All of my other apps are working (I checked everything else out).
4) "Your Hotmail settings are out of date" - we have been getting this message the past few days. At first that didn't make any sense to me, but then I googled it, and saw others had this come up, as well. So maybe it was legitimate. I found a fix for it and when it popped up, I applied the fix and all appears to be fine now. I only bring this up because of the very suspicious activity I reported earlier in my Drafts folder of Hotmail. There might be a connection. Worth mentioning.
5) Mouse - At times, moves by itself. Other times, moves sluggishly or not at all. Other times, it is like we are "fighting" with someone for use of it. Very weird.
6) Shutdown of Computer - could not shut it down normally. Nothing happened. So had to shut it down manually. This has only happened once.
7) A blue screen - covered the entire desktop (no, this is not the blue screen of death, I've seen that before). It just appeared out of nowhere and it said "you have errors"...correcting them, and it started some activity. No way to stop it, so decided had to turn off computer.
8) Box came up and I couldn't catch all of it, was so fast. Said something like "if you trust this device..." followed by some options to do. This is not normal.
9) Site in history we DID NOT go to - lockerdome.com/referral_redirected?cid=98, when put mouse over it there was a huge box full of numbers and letters.
10) Box comes up and said "this page has malicious malware" with sound (This was on the computer we just connected which has no Kaspersky on it yet), so don't know why a warning like that would come up.
11) "Webcam access blocked" - this has come up on Kaspersky a few times in the past week
12) Clock/calendar popped up once on its own

I may have forgotten a couple of things. But you can see this computer is all messed up. I DO NOT believe it is malware infected, due to the things I have described on the list, especially those draft emails. I understand what you want me to read and do, but I felt it was necessary to list all of this additional information to give you the full picture of what is happening, and can therefore give me an informed reply on what you think is going on and recommend I do in response to all of this.

What we have done so far in response:
1) Did the upgrade on Windows 10 on Sept. 6. The tech told us this would solve the corruption. They were obviously wrong, and I am losing faith in Microsoft and their knowledge of computer problems.
2) Ran autoruns. However, when I saved the file and opened it, it said "the file is corrupted". That must show you how bad my situation is if the scan by autoruns became corrupted somehow.
3) Unticked the box in security where it says allow remote assistance, and in the firewall as well. But we just did that a few hours ago and since we did that, nothing has changed, but we felt it might help. It did not.
4) Ran Tweaking.com Windows Repair - it found a lot of stuff, but proved useless with all of these problems.
5) Turned off command prompt, yet it still comes up

Now I am no geek, but this is my opinion of what has happened. My computer has been hacked. The Israeli email suddenly appearing in my email Drafts folder is proof of that. There is someone, or some entity that has somehow gotten onto my computer (actually not computer...through the internet connection), because I said BOTH computers are all messed up, so don't tell me it is a computer issue. Both computers are equally messed up, and as I said the second one was just connected a few days ago, and was a clean install of windows 10, not used. So how do we stop this insanity?? I called Microsoft and all they can tell me is to do a clean install again. No I will not, you idiots, that will NOT SOLVE THIS PROBLEM! Why can't they see that?? And what responsibility, if any, does my ISP have in this matter? Probably nothing...something in the fine print saying we are not responsible for hacker activity, etc., but I am still going to call them about it to see if others are having similar problems and can they help in any way. I could change internet service providers, but would that even stop this, I don't know. And then there is my local computer shop, which I haven't called yet. But I am hoping some of you fellas can help me out of this extremely discouraging, depressing situation. In all my years computing, I have NEVER remotely experienced anything like this. I WANT MY COMPUTER BACK!!!! Thank you!



#5 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,738 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:47 PM

Posted 11 September 2017 - 08:09 PM

I can't really comment without seeing logs I asked for.



 




