Windows 7 Forums


Windows 7: Internet Connection Sharing cmd window pops up at startup


16 May 2013   #11

Windows 7 Ult, Windows 8.1 Pro,
 
 

Quote: Originally Posted by Wdingdong
Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but since a couple of weeks it's happening continuously.

Following window appears on the startup and displays some command automatically.


Any idea what's happening?
Try this:

Open an elevated command prompt then Type netsh winsock reset then click ok. Restart machine.

You should also have the option of using system restore to take your system back to a point in time before the problem occurred.

System Restore


17 May 2013   #12

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Wdingdong
Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but since a couple of weeks it's happening continuously.

Following window appears on the startup and displays some command automatically.


Any idea what's happening?
As Sub Styler mentioned:
It looks like some file is attempting to start the Internet Connection Sharing service.

Since you have that service disabled, it displays the first line that you see in the cmd prompt screenshot. We will not know what the next few lines attempt to do until you locate the file like Kaktussoft suggested.

After those "Access is Denied" lines, the file attempts to open an FTP session with a server that seems to be located in China to download a file named 1.exe to your computer. That is the scary part that I've not seen anyone mention.

Once you locate the file, you might try Autoruns to see what is launching it. Maybe it is a scheduled task or maybe the file is started another way. If you set the filters in Autoruns to look like this...
[Attached image: autoruns.png]
...then you might be amazed at how many places there are to start a file from.

(Use Options > Filter Options... to get to the screen shown above.)


17 May 2013   #13

Windows 7 Ultimate x64
 
 

Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.


17 May 2013   #14

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Sub Styler
Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.
I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

Again, don't try this at home (or at work :-)
17 May 2013   #15

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by UsernameIssues
I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

Again, don't try this at home (or at work :-)
Lol I didn't sam spade it

un and pwd appear to be 123 123
17 May 2013   #16

Windows 7 32 bit
 
 

Quote: Originally Posted by Kaktussoft
Same problem in clean startup? Revert to normal boot after testing!
Hey, I did the clean startup like you said and the cmd window didn't appear! I think some startup program is attempting to do that.

Quote: Originally Posted by Kaktussoft
A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it
I followed your steps. I've attached the FileFound_C.txt.

Quote: Originally Posted by chev65
Open an elevated command prompt then Type netsh winsock reset then click ok. Restart machine.
Hey, I tried that but it didn't work.

Quote: Originally Posted by chev65
You should also have the option of using system restore to take your system back to a point in time before the problem occurred.

System Restore
I didn't do that because I would lose programs I've installed recently.

@UsernameIssues: I'll tell you exactly what happened (I don't know how I forgot to mention this).
Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

Thanks everyone for your help


Attached Files
File Type: txt FilesFound_C.txt (20.2 KB, 4 views)
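The kind of search described in the quoted instructions (every txt, vbs, cmd and bat file that contains a given string), as an added example; it is not the script used in this thread. It also matches UTF-16 encoded files, which a plain byte search for the ASCII string misses; the size limit, function names and sample files are assumptions constructed for the example.

```python
import os
import tempfile
from datetime import datetime

SCRIPT_EXTS = {".txt", ".vbs", ".cmd", ".bat"}  # file types named in the thread
MAX_BYTES = 5 * 1024 * 1024                     # assumption: skip files over 5 MB

def needles(indicator):
    """Byte patterns for the indicator as ASCII/UTF-8 text and as UTF-16 text."""
    return [indicator.encode(enc) for enc in ("utf-8", "utf-16-le", "utf-16-be")]

def find_indicator(root, indicator):
    """Return sorted (path, modified, size) for script-type files containing it."""
    patterns, hits = needles(indicator), []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(folder, name)
            try:
                info = os.stat(path)
                if info.st_size > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:  # locked or access-denied files are skipped
                continue
            if any(p in data for p in patterns):
                modified = datetime.fromtimestamp(info.st_mtime)
                hits.append((path, modified, info.st_size))
    return sorted(hits)

def demo():
    """Search constructed sample files in a temporary folder; return matching names."""
    samples = {  # all constructed for this example
        "sample1.txt": "line mentioning 116.255.163.41\r\n".encode("ascii"),
        "sample2.vbs": "' note: 116.255.163.41".encode("utf-16"),  # UTF-16 with BOM
        "sample3.bat": b"echo nothing relevant",
        "sample4.exe": b"116.255.163.41",  # extension not in scope, so not reported
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return [os.path.basename(p) for p, _m, _s in find_indicator(root, "116.255.163.41")]

if __name__ == "__main__":
    print(demo())
```

Each hit carries the path, last-modified time and size, the same three fields the replies quote from FilesFound_C.txt.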
17 May 2013   #17

W7 Pro SP1 64bit
 
 

The warning not to go searching for more info was meant more for non-forum members that find this thread via search engines. My hope is that forum members already know not to do that.

I (perhaps foolishly) searched for more info using a frozen VM that is the only computer on its isolated subnet. The VM is behind 3 NATs, each with different levels of security turned on. And I used two levels of web proxy services to render the web pages. Each proxy service is set up to filter out certain types of junk. In other words, I just wanted to see the text on the websites. I did not want the websites sending me malware.

I did try 123 and 123 but that did not work. There is a lot more that I could say about this malware because so much of what it seems to be doing does not make much sense. But we don't want to document "how to build a better bot" in these forums.

If this file is malware, it is pretty clumsy. There is a chance that this is not malware per se. There is a chance that it is a joke that was placed on the OP's computer for "fun".

@OP,
What antivirus tool are you using?
17 May 2013   #18

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Wdingdong
~~~
Did someone hack my PC?
~~~
I see from the file that you attached that you have Norton Antivirus. Which Norton product do you have?

Do you have more than one antivirus tool installed?

Has ESET6 ever been installed on this computer? It can make user profiles with random names. I am not talking about ESET's online scanner.

Hopefully Kaktussoft will stop by soon to help you with the file you attached.
17 May 2013   #19

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Quote: Originally Posted by Wdingdong
Quote: Originally Posted by Kaktussoft
Same problem in clean startup? Revert to normal boot after testing!
Hey, I did the clean startup like you said and the cmd window didn't appear! I think some startup program is attempting to do that.

Quote: Originally Posted by Kaktussoft
A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it
I followed your steps. I've attached the FileFound_C.txt.

Quote: Originally Posted by chev65
Open an elevated command prompt then Type netsh winsock reset then click ok. Restart machine.
Hey, I tried that but it didn't work.

Quote: Originally Posted by chev65
You should also have the option of using system restore to take your system back to a point in time before the problem occurred.

System Restore
I didn't do that because I would lose programs I've installed recently.

@UsernameIssues: I'll tell you exactly what happened (I don't know how I forgot to mention this).
Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

Thanks everyone for your help
As you can see in the output file, I want C:\Windows\System32\cmd.txt (5/4/2013 8:19:26 PM 59) and C:\Program Files\Symantec\Norton Utilities 16\sMonitor\PCTProcess.txt (5/16/2013 10:39:43 PM 7,558)

Post both files.

Also search the whole registry (using regedit) for the strings PCTProcess.txt and cmd.txt. Found it?
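An added example (not part of the thread) of running the registry search suggested above over an exported .reg file instead of regedit's Find dialog. It decodes REG_EXPAND_SZ and REG_MULTI_SZ values, which an export writes as hex bytes and a plain text search of the file therefore misses; the function names, value names and sample export are assumptions constructed for the example.

```python
import re

def decode_value(raw):
    """Turn the right-hand side of a .reg value line into searchable text."""
    m = re.match(r"hex\((?:2|7)\):(.*)", raw, re.S)
    if m:  # REG_EXPAND_SZ / REG_MULTI_SZ are exported as UTF-16LE bytes in hex
        digits = re.sub(r"[^0-9a-fA-F]", "", m.group(1))
        text = bytes.fromhex(digits).decode("utf-16-le", "replace")
        return text.replace("\x00", " ").strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':  # REG_SZ with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # dword and plain binary values are left as written

def search_reg_export(text, terms):
    """Return (key, value_name, data) for values whose name or data has a term."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    key, hits = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else decode_value(m.group(1))
        data = decode_value(m.group(2))
        haystack = (name + " " + data).lower()
        if any(term.lower() in haystack for term in terms):
            hits.append((key, name, data))
    return hits

def as_hex2(value):
    """Sample helper: encode value the way a REG_EXPAND_SZ appears in an export."""
    body = ",".join(f"{b:02x}" for b in (value + "\0").encode("utf-16-le"))
    return "hex(2):" + body[:30] + "\\\n  " + body[30:]

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = "\n".join([  # constructed export, not taken from the thread
    "Windows Registry Editor Version 5.00", "",
    "[" + RUN_KEY + "]",
    r'"EntryA"="C:\\Example\\cmd.txt"',
    '"EntryB"=' + as_hex2(r"%ProgramFiles%\Example\PCTProcess.txt"),
    r'"EntryC"="C:\\Example\\app.exe"',
])

if __name__ == "__main__":
    for hit in search_reg_export(SAMPLE, ["PCTProcess.txt", "cmd.txt"]):
        print(hit)
```

A file exported by regedit in the "Windows Registry Editor Version 5.00" format is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in.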
17 May 2013   #20

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Log off and log on again. cmd popup appears? If so, disable Norton Utilities 16. Log off and log on again. cmd popup appears?