Windows 7 Forums

Windows 7: Internet Connection Sharing cmd window pops up at startup

16 May 2013   #11
chev65

Windows 7 Ult, Windows 8.1 Pro,
 
 

Quote: Originally Posted by Wdingdong
Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but since a couple of weeks it's happening continuously.

Following window appears on the startup and displays some command automatically.


Any idea what's happening?

Try this:

Open an elevated command prompt, then type netsh winsock reset, then click OK. Restart machine.

You should also have the option of using system restore to take your system back to a point in time before the problem occurred.

System Restore



17 May 2013   #12
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Wdingdong
Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but since a couple of weeks it's happening continuously.

Following window appears on the startup and displays some command automatically.


Any idea what's happening?

As Sub Styler mentioned:
It looks like some file is attempting to start the Internet Connection Sharing service.

Since you have that service disabled, it displays the first line that you see in the cmd prompt screenshot. We will not know what the next few lines attempt to do until you locate the file like Kaktussoft suggested.

After those "Access is Denied" lines, the file attempts to open an FTP session with a server that seems to be located in China to download a file named 1.exe to your computer. That is the scary part that I've not seen anyone mention.

Once you locate the file, you might try Autoruns to see what is launching it. Maybe it is a scheduled task or maybe the file is started another way. If you set the filters in Autoruns to look like this...
[Screenshot: autoruns.png]
...then you might be amazed at how many places there are to start a file from.

(Use Options > Filter Options... to get to the screen shown above.)


17 May 2013   #13
Sub Styler

Windows 7 Ultimate x64
 
 

Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.


17 May 2013   #14
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Sub Styler
Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.

I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

Again, don't try this at home (or at work :-)
17 May 2013   #15
Sub Styler

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by UsernameIssues
I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

Again, don't try this at home (or at work :-)

Lol I didn't sam spade it

un and pwd appear to be 123 123
17 May 2013   #16
Wdingdong

Windows 7 32 bit
 
 

Quote: Originally Posted by Kaktussoft
Same problem in clean startup? Revert to normal boot after testing!

Hey, I did the clean startup like you said and the cmd window didn't appear! I think some startup program is attempting to do that.

Quote: Originally Posted by Kaktussoft
A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it

I followed your steps. I've attached the FileFound_C.txt.

Quote: Originally Posted by chev65
Open an elevated command prompt then Type netsh winsock reset then click ok. Restart machine.

Hey, I tried that but it didn't work.

Quote: Originally Posted by chev65
You should also have the option of using system restore to take your system back to a point in time before the problem occurred.

System Restore

I didn't do that because I would lose programs I've installed recently.

@UsernameIssues: I'll tell you what exactly happened (I don't know how I forgot to mention this).
Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

Thanks everyone for your help


17 May 2013   #17
UsernameIssues

W7 Pro SP1 64bit
 
 

The warning not to go searching for more info was meant more for non-forum members that find this thread via search engines. My hope is that forum members already know not to do that.

I (perhaps foolishly) searched for more info using a frozen VM that is the only computer on its isolated subnet. The VM is behind 3 NATs, each with different levels of security turned on. And I used two levels of web proxy services to render the web pages. Each proxy service is set up to filter out certain types of junk. In other words, I just wanted to see the text on the websites. I did not want the websites sending me malware.

I did try 123 and 123 but that did not work. There is a lot more that I could say about this malware because so much of what it seems to be doing does not make much sense. But we don't want to document "how to build a better bot" in these forums.

If this file is malware, it is pretty clumsy. There is a chance that this is not malware per se. There is a chance that it is a joke that was placed on the OP's computer for "fun".

@OP,
What antivirus tool are you using?
17 May 2013   #18
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Wdingdong
~~~
Did someone hack my PC?
~~~

I see from the file that you attached that you have Norton Antivirus. Which Norton product do you have?

Do you have more than one antivirus tool installed?

Has ESET6 ever been installed on this computer? It can make user profiles with random names. I am not talking about ESET's online scanner.

Hopefully Kaktussoft will stop by soon to help you with the file you attached.
17 May 2013   #19
Kaktussoft

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Quote: Originally Posted by Wdingdong
Quote: Originally Posted by Kaktussoft
Same problem in clean startup? Revert to normal boot after testing!

Hey, I did the clean startup like you said and the cmd window didn't appear! I think some startup program is attempting to do that.

Quote: Originally Posted by Kaktussoft
A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it

I followed your steps. I've attached the FileFound_C.txt.

Quote: Originally Posted by chev65
Open an elevated command prompt then Type netsh winsock reset then click ok. Restart machine.

Hey, I tried that but it didn't work.

Quote: Originally Posted by chev65
You should also have the option of using system restore to take your system back to a point in time before the problem occurred.

System Restore

I didn't do that because I would lose programs I've installed recently.

@UsernameIssues: I'll tell you what exactly happened (I don't know how I forgot to mention this).
Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

Thanks everyone for your help

As you can see in the output file... I want C:\Windows\System32\cmd.txt (5/4/2013 8:19:26 PM 59) and C:\Program Files\Symantec\Norton Utilities 16\sMonitor\PCTProcess.txt (5/16/2013 10:39:43 PM 7,558)

Post both files.

Also search the whole registry (using regedit) for the strings PCTProcess.txt and cmd.txt. Found it?
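
The search described in the thread (every txt, vbs, cmd and bat file under a root that contains a given string, reported with its timestamp and size), as an added Python example; it is not the script the posters used. It also matches UTF-16 encoded files, which a byte search for the ANSI string alone misses, and it records unreadable paths instead of stopping. The function names and the 5 MB size cap are assumptions.

```python
import os
import sys
import time

SCRIPT_EXTS = {".txt", ".vbs", ".cmd", ".bat"}  # file types named in the thread
MAX_BYTES = 5 * 1024 * 1024  # assumed cap: larger files are not scanned

def needle_variants(needle):
    """The indicator as ANSI bytes and as UTF-16 in both byte orders."""
    return [needle.encode(enc) for enc in ("ascii", "utf-16-le", "utf-16-be")]

def scan_tree(root, needle):
    """Return (hits, skipped). hits: sorted (path, mtime, size) tuples for
    script-like files containing the indicator; skipped: unreadable paths."""
    patterns = needle_variants(needle)
    hits, skipped = [], []

    def on_error(err):  # e.g. access denied while listing a directory
        skipped.append(err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                skipped.append(path)
                continue
            if any(p in data for p in patterns):
                hits.append((path, mtime, size))
    return sorted(hits), skipped

def format_hit(hit):
    """One report line: path (modified-time size-in-bytes)."""
    path, mtime, size = hit
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime))
    return "%s (%s %s)" % (path, stamp, format(size, ","))

if __name__ == "__main__":
    # Usage: python scan_indicator.py <root> <indicator>
    found, unreadable = scan_tree(sys.argv[1], sys.argv[2])
    for hit in found:
        print(format_hit(hit))
    print("%d hit(s), %d unreadable path(s)" % (len(found), len(unreadable)))
```

The skipped list matters as much as the hits: a path that could not be read has not been cleared.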
17 May 2013   #20
Kaktussoft

Microsoft Community Contributor Award Recipient

Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
 
 

Log off and log on again. cmd popup appears? If so, disable Norton Utilities 16. Log off and log on again. cmd popup appears?