Solved Internet Connection Sharing cmd window pops up at startup

Wdingdong

Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but for the last couple of weeks it's been happening continuously.

The following window appears at startup and displays some commands automatically.
tttt.png

Any idea what's happening?
 

My Computer
OS: Windows 7 32 bit
Computer type: PC/Desktop
Do you use ICS? If not, I would just remove the startup entry. If you need the ICS service running, it will need to be enabled in "Control Panel" - "Administrative Tools" - "Services". It would appear that the service has been disabled and a batch file is asking it to start. Please can you post screenshots of the startup section in msconfig (just type "msconfig" into the start menu).
 

No, I don't use ICS. Also, it is disabled in the Control Panel->Administrative Tools->Services.
Here's the image of msconfig->Startup

rrrr.png
 

Please check this

In Windows 7 the location of your personal startup folder is:


%appdata%\Microsoft\Windows\Start Menu\Programs\Startup
For all users, you will find the startup folder in:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
What is in those folders?
 

In the first Startup folder there's only OneNote and in the second one there's WinZip. I found nothing about ICS or cmd.
 

Does it also show the cmd window if you logon as another user? Create a temporary test account in case no other account has been setup yet.
 

Yes, the same cmd window appears when I login with a different account.
 

@Moderators, Can you move this thread to networking section please? I might get some help there.

Edit: Thanks, that was quick.
 

Post both attached files in 1 folder
Rename findf.txt to findf.cmd (I couldn't upload cmd files).
Now right-click findf.cmd -> run as admin
A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it
 

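An added example, not the findf.cmd attached to the post above (its contents are not shown on this page): a Python version of the same kind of search, looking through .txt, .vbs, .cmd and .bat files for the string from the thread and reporting path, modification time and size. It also matches UTF-16 encoded files, which a plain ASCII byte search misses; the sample files and their names are constructed.

```python
import os
import tempfile

INDICATOR = "116.255.163.41"                   # string quoted in the thread
EXTENSIONS = {".txt", ".vbs", ".cmd", ".bat"}  # file types named in the post
MAX_BYTES = 8 * 1024 * 1024                    # assumption: scripts are small


def patterns(indicator):
    """Byte forms of the indicator: ASCII, then UTF-16 in both byte orders."""
    return (indicator.encode("ascii"),
            indicator.encode("utf-16-le"),
            indicator.encode("utf-16-be"))


def find_indicator(root, indicator=INDICATOR, extensions=EXTENSIONS):
    """Return a sorted list of (path, mtime, size) for files containing it."""
    pats = patterns(indicator)
    hits = []
    # os.walk silently skips directories it cannot list (default onerror)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = os.fstat(fh.fileno())
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue  # locked or access denied: skip this file
            if any(p in data for p in pats):
                hits.append((path, info.st_mtime, info.st_size))
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files (placeholder contents) under root/sub."""
    line = "rem constructed sample line mentioning " + INDICATOR + "\r\n"
    samples = {
        "startup.cmd": line.encode("ascii"),                   # ASCII match
        "helper.VBS": b"\xff\xfe" + line.encode("utf-16-le"),  # UTF-16 match
        "notes.txt": b"nothing of interest here\r\n",          # no indicator
        "blob.exe": line.encode("ascii"),                      # type not scanned
    }
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    for name, data in samples.items():
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed tree and return the matching file names."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.basename(hit[0]) for hit in find_indicator(root)]


if __name__ == "__main__":
    print(demo())
```

On a real machine the call would be `find_indicator("C:\\")` from an elevated prompt; files larger than `MAX_BYTES` are only checked up to that size.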

Try this:

Open an elevated command prompt, then type netsh winsock reset, then click OK. Restart the machine.

You should also have the option of using system restore to take your system back to a point in time before the problem occurred. :)

http://www.sevenforums.com/tutorials/700-system-restore.html
 
As Sub Styler mentioned:
It looks like some file is attempting to start the Internet Connection Sharing service.

Since you have that service disabled, it displays the first line that you see in the cmd prompt screenshot. We will not know what the next few lines attempt to do until you locate the file like Kaktussoft suggested.

After those "Access is Denied" lines, the file attempts to open an FTP session with a server that seems to be located in China to download a file named 1.exe to your computer. That is the scary part that I've not seen anyone mention.

Once you locate the file, you might try Autoruns to see what is launching it. Maybe it is a scheduled task or maybe the file is started another way. If you set the filters in Autoruns to look like this...
autoruns.png
...then you might be amazed at how many places there are to start a file from.

(Use Options > Filter Options... to get to the screen shown above.)
 

Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.
 

I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

Again, don't try this at home (or at work :-)
 


Lol I didn't sam spade it :)

un and pwd appear to be 123 123
 

Kaktussoft said:
Same problem in clean startup? Revert to normal boot after testing!
Hey, I did the clean startup like you said and the cmd window didn't appear! :D I think some startup program is attempting to do that.

Kaktussoft said:
A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it
I followed your steps. I've attached the FileFound_C.txt.

chev65 said:
Open an elevated command prompt then Type netsh winsock reset then click ok. Restart machine.
Hey, I tried that but it didn't work.

chev65 said:
You should also have the option of using system restore to take your system back to a point in time before the problem occurred. :)

System Restore
I didn't do that because I would lose programs I've installed recently.

@UsernameIssues: I'll tell you what exactly happened (I don't know how I forgot to mention this).
Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

Thanks everyone for your help:D
 

The warning not to go searching for more info was meant more for non-forum members that find this thread via search engines. My hope is that forum members already know not to do that.

I (perhaps foolishly) searched for more info using a frozen VM that is the only computer on its isolated subnet. The VM is behind 3 NATs, each with different levels of security turned on. And I used two levels of web proxy services to render the web pages. Each proxy service is set up to filter out certain types of junk. In other words, I just wanted to see the text on the websites. I did not want the websites sending me malware.

I did try 123 and 123 but that did not work. There is a lot more that I could say about this malware because so much of what it seems to be doing does not make much sense. But we don't want to document "how to build a better bot" in these forums.

If this file is malware, it is pretty clumsy. There is a chance that this is not malware per se. There is a chance that it is a joke that was placed on the OP's computer for "fun".

@OP,
What antivirus tool are you using?
 

~~~
Did someone hack my PC?
~~~
I see from the file that you attached that you have Norton Antivirus. Which Norton product do you have?

Do you have more than one antivirus tool installed?

Has ESET6 ever been installed on this computer? It can make user profiles with random names. I am not talking about ESET's online scanner.

Hopefully Kaktussoft will stop by soon to help you with the file you attached.
 

As you can see in output file.... I want C:\Windows\System32\cmd.txt (5/4/2013 8:19:26 PM 59) and C:\Program Files\Symantec\Norton Utilities 16\sMonitor\PCTProcess.txt (5/16/2013 10:39:43 PM 7,558)

post both files

Also search whole registry (using regedit) for strings PCTProcess.txt and cmd.txt. Found it?
 

Log off and log on again. Does the cmd popup appear? If so, disable Norton Utilities 16. Log off and log on again. Does the cmd popup appear?
 
