Internet Connection Sharing cmd window pops up at startup


  1. Posts : 8,870
    Windows 7 Ult, Windows 8.1 Pro,
       #11

    Wdingdong said:
    Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but for a couple of weeks it's been happening continuously.

    Following window appears on the startup and displays some command automatically.


    Any idea what's happening?
    Try this:

    Open an elevated command prompt, then type netsh winsock reset, then click OK. Restart machine.

    You should also have the option of using system restore to take your system back to a point in time before the problem occurred. :)

    System Restore
    Last edited by chev65; 16 May 2013 at 12:05.


  2. Posts : 10,485
    W7 Pro SP1 64bit
       #12

    Wdingdong said:
    Every time I start my PC, this Internet Connection Sharing cmd window pops up. It displays some commands and halts. Then I need to close it. It never used to happen earlier, but for a couple of weeks it's been happening continuously.

    Following window appears on the startup and displays some command automatically.


    Any idea what's happening?
    As Sub Styler mentioned:
    It looks like some file is attempting to start the Internet Connection Sharing service.

    Since you have that service disabled, it displays the first line that you see in the cmd prompt screenshot. We will not know what the next few lines attempt to do until you locate the file like Kaktussoft suggested.

    After those "Access is Denied" lines, the file attempts to open an FTP session with a server that seems to be located in China to download a file named 1.exe to your computer. That is the scary part that I've not seen anyone mention.

    Once you locate the file, you might try Autoruns to see what is launching it. Maybe it is a scheduled task or maybe the file is started another way. If you set the filters in Autoruns to look like this...
    [Attached image: autoruns.png, Autoruns filter options]
    ...then you might be amazed at how many places there are to start a file from.

    (Use Options > Filter Options... to get to the screen shown above.)


  3. Posts : 740
    Windows 7 Ultimate x64
       #13

    Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

    I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #14

    Sub Styler said:
    Yes, I just re-read the OP. I had not actually got very far through the log before starting a diagnosis. Certainly looks like a malware issue!

    I couldn't actually connect to the server though. Got a few unsafe port errors and timeouts on port 21.
    I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

    That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

    Again, don't try this at home (or at work).


  5. Posts : 740
    Windows 7 Ultimate x64
       #15

    UsernameIssues said:
    I should have mentioned that I am NOT encouraging people to go searching for more info on this, but (before I posted in this thread) I did manage to locate a security related website that linked the IP shown in the OP to a URL. The security website called the URL unsafe.

    That unsafe URL now resolves to a new IP address. I was able to FTP to that new IP, but I could not authenticate.

    Again, don't try this at home (or at work).
    Lol I didn't sam spade it :)

    un and pwd appear to be 123 123


  6. Posts : 11
    Windows 7 32 bit
    Thread Starter
       #16

    Kaktussoft said:
    Same problem in clean startup? Revert to normal boot after testing!
    Hey, I did the clean startup like you said and the cmd window didn't appear! I think some startup program is attempting to do that.

    Kaktussoft said:
    A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it
    I followed your steps. I've attached the FileFound_C.txt.

    chev65 said:
    Open an elevated command prompt, then type netsh winsock reset, then click OK. Restart machine.
    Hey, I tried that but it didn't work.

    chev65 said:
    You should also have the option of using system restore to take your system back to a point in time before the problem occurred. :)

    System Restore
    I didn't do that because I would lose programs I've installed recently.

    @UsernameIssues: I'll tell you what exactly happened (I don't know how I forgot to mention this).
    Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

    Thanks everyone for your help


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #17

    The warning not to go searching for more info was meant more for non-forum members that find this thread via search engines. My hope is that forum members already know not to do that.

    I (perhaps foolishly) searched for more info using a frozen VM that is the only computer on its isolated subnet. The VM is behind 3 NATs, each with different levels of security turned on. And I used two levels of web proxy services to render the web pages. Each proxy service is set up to filter out certain types of junk. In other words, I just wanted to see the text on the websites. I did not want the websites sending me malware.

    I did try 123 and 123 but that did not work. There is a lot more that I could say about this malware because so much of what it seems to be doing does not make much sense. But we don't want to document "how to build a better bot" in these forums.

    If this file is malware, it is pretty clumsy. There is a chance that this is not malware per se. There is a chance that it is a joke that was placed on the OP's computer for "fun".

    @OP,
    What antivirus tool are you using?


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #18

    Wdingdong said:
    ~~~
    Did someone hack my PC?
    ~~~
    I see from the file that you attached that you have Norton Antivirus. Which Norton product do you have?

    Do you have more than one antivirus tool installed?

    Has ESET6 ever been installed on this computer? It can make user profiles with random names. I am not talking about ESET's online scanner.

    Hopefully Kaktussoft will stop by soon to help you with the file you attached.


  9. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #19

    Wdingdong said:
    Kaktussoft said:
    Same problem in clean startup? Revert to normal boot after testing!
    Hey, I did the clean startup like you said and the cmd window didn't appear! I think some startup program is attempting to do that.

    Kaktussoft said:
    A file called FilesFound_C.txt will be created in same folder. Script runs a long time!! Post FilesFound_C.txt please. It will contain all txt,vbs,cmd,bat files on C:\ with text "116.255.163.41" in it
    I followed your steps. I've attached the FileFound_C.txt.

    chev65 said:
    Open an elevated command prompt, then type netsh winsock reset, then click OK. Restart machine.
    Hey, I tried that but it didn't work.

    chev65 said:
    You should also have the option of using system restore to take your system back to a point in time before the problem occurred. :)

    System Restore
    I didn't do that because I would lose programs I've installed recently.

    @UsernameIssues: I'll tell you what exactly happened (I don't know how I forgot to mention this).
    Everything was fine and then suddenly a lot of system profiles appeared automatically with weird names (random nos., $system, etc.). I immediately deleted all those profiles. And after this incident this cmd started appearing. Did someone hack my PC?

    Thanks everyone for your help
    As you can see in the output file... I want C:\Windows\System32\cmd.txt (5/4/2013 8:19:26 PM 59) and C:\Program Files\Symantec\Norton Utilities 16\sMonitor\PCTProcess.txt (5/16/2013 10:39:43 PM 7,558)

    Post both files.

    Also search whole registry (using regedit) for strings PCTProcess.txt and cmd.txt. Found it?
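
A read-only triage sketch of the checks suggested in posts #12, #16 and #19, added here as an example; it is not code posted by any thread member and is not the script Kaktussoft supplied. It assumes Windows PowerShell 2.0 or later; the indicator strings are the ones quoted in the thread, and the helper name Test-Indicator is hypothetical.

```powershell
# Added example: read-only triage for the indicators named in this thread.
$ip      = '116.255.163.41'                     # address quoted in the thread
$needles = @($ip, 'cmd.txt', 'PCTProcess.txt')  # file names from post #19

# Hypothetical helper: $true when $Text contains any needle (case-insensitive).
function Test-Indicator([string]$Text) {
    foreach ($n in $needles) {
        if ($Text.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Registry Run/RunOnce values (a small subset of what Autoruns lists).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (Test-Indicator $value) { 'REGISTRY  {0} [{1}] = {2}' -f $key, $name, $value }
    }
}

# 2. Shortcuts in the per-user and all-users Startup folders.
$shell = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup'),
           (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $cmd = '{0} {1}' -f $lnk.TargetPath, $lnk.Arguments
    if (Test-Indicator $cmd) { 'STARTUP   {0} -> {1}' -f $_.FullName, $cmd }
}

# 3. Scheduled tasks: print any line of the verbose listing that matches.
schtasks.exe /query /fo LIST /v | Select-String -SimpleMatch -Pattern $needles

# 4. Script and text files on C:\ that mention the address (slow on a full drive).
Get-ChildItem -Path 'C:\' -Recurse -Include *.txt,*.vbs,*.cmd,*.bat -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-String -SimpleMatch -Pattern $ip -List -ErrorAction SilentlyContinue |
    ForEach-Object { 'FILE      {0} (line {1})' -f $_.Path, $_.LineNumber }
```

Run it from an elevated PowerShell prompt under the affected account, since the HKCU keys and the per-user Startup folder belong to whoever runs it. Autoruns covers many more launch points (services, logon scripts and so on) than the four checked here.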


  10. Posts : 10,796
    Microsoft Windows 7 Home Premium 64-bits 7601 Multiprocessor Free Service Pack 1
       #20

    Log off and log on again. cmd popup appears? If so, disable Norton Utilities 16. Log off and log on again. cmd popup appears?


 