3

Maybe I am just being paranoid, but I suspect malware or maybe a bitcoin miner. Command Prompt opens at random intervals and I notice random FPS drops while gaming (10-20 seconds long). I'm using an HP-15 Windows 10 x64 system and have Quick Heal AntiVirus (paid version) installed. Intel 4005U 1.7 GHz and Nvidia 820M. Full system scans yielded no results. The system also feels a bit unresponsive. This and the FPS drops might be due to heat, but that still doesn't explain CMD's behaviour.

No other unusual behaviour or change in system file was noticed.

What steps do I need to take, and can I log what CMD is doing?

Anvit
  • Possible duplicate of [Help! My home PC has been infected by a virus! What do I do now?](https://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now) – MiaoHatola Jun 10 '17 at 15:10
  • You should nuke your data from orbit a.k.a. wipe everything and do a fresh install – VincBreaker Jun 10 '17 at 15:22
  • On Windows this may also be caused by an Office update background handler. This will flash a cmd window every hour. More info on [Windows forum](https://answers.microsoft.com/en-us/msoffice/forum/msoffice_officeinsider-mso_win10/officebackgroundtaskhandlerregistration-flashes-a/2600497e-78e4-41a1-9040-461cd2c3ea13). – Eelke Jun 10 '17 at 20:31
  • @Eelke Yep.... I caught a glimpse of the process name when cmd showed up... Office background service :( – Anvit Jun 13 '17 at 04:15

3 Answers

4

If your version of Windows allows you to run Local Security Policy or Local Group Policy editor, you can enable advanced audit logging of process start and stop in the system, and the next time it occurs, look in the Security event log to see what process was launched.

To do this, run Local Security Policy editor (in "Control Panel"->"Administrative Tools") as Administrator (right-click on its icon and select "Run as Administrator"), and expand the left-hand tree "Advanced Audit Policy Configuration"->"System Audit Policies"->"Detailed Tracking". Select "Detailed Tracking", and on the right-hand side, double-click on "Audit Process Creation" to bring up the properties dialog. Tick "Configure the following audit events:", and "Success", then click on [OK] to save the setting. It should take effect immediately.

The next time the window appears briefly, record the system time (not the time on the clock on the wall), run Event Viewer (in "Control Panel"->"Administrative Tools") as Administrator (see above) and expand "Windows Logs" to select "Security". You should see a number of events; you're interested in the ones with Task Category "Process Creation" with Event ID 4688, at about the time that you recorded. You'll probably see a few events; look at the General tab in the details. You're interested in the Process Information bit, specifically the New Process ID, New Process Name, Creator Process ID and Creator Process Name. There should be a "C:\Windows\System32\conhost.exe" process, which is the Command Prompt window that you see. Its Creator Process Name value will tell you how it was launched. Look at the following events to find one whose Creator Process ID is the same as the conhost's New Process ID. That's the program that actually ran in the Command Prompt.

Hope that helps.

Pak
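
The same procedure from the command line, as an added example that is not part of the answer above. It enables the "Process Creation" audit subcategory with auditpol, optionally turns on command-line logging for 4688 events, then pulls the 4688 events around the time you recorded and correlates them by process ID. The answer describes looking for events whose Creator Process ID equals the conhost's New Process ID; on Windows 8 and later conhost.exe is usually created with the console program (cmd.exe) as its parent, so the script prints both relations, plus the event of the conhost's creator, rather than assuming one direction. The English event field names (NewProcessId, ProcessId, ParentProcessName) and the time in `$when` are assumptions you replace with your own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original answer. Run elevated on Windows 10.

# 1. Same effect as ticking "Audit Process Creation" -> "Success" in Local Security Policy.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Optional: record the full command line in 4688 events. This is the registry
#    value behind the policy "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 3. After the window flashes, note the system time and query 4688 around it.
$when = Get-Date '2017-06-10 15:10:00'   # assumption: replace with the time you recorded
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $when.AddMinutes(-2)
    EndTime   = $when.AddMinutes(2)
} -ErrorAction SilentlyContinue

# Flatten each event's EventData into the fields the Event Viewer "General" tab shows.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        NewPid      = $d['NewProcessId']        # hex string, e.g. 0x1a4c
        NewName     = $d['NewProcessName']
        CreatorPid  = $d['ProcessId']           # "Creator Process ID" in the GUI
        CreatorName = $d['ParentProcessName']   # "Creator Process Name" (Windows 10 and later)
        CommandLine = $d['CommandLine']         # empty unless step 2 was applied
    }
}

# 4. For every conhost.exe window, print who created it and what ran with it.
#    PIDs are compared as the hex strings the event carries; within a two-minute
#    window PID reuse is unlikely but not impossible, so treat matches as leads.
foreach ($con in $rows | Where-Object { $_.NewName -like '*\conhost.exe' }) {
    "`n[$($con.Time)] conhost.exe pid $($con.NewPid) created by $($con.CreatorName) (pid $($con.CreatorPid))"

    # Relation described in the answer: processes whose creator is the conhost itself.
    $rows | Where-Object { $_.CreatorPid -eq $con.NewPid } |
        ForEach-Object { "  child of conhost : $($_.NewName) $($_.CommandLine)" }

    # Processes created by the same parent as the conhost. On Windows 8 and later that
    # parent is normally the console program (cmd.exe), so these are what it launched.
    $rows | Where-Object { $_.CreatorPid -eq $con.CreatorPid -and $_.NewPid -ne $con.NewPid } |
        ForEach-Object { "  same parent      : $($_.NewName) $($_.CommandLine)" }

    # The creator's own 4688 event, if it falls in the window: this names the program
    # (scheduled task host, updater, ...) that actually started the console.
    $rows | Where-Object { $_.NewPid -eq $con.CreatorPid } |
        ForEach-Object { "  creator's parent : $($_.CreatorName) (pid $($_.CreatorPid))" }
}
```

Step 2 is optional but is what turns "cmd.exe ran" into "cmd.exe ran `/c <something>`", which is usually the line that identifies the culprit. Both settings persist until you turn them off again (`auditpol /set /subcategory:"Process Creation" /success:disable`), and the Security log fills faster while they are on.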
4

The cmd window popping up may be caused by an Office background task.
Microsoft has fixed this in build 16.8210.2075, but as of 6/6/17 it is only available for the Insiders program.

If you would like to stop the window from popping up, you can disable the background task in Task Scheduler => Microsoft => Office => OfficeBackgroundTaskHandlerRegistration and disable it there.
If you do want to keep running the background task, you can change the user to SYSTEM (be aware that this is a security risk!). This can be done via Task Scheduler => Microsoft => Office => OfficeBackgroundTaskHandlerRegistration; right-click and select Properties. Here, click "Change User or Group" and type 'System'.

I am not aware of any consequences other than stopping the cmd window from popping up.

Eelke
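
The first option from the answer above, done from an elevated PowerShell prompt, as an added example that is not part of the answer. Before disabling the task it prints the account the task runs as, the executable and arguments it launches, and its last run time, so you can check those against the process name and timestamp you saw in the Security log instead of disabling on suspicion alone. The task path and name are the ones the answer gives; everything else is standard ScheduledTasks module usage on Windows 10.

```powershell
# Added example, not from the original answer. Run elevated on Windows 10 with Office installed.
$taskPath = '\Microsoft\Office\'
$taskName = 'OfficeBackgroundTaskHandlerRegistration'

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop

# 1. What the task is and what it runs. The executable should match the process name
#    you caught in Event Viewer; a task running as the interactive user explains why
#    its console window is visible on the desktop.
[pscustomobject]@{
    Task     = $task.TaskName
    State    = $task.State
    RunsAs   = $task.Principal.UserId
    RunLevel = $task.Principal.RunLevel
    Executes = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
} | Format-List

# 2. Last/next run times: compare LastRunTime with the moment the window flashed.
Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName |
    Select-Object LastRunTime, LastTaskResult, NextRunTime

# 3. Disable the task (reversible with Enable-ScheduledTask using the same path and name).
$task | Disable-ScheduledTask | Out-Null
(Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).State   # Disabled
```

If the last run time lines up with the cmd window and the executable matches the creator you saw in the 4688 events, disabling is justified; if they do not line up, leave the task alone and keep looking, because disabling it would only hide the symptom.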
0

Your options, as I see them, in the order of preference:

  1. Get professional help. Preferably a Security Incident Response pro.
  2. Wipe the system clean, do a fresh install and restore only data from a clean backup (this is a hard one... to make sure your backup is clean).
  3. DIY: Use SysInternals Process Explorer (download it from Microsoft Site, not any other) and try to account for all the processes running. Google is your friend for the most part - in trying to identify running processes.
Sas3
  • I suppose wiping just C drive won't work.. I'll have to wipe D drive too? – Anvit Jun 10 '17 at 15:30
  • When the nature of the malware (if any) is unknown, even taking a backup is a hard problem. To be safe, I suggest: you first boot from a known-clean CD or USB drive (don't create it on the suspect system), then take the backups (back up the data on the D drive and any other drives), wipe all the drives clean, and then re-install. – Sas3 Jun 10 '17 at 15:35
  • Any way I can log what CMD is doing? – Anvit Jun 10 '17 at 15:38
  • I'm not much of a Windows guy, sorry. You could try Event Log settings (it should be there somewhere in Manage Computer) - and look for "Application Logs" - at *Information* level. If set correctly, they should log the successful completion of a program. Your task then would be to identify those in a particular time window and account for all of them. – Sas3 Jun 10 '17 at 15:42
  • Check this out: https://answers.microsoft.com/en-us/windows/wiki/windows_10-update/event-viewer-what-is-going-on-in-your-computer/fdda2010-d4df-4fed-863b-89ce0142419d – Sas3 Jun 10 '17 at 15:45
  • After nuking it from orbit the same thing was happening again... Turns out it was the Office background service... RIP – Anvit Jun 13 '17 at 04:16