
I've got a laptop that has what appears to be a command prompt pop up and vanish whenever it connects to the net. I can repeat it by turning Wi-Fi off/on; it flashes up and vanishes too fast to see or to show up in Procmon/Task Manager. Is there any way I can slow it down, log its execution, or otherwise figure out what it is?

Procmon seems to be able to log fast enough to catch it, but between not knowing what I'm looking for and the fact that it's thousands of lines long, it might as well not log at all. There are several 'cmd.exe' entries in the log, but none seem to be relevant or to happen at the (apparent) time this executes.

I'm not even sure it IS cmd.exe, but it has the same 'DOS window' look; it just vanishes before I can see what it is :( Anyone have any ideas at all?

  • Obligatory question: Do you have a virus scanner running and/or did you run an on-demand scan? Even if so, it may be a good idea to run a virus scanner from a bootable disk/USB drive (sometimes called a Rescue Disk/System). – Adaephon Jan 30 '15 at 09:02
  • Malwarebytes and Panda antivirus, but I'll dig out my copy of Hiram's Boot CD; I think there's an anti-virus on there I could run from the live OS on it. What I've run so far, though, shows clean. – Christiebunny Jan 31 '15 at 06:14
  • I need to poke around a bit, but I'd try some kind of video capture here - I like VLC, repeat it, and go frame by frame. Slightly annoying, but it should probably catch what it is. – Journeyman Geek Jan 31 '15 at 14:28
  • I tried filming it with my smartphone -- caught it, but it faded in and out between frames, so I only got the fade-in and fade-out, neither clear enough to make anything out. It _appeared_ to be just a blank cmd.exe window, from what I could make out between the console prompt and title bar... so I'm still clueless. – Christiebunny Mar 20 '15 at 05:57
  • NOTE: The original laptop was reinstalled from factory discs, which cleaned it, but I'm still poking at it in a VM, trying to figure out what's going on, when I have the time. – Christiebunny Mar 20 '15 at 06:00
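The question asks how to log the execution of a window that is gone before Task Manager or a camera can catch it. The following is an added example, not something posted by the asker or the commenters: instead of filming the screen, it turns on the OS's own process-creation audit (Security event 4688, with the command line included), reproduces the Wi-Fi toggle, and then lists every process started in that window together with the process that launched it. The audit subcategory, the `ProcessCreationIncludeCmdLine_Enabled` value and the 4688 field names are real Windows facts; the variable names and the 30-second collection window are this example's own choices. It needs an elevated PowerShell prompt.

```powershell
# Added example, not from the original question or its comments. Audit events are
# written even for a process that lives for a few milliseconds, so this catches
# what a screen recording misses. Run from an elevated PowerShell prompt.

# 1. Turn on the "Process Creation" subcategory of Detailed Tracking auditing.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Ask Windows to put the full command line into each 4688 event. This value
#    is honoured on Windows 8.1 / Server 2012 R2 and later (and on Windows 7 /
#    2008 R2 with update KB3004375); older builds simply ignore it.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Mark the time, then reproduce the symptom by toggling the Wi-Fi adapter.
#    ($since and the 30-second window are this example's own choices.)
$since = Get-Date
Write-Host "Toggle the Wi-Fi adapter now; collecting process starts for 30 seconds..."
Start-Sleep -Seconds 30

# 4. Read back every process started since $since. The interesting fields live
#    in the event's XML EventData, so unpack them into a flat object per event.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        NewProcess  = $data['NewProcessName']
        NewPid      = $data['NewProcessId']
        # ParentProcessName is only filled in on Windows 10 / Server 2016 and later;
        # on older builds match ParentPid against an earlier row's NewPid instead.
        Parent      = $data['ParentProcessName']
        ParentPid   = $data['ProcessId']        # in 4688, "ProcessId" is the creator's PID
        CommandLine = $data['CommandLine']
        User        = $data['SubjectUserName']
    }
}

# 5. A console window means cmd.exe, conhost.exe or some other console program
#    was started. The row for that child shows what ran and with which arguments;
#    the Parent column shows what launched it (a task host, a service, a script...).
$rows | Sort-Object Time | Format-Table Time, NewProcess, Parent, ParentPid, CommandLine -AutoSize -Wrap
```

On an otherwise idle machine a 30-second window holds a few dozen 4688 events rather than Procmon's thousands of lines, and the command line plus parent is normally enough to name the launcher. Turn the audit subcategory off again with `auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable` once you have what you need, since 4688 with command lines can fill the Security log quickly.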

1 Answer


You may look in the following locations for programs, links and scripts:

rem Machine-wide autostart: the Winlogon shell (should be explorer.exe) and Run/RunOnce/RunOnceEx,
rem including the 32-bit registry view (Wow6432Node) on 64-bit Windows
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /f shell /e
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce"
rem Policy-defined shell replacement, and Session Manager entries processed at boot
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system" /f shell /e
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /f PendingFileRenameOperations /e
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /f ExcludeFromKnownDlls /e
rem Per-user autostart: Run/RunOnce, the legacy Run= and Load= values, and the per-user policy shell
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run /e
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load /e
reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /f shell /e
rem Startup folders (current user, all users, and the pre-Vista all-users path), then msconfig's Startup tab
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
msconfig -4

See also Task Manager's "Start-up" tab (taskmgr.exe).

Endoro
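The answer above gives the autostart locations as a list of separate `reg query` and `dir` commands. The following is an added example, not part of Endoro's answer or the original page: it walks the same registry keys, named values and startup folders from PowerShell and prints one table, and then goes one step beyond the answer's list. The Run keys and startup folders only fire at logon, while the asker's window appears on every network connect; that pattern is typical of a scheduled task with an event trigger, and Windows records network connections as event 10000 in the `Microsoft-Windows-NetworkProfile/Operational` channel, so the script also lists tasks subscribed to that channel. `Userinit` under Winlogon is included as an extra check beyond the answer (it should be `C:\Windows\system32\userinit.exe,`). `Get-ScheduledTask` and `Get-ChildItem -File` need Windows 8 / PowerShell 3 or later, which is this example's assumption; the variable names are its own. Run it elevated so HKLM and every user's tasks are readable.

```powershell
# Added example, not part of the answer above. Enumerates the answer's autostart
# locations plus scheduled tasks triggered by a network-connect event.
# Assumes PowerShell 3+ (Get-ScheduledTask, Get-ChildItem -File); run elevated.

# Keys whose every value is an autostart command.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Individual values that name a program. Expected: Shell = explorer.exe,
# Userinit = C:\Windows\system32\userinit.exe, (trailing comma); anything appended is suspect.
$namedValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';        Names = 'Shell', 'Userinit' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';     Names = 'Shell' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';     Names = 'Shell' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';          Names = 'Run', 'Load' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\Session Manager';              Names = 'PendingFileRenameOperations', 'ExcludeFromKnownDlls' }
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

$found = @()
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($name in $item.GetValueNames()) {
        $found += [pscustomobject]@{ Source = $k; Name = $name; Command = $item.GetValue($name) }
    }
}
foreach ($nv in $namedValues) {
    if (-not (Test-Path $nv.Key)) { continue }
    $item = Get-Item $nv.Key
    foreach ($name in $nv.Names) {
        $v = $item.GetValue($name)             # REG_MULTI_SZ comes back as string[]
        if ($null -ne $v) { $found += [pscustomobject]@{ Source = $nv.Key; Name = $name; Command = ($v -join ' ; ') } }
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem $dir -File)) {
        $found += [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
    }
}

# Beyond the answer's list: tasks whose event trigger subscribes to the
# NetworkProfile channel fire on every connect, which matches the symptom.
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in (Get-ScheduledTask)) {
        foreach ($t in $task.Triggers) {
            $sub = $t.Subscription                 # only MSFT_TaskEventTrigger has this; $null otherwise
            if ($sub -and $sub -match 'NetworkProfile') {
                $cmds = foreach ($a in $task.Actions) { "$($a.Execute) $($a.Arguments)".Trim() }
                $found += [pscustomobject]@{
                    Source  = "Task $($task.TaskPath)$($task.TaskName)"
                    Name    = 'EventTrigger(NetworkProfile)'
                    Command = ($cmds -join ' ; ')
                }
            }
        }
    }
}

$found | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Anything in the table whose Command points at a script, a batch file, or a `cmd.exe /c ...` line is a candidate for the vanishing window; a task row is the one to look at first when the trigger is the network connect itself rather than logon.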