So this one is a bit weird. My new laptop had Windows freshly installed only last week; in addition, I have done zero web browsing on it. Starting today, on every boot cmd.exe tries to make outbound connections to port 80. All the IPs it attempts are hosted within my ISP's network (possibly a CDN, as they are owned by Cloudflare). Here are some of the IPs: 104.16.90.188, 104.16.92.188, 104.16.89.188, 104.16.93.188. This one is in a different block and has an rDNS entry pointing to Comodo: 178.255.83.1. Also, it may possibly be related: the desktop acts weird, although this has been the case since the day of installation. Occasionally all windows will quickly cycle, alternating going on top of each other; this lasts for 1-2 seconds and seems to happen 1-2 times an hour. Is the laptop infected? I might consider giving people access if they want to research it.
Maybe try one of these anti-malware programs to scan the PC: Zemana AntiMalware, HitmanPro, ESET Online Scanner, etc. Another possibility is to boot a rescue disk that can detect and remove malware: Kaspersky Rescue Disk, Avira AntiVir Rescue System, ...
You need to find out what cmd.exe is running. For example, if it is executing something along these lines: start /b regsvr32.exe /s /n /i:"" "C:\Documents and Settings\All Users\Application Data\2308189059\BIT4F.tmp" you probably are infected. -EDIT- Also check your registry "Run" keys for anything present.
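As an added example (not code from this thread or from any of the posters), the two checks in the reply above written out in PowerShell: enumerate the Run/RunOnce autostart values, flag entries that look like the pattern described (a launcher such as regsvr32 or cmd pointing into a temp or ProgramData folder), and list every running cmd.exe with its command line and parent process. It assumes Windows 8.1 with PowerShell 4 or later; the "suspicious" regexes are a heuristic starting point I chose for the example, not a verdict.

```powershell
# Added example, not code from the thread. Enumerates Run/RunOnce autostart
# values, flags launcher-into-temp-folder patterns, and lists live cmd.exe
# processes with their command lines and parents. Assumes PowerShell 4+.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (my choice for this example): script hosts and proxy-execution
# binaries that legitimate autostarts rarely need, combined with locations an
# installer should not be launching persistent code from.
$SuspiciousLauncher = '(?i)\b(regsvr32|rundll32|cmd|wscript|cscript|mshta|powershell)(\.exe)?\b'
$SuspiciousPath     = '(?i)\\(Temp|ProgramData|Application Data|AppData\\Local\\Temp)\\'

function Get-RunKeyEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not a registry value
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = ($cmd -match $SuspiciousLauncher) -and ($cmd -match $SuspiciousPath)
            }
        }
    }
}

function Get-CmdInstance {
    # Every live cmd.exe, what it was started with, and which process started it.
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId   = $proc.ProcessId
            CommandLine = $proc.CommandLine
            ParentId    = $proc.ParentProcessId
            Parent      = if ($parent) { $parent.CommandLine } else { '<parent already exited>' }
        }
    }
}

Get-RunKeyEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
Get-CmdInstance | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and other users' processes are readable. A flagged entry is a reason to look at the file it points to (signature, creation time, what installed it), not proof of infection on its own; the boot-time cmd.exe in this thread may also be too short-lived for Get-CmdInstance to catch, which is why the Autoruns and boot-logging suggestions later in the thread matter.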
How is this possible? Taking into account his comment, I also assume he downloads software from trusted vendors/sites and has the experience/judgement not to use keygens or patches to alter exes.
He has to elaborate on this: "My new laptop had windows freshly installed only last week, in addition I have done zero web browsing on it." Who is the laptop manufacturer? Was the OS factory installed? If not, was the HDD wiped using a top security wiper and then reformatted prior to the OS install? Finally, just because he never did any web browsing does not mean his laptop did not have any Internet connections, e.g. Windows and vendor-installed updates, etc.
You can check for startup entries using: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx I recall being infected twice before I finished installing Windows, because the update that prevented the botnet from being installed was not there.
Exactly. Normally when you install Windows, Windows Firewall is enabled to prevent such attacks, AFAIK. So the question remains how the OP got infected, in case he really got infected, as he hasn't come back and posted his findings.
If I had such a problem I would use Autoruns, as mentioned before, and if I couldn't find out what's going on I would probably run Process Monitor with boot logging and see what's going on.
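As an added example (not code from the thread or from Sysinternals), here are two ways to attribute a boot-time outbound connection to the cmd.exe instance that made it, which is the question the replies above are circling. The first polls the TCP table and resolves the owning process, its command line and its parent; it only sees connections that are alive while it runs, so it has to be started right after logon. The second reads Security events 5156/5157 (connection permitted/blocked by the Windows Filtering Platform), which also cover the pre-logon window but only exist once "Filtering Platform Connection" auditing is enabled. Windows 8.1 with PowerShell 4 or later and an elevated prompt are assumed.

```powershell
# Added example, not the thread's own code. Two ways to attribute an outbound
# connection to a process: live TCP-table polling, and WFP audit events.
# Audit events require auditing to be enabled first, e.g.:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

function Watch-OutboundProcess {
    param(
        [string]$ProcessName = 'cmd.exe',
        [int]$Seconds = 120,
        [int[]]$Ports = @(80, 443)
    )
    $seen = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        # Only connections to the interesting remote ports, in the two states an
        # outbound attempt passes through.
        $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -in $Ports -and $_.State -in 'SynSent', 'Established' }
        foreach ($c in $conns) {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue
            if (-not $proc -or $proc.Name -ne $ProcessName) { continue }
            $id = "$($proc.ProcessId)|$($c.RemoteAddress)|$($c.RemotePort)"
            if ($seen.ContainsKey($id)) { continue }   # report each attempt once
            $seen[$id] = $true
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time        = Get-Date -Format 'HH:mm:ss'
                ProcessId   = $proc.ProcessId
                Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
                State       = $c.State
                CommandLine = $proc.CommandLine
                ParentId    = $proc.ParentProcessId
                Parent      = if ($parent) { $parent.CommandLine } else { '<already exited>' }
            }
        }
        Start-Sleep -Milliseconds 250
    }
}

function Get-FilteringPlatformEvent {
    param(
        [string]$ImageName = 'cmd.exe',
        [int[]]$Ports = @(80, 443),
        [int]$MaxEvents = 5000
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull EventData fields by name. PowerShell hashtables are case-insensitive,
        # so 'ProcessID' in the XML and 'ProcessId' below refer to the same entry.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        # Application is an NT device path, e.g. \device\harddiskvolume2\windows\system32\cmd.exe
        if ($d['Application'] -notlike "*\$ImageName") { continue }
        if ([int]$d['DestPort'] -notin $Ports) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Result      = if ($e.Id -eq 5156) { 'permitted' } else { 'blocked' }
            ProcessId   = $d['ProcessId']
            Application = $d['Application']
            # The rendered message carries "Direction: Outbound"; the raw field is a resource id.
            Direction   = if ($e.Message -match 'Direction:\s+(\S+)') { $Matches[1] } else { $d['Direction'] }
            Destination = "$($d['DestAddress']):$($d['DestPort'])"
            Protocol    = $d['Protocol']
        }
    }
}

# Usage:
#   Watch-OutboundProcess -Seconds 180 | Format-Table -AutoSize
#   Get-FilteringPlatformEvent | Sort-Object Time | Format-Table -AutoSize
```

With a default-deny outbound firewall like the one described later in this thread, a blocked connect attempt is refused before it ever reaches the TCP table, so the polling function will usually see nothing; the 5157 events are the reliable record in that setup, and they give the process id that Autoruns or Process Monitor boot logging can then be matched against.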
Sorry guys, I have been diagnosing issues on my desktop that cropped up around the same time. The weird window behaviour started happening on my desktop as well, and I have been working on it for a couple of days, rolling back updates 5 at a time (70 total) to see if an update caused it, and it did not. However, I have found the cause of the flickering windows (this applies to my laptop as well). There is a registry setting to detect hung apps; I don't know what the default value is (could be null), but I used it for a long time on Windows 7 without such issues and it was applied on my new laptop (and on my desktop starting 2 days ago, Win 8.1 both). This was causing app windows to momentarily show "not responding" and it caused issues like loss of focus, flickering etc. So the good news is the weird desktop behaviour is not malware related. However, I still get cmd.exe begging for internet access on bootup on my laptop when HMPA is not protecting the cmd.exe process; when HMPA is protecting it, it doesn't occur. For now the laptop is disconnected from any network and anything on it of security value has been made stale (changed SSH keys etc.).

I can confirm the following. No internet web browsing. Anything I needed, installers, drivers etc., was already downloaded. Lenovo software was downloaded on my desktop. No pirated software, keygens etc. Software installed is what I believe to be trusted and have used for a long time, with the exception of the following. GWX Control Panel, which I had installed for the first time ever; no one is complaining about it on the net, but it was new on the laptop. Lenovo utilities; these were downloaded directly from Lenovo's site. All scans come up as clean.

The security setup is as follows.
No HIPS.
SRP, which has locked down temp folders, ProgramData, user profile folders including the public user, and has some certificate-based exceptions for vendors such as SurfRight and Microsoft.
Avast using hardened aggressive mode (I know it has recently been discovered that this falls back to a blacklist rather than whitelist mode when there is no internet connectivity).
HMPA.
Windows Firewall with a default deny policy both ways. dllhost and runonce both have no internet access; svchost does on ports 80 and 443.
Various hardening stuff has been done to the OS which would be a lot to list here.
No Comodo installed.
Finally, an sfc scan is clean.
Talking about Lenovo, you might find this interesting: http://news.softpedia.com/news/leno...-come-with-pre-installed-spyware-492719.shtml
Anything preinstalled is gone; it came with Windows 10 preinstalled, that HDD was removed, an SSD put in and Windows installed afresh. I never keep OEM installations. It turns out that the Lenovo utility I installed added no GUI app; all it seemed to do was enable the airplane function key to work. All other function keys work without it, so when I reinstall Windows I won't reinstall any Lenovo software.
Would that get rid of Lenovo's supposed "rootkit"? http://www.zdnet.com/article/lenovo-rootkit-ensured-its-software-could-not-be-deleted/
Thanks, I have an IdeaPad 305 which isn't listed, but regardless I will research some more into that LSE BIOS.
Did you check your HMPA logs and determine if cmd.exe is blocked? If so, what details are associated with the cmd.exe entry in the log? As Minimialist suggested, did you install Autoruns and look for anything starting up at boot time with cmd.exe?
Yep, I checked Autoruns first thing; I couldn't see anything unusual. I will check the HMPA logs. I have spent pretty much no time on this since I made the original post, as things suddenly got busy at my end and with the issue on my desktop.
It's damn hot here and I am tired, but before some chill-out time I have just spent some more time on the laptop. runonce is begging to access anycast1.cachefly.net (seems also Comodo affiliated), 93.184.220.29. Just installed Zemana and ran a deep scan: clean. Damn, this software is pretty fast at scans.
I wiped the OS and reinstalled it, then up comes the popup again on the first reboot after I enabled Windows Firewall Notifier. Wiped the OS a second time and reinstalled, but this time installed one driver at a time, and it started popping up after I installed the Synaptics touchpad driver. This driver was downloaded from Lenovo and is branded by them. I found a driver that isn't branded by them and the prompts stopped, so it seems Lenovo added some type of spyware to their branded Synaptics driver. I don't know how they made cmd.exe itself do the network request though; that to me is very odd.
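As an added example (not the poster's own code), the "one driver at a time" bisection above made repeatable: snapshot the autostart surface (services, scheduled tasks, Run/RunOnce values, and the driver store) before and after installing a single package, then diff the two snapshots to see exactly what the package registered. It assumes Windows 8.1 with PowerShell 4 or later and an elevated prompt; the snapshot file paths are illustrative.

```powershell
# Added example, not the thread's own code. Snapshot the autostart surface,
# install one driver package, snapshot again, and diff. Assumes PowerShell 4+
# and an elevated prompt (Get-WindowsDriver and Win32_Service need it).

function Get-AutostartSnapshot {
    $items = New-Object System.Collections.Generic.List[string]

    # Services: name, start mode and the binary path they run
    Get-CimInstance Win32_Service | ForEach-Object {
        $items.Add("service|$($_.Name)|$($_.StartMode)|$($_.PathName)")
    }

    # Scheduled tasks: every action's executable and arguments
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $items.Add("task|$($task.TaskPath)$($task.TaskName)|$($a.Execute) $($a.Arguments)")
        }
    }

    # Run / RunOnce values for the machine and the current user
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (Test-Path $key) {
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $items.Add("run|$key|$($_.Name)|$($_.Value)") }
        }
    }

    # Third-party driver packages currently in the driver store
    Get-WindowsDriver -Online | ForEach-Object {
        $items.Add("driver|$($_.Driver)|$($_.ProviderName)|$($_.ClassName)|$($_.Version)")
    }

    return $items | Sort-Object -Unique
}

function Compare-AutostartSnapshot {
    param([string]$Before, [string]$After)
    Compare-Object -ReferenceObject (Get-Content $Before) -DifferenceObject (Get-Content $After) |
        ForEach-Object {
            [pscustomobject]@{
                Change = if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' }
                Entry  = $_.InputObject
            }
        }
}

# Usage (paths are illustrative):
#   Get-AutostartSnapshot | Set-Content C:\snap\before.txt
#   ... install the one driver package under test and reboot ...
#   Get-AutostartSnapshot | Set-Content C:\snap\after.txt
#   Compare-AutostartSnapshot -Before C:\snap\before.txt -After C:\snap\after.txt | Format-Table -Wrap
```

Taking the "after" snapshot only after a reboot matters, because the boot-time behaviour in this thread is what is being bisected: a package can register a service, task or RunOnce value that only fires on the next start. Anything that shows up as "added" is the candidate to examine, and a vendor-branded driver package that adds an autostart entry unrelated to the device it drives is the kind of finding the post above describes.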