weird behaviour from cmd.exe on startup

Discussion in 'other software & services' started by chrcol, May 5, 2016.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    So this one is a bit weird.

    My new laptop had windows freshly installed only last week, in addition I have done zero web browsing on it.

    Starting today on every boot cmd.exe tries to make outbound connections to port 80.

    All the ip's it attempts are hosted within my isp's network. (possibly CDN, as owned by cloudflare).

    here is some ip's

    104.16.90.188
    104.16,92.188
    104.16.89.188
    104.16.93.188

    This one is in a different block and has a rdns, pointing to comodo.

    178.255.83.1

    Also it may possibly be related, the desktop acts weird although this has been since the day of installation, occasionally all windows will quickly cycle alternating going on top of each other, this lasts for 1-2 seconds and seems to happen 1-2 times an hour.

    Laptop is infected?

    I might consider giving people access if they want to research.
     
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
  3. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    879
    Maybe try one of these Antimalware programs to scan the PC.
    Zemana Anti-Malware, HitmanPro, ESET Online Scanner, etc.
    Another possibility is to boot a Rescue Disk that can detect and remove malware:
    Kaspersky Rescue Disk, Avira AntiVir Rescue System, ...
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    You need to find out what cmd.exe is running. For example if it is executing something along these lines:

    start /b regsvr32.exe /s /n /i:"" "C:\Documents and Settings\All Users\Application Data\2308189059\BIT4F.tmp"

    you probably are infected.

    -EDIT-

    Also check your registry "run" keys for anything present.
     
  5. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,765
    Location:
    Mexico
    How is this possible? Taking into account his comment:
    I also assume he downloads software from trusted vendors/sites and have the experience/judgement to not use keygens or patches to alter exes.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    He has to elaborate on this: "My new laptop had windows freshly installed only last week, in addition I have done zero web browsing on it."

    Who is the laptop manufacturer? Was the OS factory installed? If not, was the HDD wiped using a top security wiper and then reformatted prior to OS install? Finally, just because he never did any web browsing does not mean his laptop did not have any Internet connections e.g. Win and vendor installed updates, etc..
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Also, do you have anything Comodo based installed?
     
  8. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    You can check for startup entries using: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    I recall being infected twice before I finished installing Windows, because the update, which prevented botnet from being installed, was not there.
     
  9. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,765
    Location:
    Mexico
    What OS and which update?
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    Would that be Sasser worm before Windows XP enabled Windows firewall with SP2?
     
  11. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,765
    Location:
    Mexico
    Exactly. Normally when you install Windows, Windows Firewall is enabled to prevent such attacks, afaik. So it remains why the OP got infected, in case he really got infected as he hasn't come back and post his findings.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,067
    If I would have such problem I would use Autoruns as mentioned before and if I wouldn't find out what's going on I would probably run Process monitor with boot logging and see what's going on.
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    sorry guys I have been diagnosing issues on my desktop that cropped up around the same time. The weird window behaviour started happening on my desktop as well and I have been working on it for a couple of days, rolling back updates 5 at a time (70 total) to see if an update caused it and it did not.

    However I have found the cause of the flickering windows. (this applies to my laptop as well).

    There is a registry setting to detect hung apps, I dont know what the default value is (could be null), but I used it for a long time on windows 7 without such issues and it was applied on my new laptop (and my desktop starting 2 days ago win8.1 both), this was causing app windows to momentarily show not responding and it caused issues like loss of focus, flickering etc. So the good news is the weird desktop behaviour is not malware related.

    However I still get the cmd.exe begging for internet access on bootup on my laptop when HMPA is not protecting cmd.exe process, when HMPA is protecting it, it doesnt occur.

    For now the laptop is disconnected from any network and anything on it of security value has been made stale (changed ssh keys etc.).

    I can confirm the following.

    No internet web browsing. Anything I needed, installers, drivers etc. was already downloaded. Lenova software was downloaded on my desktop.
    No pirated software, keygen's etc.
    Software installed is what I believe to be trusted and I used for a long time, with the exception of the following.

    GWX control panel I had installed as a first time ever, no one is complaining about it on the net, but was new on the laptop.
    Lenova utilities. These were downloaded directly from lenova's site.

    All scan's come up as clean.

    The security setup is as follows.

    No HIPS
    SRP which has locked down temp folders, programdata, user profile folders including public user, and has some certificate based exceptions for vendors such as surfright and microsoft.
    Avast using hardened aggressive mode I know recently it has been discovered this falls back to a blacklist not whitelist mode when no internet connectivity.
    HMPA
    Windows firewall with default deny policy both ways. dllhost and runonce both have no internet access. svchost does on ports 80,443
    Various hardening stuff has been done to the OS which would be a lot to list here.

    No comodo installed.

    finally sfc scan is clean.
     
    Last edited: May 9, 2016
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    anything preinstalled is gone, it came with windows 10 preinstalled, that hdd was removed, ssd put in and windows installed a fresh. I never keep OEM installations :)

    Turns out that lenova utility i installed added no gui app, all it seemed to do was enable the airplane function key to work, all other function keys work without it so when i reinstall windows I wont reinstall any lenova software.
     
  16. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    359
    Would that get rid of Lenovo's supposed "rootkit"?
    http://www.zdnet.com/article/lenovo-rootkit-ensured-its-software-could-not-be-deleted/
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    thanks, I have an ideapad 305 which isnt listed, but regardless will research some more into that LSE bios.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Did you check your HMPA logs and determine if cmd.exe is blocked? If so, what details are associated with the cmd.exe entry in the log?

    As Minimialist suggested, did you install Autoruns and look for anything starting up at boot time with cmd.exe?
     
  19. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    yep I checked autoruns first thing, I couldnt see anything unusual.

    I will check HMPA logs.

    I have spent pretty much no time on this since I made the original post, as things suddenly got busy my end and with the issue on my desktop.
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    its damn hot here and am tired, but before some chill out time I have just spent some more time on the laptop.

    runonce begging to access -
    anycast1.cachefly.net (seems also comodo affiliated)
    93.184.220.29

    Just installed zemana and ran a deep scan, clean. Damn this software is pretty fast at scans.
     
  21. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    765
    Location:
    UK
    I wiped the OS and reinstalled it, then up comes again the popup on the first reboot after I enabled windows firewall notifier.

    Wiped the OS a second time and reinstalled but this time installed one driver at a time, and it started popping up after I installed synaptics touchpad driver. This driver was downloaded from lenova and is branded by them. I found a driver that isnt branded by them and the prompts stopped, so seems lenova added some type of spyware to their branded synaptics driver. I dont know how they made cmd.exe itself do the network request tho, that to me is very odd.
     
Loading...