Unknown causing cmd.exe to launch with suspicious cmd call


Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Fri Jan 16, 2015 4:36 pm

one of those reg keys I AXED above must have done the trick....

no cmd window popup this boot (I slept all day).. O_o O_O :lol: 8) :D



Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6c,00,6c,\
  00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2f,00,50,00,72,00,\
  6f,00,63,00,65,00,73,00,73,00,69,00,64,00,3a,00,7b,00,30,00,32,00,44,00,34,\
  00,42,00,33,00,46,00,31,00,2d,00,46,00,44,00,38,00,38,00,2d,00,31,00,31,00,\
  44,00,31,00,2d,00,39,00,36,00,30,00,44,00,2d,00,30,00,30,00,38,00,30,00,35,\
  00,46,00,43,00,37,00,39,00,32,00,33,00,35,00,7d,00,00,00

Hex to ASCII got this:
C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

img path was in hex.. possible this is why I couldn't search for the cmd string.... or maybe it was in binary.
(PC Specs)
CPU: AMD FX-9590 4.7GHz 8-core
CPU Instructions: MMX(+), SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4A, x86-64, AMD-V, AES, AVX, XOP, FMA3, FMA4
Motherboard: Asus SABERTOOTH 990FX R2.0
GPU: nVidia GTX 750Ti SC 2GB
GFX Drivers: Nvidia v387.92
OS: Windows 7 Ultimate 64-bit SP1
RAM: 16GB Kingston 1866MHz DDR3
joe_devore
Green Belt
Posts: 209
Joined: Tue Apr 15, 2003 12:56 pm
Location: Dover, NH USA
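
Worked example, added by the editor and not code from this thread or from any tool the posters used: the "Hex to ASCII" step above done programmatically. A `.reg` export stores REG_EXPAND_SZ (`hex(2)`) and REG_MULTI_SZ (`hex(7)`) values as comma-separated UTF-16LE bytes wrapped onto continuation lines ending in a backslash, which is exactly why a plain text search for "cmd" or "dllhost" never matches them. The script below joins those lines, decodes each value by its type tag, and then checks the decoded ImagePath values for interpreter names. The export embedded as input is the COMSysApp key quoted in the post; the `SUSPECT_TOKENS` list is an assumption of mine, not something the thread specifies. Decoding before deleting lets you compare a value against a known-good machine: the decoded string here is the stock ImagePath of the COM+ System Application service.

```python
import re

# Constructed input: the COMSysApp key export quoted in the post above.
# A .reg file read from disk is UTF-16LE with a BOM, so use
# open(path, encoding="utf-16") and hand the resulting text to parse_reg().
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6c,00,6c,\
  00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2f,00,50,00,72,00,\
  6f,00,63,00,65,00,73,00,73,00,69,00,64,00,3a,00,7b,00,30,00,32,00,44,00,34,\
  00,42,00,33,00,46,00,31,00,2d,00,46,00,44,00,38,00,38,00,2d,00,31,00,31,00,\
  44,00,31,00,2d,00,39,00,36,00,30,00,44,00,2d,00,30,00,30,00,38,00,30,00,35,\
  00,46,00,43,00,37,00,39,00,32,00,33,00,35,00,7d,00,00,00
"""

# Assumed triage list (editor's choice): interpreters and living-off-the-land
# binaries that deserve a second look when they appear in a service ImagePath.
SUSPECT_TOKENS = ("cmd.exe", "regsvr32", "rundll32", "wscript", "powershell")

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<kind>dword|hex\(\d+\)|hex):(?P<data>.*)$')
STRING_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _join_continuations(text):
    """Merge lines ending in a backslash (regedit's hex line wrapping) into one line."""
    merged, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        buf += line
        if buf:
            merged.append(buf)
        buf = ""
    if buf:
        merged.append(buf)
    return merged


def _decode(kind, data):
    """Decode one value according to its .reg type tag."""
    if kind == "dword":
        return int(data, 16)
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    if kind in ("hex(1)", "hex(2)"):      # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return raw.decode("utf-16-le").rstrip("\x00")
    if kind == "hex(7)":                  # REG_MULTI_SZ: NUL-separated, double-NUL-terminated
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw                            # hex / hex(3) and other binary types: keep bytes


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line) or STRING_RE.match(line)
        if m is None:
            continue
        kind = m.groupdict().get("kind")  # STRING_RE has no 'kind' group
        if kind is None:
            # Quoted REG_SZ: undo regedit's escaping of backslashes and quotes.
            keys[current][m["name"]] = m["data"].replace("\\\\", "\\").replace('\\"', '"')
        else:
            keys[current][m["name"]] = _decode(kind, m["data"])
    return keys


def flag_image_paths(keys, tokens=SUSPECT_TOKENS):
    """Return {key_path: ImagePath} for every decoded ImagePath mentioning a suspect token."""
    flagged = {}
    for key, values in keys.items():
        path = values.get("ImagePath")
        if isinstance(path, str) and any(t in path.lower() for t in tokens):
            flagged[key] = path
    return flagged


if __name__ == "__main__":
    parsed = parse_reg(REG_EXPORT)
    for key, values in parsed.items():
        print(key)
        for name, value in values.items():
            print(f"  {name} = {value!r}")
    print("flagged:", flag_image_paths(parsed))
```

Run it against a full `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` dump and every service's command line comes out as readable text in one pass, so the comparison with a clean install becomes a diff rather than a hunt through hex.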

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby Karlsweldt » Fri Jan 16, 2015 5:45 pm

After all that work and gray hairs, hope it is fixed!
Was looking at the specs of your motherboard.. http://www.asus.com/Motherboards/P5NSLI/
And the only feature that may be involved is the auto-sense for LAN connections, to check if they are good..
AI NET 2
ASUS AI NET2 remotely detects cable connection the second you turn on the system, and any faulty connections are reported back up to 100 meters at 1 meter accuracy.
F@H.. to solve mankind's maladies.. in our lifetimes!
Karlsweldt
Mobo-fu Master
Posts: 20659
Joined: Wed Nov 12, 2003 11:57 am
Location: 07438

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Fri Jan 16, 2015 6:28 pm

Karlsweldt wrote:
After all that work and gray hairs, hope it is fixed!
Was looking at the specs of your motherboard.. http://www.asus.com/Motherboards/P5NSLI/
And the only feature that may be involved is the auto-sense for LAN connections, to check if they are good..
AI NET 2
ASUS AI NET2 remotely detects cable connection the second you turn on the system, and any faulty connections are reported back up to 100 meters at 1 meter accuracy.

lol yah i know that feature, but I leave the AI mode disabled...
it does look like it checks the cable when I go into that area of the bios though....

as far as AI NET loading with windows... I don't know of any such feature existing outside of the BIOS...

I did notice something bizarre, my pagefile.sys usually sat nearer the middle of the HDD.... but today I found it towards the end of the HDD O_O...

its size is as I set it.. 6141MB (or at least that's what Windows recommended for WinXP 64bit w/ 4GB of RAM lol ;D )

It's one of the first things I do when doing a clean install of Windows: set the pagefile to a fixed size. This prevents fragmentation,
because the page file is NOT easily defragmented....


Eyy Karl, Evasive, thx for your help/time, maybe I'll stop by again some time lol ;D...

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby evasive » Sun Jan 18, 2015 10:40 pm

http://support.microsoft.com/kb/916254/en-us
Seems to be related to this system going in or out of a Windows domain when SP2 was still installed.

I am quite thankful for your perseverance, you may help other people with the same or a similar issue greatly.
We hate rut, but we fear change.
********************************
System error, strike any user to continue...
evasive
Mobo-fu Master
Posts: 37389
Joined: Sun May 06, 2001 12:01 am
Location: Netherlands

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Sun Jan 18, 2015 11:03 pm

evasive wrote:
http://support.microsoft.com/kb/916254/en-us
Seems to be related to this system going in or out of a Windows domain when SP2 was still installed.

I am quite thankful for your perseverance, you may help other people with the same or a similar issue greatly.

You misunderstand, maybe, on the SP2 bit.
Back mid December, I bought off of eBay ($65+S&H, so around $80)

Windows XP Professional 64bit SP2 (uses the Server 2003 kernel or at least so I read/heard)

upgrading from 32bit (SP3) to 64bit (SP2)

so I could finally make use of the full potential of this old LAN center's gaming rig.

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby evasive » Sun Jan 18, 2015 11:15 pm

I am merely reporting what Microsoft is giving as possible cause related to the registry key you changed.

HOW it actually got fubar'd is beyond me, I am just glad you found it :)

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 19, 2015 1:39 am

thx for all your help over the years ^_^.

I'm starting a new thread over a crypt32 issue and Root cert cab update fails

well at least I will when it gets logged to the event viewer again....

I kinda went and cleared it out so I could see more clearly the next time anything logged...

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby evasive » Mon Jan 19, 2015 5:21 am


Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Mon Jan 19, 2015 7:26 am

.... I had already tried that one back in December when I was first installing all the updates....

Re: Unknown causing cmd.exe to launch with suspicious cmd c

Postby joe_devore » Wed Jan 28, 2015 6:17 pm

I FOUND something new to add....

while doing a defrag with Defraggler I noticed these two files located in this folder:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader
- qmgr0.dat
- qmgr1.dat

doing a search with Process Explorer, I turned up one service using them

BITS (Background Intelligent Transfer Service)

when I opened the two files to examine them I found this!!
Code:
C:\Documents and Settings\All Users\Application Data\1837308050

"cmd.exe" /c start /b /min for /F %i in ('dir /b /a:h-d /w "C:\Documents and Settings\All Users\Application Data\1837308050\*"') do start /b regsvr32.exe /s /n /i:"/64 QV0RLkDNJMohCCDWYSLNtdRXIPOZUAogex4Cn5ppPJig1KKm3 " "C:\Documents and Settings\All Users\Application Data\1837308050\%i"


It's no wonder my basic Windows searches didn't turn it up...
it couldn't search UTF-16..

I had to stop BITS, but once I did, I deleted those two files
and restarted BITS; two NEW and CLEAN files were generated. ^_^

Since these two files DID not show up in searches, I will submit them to whoever I can; if anyone knows some, please let me know =D
Attachment: BITS's [qmgr0.dat & qmgr1.dat] FILES [16bit_UTF File Encoding].rar
BITS (Background Intelligent Transfer Service) FILES
- qmgr0.dat
- qmgr1.dat

They are detected as ANSI file encoding but they are really
- UNICODE (16bit UTF little-endian)
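
Worked example, added by the editor and not code from the thread: the reason the find above took a defragmenter and a hex view is that the BITS queue files store their job command lines as UTF-16LE, so a byte-wise search for the 8-bit string "cmd.exe" never matches (every other byte is a NUL). The script below does what `strings -e l` does for binary files: it pulls out printable runs in both ASCII and UTF-16LE, records the offset and encoding of each, and checks them against an indicator list. The blob it scans is constructed here (non-printable padding, an unrelated UTF-16 string, a command line in the style of the one quoted above with the `regsvr32 /i:` argument replaced by a placeholder, and an ASCII trailer); it is not the content of the poster's files, and the `INDICATORS` list is the editor's assumption. `scan_file()` applies the same logic to a real file such as `qmgr0.dat`.

```python
import re

# Constructed sample: shaped like the command line quoted in the post, with the
# regsvr32 /i: argument replaced by a placeholder. It is embedded only so the scan
# has something to find; it is not taken from the poster's qmgr*.dat files.
SAMPLE_COMMAND = (
    '"cmd.exe" /c start /b /min for /F %i in (\'dir /b /a:h-d /w '
    '"C:\\Documents and Settings\\All Users\\Application Data\\1837308050\\*"\') '
    'do start /b regsvr32.exe /s /n /i:"/64 PLACEHOLDER_ARGUMENT" '
    '"C:\\Documents and Settings\\All Users\\Application Data\\1837308050\\%i"'
)

# Constructed stand-in for a queue file: 64 non-printable bytes, an unrelated
# UTF-16LE string, the command stored as UTF-16LE, and a plain ASCII run for contrast.
SAMPLE_BLOB = (
    bytes(range(16)) * 4
    + "constructed job name".encode("utf-16-le")
    + b"\x00" * 8
    + SAMPLE_COMMAND.encode("utf-16-le")
    + b"\x00\x00"
    + b"constructed ascii trailer"
)

# Assumed indicator list (editor's choice); extend it with what your own triage turned up.
INDICATORS = ("cmd.exe", "regsvr32", "/c start", "Application Data\\1837308050")


def extract_strings(data, min_len=6):
    """Return sorted (offset, encoding, text) for printable runs in ASCII and UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def naive_ascii_search(data, needle):
    """What a byte-wise 8-bit search does: look for the ASCII encoding only."""
    return needle.encode("ascii") in data


def find_indicators(data, indicators=INDICATORS):
    """Match every extracted string (either encoding) against the indicator list."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        lowered = text.lower()
        for needle in indicators:
            if needle.lower() in lowered:
                hits.append({"offset": offset, "encoding": encoding,
                             "indicator": needle, "text": text})
    return hits


def scan_file(path, indicators=INDICATORS):
    """Read a file such as qmgr0.dat and report indicator hits with offset and encoding."""
    with open(path, "rb") as fh:
        return find_indicators(fh.read(), indicators)


if __name__ == "__main__":
    print("8-bit search finds cmd.exe:", naive_ascii_search(SAMPLE_BLOB, "cmd.exe"))
    for hit in find_indicators(SAMPLE_BLOB):
        print(f"{hit['offset']:#06x} {hit['encoding']:8} {hit['indicator']!r} "
              f"in {hit['text'][:60]!r}")
```

The offset and encoding in each hit are what you want to keep with a sample you submit: they say where in the file the command line sits and why a search that only knows 8-bit text walked past it.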
