Command prompt windows appear after I log in

Topic

New Reply

I’m a Windows 10 Pro (1903. Build 18362.239) x64 user on a HP desktop.  I started up my computer and logged into my account a few weeks back and a few black command prompt windows quickly appeared and disappeared on my desktop. I ran Autoruns and Process Monitor to try to determine what happened, but wasn’t sure how to interpret the results.  There were some yellow and pink highlighted items in Autoruns that seemed odd to me, but also didn’t have any obvious connection to the command prompt windows.

This happened again when I logged into my admin account and also happened again several days later when I logged into my regular account. The only changes that I made on my computer were uninstalling Avast and Adobe Flash.  Now that my schedule has finally freed up, I was hoping someone here could help me to figure out what happened.  I still have the Autoruns log if that would help.

Reply | Quote

Replies

It sounds like a script ran. autoexe.bat for instance, but I thought those were a Win7 thing.

We have had a thread where someone was looking for VBscript help to stop the “blink” Cmd window from appearing when the script ran at startup. Not sure if it’s the same problem though, just a thought.

1 user thanked author for this post.

crimsoncricket

Reply | Quote

Bluetrix wrote:

It sounds like a script ran. autoexe.bat for instance, but I thought those were a Win7 thing.

We have had a thread where someone was looking for VBscript help to stop the “blink” Cmd window from appearing when the script ran at startup. Not sure if it’s the same problem though, just a thought.

I did upgrade from Windows 7, so you could be onto something here.  Especially since an error window about OnDrive.exe failing to run appeared when I logged into my admin account earlier.

Reply | Quote

You may have a virus/malware.. running.
Run a thorough check of your system.

1 user thanked author for this post.

crimsoncricket

Reply | Quote

crimsoncricket wrote:

There were some yellow and pink highlighted items in Autoruns that seemed odd to me

This is normal. Yellow just means that an expected item couldn’t be found. This can happen with badly-written uninstallers that remove files but leave the ‘run’ call. Pink indicates unsigned entries or entries missing publisher information.

If you still have the saved .ARN file then by all means attach it for someone to have a look at. (You’ll very probably need to ZIP it… I don’t think .ARN is an approved filetype for uploading.)

Do you have any HP bloatware installed? I’ve noticed that their scheduled tasks sometimes use DOS-type commands (like wget) to download version info to check if the bloatware is up-to-date.

Hope this helps…

1 user thanked author for this post.

crimsoncricket

Reply | Quote

Rick Corbett wrote:

crimsoncricket wrote:

There were some yellow and pink highlighted items in Autoruns that seemed odd to me

This is normal. Yellow just means that an expected item couldn’t be found. This can happen with badly-written uninstallers that remove files but leave the ‘run’ call. Pink indicates unsigned entries or entries missing publisher information.

If you still have the saved .ARN file then by all means attach it for someone to have a look at. (You’ll very probably need to ZIP it… I don’t think .ARN is an approved filetype for uploading.)

Do you have any HP bloatware installed? I’ve noticed that their scheduled tasks sometimes use DOS-type commands (like wget) to download version info to check if the bloatware is up-to-date.

Hope this helps…

Thanks for clearing that up.  I’m having trouble getting the .ARN files to open, so I’m going to tackle that sometime over the next day or so.  Worst case scenario is that I’ll have to run Autoruns again and take some screenshots.

As for your other question, I might still have some HP bloatware (but it seems to be eclipsed by all of Windows 10’s bloatware).

Reply | Quote

I run Windows Defender on my Win 10 laptop, and every time it gets signature updates I see a command prompt window flash up on the screen.

Windows 10 Pro 22H2

1 user thanked author for this post.

crimsoncricket

Reply | Quote

Alex5723 wrote:

You may have a virus/malware.. running.
Run a thorough check of your system.

I’ve only run Windows Security so far, but it looks like I’m clean.  I’ll update if I find anything using other tools.

Reply | Quote

For peace of mind, I would also suggest getting Malwarebytes free edition and running an on-demand malware scan. This is my first, second opinion scanner.  The download includes a 14-day premium trial, which you can turn off at any time, thus reverting early to the free edition. The premium adds real-time support. https://www.malwarebytes.com/premium/

I also use the free Emsisoft Emergency Kit scanner as another second opinion malware scanner. It is totally portable, no installation required! https://www.emsisoft.com/en/home/emergencykit/

Emsisoft Emergency Kit is a free portable antivirus that you can use as a secondary scanner or to disinfect PCs

https://www.ghacks.net/2019/07/26/emsisoft-emergency-kit-free-portable-antivirus/

Windows 10 Pro 22H2

1 user thanked author for this post.

crimsoncricket

Reply | Quote

JohnW wrote:

For peace of mind, I would also suggest getting Malwarebytes free edition and running an on-demand malware scan. This is my first, second opinion scanner.  The download includes a 14-day premium trial, which you can turn off at any time, thus reverting early to the free edition. The premium adds real-time support. https://www.malwarebytes.com/premium/

I also use the free Emsisoft Emergency Kit scanner as another second opinion malware scanner. It is totally portable, no installation required! https://www.emsisoft.com/en/home/emergencykit/

Emsisoft Emergency Kit is a free portable antivirus that you can use as a secondary scanner or to disinfect PCs

https://www.ghacks.net/2019/07/26/emsisoft-emergency-kit-free-portable-antivirus/

Thanks for the advice!  I was all clear with Malwarebytes but Emsisoft failed to run due to a “Failed to create bin64/epp.sys” error message.  Do you have any advice on resolving that?

Reply | Quote

The command prompts appeared again.  Although they vanished too quickly for me to get a screenshot, I did notice how they mentioned “System32.”  I’m attaching two zipped Autoruns logs in the hope that someone can help me figure out what’s going on.  I can also post the results of my Rkill scan if anyone thinks it’ll help.

Reply | Quote

I’d disable SuperAntiSpyware and test.

cheers, Paul

p.s. The reviews I’ve seen don’t rate it well.

1 user thanked author for this post.

crimsoncricket

Reply | Quote

Paul T wrote:

I’d disable SuperAntiSpyware and test.

cheers, Paul

p.s. The reviews I’ve seen don’t rate it well.

I only use SuperAntiSpyware free edition, which doesn’t have any real-time protection to disable.  Do you mean I should uncheck “Run in the background (system tray)” and “Start SuperAntiSpyware with Windows” prior to running Emsisoft?

Reply | Quote

I bought the paid edition of SuperAntiSpyware more than 10+ years ago.

Don’t even have it installed anymore, as there are apparently better products available now. So haven’t any current experience with it to comment on it.

I Googled your error with Emsisoft Emergency Kit and apparently there is sometimes an issue with the EEK folder at: “C:\EEK”, or “C:\Program Files (x86)\EEK”, or whatever location it was directed to at run time.

Try deleting that folder if it exists, and try again.

Download: If you don’t have the Emsisoft Emergency Kit yet, download it here. It’s free for private use and it’s fully portable, which means no installation is required. The download package just unpacks to “C:EEK” or any other destination of your choice and place a shortcut on your Desktop.

Note: If you don’t need the software anymore, just delete the whole folder and the shortcut at any time.

How to find and clean malware infections with Emsisoft Emergency Kit

https://blog.emsisoft.com/en/16796/how-to-find-and-clean-malware-infections-with-emsisoft-emergency-kit-2/#download

Dual malware scanner engines – EMSI + Bitdefender

https://blog.emsisoft.com/en/17657/an-in-depth-look-at-the-emsisoft-scanner-technology/

Windows 10 Pro 22H2

Reply | Quote

@crimsoncricket – I’ve just had a look at your autorunsfeb82020 – Copy.arn file and you have a whole bunch of programs (including services and scheduled tasks) that could be the cause of command prompt windows appearing as they carry out checks and updates.

However you mention that the issue began after you had uninstalled Avast and Adobe Flash. If you type Avast into Autoruns’ Filter box it will show you that Avast has not removed a Scheduled Task for its SafeZone browser:

I wonder if one of the command prompt windows is a warning that the task has run but cannot find the launcher file? To check, remove the tick from the checkbox and restart.

Next, before investigating other scheduled tasks and services, in Autoruns just remove the tick marks against the 8 programs that run automatically from the registry then restart the PC:

This is just a quick check to see if the command windows continue to pop up. Once you’re restarted the PC, put the 8 ticks back into the checkboxes and report back.

(Was this PC updated from Windows 8? The first ARN file I looked at showed stuff that I hadn’t seen before.)

Hope this helps…

Reply | Quote

JohnW wrote:

If you don’t have the Emsisoft Emergency Kit yet, download it here

Thanks, Emsisoft says I’m all clear!

Reply | Quote

Rick Corbett wrote:

@crimsoncricket – I’ve just had a look at your autorunsfeb82020 – Copy.arn file and you have a whole bunch of programs (including services and scheduled tasks) that could be the cause of command prompt windows appearing as they carry out checks and updates.

However you mention that the issue began after you had uninstalled Avast and Adobe Flash. If you type Avast into Autoruns’ Filter box it will show you that Avast has not removed a Scheduled Task for its SafeZone browser:

I wonder if one of the command prompt windows is a warning that the task has run but cannot find the launcher file? To check, remove the tick from the checkbox and restart.

Next, before investigating other scheduled tasks and services, in Autoruns just remove the tick marks against the 8 programs that run automatically from the registry then restart the PC:

This is just a quick check to see if the command windows continue to pop up. Once you’re restarted the PC, put the 8 ticks back into the checkboxes and report back.

(Was this PC updated from Windows 8? The first ARN file I looked at showed stuff that I hadn’t seen before.)

Hope this helps…

I’ve tried to post this two times without success, hopefully third time’s the charm:

Thanks!  I didn’t see any command prompts after following your instructions.  But since the command prompts only randomly appear at startup and not every time, I’m not sure that one of those services is the culprit.  Especially since the Windows Defender entry didn’t appear in Autoruns this time when I was unchecking stuff!

I’ve never had Windows 8.  What was the stuff you didn’t recognize?  Perhaps the Windows Defender file is a holdover from when I had the standalone tool of that name installed on Windows 7?  I think one of the .ARN files was generated in my regular account and the other was from my admin account.  I have some screenshots of another Autoruns scan in did in my admin account that had some differences from the .ARN files.  There’s also an interesting rkill scan log from my regular account that could potentially be of use due to its “Checking Windows Service Integrity” results.  Do you want me to post them?

Reply | Quote

It’s good you haven’t seen the popups since. It more or less confirms that they were caused by one of the autostarting programs that are run from the registry rather than a scheduled task or service.

Delete the autorun entry for the Avast Safe Browser then start putting the ticks back in the checkboxes – just a couple at a time and test for a few days – to see if/when the popups return. This is to try to narrow down which of the autostarting programs cause the popups.

If you’ve never had Windows 8 then it must have a leftover from the standalone version of Defender. I don’t think there’s much reason to see any further .ARN files but I’m happy to have a look at the rkill scan log if you want to attach it.

Hope this helps…

Reply | Quote

Rick Corbett wrote:

It’s good you haven’t seen the popups since. It more or less confirms that they were caused by one of the autostarting programs that are run from the registry rather than a scheduled task or service.

Delete the autorun entry for the Avast Safe Browser then start putting the ticks back in the checkboxes – just a couple at a time and test for a few days – to see if/when the popups return. This is to try to narrow down which of the autostarting programs cause the popups.

If you’ve never had Windows 8 then it must have a leftover from the standalone version of Defender. I don’t think there’s much reason to see any further .ARN files but I’m happy to have a look at the rkill scan log if you want to attach it.

Hope this helps…

Great, I’ll definitely do that.  Here’s the Rkill log; you’ve been extremely helpful!

Reply | Quote

Please don’t quote the whole post for a line or two answer. Highlight the relevant section of the post then click the quote button.

cheers, Paul

1 user thanked author for this post.

crimsoncricket

Reply | Quote

crimsoncricket wrote:

Here’s the Rkill log

I can’t see any issues with the Rkill log.

All the ‘[Incorrect ImagePath]’ entries are because Rkill apparently is still not fully compatible with Windows 10.

Hope this helps…

1 user thanked author for this post.

crimsoncricket

Reply | Quote