Command Prompt Popping Up

Status
Not open for further replies.

Ghoulio

Estimable
Sep 8, 2014
8
0
4,520
A few days ago I attempted to download a freeware program. I don't remember the site it was on. As I was installing it, it was taking a long time and I got suspicious so I stopped it. My suspicions were correct. There were a bunch of new programs installed on my computer. Because of the amount of programs I decided to do a system restore. That got a lot of the junk off my computer. I then ran a full scan with Windows Defender and it found a trojan which I removed. I then ran a Malwarebytes premium scan and it found a bunch of stuff which I removed. I think most of the bad stuff has been removed but I am still having one issue. Every hour or so two command prompt windows will pop up one after the other for less than a second. It happens so fast that I am unable to get a screenshot of it or see if anything comes up in Task Manager when it happens. I did manage to see something one time when it popped up, it said bitsadmn.exe. I searched for that on Google and found that it is a Windows process but the file could be infected so I searched my computer for that file but it's not on my computer. I am thinking that it could be something trying to update some of those programs that were installed but I am not sure and I still want to get rid of it because if it happens while I am playing a game it causes the game to minimize for several seconds and puts it in windowed mode. I am running Windows 10 Version 10.0.14393 Build 14393 on a Lenovo Z70 laptop. This is kind of embarrassing for me because I am currently studying for my A+ certification and I can't figure this out. I appreciate any help you folks can give me.

 
Not uncommon for malware etc. to mask itself as something else.

Event Viewer may provide some information: explicitly via some entry that bitsadmn.exe was started. Or the Command Prompt....

Focus on narrowing down the circumstances (what, when, where, etc.) relevant to the command window's "pop up" appearance.

Find a pattern, find a common link, takes time and attention. Very good chance that if you find a pattern you will find the solution.

Otherwise, post accordingly.....

And do not be embarrassed ala "studying for your A+ exam". That is only part of the real world and most of your real world work will be related to what you can figure out and solve versus what you know. Knowledge helps but that is only part of the process.
 

Ghoulio

Thanks for the advice Ralston18. I also posted this question in another forum and have been getting some help there. I think we have this just about figured out. They suggested I download 2 programs, AdwCleaner and Junkware Removal Tool. Those are both made by Malwarebytes so they come from a reputable company and both programs found and removed infections on my computer. I was then told to open command prompt as an admin and run System File Checker by entering sfc /scannow. That didn't return any problems. I was still getting the window popping up so I thought I should use a screen recording program to get a screenshot of it. I was able to do that and I am posting the screenshots here. The file that runs when the window pops up is cmd.exe and is located in the System32 folder. I am assuming all I need to do now is delete that file as I don't think it is a valid Windows file but I am waiting until someone lets me know if that is correct. I will post again when I finally figure this out so if someone else has this problem they will know what to do.

cpw1.jpg


cpw2.jpg
 
Yes: hold off on deleting that cmd.exe file.

From what I could read of the text in the posted screen I understand that "bitsadmin" is/was some tool within Windows that is now "deprecated" and not guaranteed to be in future versions of Windows. Also there is something about "BITS cmdlet". Powershell...

Googled and found this:

https://technet.microsoft.com/en-us/library/jj590836.aspx

The popup could be the result of some leftover fragment of code that was not deleted or fixed during some Windows update.

See if you can identify any .bat or .ps (Powershell) scripts being launched at boot time. Or some process or service with BITS in its name or description.

If the time ("every hour or so") is very consistent look for some power saving app or screensaver. Or since data transfers seem to be involved look for any automatic backups that may be scheduled.

You might even search the registry for references to "bitsadmin.exe".

Just be sure to back up the registry first and do not make any changes while searching. Note any relevant registry entries and then research those entries accordingly.

 

Ghoulio

OK, I finally got the window to stop popping up. I am posting what worked for me but I'm not sure this would fix it for everyone who encounters this problem and I would start your own thread to make sure people who know more about this than me think it's a good idea for you to do this. I did some more searching and found a thread on a forum at http://www.tenforums.com/antivirus-firewalls-system-security/51063-bitsadmin-pops-up-randomly-immediately-disappears.html. On the second page of that thread they suggest clicking start - typing powershell - right clicking it - running it as administrator. Then copy and paste the following code in there:

Get-BitsTransfer -AllUsers | select -ExpandProperty FileList | Select -ExpandProperty RemoteName

This should give you a list of "what is downloading from where". My results were different from what his were but I had a few entries although I can't remember what they were now. They then suggest he enter the following in powershell to "get rid of the (non-Windows update downloads)":

Get-BitsTransfer -AllUsers | Remove-BitsTransfer

I did the same and I have not had the pop up for several days now. As I said before, if you are having the same problem I would start your own thread and ask if this is what you should do. Thanks for all the help and I hope this helps someone else.
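
The two commands in the post above list remote URLs and then remove every BITS job without keeping a record. As an added example (not part of the thread or the linked one), this sketch records each job's owner, remote URL and local path first, then previews removal of only the unexpected ones. The function name `Get-BitsJobReport`, the host suffix list and the CSV path are assumptions made for illustration.

```powershell
# Added example. Run in an elevated PowerShell window: -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Assumption: host suffixes treated as expected on this machine. Edit to suit your own.
$ExpectedSuffixes = @('.microsoft.com', '.windowsupdate.com')

function Get-BitsJobReport {
    param([string[]]$Expected = $ExpectedSuffixes)

    foreach ($job in Get-BitsTransfer -AllUsers) {
        # A job may hold several files, or none; still emit one row for an empty job.
        $files = @($job.FileList | Where-Object { $_ })
        if (-not $files) { $files = @($null) }

        foreach ($file in $files) {
            $uri = $null
            $remoteHost = ''
            if ($file -and [uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
                $remoteHost = $uri.Host
            }
            # Prefix a dot so 'microsoft.com' matches '.microsoft.com' but 'notmicrosoft.com' does not.
            $known = $false
            foreach ($suffix in $Expected) {
                if ($remoteHost -and ".$remoteHost".EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                    $known = $true
                }
            }
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                RemoteName  = $file.RemoteName
                LocalName   = $file.LocalName
                Expected    = $known
            }
        }
    }
}

# Keep a record before touching anything (hypothetical output path).
$report = @(Get-BitsJobReport)
$report | Export-Csv -Path "$env:USERPROFILE\bits-jobs.csv" -NoTypeInformation
$report | Where-Object { -not $_.Expected } | Format-List DisplayName, Owner, Created, RemoteName, LocalName

# Dry run: -WhatIf shows which jobs would be removed. Drop it only after reviewing the list.
$suspectIds = @($report | Where-Object { -not $_.Expected } | Select-Object -ExpandProperty JobId -Unique)
Get-BitsTransfer -AllUsers | Where-Object { $suspectIds -contains $_.JobId } | Remove-BitsTransfer -WhatIf
```

Removing a job does not remove whatever created it, so the saved `Owner` and `LocalName` values are the starting point for finding the program or scheduled item that queued the download.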
 