Command prompt window opening and closing (split second) a few times every hour

Good Ole Spens

Estimable
Aug 31, 2014
So last week, I downloaded something that turned out to be pretty nasty and chock-full of malware. I immediately opened up Malwarebytes and Hitman Pro and started cleaning the gunk out, and ran 5-6 followup scans to be extra safe and thorough. I cleaned it up pretty good and eventually the software stopped detecting items. But on the same day after everything was cleaned up, I noticed that 3-4 times every hour, a command prompt window would open up just for a tenth of a second and disappear. I couldn't figure out why the hell it was happening, and then it dawned on me the other day to check Event Viewer. I noticed that Event Viewer was logging events for PowerShell, which I'm pretty sure shouldn't be happening, and the logs were concurrent with the date that I clogged my system with all that malware.

The PowerShell logs are occurring in a 10-step pattern. I will list them in the order that they occur:

1. Provider "WSMan" is Started (I looked it up, and it's a cmdlet to connect to the WinRM service for a remote computer)
2. Provider "Alias" is Started
3. Provider "Environment" is Started
4. Provider "FileSystem" is Started
5. Provider "Function" is Started
6. Provider "Registry" is Started
7. Provider "Variable" is Started
8. Provider "Certificate" is Started
9. Engine state is changed from None to Available
10. Engine state is changed from Available to Stopped

And that's the pattern the logs are repeating in. Now I could be entirely wrong about these logs; I have no idea what any of those commands represent or do, but it definitely looks suspicious to me. Can anyone shed some light for me?
 

Good Ole Spens

Estimable
Aug 31, 2014


Alright cool, I'll take a look at that, thanks!

 

CJW1951

Estimable
Aug 13, 2015

Try this. Run your virus check, then Malwarebytes, in that order. Shut down your system for at least 10 minutes. If possible, also shut down your internet and take the system offline for the same time. Power the systems back up and then immediately run Malwarebytes. Your post is old and I don't see any repost on it, so perhaps you fixed the problem.

 

Good Ole Spens

Estimable
Aug 31, 2014


Thanks for the reply, but I actually was able to fix the problem after some extensive research. I was able to get a screenshot of the cmd window that was popping up for a second, and found out that it was being caused by BITSAdmin, which is a component of PowerShell I think. There were 2 files (which I'm assuming were malicious) being constantly queued for download by BITSAdmin, but failing to download for some reason, and every time the files were queued up, it would cause BITSAdmin to open up a cmd window. I had to go into PowerShell and run a few commands pertaining to BITSAdmin to remove the files from the queue, which has since fixed the problem completely.

 
Solution
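
The post above does not list the commands that were run. One way to review and clear the BITS (Background Intelligent Transfer Service) queue is sketched below as an added example; it is not the poster's own procedure. It assumes an elevated PowerShell 3.0+ session with the built-in BitsTransfer module and bitsadmin.exe, and the report path and the `$remove` list are placeholders.

```powershell
# Added example: audit the BITS queue, keep a record, then remove chosen jobs.
# Run from an elevated PowerShell prompt so jobs owned by other accounts are visible.
Import-Module BitsTransfer

# 1. Enumerate every queued transfer job for all users on the machine.
$jobs = @(Get-BitsTransfer -AllUsers)

$report = foreach ($job in $jobs) {
    # BITS can launch a program when a job completes or errors (the "notify
    # command line"); a job that keeps failing can therefore keep spawning a
    # console window. bitsadmin prints that command line for a job GUID.
    $guid   = $job.JobId.ToString('B')            # {xxxxxxxx-...} form
    $notify = (& bitsadmin.exe /rawreturn /getnotifycmdline $guid) -join ' '

    [pscustomobject]@{
        JobId   = $job.JobId
        Name    = $job.DisplayName
        Owner   = $job.OwnerAccount
        State   = $job.JobState
        Created = $job.CreationTime
        Remote  = ($job.FileList | ForEach-Object { $_.RemoteName }) -join '; '
        Local   = ($job.FileList | ForEach-Object { $_.LocalName })  -join '; '
        Notify  = $notify
    }
}

# 2. Show the jobs and save a copy before changing anything.
#    The output path is a placeholder; pick any folder you control.
$report | Format-List
$report | Export-Csv -Path "$env:USERPROFILE\bits-jobs.csv" -NoTypeInformation

# 3. After reviewing the report, list the GUIDs of the jobs you do not
#    recognise (unknown download URL, odd local path, unexpected notify
#    command). The list is empty by default, so nothing is removed.
$remove = @()   # e.g. '00000000-0000-0000-0000-000000000000' (placeholder)

$jobs |
    Where-Object { $remove -contains $_.JobId.ToString() } |
    Remove-BitsTransfer

# 4. Confirm the queue no longer contains the removed jobs.
Get-BitsTransfer -AllUsers | Select-Object JobId, DisplayName, JobState
```

Legitimate software such as Windows Update also uses BITS, so check each job's remote URL and owner before removing it; the saved CSV keeps the download URLs for later follow-up.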

chewyalf

Distinguished
Feb 10, 2011
Can you tell me which file was deleted from powershell and how to do this? I'm having the same problem, with BTadmin and those annoying pop-up dos-type windows. Please respond. Thanks!
 

mannyph2003

Prominent
Jun 7, 2017


I started noticing the same behavior a few weeks ago (around May 29th-31st). I noticed a DOS window opening and closing quickly, too quickly to see what was being done. I noticed that the window would run every hour at the 27th minute of every hour. Upon inspection, I found that I had a bunch of Kaspersky events occurring in the Details section of Task Manager. When I drilled down on the properties and details for those events, every one occurred at the 27th minute of the hour. The 27th minute thing is coincidental since it seems I installed Kaspersky's anti-ransomware app on the 27th minute of a specific hour last year; your event might be happening at a different time.

I now know what's causing the window, now I need to figure out why.