Cmd And Powershell On Startup

Discussion in 'Software' started by Dynex, Dec 10, 2018.

  1. Dynex

    Dynex Private E-2

    Hey, so I was referred here from the malware section of the forums by Dr. Moriarty after dealing with the malware my PC had.

    The problem is I get a 1 millisecond CMD and Powershell window on startup every time. I could not screenshot these windows as they appeared so fast, even when using a 1 millisecond interval screenshot program that made 70 screenshots in 20 seconds or something.

    Unsure why they could not be screenshotted; however, I did manage to capture the issue using a video capture program. Here is the link to the video; the event happens at 26-27 seconds in. https://ufile.io/in47t

    I googled the issue, and I found this website.
    http://www.tomshardware.com/answers/id-2858821/windows-powershell-appears-startup.html

    At first I went to the Windows 10 startup section and I didn't see anything there. But then I re-read the thread and it said to do this in CCleaner, so I did, and this was what I found.

    https://ibb.co/PTF0kyZ

    So AudiTVID is definitely malware, right, or some type of PUP? But my PC has been cleared of malware over at the malware section of the forums.

    When I delete this from CCleaner it just comes back. When I go into the registry and delete it https://ibb.co/b3wBCSx it still ends up coming back upon a restart. I would like to get rid of these popups on startup... even if they don't amount to any active processes running, I don't want to see the popups, and I'd prefer not to delete PowerShell... mainly because I had PowerShell as a Windows program this whole time and my PC was never popping up 1-second windows on startup before... so I'd like to achieve that same condition again.

    Thank you! Hopefully it's something easy to fix.
     
  2. Earthling

    Earthling Interplanetary Geek

    It's probably showing in MS Autoruns but may not be easy to identify. You don't install Autoruns, just run the executable.
     
  3. Dynex

    Dynex Private E-2

  4. Trex™

    Trex™ Private First Class

    No! Everything in yellow shouldn't necessarily be deleted. You can usually just check for a Microsoft signature and/or consider the VirusTotal analysis option, keeping in mind 1/60 does not warrant immediate quarantine or deletion. To be more thorough, you want to make sure the MSAutoruns program is run with elevated privileges (Right-Click --> 'Run as Administrator'), then wait for the menu bar to become available. On initial launch, the options on the title/menu bar are grayed out until the program is finished scanning. Once the 'User' menu is available, change the authority level to NT AUTHORITY\SYSTEM. This will sometimes reveal those persistent files or registry entries that cannot be seen or accessed by normal user accounts.
    https://scontent.fftk1-1.fna.fbcdn.net/v/t1.0-9/48194149_10210573690977445_6631002538030137344_o.jpg?_nc_cat=105&_nc_ht=scontent.fftk1-1.fna&oh=e9c8609c4f5648f1d4d802f7d876d866&oe=5C9C1B79

    From here, I would suggest skimming through the entire list fairly quickly as an initial review of the results, watching the row colors for red or yellow highlights as you scroll. Any entries noticed in doing this should be considered innocent until proven guilty. I've discovered numerous types of items in this list that have no publisher verification, causing them to be highlighted in red. There are occasions in which some of these may look highly suspicious;
    however... it seems there are several 3rd-party applications with perfectly legitimate components/entries in the system that lack the digital identifier (SHA hash or whatever) for authenticity. It is my theory that most of the programs detected like this are likely older, outdated, and/or no longer continued or supported. Here are some of my applications which I know for certain are legitimate, yet were colored 'high alert red':

    https://scontent.fftk1-1.fna.fbcdn.net/v/t1.0-9/48363455_10210574009265402_751923781391351808_o.jpg?_nc_cat=101&_nc_ht=scontent.fftk1-1.fna&oh=a5dfadc5495b5b9b3e73d965399279c9&oe=5C657151

    The items highlighted in red are all from a video capturing and editing program, and one that isn't freeware or shareware but actually priced and marketed as professional software. Certain entries you find in this list may be entirely unfamiliar, in which case it'd be advisable to investigate them further to determine whether or not they can be recognized. Sometimes, not always... but sometimes, a good indication as to whether or not what you've found is harmful... is the VirusTotal analysis, an available feature found under the scan options. You have to be cautious judging by this, as well, though... take, for instance, my old Kodak ESP3 AiO printer/scanner/copier, which was detected by 7 out of 60 antivirus programs tested by VirusTotal:

    https://scontent.fftk1-1.fna.fbcdn.net/v/t1.0-9/48194714_10210574122788240_5668118716202614784_o.jpg?_nc_cat=104&_nc_ht=scontent.fftk1-1.fna&oh=546a403cf891aa7efe7a8c558557d76e&oe=5CA43897


    If you would prefer ... perhaps to lend you some reassurance, you could post the Autoruns scan here, should there be any particularly questionable items you might have found. To be completely honest, though... a persistent infection such as you've described doesn't necessarily have to be listed under the autoruns of your system. There are deeper rooted viruses than that, but I hope that isn't the case in your situation. Good luck!
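The review Trex describes above (elevated Autoruns, check for a Microsoft signature, treat a low VirusTotal hit count with caution) can be reproduced from an elevated PowerShell prompt. The block below is an added example and is not from the thread or from Autoruns itself: it walks the Run/RunOnce keys Autoruns reads, pulls the executable out of each command line, and checks its Authenticode signature. It also flags entries whose executable is a Microsoft-signed launcher such as wmic.exe, powershell.exe or cmd.exe, because for those the signature proves nothing about the command they are told to run, which is exactly the situation with the AudiTVID entry discussed later in this thread. The key list and the launcher name pattern are the example's own choices.

```powershell
# Added example: enumerate Run/RunOnce autostart entries and check the signature
# of each launched executable. Run from an elevated PowerShell so HKLM is readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable from a Run value: either a quoted "C:\path with spaces\app.exe"
# or the first whitespace-delimited token. %SystemRoot%-style references are expanded.
function Get-ExecutableFromCommand {
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $first = ($cmd -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/PSChildName/...
            $exe    = Get-ExecutableFromCommand -Command ([string]$p.Value)
            $status = 'FileNotFound'
            $signer = ''
            if (Test-Path -LiteralPath $exe) {
                # Catalog-signed OS binaries report Valid here too; if a file under
                # System32 shows NotSigned, double-check with Sysinternals sigcheck.
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $p.Value
                Exe       = $exe
                Signature = $status
                Signer    = $signer
                # A signed Microsoft launcher is not evidence the entry is benign:
                # the interesting part is the argument string it is handed.
                Launcher  = [bool]($exe -match '\\(wmic|powershell|pwsh|cmd|rundll32|mshta|wscript|cscript|regsvr32)\.exe$')
            }
        }
    }
}

Get-AutostartReport |
    Sort-Object Signature, Launcher -Descending |
    Format-Table Name, Signature, Launcher, Command -AutoSize -Wrap
```

Entries showing NotSigned or FileNotFound correspond to the yellow and red rows Trex describes; an entry showing Valid with Launcher set to True is the case where a VirusTotal lookup of the executable (cmd.exe, wmic.exe) tells you nothing, and the command line itself has to be read.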
     
  5. Dynex

    Dynex Private E-2

    Alright, here is my scan. I deleted the 'file not found' entries.

    https://ufile.io/qtcg9

    The CMD VirusTotal check is 3 negative and 4 positive, so I'm unsure what to do? Someone commented it's a worm, another guy commented it's safe.

    My problem looks like it will be unresolved, though, or it's a deeper-rooted issue; I don't know.
     
  6. Trex™

    Trex™ Private First Class

    I didn't spot a single suspicious item in the autoruns file you provided... I think perhaps you removed the entries you mentioned before saving and posting the list? However... as embarrassing and amateur as this may sound, I just now read and understood your original concern... I must have been half buzzed the first time I read through it.

    With that being said (or reluctantly admitted...), I feel fairly confident in informing you that what you're seeing/experiencing is not likely harmful. As a matter of fact, even though I saw no obvious threats in your list, there are far more programs launching at start up than would be even slightly necessary. I would advise disabling several applications, if not all, under the CurrentVersion\Run categories (unchecking in autoruns or use the 'Startup' tab within the Task Manager). The only apps I would leave enabled, personally... would be the Realtek startups, indicated by the little audio speakers, and your antivirus/security programs, obviously (SecurityHealth and IseUI - Comodo).

    If my credibility hasn't been compromised by the rookie move I pulled when initially responding to this thread, I'm almost 100% certain that if you disable those totally unnecessary startups, you'll no longer see a lightning-quick flash of a Command Prompt or PowerShell at login.

    If you still feel this is a much deeper issue, I think I recall a tool included in Microsoft's Sysinternals that will allow you to create a boot-time log file. This should provide you with some clue as to the culprit behind the startup scripts running upon login, if it doesn't just outright identify it in black and white. Just a suggestion, should you consider this to be the right direction to take. If so, perhaps search Google for 'boot time log or logger or dump file'.
     
  7. Dynex

    Dynex Private E-2

    Well the problem is two fold...

    I never had a CMD or PowerShell window appearing for 1 millisecond on startup before I accidentally downloaded what I thought was a free Photoshop plugin but was actually some Russian installer packed with PUPs. Even when I clicked no to install, it installed everything anyway, and I had to go to the malware part of the forums to remove the malware I got....

    AudiTVID is one of the Russian PUPs... I can't find it on my PC, but why is it appearing in my registry non-stop, even after I delete it from the registry? And coincidentally it has 'powershell' in its path.
    https://ibb.co/PTF0kyZ

    I can try disabling startups and see what that does... but none of my startups are new things... the only new things are the anti-malware programs I downloaded, so I guess I can uninstall those; maybe they are making CMD and PowerShell? But otherwise nothing is new and I never had this issue before with those startup programs.

    I don't think it's harmful either, or minimally; if it was, then a lot of the harm was taken away by the malware removal, but I still want to figure out what is causing it... I will get back to you on the results of disabling all the startups on Thursday when I'll have some free time!

    Thank you all for the help so far!
     
  8. Eldon

    Eldon Major Geek Extraordinaire

    Open Task Scheduler > Task Scheduler Library.
    Take a screenshot and post it.
     
  9. _nullptr

    _nullptr Major Geeky Geek Geek

    It's definitely the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry - AudiTVID - that is the cause of the PowerShell and command windows.
    Here is the powershell command:
    Code:
    C:\WINDOWS\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\9EB5E9E3-6520-80D6-DFB2-69B48306AD28').batmInst))"
    
    Have you tried deleting the AudiTVID entry in safe mode?
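Eldon's suggestion to look in Task Scheduler and _nullptr's decoding of the Run value point at the same triage steps, so one added example covers both. The command _nullptr quoted uses wmic.exe to spawn a hidden powershell.exe that reads the 'batmInst' value under the GUID key named in the post, ASCII-decodes it, and hands the result to Invoke-Expression; the staged script therefore lives in the registry, not in a file, which is why it cannot be found on disk. The block below is not from the thread: it decodes that value to a text file exactly as the loader would but without executing it, removes the Run value and the staging key, and then lists scheduled tasks and permanent WMI event consumers whose action mentions powershell, wmic, cmd.exe or that GUID, since something of that kind is the usual reason a deleted Run value keeps coming back. The registry paths and value names are taken from _nullptr's post; the output file location and the search pattern are the example's own assumptions.

```powershell
# Added example: inspect and remove the AudiTVID persistence described in the thread
# without running any of its code, then look for whatever might be re-creating it.
# Run as the affected user (the keys are under HKCU); elevate for the WMI checks.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName   = 'AudiTVID'
$stageKey  = 'HKCU:\Software\AppDataLow\Software\Microsoft\9EB5E9E3-6520-80D6-DFB2-69B48306AD28'
$stageName = 'batmInst'
$dumpFile  = Join-Path $env:USERPROFILE 'Desktop\batmInst_decoded.txt'   # assumed location

function Export-StagedPayload {
    if (-not (Test-Path $stageKey)) { Write-Host "No staging key: $stageKey"; return $null }
    $item = Get-ItemProperty -Path $stageKey -ErrorAction Stop
    $raw  = $item.$stageName
    if ($null -eq $raw) { Write-Host "No '$stageName' value under $stageKey"; return $null }
    # The loader calls [Text.Encoding]::ASCII.GetString() on this value, so it is a
    # REG_BINARY blob of ASCII script text. Decode it the same way, but write it to
    # disk for reading instead of piping it to iex.
    $text = if ($raw -is [byte[]]) { [System.Text.Encoding]::ASCII.GetString($raw) } else { [string]$raw }
    Set-Content -LiteralPath $dumpFile -Value $text -Encoding ASCII
    Write-Host "Decoded $($text.Length) characters of staged script to $dumpFile (not executed)"
    return $text
}

function Remove-Persistence {
    $run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
    if ($run) {
        Write-Host "Removing $runKey\$runName = $($run.$runName)"
        Remove-ItemProperty -Path $runKey -Name $runName
    }
    if (Test-Path $stageKey) {
        Write-Host "Removing staging key $stageKey"
        Remove-Item -Path $stageKey -Recurse -Force
    }
}

# A Run value that returns after every reboot is being rewritten by something else.
# Scheduled tasks and permanent WMI event subscriptions are the common culprits and
# neither shows up in Task Manager's Startup tab.
function Find-Recreators {
    $pattern = 'powershell|wmic|cmd\.exe|9EB5E9E3'
    $hits = @()
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $line = "$($a.Execute) $($a.Arguments)"
            if ($line -match $pattern) {
                $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Action = $line }
            }
        }
    }
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLineTemplate -match $pattern } |
        ForEach-Object { $hits += [pscustomobject]@{ Type = 'WMICommandLineConsumer'; Name = $_.Name; Action = $_.CommandLineTemplate } }
    Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { $_.ScriptText -match $pattern } |
        ForEach-Object { $hits += [pscustomobject]@{ Type = 'WMIScriptConsumer'; Name = $_.Name; Action = $_.ScriptText } }
    return $hits
}

$null = Export-StagedPayload
Remove-Persistence
Find-Recreators | Format-Table Type, Name, Action -AutoSize -Wrap
```

Read the decoded file before assuming the cleanup is complete: the staged script is what actually ran at each logon, so it will name any further files, keys, tasks or download locations that also need removing. If Find-Recreators lists a task or WMI consumer, remove it first (Unregister-ScheduledTask, or Remove-CimInstance on the consumer, its __EventFilter and the __FilterToConsumerBinding), otherwise the Run value will be recreated again on the next boot, as happened repeatedly in this thread.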
     
  10. Dynex

    Dynex Private E-2

    Hey guys, thanks for the interest lately...

    I was too busy/lazy to remove all the startup programs... (which is actually a good process-of-elimination tactic) so I took a risk and deleted that CMD that was shown in my MSAutoruns scan. The one that said it was 3 dangerous and 4 safe, which could be a worm. There don't seem to be any adverse effects from deleting the registry entry. CMD still opens. What I ALSO did was go into CCleaner again and delete the AudiTVID entry for the 10th time.

    And guess what happened? The PowerShell and CMD disappeared. I checked Autoruns and that CMD entry is gone. I checked CCleaner and the AudiTVID entry is finally gone too! It would always come back before!

    So I think my problem is resolved! Thanks to everyone for pointing me to these programs and offering your support and input and advice on what I can do to find the issue! You guys are the best.
     