This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Log submission

I am a new user of Sophos and ran the program for the first time. I have a windows command processor virus. I get a square pop-up every 15 minutes. I ran the program and it identified that I have a trojan. I clicked on the submit log button and I get a failed network error. So the program won't fix the trojan. Do you have any suggestions as what to do? Can you bypass the submit log and still fix the issue? I am at the "might be time to invest in a new computer" time. Thanks 



This thread was automatically locked due to age.
Parents
  • Is this a Windows client or Mac?

    Are you running Sophos Home?

    Regards,

    Jak

  • Windows home computer. Sorry forgot to include that in my original post. I have just ran the scan again and now it says I have no threats. Except the pop-up is still appearing.

  • In that case I would download and run Process Explorer as administrator.

    https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

    When you have the pop-up Windows, drag the cross-hairs icon of Process Explorer over the popup window and it will highlight the process that is responsible for it in Process Explorer.  It will also show the parent process, etc. as the processes are shown in a tree view.

    You can also gather from this tool the autostart location of the process.  Maybe you can post a screenshot of the process details and tree information?

    AutoRuns - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns is also a valuable tool here.

    Regards,

    Jak

  • This is what the pop-up looks like. It appears every 15 minutes. But what is odd is I can still get on the internet, personal files and everything I can think of. I am running in windows 10 and tried to do a system restore from a previous date and there is no dates showing. I tried to do a system reset and still keep my personal files and it gets to about 35% complete and stops. I have googled the issue and done everything I can think of and it is still there. Nothing seems to be able to remove it.

  • OK so a command prompt is shown, in that case you need to know the parent process, i.e. which process launched it.

    Are you able to run Process Explorer when this is on screen?  

    If you run Process Explorer, you can make it the top most window before the pop-up if there is an issue with this command prompt "covering it up".

    Regards,

    Jak

  • Well, I took my computer to get looked at by computer tech's yesterday and they told me they fixed it. Well, they didn't. I am still getting the pop-up. I have downloaded process explorer as you suggested but have never used it before and don't know how it works am not sure if I am running it as Administrator. 

  •  

    I have this screen shot of something that I am not sure if it is the culprit or not. Under system there is something called hardware interrupts and DPC's.

  • If it's still the same as before, i.e. cmd.exe, then you're looking for the cmd.exe process and then the parent of this process.

    If you right click on procexp.exe and choose "Run as administrator" then it will be running as admin.  Optionally you can configure Process Explorer to be the top most window if it's being obscured in any way. This can be set under the "Options" menu, by choosing the "Always On Top" option.

    Next time the cmd.exe window pops up, drag the cross-hairs icon of Process Explorer...

    ...onto the mysterious cmd.exe window and it will highlight cmd.exe in the tree view of processes.  

    You can then see from the tree the parent process of this cmd.exe process. i.e. which process launched it.  What is it?  It maybe significant to know the parent of that process as well, all the way up the tree.  

    I've just taken a random Process Explorer image from the net below but for reference it will suffice.  Below you can see that the Explorer.exe process has launched a number of child processes, cmd.exe being one of them.  You can also see that Procexp.exe was launched from that cmd.exe process.  It is this child parent hierarchy that will hopefully tell you where your cmd.exe process has come from.

    So given your process tree to work with, one check would be to look at the Properties of the processes in Process Explorer.  Right click - Properties. You can see the Autostart Location value.  This could be useful.  I would suggest cross referencing this with the output of the tool Autoruns [https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns]. This will give you a good way to disable any startup items.

    Other useful options in Process Explorer is to add the column, "Virus Total". Under the Process menu, then is a "Check VirusTotal" option.  This will submit a hash of the file to Virus Total and will give you a result from a number of vendors.

    Regards,

    Jak

  •  

    To help explain what  is describing in Process Explorer see this demo...

    Note: In the video, and for demo purposes, it shows Process Explorer finding that the cmd.exe process was run from a scheduled task.

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • If a picture is worth a thousand words, then that video is probably around 300,000 - accounting for length and framerate.

    Thanks!

Reply Children
No Data