I've just built a new PC and installed Windows 10 Pro. Recently, I noticed a Command Prompt box appeared for a second at startup. I took a screenshot with the Snipping Tool and found that a file called 'vhshiaug.lnk' was being run from 'C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'. I can't 'Right Click' to get the location of the file it runs so exported to Notepad which gave the following text:
L À F« 90KçݬÕïˆì>Ö90KçÝ¬Õ l 5 PàOÐ ê:i¢Ø +00 /C:\ V 1 ÉP“¤ Windows @ ヌOwHÉP«¤. XI I W i n d o w s Z 1 ÉP”¤ System32 B ヌOwHÉP¬¤. P ñ))S y s t e m 3 2 V 2 l ‡OI cmd.exe @ ヌOIÉP³¤. N” ü ÇÝ c m d . e x e J - I e<D C:\Windows\System32\cmd.exe 3 . . \ . . \ . . \ . . \ . . \ . . \ . . \ . . \ . . \ W i n d o w s \ S y s t e m 3 2 \ c m d . e x e S / c s t a r t " " " C : \ U s e r s \ J o h n \ A p p D a t a \ R o a m i n g \ M i c r o s o f t \ W i n d o w s \ v h s h i a u g \ e e b b d t g f . e x e " % Ý wNÁç]N·D.±®Q˜·Ý ` X desktop-1l373eb ˆâùðçÉOzÌ~
‰2½…ü5H¨ê‡—@tà®gaˆâùðçÉOzÌ~
‰2½…ü5H¨ê‡—@tà®gaÒ 1SPSâŠXF¼L8C»ü“&˜mÎq / S - 1 - 5 - 2 1 - 3 9 3 5 0 6 8 7 3 0 - 4 1 6 0 3 8 3 9 2 3 - 2 4 5 7 9 4 3 3 0 2 - 1 0 0 1 9 1SPS±mDpH§H@.¤=xŒ h H yÃfJ£1Á[’¥¦
I assume that it opens a Command Prompt then runs 'C:\Users\John\AppData\Roaming\Microsoft\Windows\vhshiaug\eebbdtgf.exe'
I've looked here but cannot find a folder named 'vhshiaug' even when showing hidden files and folders. To delete the shortcut, I needed to enter Safe Mode. When rebooted into Normal Mode after a while, the shortcut returns. I can't find any suspect processes, any reference to these files in the Registry, and have done a virus scan with no faults found.
Anyone know how to proceed?
L À F« 90KçݬÕïˆì>Ö90KçÝ¬Õ l 5 PàOÐ ê:i¢Ø +00 /C:\ V 1 ÉP“¤ Windows @ ヌOwHÉP«¤. XI I W i n d o w s Z 1 ÉP”¤ System32 B ヌOwHÉP¬¤. P ñ))S y s t e m 3 2 V 2 l ‡OI cmd.exe @ ヌOIÉP³¤. N” ü ÇÝ c m d . e x e J - I e<D C:\Windows\System32\cmd.exe 3 . . \ . . \ . . \ . . \ . . \ . . \ . . \ . . \ . . \ W i n d o w s \ S y s t e m 3 2 \ c m d . e x e S / c s t a r t " " " C : \ U s e r s \ J o h n \ A p p D a t a \ R o a m i n g \ M i c r o s o f t \ W i n d o w s \ v h s h i a u g \ e e b b d t g f . e x e " % Ý wNÁç]N·D.±®Q˜·Ý ` X desktop-1l373eb ˆâùðçÉOzÌ~
‰2½…ü5H¨ê‡—@tà®gaˆâùðçÉOzÌ~
‰2½…ü5H¨ê‡—@tà®gaÒ 1SPSâŠXF¼L8C»ü“&˜mÎq / S - 1 - 5 - 2 1 - 3 9 3 5 0 6 8 7 3 0 - 4 1 6 0 3 8 3 9 2 3 - 2 4 5 7 9 4 3 3 0 2 - 1 0 0 1 9 1SPS±mDpH§H@.¤=xŒ h H yÃfJ£1Á[’¥¦
I assume that it opens a Command Prompt then runs 'C:\Users\John\AppData\Roaming\Microsoft\Windows\vhshiaug\eebbdtgf.exe'
I've looked here but cannot find a folder named 'vhshiaug' even when showing hidden files and folders. To delete the shortcut, I needed to enter Safe Mode. When rebooted into Normal Mode after a while, the shortcut returns. I can't find any suspect processes, any reference to these files in the Registry, and have done a virus scan with no faults found.
Anyone know how to proceed?
