Wikipedia:Reference desk/Archives/Computing/2021 March 18

= March 18 =

== I suspect virus on my computer, related to "Windows Command Process". My anti-virus can't find any virus. Strange stuff going on. ==
Last few days I've gotten some suspicious behaviour from my PC.

It has worked slower and I frequently get a temporary folder placed on my desktop in which my whole hard drive supposedly is placed (local drive C:). I cannot delete this folder or move it whatsoever. As far as I can tell, it shows up if I download something, but only sometimes. When I say download, it doesn't have to be a big file or anything. I might, for example, simply save an image from online. The temporary folder disappears automatically after not too long. I do not remember what the temporary folder is called. "temporary" something, I think.

Furthermore, when I started my computer today, due to it being so slow, I opened my Task Manager and there were two identical listings called "Windows command process". Right clicking them, I couldn't do anything with them. I could not delete them or anything. This was when I started getting really suspicious. They disappeared after a while. I have no computer skill or real knowledge of computers. I'm your average PC-user who knows next to nothing about any advanced stuff.

My anti-virus doesn't find anything out of the ordinary. Reading online about "Windows command process" I see that this is supposedly a natural part of a PC (I have Windows 10), but those losers who make viruses will apparently often name malware "windows command process" to create confusion and to go unnoticed. I've tried following some directions provided online on this topic, such as "go to this folder C:\Users\’Your UserName’\AppData\Roaming and look for executable (exe) files and files with random names." But the truth is that I cannot find any 'AppData' folder or 'Roaming' folder in my username folder. They're not there... Which means I can't follow these instructions.

I meant to search for AppData, but strangely, right clicking the Windows symbol down in the left corner of the desktop and clicking 'search' doesn't work either, which means I now can't search for files on my own computer.

Also, my local drive (C:) now shows that I have 1,21 / 1,81 TB available. TB rather than GB ?? I swear I've never had that big a drive, I think... I'm not even sure, I guess I haven't even thought about it much, but I thought maybe I had a few hundred GB storage space, at best. 1,81 TB is very unlikely, no? Thanks in advance.

84.208.138.179 (talk) 09:11, 18 March 2021 (UTC)


 * "I cannot find any 'AppData' folder or 'Roaming' folder": Roaming is inside of AppData, and AppData is normally hidden. You'll need to go to the file explorer settings and disable "hide hidden files and folders" and maybe "hide protected operating system files", or you could directly type AppData in the file explorer location bar after C:\Users\YourUserName\
 * "1,81 TB is very unlikely, no?" Depends on how new or high-end the computer is. One-terabyte hard drives were apparently available in 2009. Xnft (talk) 14:14, 18 March 2021 (UTC)
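
A read-only way to run the checks discussed in this thread (where each running "Windows Command Processor" entry was loaded from, and which executable files and brace-GUID folders sit under AppData\Roaming, hidden ones included), given as an added PowerShell example that is not part of any poster's reply. It assumes Windows PowerShell 5.1 or later run as the affected user; the extension list is an illustrative choice.

```powershell
# Added example: read-only triage; nothing is modified or deleted.
# Assumption: Windows PowerShell 5.1+ run as the affected user.

# 1. Task Manager's "Windows Command Processor" is cmd.exe. Show where each
#    running copy was loaded from and which process started it.
#    Path can be empty for processes owned by another or an elevated account.
$sysDirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"
Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        Path        = $_.ExecutablePath
        InSystemDir = $_.ExecutablePath -and
                      ($sysDirs -contains (Split-Path $_.ExecutablePath -Parent))
        Parent      = $parent.Name
        CommandLine = $_.CommandLine
    }
} | Format-List

# 2. Executable-type files under AppData\Roaming. -Force includes hidden and
#    system items, which File Explorer does not show by default.
$exts = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'
Get-ChildItem -LiteralPath $env:APPDATA -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
            Created   = $_.CreationTime
            Path      = $_.FullName
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize -Wrap

# 3. Folders named like a GUID in braces, the naming pattern of the folder
#    described in the thread. Legitimate software creates such folders too,
#    so this only lists them for review.
$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
Get-ChildItem -LiteralPath $env:APPDATA -Recurse -Force -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $guidName } |
    Select-Object FullName, CreationTime, LastWriteTime
```

A `cmd.exe` whose `InSystemDir` is `False`, or an unsigned executable created recently under Roaming, is a reason to look closer, not proof of infection.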

Okay. I did as you said and typed it into the box and the folder showed up. There is one folder in there that maybe looks odd. It's called {2A82324E-1E3C-4E88-A68A-8BA11B0417FE} and contains one file called "tokens_16". There is no info of what sort of file it is, but it opens in Wordpad and there are about 4 or 5 lines with gibberish text that means nothing. I searched the folder called 'roaming' with anti-virus and it found nothing. I also searched for 2A82324E-1E3C-4E88-A68A-8BA11B0417FE in Google, and it turns out that there are others who have gotten the same exact file at a previous time with the same tokens_16 file in it. It is claimed that it is a "ZeroAccess rootkit" virus. It seems complicated to get rid of, but isn't it always?

Anyway, isn't the 'roaming' folder supposed to only be a place for temporary internet files to be stored? If so, I can delete all the files in the 'roaming' folder, right, without any danger whatsoever? There are only 37 files in the folder and the oldest ones trace all the way back to 2017. The same is true for this file, but I suppose that doesn't mean anything. It can still recently have shown up there, I should think. And simply removing the folder probably won't solve my problem... Strangely, my PC has worked fairly normally today, except when I turned it on and entered Windows. 84.208.138.179 (talk) 19:12, 18 March 2021 (UTC)

Anyway, I decided to contact this PC guy I know. When I told him about the "ZeroAccess rootkit" virus, he told me this is potentially serious stuff and that he'll help as soon as he can. I just wanted to say thanks for your reply. And one question: If they take over my PC, can they work through my PC 24/7, or only when my PC is turned on? For the former to be true they would first have to transfer over my files, I suppose. So, I guess what I am asking is whether or not using the PC until I get help will protect me. 84.208.138.179 (talk) 21:04, 18 March 2021 (UTC)
 * If some hacker takes over your computer (or more likely plants some malware that runs in the background) the malware can only run while your computer is turned on. So turning off your computer would limit any additional harm. However, you could also just disconnect from your WiFi/Ethernet or however you connect to the Internet. If you do that it is probably a good idea to check once in a while to make sure the potential malware hasn't automatically connected but I think the chance of that is really slim. Actually, to be sure what I would do is first disconnect your machine from WiFi, then use another device to change your WiFi password. That way even if the malware has stored your WiFi password it still won't be able to connect. They could use Bluetooth but you have to be close to the computer so the hacker would need to be in your home or in a nearby apartment if you live in an apartment. You can also disable Bluetooth. Have you tried emailing your security vendor? In the past when I suspected I had a problem I emailed the vendor of the security software I had on my Mac and they were very helpful with suggestions for things to try. Also, there are different kinds of scans you can do. I imagine you've done more than a QuickScan but you might want to double check the parameters on your virus scanner, there might be less common things it isn't checking for. There are also tools you can use to check your network itself which might not be a bad idea. It could be that someone has hacked your network and that is what is causing the slowdown, they are stealing your bandwidth. If you have Comcast they have apps for Android and iOS that are really good (and I seldom say that about Comcast). I had that happen to me once because the Apple network protocol I was using was old and easy to hack (this was a very long time ago). Hope that helps, good luck. --MadScientistX11 (talk) 19:55, 23 March 2021 (UTC)

Thank you again. I appreciate it :) 84.208.138.179 (talk) 09:40, 24 March 2021 (UTC)


 * Hi, here's a few ideas, absolutely no guarantees. 1. Unless your friend is a genuine expert in solving Windows problems, I suggest you don't let him near your PC, especially if you have sensitive data. 2. Start your PC in safe mode in Windows 10 with networking. Install Malwarebytes (free version) here. In options, check "Look for rootkits" or similar. Run it. May take some considerable time, like at least an hour. Anything it finds, quarantine or delete it. Reboot into normal mode. This may fix the problem. 3. If this doesn't fix the problem, read Recovery options in Windows 10 and choose "Restore from a system restore point", from before the problem occurred. This may also magically fix the problem. 4. If not, find a local Microsoft-registered PC repair outfit, chat to someone, hope you can tell the difference between bullshit and genuine dedicated geek talk. Cost you maybe £80, or $100. >MinorProphet (talk) 18:17, 24 March 2021 (UTC)

== Why do forum thread creators "Reserve" initial replies? ==
On many forums, the starter of the thread will reply to it, saying "Reserved". Why do they do this? The only guess I have is in case they reach a character limit in the original. Opencooper (talk) 18:55, 18 March 2021 (UTC)


 * If that reply is first and will stay in place, they may wish to reserve that spot for any later notices, as the need arises, that they feel deserve general attention. --Lambiam 21:03, 18 March 2021 (UTC)
 * That makes sense, since threads are ordered chronologically and can grow several pages long. Thanks. Opencooper (talk) 02:10, 19 March 2021 (UTC)
 * Like for example change logs for a custom Android ROM or a mod for a particular video game. Rather than pile them up on the main thread they'd edit the reserved replies instead to indicate any changes they made. Blake Gripling (talk) 01:46, 25 March 2021 (UTC)