What just happened to my PC?

6

1

I was trying to open a .png picture today and clicked edit instead of open, which in my opinion wouldn't affect anything. However, most likely coincidentally, as soon as I clicked edit, a large number of cmd prompts opened and closed quickly.

I noticed that the file location was on the headers of the cmd prompts. This is what it said, from what I gathered before it stopped: C:\<user>\AppData\Google.

Does anyone have any idea what happened and what can I do to fix it or keep it from happening again?

A Child of God

Posted 2015-12-17T15:02:43.233

Reputation: 279

This probably should go to superuser, but... Where did the picture come from? Did you run a Virus/Malware scan? Does it do that with all pictures? – N. Greene – 2015-12-17T15:05:11.050

I saved a picture from online (wiki commons or wikimedia) and wanted to look at it with Microsoft Paint. I hit edit and all that happened. – A Child of God – 2015-12-17T15:08:50.930

I didn't run any scans, no – A Child of God – 2015-12-17T15:09:05.087

Just scanned the pic, no threats. Working on scanning the entire PC. – A Child of God – 2015-12-17T15:17:47.677

What do you use to scan your PC? I mean what kind of antivirus? – Vilican – 2015-12-17T15:20:54.843

What is the default app to edit png files on your PC? I'd be more inclined to investigate an issue with that software as opposed to a png file (not that png files can be harmless). That is if there even is an 'issue' - it could just be an update/initialization process of whatever it is you're running. – JᴀʏMᴇᴇ – 2015-12-17T15:21:02.017

@Vilican I am using Panda Free Antivirus. – A Child of God – 2015-12-17T15:22:39.817

@JᴀʏMᴇᴇ I use Microsoft's Paint. I use a Windows PC, so it came with it. – A Child of God – 2015-12-17T15:23:38.773

Could even just be coincidence that they opened at the point at which you tried to edit a PNG. Could be a service or job running on your computer that launches this. – JᴀʏMᴇᴇ – 2015-12-17T15:25:08.890

Panda antivirus ... I do not know that brand. Probably less used than others. And "Free Antivirus" - my own experience is that free antiviruses may find fewer viruses than the paid ones (but this time it might be false). – Vilican – 2015-12-17T15:26:01.050

What kind of virus would open up cmd prompts and close them in great numbers? – A Child of God – 2015-12-17T15:27:11.457

Well ... many of them. Also, I have seen legitimate apps doing this when installing. – Vilican – 2015-12-17T15:28:25.980

After it happened, I searched my files for the possible location of whatever it is. I came up with three possible locations:
C:\Users\<user>\AppData\Local\Google
C:\Users\<user>\AppData\LocalLow\Google
C:\Users\<user>\AppData\Roaming\Google
– A Child of God – 2015-12-17T15:33:04.010

1

@Vilican, actually Panda Free Antivirus made 2015's "Editor's Choice" for PC Magazine (http://www.pcmag.com/article2/0,2817,2388652,00.asp). They were near the top of various antivirus benchmarks and testing that I looked at a year or so ago when my Kaspersky subscription expired and I was looking into new antivirus. Although, I did end up choosing something else at the time.

– Ben – 2015-12-17T15:35:01.493

@Ben - Thanks for the info. However, ... how trustworthy is PCMag? You may notice that they obviously did not compare them with Norton or Eset. And also, this is a comparison of free versions of them all. – Vilican – 2015-12-17T15:41:02.190

Yeah, they have a separate page comparing the paid versions: http://www.pcmag.com/article2/0,2817,2372364,00.asp

I think they're fairly trustworthy...but I do look up several third-party well-known AV testers to verify the info PCMag shows when I look at these.

– Ben – 2015-12-17T16:11:10.087

What is the URL for the picture? Can you remember? – DavidPostill – 2015-12-17T18:17:22.607

My antivirus finished scanning my PC and removed 33 threats. I clicked edit on the pic and what is supposed to happen happened: Paint opened up. – A Child of God – 2015-12-18T14:21:05.857

Answers

15

It might be that some virus/application modified the registry key that sets which command is executed when you click on edit. Check it yourself first in the registry.


Browsing the file extension key in HKEY_CLASSES_ROOT will show the key for the shell menus. Now find that shell key in the registry editor.


If another app has modified it, like I have 'Edit with GIMP' here, a new shell item appears. If there is something there, just check the command.


It might be that the program that is opening that file from the context menu might be faulty and it generates the errors. If that program is having errors, just delete that entire key, and the edit should ask you to select the program to launch.

Sri Harsha Chilakapati

Posted 2015-12-17T15:02:43.233

Reputation: 397

1

It might be as stated by @SriHarsha, but there are also the following cases

Virus in PNG

Unlikely but even worse case:

the PNG file itself is prepared in a special way and contains a virus that opens a command prompt in order to perform a special operation (whatever the virus wants it to be).

Depending on the program which is used to open the PNG file, the virus may become active or not. E.g. it may not become active in Windows Image Viewer, because that program uses a newer graphics library which checks for buffer overflows.

But since you accidentally clicked "edit", it was opened in MS Paint, which might use a different library that does not perform buffer overflow checks, therefore crashes and the crash causes the virus to become active. The virus manages to run a command via the command line.

In such a case, the application is likely to crash or be unusable.

Fix: no fix. Run an antivirus program. If the virus is very new, it may not be detected. Don't use the PNG, but maybe keep it if you want to contact an anti-virus vendor.

Debugger

It is possible to set up a debugger to launch automatically when a program is started. This is done via the Registry Key ImageFileExecutionOptions. Depending on what type of debugger it is, it may open a console window. When the debugger decides to detach, the console window may close.

In that case, the application is likely to run normally.

Fix: remove the Registry Key for the affected program.

Thomas Weller

Posted 2015-12-17T15:02:43.233

Reputation: 4 102

I would think that if someone went to the trouble of embedding an exploit in an image they would also make sure it was invisible to the user. – JAB – 2015-12-17T17:41:48.383

I clicked on edit more purposely than accidentally. – A Child of God – 2015-12-17T18:16:44.817

My antivirus detected no threat/virus in the png pic. – A Child of God – 2015-12-17T18:19:13.043
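
The two registry checks described in the answers above (the command behind the file type's shell verbs, and a debugger set under Image File Execution Options), as an added read-only PowerShell example that is not part of either answer. The `SystemFileAssociations` and `UserChoice` locations and the `$suspicious` pattern are additions of this example; the pattern is only a heuristic for picking entries to look at by hand.

```powershell
# Added example: read-only audit of the registry locations named in the answers.
$ext  = '.png'                                  # extension from the question
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

function Get-RegValue([string]$Path, [string]$Name = '') {
    # Returns the named value ('' = the key's default value), or nothing if absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

# Keys that can contribute context-menu verbs (Open, Edit, ...) for the extension.
$roots = @("$hkcr\$ext", "$hkcr\SystemFileAssociations\$ext")
$userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
$progIds = @((Get-RegValue "$hkcr\$ext"), (Get-RegValue $userChoice 'ProgId'))
foreach ($p in ($progIds | Select-Object -Unique)) {
    if ($p) { $roots += "$hkcr\$p" }
}
$perceived = Get-RegValue "$hkcr\$ext" 'PerceivedType'   # typically "image" for .png
if ($perceived) { $roots += "$hkcr\SystemFileAssociations\$perceived" }

# Heuristic only (assumption of this example): script hosts or per-user AppData
# paths in a verb command deserve a manual look; a match is not proof of malware.
$suspicious = 'cmd(\.exe)?\b|powershell|[wc]script|\\AppData\\'

$verbs = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath "$root\shell" -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = Get-RegValue "$($_.PSPath)\command"
        [pscustomobject]@{
            Key     = "$root\shell\$($_.PSChildName)"
            Command = $cmd
            Review  = [bool]($cmd -match $suspicious)
        }
    }
}
$verbs | Format-Table -AutoSize -Wrap

# Image File Execution Options: a "Debugger" value is launched in place of the
# named program, so list every image that has one set.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
} | Format-Table -AutoSize -Wrap
```

A verb whose `Command` column is empty may be handled by a shell extension rather than a command line, and an empty second table means no debugger redirection is configured.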

1

It could be a virus masked/bound to a PNG/JPG file. With your accidental 'edit' of the image file, it may have caused the virus bound/masked to it to run.

Some viruses can be set to mask or bind into images. That way when you open the image file, it opens up the virus too. The way most of these things work is, the virus is stored into a .rar file and then placed inside the actual image. But most other binders work too.

You should run an anti-virus scan of your entire system and the image file, as soon as possible. And delete the image file so you won't accidentally edit it/run it again.

DraggyWolf

Posted 2015-12-17T15:02:43.233

Reputation: 11

As I have said previously, I did not click edit accidentally. – A Child of God – 2015-12-22T16:10:28.100