Suspicious autoruns

[poisonedSYS]

Are these normal processes?

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
+ "Delete Cached Standalone Update Binary" "Windows Command Processor" "(Verified) Microsoft Windows" "C:\WINDOWS\system32\cmd.exe" "Wed Oct 11 13:03:36 2023" "
+ "Delete Cached Update Binary" "Windows Command Processor" "(Verified) Microsoft Windows" "C:\WINDOWS\system32\cmd.exe" "Wed Oct 11 13:03:36 2023" "
+ "Uninstall 23.209.1008.0002" "Windows Command Processor" "(Verified) Microsoft Windows" "C:\WINDOWS\system32\cmd.exe" "Wed Oct 11 13:03:36 2023" "
+ "\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler" "Performs periodic Windows Update maintenance tasks." "(Verified) Microsoft Windows" "C:\Program Files\RUXIM\PLUGscheduler.exe" "Fri Sep 15 20:37:12 2023" "

 

[poisonedSYS]

These are marked as positive 1/76 on VirusTotal

 

[Maxstar]

Hi,

These runonce entry's (RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE)) are legit and a part of Windows Update.

windows-itpro-docs/windows/privacy/required-windows-11-diagnostic-events-and-fields.md at public · MicrosoftDocs/windows-itpro-docs

 

[poisonedSYS]

and what about the images I posted?

 

[Maxstar]

You mean the VirusTotal detection? This will definitely be a false positive of one of the engines. Can you please share the VT links to see which engine it is?

 

[poisonedSYS]

There was a fourth user profile in Autoruns...IIS, what is this?

 

[Maxstar]

IIS (Internet Information Services) is also a part of Windows and used by different services e.g.

 

[poisonedSYS]

You mean the VirusTotal detection? This will definitely be a false positive of one of the engines. Can you please share the VT links to see which engine it is?

it says error now...

 

[poisonedSYS]

now IIS doesn't appear anymore...

 

[Maxstar]

it says error now...

Which error?

 

[poisonedSYS]

VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal

Done thanks using a hotspot wifi, someone is blocking my wifi home connection

 

[poisonedSYS]

i can try also to use wireshark to see what's wrong on the home wifi connection

 

[poisonedSYS]

It is saying hash submitted and then error...this is from wireshark

 

[Maxstar]

The results of the engines SecureAge and Skyhigh (SWG) are definitely false positives and can be ignored.

 

[poisonedSYS]

https://file.io/AXxeNdGB2POe this is from the corrupted network by wireshark

 

[poisonedSYS]

 

[poisonedSYS]

 

[poisonedSYS]

 

[Maxstar]

I don't know what you want to tell us with the above screenshots? Can you please describe the issue if you are experiencing problems with the internal (WiFi) network?

 

[poisonedSYS]

Multiple tcp port scan attacks, icmp redirect attacks, udp and tcp flooding, syn flooding and everytime it is from a different IP, surely masked by proxy.