Looks like remote attacker?

Hello, new to the forum but stumbled across something disturbing and came here to post. Hope I’m in the right area for this as the amount of locations in the forum to post is overwhelming and I just want to get this up ASAP and hopefully someone knowledgeable can assist.

OK, I downloaded REVO Uninstaller and was deleting old registry keys and getting rid of old programs that Windows Uninstall had troubles with. I decided to go into “Start” then type “Run” as I was going to do something and was startled to see this already in the “Run” box when it appeared:

C:\windows\system32\slmgr.vbs wkstn0064 administrator password1 -dlv

I know full well what slmgr is… but WTF is “wkstn0064 administrator password1 -dlv” doing there in the “RUN” box??? NO ONE has access to the computer but me. I also have a rather long password for Windows, and am careful with what I download. I’ve also NEVER typed the above into the run box or anywhere else (meaning the computer should NOT of auto applied it in the box like it was the last typed instance) so my only other conclusion is someone has gotten in somehow and was trying to what, skip my password or something? Please help as if this is the case I’d like to know and block the leak in the firewall as well as figure out it’s location.

Slmgr.vbs is the Server License Manager Script. It’s used to manage licensing on Windows 7/Server 2008 systems. the -dlv command option just displays the current licence information. Are you using a rearm program?

Yes. I switched computer HD and have been using rearm for a little while. I’ve only used the rearm and the lic key suffix prompts with slmgr, so I’m trying to figure out why this was in the Run box as if it was something I’ve typed in the past when it wasn’t. And the “workstation0064” bit being in the same line as “administrator password1 -dlv” has me concerned. My actual password is much more complex, I’m just trying to figure out why it was there and if someone was remotely trying to bypass my password as if they were logged on as me to gain access to the desktop and files?

Is this computer bought from a big company like Dell, HP, Lenovo, etc? They use volume licensing.Tthat means that one license is being used for whole groups of their computers. May be it is from the factory image then.

No, it’s a 100% custom build. Changed motherboard recently though but didn’t want to register to this board thus using rearm for the time being. If it doesn’t sound serious, I won’t fuss anymore. Been watching the In/OUT activity as well as making the Stealth Ports which I never messed with before. Looks like Comodo finally fixed Defense+ to stop hogging CPU resources so I turned back on as well and might as well update PW’s anyways to play it safe. Just thought someone might of gotten in and tried an internal code to bypass my Password to gain access as Google kept bring up “windows password hacking” when I tried Googling “administrator password1 -dlv”. Never know anymore what people can and can’t truly do as I suspect it’ll be a new warfare technique at some point, especially with the way some of the Asian countries are acting lately, but until then I like to stay vigilant and protect my files and make sure something I downloaded didn’t have a little something something I’d rather not see :-TU

I can’t really see why someone would ‘hack’ your PC, then run a licence check, which doesn’t really provide anything useful and doesn’t require elevated privileges. It’s more likely to be something to do with whichever rearm application you’re using. Most or the ones I’ve seen create a scheduled task to perform these kinds of check.