Windows 7: Windows Command Processor asking to run pop-ups

It was suspected that this came from the email with the malicious PIF attachment, supposedly from DHL. From the email source we see that it was from:

Received: from [] (
by with esmtpa (Exim 4.69)
(envelope-from )
id 1MMK41-8793sc-NB
xxx; Thu, 7 Aug 2014 10:09:26 +0100
Received: from [] (
by with esmtpa (Exim 4.69)
(envelope-from )
id 1MM14N-1537gl-XZ
xxx; Thu, 7 Aug 2014 10:09:26 +0100

Even though we doubt it as the source, Windows 7 continued to give a pop-up warning that Windows Command Processor needed to be run. Since we already suspected something, we chose No. It happened so many times that it started to be annoying.

Looking on the net, we saw that it was highly suspected to be malware, but we didn’t detect it with Norton AntiVirus. Even after using Malwarebytes and SUPERAntiSpyware we found nothing.
So after browsing several solution pages, we saw that a program called ComboFix accidentally fixed the problem. I say accidentally because, on the forum, the solution experts use the program as a diagnostic tool, not as the “cure” tool.
You can download the program from or
Thanks to the guide from Elise from Romania…
OK, after you download it, just run the program. By default it will extract itself to the system drive root (usually drive C). You just wait; it will run by itself and needs minimal confirmation while it runs.
After it finishes, it will create a log file named combofix.txt. You can look inside for unusual entries for your system and take the necessary steps to change/delete them.
In my case I didn’t do anything after the scan, because the popup is not there anymore…

