Windows 7: "Windows Command Processor" asking to run pop-ups


We suspected it came from a malicious .pif file attached to an email that claimed to be from DHL. From the message source we can see where it was actually handed in (the recipient address is redacted as xxx):

Received: from [24.78.30.47] (helo=twigykjcqex.glliycjcsuhgjca.ua)
    by host176-116-static.39-79-b.business.telecomitalia.it with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMK41-8793sc-NB
    for xxx@xxxxxx.com; Thu, 7 Aug 2014 10:09:26 +0100
Received: from [148.24.38.24] (helo=cdgkgvjh.cyyxwzais.info)
    by host176-116-static.39-79-b.business.telecomitalia.it with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MM14N-1537gl-XZ
    for xxx@xxxxxx.com; Thu, 7 Aug 2014 10:09:26 +0100

Two things stand out. "with esmtpa" is Exim's tag for an authenticated SMTP session, so the message was submitted with a login on a Telecom Italia business host, not from anything belonging to DHL, and the HELO names are random-looking strings that do not match DHL either. Both hops also claim the same receiving host at the same second, which is not how a normal relay chain looks.
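The header check above, written out as an added example (it is not code from the original post): parse the Received: chain of a raw message, list the hops in delivery order, and flag an authenticated submission, unverified HELO names, and a duplicated receiving host. The sample input is the header text quoted on this page, with the author's "xxx" redaction kept; any other message source can be pasted in its place.

```powershell
# Added example, not from the original post: parse a raw Received: chain and
# list the hops in delivery order, then flag what makes this "DHL" mail odd.
# The sample below is the header text the post quotes (the recipient address
# is the author's own "xxx" redaction); any other message source works too.
$rawHeaders = @'
Received: from [24.78.30.47] (helo=twigykjcqex.glliycjcsuhgjca.ua)
    by host176-116-static.39-79-b.business.telecomitalia.it with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMK41-8793sc-NB
    for xxx@xxxxxx.com; Thu, 7 Aug 2014 10:09:26 +0100
Received: from [148.24.38.24] (helo=cdgkgvjh.cyyxwzais.info)
    by host176-116-static.39-79-b.business.telecomitalia.it with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MM14N-1537gl-XZ
    for xxx@xxxxxx.com; Thu, 7 Aug 2014 10:09:26 +0100
'@

function Get-FirstGroup {
    param([string]$Text, [string]$Pattern)
    if ($Text -match $Pattern) { return $Matches[1] }
    return $null
}

function Get-ReceivedHops {
    param([string]$Headers)
    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # belongs to the previous header) so each Received: header is one line.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    $hops = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s*(.*)$') {
            $body = $Matches[1]
            $hops += New-Object PSObject -Property @{
                FromIp   = Get-FirstGroup $body 'from \[([0-9.]+)\]'
                Helo     = Get-FirstGroup $body 'helo=([^)\s]+)'
                By       = Get-FirstGroup $body '\bby (\S+)'
                Protocol = Get-FirstGroup $body '\bwith (\S+)'
                Id       = Get-FirstGroup $body '\bid (\S+)'
                Date     = Get-FirstGroup $body ';\s*(.+)$'
            }
        }
    }
    # Each MTA prepends its own header, so the last Received: is the first hop.
    [array]::Reverse($hops)
    return $hops
}

function Test-ReceivedChain {
    param($Hops)
    $Hops = @($Hops)
    $findings = @()
    for ($i = 0; $i -lt $Hops.Count; $i++) {
        $h = $Hops[$i]
        # "esmtpa" is Exim's tag for an authenticated session: whoever sent this
        # hop had a login on that relay (here a Telecom Italia business host).
        if ($h.Protocol -eq 'esmtpa') {
            $findings += "hop ${i}: authenticated submission from $($h.FromIp) via $($h.By)"
        }
        # HELO names are claimed by the sender, not verified by the relay; check
        # them against the connecting IP's reverse DNS and whois out of band.
        if ($h.Helo) {
            $findings += "hop ${i}: helo '$($h.Helo)' claimed by $($h.FromIp); verify with nslookup/whois"
        }
        # The same host "receiving" the message twice, from different IPs, in the
        # same second is not a real relay chain; treat the upper hop as forged.
        if ($i -gt 0 -and $h.By -eq $Hops[$i - 1].By -and $h.Date -eq $Hops[$i - 1].Date) {
            $findings += "hop ${i}: duplicate receiving host $($h.By) at the same timestamp as hop $($i - 1)"
        }
    }
    return $findings
}

$hops = Get-ReceivedHops -Headers $rawHeaders
$hops | Format-Table FromIp, Helo, By, Protocol, Date -AutoSize
Test-ReceivedChain -Hops $hops
```

Read the hops bottom-up as the script does: the lowest Received: header is the one closest to the real sender, and everything above it is only as trustworthy as the host that added it. The HELO and "from" IP are both sender-controlled, which is why the script records them for follow-up instead of drawing conclusions from them.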

Even though we were not sure that was the source, Windows 7 kept showing a pop-up warning that Windows Command Processor needed to run. That prompt is User Account Control asking permission to start cmd.exe with administrator rights, and since we already suspected something we chose No each time. It happened so many times that it became annoying, which is itself a sign: nothing legitimate keeps trying to elevate the command processor when the user has done nothing.

Searching the web we saw that this was widely reported as malware, but Norton Antivirus did not detect it, and even Malwarebytes and SuperAntiSpyware found nothing.
After browsing several solution pages we saw that a program called ComboFix fixed the problem, almost by accident. I say by accident because on the forum the helper used the program as a diagnostic tool, not as the "cure". ComboFix does more than scan, though: it removes known malware and resets some settings on its own while it runs, which is why a "diagnostic" run can also clear an infection, and it is meant to be run with the antivirus disabled and only under the guidance of someone who can read its log.
You can download the program from http://download.bleepingcomputer.com/sUBs/ComboFix.exe or http://www.infospyware.net/antimalware/combofix/
Thanks to the guide from Elise from Romania...
After you download it, just run the program. By default it extracts itself to the root of the system drive (usually C:), then runs on its own and needs minimal confirmation while it works.
When it finishes it writes a log file named ComboFix.txt. Look through it for entries that are unusual for your system (autostart programs, scheduled tasks, drivers, hosts file changes) and take the necessary steps to change or delete them.
In my case I did not do anything after the scan, because the pop-up was gone.
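Before (or instead of) running a removal tool, the first thing to find is what keeps asking to start cmd.exe. The following is an added example, not part of the original post or of ComboFix: it enumerates the autostart locations such a prompt is normally launched from (Run/RunOnce keys, Winlogon Shell/Userinit, the Startup folders and scheduled tasks) and flags entries that invoke cmd.exe or a .bat/.cmd/.pif payload. It assumes the prompt is a UAC request raised by an autostart entry (the usual case; "Windows Command Processor" is the file description of cmd.exe, which UAC shows as the program name), reads only, and is written for the PowerShell 2.0 that ships with Windows 7. The paths and regular expressions are my choices, not something the post specifies.

```powershell
# Added example, not from the original post: enumerate the autostart locations
# a repeating "Windows Command Processor" elevation prompt is normally launched
# from, and flag the entries that invoke cmd.exe or a batch/PIF payload.
# Assumption: the prompt is a UAC request raised by an autostart entry.
# Run from an elevated PowerShell on the affected machine (HKLM needs admin to
# read fully). Nothing here deletes; review the output by hand the same way the
# post suggests reviewing ComboFix.txt. Written for Windows 7's PowerShell 2.0.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function New-Entry {
    param($Source, $Name, $Command)
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Command = [string]$Command }
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # PSPath, PSParentPath, ...
            # Under Winlogon only Shell and Userinit are launch points.
            if ($key -like '*Winlogon' -and ('Shell', 'Userinit') -notcontains $p.Name) { continue }
            $entries += New-Entry $key $p.Name $p.Value
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -Force) {
            $entries += New-Entry $dir $f.Name $f.FullName
        }
    }
    # Scheduled tasks via schtasks (Get-ScheduledTask needs Windows 8 or later).
    # Verbose CSV output repeats the header row per task folder, so skip those.
    $tasks = schtasks /query /fo csv /v | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.TaskName -eq 'TaskName' -or $t.'Task To Run' -eq 'N/A') { continue }
        $entries += New-Entry 'schtasks' $t.TaskName $t.'Task To Run'
    }
    return $entries
}

function Find-CmdLaunchers {
    param($Entries)
    # cmd.exe itself, or a .bat/.cmd file that cmd.exe runs, is what puts
    # "Windows Command Processor" in the UAC dialog; .pif is included because
    # that is the attachment type the post suspects.
    @($Entries) | Where-Object {
        $_.Command -match '(?i)\bcmd(\.exe)?\b' -or $_.Command -match '(?i)\.(bat|cmd|pif)\b'
    }
}

$all = Get-AutostartEntries
$all | Format-Table Source, Name, Command -AutoSize -Wrap
'--- entries that launch the command processor ---'
Find-CmdLaunchers -Entries $all | Format-Table Source, Name, Command -AutoSize -Wrap
```

Anything the second table lists that you did not put there yourself (a name you do not recognise, a command pointing into %TEMP% or %APPDATA%, a .pif with a courier-sounding name) is the entry to investigate, and the same locations are what to look for in the ComboFix.txt log. Note what the entry points at before removing it, so the file itself can be submitted to the antivirus vendor that missed it.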
