Windows Command Processor notification - Please help!

[d0n]

On my laptop which is running Windows 7 64 bit a Windows Command Processor notification appeared verified by Microsoft Windows so I clicked yes.

Later that day when starting up the laptop again the same notification appeared again, after clicking yes I noticed my anti virus wasn't running and would now not start up.

The anti virus I am running is Mcafee. The windows command processor notification will keep appearing every time i restart and will not go untill i click yes, selecting no will not do anything.

The details of the notification follow -

User Account Control
Do you want to allow the following program to make changes to this computer?

Program name: Windows Command Processor
Verified publisher: Microsoft Windows
Program location: "C:\Windows\SysWOW64\cmd.exe" /C "C:Users\Alex\AppData\Local\Temp\fsayopphnkpmiicu.exe"

If anyone could help it would be greatly appriciated.

Thanks.

 

[mjf]

I suggest you download Malwarebytes (see link in free programs section) and run a full scan.
As well consider
http://www.sevenforums.com/tutorials/157118-microsoft-safety-scanner.html
and
http://www.sevenforums.com/tutorials/166445-microsoft-standalone-system-sweeper.html

 

[richnrockville]

Welcome to the windows 7 forums.
As MJF has said, you need to run malwarebytes to get rid of this trojan/virus.

Program name: Windows Command Processor
Verified publisher: Microsoft Windows
Program location: "C:\Windows\SysWOW64\cmd.exe" /C "C:Users\Alex\AppData\Local\Temp\fsayopphnkpmiicu.exe"

this is the way they get it to run each time, It could be stealing all of your information. I would not go to any
financial site.

goto malwarebytes.org and download the free version of malwarebytes, and run it allow it to update.

Malwarebytes : Free anti-malware, anti-virus and spyware removal download

is the site.
If your virus/trojan won't allow you to run it or download it.
then you will need to go to another computer and download it, then run it on your bad machine.

rich

 

[d0n]

Thanks for your replys I installed Malwarebytes Anti Malware and did a full system scan but no infected items where detected.

 

[mjf]

I have run the MS standalone sweeper and it appears very thorough but takes awhile.
It's not my area but of course new malware can be missed.

That .exe you refer to looks suspicious. At the very least I wouldn't answer "yes" if the Window pops up.
Given you already have McAfee and if it has been permantly disabled I suggest you use the McAfee unistall tool and reinstall. You may want to get onto McAfee "chat" help before.

 

[karlsnooks]

D0n,

You must run a FULL SCAN by MalwareBytes.


Please run a full scan by MalwareBytes.

Report back the results.

I strongly recommend getting rid of MuckAfee and using Microsoft Security Essentials (MSE) which is free, non-interfering and my av of choice. MSE is the one and only AV i will recommend and install. Link in my sig.

 

[mjf]

He said he already ran a full scan using Malwarebytes.

The pros and cons of Anti Malware software maybe for another thread.
@OP
If you've already paid your McAfee subscription dumping it is your choice. This is not your immediate issue.

 

[d0n]

I did a full scan and it reported back with 0 infections. I've had a look and programme which runs on startup called nncemnnx and is an application with a size of 78kb modified around the time the problem started.

The location of the file is C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

The only other item in this location is Dell Dock

I cannot terminate the programme, could this be the root of my problem?

When i try and delete it, it says the action can't be completed because the file is open in host process for windows services.

 

[karlsnooks]

I suggest the following two:
1. run a full scan by Microsoft Standalone System Sweeper.

2. download, install, run as admin Autoruns.exe from SystInternals.
Carefully, examine the list of programs and services which are not from microsoft that are running on your system. You can always disable them and then reenable later if you thing such should be done.

Autoruns is the primary tool used by Mark Russonivich to detect malware and problem-children.

http://www.sevenforums.com/tutorials/166445-microsoft-standalone-system-sweeper.html

 

[mjf]

A google comes up with no reference to a program "nncemnnx" in a windows context. It may be legit but I'd be suspicious.

If you have an earlier system image I would go back to that as well as my other suggestions.

But it really looks like you need a malware expert. If someone doesn't come long you may wish to summarize the current status of your question and post under "System Security".

 

[karlsnooks]

I'm also suspicious of that one.

If he runs the standalone sweep, I suspect that this one could be caught. The standalone sweep doesn't boot up into his win 7 but rather into a ram disk Pre-execution Environment version of Win 7 running only on the ram disk. Thus the win 7 on the hard disk can be checked without "alerting' the malware.

Also autoruns would cast some light on that one as to whether it is "verified" and the source.

 

[d0n]

I ran the Mircrosoft Standalone System Sweeper Tool and 35 items where detected and cured. Restarted and the same problem still occured.

Did a system restore to earlier last month and everything seems fine, Mcafee is working fine and there doesn't seem to be any problems. Now could this be the end of the matter?

Should I do anything else now I've done the system restore, such as another stand alone scan or a sweep with Malware bytes? I've just set a full scan running with Mcafee, not that it does much good by the sounds of you guys haha.

 

[Dwarf]

First of all, whenever you get this sort of message on booting up or logging in it is invariably malware. A quick google of that file name has only returned 1 result, namely this thread. You should never click anywhere on the message, either Yes or No. Instead, end the program through Task Manager.

Can you let us know what you have got in the following Registry locations:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also, do a full registry search for fsayopphnkpmiicu and nncemnnx and report back with any results.

As mentioned above, a Google search for the first term returned this thread as its only result. The second term returned no results whatsoever, another clear indication of possible/likely malware.

 

[MilesAhead]

I would get WinPatrol
At least the free version. When it detects something is added to start with Windows, it pops up a dialog and asks you to allow it or not.

Just a precaution for the future. Unlike real-time av shields, there's just about zero performance penalty for running WinPatrol. It checks what it checks every so often. The time between checks is adjustable in settings.

Also it has a tab where you can see auto start entries. Not as comprehensive as autoruns but a lot easier to see what's going on and catches most auto start stuff. Also has a delay start feature that's handy.

 

[d0n]

Can you let us know what you have got in the following Registry locations:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also, do a full registry search for fsayopphnkpmiicu and nncemnnx and report back with any results.

How would I go about doing this?

Also thanks for everyones replies.

 

[Dwarf]

Click rb: and type regedit.exe into the search box and press Enter/Return. Now browse for the locations I mentioned in exactly the same way as you would in Windows Explorer.

For the registry search, click on Edit and then Find... (or use the Ctrl+F shortcut). Type the term that you wish to search for in the box Find what:. Leave the other options at their default, and click on Find Next. Make a note of the location of any matches and then press F3 to continue the search. Keep doing this until you get the message Finished searching through the registry.

 

[mjf]

As I mentioned earlier a 10 second google search produced no hits on the rogue software - a dead giveaway. Unfortunately you may get some warnings by googling on some essential windows elements.

The best security is to keep sufficient images so you can reimage to a point before you took the malware onboard.

 

[d0n]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -
Name (Default)
Type REG_SZ
Data (value not set)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -
Name (Default)
Type REG_SZ
Data (value not set)

Name Apoint
Type REG_SZ
Data C:\Program Files\DellTPad\Apoint.exe

Name Broadcom Wireless Manager UI
Type REG_SZ
Data C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.exe

Name HotKeysCmds
Type REG_SZ
Data C:\Windows\system32\hkcmd.exe

Name IAAnotif
Type REG_SZ
Data C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe

Name IgfxTray
Type REG_SZ
Data C:\Windows\system32\igfxtray.exe

Name Persistence
Type REG_SZ
Data C:\Qindows\system32\igfxpers.exe

Name Quickset
Type REG_SZ
Data C:\Program Files\Dell\QuickSet\QuickSet.exe

Name SysTrayApp
Type REG_EXPAND_SZ
Data C:\Program Files\IDT\WDM\sttray64.exe

Also searching the registry for fsayopphnkpmiicu and nncemnnx came up with nothing.

 

[karlsnooks]

I ran the Mircrosoft Standalone System Sweeper Tool and 35 items where detected and cured. Restarted and the same problem still occured.

Did a system restore to earlier last month and everything seems fine, Mcafee is working fine and there doesn't seem to be any problems. Now could this be the end of the matter?

Should I do anything else now I've done the system restore, such as another stand alone scan or a sweep with Malware bytes? I've just set a full scan running with Mcafee, not that it does much good by the sounds of you guys haha.

Replace MuckAfee with Microsoft Security Essentials (MSE). Link in my sig.

Run the Standalone System Sweeper again please. A Full Scan.

Until Standalone System Sweeper runs and comes up empty-handed then proceeding is senseless.

Stay away from Torrent sites. Stay away from P2P sites. Use the Web Of Trust add-in for your browser so can be aware of the bad sites. Do this after the Systerm Sweep. The System Sweep is priority number one.

 

[Tedri Mark]

Hi there, just registered to let you know how I got on with this problem.

I had the annoying upgrade popup, which I couldn't cancel (and obviously didn't want to approve), so I clicked on further information and found that it was to do with a file in users/MYUSERNAME/appdata/temp/ (I'm typing this from memory, so that might not be entirely correct)

So I deleted that file, only to find I still had the same problem.

I booted into safe mode (f8 before the windows logo appears), and I found that it was in my recycle bin (Even though I had shift+deleted everything in the temp folder) so I once more deleted it.

I also disabled a few items that I didn't recognise from my startup programs (Click 'start' and type msconfig into the box, then click the startup tab and have a look), they were called something like jkhlwafi (again, I'm typing from memory, and I could not find any mention of them when I searched google)

Not sure which of those steps sorted my problem out, but on booting back in normal mode, I have no more request to install the software.