Windows Command Processor notification - Please help!

Also, previously I had tried to log into my Lloyds TSB internet banking, and after entering the correct login, password, and the requested letter from my memorable information, I was taken to a legit-looking screen which asked for my password again and the whole of my memorable info (something which Lloyds and I think pretty much all banks state that they will never do...)

Now I seem to be able to log in fine...
 
My Computer

OS
Win 7 Home 64 bit
Thanks for letting us know the status.

Since some malware will also go to sleep or run only every n starts, I strongly recommend running the Microsoft Standalone System Sweeper as mentioned in a previous post.

Karl
 

My Computer

Computer Manufacturer/Model Number
Toshiba Satellite S875D-S7239 laptop
OS
MS Windows 7 Ultimate SP1 64-bit
CPU
AMD A10-4600M
Motherboard
AMD Pumori (Socket FT1)
Memory
6.00 GB Dual-Channel DDR3 @ 798MHz (11-11-12-28)
Graphics Card(s)
AMD Radeon HD 7660G
Sound Card
High Definition Audio Device
Monitor(s) Displays
Generic PnP Monitor (1600x900@60Hz)
Screen Resolution
1600x900@60Hz
Hard Drives
SSD 119GB Corsair CSSD-V128GB2 ATA Device
Keyboard
Standard PS/2 Keyboard
Mouse
HP Wireless Optical Mobile Mouse Model FHA-3410
Internet Speed
What the local pub, local coffee shop offers.
Other Info
Optical Drive:MATSHITA BD-CMB UJ160B ATA Device


Also have an Asus ha1002xp netbook with Win 7 Ultimate installed.
Okay, it's back - It re-appeared once I opened a Photoshop file which I was sent from a guy I'm supposed to be doing some freelance work for..

Not sure if it is definitely due to that file, and I highly doubt that he has put it in there himself maliciously (although it would be a good way of spreading the file, he only sent me the zip file after accepting me for the project (you can only accept one person), rather than attaching the zip to the project proposal, which would have potentially been opened by a lot more people)..

But sure enough "mieehyvoumnpwgcq" has re-appeared in my local/temp folder and another udgjfawi entries are in my startup list in msconfig...

And sure enough, once again trying to log into Lloyds takes me to: https://secure2.lloydstsb.co.uk/personal/a/logon/reentermemorableinformation.jsp

Schneeeaaky!

Before I successfully deleted it, it would prompt the install every time, which was at least 5 reboots..
 

My Computer

OS
Win 7 Home 64 bit
Oh, it also seems to cause Skype to crash, and stops me sending mail via Thunderbird...

I had wondered if the Thunderbird mail thing was related, and it seems so, as it was not working yesterday, and then started working again after I fixed the problem, and now isn't working again... Going to email Lloyds from another computer...
 

My Computer

OS
Win 7 Home 64 bit
We have a tutorial on running Microsoft Standalone System Sweeper.

Run that and attach the logs mentioned in the procedure I give you to your next post.

Be forewarned, this is a very thorough and excellent program and will take several hours.

ESET is a decent AV program. Keep your AV software current.

Never open a file or attachment before you open the file or attachment.

What browser are you using?

The important reply from you is the one where you attach the logs from running the Microsoft Standalone System Sweeper.
 

My Computer

OS
MS Windows 7 Ultimate SP1 64-bit
Okay, so I just went to open an attachment sent to me by a guy I'm doing some freelance work for, and hey presto, it cropped up again.. Not sure if it is the attachment itself (a Photoshop file) or something now embedded in Photoshop (as clicking on the file automatically opened Photoshop..)

I can confirm that it re-introduced the re-direct in Lloyds log in.. And also, the 2 startup processes are called UdgJfawi and udgjfawi in HKCU/Software/Microsoft/Windows/CurrentVersion/Run and C:/Users/MYUSERNAME/Roaming/Microsoft/Windows/Start Menu/Programs respectively..

EDIT: Sorry I thought the post before this one hadn't posted - I'll leave this here as it has a bit of extra info..

Just opened Photoshop on its own after once more going through the previous procedure to remove the problem and sure enough, the update request starts up again..

EDIT 2: I'm using Firefox, I'm going to do my quick fix for the time being, and not use Photoshop, and then run the system sweeper overnight. Logs to follow...
 

My Computer

OS
Win 7 Home 64 bit
In case you missed my last post.
 

My Computer

OS
MS Windows 7 Ultimate SP1 64-bit
Hiya,

Just dropping by, I think I had the same virus/trojan/whatever as the OP.

I can't now recall what the malicious files were named, but they seemed like randomly generated names, e.g. gfdilfgd.exe (not the actual name, but used for demonstration).

I tried and ran several anti-virus and malware removal programs, but none of them detected what was causing the problem. I couldn't get Microsoft Standalone System Sweeper to install on my USB stick, so I didn't use it.

But I think I got it solved and the files removed in the following way:

I examined the filepath that was causing the Command Process notification to display (it shows the filepath in the notification and you can force the notification to stay in the background by pressing ESC in the notification screen and quickly opening, for example, Windows Explorer). I also used Autoruns (Autoruns for Windows) to find out what program was run at logon to cause the malicious software to run; similarly there were entries such as gfdilfgd.exe.

Comparing information from these I found out that they were pointing at C:\Users\(Your Username)\AppData\ , which is a hidden folder and you have to enable seeing hidden files in Folder Options in the Control Panel. Specifically the malicious files were in the folders Local, Roaming and \Roaming\Temp. The files had randomly generated, but rather short names such as "sadfispodcixg" or "gsdgsodpgsd.exe" so they were easy to spot. I also checked the file creation times to find out that the suspicious files were created at close to the same time, which helped to spot the malicious files in different folders. There were different types of files, some folders, .exes in the folders and .txt documents or logs that seemed to be generated by the malicious software, because more of them were appearing at intervals.

To remove the files by hand, I booted Windows into Safe Mode. I started by running Autoruns and removing the malicious entries (there were 2 of them) from the logon tab so they wouldn't run on startup. Then I went on removing all suspicious files from the previously mentioned folders and double checking that I didn't leave anything that could be part of the malicious program.

Booted back into Windows 7 and the notification isn't appearing anymore and I can't see any traces of the malicious software.
 

My Computer

OS
Windows 7 Home Premium x64
Just a suggestion. Sometimes when I have not been able to remove a suspicious file and the A.V. does not catch it, or Malwarebytes, I go to search and run regedit. I then type the name of the program "windows command processor" and wait for the file to be found. I then start deleting one file at a time by hitting F3. I do not know how much easier to explain this. Just remember playing with the Windows Registry is very tricky and if you delete the wrong file or item it could crash your computer. If you decide to use regedit, after removing all the file contents, run Malwarebytes and download CCleaner or Glary Utilities to clean and repair the registry. Again, someone else may have better advice or explain what I am trying to convey in a better way.

Still Learning, Learning Still

Curtis
 

My Computer

OS
XP
1. Uninstall any virus software like McAfee
2. Download trial version of Kaspersky
3. Do full scan
4. Then reinstall virus software, either McAfee or Kaspersky. I continued with Kaspersky.

Problem is solved for me. I hope it is virus associated.

Ganesan P
 

My Computer

OS
Windows 7 64 bit
I know this is quite late but if anyone else has got similar problems, then you might find this useful.

I had the same problem as described in the title of this thread. On start up, a message from Microsoft kept popping up asking me to allow it to make changes to the computer. The only way I could do anything without clicking yes was to constantly click no and escape and somehow it let me work on the computer with the message still flashing. I went to the registry into the following location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

In that I found labsdhtv.exe and I tried to delete it but it didn't allow me as the program was already open. I rebooted the system in safe mode and I entered the location on the C drive in users/appdata/local (or similar to that), deleted the labsdhtv and deleted all the additional files created on the day of the virus attack. Once I rebooted the system the virus disappeared and my computer is now back to normal.

I found this forum extremely helpful so thank you for all the information. I hope my post helps anyone that's got similar problems.
 

My Computer

OS
Windows 7 32bit
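
The manual hunt described in the two posts above (autostart entries in HKCU Run or the Startup folder that point into AppData, then files created at about the same time) can be done as a read-only listing. This PowerShell is an added example, not something posted by a thread participant; the 10-minute window and the variable names are assumptions.

```powershell
# Added example: read-only triage; nothing is deleted or modified.
$windowMinutes = 10   # assumption: what counts as "created at about the same time"

# 1. Per-user autostart entries: HKCU Run values and items in the Startup folder.
$entries = @()
$runKey = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $entries += New-Object psobject -Property @{ Source = 'HKCU Run'; Name = $name; Command = [string]$runKey.GetValue($name) }
    }
}
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem ([Environment]::GetFolderPath('Startup')) -ErrorAction SilentlyContinue | ForEach-Object {
    # Resolve shortcuts to their target; any other file dropped here runs as-is.
    $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
    $entries += New-Object psobject -Property @{ Source = 'Startup folder'; Name = $_.Name; Command = [string]$target }
}

# 2. Keep the entries whose command line points into the user's AppData tree.
#    Legitimate software also starts from there, so this is a lead, not a verdict.
$roots = @($env:LOCALAPPDATA, $env:APPDATA)
$leads = @($entries | Where-Object {
    $cmd = $_.Command
    @($roots | Where-Object { $cmd.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0
})
$leads | Format-Table Source, Name, Command -AutoSize -Wrap | Out-Host

# 3. For each lead that resolves to a file, list what else was created close to it in time.
$dirs = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)
foreach ($lead in $leads) {
    # Pull the executable path out of a quoted or unquoted command line.
    $path = $lead.Command.Trim()
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($path -match '^(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)') { $path = $Matches[1] }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $born = (Get-Item -LiteralPath $path -Force).CreationTime
    Write-Host "`n$($lead.Name) -> $path (created $born)"
    Get-ChildItem -Path (@($dirs + (Split-Path -Parent $path)) | Sort-Object -Unique) -Force -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $born).TotalMinutes) -le $windowMinutes } |
        Sort-Object CreationTime |
        Select-Object CreationTime, Length, FullName | Format-Table -AutoSize | Out-Host
}
```

Only the top level of each folder is listed, so anything nested deeper still needs a manual look; review the output before removing anything.
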
This morning I woke up to use my laptop but the first message that popped up was a "windows command processor" message and it just wouldn't leave the screen, so at first I checked the publisher and it was verified by Windows, but the funny thing was the certification was expired, but it kept bothering me so I allowed it to go through and it disappeared for a while, but I still was curious on why it kept popping up several times so I went onto Google to search the programme up but the screen blanks off so I shut the laptop down straight away... I was reading this thread and there was a lot of helpful info on it. Unlike many of you that are technically gifted here, I'm not too good with that kind of stuff, so please can someone take me through a step by step process of how to get rid of this virus, it would be great... I'm sorry I couldn't provide you with details of the laptop as it's turned off and when I try getting on the net it blanks off, so can you please tell me what to do, it would be a great help!!

Thanks.
 

My Computer

OS
Windows 7 Professional