Multiple infections detected but unable to be deleted (Win32:Malware-gen/others)

Okay, long story short, I had a popup window that would not go away, and momentarily froze my laptop. When I was eventually able to close the window, I started receiving messages asking for permission for a program called ‘Windows Command Processor’ to make changes to my computer. This message just keeps popping up, no matter how many times you click ‘no’.

So I started running virus scans. While MalwareBytes couldn’t seem to find anything, Microsoft Security Essentials and Avast both tell me they’ve identified the virus and removed it, but once I restart my computer the message just keeps popping up.

Losing my patience, I finally clicked ‘yes’. Avast suggested I run the program in sandbox, which I did, and I immediately received warnings from both Security Essentials and Avast saying I have multiple infections (Security Essentials telling me that I have anywhere between 9 and 90 potential threats). Avast identifies the infection as “win32:Malware-gen”, while Security Essentials detects “Trojan:WinNT/Ramnit.gen!A”.

No matter how many virus scans I run that seemingly find and delete the virus, whenever my computer restarts, I am asked for permission for “Windows Command Prompt” to run.

If anyone can help, I’d really appreciate it, because I’m out of ideas. I’m not very computer-savvy, and my usual technique of “run virus scan in safe mode” has failed me.

Why are you running two antivirus programs? Try a boot-time scan with Avast, & try Malwarebytes in safe mode.

Running two resident AVs is going to cause you nothing but grief as they fight for control over a file considered infected, like two dogs fighting over a bone.

Having two resident anti-virus scanners installed is one too many and not recommended, as rather than providing twice the protection it can cause conflicts that could leave you more vulnerable.

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avastUI, Real-Time Shields, File System Shield, Shield log.

For detections on on-demand scans, check C:\Documents And Settings\All Users\Application Data\Alwil Software\Avast5\Log (Windows 2000, Windows XP), or C:\ProgramData\Alwil Software\Avast5\log (Windows Vista, Windows 7).

...... & try Malwarebytes in safe mode
@SHARKY7SHARKY: not recommended, as it is designed to work best in normal mode.

Quote from nosirrah (Bruce Harrison, Vice President of Research, Malwarebytes):

MBAM works from safe mode but it is not designed to work that way.

MBAM will work better from regular mode, both in terms of what it detects and what it can remove.

Doing a safe mode scan with MBAM should only be done when a regular mode scan fails.

Thanks for the replies. I know more than one virus scanner causes problems, but when Security Essentials couldn’t solve the problem, I downloaded Avast. Would uninstalling Security Essentials and then running a scan with Avast be an idea?

When I click yes on the “Windows Command Processor” request, and Avast asks if I want to run it in sandbox, it gives the file location as “C:\Users\Paul\AppData\Local\Temp\ehknywwtsltfshyv.exe”, and says it was opened by “C:\Windows\SysWOW64\cmd.exe”.

But when I run it in sandbox, the virus alerts tell me the object is “C:\Users\Paul\AppData\Local\Temp\tqnaarna.sys”, while giving “C:\Users\Paul\AppData\Local\Temp\ehknywwtsltfshyv.exe” again as the process.

Well, in the sandbox it is actually running in a virtual environment, and that looks like a file that it created in Temp while trying to run the executable again, a bit of a weird cyclic issue.

This ehknywwtsltfshyv.exe file is highly suspect in itself as it looks like a randomly created file name and it should be sent to avast for analysis, see #### below.

However, that file aside, there is something hidden responsible for using “C:\Windows\SysWOW64\cmd.exe” to launch the ehknywwtsltfshyv.exe file in the first place, and that has yet to be found. Thankfully the autosandbox is preventing this suspect file ehknywwtsltfshyv.exe from being run.

You must uninstall MSE as a starting point, as the two AVs aren’t helping in this matter at all; any conflict between both could well leave you more vulnerable.

Send the sample/s to avast as a Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

^^^^
Run this tool after having sent the sample to avast, to clear all temp files:
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Run MBAM and do an update from normal Windows mode, then scan and post the contents of the scan log?

Sent a sample of ehknywwtsltfshyv.exe to avast, and cleared temp folders, but should I ignore the “Windows Command Processor” request while I run MBAM, or click yes and let Avast run it in sandbox? I’m just wondering if MBAM will have trouble detecting it if Avast is running it in sandbox?

Run MBAM in normal mode, otherwise it will not be able to remove anything.

I ran a full MBAM scan with the “Windows Command Processor” message flashing away, and the scan came back with no malicious items found. Here’s the log:

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7297

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

27/07/2011 19:06:24
mbam-log-2011-07-27 (19-06-24).txt

Scan type: Full scan (C:|D:|E:|)
Objects scanned: 335323
Time elapsed: 50 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Any further problems?

The MBAM scan has changed nothing. Afterwards, I clicked yes on the “Windows Command Processor” message and ran it in sandbox, and Avast instantly detected the infection again. I moved it to chest and deleted it (again), but when I restart my computer the message just comes back.

Perhaps I should try allowing the program (whatever it is) to run normally, not in sandbox, and then try MBAM scan?

OK, time to go digging.

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users.
- Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in:


%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

Trying to post log, but I’m being told the file size is too big. It’s 201kb, and apparently the limit is 192kb?

Could you upload to Mediafire? The link is in red on my previous post.

Ugh, completely missed that, sorry. Here’s the link:

http://www.mediafire.com/?y14wfhvhh5hsh77

OK, got it. The files will be zipped in the following location: C:\_OTS\MovedFiles. Could you upload the folder to Mediafire please, for me to collect?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> mcmswuun.exe -> C:\Users\Paul\AppData\Local\evucbsnq\mcmswuun.exe
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-135629090-249397523-1038615723-1001\] > -> HKEY_USERS\S-1-5-21-135629090-249397523-1038615723-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "McmSwuun" -> C:\Users\Paul\AppData\Local\evucbsnq\mcmswuun.exe [C:\Users\Paul\AppData\Local\evucbsnq\mcmswuun.exe]
[Files - No Company Name]
NY ->  mcmswuun.exe -> C:\Users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mcmswuun.exe
NY ->  ~39182072r -> C:\ProgramData\~39182072r
NY ->  ~39182072 -> C:\ProgramData\~39182072
NY ->  39182072 -> C:\ProgramData\39182072
NY ->  ~43898948r -> C:\ProgramData\~43898948r
NY ->  ~43898948 -> C:\ProgramData\~43898948
NY ->  43898948 -> C:\ProgramData\43898948
NY ->  ~37740280r -> C:\ProgramData\~37740280r
NY ->  ~37740280 -> C:\ProgramData\~37740280
NY ->  37740280 -> C:\ProgramData\37740280
NY ->  Ojokimif.dat -> C:\Users\Paul\AppData\Local\Ojokimif.dat
NY ->  Nbelewazucoc.bin -> C:\Users\Paul\AppData\Local\Nbelewazucoc.bin
[Custom Items]
:Files
ipconfig /flushdns /c
C:\Users\Paul\AppData\Local\evucbsnq
:end
[Empty Temp Folders]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
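The persistence pattern the fix above removed is worth being able to spot yourself: a Run-key value and a copy in the Startup folder, both pointing at a random-named executable under AppData\Local, which in turn used cmd.exe to relaunch a dropper from Temp, with the OTS custom scan also hashing core system files (explorer, winlogon, userinit, svchost, volsnap) because file infectors such as Ramnit modify host executables. The PowerShell script below is an added example written for this thread; it is not part of OTS, avast or Malwarebytes. It lists Run/RunOnce values and Startup-folder files whose target sits in a user-writable location or has a random-looking name, and prints SHA256 hashes of the same system binaries for comparison against a known-clean machine of the same build. The vowel-ratio threshold, the 8-letter minimum and the set of “user-writable” roots are assumptions; it is written against PowerShell 2.0 (what Windows 7 shipped with) and should be run as the affected user so HKCU and %APPDATA% resolve to that profile (no elevation needed for reading).

```powershell
# Added example for this thread, not part of OTS, avast or Malwarebytes.
# Lists autorun entries that look like the one removed above (Run key /
# Startup folder -> random-named exe in a user-writable folder) and hashes
# the system binaries the OTS custom scan checked. PowerShell 2.0 syntax.
# The thresholds and the "user-writable" roots below are assumptions.

# Roots an unprivileged user can write to. Legitimate software (updaters etc.)
# also lives here, so a hit is a lead to look at, not a verdict.
$userWritableRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$suspectPath = '(?i)^(' + ($userWritableRoots -join '|') + ')'

# Names like mcmswuun.exe or ehknywwtsltfshyv.exe: 8+ letters, few vowels.
function Test-RandomName {
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name).ToLowerInvariant()
    if ($base.Length -lt 8 -or $base -notmatch '^[a-z]+$') { return $false }
    $vowels = [regex]::Matches($base, '[aeiouy]').Count
    return ($vowels / $base.Length) -lt 0.35
}

# Executable path from a Run-key command line, quoted or not.
function Get-TargetPath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Get-SuspiciousAutoruns {
    $findings = @()
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $target = Get-TargetPath ([string]$p.Value)
            if (-not $target) { continue }
            $why = @()
            if ($target -match $suspectPath)                 { $why += 'user-writable location' }
            if (Test-RandomName (Split-Path $target -Leaf))  { $why += 'random-looking name' }
            if ($why.Count -gt 0) {
                $findings += New-Object PSObject -Property @{
                    Source = $key; Name = $p.Name; Target = $target; Why = ($why -join ', ') }
            }
        }
    }
    # Anything in a Startup folder runs at logon; the fix above removed one of these.
    $startupDirs = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in (Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer })) {
            $why = @('Startup folder')
            if (Test-RandomName $f.Name) { $why += 'random-looking name' }
            $findings += New-Object PSObject -Property @{
                Source = $dir; Name = $f.Name; Target = $f.FullName; Why = ($why -join ', ') }
        }
    }
    return $findings
}

# SHA256 of the files the OTS custom scan hashed; compare with a clean machine
# of the same Windows build, since a file infector changes these in place.
function Get-SystemBinaryHashes {
    $files = @('explorer.exe', 'System32\winlogon.exe', 'System32\userinit.exe',
               'System32\svchost.exe', 'System32\drivers\volsnap.sys') |
        ForEach-Object { Join-Path $env:SystemRoot $_ }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($f in $files) {
        if (-not (Test-Path $f)) { continue }
        $bytes = $sha.ComputeHash([IO.File]::ReadAllBytes($f))
        $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        New-Object PSObject -Property @{ File = $f; SHA256 = $hex }
    }
}

Get-SuspiciousAutoruns  | Format-Table Source, Name, Target, Why -AutoSize
Get-SystemBinaryHashes  | Format-Table File, SHA256 -AutoSize
```

Two caveats a practitioner would add: on Windows 7 the core system binaries are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature on PowerShell 2.0 reports them as NotSigned even when clean, which is why the script compares hashes instead; and this only covers the two autorun locations the thread turned up, not services, scheduled tasks, Winlogon or shell-spawning keys, which is why the OTS scan above asks for those extra registry sections.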

Here’s the link to the log file:

http://www.mediafire.com/?49no8b1ko5eo8q5

Is that all you need, or will you need all the contents of the “MovedFiles” folder?

Regardless, your fix seems to have done the trick. There’s no ‘Windows Command Processor’ message, no infection alerts from avast, even the ehknywwtsltfshyv.exe file is gone.

Am I jumping the gun in thinking the problem is solved?

I believe essexboy may want the contents of the moved folder (zipped and uploaded to mediafire) so that he can submit them to avast if required. But hold fire on that until he asks as we don’t want the link to possible undetected malware available to anyone viewing the topic.

So if he needs it he will ask; if you can then upload it to Mediafire, he will collect it and ask you to delete the link (modify your post) and/or the Mediafire upload. That way we don’t give access to it where we have no control over what people might do with it.

Generally essexboy will a) check your OTS log and b) if clear have you monitor your system for a day or so for any symptoms, if clear he will then tell you how to remove his tools.

What David said ;D

This is a new variant on a theme so could you upload the zip file so that I can collect it and forward to interested parties.

And then let me know if all is ok in a day or so and we will tidy up

Hello there,
I have the exact same problem as mentioned here, also can’t shake it. Can you guide me through what to do please? I should add that I haven’t clicked yes to the Windows Command Process alteration request.

Thanks very much,
Gav