
Windows refusing to run cmd.exe, regedit and batch files

The shortcuts for my backup software don't work any more. Windows says it can't find the batch file listed by full path in the shortcut, but the batch file is there, with no strange permissions. (This is on a colleague's computer. His user account is an administrator.)

So I tried to run a command prompt. Did START->Run->cmd and got the message:
"Windows cannot find 'cmd'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I looked in C:\Windows\System32, and there it was, cmd.exe, file version 5.1.2600,2180, so I double-clicked the icon for cmd.exe, and got this message:
Windows cannot find 'C:\WINDOWS\system32\cmd.exe'. Make sure ...

I copied this file to another name, cmd2.exe, in a different folder, and it works perfectly. Now I have a copy in \Windows\system32 that works perfectly also.

I wanted to check the registry to see if
had been set, but regedit couldn't be found.
Copied it to RegEdit2.exe in another folder, and it works perfectly. Searched the registry for DisableCMD, but the key doesn't exist.

Antivirus running is AVG corporate, last updated June 20, 2008, last complete scan June 21, 2008.

I asked Google, and found EE item ID: 20547191, which is the same problem. I worked through the suggestions there, without success, namely:

Did START->Run sfc /scannow
This started the monitor window, and took 50 minutes to scan. No report of any system files repaired.

Did burrcm's suggestion, renamed cmd.exe to xcmd.exe, but the system didn't notice, even when I ran sfc /scannow again.

Took Milan Ojh's suggestion and renamed Config.nt, Autoexec.nt and Command.com with an x at the beginning of each one's name (but it seems strange that that would cause the problem, because it seems to me they are things that would be used after cmd.exe starts running). Ran sfc /scannow again, but it didn't replace them.

Tried the suggestion from and235100, to copy a cmd.exe from Line 228 "Restore CMD.EXE" at

This did no good either.

From here on it seems the experts were thinking there wasn't a valid cmd.exe in c:\windows\system32. But there is, and a copy of it by a different name works perfectly.

I've even used My Computer->Properties to modify the environment variable COMSPEC to point to my cmd2.exe, and if I do START->Run and enter %COMSPEC%, it works perfectly.

The PATH variable seems to be set correctly.

So I think something is stopping Windows from "seeing" certain specified programs, even though it can display their filenames and properties. Do any of you know what happens inside Windows when the user tries to run a program?

I could send a HijackThis log if you'd like.

Hope someone can help,
1 Solution
Delphineous Silverwing (Good Ol' Geek) commented:
Please post your HiJackThis log - this issue is most likely caused by malicious software.
Run Hijackthis as already suggested and show us its logfile.
Some nasties do stop .exes and batch files from executing, if Hijackthis doesn't run just rename it, change extension to .com if necessary.
Via the command.com prompt, type:

ftype exefile="%1" %*

This will restore the default association for exe files, only temporarily if the virus is still active.

JEHenderson (Author) commented:
Thanks, Here's the HiJackThis log.

Sorry about the delay -- I've been away at an appointment.

JEHenderson (Author) commented:
Thanks for the suggestion, rpggamergirl

I thought I'd check to see what settings were there already, so I did
   ftype /?
and found I could do ftype with no arguments to find the current settings, so I did
   ftype > \temp\ftype-list.txt
I then looked in that file and found these settings (among very many others) already present:

batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="%1" %*

I'll try setting exefile again as you suggested, and let you know what happens.

Back again -- I've tried that, but it had no effect -- Windows still "can't find" what I can see.

I've been looking through the AVG logs, in case any of those ring bells to help you think what's gone wrong, and found it removed the following:

worm/small 2.D from E:\autorun.inf and from C:\autorun.inf

Trojan horse BackDoor Hupigon REA from

C:\System Volume Information\_restore{F6221601-BABC-<snip>\RP320\A0077854.exe
(Why do microsoft put so many unintelligible strings of numbers around the place -- perfect hiding place for malware, I think)

also removed similar paths, ending in A0077863.exe and A0077863.exe
and A0077964.exe

C:\Program FilesSTK018D.exe

and various tracking cookies.

Looking forward to your help,
did you try to reinstall SP2?
So AVG removed those bad autorun.inf in your drives and also the bad file in your System Restore folder.

Try running these tools and attach their logfiles and see if they find more baddies. I'll check back tomorrow, it's midnight right now.

1.  Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back

2.  download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
JEHenderson (Author) commented:
Thanks again, rpggamergirl,

I downloaded the two things and started working through your instructions.

Got to the point "double-click RunThis.bat", but of course, that gave me the "cannot find" error, so I did START->Run and launched my copy of cmd.exe, "cmd2.exe". Then I was able to cd to the folder where I had extracted the files and typed
and got it to work.

I decided to do A first, to get a system report of the current situation. Three times it complained that my config.nt was not suitable, and I operated the Close button. Went back to reinstate the config.nt that I had renamed in the hope that sfc would replace it, as Milan Ojh had suggested might be the problem for a previous questioner.
Reinstated these files to their proper names:
and ran the program again. It worked this time, and I saved the report.
Ran it again, and did the fixing this time. It said it was going to reboot and run the batch file again, but of course Windows said it couldn't find the batch file, so now I'll run it from a command prompt myself.

It gave me a long menu, so I opened RunThis.bat in notepad, and found that the program sets a registry entry to run it after reboot with argument /second, so I'm about to try
   RunThis.bat /second

It finished the malware scan.
Started Catchme Rootkit Scan


Attaching report.txt, then I'll run ComboFix and report again.


JEHenderson (Author) commented:
ComboFix worked well, and I think it's the one that finally succeeded.
I decided to do a reboot to restart the antivirus software, and then SDFix started, and succeeded in starting this time!
Then I checked, and I can do START->Run cmd and also regedit, and my shortcuts can now run their batch files!!!

Thanks heaps!

I'm attaching the log files as requested, and if you have time to look at them, I'd love it if you could point out the bits that were causing the problems.

Thanks again,
Thanks for the logs.

It looked like it was a flashdrive infection that was causing it as there are remnants of the infection. This infection also disables regedit.exe, msinfo.exe, cmd.exe and regedit32.exe. It also modifies policies for Autorun setting for all drives, modifies COM+ service to load the backdoor component.

Combofix did not remove any obvious bad files so that means the infection was removed by other scanners. Combofix does fix messed up exes and batch files also.

These are the remnants of the flashdrive infection. You can delete them manually or we can use combofix to delete them using its CFScript function.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]

setuprs1.PIF <-- check if this file is still present(should be in the Windows folder) as it's only showing in the log as reg value, most likely that the physical file is already gone.
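A small offline triage script, added here as an example and not part of the thread or of any tool it mentions: it parses a constructed `reg export` fragment (the key paths and the `C:\WINDOWS\setuprs1.PIF` location are assumed for illustration) and flags the two things rpggamergirl's log review and the earlier `ftype` check look for, an Image File Execution Options `Debugger` value redirecting a system utility, and an exefile/batfile/comfile/cmdfile open command that is not the default `"%1" %*`.

```python
"""Flag IFEO 'Debugger' redirections and non-default open commands in a
REGEDIT4-style export. Sample data below is constructed, not from the thread."""
import re

# Constructed sample of `reg export` text; the setuprs1.PIF path is an assumed example.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
"Debugger"="C:\\WINDOWS\\setuprs1.PIF"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\cmd.exe]
"Debugger"="C:\\WINDOWS\\setuprs1.PIF"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="C:\\WINDOWS\\setuprs1.PIF \"%1\" %*"
'''

IFEO_PREFIX = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
ASSOC_RE = re.compile(r"^hkey_classes_root\\(exefile|batfile|comfile|cmdfile)\\shell\\open\\command$")
DEFAULT_OPEN = '"%1" %*'   # what `ftype exefile` etc. should report on a clean system

def parse_reg(text):
    """Return {key_path(lowercased): {value_name: data}} from export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry paths are case-insensitive
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"'):              # REG_SZ: drop quotes, unescape \\ and \"
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][name] = data            # dword:/hex: values are kept raw
    return keys

def find_hijacks(keys):
    """List (kind, target, data) for Debugger redirections and altered open commands."""
    findings = []
    for path, values in keys.items():
        if path.startswith(IFEO_PREFIX) and "Debugger" in values:
            findings.append(("ifeo-debugger", path[len(IFEO_PREFIX):], values["Debugger"]))
        m = ASSOC_RE.match(path)
        if m and values.get("(Default)", DEFAULT_OPEN) != DEFAULT_OPEN:
            findings.append(("open-command", m.group(1), values["(Default)"]))
    return findings

if __name__ == "__main__":
    for kind, target, data in find_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{kind:14} {target:13} -> {data}")
```

A legitimate Debugger value does exist in some setups (for example tools that replace Task Manager), so each hit on cmd.exe, regedit.exe or their kin is a lead to inspect, not an automatic verdict.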
JEHenderson (Author) commented:
Thanks again, rpggamergirl,

The first key, image file execution options for regedit32.exe is gone already.
I removed

Can't find setuprs1.PIF anywhere in the \windows folder tree, neither on the problem computer nor on another XP SP2 machine here. What does it do?


No problem.
I didn't think any bad files would still be present but just wanted to make sure; the reg entry was still showing in the CF log, and combofix would've deleted the physical file if it were still there.

setuprs1.PIF is one of the files that the backdoor dropped. It loaded before everything starts in place of regedit.exe, regedit32.exe, msconfig.exe and cmd.exe, making those utilities not work.
JEHenderson (Author) commented:
Thanks again, rpggamergirl, for spending so much time for such a paltry reward in points (all I have) -- but then I guess it's not the points you do this for, because you've reached the highest rank already.

If you have time, I'd still be glad to know if you know the name of the nasty that did this damage.

Thanks again,

Based on the CF log, the culprit was BKDR_DELF.GAX according to Trendmicro (antivirus vendors differ slightly in their virus definitions)

According to McAfee it was BackDoor-AWQ!D12D19B7

You can now uninstall Combofix please.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

Points are just an added bonus, I'd still participate in any thread even without points, :)
You gave all the points that you've had, which made it worth more than a million points.
Thank you!