Solved

Windows refusing to run cmd.exe, regedit and batch files

Posted on 2008-06-21
14
4,843 Views
Last Modified: 2011-10-19
The shortcuts for my backup software don't work any more. Windows says it can't find the batch file listed by full path in the shortcut, but the batch file is there, with no strange permissions. (This is on a colleague's computer. His user account is an administrator.)

So I tried to run a command prompt. Did START->Run->cmd and got the message:
"Windows cannot find 'cmd'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I looked in C:\Windows\System32, and there it was, cmd.exe, file version 5.1.2600.2180, so I double-clicked the icon for cmd.exe, and got this message:
Windows cannot find 'C:\WINDOWS\system32\cmd.exe'. Make sure ...

I copied this file to another name, cmd2.exe, in a different folder, and it works perfectly. Now I have a copy in \Windows\system32 that works perfectly also.

I wanted to check the registry to see if
HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD
had been set, but regedit couldn't be found.
Copied it to RegEdit2.exe in another folder, and it works perfectly. Searched the registry for DisableCMD, but the key doesn't exist.

Antivirus running is AVG corporate, last updated June 20, 2008, last complete scan June 21, 2008.

I asked Google, and found EE item ID: 20547191, which is the same problem. I worked through the suggestions there, without success, namely:

Did START->Run sfc /scannow
This started the monitor window, and took 50 minutes to scan. No report of any system files repaired.

Did burrcm's suggestion, renamed cmd.exe to xcmd.exe, but the system didn't notice, even when I ran sfc /scannow again.

Took Milan Ojh's suggestion and renamed Config.nt, Autoexec.nt and Command.com with an x at the beginning of each one's name (but it seems strange that that would cause the problem, because it seems to me they are things that would be used after cmd.exe starts running.) Ran sfc /scannow again, but it didn't replace them.

Tried the suggestion from and235100, to copy a cmd.exe from Line 228 "Restore CMD.EXE" at
http://www.kellys-korner-xp.com/xp_tweaks.htm

This did no good either.

From here on it seems the experts were thinking there wasn't a valid cmd.exe in c:\windows\system32. But there is, and a copy of it by a different name works perfectly.

I've even used My Computer->Properties to modify the environment variable COMSPEC to point to my cmd2.exe, and if I do START->Run and enter %COMSPEC%, it works perfectly.

The PATH variable seems to be set correctly.

So I think something is stopping Windows from "seeing" certain specified programs, even though it can display their filenames and properties. Do any of you know what happens inside Windows when the user tries to run a program?

I could send a HijackThis log if you'd like.

Hope someone can help,
   Jim
0
Question by:JEHenderson
14 Comments
 
LVL 19

Expert Comment

by:Delphineous Silverwing
Please post your HiJackThis log - this issue is most likely caused by malicious software.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Run Hijackthis as already suggested and show us its logfile.
Some nasties do stop .exes and batch files from executing, if Hijackthis doesn't run just rename it, change extension to .com if necessary.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Via the command.com prompt, type:

ftype exefile="%1" %*

This will restore the default association for exe files, only temporarily if the virus is still active.
0
 

Author Comment

by:JEHenderson
Thanks, Here's the HiJackThis log.

Sorry about the delay -- I've been away at an appointment.

Jim
Ainde-hijackthis.log
0
 

Author Comment

by:JEHenderson
Thanks for the suggestion, rpggamergirl

I thought I'd check to see what settings were there already, so I did
   ftype /?
and found I could do ftype with no arguments to find the current settings, so I did
   ftype > \temp\ftype-list.txt
I then looked in that file and found these settings (among very many others) already present:

batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="%1" %*

I'll try setting exefile again as you suggested, and let you know what happens.

Back again -- I've tried that, but it had no effect -- Windows still "can't find" what I can see.

I've been looking through the AVG logs, in case any of those ring bells to help you think what's gone wrong, and found it removed the following:

worm/small 2.D from E:\autorun.inf and from C:\autorun.inf

Trojan horse BackDoor Hupigon REA from

C:\System Volume Information\_restore{F6221601-BABC-<snip>\RP320\A0077854.exe
(Why does Microsoft put so many unintelligible strings of numbers around the place -- perfect hiding place for malware, I think)

also removed similar paths, ending in A0077863.exe and A0077863.exe
and A0077964.exe

C:\Program FilesSTK018D.exe

and various tracking cookies.

Looking forward to your help,
   Jim
0
 
LVL 3

Expert Comment

by:XChangingIT
did you try to reinstall SP2?
0
 
LVL 47

Expert Comment

by:rpggamergirl
So AVG removed those bad autorun.inf in your drives and also the bad file in your System Restore folder.

Try running these tools and attach their logfiles and see if they find more baddies. I'll check back tomorrow, it's midnight right now.

1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back.


2.  download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
0
 

Author Comment

by:JEHenderson
Thanks again, rpggamergirl,

I downloaded the two things and started working through your instructions.

Got to the point "double-click RunThis.bat", but of course, that gave me the "cannot find" error, so I did START->Run and launched my copy of cmd.exe, "cmd2.exe". Then I was able to cd to the folder where I had extracted the files and typed
.\RunThis.bat
and got it to work.

I decided to do A first, to get a system report of the current situation. Three times it complained that my config.nt was not suitable, and I operated the Close button. Went back to reinstate the config.nt that I had renamed in the hope that sfc would replace it, as Milan Ojh had suggested might be the problem for a previous questioner.
Reinstated these files to their proper names:
autoexec.nt
command.com
config.nt
and ran the program again. It worked this time, and I saved the report.
Ran it again, and did the fixing this time. It said it was going to reboot and run the batch file again, but of course Windows said it couldn't find the batch file, so now I'll run it from a command prompt myself.

It gave me a long menu, so I opened RunThis.bat in notepad, and found that the program sets a registry entry to run it after reboot with argument /second, so I'm about to try
   RunThis.bat /second

It finished the malware scan.
Started Catchme Rootkit Scan

Finished.

Attaching report.txt, then I'll run ComboFix and report again.

Jim

Ainde-report.txt
0
 

Author Comment

by:JEHenderson
ComboFix worked well, and I think it's the one that finally succeeded.
I decided to do a reboot to restart the antivirus software, and then SDFix started, and succeeded in starting this time!
Then I checked, and I can do START->Run cmd and also regedit, and my shortcuts can now run their batch files!!!

Thanks heaps!

I'm attaching the log files as requested, and if you have time to look at them, I'd love it if you could point out the bits that were causing the problems.

Thanks again,
   Jim
ComboFix-quarantined-files.txt
ComboFix.txt
Ainde-SDFix-report.txt
Ainde-SDFix-after-second-reboot-.txt
Ainde-hijackthis2008-06-23.log
0
 
LVL 47

Expert Comment

by:rpggamergirl
Thanks for the logs.

It looked like it was a flashdrive infection that was causing it as there are remnants of the infection. This infection also disables regedit.exe, msinfo.exe, cmd.exe and regedit32.exe. It also modifies policies for Autorun setting for all drives, modifies COM+ service to load the backdoor component.


Combofix did not remove any obvious bad files so that means the infection was removed by other scanners. Combofix does fix messed up exes and batch files also.

These are the remnants of the flashdrive infection. You can delete them manually or we can use combofix to delete them using its CFScript function.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c69366ef-591f-11db-b87c-0016362be706}]

setuprs1.PIF <-- check if this file is still present(should be in the Windows folder) as it's only showing in the log as reg value, most likely that the physical file is already gone.
0
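The Image File Execution Options (IFEO) key rpggamergirl points to above is the mechanism behind the symptoms in this thread: a "Debugger" value under IFEO\<name>.exe is matched by executable file name (so a copy called cmd2.exe runs while cmd.exe does not), and when the registered debugger file has already been removed by the antivirus, launching the program fails with exactly the "Windows cannot find ..." message. The following read-only PowerShell audit is an added example, not code from the thread or from any of the tools named in it; it assumes an elevated prompt and lists IFEO Debugger entries together with the DisableCMD and related policy values Jim went looking for.

```powershell
# Added audit script (not from the thread). Read-only: it reports and changes nothing.
# Assumes an elevated PowerShell prompt so the HKLM keys can be enumerated.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Utilities this thread says the backdoor hooked; any other hooked name is still reported.
$watchList = @('cmd.exe', 'regedit.exe', 'regedt32.exe', 'msconfig.exe', 'msinfo32.exe')

function Get-IfeoDebuggerEntries {
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }
        # Strip surrounding quotes and trailing arguments so only the executable remains.
        # Caveat: an unquoted path containing spaces is truncated at the first space.
        $exe = ($dbg -replace '^"([^"]+)".*$', '$1') -replace '\s.*$', ''
        # A bare name such as ntsd (the legitimate use of this key) is resolved via PATH.
        $exists = (Test-Path -LiteralPath $exe) -or [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Program        = $_.PSChildName
            Debugger       = $dbg
            DebuggerExists = $exists     # False: orphaned hook, the "cannot find" symptom
            Watched        = ($watchList -contains $_.PSChildName)
        }
    }
}

function Get-ShellRestrictionPolicies {
    # Policy values that block cmd.exe / regedit / autorun handling without touching any file.
    $checks = @(
        @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                    Name = 'DisableCMD' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $v) { $v = '<not set>' }
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $v }
    }
}

Write-Host 'IFEO Debugger entries (Watched=True or DebuggerExists=False deserves a close look):'
Get-IfeoDebuggerEntries | Format-Table -AutoSize
Write-Host 'Shell restriction policy values:'
Get-ShellRestrictionPolicies | Format-Table -AutoSize
```

On a clean machine the first table is normally empty, so any row at all is worth explaining before it is deleted.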
 

Author Comment

by:JEHenderson
Thanks again, rpggamergirl,

The first key, image file execution options for regedit32.exe is gone already.
I removed
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c69366ef-591f-11db-b87c-0016362be706}]

Can't find setuprs1.PIF anywhere in the \windows folder tree, neither on the problem computer nor on another XP SP2 machine here. What does it do?

Jim
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 125 total points
Jim,

No problem.
I didn't think any bad files would still be present but just wanted to make sure, since the reg entry was still showing in the CF log; combofix would've deleted the physical file if it were still there.

setuprs1.PIF is one of the files that the backdoor dropped. It loaded before everything starts, in place of regedit.exe, regedit32.exe, msconfig.exe and cmd.exe, making those utilities not work.
0
 

Author Closing Comment

by:JEHenderson
Thanks again, rpggamergirl, for spending so much time for such a paltry reward in points (all I have) -- but then I guess it's not the points you do this for, because you've reached the highest rank already.

If you have time, I'd still be glad to know if you know the name of the nasty that did this damage.

Thanks again,
   Jim
0
 
LVL 47

Expert Comment

by:rpggamergirl
Jim,

Based on the CF log, the culprit was BKDR_DELF.GAX according to Trendmicro (antivirus vendors differ slightly in their virus definitions)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_DELF.GAX&VSect=T

According to McAfee it was BackDoor-AWQ!D12D19B7
http://vil.nai.com/vil/content/v_142325.htm


You can now uninstall Combofix please.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u


Points are just an added bonus, I'd still participate in any thread even without points, :)
You gave all the points that you had, which made it worth more than a million points.
Thank you!
0
