Solved

Windows refusing to run cmd.exe, regedit and batch files

Posted on 2008-06-21
Last Modified: 2011-10-19
The shortcuts for my backup software don't work any more. Windows says it can't find the batch file listed by full path in the shortcut, but the batch file is there, with no strange permissions. (This is on a colleague's computer. His user account is an administrator.)

So I tried to run a command prompt. Did START->Run->cmd and got the message:
"Windows cannot find 'cmd'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I looked in C:\Windows\System32, and there it was, cmd.exe, file version 5.1.2600.2180, so I double-clicked the icon for cmd.exe, and got this message:
Windows cannot find 'C:\WINDOWS\system32\cmd.exe'. Make sure ...

I copied this file to another name, cmd2.exe, in a different folder, and it works perfectly. Now I have a copy in \Windows\system32 that works perfectly also.

I wanted to check the registry to see if
HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD
had been set, but regedit couldn't be found.
Copied it to RegEdit2.exe in another folder, and it works perfectly. Searched the registry for DisableCMD, but the key doesn't exist.

Antivirus running is AVG corporate, last updated June 20, 2008, last complete scan June 21, 2008.

I asked Google, and found EE item ID: 20547191, which is the same problem. I worked through the suggestions there, without success, namely:

Did START->Run sfc /scannow
This started the monitor window, and took 50 minutes to scan. No report of any system files repaired.

Did burrcm's suggestion, renamed cmd.exe to xcmd.exe, but the system didn't notice, even when I ran sfc /scannow again.

Took Milan Ojh's suggestion and renamed Config.nt, Autoexec.nt and Command.com with an x at the beginning of each one's name (but it seems strange that that would cause the problem, because it seems to me they are things that would be used after cmd.exe starts running.) Ran sfc /scannow again, but it didn't replace them.

Tried the suggestion from and235100, to copy a cmd.exe from Line 228 "Restore CMD.EXE" at
http://www.kellys-korner-xp.com/xp_tweaks.htm

This did no good either.

From here on it seems the experts were thinking there wasn't a valid cmd.exe in c:\windows\system32. But there is, and a copy of it by a different name works perfectly.

I've even used My Computer->Properties to modify the environment variable COMSPEC to point to my cmd2.exe, and if I do START->Run and enter %COMSPEC%, it works perfectly.

The PATH variable seems to be set correctly.

So I think something is stopping Windows from "seeing" certain specified programs, even though it can display their filenames and properties. Do any of you know what happens inside Windows when the user tries to run a program?

I could send a HijackThis log if you'd like.

Hope someone can help,
   Jim
Question by:JEHenderson
14 Comments
 
LVL 19

Expert Comment

by:Delphineous Silverwing
ID: 21839240
Please post your HiJackThis log - this issue is most likely caused by malicious software.
LVL 47

Expert Comment

by:rpggamergirl
ID: 21839419
Run Hijackthis as already suggested and show us its logfile.
Some nasties do stop .exes and batch files from executing, if Hijackthis doesn't run just rename it, change extension to .com if necessary.
LVL 47

Expert Comment

by:rpggamergirl
ID: 21839425
Via the command.com prompt, type:

ftype exefile="%1" %*

This will restore the default association for exe files, only temporarily if the virus is still active.

Author Comment

by:JEHenderson
ID: 21839551
Thanks, Here's the HiJackThis log.

Sorry about the delay -- I've been away at an appointment.

Jim
Ainde-hijackthis.log

Author Comment

by:JEHenderson
ID: 21840796
Thanks for the suggestion, rpggamergirl

I thought I'd check to see what settings were there already, so I did
   ftype /?
and found I could do ftype with no arguments to find the current settings, so I did
   ftype > \temp\ftype-list.txt
I then looked in that file and found these settings (among very many others) already present:

batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="%1" %*

I'll try setting exefile again as you suggested, and let you know what happens.

Back again -- I've tried that, but it had no effect -- Windows still "can't find" what I can see.

I've been looking through the AVG logs, in case any of those ring bells to help you think what's gone wrong, and found it removed the following:

worm/small 2.D from E:\autorun.inf and from C:\autorun.inf

Trojan horse BackDoor Hupigon REA from

C:\System Volume Information\_restore{F6221601-BABC-<snip>\RP320\A0077854.exe
(Why do Microsoft put so many unintelligible strings of numbers around the place -- perfect hiding place for malware, I think)

also removed similar paths, ending in A0077863.exe and A0077863.exe
and A0077964.exe

C:\Program FilesSTK018D.exe

and various tracking cookies.

Looking forward to your help,
   Jim
LVL 3

Expert Comment

by:XChangingIT
ID: 21840878
Did you try to reinstall SP2?
LVL 47

Expert Comment

by:rpggamergirl
ID: 21840897
So AVG removed those bad autorun.inf in your drives and also the bad file in your System Restore folder.

Try running these tools and attach their logfiles and see if they find more baddies. I'll check back tomorrow, it's midnight right now.

1.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and attach the contents of the results file "Report.txt" back


2.  download ComboFix to your Desktop, from either of these locations:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Author Comment

by:JEHenderson
ID: 21845240
Thanks again, rpggamergirl,

I downloaded the two things and started working through your instructions.

Got to the point "double-click RunThis.bat", but of course, that gave me the "cannot find" error, so I did START->Run and launched my copy of cmd.exe, "cmd2.exe". Then I was able to cd to the folder where I had extracted the files and typed
.\RunThis.bat
and got it to work.

I decided to do A first, to get a system report of the current situation. Three times it complained that my config.nt was not suitable, and I operated the Close button. Went back to reinstate the config.nt that I had renamed in the hope that sfc would replace it, as Milan Ojh had suggested might be the problem for a previous questioner.
Reinstated these files to their proper names:
autoexec.nt
command.com
config.nt
and ran the program again. It worked this time, and I saved the report.
Ran it again, and did the fixing this time. It said it was going to reboot and run the batch file again, but of course Windows said it couldn't find the batch file, so now I'll run it from a command prompt myself.

It gave me a long menu, so I opened RunThis.bat in notepad, and found that the program sets a registry entry to run it after reboot with argument /second, so I'm about to try
   RunThis.bat /second

It finished the malware scan.
Started Catchme Rootkit Scan

Finished.

Attaching report.txt, then I'll run ComboFix and report again.

Jim

Ainde-report.txt

Author Comment

by:JEHenderson
ID: 21846164
ComboFix worked well, and I think it's the one that finally succeeded.
I decided to do a reboot to restart the antivirus software, and then SDFix started, and succeeded in starting this time!
Then I checked, and I can do START->Run cmd and also regedit, and my shortcuts can now run their batch files!!!

Thanks heaps!

I'm attaching the log files as requested, and if you have time to look at them, I'd love it if you could point out the bits that were causing the problems.

Thanks again,
   Jim
ComboFix-quarantined-files.txt
ComboFix.txt
Ainde-SDFix-report.txt
Ainde-SDFix-after-second-reboot-.txt
Ainde-hijackthis2008-06-23.log
LVL 47

Expert Comment

by:rpggamergirl
ID: 21847406
Thanks for the logs.

It looked like it was a flashdrive infection that was causing it as there are remnants of the infection. This infection also disables regedit.exe, msinfo.exe, cmd.exe and regedit32.exe. It also modifies policies for Autorun setting for all drives, modifies COM+ service to load the backdoor component.


Combofix did not remove any obvious bad files so that means the infection was removed by other scanners. Combofix does fix messed up exes and batch files also.

These are the remnants of the flashdrive infection. You can delete them manually or we can use combofix to delete them using its CFScript function.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c69366ef-591f-11db-b87c-0016362be706}]

setuprs1.PIF <-- check if this file is still present (should be in the Windows folder) as it's only showing in the log as a reg value, most likely the physical file is already gone.

Author Comment

by:JEHenderson
ID: 21850632
Thanks again, rpggamergirl,

The first key, image file execution options for regedit32.exe is gone already.
I removed
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c69366ef-591f-11db-b87c-0016362be706}]

Can't find setuprs1.PIF anywhere in the \windows folder tree, neither on the problem computer nor on another XP SP2 machine here. What does it do?

Jim
LVL 47

Accepted Solution

by:rpggamergirl (earned 125 total points)
ID: 21850921
Jim,

No problem.
I didn't think any bad files would still be present but just wanted to make sure, as the reg entry was still showing in the CF log; combofix would've deleted the physical file if it were still there.

setuprs1.PIF is one of the files that the backdoor dropped. It loaded before everything starts, in place of regedit.exe, regedit32.exe, msconfig.exe and cmd.exe, making those utilities not work.
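The two expert comments above point at the mechanism behind the "Windows cannot find" symptom: an Image File Execution Options Debugger value makes Windows launch the named file instead of the requested program, so once the dropped file has been removed the original program looks missing. The script below is an added example, not from the thread, that audits a regedit export for such redirects; the setuprs1.PIF values in the constructed sample and the KNOWN_DEBUGGERS allow-list are assumptions for illustration.

```python
import re
# Root of the per-image Image File Execution Options keys (compared case-insensitively).
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")

# Constructed .reg export. The setuprs1.PIF redirects mirror the thread's description;
# the windbg.exe entry is a legitimate developer setting included for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="setuprs1.PIF"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedt32.exe]
"Debugger"="C:\\WINDOWS\\setuprs1.PIF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"
'''

# Debugger binaries an administrator might legitimately register; anything else is flagged.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

def parse_ifeo_debuggers(reg_text):
    """Return {image_name: Debugger string} for every IFEO subkey that sets a Debugger value."""
    found, image = {}, None
    for line in reg_text.splitlines():
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            path = key.group(1)
            inside = path.lower().startswith(IFEO_PREFIX.lower() + "\\")
            image = path[len(IFEO_PREFIX) + 1:].lower() if inside else None
            continue
        val = re.match(r'^"Debugger"="(.*)"$', line)
        if val and image:
            # Undo .reg escaping: \" -> " first, then \\ -> \
            found[image] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return found

def debugger_basename(debugger):
    """File name of the first token of the Debugger command line (quoted or bare)."""
    target = debugger[1:].split('"', 1)[0] if debugger.startswith('"') else debugger.split(" ", 1)[0]
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hijacked_images(reg_text):
    """Sorted image names whose launch is redirected to something other than a known debugger."""
    return sorted(img for img, dbg in parse_ifeo_debuggers(reg_text).items()
                  if debugger_basename(dbg) not in KNOWN_DEBUGGERS)

if __name__ == "__main__":
    for img in hijacked_images(SAMPLE_REG):
        print(f"IFEO redirect on {img}: {parse_ifeo_debuggers(SAMPLE_REG)[img]}")
```

On a live machine the same check runs against the output of regedit's File > Export for the IFEO key; a Debugger value pointing at a file that no longer exists reproduces exactly the "cannot find" error the question describes.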

Author Closing Comment

by:JEHenderson
ID: 31469480
Thanks again, rpggamergirl, for spending so much time for such a paltry reward in points (all I have) -- but then I guess it's not the points you do this for, because you've reached the highest rank already.

If you have time, I'd still be glad to know if you know the name of the nasty that did this damage.

Thanks again,
   Jim
LVL 47

Expert Comment

by:rpggamergirl
ID: 21861956
Jim,

Based on the CF log, the culprit was BKDR_DELF.GAX according to Trendmicro (antivirus vendors differ slightly in their virus definitions)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_DELF.GAX&VSect=T

According to McAfee it was BackDoor-AWQ!D12D19B7
http://vil.nai.com/vil/content/v_142325.htm


You can now uninstall Combofix please.
Go to Start > Run and copy and paste next command in the field:

ComboFix /u


Points are just an added bonus, I'd still participate in any thread even without points, :)
You gave all the points that you had, which made it worth more than a million points.
Thank you!