CMD.EXE and REGEDIT don't work

I have a Dell laptop running Windows XP Media Center with SP3 installed.  There is wireless connectivity to a Verizon FIOS modem/router using WEP security.  (I know it needs to be changed to WPA2).  Here is the problem with supporting information:

1. Neither CMD.EXE nor REGEDIT.EXE will run from Start > Run.  (They appear to start then just disappear.)
  a.  I can, however, run COMMAND.COM and then run CMD.EXE within that.  
  b.  I can "jump" to REGEDIT from a registry link within AutoRuns.  
2. Unlike other people here on Experts Exchange with a similar problem, I can run both MSCONFIG.EXE and TASKMGR.EXE.
3. When I plug a known good Ethernet cable from the FIOS router to the laptop, there is no connection.
   a. The numbered Ethernet light on the FIOS router doesn't light and the wired network icon in the system tray shows as "unplugged".
   b. However, when running in Safe Mode with Networking, the router lights and tray icon display properly.
4. When I click on a "search engine results" link in a browser (either IE7 or Firefox), I get redirected to some other site, but when I paste the link directly into the browser's address bar, I go to the correct site.
5. I ran a check for the Conficker worm/virus at  http://www.confickerworkinggroup.org and it came out negative.
6. I ran a full Trend-Micro anti-virus scan and it revealed no viruses.
7. I ran a full MalwareBytes scan and it removed some questionable registry entries, but nothing else.
8. I ran both F-Secure Blacklight and Sysinternals (Microsoft) RootKit Revealer.  Neither showed anything out of the ordinary.
Does anyone have any ideas as to what this may be and how to remove it?
Thanks.
Michael
 
MightySW commented:
Hi,
Run SFC /scannow from start, run.  

You will need the XP CD.

http://www.updatexp.com/scannow-sfc.html

HTH

msklein (Author) commented:
I tried to run SFC /scannow, but it asks for the Windows XP Media Center SP3 CD.  The upgrade to SP3 was done through Windows Update, so I don't have an SP3 CD.  Suggestions?

MightySW commented:
Did you try to just insert the original CD?
 
MightySW commented:
If that works then install SP3 after SFC completes.

Either that or reinstall SP3 and see if that does the trick.

myderrick commented:
Download CCleaner - http://www.ccleaner.com/ and run and after download hijackthis - http://www.spychecker.com/program/hijackthis.html or http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download and run after the ccleaner.

Good luck

MD

jason_woods commented:
Another option is MalwareBytes:
http://malwarebytes.org/
 It can install and run in safe mode as well as update (highly recommended).

houssam_ballout commented:

msklein (Author) commented:
Although none of the replies solved the problem, I thank all of you for trying.  After much research, I found the exact problem along with the solution at http://www.bleepingcomputer.com/forums/topic211718.html.  I suggest you all take a look as this virus/malware/trojan is quite tricky.  It installs as a randomly named drive in the C:\Windows folder and can be found by checking the Registry entry cited in the solution link above.  It isn't currently detected by Malwarebytes, Spybot, Trend-Micro PC-Cillin, or any other major anti-malware/anti-virus product.  Fortunately, it's more of an annoyance than anything else.
Thanks again for your efforts.  No points will be awarded.

jason_woods commented:
Glad it worked.
Please close the thread by accepting your comment.

MightySW commented:
I object.  Both Jason and Houssam both were on that it was malware.  Houssam even gave you the site to try.  Please accept Houssam's answer and give assist to Jason.

Thanks

msklein (Author) commented:
MightySW, if you re-read my initial post, you'll note that in item #7 I mentioned that I had already run Malwarebytes.  As for Houssam's suggesting combofix, although it happened to be on the site for the reference I cited, the actual solution came from the Sysinternals forum http://forum.sysinternals.com/forum_posts.asp?TID=18420.  I found that post by Googling "CMD.EXE and REGEDIT don't work".  The author of that post references the bleepingcomputer post, so I felt the original author deserved the citation.  Finally, all references to using combofix are quite emphatic that it should not be used without the guidance of a HijackThis expert.

jason_woods commented:
Not to push the issue too far, but are you saying the Malwarebytes, fully updated and running in safe mode did not find this?
Was the only fix for it to use HiJackThis and manually remove the file listed?
Did any other utility find anything?

This post will be quite useless for others to read without knowing the steps you took. If the only steps were to talk to a sysinternals guide then, please, let us know.

msklein (Author) commented:
Jason,
Yes, that's exactly what I'm saying.  Malwarebytes, fully updated and running in safe mode, did not find this; nor did the latest versions of Spybot Search & Destroy and Trend Micro PC-Cillin.  After finding the post(s) cited, I did the following:
1. I ran Sysinternals AutoRuns and clicked on a Registry entry displayed to run Regedit.
2. I navigated to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] and checked the "aux" and "aux1" value strings.  The aux1 had a "funny" value in it, with strange letters and a strange extension, so I deleted it.
3. I ran HijackThis, clicked on the "Open the Misc Tools section", clicked on the "Delete a file on reboot..." and selected the file I found in the "aux1" Registry string.
4. I rebooted the computer and everything was fixed.
No other utility found anything and I didn't talk to any Sysinternals guide.  I located a dead-on relevant post in the Sysinternals forum using a Google search.
I hope that clarifies things.
Michael
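
The registry check from steps 1 and 2 above can be repeated on saved `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"` output. This is an added example, not part of the original thread: the extension allowlist, the function names and the sample output (including the aux1 file name) are assumptions constructed for illustration, and a flagged entry is a candidate for manual review only.

```python
import ntpath
import re

# Assumption: extensions normally seen on legitimate Drivers32 entries.
EXPECTED_EXTENSIONS = {".drv", ".dll", ".acm"}

# Value lines are indented: <name> <type> <data>. Names with spaces are not handled.
LINE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample of `reg query` output; the aux1 data is made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    midimapper    REG_SZ    midimap.dll
    msacm.imaadpcm    REG_SZ    imaadp32.acm
    wavemapper    REG_SZ    msacm32.drv
    aux    REG_SZ    wdmaud.drv
    aux1    REG_SZ    xkqzvwpl.tqm
"""

def parse_values(text):
    """Return {value_name: data} for every value line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values

def suspicious_entries(values, baseline=None):
    """Flag entries with an unexpected extension or, if a baseline export
    from a known-clean machine is given, entries that deviate from it."""
    findings = []
    for name, data in sorted(values.items()):
        reasons = []
        ext = ntpath.splitext(data)[1].lower()
        if ext not in EXPECTED_EXTENSIONS:
            reasons.append(f"unexpected extension {ext or '(none)'}")
        if baseline is not None and baseline.get(name) != data:
            reasons.append("not in baseline" if name not in baseline
                           else "differs from baseline")
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in suspicious_entries(parse_values(SAMPLE)):
        print(f"{name} = {data}: {', '.join(reasons)}")
```

Passing the parsed output of a clean machine of the same build as `baseline` catches additions that happen to use an ordinary extension.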

MightySW commented:
Nice fix.  

Thanks for the clarification.

Please close again and I will not object this time :)

Have a nice day!

MightySW commented:
4) PAQ refund if the Asker answered his/her own question