msklein

CMD.EXE and REGEDIT don't work

I have a Dell laptop running Windows XP Media Center with SP3 installed.  There is wireless connectivity to a Verizon FIOS modem/router using WEP security.  (I know it needs to be changed to WPA2).  Here is the problem with supporting information:

1. Neither CMD.EXE nor REGEDIT.EXE will run from Start > Run.  (They appear to start then just disappear.)
  a.  I can, however, run COMMAND.COM and then run CMD.EXE within that.  
  b.  I can "jump" to REGEDIT from a registry link within AutoRuns.  
2. Unlike other people here on Experts Exchange with a similar problem, I can run both MSCONFIG.EXE and TASKMGR.EXE.
3. When I plug a known good Ethernet cable from the FIOS router to the laptop, there is no connection.
   a. The numbered Ethernet light on the FIOS router doesn't light and the wired network icon in the system tray shows as "unplugged".
   b. However, when running in Safe Mode with Networking, the router lights and tray icon display properly.
4. When I click on a "search engine results" link in a browser (either IE7 or Firefox), I get redirected to some other site, but when I paste the link directly into the browser's address bar, I go to the correct site.
5. I ran a check for the Conficker worm/virus at  http://www.confickerworkinggroup.org and it came out negative.
6. I ran a full Trend-Micro anti-virus scan and it revealed no viruses.
7. I ran a full MalwareBytes scan and it removed some questionable registry entries, but nothing else.
8. I ran both F-Secure Blacklight and Sysinternals (Microsoft) RootKit Revealer.  Neither showed anything out of the ordinary.
Does anyone have any ideas as to what this may be and how to remove it?
Thanks.
Michael
MightySW

Hi,
Run SFC /scannow from start, run.  

You will need the XP CD.

http://www.updatexp.com/scannow-sfc.html

HTH
msklein

ASKER

I tried to run SFC /scannow, but it asks for the Windows XP Media Center SP3 CD.  The upgrade to SP3 was done through Windows Update, so I don't have an SP3 CD.  Suggestions?
Did you try to just insert the original CD?
If that works then install SP3 after SFC completes.

Either that or reinstall SP3 and see if that does the trick.
Download CCleaner - http://www.ccleaner.com/ and run it, then download HijackThis - http://www.spychecker.com/program/hijackthis.html or http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download and run it after CCleaner.

Good luck

MD
Another option is MalwareBytes:
http://malwarebytes.org/
 It can install and run in safe mode as well as update (highly recommended).
ASKER CERTIFIED SOLUTION
msklein

This solution is only available to members.
Glad it worked.
Please close the thread by accepting your comment.
I object.  Both Jason and Houssam were on that it was malware.  Houssam even gave you the site to try.  Please accept Houssam's answer and give assist to Jason.

Thanks
msklein

ASKER

MightySW, if you re-read my initial post, you'll note that in item #7 I mentioned that I had already run Malwarebytes.  As for Houssam's suggesting combofix, although it happened to be on the site for the reference I cited, the actual solution came from the Sysinternals forum http://forum.sysinternals.com/forum_posts.asp?TID=18420.  I found that post by Googling "CMD.EXE and REGEDIT don't work".  The author of that post references the bleepingcomputer post, so I felt the original author deserved the citation.  Finally, all references to using combofix are quite emphatic that it should not be used without the guidance of a HijackThis expert.
Not to push the issue too far, but are you saying that Malwarebytes, fully updated and running in safe mode, did not find this?
Was the only fix for it to use HiJackThis and manually remove the file listed?
Did any other utility find anything?

This post will be quite useless for others to read without knowing the steps you took. If the only steps were to talk to a sysinternals guide then, please, let us know.
msklein

ASKER

Jason,
Yes, that's exactly what I'm saying.  Malwarebytes, fully updated and running in safe mode, did not find this; nor did the latest versions of Spybot Search & Destroy and Trend Micro PC-Cillin.  After finding the post(s) cited, I did the following:
1. I ran Sysinternals AutoRuns and clicked on a Registry entry displayed to run Regedit.
2. I navigated to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] and checked the "aux" and "aux1" value strings.  The aux1 had a "funny" value in it, with strange letters and a strange extension, so I deleted it.
3. I ran HijackThis, clicked on the "Open the Misc Tools section", clicked on the "Delete a file on reboot..." and selected the file I found in the "aux1" Registry string.
4. I rebooted the computer and everything was fixed.
No other utility found anything and I didn't talk to any Sysinternals guide.  I located a dead-on relevant post in the Sysinternals forum using a Google search.
I hope that clarifies things.
Michael
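
The registry check from step 2 above, as an added example that is not part of the original thread: a Python triage script that parses an exported copy of the Drivers32 key and flags values that are not a bare file name with an expected extension. The extension allow-list and the sample export (including the odd `aux1` data) are constructed assumptions, not values from the affected machine.

```python
import re

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Assumption: extensions expected on Drivers32 data; tune against a known-good machine.
EXPECTED_EXT = {".drv", ".dll", ".acm", ".ax"}
LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from the infected laptop).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux1"="qzxvbnrk.tmp"
"midimapper"="midimap.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Arial (TrueType)"="arial.ttf"
'''

def parse_drivers32(reg_text):
    """Return {value_name: data} for string values under the Drivers32 key only."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == DRIVERS32.lower()
            continue
        m = LINE.match(line) if in_key else None
        if m:
            # .reg files escape backslashes and quotes with a leading backslash.
            values[m["name"]] = re.sub(r"\\(.)", r"\1", m["data"])
    return values

def suspicious_entries(values):
    """Heuristic: flag data that carries a path or lacks an expected extension."""
    findings = []
    for name, data in sorted(values.items()):
        ext = ("." + data.rsplit(".", 1)[-1].lower()) if "." in data else "(none)"
        reasons = ["contains a path"] if ("\\" in data or "/" in data) else []
        if ext not in EXPECTED_EXT:
            reasons.append(f"unexpected extension {ext}")
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in suspicious_entries(parse_drivers32(SAMPLE_REG)):
        print(f"{name} = {data}: {', '.join(reasons)}")
```

To run it against a real machine, export the key with `reg export` and read the file with `encoding="utf-16"`, since registry exports in this format are written as UTF-16. A flagged entry is a lead for review against a known-good baseline, not proof of infection.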
Nice fix.  

Thanks for the clarification.

Please close again and I will not object this time :)

Have a nice day!
4) PAQ refund if the Asker answered his/her own question