Solved

CMD.EXE and REGEDIT don't work

Posted on 2009-04-14
Last Modified: 2013-11-22
I have a Dell laptop running Windows XP Media Center with SP3 installed.  There is wireless connectivity to a Verizon FIOS modem/router using WEP security.  (I know it needs to be changed to WPA2).  Here is the problem with supporting information:

1. Neither CMD.EXE nor REGEDIT.EXE will run from Start > Run.  (They appear to start then just disappear.)
  a.  I can, however, run COMMAND.COM and then run CMD.EXE within that.  
  b.  I can "jump" to REGEDIT from a registry link within AutoRuns.  
2. Unlike other people here on Experts Exchange with a similar problem, I can run both MSCONFIG.EXE and TASKMGR.EXE.
3. When I plug a known good Ethernet cable from the FIOS router to the laptop, there is no connection.
   a. The numbered Ethernet light on the FIOS router doesn't light and the wired network icon in the system tray shows as "unplugged".
   b. However, when running in Safe Mode with Networking, the router lights and tray icon display properly.
4. When I click on a "search engine results" link in a browser (either IE7 or Firefox), I get redirected to some other site, but when I paste the link directly into the browser's address bar, I go to the correct site.
5. I ran a check for the Conficker worm/virus at  http://www.confickerworkinggroup.org and it came out negative.
6. I ran a full Trend-Micro anti-virus scan and it revealed no viruses.
7. I ran a full MalwareBytes scan and it removed some questionable registry entries, but nothing else.
8. I ran both F-Secure Blacklight and Sysinternals (Microsoft) RootKit Revealer.  Neither showed anything out of the ordinary.
Does anyone have any ideas as to what this may be and how to remove it?
Thanks.
Michael
0
Comment
Question by:msklein
16 Comments
 
LVL 20

Expert Comment

by:MightySW
ID: 24139401
Hi,
Run SFC /scannow from start, run.  

You will need the XP CD.

http://www.updatexp.com/scannow-sfc.html

HTH
0
 

Author Comment

by:msklein
ID: 24139515
I tried to run SFC /scannow, but it asks for the Windows XP Media Center SP3 CD.  The upgrade to SP3 was done through Windows Update, so I don't have an SP3 CD.  Suggestions?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24139551
Did you try to just insert the original CD?
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24139559
If that works then install SP3 after SFC completes.

Either that or reinstall SP3 and see if that does the trick.
0
 
LVL 13

Expert Comment

by:myderrick
ID: 24140220
Download CCleaner - http://www.ccleaner.com/ and run it, then download HijackThis - http://www.spychecker.com/program/hijackthis.html or http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download and run it after CCleaner.

Good luck

MD
0
 
LVL 4

Expert Comment

by:jason_woods
ID: 24140706
Another option is MalwareBytes:
http://malwarebytes.org/
 It can install and run in safe mode as well as update (highly recommended).
0
 
LVL 17

Expert Comment

by:houssam_ballout
ID: 24140794
0

 

Accepted Solution

by:
msklein earned 0 total points
ID: 24143311
Although none of the replies solved the problem, I thank all of you for trying.  After much research, I found the exact problem along with the solution at http://www.bleepingcomputer.com/forums/topic211718.html.  I suggest you all take a look as this virus/malware/trojan is quite tricky.  It installs as a randomly named drive in the C:\Windows folder and can be found by checking the Registry entry cited in the solution link above.  It isn't currently detected by Malwarebytes, Spybot, Trend-Micro PC-Cillin, or any other major anti-malware/anti-virus product.  Fortunately, it's more of an annoyance than anything else.
Thanks again for your efforts.  No points will be awarded.
0
 
LVL 4

Expert Comment

by:jason_woods
ID: 24143347
Glad it worked.
Please close the thread by accepting your comment.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24143468
I object.  Jason and Houssam both were on that it was malware.  Houssam even gave you the site to try.  Please accept Houssam's answer and give assist to Jason.

Thanks
0
 

Author Comment

by:msklein
ID: 24144262
MightySW, if you re-read my initial post, you'll note that in item #7 I mentioned that I had already run Malwarebytes.  As for Houssam's suggesting combofix, although it happened to be on the site for the reference I cited, the actual solution came from the Sysinternals forum http://forum.sysinternals.com/forum_posts.asp?TID=18420.  I found that post by Googling "CMD.EXE and REGEDIT don't work".  The author of that post references the bleepingcomputer post, so I felt the original author deserved the citation.  Finally, all references to using combofix are quite emphatic that it should not be used without the guidance of a HijackThis expert.
0
 
LVL 4

Expert Comment

by:jason_woods
ID: 24144310
Not to push the issue too far, but are you saying that Malwarebytes, fully updated and running in safe mode, did not find this?
Was the only fix for it to use HiJackThis and manually remove the file listed?
Did any other utility find anything?

This post will be quite useless for others to read without knowing the steps you took. If the only steps were to talk to a sysinternals guide then, please, let us know.
0
 

Author Comment

by:msklein
ID: 24144415
Jason,
Yes, that's exactly what I'm saying.  Malwarebytes, fully updated and running in safe mode, did not find this; nor did the latest versions of Spybot Search & Destroy and Trend Micro PC-Cillin.  After finding the post(s) cited, I did the following:
1. I ran Sysinternals AutoRuns and clicked on a Registry entry displayed to run Regedit.
2. I navigated to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32] and checked the "aux" and "aux1" value strings.  The aux1 had a "funny" value in it, with strange letters and a strange extension, so I deleted it.
3. I ran HijackThis, clicked on the "Open the Misc Tools section", clicked on the "Delete a file on reboot..." and selected the file I found in the "aux1" Registry string.
4. I rebooted the computer and everything was fixed.
No other utility found anything and I didn't talk to any Sysinternals guide.  I located a dead-on relevant post in the Sysinternals forum using a Google search.
I hope that clarifies things.
Michael
0
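The Drivers32 check described in the steps above, as an added example that is not part of the original thread: it parses a `.reg` export of the Drivers32 key from the affected machine and reports values that are absent from, or differ from, an export taken on a known-good machine. The function names, the `EXPECTED_EXT` set and both sample exports are assumptions constructed for illustration.

```python
import ntpath
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
EXPECTED_EXT = {".drv", ".dll", ".acm"}  # assumption: tune to your own baseline
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample exports, not data from the thread. Real regedit
# "Version 5.00" exports are UTF-16: open(path, encoding="utf-16").
BASELINE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
'''
SUSPECT = BASELINE + r'"aux1"="..\\qzxvkw.tmz"' + "\n"

def parse_drivers32(reg_text):
    """Return {value_name: data} for string values under the Drivers32 key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
        elif in_key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[name.lower()] = data
    return values

def audit(suspect_text, baseline_text):
    """Return (name, data, reasons) for entries that deviate from the baseline."""
    baseline = parse_drivers32(baseline_text)
    findings = []
    for name, data in sorted(parse_drivers32(suspect_text).items()):
        reasons = []
        if name not in baseline:
            reasons.append("value not in baseline")
        elif baseline[name].lower() != data.lower():
            reasons.append("data differs from baseline")
        ext = ntpath.splitext(data)[1].lower()
        if ext not in EXPECTED_EXT:
            reasons.append("unexpected extension " + (ext or "(none)"))
        if reasons:
            findings.append((name, data, reasons))
    return findings

if __name__ == "__main__":
    for name, data, reasons in audit(SUSPECT, BASELINE):
        print(f"{name} = {data}: {'; '.join(reasons)}")
```

A flagged entry is a lead for manual review of the referenced file, not proof of infection; legitimate codec and audio driver installs also add Drivers32 values.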
 
LVL 20

Expert Comment

by:MightySW
ID: 24148866
Nice fix.  

Thanks for the clarification.

Please close again and I will not object this time :)

Have a nice day!
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24148883
4) PAQ refund if the Asker answered his/her own question
0
