cmd.exe and regedit.exe open and immediately close again

Posted on 2009-04-15
Last Modified: 2012-06-27
When I open cmd.exe from the Start | Run menu the command prompt flashes open and then the whole desktop blinks, the command prompt closes and explorer seems to reload.  As if you kill explorer.exe in task manager and start another instance.
The machine has only started doing this in the last week or so.
It's running XP Pro with SP2 with the latest patches.
It runs behind a firewall and under Trend Micro Worry Free Business.
I have spent 20 hours or so scanning with a variety of tools run from Safe mode, following advisories from the internet.  
If I run cmd.exe from the system32 directory using Run As administrator it works, but running it as my user, which is administrator equiv, I get the above behaviour.
I'm an IT guy, not a complete knucklehead, but I'm out of ideas on this one.
Any ideas?  Thanks.
Question by:bgrsyd
    LVL 3

    Expert Comment

    Get autoruns from sysinternals (microsoft) and see what is running at startup.

    A lot of the un-signed items are suspicious, but not all. Delete entries that look suspicious. This is a judgement call...

    Get malwarebytes and run it, if you haven't already.

    Check for more than one copy of cmd.exe on the drive, and also the shortcut, also check the permissions on the file, see if they changed.
    Check in c:\windows & c:\windows\system32 and look for files that changed in the last week.   Then google them and see if they are spyware.

    Find an original XP SP 2 Disk, and copy in cmd.exe and regedit, then mark them as read-only.  

    Or just give up and format and reinstall.   :)
    LVL 23

    Expert Comment

    While following the above advice with Autoruns, I would strongly suggest just to disable suspicious items, not delete them.
    Also if in doubt, please save the program log as autoruns.arn, rename to Autoruns.txt & attach here.
    From the routine of periodically terminating cmd & regedit, I would guess this is the action of a trojan infection or some variant of Brontok or a similar worm; you can recover from it using the below link
    Microsoft Malicious Software removal tool
    Finally if Malwarebytes as already suggested did not do the trick, please post a HijackThis log.


    Author Comment

    Thanks for the suggestions.
    I've tried all the above and I can find nothing suspicious.  I have seen on other machines this before but it's always been a resident program or a changed registry.
    I have replaced cmd.exe and regedit.exe directly from the CD and flagged them read only.
    Also the symptoms are the same if you start in Safe Mode.

    This is a brand new HP workstation about 3 months old, always lived behind the firewall and always had current Anti-Everything, but clearly it's caught something in the last few weeks.

    I have attached a HijackThis log from.

    I'd love to avoid rebuilding this machine for all the usual reasons.

    Thanks again for your help.

    Author Comment

    Sorry I've taken so long to respond to the suggestions, but they aren't 5 minute jobs and the issue is on a busy production machine.
    Does anyone have any further ideas?
    The machine scans clean with everything suggested and more; I have uploaded a HijackThis log on the previous post.
    The machine also exhibits redirect issues when you follow a link on a Google search; you often end up at an advertising site rather than the target link.
    Any further suggestions would be greatly appreciated.
    Thanks and regards,
    LVL 30

    Expert Comment

    by: Wayne Barron
    (HijackThis log looks to be ok)

    Please follow the information provided here.

    You want to run a chkdsk.
    This will hopefully find and repair anything that has gone bad.

    It sounds as if your system is becoming or is already corrupted.
    Hopefully the chkdsk will help.

    Good Luck
    LVL 47

    Accepted Solution

    A lot of nasties can hide from a Hijackthis scan these days.

    Try Combofix and show us the logfile please. If it doesn't run at first, redownload it but rename before saving the file.

    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

    LVL 66

    Expert Comment

    Copy the following three lines, and paste them into a Start > Run > cmd window, and hit enter.

    reg query "hklm\software" >c:\reg.txt
    reg query "hkcu\software" >>c:\reg.txt
    notepad c:\reg.txt

    Paste the output of the text file here please.

    Author Comment

    Thanks for your suggestions.
    I've attached the registry output johnb6767 requested.
    LVL 47

    Expert Comment

    Could also be that the Path Environment variable is not set right, if it's wrong then we can use FixPath2 to fix it.

    Run regedt32 and navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    In the right pane check whether the data type of Path is correct; it should be --> REG_EXPAND_SZ and not REG_SZ

    OR: run the below batch file and post the result.
    Copy and paste the bold text below into notepad.
    Save this as look.bat , choose to save as *All files and place it on your desktop. Then doubleclick on the "look.bat" and show us the result.

    C:\Windows\system32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /s >> look.txt
    start notepad look.txt
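As an added example (not code from the thread), here is a small Python script that parses the look.txt produced by the batch file above and applies the check described in this post: the Path value must be REG_EXPAND_SZ and must still contain the system32 directory where cmd.exe and regedit.exe live. The embedded reg query output is constructed, and parse_reg_query / check_environment_path are names chosen here.

```python
import re

# Constructed sample of `reg query "...\Session Manager\Environment" /s` output, as
# look.bat writes it to look.txt. Path is deliberately REG_SZ so the check flags it.
SAMPLE_LOOK_TXT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    ComSpec    REG_EXPAND_SZ    %SystemRoot%\system32\cmd.exe
    Path    REG_SZ    C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT    REG_SZ    .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    windir    REG_EXPAND_SZ    %SystemRoot%
"""

# A value line is "<indent>Name<sep>REG_TYPE<sep>Data". XP's reg.exe separates fields
# with a tab, newer versions with four spaces; data may contain spaces, so it takes the rest.
VALUE_RE = re.compile(r"^(?:\t|\s{2,})(\S.*?)(?:\t|\s{2,})(REG_[A-Z_]+)(?:\t|\s{2,})(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):          # key header lines are not indented
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, vtype, data = m.groups()
                keys[current][name] = (vtype, data)
    return keys

def check_environment_path(keys):
    """Apply the post's check to the machine-wide Path value and return findings."""
    env = next((k for k in keys if k.lower().endswith(r"session manager\environment")), None)
    if env is None:
        return ["Session Manager\\Environment key not present in output"]
    if "Path" not in keys[env]:
        return ["Path value missing from Environment key"]
    vtype, data = keys[env]["Path"]
    findings = []
    if vtype != "REG_EXPAND_SZ":
        findings.append(f"Path has type {vtype}, expected REG_EXPAND_SZ")
        if "%" in data:  # %SystemRoot% etc. are never expanded in a REG_SZ value
            findings.append("Path contains %variables% that will not expand")
    entries = [e.strip().lower() for e in data.split(";") if e.strip()]
    if not any(e.endswith("system32") for e in entries):
        findings.append("Path no longer includes the system32 directory")
    return findings
```

To run it against a real capture, feed the file contents in: check_environment_path(parse_reg_query(open("look.txt").read())).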

    LVL 4

    Expert Comment

    Downloaded to USB drive (seems to be important) ComboFix and SmitFraudFix
    - restart in Safe mode with Networking
    - run ComboFix from USB drive, followed instructions
    - restarted in Normal mode, finished ComboFix cleanup
    - restarted again in Safe mode with Networking, run SmitFraudFix, option
    - First update it and then search and remove the infections
    - after SmitFraudFix was done, closed it and tested Run -> cmd and this time it should work OK
    - restarted in normal mode, Run -> cmd should work as well.

    Sure this would help you.

    Author Closing Comment

    This resolved the cmd and regedit issues, and remarkably found stuff a number of other scanners didn't so it's all good.
    Thanks heaps rpggamergirlpulp, this has saved me a full week in manually rebuilding the PC.
    LVL 47

    Expert Comment

    That's great!
    If everything is fine you may uninstall it later.

    To uninstall Combofix:
    Go to Start > Run and 'copy and paste' next command in the field:

    ComboFix /u

    The above process will remove Combofix and its files, delete the created backup and reset System Restore.

