cmd.exe and regedit.exe open and immediately close again

When I open cmd.exe from the Start | Run menu the command prompt flashes open and then the whole desktop blinks, the command prompt closes and explorer seems to reload.  As if you kill explorer.exe in task manager and start another instance.
The machine has only started doing this in the last week or so.
It's running XP Pro with SP2 with the latest patches.
It runs behind a firewall and under Trend Micro Worry Free Business.
I have spent 20 hours or so scanning with a variety of tools run from Safe mode, following advisories from the internet.  
If I run cmd.exe from the system32 directory using Run As administrator it works, but running it as my user, which is administrator equiv I get the above behaviour.
I'm an IT guy, not a complete knucklehead, but I'm out of ideas on this one.
Any ideas?  Thanks.

Get autoruns from sysinternals (microsoft)   and see what is running at startup.   

A lot of the un-signed items are suspicious, but not all.   Delete entries that look suspicious.    This is a judgement call...

Get malwarebytes and run it, if you haven't already.

Check for more than one copy of cmd.exe on the drive, and also the shortcut, also check the permissions on the file, see if they changed.
Check in c:\windows & c:\windows\system32 and look for files that changed in the last week.   Then google them and see if they are spyware.

Find an original XP SP 2 Disk, and copy in cmd.exe and regedit, then mark them as read-only.  

Or just give up and format and reinstall.   :)
Mohamed Osama, Senior IT Consultant, Commented:
While following the above advice with Autoruns, I would strongly suggest just to disable suspicious items, not delete them.
Also, if in doubt, please save the program log as autoruns.arn, rename it to Autoruns.txt & attach it here.
From the routine of periodically terminating cmd & regedit, I would guess this is the action of a trojan infection or some variant of Brontok or a similar worm; you can recover from it using the link below.
Microsoft Malicious Software removal tool
Finally, if Malwarebytes, as already suggested, did not do the trick, please post a HijackThis log.

bgrsyd (Author) Commented:
Thanks for the suggestions.
I've tried all the above and I can find nothing suspicious.  I have seen on other machines this before but it's always been a resident program or a changed registry.
I have replaced cmd.exe and regedit.exe directly from the CD and flagged them read only.
Also the symptoms are the same if you start in Safe Mode.

This is a brand new HP workstation about 3 months old, always lived behind the firewall and always had current Anti-Everything, but clearly it's caught something in the last few weeks.

I have attached a HijackThis log from.

I'd love to avoid rebuilding this machine for all the usual reasons.

Thanks again for your help.

bgrsyd (Author) Commented:
Sorry I've taken so long to respond to the suggestions, but they aren't 5 minute jobs and the issue is on a busy production machine.
Does anyone have any further ideas?
The machine scans clean with everything suggested and more, I have uploaded a HijackThis log on the previous post.
The machine also exhibits redirect issues when you follow a link on a Google search, you often end up at an advertising site rather than the target link.
Any further suggestions would be greatly appreciated.
Thanks and regards,
Wayne Barron, Author, Web Developer, Commented:
(Hijackthis log looks to be ok)

please follow the information provided here.

You want to run a chkdsk.
This will hopefully find and repair anything that has gone bad.

It sounds as if your system is becoming or is already corrupted.
Hopefully the Chkdsk will help.

Good Luck
A lot of nasties can hide from a Hijackthis scan these days.

Try Combofix and show us the logfile please. If it doesn't run at first, redownload it but rename before saving the file.

Please download ComboFix by sUBs:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

Copy the following three lines, and paste them into a start>run>cmd window, and hit enter.

reg query "hklm\software" >c:\reg.txt
reg query "hkcu\software" >>c:\reg.txt
notepad c:\reg.txt

Paste the output of the text file here please......
bgrsyd (Author) Commented:
Thanks for your suggestions.
I've attached the registry output johnb6767 requested.
Could also be that the Path Environment variable is not set right, if it's wrong then we can use FixPath2 to fix it.

run regedt32 and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
In the right pane check the Path if the data type is correct, it should be --> REG_EXPAND_SZ and not REG_SZ

OR: run the below batch file and post the result.
Copy and paste the bold text below into notepad.
Save this as look.bat , choose to save as *All files and place it on your desktop. Then doubleclick on the "look.bat" and show us the result.

C:\Windows\system32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /s >> look.txt
start notepad look.txt
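
Added example (not part of the original thread and not any poster's code): a Python script that reads the `reg.exe` output saved by look.bat and flags the Path problem described in the post above, a `REG_SZ` type that leaves `%SystemRoot%` unexpanded. The sample output is constructed, and the function names `parse_reg_values` and `check_path` are assumptions made for this illustration.

```python
import re

# Constructed sample of reg.exe query output as look.bat would save it
# (illustrative values only). Path is deliberately given the wrong type.
SAMPLE_LOOK_TXT = (
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\n"
    "    ComSpec\tREG_EXPAND_SZ\t%SystemRoot%\\system32\\cmd.exe\n"
    "    Path\tREG_SZ\t%SystemRoot%\\system32;%SystemRoot%;%SystemRoot%\\System32\\Wbem\n"
    "    TEMP\tREG_EXPAND_SZ\t%SystemRoot%\\TEMP\n"
)

# Value lines are indented: name, REG_* type, data (tab- or space-separated).
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_values(text):
    """Map lower-cased value name -> (type, data) from reg.exe query output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            name, reg_type, data = match.groups()
            values[name.lower()] = (reg_type, data.strip())
    return values


def check_path(text):
    """Return findings about the Path value; an empty list means no issue found."""
    values = parse_reg_values(text)
    if "path" not in values:
        return ["Path value not found in output"]
    reg_type, data = values["path"]
    findings = []
    if reg_type != "REG_EXPAND_SZ":
        findings.append(f"Path is {reg_type}, expected REG_EXPAND_SZ")
        if "%" in data:
            # Without REG_EXPAND_SZ, %SystemRoot% stays a literal string.
            findings.append("Path contains %variables% that will not be expanded")
    entries = [e.strip().lower().rstrip("\\") for e in data.split(";") if e.strip()]
    if not any(e.endswith("\\system32") for e in entries):
        findings.append("no system32 directory on Path")
    return findings


if __name__ == "__main__":
    for finding in check_path(SAMPLE_LOOK_TXT) or ["Path looks correct"]:
        print(finding)
```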

downloaded to USB drive (seems to be important) ComboFix and SmitFraudFix
- restart in Safe mode with Networking
- run ComboFix from USB drive, followed instructions
- restarted in Normal mode, finished ComboFix cleanup
- restarted again in Safe mode with Networking, run SmitFraudFix, option
- First update it  and then search and remove the infections
- after SmitFraudFix was done, closed it and tested Run-> cmd and this time
it should work OK
- restarted in normal mode, RUn -> cmd should work as well.

Sure this would help you.
bgrsyd (Author) Commented:
This resolved the cmd and regedit issues, and remarkably found stuff a number of other scanners didn't so it's all good.
Thanks heaps rpggamergirlpulp, this has saved me a full week in manually rebuilding the PC.
That's great!
If everything is fine you may uninstall it later

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.
