Solved

cmd.exe and regedit.exe open and immediately close again

Posted on 2009-04-15
14
Medium Priority
3,890 Views
Last Modified: 2012-06-27
When I open cmd.exe from the Start | Run menu the command prompt flashes open and then the whole desktop blinks, the command prompt closes and explorer seems to reload.  As if you kill explorer.exe in task manager and start another instance.
The machine has only started doing this in the last week or so.
It's running XP Pro with SP2 with the latest patches.
It runs behind a firewall and under Trend Micro Worry Free Business.
I have spent 20 hours or so scanning with a variety of tools run from Safe mode, following advisories from the internet.  
If I run cmd.exe from the system32 directory using Run As administrator it works, but running it as my user, which is administrator equiv I get the above behaviour.
I'm an IT guy, not a complete knucklehead, but I'm out of ideas on this one.
Any ideas?  Thanks.
0
Comment
Question by:bgrsyd
12 Comments
 
LVL 3

Expert Comment

by:scwoa
ID: 24165076
Get autoruns from sysinternals (microsoft)   and see what is running at startup.   http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx   

A lot of the un-signed items are suspicious, but not all.   Delete entries that look suspicious.    This is a judgement call...

Get malwarebytes and run it, if you haven't already.    www.malwarebytes.com

Check for more than one copy of cmd.exe on the drive, and also the shortcut, also check the permissions on the file, see if they changed.
Check in c:\windows & c:\windows\system32 and look for files that changed in the last week.   Then google them and see if they are spyware.

Find an original XP SP 2 Disk, and copy in cmd.exe and regedit, then mark them as read-only.  

Or just give up and format and reinstall.   :)
0
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24177056
While following the above advice with Autoruns, I would strongly suggest just to disable suspicious items, not delete them.
Also, if in doubt, please save the program log as autoruns.arn, rename to Autoruns.txt & attach here.
From the routine of periodically terminating cmd & regedit, I would guess this is the action of a trojan infection or some variant of Brontok or a similar worm; you can recover from it using the below link:
Microsoft Malicious Software removal tool
finally if Malwarebytes as already suggested did not do the trick, please post a hijack this log.



0
 

Author Comment

by:bgrsyd
ID: 24211745
Thanks for the suggestions.
I've tried all the above and I can find nothing suspicious.  I have seen this before on other machines, but it's always been a resident program or a changed registry.
I have replaced cmd.exe and regedit.exe directly from the CD and flagged them read only.
Also the symptoms are the same if you start in Safe Mode.

This is a brand new HP workstation about 3 months old, always lived behind the firewall and always had current Anti-Everything, but clearly it's caught something in the last few weeks.

I have attached a HijackThis log from.

I'd love to avoid rebuilding this machine for all the usual reasons.

Thanks again for your help.
Bruce.
hijackthis.log
0
 

Author Comment

by:bgrsyd
ID: 24238020
Sorry I've taken so long to respond to the suggestions, but they aren't 5 minute jobs and the issue is on a busy production machine.
Does anyone have any further ideas?
The machine scans clean with everything suggested and more; I have uploaded a HijackThis log on the previous post.
The machine also exhibits redirect issues when you follow a link on a Google search: you often end up at an advertising site rather than the target link.
Any further suggestions would be greatly appreciated.
Thanks and regards,
Bruce.
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 24238357
(Hijackthis log looks to be ok)

please follow the information provided here.
http://www.updatexp.com/windows-xp-chkdsk.html

You want to run a chkdsk.
This will hopefully find and repair anything that has gone bad.

You sound as if your system is becoming or is already corrupted.
Hopefully the Chkdsk will help.

Good Luck
Carrzkiss
0
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 2000 total points)
ID: 24238504
A lot of nasties can hide from a Hijackthis scan these days.

Try Combofix and show us the logfile please. If it doesn't run at first, redownload it but rename before saving the file.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24238892
Copy the following three lines, and paste them into a start>run>cmd window, and hit enter.

reg query "hklm\software" >c:\reg.txt
reg query "hkcu\software" >>c:\reg.txt
notepad c:\reg.txt

Paste the output of the text file here please......
0
 

Author Comment

by:bgrsyd
ID: 24239580
Thanks for your suggestions.
I've attached the registry output johnb6767 requested.
reg.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24241173
Could also be that the Path Environment variable is not set right, if it's wrong then we can use FixPath2 to fix it.

run regedt32 and navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
In the right pane check the Path if the data type is correct, it should be --> REG_EXPAND_SZ and not REG_SZ



OR: run the below batch file and post the result.
Copy and paste the bold text below into notepad.
Save this as look.bat , choose to save as *All files and place it on your desktop. Then doubleclick on the "look.bat" and show us the result.

C:\Windows\system32\reg.exe query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /s >> look.txt
start notepad look.txt

0
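As an added example that is not from the thread: a small Python script that parses the plain-text output of the reg.exe query commands posted above (johnb6767's reg.txt and rpggamergirl's look.txt) and applies the Path check from this post, flagging a Path value whose type is REG_SZ instead of REG_EXPAND_SZ or that no longer lists %SystemRoot%\system32. The sample output is constructed and the function names are my own.

```python
import re
# Constructed sample of `reg.exe query "...\Session Manager\Environment" /s` output
# (the look.txt in the thread); Path is deliberately REG_SZ and lacks system32.
SAMPLE_LOOK_TXT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    ComSpec    REG_EXPAND_SZ    %SystemRoot%\system32\cmd.exe
    Path    REG_SZ    C:\Program Files\Example Tool;%SystemRoot%
    PATHEXT    REG_SZ    .COM;.EXE;.BAT;.CMD;.VBS;.JS
    windir    REG_EXPAND_SZ    %SystemRoot%
"""

# Value line: indent, name, type, data (tab-separated on XP, spaces on later
# Windows). Assumes value names contain no whitespace, true for this key.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg.exe query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():       # unindented line starts a new key
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys

def check_environment(keys):
    """Apply the thread's Path checks; return a list of findings (empty = OK)."""
    env_key = next((k for k in keys
                    if k.lower().endswith(r"session manager\environment")), None)
    if env_key is None:
        return ["Session Manager\\Environment key not found in output"]
    # Registry value names are case-insensitive, so accept Path or PATH.
    path = next((v for n, v in keys[env_key].items() if n.lower() == "path"), None)
    if path is None:
        return ["Path value is missing from the Environment key"]
    findings = []
    vtype, data = path
    if vtype != "REG_EXPAND_SZ":
        findings.append(f"Path type is {vtype}, expected REG_EXPAND_SZ")
    entries = {e.strip().lower() for e in data.split(";") if e.strip()}
    if r"%systemroot%\system32" not in entries:
        findings.append("Path does not contain %SystemRoot%\\system32")
    return findings
```

Run it against a real look.txt by reading the file and passing its contents to parse_reg_query; an empty findings list means the Path value is typed and populated as expected.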
 
LVL 4

Expert Comment

by:satyan1894
ID: 24241924
downloaded to USB drive (seems to be important) ComboFix and SmitFraudFix
- restart in Safe mode with Networking
- run ComboFix from USB drive, followed instructions
- restarted in Normal mode, finished ComboFix cleanup
- restarted again in Safe mode with Networking, run SmitFraudFix, option 2 (Clean)
- http://siri.urz.free.fr/Fix/SmitfraudFix.exe
- First update it and then search and remove the infections
- after SmitFraudFix was done, closed it and tested Run-> cmd and this time
it should work OK
- restarted in normal mode, RUn -> cmd should work as well.

Sure this would help you.
0
 

Author Closing Comment

by:bgrsyd
ID: 31575783
This resolved the cmd and regedit issues, and remarkably found stuff a number of other scanners didn't so it's all good.
Thanks heaps rpggamergirlpulp, this has saved me a full week in manually rebuilding the PC.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24257360
That's great!
If everything is fine you may uninstall it later

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u

The above process will remove Combofix and its files, delete the created backup and reset System Restore.

Thanks!
0
