  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1872

Cannot Run CMD, Regedit or reged32 from Start Run

I have 3 machines on a network having this problem. If I try to run any of the above, the desktop goes blank, then the icons reappear. Seems to be some sort of virus or spyware, as it has spread to 3 machines.

I have run SuperAntiSpyware; it comes up relatively clean, only a few adware cookies. The same problem happens in safe mode.
Ran Symantec antivirus, comes up clean. Can get into the registry using a third-party registry editor, but the usual suspects appear clean.
Ran CCleaner - nothing. Reinstalled SP 3 - still the same problem.
Installed the latest version of AVG and ran a scan with that, still comes up clean.
SuperAntiSpyware is not allowed to update; it tells me the firewall is stopping it, but the firewall on the machine is disabled. We have a corporate firewall, which is not blocking access to the site.

I can run Command from the Start Run menu.

Hijackthis comes up ok.

Tried to rename cmd.exe to oldcmd.exe, but a new copy appears straight away. The version on the machine is the same size as the version on the XP CD.

Any ideas? When it was just one machine I was going to reinstall XP, but can't now with it spreading.
0
Asked: Dancing_homer
1 Solution
 
houssam_ballout Commented:
Download and run combofix:

www.bleepingcomputer.com/combofix/how-to-use-combofix


Save the code below and name it with a .inf extension:

; VArestorepolicies.inf 
; Created by: miekiemoes
; http://miekiemoes.blogspot.com/
 
[Version]
Signature = "$CHICAGO$"
 
[DefaultInstall]
DelReg=Removepolicies
 
[Removepolicies]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowControlPanel
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",StartMenuAdminTools
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowRun
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowSearch
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowHelp
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",StartMenuFavorites
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowRecentDocs
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyDocs
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyPics
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyComputer
HKCU,"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",Start_ShowMyMusic
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoToolbarCustomize
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoDrives
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",StartMenuLogoff
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoStartMenuMorePrograms
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",NoSetFolders
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableRegistryTools
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableTaskMgr
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableCMD
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System",NoDispCPL
HKCU,"Software\Policies\Microsoft\Windows\System",DisableCMD
HKCU,"Software\Policies\Microsoft\Internet Explorer\Restrictions",NoBrowserOptions


0
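A triage helper for the fix above, added here as an example and not part of the original answer or of miekiemoes's script: it lists which of the values the INF's DelReg section would delete are actually set in a `.reg` export of a profile, so the restrictions found on each machine can be recorded before they are removed. The sample INF excerpt, the sample export and the function names are constructed for illustration.

```python
import csv
import re
# Constructed excerpt of the INF posted above: same sections, three of its entries.
SAMPLE_INF = r'''[DefaultInstall]
DelReg=Removepolicies
[Removepolicies]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableRegistryTools
HKCU,"Software\Microsoft\Windows\CurrentVersion\Policies\System",DisableTaskMgr
HKCU,"Software\Policies\Microsoft\Windows\System",DisableCMD
'''
# Constructed .reg export of a hypothetical profile (not data from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
'''
ROOTS = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

def sections_of(text):
    """Map lowercased [section] name to its lines; INF and .reg share this layout."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif line and not line.startswith(";") and current is not None:
            current.append(line)
    return sections

def delreg_targets(inf_text):
    """(full key, value name) pairs that [DefaultInstall]'s DelReg sections delete."""
    sections, targets = sections_of(inf_text), []
    for line in sections.get("defaultinstall", []):
        name, _, rhs = line.partition("=")
        wanted = rhs.split(",") if name.strip().lower() == "delreg" else []
        for entry in (e for s in wanted for e in sections.get(s.strip().lower(), [])):
            fields = [f.strip() for f in next(csv.reader([entry]))]
            if len(fields) >= 3:  # root, subkey, value name
                targets.append((ROOTS.get(fields[0].upper(), fields[0]) + "\\" + fields[1], fields[2]))
    return targets

def restrictions_present(inf_text, reg_text):
    """INF targets that are set in the export, as (key, value name, raw data)."""
    exported, hits = sections_of(reg_text), []
    for key, name in delreg_targets(inf_text):
        for line in exported.get(key.lower(), []):
            m = re.match(r'"(.*?)"=(.*)', line)
            if m and m.group(1).lower() == name.lower():
                hits.append((key, name, m.group(2)))
    return hits
```

Version 5.00 `.reg` exports are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `restrictions_present`.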
 
segurah Commented:
Try to boot from a CD with utilities (Hiren's Boot CD) and scan the machine: http://www.9down.com/Hiren-s-BootCD-9-8-Keyboard-Patch-73110/
0
 
nobus Commented:
Hiren's CD is illegal - should not be recommended on EE.
I suggest running ALL these:
Spybot: http://www.download.com/3000-8022-10122137.html
MBAM: http://www.malwarebytes.org/mbam.php
http://housecall.trendmicro.com/ - online scan for trojans
http://www.spychecker.com/program/hijackthis.html - download
http://www.hijackthis.de/index.php?langselect=english - check the logfile
0
 
Dancing_homer (Author) Commented:
Thanks Houssam, that solved it. Have done two machines, now going to do the last one. Thanks for your help.
0
 
houssam_ballout Commented:
You are most welcome, mate.
0
