
Command Prompt closes instantly - including hijackthis log

Possible virus

Running XP Pro
run> type cmd hit enter - all icons disappear from the desktop and reappear. Command prompt doesn't show.

Same happens when I click on cmd from C:\WINDOWS\system32 or from all programs etc.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:46:48, on 11/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Shiro SKYPE DECT\USBPhone4Skype.exe
C:\Program Files\IPEVO\Control Center\IPEVO Control Center.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Infection Removal\HijackThis.2.0.2\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [USBPhone4Skype] C:\Program Files\Shiro SKYPE DECT\USBPhone4Skype.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IPEVO Control Center] C:\Program Files\IPEVO\Control Center\IPEVO Control Center.exe -startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HeatMat.local
O17 - HKLM\Software\..\Telephony: DomainName = HeatMat.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HeatMat.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HeatMat.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

End of file - 7572 bytes

2 Solutions
Christian de Bellefeuille (Programmer) commented:
Have you checked the signature of C:\WINDOWS\SYSTEM32\CMD.EXE?
Christian de Bellefeuille (Programmer) commented:
If it's not a virus, I would check the event log in the Administrative Tools of the Control Panel.
Report back the date/timestamp of CMD.EXE.  CMD.EXE may have been corrupted so you can attempt to copy from another machine.

Can you run other apps from c:\windows\system32\...like clipbrd.exe?  I don't think it is a %path% issue since you can't even run it directly from the location.

Does typing


instead of


get you a command prompt?
You might try running SFC /SCANNOW.
SFC SCANNOW takes about fifteen minutes and requires your OS CD.
Just insert your CD while holding down Shift to prevent autorun.
Release the Shift key after about ten seconds.
Then click Start and in the Run field type SFC /SCANNOW and select OK.
SFC SCANNOW directions/screenshots

These entries are unnecessary and can be removed.
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
Your log file is clean for all other purposes.
unrealone1 (Author) commented:
@ akahan

Yes when I type command - I get command box
unrealone1 (Author) commented:
@ nhenny2009:
Have you checked the signature of C:\WINDOWS\SYSTEM32\CMD.EXE?

How do I do this?
Christian de Bellefeuille (Programmer) commented:
go in Windows Explorer, find your file (C:\WINDOWS\SYSTEM32\CMD.EXE)
Right click on the file, then choose properties.

Give us some info like who made the program, the file size and all that stuff.  Browse through the tabs, you should find this info.
In the registry.....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Is there a subkey named cmd.exe? If so, kill it......

Log looks fine....

"all icons disappear from the desktop and reappear."

That's a sign Explorer.exe is crashing, which is your Shell....

Check for an Explorer.exe subkey under there as well.....

Also in the registry......

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look for the following values....

Userinit=C:\Windows\system32\userinit.exe, <~~~~ Should look EXACTLY like this, including the comma...

RootRepeal - Rootkit Detector

Under each tab, hit the Scan button, and see if you get any RED files/services/processes/drivers in the list, or just look for the summary, for any hidden files/services/processes/drivers in the lower left hand corner.....
If the Rootkit Detector finds nothing, & the problem is still unresolved, try running Combofix.
Download ComboFix and save to your Desktop >

Before running ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.

Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

Try initially to run Combofix in normal mode, although it works well in normal mode or safe mode.
unrealone1 (Author) commented:
I can't run regedit either.

File size 380kb
file version: 5.1.2600.5512
unrealone1 (Author) commented:

I have just noticed that this only occurs when I logon as a domain user. user1, administrator etc.
It doesn't occur when I log on as a local user. Sorry, I should have mentioned this.

Any ideas why it would do this?
unrealone1 (Author) commented:
Now it sounds like a permissions issue of some sort.  Could you ensure that you don't have any "deny" ACLs on the c:\windows\system32 folder or directly on the cmd.exe file itself.  If you don't, then please ensure that you add domain users to this folder and retry.

Ok, now that seems more like a Policy..... Any GPOs in place?

Error "Registry Editing has been disabled by your administrator"

That the error you are getting?
Interesting; usually when use of "cmd" is barred by a policy restriction, the user gets a message that says something along the lines of "CMD is disabled by your group policy; please check with your administrator," or something like that, rather than having the command just silently close out.

The registry entry affecting "cmd" from the group policy point of view (at least the one I know about) is at:


If "DisableCMD" is set to 1, then the use of the command prompt is disabled, and the user will get the "talk to your administrator" message.
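The comments above ask for several things by hand: the maker and version of cmd.exe, whether an Image File Execution Options subkey exists for cmd.exe or Explorer.exe, whether the Winlogon Userinit value is intact, whether Deny ACLs sit on system32 or cmd.exe, and whether the DisableCMD policy is set for the logged-on user. The script below is an added example, not code from this thread or any of its participants, that collects all of those indicators read-only in one pass. It assumes PowerShell 2.0 (available for XP SP3) run as the affected domain user so that the HKCU checks reflect that user's policy; the registry paths and value names are the standard Windows ones, and the expected Userinit and Shell values are the stock defaults.

```powershell
# Added triage example (not from the thread): read-only collection of the
# indicators discussed above. Assumes PowerShell 2.0 or later, run as the
# affected (domain) user so HKCU checks reflect that user's policy.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Identity of cmd.exe: size, version and vendor from the PE version resource.
$cmd = Get-Item "$env:SystemRoot\System32\cmd.exe"
$vi  = $cmd.VersionInfo
"cmd.exe: {0} bytes, version {1}, company '{2}'" -f $cmd.Length, $vi.FileVersion, $vi.CompanyName
$sig = Get-AuthenticodeSignature $cmd.FullName
"Authenticode status: $($sig.Status)"
# Caveat: Windows system binaries are normally catalog-signed, so older PowerShell
# reports NotSigned for a genuine file. Only a status such as HashMismatch is a
# finding on its own; confirm by comparing a hash against a known-good copy from
# the same Windows build.
if (@('Valid', 'NotSigned') -notcontains $sig.Status) {
    $findings += "cmd.exe signature status: $($sig.Status)"
}

# 2. Image File Execution Options: a 'Debugger' value under an <exe> subkey makes
#    Windows start that program instead of the requested one.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'cmd.exe', 'explorer.exe', 'regedit.exe') {
    $key = Join-Path $ifeo $exe
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty $key).Debugger
        $detail = if ($dbg) { " with Debugger='$dbg'" } else { ' (no Debugger value)' }
        $findings += "IFEO subkey exists for $exe$detail"
    }
}

# 3. Winlogon: anything appended to Userinit or Shell runs at every logon.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($wl.Userinit -ne $expectedUserinit) {
    $findings += "Winlogon Userinit is '$($wl.Userinit)' (expected '$expectedUserinit')"
}
if ($wl.Shell -ne 'Explorer.exe') {
    $findings += "Winlogon Shell is '$($wl.Shell)' (expected 'Explorer.exe')"
}

# 4. Explicit Deny ACEs on the folder or the file (the permissions theory).
foreach ($path in "$env:SystemRoot\System32", $cmd.FullName) {
    $denies = (Get-Acl $path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    foreach ($d in $denies) {
        $findings += "Deny ACE on ${path}: $($d.IdentityReference) $($d.FileSystemRights)"
    }
}

# 5. Per-user policy values. User Configuration GPOs land in HKCU, which fits a
#    symptom that appears only for domain logons. DisableCMD: 1 = prompt and batch
#    files blocked, 2 = prompt blocked but batch files allowed.
#    DisableRegistryTools: 1 = regedit blocked.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';               Name = 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty $c.Path).($c.Name)
    if ($v) { $findings += "$($c.Name)=$v at $($c.Path)" }
}

# 6. Recent crashes of the shell or cmd.exe in the Application log, since icons
#    disappearing and reappearing is Explorer restarting.
Get-EventLog -LogName Application -EntryType Error -Newest 200 |
    Where-Object { $_.Source -eq 'Application Error' -and $_.Message -match 'explorer\.exe|cmd\.exe' } |
    Select-Object TimeGenerated, Message

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each section only reads; nothing is changed. A hit in section 5 explains a silent failure less well than a hit in sections 2 or 3, because, as noted above, the DisableCMD policy normally produces an explicit "disabled by your administrator" message rather than a window that closes at once, so a policy finding should be read alongside the IFEO and Winlogon results rather than as the whole answer.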
unrealone1 (Author) commented:
Thanks for your suggestions, but I haven't done any further alterations.

I noticed there were a lot of updates missing. So I installed them 25+ from windows update site, I still haven't installed sp3.

And the problem has gone away, cmd opens fine, so does regedit. Has anyone got any idea why an update would make it work suddenly?
Those updates replace a lot of Windows system files with newer versions.  Perhaps one of your Windows system files that was needed for "cmd" to operate properly was corrupted, and happened to get replaced by one of the updates.

Another possibility is that your problem was caused by malware; those updates probably included updated versions of the Windows Malicious Software Removal Tool; that tool will run as part of the reboot after the updates are installed, and will attempt to remove the malware it knows about.  

You can also run the tool manually by typing


in the Start/Run box (same place you were typing "cmd").
By the way -- if you haven't installed SP3, any idea why your hijackthis log says you're running SP3?

unrealone1 (Author) commented:
Great Thank you