Windows cannot find 'cmd'
Join Date: Aug 2005
Posts: 4
Reputation:
Solved Threads: 0
My PC has Windows XP/SP2 and I can no longer run cmd.exe using any of these:
1. Start\Run\cmd
or
Start\Run\cmd.exe
or
Start\Run\C:\WINDOWS\system32\cmd.exe
These will get me this error:
Windows cannot find 'cmd'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
I have the same problem running Manage by right-clicking the My Computer icon.
Does anyone have any ideas?
Thanks!
Join Date: Aug 2007
Posts: 10
Reputation:
Solved Threads: 0
Try logging in using another username, if possible, then try to run cmd via Start > Run > cmd;
see what happens, let us know.
btw, what do you have in the directory C:\windows\system32\cmd.exe ?
If not possible, please download this Hijack tool from this site: www.majorgeeks.com/download5554.html and save it to the Desktop.
Then double-click it (it doesn't need installation) and select the 'Do a systemscan and save logfile' tab. As soon as it finishes, it will produce a logfile (in Notepad); either copy-paste the content here or attach it here (it is saved under C:\Program Files\Trendmicro\HijackThis\HijackThis.txt).
WARNING:
Don't click or do anything while HijackThis is doing a scan, or else it may cause your computer to stall and must be rebooted.
Last edited by eagerJO; Apr 5th, 2008 at 4:49 am.
Join Date: Aug 2005
Posts: 4
Reputation:
Solved Threads: 0
1- I tested it with a new user and still have the problem.
2- When I want to see C:\windows\system32\cmd.exe, I get the error again.
3- This is the HijackThis log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:51 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\maryam\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazemjoon.mihanblog.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.3.90:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Windows] C:\WINDOWS\system32\Kernel.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: Oracleora9iTNSListener - Unknown owner - D:\Oracle\product\9.2.0.1.0\ora9i\BIN\TNSLSNR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 6266 bytes
Thanks,
Join Date: Aug 2007
Posts: 10
Reputation:
Solved Threads: 0
Hi maryamj
It looks like you only use one browser, Internet Explorer, on your PC. IE is quite vulnerable to virus/spyware/malware attacks. However, I don't see any dangerous application running in your logfile (or is it me who is not good at reading logfiles?). Quite confusing...
Anyway, I don't see any antispyware running on your PC. Hmm, that's quite risky!
Try installing these spyware/malware removal tools:
Ad-aware: http://www.lavasoft.de/
AVG-AS : http://www.ewido.net/en/
There is a free version of Ad-aware; but for AVG-AS, you can only use the resident shield, which is real-time scanning, for 30 days.
Install and do a scan with both of them, delete/move to vaults any file(s) found by them. Then let us know the updated behaviour of your PC.
PS:
1. Could you please let us know what had happened before the cmd disappeared?
2. After installing ad-aware, you might be asked to reboot and update first, after booting, your pc might be a bit slower than usual. This is ok.
3. Try running the cmd from Task Manager,
CTRL+ALT+DEL>New Task>choose from the list or use the browse button to navigate it to the corresponding folder.
Jo.
Join Date: Aug 2005
Posts: 4
Reputation:
Solved Threads: 0
I have the problem with a lot of shortcut files:
when I want to open the Windows Services utility from Administrative Tools, it shows me this error:
"windows cannot find 'c:\windows\system32\servises.msc'.Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."
Join Date: Aug 2007
Posts: 10
Reputation:
Solved Threads: 0
Hi maryamj,
From the HijackThis logfile, Windows services are actually running... quite weird if you can't open Windows utility files.
I gotta be offline soon enough and will be offline for a couple of days. I notice that the forum here is quite passive in responding to threads.
I'd recommend you go to this forum:
register yourself, read the rules, post a new thread by describing the behaviour of your pc under Microsoft Support and your corresponding OS in that forum. That forum is a lot more active. You can also give the link in that forum which directs to the thread here so that the moderator/administrator/computer experts/enthusiasts can have a glimpse of what you have been through.
But before you do so, please complete the scanning and moving-to-vault/quarantine any infections found by the antispyware/malware tools given before.
Sorry for not being quite helpful to you, maryamj.
Dear Moderator,
Sorry if I refer this person to other forum, as it can help her better and faster, at least.
Hope you don't mind.
Jo.
Last edited by crunchie; May 31st, 2008 at 10:23 pm. Reason: Removed link. Keep it onsite please
Join Date: May 2008
Posts: 1
Reputation:
Solved Threads: 0
Posting this in hopes it will be helpful to later users:
Yes, this activity can be caused by viruses, spyware, etc. Get a good anti-virus and clean everything up! I used Vexira. I had Backdoor.Win32.Hupigon.gpm
It puts a hidden autorun in the root of every Disk Drive, and on USB keys, which is how it travels.
You will have to enable viewing hidden files, and a couple boxes under that, uncheck "protect windows system files"
Vexira detected and cleaned all these up. Be sure you get your USB keys cleaned too!
It does leave annoying little folders called ..runauto in the root. I used the "unlocker" tool to delete these, although they are clean now. http://ccollomb.free.fr/unlocker/
Be sure that the autorun.pif file is deleted from the root of all the drives. This will cause your windows drives to not load from My Computer until after you reboot.
After all that cleaning, I still couldn't use cmd.exe, regedit.exe, etc.
I have figured out the fix for the programs that were disabled by the virus.
Back up your registry first, just in case.
It takes advantage of a debug option in the registry. I have emergency utils that give me a copy of regedit.exe so I can edit the registry.
http://www.dougknox.com/xp/utils/xp_emerutils.htm
Look here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
cmd.exe etc.
Under each of the .exe files that doesn't work, there is a handle called "Debugger" with the value set to "setuprs1.PIF" on mine. Delete the entire debugger entry.
If your name is the same, you can just search for all instances of setuprs1.pif, and delete them all.
This guy explains how it works. So any of those programs were actually set to install the virus again. But of course, the real program couldn't be found. And after the virus program cleaned out the .pifs, there was nothing there. It's interesting that you can actually use a completely different program so easily ... under the name cmd.exe .... NO WONDER viruses use it!
http://geekswithblogs.net/ssimakov/a.../22/26930.aspx
Good luck!
Image File Execution options key as an Attack Vector on Windows
Dana Epp posted an interesting article about using Image File Execution Options in the Windows registry to redirect process loading:
By simply mapping the executable name to a different debugger source, you can actually load something else entirely.
Let me give you a proof of concept:
Start the Registry Editor: Click Start, click Run, and then type regedt32.
Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
To this hive, add the SOURCE exe as a key. Let's use notepad.exe: right-click and select New, and then Key (add the key and name it notepad.exe)
To the notepad.exe key, add a new REG_SZ (string) value called Debugger, and point it to c:\windows\system32\cmd.exe
Start up notepad (Click Start, click Run, and then type notepad)
Notice that a new cmd window opened instead [more in Dana's blog entry]
BTW, Mark Russinovich's ProcessExplorer is using this technique to replace default Task Manager (check your HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe key)
Join Date: Jul 2009
Posts: 1
Reputation:
Solved Threads: 0
Thanks dwlorimer.
This worked a treat.
I just exported the "Image File Execution Options" key to a file, opened it in Notepad, replaced the debugger line with "setuprs1.PIF" in it with a blank line, and saved the file. Then I deleted the "Image File Execution Options" key completely and merged the file with the registry, and Bob's your uncle, it all works again.
Thanks again
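The registry check and cleanup described in the posts above, as an added example that is not part of the original thread: it reads the decoded text of a `.reg` export of the Image File Execution Options key, lists every `Debugger` value, and builds a small `.reg` file that deletes only the unexpected ones instead of dropping and re-merging the whole key. The sample export, the `C:\Tools\procexp.exe` path and the function names are constructed for illustration; `setuprs1.PIF` is the value reported in the thread.

```python
import re

# Registry path named in the thread; key names are case-insensitive.
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def find_debuggers(reg_text):
    """Return [(image_name, full_key, debugger)] for every Debugger value
    under an IFEO subkey in decoded .reg export text."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        if not key.lower().startswith(IFEO.lower() + "\\"):
            continue
        if _unescape(m.group(1)).lower() != "debugger":
            continue
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])  # REG_SZ; other types are kept raw
        findings.append((key[len(IFEO) + 1:], key, data))
    return findings


def needs_review(findings, expected):
    """Keep findings whose debugger is not the one the administrator expects
    for that image. `expected` maps lower-case image name -> debugger path."""
    flagged = []
    for image, key, dbg in findings:
        want = expected.get(image.lower())
        if want is None or want.lower() != dbg.strip('"').lower():
            flagged.append((image, key, dbg))
    return flagged


def build_fix(flagged):
    """Build .reg text that deletes only the flagged Debugger values
    ("name"=- removes a value) and leaves other IFEO settings alone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for _image, key, _dbg in flagged:
        lines += ["[" + key + "]", '"Debugger"=-', ""]
    return "\r\n".join(lines)


# Constructed sample export (not taken from any real machine).
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + IFEO + "]", "",
    "[" + IFEO + r"\cmd.exe]", r'"Debugger"="setuprs1.PIF"', "",
    # Same path with different casing, as it appears in one of the posts.
    "[" + IFEO.replace("SOFTWARE", "Software") + r"\regedit.exe]",
    r'"Debugger"="setuprs1.PIF"', "",
    # Deliberate task manager replacement; the install path is an assumption.
    "[" + IFEO + r"\taskmgr.exe]",
    r'"Debugger"="\"C:\\Tools\\procexp.exe\""', "",
    # A subkey with no Debugger value is not reported.
    "[" + IFEO + r"\example.exe]", '"GlobalFlag"=dword:00000200', "",
])

# Debuggers the administrator installed on purpose (assumed for the sample).
EXPECTED = {"taskmgr.exe": r"C:\Tools\procexp.exe"}

if __name__ == "__main__":
    flagged = needs_review(find_debuggers(SAMPLE_EXPORT), EXPECTED)
    for image, _key, dbg in flagged:
        print("review:", image, "->", dbg)
    print(build_fix(flagged))
```

Exports written by regedit are UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing its text to `find_debuggers`.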