RUN CMD.EXE causes Explorer to Crash


  • This topic is locked
57 replies to this topic

#1 bfasula

bfasula

  • Members
  • 19 posts

Posted 26 February 2009 - 02:18 PM

Start/Run CMD causes explorer to crash. The task bar disappears and I find "For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp." in the Application Event log. Regedit does the same thing. Double-clicking on a batch file from Windows Explorer does the same thing. Any shortcuts that execute a batch file do the same thing.

I can run COMMAND.COM.

If I copy CMD.EXE to CMD2.EXE, then Start/Run CMD2 opens a DOS window. Regedit and batch files work from this window.

My PATH Environment variable = %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Windows Resource Kits\Tools\;C:\Program Files\Citrix\System32\;C:\Apache\apache-ant-1.7.0\bin;C:\Java\jdk1.5.0_15\bin;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\MySQL\MySQL Server 5.0\bin

Thanks



#2 Charybdis

Charybdis

  • Members
  • 146 posts

Posted 26 February 2009 - 07:26 PM

There's a good chance you have a bad prefetch file (likely virus related). Go to C:\windows\prefetch and delete the contents (you might have to enable viewing of hidden and system files).

I would also download Malwarebytes, update it and give it a quick run.

Edited by Charybdis, 26 February 2009 - 07:33 PM.


#3 bfasula

bfasula
  • Topic Starter

  • Members
  • 19 posts

Posted 27 February 2009 - 04:53 PM

I tried deleting the contents of prefetch but get the same results. I have also run SpyBot, Malwarebytes and Ad-aware.

#4 ziggie216

ziggie216

  • Members
  • 2 posts

Posted 27 February 2009 - 04:59 PM

I'm working on someone's laptop who has the same issue. Try running regedit as well and explorer will crash. New malware?

#5 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests

Posted 27 February 2009 - 05:15 PM

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

  • Registry cleaners can damage the registry by using aggressive cleaning routines. Many users (including some Staff Members) have reported problems after using registry cleaning tools - to include those tools released by Microsoft. This can cause your system to become unbootable.

  • Registry cleaners generally don't do anything significant for your system. This topic discusses it in greater detail than we could address here: http://www.windowsbbs.com/showthread.php?t=61015 Although the topic discusses the XP registry, the concepts there apply to all other versions of Windows.

  • Not all registry cleaners create a backup of your registry before making changes. If the changes prevent the system from booting/logging in, then there's no backup to restore in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

#6 Charybdis

Charybdis

  • Members
  • 146 posts

Posted 27 February 2009 - 08:11 PM

The fact that renaming it runs it really makes me think you have another cmd.exe on your drive. Try searching the Windows folder (with search hidden files and folders enabled) for cmd.exe and see how many hits you get.

#7 vparunak

vparunak

  • Members
  • 4 posts

Posted 28 February 2009 - 11:21 AM

I'm having this problem too, on XP professional. Trying to run any batch file from Windows file explorer (or xplorer2, my two-pane replacement) crashes the explorer. So does trying to run cmd.exe from the explorer. In addition, the taskbar goes away for a few moments, then regenerates itself. Running cmd.exe or regedit from the run command line in Start has the same effect.

As Charybdis suggested, I scanned for cmd.com in c:\WINDOWS and found three instances: C:\WINDOWS\$NtServicePackUninstall$\cmd.exe, C:\WINDOWS\ServicePackFiles\i386\cmd.exe, and C:\WINDOWS\system32\cmd.exe. The lengths and checksums (computed by xplorer2) show that the last two are the same. The crash happens when I run C:\WINDOWS\system32\cmd.exe directly from this location.

I've got another XP Pro system, same update level, and its copy of C:\WINDOWS\system32\cmd.exe, which behaves just fine, has the same length, date, and checksum as the one that crashes file explorer on the bad machine. If my cmd.exe is bad, someone did a very careful job of hiding their steps! In fact, like bfasula, I tried renaming the file and running it, and it works just fine. So it's not the series of bytes in the file that's at fault.

Actually, that's not exactly what bfasula did--I renamed rather than copied, and as a result when I ran it, there was no cmd.exe in c:\WINDOWS\system32. But when I exited from the DOS window that my renamed copy (cmd1.exe) opened, lo and behold, a new cmd.exe appeared right alongside it in my explorer, and when I tried to run that, it misbehaved as before.

I'll be grateful for any help that anyone can give!
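The comparison vparunak describes above (find every copy of cmd.exe, fingerprint each, and compare against a known-good machine) can be scripted. This is an added example, not part of the thread; it uses SHA-256 instead of xplorer2's checksum, and the directory tree and file contents are constructed stand-ins so it runs anywhere.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """(size, SHA-256) of one file; system binaries are small enough to read whole."""
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data), hashlib.sha256(data).hexdigest()

def find_copies(root, name):
    """Every file under root with this name, ignoring case as Windows does."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        hits += [os.path.join(folder, f) for f in files if f.lower() == name.lower()]
    return sorted(hits)

def group_identical(paths):
    """Map each fingerprint to the paths that share it."""
    groups = {}
    for path in paths:
        groups.setdefault(fingerprint(path), []).append(path)
    return groups

def differs_from_reference(paths, reference):
    """Paths whose fingerprint is not the one taken on the known-good machine."""
    return [p for p in paths if fingerprint(p) != reference]

def build_sample_tree(root):
    """Constructed stand-in for the three locations named in the post."""
    layout = {"$NtServicePackUninstall$": b"older build",
              os.path.join("ServicePackFiles", "i386"): b"current build",
              "system32": b"current build"}
    for sub, content in layout.items():
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "cmd.exe"), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        copies = find_copies(root, "CMD.EXE")
        reference = (13, hashlib.sha256(b"current build").hexdigest())  # constructed
        for (size, sha), members in group_identical(copies).items():
            print(size, sha[:16], [os.path.relpath(m, root) for m in members])
        print("differ from reference:", differs_from_reference(copies, reference))
```

When the system32 copy matches the reference, as it did in the post, the file's bytes are ruled out and attention moves to whatever reacts to the file's name.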

#8 Charybdis

Charybdis

  • Members
  • 146 posts

Posted 28 February 2009 - 05:54 PM

My guess is that there is a nasty lurking somewhere (or remnants of not fully removed malware). I would head over to the HijackThis forum and explain what's happening and get them to help you do a scan of your system, because that's the sort of thing I'd be looking for at this stage, and I can't look at it for you because I'm not a member of the HJT team.

In the meantime you can do a little system maintenance yourself.

Checkdisk
start->run->type
chkdsk /r /f /x c:
and click OK. This will check for errors on the HDD.

After that
start->run->type
sfc /scannow
and click OK. This will check the Windows system files and replace them if needed (you will need your Windows CD).

#9 tmongiello

tmongiello

  • Members
  • 11 posts

Posted 28 February 2009 - 06:55 PM

I am having this same issue and have been following this thread all day. I just now registered so I could reply.

I tried just about everything:

Ran roguefix.bat
Ran Malwarebytes
Installed and ran AVG Free edition
ran sfc /scannow
ran CCleaner and removed all temp and garbage files.

I also scanned the registry for known locations where spyware lurks and starts from. I have come up empty.

One more symptom my PC is showing is if you do a Google search in Firefox (3.0.6) it will return valid results, but clicking on those results takes me to various shopping or bogus search sites. I might get to click on 1 or 2 results before the bogus ones show up but they always do.

The only thing I DIDN'T do (as it just dawned on me to try) was to check the HOSTS file and make sure google.com hasn't been redirected somehow. OR install and run HiJackThis. (Totally forgot about that utility).

If anyone has any ideas on how this can be fixed, I would greatly appreciate it.

Tony

#10 patbox

patbox

  • Members
  • 456 posts

Posted 28 February 2009 - 07:06 PM

Make sure you run the CMD from the correct directory. Instead of just "cmd" type the whole route in the Start/Run dialog:

C:\WINDOWS\system32\command.com

or

C:\WINDOWS\system32\cmd

To see what happens.

---

In general, however, it seems you are infected, and should post or check the forum for infected computers. We are not supposed to heal infected computers here, because more damage than good could be done. Anyway, I would start with Start/Run and type mrt for the first check.

Edited by patbox, 28 February 2009 - 07:08 PM.

Message from Patbox: I AM LOOKING FOR A GIRLFRIEND (PM if interested) :-)

#11 tmongiello

tmongiello

  • Members
  • 11 posts

Posted 28 February 2009 - 07:49 PM

I find it amazing that this thread is the ONLY one on the internet (that Google finds, at least) that deals with this issue. I have been searching all day and the only page that references this issue is this one.

#12 patbox

patbox

  • Members
  • 456 posts

Posted 28 February 2009 - 07:53 PM

I find it amazing that this thread is the ONLY one on the internet (that Google finds, at least) that deals with this issue. I have been searching all day and the only page that references this issue is this one.


Seriously, I think that this is a new malware/spyware/virus. It is the first time I noticed that people are coming here with this sort of a problem. It could also be that the anti-malware/anti-virus programs still do not have this new malware/spyware/virus in their definitions. Try to update your definitions tomorrow.

#13 tmongiello

tmongiello

  • Members
  • 11 posts

Posted 28 February 2009 - 08:08 PM

I will try again tomorrow, I hate being stumped. I can honestly say that in the past 2 years, spyware/viruses haven't beaten me. I was able to remove everything I've come across without having to nuke/pave.

The PC I am working on is at my client's office. I've found a few other suggestions on Experts Exchange that I'll try tomorrow.

For everyone else here, this is what I've found:

Via the command.com prompt, type:

ftype exefile="%1" %*

This will restore the default association for exe files, only temporarily if the virus is still active.

#14 vparunak

vparunak

  • Members
  • 4 posts

Posted 28 February 2009 - 08:35 PM

I tried the ftype... maneuver, but it didn't help on my machine.

#15 Dr. WAV

Dr. WAV

  • Members
  • 9 posts

Posted 28 February 2009 - 08:55 PM

I am also experiencing this problem in Windows XP Pro. Whenever I run cmd OR regedit OR batch files, explorer.exe crashes, as evidenced by my taskbar and desktop icons disappearing and then coming back after a second or two.

I've also been experiencing occasional redirects when clicking on search results from Google; this happens in both Opera and Firefox. I have no idea how this is happening, since the redirects happen after arriving at the exact URL that the results give me, since my back button will bring me back to the page I was expecting most of the time.

I believe I first noticed the problem with the redirects Thursday night (Feb 26), but it is subtle enough that I might have seen it sooner.

I have tried running the following to resolve this with no success:

Malwarebytes Anti-Malware
Spybot Search & Destroy
SUPERAntiSpyware
Ad-Aware 2008
Norton Anti-Virus Corporate Edition (my school’s IT department gave it to all students)

I’ve tried to run ComboFix several times but I believe that since cmd is broken it is unable to run. All that happens is a small grey box with the word “ComboFix” in it appears with a progress bar and once it fills up it disappears and does nothing else.

I have also tried renaming cmd.exe to cmd1.exe and running cmd1 and that DOES work.

I checked my hosts file in windows\system32\drivers\etc and all it has is the 127.0.0.1 entry in it.
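The hosts-file check that tmongiello and Dr. WAV mention can be done mechanically rather than by eye. The following is an added example, not part of the thread: it parses hosts-file text and reports every mapping other than loopback `localhost`, marking names under a watched domain. The sample files, the 203.0.113.7 documentation address and the `watched` parameter are constructed assumptions.

```python
import ipaddress

# Constructed samples: a file holding only the loopback entry, as Dr. WAV
# describes, and a tampered variant using a documentation-range address.
CLEAN = "# constructed sample hosts file\n#\n127.0.0.1       localhost\n"
TAMPERED = CLEAN + ("203.0.113.7\twww.google.com google.com  # constructed\n"
                    "0.0.0.0 updates.example.test\n")

def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping; comments are dropped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip inline comments
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        # One line may map several names to the same address.
        entries += [(line_no, ip, name.lower()) for name in fields[1:]]
    return entries

def audit_hosts(text, watched=("google.com",)):
    """List every mapping that is not loopback localhost."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        findings.append((line_no, str(ip), name,
                         "watched" if is_watched else "extra"))
    return findings

if __name__ == "__main__":
    print("clean:", audit_hosts(CLEAN))
    for finding in audit_hosts(TAMPERED):
        print("tampered:", finding)
```

An empty result, as in Dr. WAV's case, rules out the hosts file only; the redirects reported in the thread then have to come from somewhere else.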



