
Windows can't find cmd.exe, msconfig.exe and regedit.exe


36 replies to this topic

#1 Avalon60

Avalon60

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Leeds UK
  • Local time:10:05 PM

Posted 28 March 2015 - 07:06 AM

This has just started to happen on my win8.1 machine.

 

I typed cmd in the search box of the start menu (win8.1), then clicked on it and got a blue band across my monitor saying 'This app cannot run on your PC'
I've never had that before!

So I then right click and select run as Administrator, but then I get another message box telling me that
Windows cannot find
'C:\windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf385ad...\cmd.exe.

For a start cmd.exe is in that location as well as being in the \System32 folder.

I have created 2 shortcuts, 1 for each location, on my desktop and can just click on either and they open up with any errors.

From which location is the correct cmd.exe to use, and why am I getting the said error message.

 

Also, it is the same scenario when I type msconfig.exe and regedit. After right clicking and run as Admin, Windows can't find, etc etc in the same WinSxS folder.

I have scanned my system with Malwarebytes anti malware, SpyBot S&D,  EEK, and AdwCleaner.

 

EEK found 0 adware entries , while AdwCleaner found a few registry entries which were deleted by the program.

 

I have also done a sfc /scannow, and nothing was amiss.

 

I started a new topic in the Am I infected section on the above problems here :

http://www.bleepingcomputer.com/forums/t/569244/windows-cant-find-cmdex-msconfigexe-and-regeditexe/

 

I was asked to start a new topic in this thread due to more problems as described lower down.

 

I used/ran the Windows all in one program and completed the required repairs, but that didn't cure the problem.

Then more or less out of the blue, after I had run other cleaning tools like HijackThis and Runscanner, the problem was cured.

 

Then after a couple of weeks, after I have just very recently updated my hardware, the problem I had previously has returned.

 

I have scanned for malware and spyware using Malwarebytes and Spybot S&D. I have run Emsisoft's Emergency Toolkit 3 times, and have run the Windows repair all in one 3 times, once being in safe mode.

Also I have run AdwCleaner, once in Safe Mode and again in Normal Mode.

 

Each program now shows no malware or spyware anywhere on my system.

 

Each time I try to open cmd, msconfig or regedit, I get this: a blue band across my monitor saying 'This app cannot run on your PC'

 

Also, yesterday I found that right mouse click on any folder crashes or closes windows explorer down. Another  annoying problem was that my permissions on the folders on my home server had been changed, and I could not write to any folder.

 

Last night when I thought I had cured the 2 problems above, I rebooted for some reason, and both problems came back again.

I have also found that on both occasions I had 'omniboxes' on my system, or at least it hijacked Firefox, but I have now removed it, and yet it still appears each time I open up/run Firefox, as a new page. I don't know where it is coming from, as I have searched and cleaned my system as best as I could.

 

Just one thing I should say is that all my data is on a separate drive, and to the best of my knowledge none of the files are giving me problems or infected.


Edited by hamluis, 28 March 2015 - 08:34 AM.
Moved from Win 8 to Am I Infected - Hamluis.



#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,023 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:02:05 PM

Posted 28 March 2015 - 09:46 AM

Broni suggested that you start a new topic in the Malware Removal Logs forum.  He obviously recognized that the malware you have couldn't be addressed properly with the tools allowed in the Am I Infected forum and suggested the new topic where the Malware Removal Team members can use the tools needed to clean your computer.

 

I would suggest that you go back to Broni's suggestion and do what was requested.

 

Once you have opened the new topic a moderator will close this topic in order to prevent confusion that could be created otherwise.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 Avalon60


Posted 28 March 2015 - 10:09 AM

Yes, I know that Broni suggested that. Then after I did start a new thread about the problem, nasdaq told me to start a new thread here, because as it was not a virus nor malware problem it was outside his remit, so to speak.

 

This is a link to that thread:

 

http://www.bleepingcomputer.com/forums/t/570816/windows-cant-find-cmdex-msconfigexe-and-regeditexe-am-i-infected/


Edited by Avalon60, 28 March 2015 - 10:11 AM.


#4 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Staff Emeritus
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:05:05 PM

Posted 28 March 2015 - 10:13 AM

You did start a topic in Malware Removal Logs. That topic is here http://www.bleepingcomputer.com/forums/t/570816/windows-cant-find-cmdex-msconfigexe-and-regeditexe-am-i-infected/

The "new topic" you linked to is not new. In it Broni suggested you follow the prep guide for Malware Removal Logs, which you did.

After working with Nasdaq he suggested you start a new topic in the appropriate OS forum. Instead you posted this topic in Am I Infected.

Because it was suggested that you post in the OS forum I have moved your topic to Windows 8. If necessary you can be referred back to one of the malware removal forums.

#5 Avalon60


Posted 28 March 2015 - 01:10 PM

Ok, confused I will be, lol

 

I thought this was the windows 8 forum, mm, maybe not then.

 

I know he (nasdaq) told me that I should start a new topic in the Windows 7 forum, but I am using Windows 8.1; that is why I posted in the Windows 8 forum.


Edited by Avalon60, 28 March 2015 - 01:27 PM.


#6 dc3


Posted 28 March 2015 - 02:15 PM

@Queen-Evie

 

The header of the FRST scan which nasdaq had Avalon60 run shows that he is running Windows 8.1, so this does belong in the Windows 8 forum.  Nasdaq made an error, it happens.

 

What is missing is this file...  C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_7bcb26c7ee538fe3



 

 

 

 


#7 Avalon60


Posted 28 March 2015 - 03:03 PM

That file is missing from my windows WinSxS\ folder?

 

And you have it in your windows 8 system?



#8 Avalon60


Posted 28 March 2015 - 03:37 PM

I do have that said line here:

 

C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_7bcb26c7ee538fe3

 

It is the 4th line down:

 

================== Search Files: "cmd.exe" =============

1st C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.17415_none_866c6bf6227abe66\cmd.exe
[2014-11-30 17:13][2014-10-29 01:05] 0315392 ____A (Microsoft Corporation) 622D21C40A25F9834A03BFD5FF4710C1 [File is signed]

2nd C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_861fd11a22b451de\cmd.exe
[2013-08-22 02:54][2014-12-03 05:31] 0047195 ____A () 77C9818180EB1AF14A2E019B31EADBAC

3rd C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.17415_none_7c17c1a3ee19fc6b\cmd.exe
[2014-11-30 17:13][2014-10-29 01:28] 0357376 ____A (Microsoft Corporation) F5AE03DE0AD60F5B17B82F2CD68402FE [File is signed]

4th C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_7bcb26c7ee538fe3\cmd.exe
[2013-08-22 10:03][2014-12-03 05:04] 0057589 ____A () 089EDF7CAB7415FCF3D40E35C2530CFF

other lines deleted

====== End Of Search ======

So I don't know/understand how it was missing from where you say.

 


Edited by Avalon60, 28 March 2015 - 03:42 PM.
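
As an added example (not part of the original post, and not FRST's own code), the Python below parses the search output quoted above and lists the entries that carry no "[File is signed]" note or no company name. The sample text is constructed from the four entries in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the four cmd.exe entries quoted in the post above,
# with the poster's "1st".."4th" labels kept.
SAMPLE = r"""
1st C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.17415_none_866c6bf6227abe66\cmd.exe
[2014-11-30 17:13][2014-10-29 01:05] 0315392 ____A (Microsoft Corporation) 622D21C40A25F9834A03BFD5FF4710C1 [File is signed]
2nd C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_861fd11a22b451de\cmd.exe
[2013-08-22 02:54][2014-12-03 05:31] 0047195 ____A () 77C9818180EB1AF14A2E019B31EADBAC
3rd C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.17415_none_7c17c1a3ee19fc6b\cmd.exe
[2014-11-30 17:13][2014-10-29 01:28] 0357376 ____A (Microsoft Corporation) F5AE03DE0AD60F5B17B82F2CD68402FE [File is signed]
4th C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_7bcb26c7ee538fe3\cmd.exe
[2013-08-22 10:03][2014-12-03 05:04] 0057589 ____A () 089EDF7CAB7415FCF3D40E35C2530CFF
"""

PATH = re.compile(r"[A-Za-z]:\\.+$")
META = re.compile(
    r"^\[[^\]]+\]\[[^\]]+\]\s+(?P<size>\d+)\s+\S+\s+"
    r"\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})\s*(?P<signed>\[File is signed\])?$"
)
COMPONENT = re.compile(r"\\WinSxS\\(?P<arch>[^_\\]+)_.+?_(?P<version>\d+(?:\.\d+){3})_", re.I)


def parse_search(text):
    """Pair each path line with the metadata line that follows it."""
    entries, path = [], None
    for line in map(str.strip, text.splitlines()):
        meta = META.match(line)
        if meta and path:
            comp = COMPONENT.search(path)
            entries.append({
                "path": path,
                "arch": comp["arch"] if comp else None,
                "version": comp["version"] if comp else None,
                "size": int(meta["size"]),
                "company": meta["company"],
                "md5": meta["md5"],
                "signed": meta["signed"] is not None,
            })
            path = None
        elif not meta and PATH.search(line):
            path = PATH.search(line).group(0)
    return entries


def needs_review(entries):
    """Entries with no signature note or no company name: leads to check, not a verdict."""
    return [e for e in entries if not e["signed"] or not e["company"]]
```

On the quoted output, needs_review returns the two 6.3.9600.16384 copies (wow64 and amd64), both far smaller than the signed 6.3.9600.17415 files.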


#9 Avalon60


Posted 31 March 2015 - 02:26 PM

Can anyone please help with this problem I have? If not , I won't continue asking.



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:05:05 PM

Posted 01 April 2015 - 10:15 AM

Hi Avalon,

May I see something? Can you go in the Registry, to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

From there, right-click on the Environment key and select Export. Save the file on your desktop, then attach it in your next reply. And please do the same for:

HKEY_CURRENT_USER\Environment

If you need more instructions on how to proceed, let me know.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 Avalon60


Posted 01 April 2015 - 11:58 AM

Hi Aura, thanks for coming back to me.

 

How do I attach the 2 files as I was told in another forum you cannot attach files, so here they are:

 

This is the HKU_Environment reg file

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"MOZ_PLUGIN_PATH"="C:\\Program Files\\Tracker Software\\PDF Viewer\\Win32\\"
"TEMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,\
  00,45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,\
  6f,00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00
"TMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,00,\
  45,00,25,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,00,5c,00,4c,00,6f,\
  00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,00,00
 

This is the HKM Environment

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00
"FP_NO_HOST_CHECK"="NO"
"NUMBER_OF_PROCESSORS"="1"
"OS"="Windows_NT"
"Path"="C:\\Program Files (x86)\\NVIDIA Corporation\\PhysX\\Common;C:\\ProgramData\\Oracle\\Java\\javapath;C:\\Program Files (x86)\\iis express\\PHP\\v5.4;C:\\Program Files (x86)\\Intel\\iCLS Client\\;C:\\Program Files\\Intel\\iCLS Client\\;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files (x86)\\ATI Technologies\\ATI.ACE\\Core-Static;C:\\Program Files\\Calibre2\\;C:\\Program Files\\Intel\\Intel® Management Engine Components\\DAL;C:\\Program Files\\Intel\\Intel® Management Engine Components\\IPT;C:\\Program Files (x86)\\Intel\\Intel® Management Engine Components\\DAL;C:\\Program Files (x86)\\Intel\\Intel® Management Engine Components\\IPT;C:\\Program Files\\MySQL\\MySQL Server 5.1\\bin;C:\\Program Files (x86)\\QuickTime\\QTSystem\\"
"PATHEXT"=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
"PROCESSOR_ARCHITECTURE"="AMD64"
"PROCESSOR_IDENTIFIER"="Intel64 Family 6 Model 60 Stepping 3, GenuineIntel"
"PROCESSOR_LEVEL"="6"
"PROCESSOR_REVISION"="3c03"
"PSModulePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,50,00,6f,00,77,00,65,00,72,00,53,\
  00,68,00,65,00,6c,00,6c,00,5c,00,76,00,31,00,2e,00,30,00,5c,00,4d,00,6f,00,\
  64,00,75,00,6c,00,65,00,73,00,5c,00,00,00
"TEMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,54,00,45,00,4d,00,50,00,00,00
"TMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,\
  25,00,5c,00,54,00,45,00,4d,00,50,00,00,00
"USERNAME"="SYSTEM"
"windir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,00,00
"VBOX_MSI_INSTALL_PATH"="C:\\Program Files\\Oracle\\VirtualBox\\"

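To read the hex(2) values in the export above without regedit, the following added example (not part of the original post) decodes them; hex(2) is REG_EXPAND_SZ stored as NUL-terminated UTF-16LE. The sample is constructed from three values in the post, the function names are hypothetical, and EXPECTED holds the stock Windows values for windir and ComSpec as an assumed baseline.

```python
import re

# Constructed sample: three values copied from the HKLM Environment export above.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
  00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00
"OS"="Windows_NT"
"windir"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,00,00
'''

# Assumed baseline: stock Windows values for these two system variables.
EXPECTED = {"windir": "%SystemRoot%", "ComSpec": r"%SystemRoot%\system32\cmd.exe"}


def parse_reg(text):
    """Return {name: (type, decoded string)} for REG_SZ and hex(2) values."""
    # A trailing backslash continues a hex value on the next line: join first.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    values = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue  # header, key name or blank line
        name, data = m.groups()
        if data.startswith("hex(2):"):
            # REG_EXPAND_SZ: comma-separated bytes of a UTF-16LE string.
            raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(","))
            values[name] = ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
        elif data.startswith('"'):
            # REG_SZ: quoted, with backslash escapes for \ and ".
            values[name] = ("REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1]))
    return values


def deviations(values, expected=EXPECTED):
    """Names whose decoded value is missing or differs (case-insensitive)."""
    return sorted(
        name for name, want in expected.items()
        if values.get(name, (None, ""))[1].lower() != want.lower()
    )
```

For the export in the post, deviations returns an empty list: windir decodes to %SystemRoot% and ComSpec to %SystemRoot%\system32\cmd.exe.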


#12 Aura


Posted 01 April 2015 - 12:02 PM

Right-click on the Windows logo and select System. From there, click on the Advanced System Settings on the left pane. Click on the Environment variables... button at the bottom. From there, under System variables, find the one called windir. Once selected, click on Modify.... In the box that will pop-up, erase the current Variable value and input this instead:

%SystemRoot%

Click on Ok, followed by Ok again and finally Apply. Try to launch cmd, regedit, msconfig, etc.

Edited by Aura., 01 April 2015 - 12:02 PM.



#13 Avalon60


Posted 01 April 2015 - 12:35 PM

%SystemRoot% was already there in the Windir value. I deleted it and re-entered it. I ok'd out of everything and then tried launching cmd.exe. No change at all, as I got the same error messages as before.



#14 Aura


Posted 01 April 2015 - 12:36 PM

When you right-click on the cmd.exe, msconfig.exe, regedit.exe, etc. icons that you try to launch and that give you an error message, then select Properties, where are these .exe located? In System32 or the WinSxS folder?



#15 Avalon60


Posted 01 April 2015 - 01:41 PM

From properties this is the location of cmd.exe:

 

C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_6.3.9600.16384_none_7bcb26c7ee538fe3

 

So it is in the WinSxS folder.





