Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Start Up Problem


  • Please log in to reply
14 replies to this topic

#1 raywat

raywat

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 09 November 2006 - 11:14 AM

Hi. I've started getting an error message everytime I reboot my XP-Pro SP2 system: "windows cannot find %systemroot%\system32\cmd.exe". It comes up twice and, unless I click on each message, the system will not complete it's boot. CMD.EXE is, in fact, in the system32 directory. Once the two error messages are ok'ed, she boots perfectly. Can anyone explain why this is happening? Thanks very much.

raywat

BC AdBot (Login to Remove)

 


#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:52 PM

Posted 09 November 2006 - 11:33 AM

Did you recently remove a virus infection from your system? This may be the result of the virus trying to execute itself through a command prompt (and since the virus isn't there anymore - it errors out on you).

This KB article describes a similar problem (but not the same thing) that may occur on some systems: http://support.microsoft.com/?kbid=170086
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#3 oldf@rt

oldf@rt

  • Members
  • 2,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Avondale, Arizona USA
  • Local time:04:52 PM

Posted 09 November 2006 - 11:46 AM

Have you tried posting a HJT log?

I agree with USAMA. I have seen several Virii/Spyware that try to run through the command interpreter, and generate this message, the only other thing that I can think of is that your path is not correct.

under system properties :advanced > Enviromental variables : should have "ComSpec C:\Windows\system32\cmd.exe
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#4 raywat

raywat
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 09 November 2006 - 12:47 PM

Thanks but I use NOD32 and it did not find/report any viruses. And the environmental path for COMSPEC is correct. Any other thoughts???

Ray

#5 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  •  
  • Location:Florida, USA
  • Local time:06:52 PM

Posted 09 November 2006 - 02:43 PM

Try booting to safe mode and use "Last Known Good Configuration".

Do you have a Windows XP installation cd? (not a manufacturer's restore disk)

If last known good config doesn't work you can try using the System File Checker utility- Sfc /scannow, but it will require that you insert the Windows XP installation disk to compare known good copies of the system files.

Start -> Run and type in
cmd

Then, in the black box that appears (DOS emulator), type

sfc /scannow

Make sure that you leave a space between the sfc and the /.

Windows will then check that all operating system files are in place and original.


I also recommend that you run the Windows One Care Free Scan

Go to Windows Live Onecare Free Scan
It will say "Get a free PC safety scan"
http://safety.live.com/site/en-us/default.htm

Make sure you click "Full Service Scan" in the middle of the page and
not the "Try It Now Free" on the right side.

Allow it to download an Active X component.
Choose "Complete Scan" in the window that opens
Click "Next"
Do not click on anything else that offers you a free trial or to sign up if you live in the US.

Allow it to scan - it may take quite, maybe two hours or so depending on how big your hard drive is and how fragmented your registry and drive are.

#6 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:52 PM

Posted 10 November 2006 - 04:16 PM

If it's the remnants of a virus repair, or it's a missing startup item - the approach is the same.

You'll have to find the item that's calling for the command interpreter (cmd.exe) and stop it from calling it.

While most obviously it can be something that directly invokes cmd.exe - it may be something else calling a program that requires cmd.exe to run.

So, I'd first suggest checking your startups with this free program: http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx

Then, if there's nothing obvious, then I'd suggest that you disable your startups and restart them one by one until the error occurs. An easier program to do this with is this free app (easier than the Autoruns program): http://www.mlin.net/StartupCPL.shtml
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#7 raywat

raywat
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 13 November 2006 - 01:24 PM

Progress but no solution yet: It turns out that two RunOnce registry items: IERESETATTRIB AND IERESETICONS make the exact call to cmd.exe reported above. When I delete them from the registry I do not get the error messages. Unfortunately the registry entries are regenerated (I assume by IE7 which I have in this system). As soon as they are regenerated, the error messages resume when I reboot. I have NOT tested IE7 after deleting those registry items but would not expect any problems. I did a complete registry search but could only find these items in the RunOnce listing - so I don't know what is creating them. I'd be grateful for your thoughts. Thanks.

Ray

#8 raywat

raywat
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 13 November 2006 - 01:40 PM

A bit more information. The two regenerated registry keys contain the following values: %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes, and %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe. A search of my system and the registry does not find either the ieudinit.exe file or iereseticons.exe. Unbelieveable...

Ray

#9 raywat

raywat
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 13 November 2006 - 01:55 PM

One last comment: correction. I did find those two files. iereset.exe icons is in the windows\ie7 folder. ieudinit.exe is in the system32 folder. Sorry for bad info...

#10 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  •  
  • Location:Florida, USA
  • Local time:06:52 PM

Posted 13 November 2006 - 07:02 PM

Did you run the Windows Onecare Scan?

#11 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:52 PM

Posted 14 November 2006 - 08:33 AM

ieudinit.exe may be associated with malware directed at IE7.
iereseticons.exe is a file that was updated in version 3 of the beta for IE7 - I believe that it has a function to reset the icons when IE7 is uninstalled.

I'd suggest the malware scan that Enthusiast recommends.
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#12 raywat

raywat
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 14 November 2006 - 12:58 PM

Have run the Windows Onecare, Spysweeper, Ewindo, and NOD32 scanners. Nothing is identified. I then renamed the iereseticons.exe and ieudinit.exe files, deleted the RunOnce entries and rebooted twice. Same error message. Is it possible that the system is simply not finding cmd.exe - even tho it's in the system32 folder?

#13 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:52 PM

Posted 15 November 2006 - 08:41 AM

I'm just shooting hot air here, but....

%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
and %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe


Is your %SystemRoot% = C:\Windows? IF not, what is it?
Did you delete the ieudinit.exe in the System32 sub-folder?
Did you delete the iereseticons.exe in the Windows folder?
Do the keys regenerate even if you don't start IE7?

Try RootKit Revealer (free here: http://www.microsoft.com/technet/sysintern...itRevealer.mspx )

The ieudinit.exe is probably OK also, since it's used by IE7 and your scans came up clean.

The RunOnce entries are generally generated by a program that wants to call a particular program on rebooting (my defragger does this). So, it could be some settings in IE7, corruption in IE7, or just some bad code.

Try resetting all the IE7 options to default. Or try uninstalling and then reinstalling it.
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#14 raywat

raywat
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 17 November 2006 - 01:01 PM

Well, as mysteriously as it came - it's now gone. I am not going to look the gift horse in the mouth so just let me thank you-all for all of your help and interest. I am very grateful.

Ray

#15 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:52 PM

Posted 17 November 2006 - 05:36 PM

That's good news! Thanks for letting us know!
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users