Run cmd flashes open, closes & exits 2

[suncity]

Run / cmd gives small black screen, flashes open about 1 second, then closes down.

I ran sfc /scannow, no change. Can't reinstall since XP/Pro on CPU is newer than on retail CD.

Only serious work on XP was start of network installation. Will soon need to ping clients: Run / cmd / ping.

 

[bcastner]

Malware.
See faq608-4650
Be sure to do at least two online Antivirus scans.

 

[linney]

Are you typing something in the Start Run Box, if so what?
Can you open the Command Prompt via Programs/ Accessories?

Do your other tools like RegEdit or Task Manager work?
Why does Task Manager, MSCONFIG, or REGEDIT disappear while opening?

http://windowsxp.mvps.org/ToolsQuit.htm

You don't say too much about any problem concerning repairing XP, but if you version of Windows is SP2 and your CD is SP1, you will have to match versions by uninstalling SP2 or Slipstreaming your current CD with the SP2 files to produce a new XP CD.

Slipstream Service Packs
thread779-900263

875350 - How to remove Windows XP Service Pack 2 from your computer

http://support.microsoft.com/default.aspx?scid=kb;en-us;875350&FR=1&PA=1&SD=HSCH

 

[bcastner]

I agree 100% with Linney that the first thing to do after resolving this Run issue is to slipstream SP2 into whatever CD you have.

But for a non-Domain member workstation, the open and close on the Run line is either an indadvertant Group Policy setting using gpedit, or more likely, malware.

 

[linney]

A chronic mis-typer like me is always getting vanishing Command Prompt screens just by typing incorrect commands into the Start Run box. These same incorrect commands when typed into the actual Command Prompt itself, display a message pointing out the errors of my way, this explanation is not available if you use the Start Run method.

 

[bcastner]

OK, add one more reason:

You type as badly as linney.

 

[suncity]

I am typing "cmd" or "regedit" in the dialog box. Black window flashes open, then closes immediately.
"msconfig" & "taskmgr" work.
Command prompt in Program/Accessories works.

I will slipsteam my XP/Pro CD after pursuing malware process.

Don't know what "an indadvertant Group Policy setting using gpedit" means. This will be "Plan B" if malware route fails.

At Accessories/CmdPrompt, "taskmgr" works, "regedit" does not.

bcastner, I'm sure both linny and I can handle C-M-D

THANKS to all for these useful and educational posts!!!!
===============================================

Logfile of HijackThis v1.99.1
Scan saved at 9:24:29 AM, on 6/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
D:\SmartBoard32\Smtbrd32.exe
C:\PROGRA~1\HEWLET~1\HPINST~1\common\MOTIVE~1.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.excite.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.excite.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP

Pro\wsbho2k0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SpeedOptimizer] "C:\PROGRA~1\SPEEDO~1\SPO.EXE" -s
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to Smtbrd32.lnk = D:\SmartBoard32\Smtbrd32.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma

Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) -

http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) -

https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -

http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -

http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -

http://www.dotphoto.com/XUpload.ocx

O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) -

https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc -

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation -

C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. -

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead

Systems\DVD\ULCDRSvr.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

 

[JockMullin]

Hi, suncity

What happens if you start/run/command.com? How about cmd.exe? Or if you specify the full path to cmd.exe?

I agree it sounds like malware. Also maybe there is more than one cmd.* around, such as cmd.com or cmd.bat or cmd.cmd getting executed first, whereas the shortcut in accessories is pointing to the correct cmd.exe.

Jock

 

[bcastner]

Your Hijack This log is clean, but it is more revealing for non-virus malware.

I like JockMullin's notion that it could be a path issue, particularly if a bad guy is found first in the path.

Have you done a search on cmd.*

 

[suncity]

You guys are right on!

I tried using extensions: Run / command.com, and Run / cmd.exe and both work !

Searched system. cmd (no extension) must be finding a bad cmd among these. I suspect the last one dated 2002.
Search for "cmd.*" gave:

White box icon - C:\WINDOWS\System32 - 1 KB - MS-DOS appl - 5/15/05
Blk box w/"C:\" - C:\W\System32 - 380 KB - Appl - 8/4/04
Blk box w/"C:\" - C:\W\System32\dllcache - 380 KB - Appl - 8/4/04
Blk box w/"C:\" - C:\W\ServicePackFiles\i386 - 380 KB - 8/4/04
Blk box w/"C:\" - C:\W\$NTServicePackUninstall$ - 367 KB - 8/29/02

Not sure which one to delete (aka, rename), maybe the first one that is only 1 KB. But I don't know the XP path sequence saying where it looks first.

Will the real cmd please stand up! Any idea which is most likely the real one before I start guessing and really screw up and get locked out of my machine?

Bonus: now I've got a reeeeeeeeally clean machine !

Many thanks again !!!!!

 

[bcastner]

Delete this one:
White box icon - C:\WINDOWS\System32 - 1 KB - MS-DOS appl - 5/15/05

 

[suncity]

Thought so!
Have an e-beer on me.

 

[ReTeMa]

suncity,

copy-paste your complete Logfile of HijackThis here

http://www.hijackthis.de/index.php#anl

and push ''analyze'' button.

some moments latter you'll get the result.

 

[suncity]

Thanks! That's how I got so squeeky clean.
It's a great diagnostic tool !!!