Solved

cmd prompt appears instead of booting windows after using Hitmanpro to remove a trojan

May 12, 2013 3:00:27 PM

Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome
May 12, 2013 3:13:54 PM

rdm100 said:
Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome

Try this automated fix from Microsoft. If this does not work then you may have to do a system restore or Windows reinstall. Here's a link.
http://fixitcenter.support.microsoft.com/Portal/WhyFixI...
May 12, 2013 3:15:39 PM

Hi

can you get Safe Mode to start up normally?
do you normally have to login to Windows?
if you normally login does the command prompt happen before or after logging in?

Trying to find out how broken your system is

If you can get into Safe Mode create a new account and try logging into that account
(sometimes only one account is damaged)

There should be no programs running in Documents (c:\users\User name\My Documents ?)

best of luck

Mike Barnes

May 12, 2013 3:41:06 PM

mbarnes86 said:
Hi

can you get Safe Mode to start up normally?
do you normally have to login to Windows?
if you normally login does the command prompt happen before or after logging in?

Trying to find out how broken your system is

If you can get into Safe Mode create a new account and try logging into that account
(sometimes only one account is damaged)

There should be no programs running in Documents (c:\users\User name\My Documents ?)

best of luck

Mike Barnes



Hi Mike,

Even in safe mode it still boots the cmd window.
I don't have to login and it does it just after it says welcome and I have only one account on the machine.

Like I said it still loads to my desktop once I type explorer into the cmd window so I can get on. I've done scans with the HitmanPro software and Malwarebytes and come back with nothing so I'm at a bit of a loss. I can't do a system restore as I haven't created any points I can restore to.

Thanks for replying,
Rich
May 12, 2013 3:42:17 PM

Truckinupga said:
rdm100 said:
Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome

Try this automated fix from Microsoft. If this does not work then you may have to do a system restore or Windows reinstall. Here's a link.
http://fixitcenter.support.microsoft.com/Portal/WhyFixI...


Thanks for the reply but unfortunately that fixit thing says the beta version has been closed for applications to download it.
May 12, 2013 4:05:21 PM

I think you're discovering that removing the virus infection is only part of the problem, and the easy part at that. The hard part is fixing the damage to Windows that many viruses leave behind them. A clean install would solve your problems, but would also introduce new ones (you might not have a Windows install disk handy, all your data would have to be backed up first, and all your applications would have to be re-installed after the clean install of Windows).

Best solution

May 14, 2013 2:04:04 PM

Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.
May 16, 2013 10:37:45 AM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Thanks for the reply! The cmd.exe was in the HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon location as you suggested. However, shouldn't I change it to explorer.exe instead of deleting it?

I found the autorun file in the:
HKEY_CURRENT_USER\Software\Microsoft\Command Processor location but it contained the file extension of C:\Users\User\Documents\69323f56.exe which is the file that was deleted by hitman and is what I'm guessing was the virus that locked my computer out.

So basically should I still delete both or change the cmd.exe to explorer.exe and delete the autorun?

Thanks,
Rich

May 16, 2013 10:03:22 PM

Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.
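
The checks from the answer above, as an added PowerShell example that is not part of the original posts: it reads the `Shell` value under Winlogon and the `AutoRun` value under Command Processor in both HKCU and HKLM, flags anything that differs from a default installation, and with `-Remediate` backs up and removes only the per-user values. It assumes the registry spelling `Windows NT` (with a space) for the Winlogon key and that the machine-wide shell should be `explorer.exe`.

```powershell
# Added example: audit the logon-shell and cmd.exe AutoRun hooks discussed in this thread.
# Read-only unless -Remediate is passed. Run it as the affected user.
param([switch]$Remediate)

$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cmdproc  = 'Software\Microsoft\Command Processor'

# Hive, key, value name, and the data expected on a default installation
# ($null means the value should be absent or empty).
$checks = @(
    @{ Hive = 'HKCU'; Key = $winlogon; Name = 'Shell';   Expected = $null }
    @{ Hive = 'HKLM'; Key = $winlogon; Name = 'Shell';   Expected = 'explorer.exe' }
    @{ Hive = 'HKCU'; Key = $cmdproc;  Name = 'AutoRun'; Expected = $null }
    @{ Hive = 'HKLM'; Key = $cmdproc;  Name = 'AutoRun'; Expected = $null }
)

$findings = foreach ($c in $checks) {
    $path  = '{0}:\{1}' -f $c.Hive, $c.Key
    $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = if ($null -eq $c.Expected) { [string]::IsNullOrEmpty($value) }
          else { $value -eq $c.Expected }   # -eq is case-insensitive for strings
    [pscustomobject]@{
        Path = $path; Name = $c.Name; Value = $value
        Suspicious = (-not $ok); Hive = $c.Hive; Key = $c.Key
    }
}
$findings | Format-Table Path, Name, Value, Suspicious -AutoSize

if ($Remediate) {
    # Only per-user values are removed, so Windows falls back to the HKLM shell.
    # HKLM findings are reported above and left for manual review.
    foreach ($f in $findings | Where-Object { $_.Suspicious -and $_.Hive -eq 'HKCU' }) {
        # Export the whole key to a .reg file before changing anything.
        $backup = Join-Path $env:TEMP ('{0}-{1}.reg' -f $f.Name, (Get-Date -Format yyyyMMddHHmmss))
        reg.exe export ('{0}\{1}' -f $f.Hive, $f.Key) $backup /y | Out-Null
        Remove-ItemProperty -Path $f.Path -Name $f.Name
        Write-Host "Removed $($f.Name) from $($f.Path); backup saved to $backup"
    }
}
```

A flagged `AutoRun` or `Shell` value that points at a file the scanner already deleted is a leftover launch point rather than a live infection, which is why the prompt appears with a "not recognised" error.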
May 17, 2013 2:03:16 AM

slosiris said:
Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.


That's great it has worked a treat. Thanks a lot for your help!
June 26, 2013 7:45:32 AM

slosiris said:
Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.


I have just read your reply to the last chap, and I have to confirm that doing exactly what you said has cured my Vista system after having the pceu virus.
You are a star, thank you.

June 30, 2013 11:20:47 AM

"slosiris May 14, 2013 2:04:04 PM
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well."

I got infected by the ICE malware that rendered my PC inoperable. Cleaned it by booting with Kaspersky 10 app (image). Fixed it but got the same cmd window, and only typing explorer would bring me into Windows 7.

In my case, I just removed the cmd.exe value in HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon (left it blank vs. deleting the entire line). Worked for me.

Thanks to all for this thread!!!
August 14, 2013 12:25:41 PM

OK, here is what I did as a professional 16 year old boy! Took the HDD out, connected it to another computer, deleting the Trojan [since safe mode wasn't working] it has on it [with Malwarebytes]. After connecting it back it gave me a similar error. I ran explorer.exe through Task Manager so I was able to go to the computer's user management and create another user with all the rights! Logged off from the current one and logged in to my new user, I transferred all the files I wanted from the other user and deleted it after that! Problem solved!

Mario Mele
August 16, 2013 10:54:19 AM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


I would like to say that this method worked successfully for me. I've been sitting here for almost an hour scratching my head looking for a fix. Thanks a million!!!!!!!

August 18, 2013 3:06:05 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Hi friend,
I have the same problem as the original poster. I deleted the cmd.exe shell key like you suggested and it did get rid of the "cmd.exe" box popup but now I have some other problems: the bottom of the screen looks different all across, but the main thing is I can't get internet and the "network" icon isn't showing up in my tray. Any suggestions on how to add that shell key back would be appreciated. I'm somewhat of a novice.
Thanks
September 23, 2013 9:27:20 AM

Also look in the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon if this does not fix it. That is where I found another cmd.exe
September 29, 2013 7:06:25 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Just ran into this post and found your information very helpful! I also had the same problem and fixed it following your suggestions. Thanks!!!
October 6, 2013 3:13:11 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Amazing!!
You just made my day. I wondered how you figured it out. I spent a good 10 hours on it before I saw your solution.
Many thanks again...
October 7, 2013 5:47:39 PM

Deleting the shell key cmd.exe worked for me too after getting the ICE virus. Thanks!
November 27, 2013 8:09:20 AM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.



Wonderful! The first part of this is all over the net, but I knew there had to be a profile-specific key corrupted by the virus (HKEY_CURRENT_USER\Software\Microsoft\Command Processor) because this is only affecting one profile for me.

Brilliant, you just saved me hours of work.

My question now is why are there no easily found tools that verify the integrity of this sort of thing (thing meaning Windows registry)?

thank you so much!
December 23, 2013 4:33:18 AM

I ran regedit and followed this: MACHINE\SYSTEM\current controlset control\class
and removed the upperfilters data value... and my Windows is ungenuine and finding problems in opening Windows.
January 11, 2014 8:38:58 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


This worked for me as well. Thanks a bunch!!!