cmd prompt appears instead of booting windows after using Hitmanpro to remove a trojan

rdm100

Honorable
May 12, 2013
Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome
 

Truckinupga

Distinguished
Feb 19, 2012

Try this automated fix from Microsoft. If this does not work, then you may have to do a system restore or Windows reinstall. Here's a link.
http://fixitcenter.support.microsoft.com/Portal/WhyFixIt
 
Hi

can you get Safe Mode to start up normally?
do you normally have to login to Windows?
if you normally login does the command prompt happen before or after logging in?

Trying to find out how broken your system is

If you can get into Safe Mode create a new account and try logging into that account
(sometimes only one account is damaged)

There should be no programs running in Documents (c:\users\User name\My Documents ?)

best of luck

Mike Barnes

 

rdm100

Honorable
May 12, 2013


Hi Mike,

Even in safe mode it still boots the cmd window.
I don't have to login and it does it just after it says welcome and I have only one account on the machine.

Like I said, it still loads to my desktop once I type explorer into the cmd window so I can get on. I've done scans with the HitmanPro software and Malwarebytes and they come back with nothing, so I'm at a bit of a loss. I can't do a system restore as I haven't created any points I can restore to.

Thanks for replying,
Rich
 

rdm100

Honorable
May 12, 2013


Thanks for the reply but unfortunately that fixit thing says the beta version has been closed for applications to download it.
 

mbreslin1954

Distinguished
I think you're discovering that removing the virus infection is only part of the problem, and the easy part at that. The hard part is fixing the damage to Windows that many viruses leave behind them. A clean install would solve your problems, but would also introduce new ones (you might not have a Windows install disk handy, all your data would have to be backed up first, and all your applications would have to be re-installed after the clean install of Windows).
 

slosiris

Honorable
May 14, 2013
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.
 
Solution
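The two registry locations slosiris names, plus the HKLM fallback mentioned later in the thread, can be audited in one pass. This PowerShell script is an added example, not code from the thread; it uses the real key paths (note the space in "Windows NT"), and the `-Fix` switch and its behaviour are my own design. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit the Winlogon Shell and Command
# Processor AutoRun values in both HKCU and HKLM and report anything that is
# not the expected default. -Fix removes a hijacked per-user value only, so
# Winlogon falls back to the machine-wide Shell value in HKLM.
param([switch]$Fix)

# Expected defaults: HKCU\...\Winlogon normally has no Shell value at all,
# HKLM Shell should be explorer.exe, and AutoRun should not exist in either hive.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Expected = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Expected = 'explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor';                   Name = 'AutoRun'; Expected = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Command Processor';                   Name = 'AutoRun'; Expected = $null }
)

foreach ($c in $checks) {
    # Missing key or missing value both come back as $null here.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }

    if ($actual -eq $c.Expected) {
        Write-Host "OK       $($c.Path)\$($c.Name) = $actual"
        continue
    }

    # Anything else (cmd.exe, a path under the user's Documents folder, or an
    # empty string left behind by a half-done cleanup) is worth a look.
    Write-Warning "SUSPECT  $($c.Path)\$($c.Name) = '$actual' (expected '$($c.Expected)')"

    # Only the per-user override is removed automatically, as in the thread's
    # fix. A changed HKLM value is reported so it can be corrected by hand
    # after confirming the referenced program is not a legitimate shell.
    if ($Fix -and $c.Path -like 'HKCU:*') {
        Remove-ItemProperty -Path $c.Path -Name $c.Name
        Write-Host "REMOVED  $($c.Path)\$($c.Name)"
    }
}
```

Run it without `-Fix` first to see what is set; a value under HKLM that points at cmd.exe (as in jackie_1's later post) is reported but must be set back to explorer.exe manually.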

rdm100

Honorable
May 12, 2013


Thanks for the reply! The cmd.exe was in the HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon location as you suggested. However, shouldn't I change it to explorer.exe instead of deleting it?

I found the autorun file in the:
HKEY_CURRENT_USER\Software\Microsoft\Command Processor location but it contained the file extension of C:\Users\User\Documents\69323f56.exe which is the file that was deleted by hitman and is what I'm guessing was the virus that locked my computer out.

So basically should I still delete both or change the cmd.exe to explorer.exe and delete the autorun?

Thanks,
Rich

 

slosiris

Honorable
May 14, 2013
Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.
 

rdm100

Honorable
May 12, 2013


That's great it has worked a treat. Thanks a lot for your help!
 

warren3360

Honorable
Jun 26, 2013


I have just read your reply to the last chap, and I have to confirm that doing exactly what you said has cured my Vista system after having the pceu virus.
You are a star, thank you.

 

bmgf300z

Honorable
Jun 30, 2013
"slosiris May 14, 2013 2:04:04 PM
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well."

I got infected by the ICE malware that rendered my PC inoperable. Cleaned it by booting with the Kaspersky 10 app (image). Fixed it, but got the same cmd window and only typing explorer would bring me into Windows 7.

In my case, I just removed the cmd.exe value in HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon (left it blank vs. deleting the entire line). Worked for me.

Thanks to all for this thread!!!
 

Mario Mele

Honorable
Aug 14, 2013
OK, here is what I did as a professional 16-year-old boy! Took the HDD out, connected it to another computer and deleted the Trojan it had on it [since safe mode wasn't working] [with Malwarebytes]. After connecting it back it gave me a similar error; I ran explorer.exe through Task Manager so I was able to go to the computer's user management and create another user with all the rights! Logged off from the current one and logged in to my new user, transferred all the files I wanted from the other user and deleted it after that! Problem solved!

Mario Mele
 

wba-champ

Honorable
Aug 16, 2013


I would like to say that this method worked successfully for me. I've been sitting here for almost an hour scratching my head looking for a fix. Thanks a million!!!!!!!

 

gelvis32

Honorable
Aug 18, 2013


Hi friend,
I have the same problem as the original poster. I deleted the cmd.exe shell key like you suggested and it did get rid of the "cmd.exe" box popup, but now I have some other problems: the bottom of the screen looks different all across, but the main thing is I can't get internet and the "network" icon isn't showing up in my tray icons. Any suggestions on how to add that shell key back would be appreciated. I'm somewhat of a novice.
Thanks
 

djzorro

Honorable
Sep 29, 2013


Just ran into this posts and found your information very helpful! I also had the same problem and fixed it following your suggestions. Thanks!!!
 

Ahora

Honorable
Oct 6, 2013


Amazing!!
You just made my day. I wondered how you figured it out. I spent a good 10 hours on it before I saw your solution
Many thanks again...
 

pmac1111

Honorable
Nov 27, 2013



Wonderful! The first part of this is all over the net, but I knew there had to be a profile-specific key corrupted by the virus (HKEY_CURRENT_USER\Software\Microsoft\Command Processor) because this is only affecting one profile for me.

Brilliant, you just saved me hours of work.

My question now is why are there no easily found tools that verify the integrity of this sort of thing (thing meaning the Windows registry).

thank you so much!
 

sangeetaaish

Honorable
Dec 23, 2013
I ran regedit and followed this: MACHINE\SYSTEM\CurrentControlSet\Control\Class
and removed the UpperFilters data value... and now my Windows is ungenuine and I'm finding problems in opening Windows.
 

Davidwesty

Honorable
Jan 11, 2014


This worked for me as well Thanks a bunch!!
 

jackie_1

Reputable
Apr 30, 2014
Will this work for Windows 7? I have the same issue.

HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell SHOULD have a value of "explorer.exe"

BUT has "cmd.exe /k start cmd.exe"

I edit this bad value back to "explorer.exe", attempt a re-boot, and the bad value for Shell is still there.
 
Your change didn't stick, so try editing the Permissions for that key to give you full control before making the change again. Some Trojans have learnt how to fight back. If all else fails, try ComboFix instead. Read up on it first and let it run its course, however long it takes to produce its report and come to an end.
 

jackie_1

Reputable
Apr 30, 2014
I've run ComboFix before with success on other machines. The issue is though, with the error, I cannot boot the machine. It gives a black screen after the Windows logo pops up. I'd need to run ComboFix from a USB drive, and don't know if that's smart?

Also, how would I change these permissions in this state? Please advise. Safe mode has the same issue with the black screen, and the system isn't usable right now except for DOS from the repair tool. Thanks