Solved

cmd prompt appears instead of booting windows after using Hitmanpro to remove a trojan

May 12, 2013 3:00:27 PM

Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome
May 12, 2013 3:13:54 PM

rdm100 said:
Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome

Try this automated fix from Microsoft. If this does not work then you may have to do a system restore or Windows reinstall. Here's a link.
http://fixitcenter.support.microsoft.com/Portal/WhyFixI...
May 12, 2013 3:15:39 PM

Hi

can you get Safe Mode to start up normally?
do you normally have to login to Windows?
if you normally login does the command prompt happen before or after logging in?

Trying to find out how broken your system is

If you can get into Safe Mode create a new account and try logging into that account
(sometimes only one account is damaged)

There should be no programs running in Documents (c:\users\User name\My Documents ?)

best of luck

Mike Barnes

May 12, 2013 3:41:06 PM

mbarnes86 said:
Hi

can you get Safe Mode to start up normally?
do you normally have to login to Windows?
if you normally login does the command prompt happen before or after logging in?

Trying to find out how broken your system is

If you can get into Safe Mode create a new account and try logging into that account
(sometimes only one account is damaged)

There should be no programs running in Documents (c:\users\User name\My Documents ?)

best of luck

Mike Barnes



Hi Mike,

Even in safe mode it still boots the cmd window.
I don't have to login and it does it just after it says welcome and I have only one account on the machine.

Like I said it still loads to my desktop once I type explorer into the cmd window so I can get on. I've done scans with the HitmanPro software and Malwarebytes and come back with nothing so I'm at a bit of a loss. I can't do a system restore as I haven't created any points I can restore to.

Thanks for replying,
Rich
May 12, 2013 3:42:17 PM

Truckinupga said:
rdm100 said:
Hitmanpro removed the ukash police virus so I could access my computer again but now when I boot up the command prompt appears instead of just loading windows. If I just type explorer then windows does load.

When the cmd window appears it reads:
"C:\Users\User\Documents\69323f56.exe" is not recognised as an internal or external command, operable program or batch file.

This file was removed by Hitmanpro as a "Remnant"

Was this part of the trojan or have I deleted something that I really shouldn't have?

Any help is welcome

Try this automated fix from Microsoft. If this does not work then you may have to do a system restore or Windows reinstall. Here's a link.
http://fixitcenter.support.microsoft.com/Portal/WhyFixI...


Thanks for the reply but unfortunately that fixit thing says the beta version has been closed for applications to download it.
May 12, 2013 4:05:21 PM

I think you're discovering that removing the virus infection is only part of the problem, and the easy part at that. The hard part is fixing the damage to Windows that many viruses leave behind them. A clean install would solve your problems, but would also introduce new ones (you might not have a Windows install disk handy, all your data would have to be backed up first, and all your applications would have to be re-installed after the clean install of Windows).

Best solution

May 14, 2013 2:04:04 PM

Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.
May 16, 2013 10:37:45 AM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Thanks for the reply! The cmd.exe was in the HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon location as you suggested. However, shouldn't I change it to explorer.exe instead of deleting it?

I found the autorun file in the:
HKEY_CURRENT_USER\Software\Microsoft\Command Processor location but it contained the file extension of C:\Users\User\Documents\69323f56.exe which is the file that was deleted by hitman and is what I'm guessing was the virus that locked my computer out.

So basically should I still delete both or change the cmd.exe to explorer.exe and delete the autorun?

Thanks,
Rich

May 16, 2013 10:03:22 PM

Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.
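The checks described in this thread, written as a read-only PowerShell audit (an added example, not part of any post above). Note that the registry spells the key `Windows NT`, with a space; the function names are hypothetical and `explorer.exe` is taken as the expected machine-wide `Shell`.

```powershell
# Added example (read-only): audits the per-user and machine-wide values named in this thread.
# The real key name is "Windows NT" (with a space). HKCU is the hive of whoever runs the script.
$Checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expected = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expected = 'explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Command Processor'; Name = 'AutoRun'; Expected = $null },
    @{ Path = 'HKLM:\Software\Microsoft\Command Processor'; Name = 'AutoRun'; Expected = $null }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name)   # $null when the value does not exist
}

function Get-FirstToken {
    # Extracts the program a command line would start: "quoted path" or the first word.
    param([string]$CommandLine)
    $text = $CommandLine.Trim()
    if ($text -match '^"([^"]+)"') { return $Matches[1] }
    return ($text -split '\s+')[0]
}

function Test-LogonShellValues {
    foreach ($c in $Checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        $note = ''
        if ($null -eq $actual) {
            # Absent is correct for the three optional values, wrong for the HKLM Shell.
            $status = if ($null -eq $c.Expected) { 'OK (not set)' } else { 'REVIEW (missing)' }
        } elseif ($null -ne $c.Expected -and "$actual".Trim() -ieq $c.Expected) {
            $status = 'OK'
        } else {
            $status = 'REVIEW'
            $target = Get-FirstToken -CommandLine "$actual"
            # A bare name such as cmd.exe resolves through PATH; a full path can be tested directly.
            if ($target -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $target)) {
                $note = 'target file no longer exists'
            }
        }
        New-Object PSObject -Property @{
            Key = $c.Path; Value = $c.Name; Data = $actual; Status = $status; Note = $note
        } | Select-Object Key, Value, Data, Status, Note
    }
}

Test-LogonShellValues | Format-List
```

Run it as the affected user, since HKCU is per-profile; any REVIEW row is a value to inspect in regedit before changing anything.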
May 17, 2013 2:03:16 AM

slosiris said:
Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.


That's great it has worked a treat. Thanks a lot for your help!
June 26, 2013 7:45:32 AM

slosiris said:
Yes, delete both. If that shell key does not exist it will default to the one in HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon which should be correct still.


I have just read your reply to the last chap, and I have to confirm that doing exactly what you said has cured my Vista system after having the pceu virus.
You are a star, thank you.

June 30, 2013 11:20:47 AM

"slosiris May 14, 2013 2:04:04 PM
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well."

I got infected by the ICE malware that rendered my PC inoperable. Cleaned it by booting with Kaspersky 10 app (image). Fixed it but got same cmd window and only typing explorer would bring me into Windows 7.

In my case, I just removed cmd.exe value in HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon (left it blank vs. deleting the entire line). Worked for me.

Thanks to all for this thread!!!
August 14, 2013 12:25:41 PM

OK here is what I did as a professional 16 year old boy! Took the HDD out, connected it to another computer and deleted the Trojan it had on it (since safe mode wasn't working) with Malwarebytes. After connecting it back it gave me a similar error. I ran explorer.exe through Task Manager so I was able to go to the computer's user management and create another user with all the rights! Logged off from the current one and logged in to my new user, transferred all the files I wanted from the other user and deleted it after that! Problem solved!

Mario Mele
August 16, 2013 10:54:19 AM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


I would like to say that this method worked successfully for me. I've been sitting here for almost an hour scratching my head looking for a fix. Thanks a million!!!!!!!

August 18, 2013 3:06:05 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Hi friend,
I have the same problem as the original poster. I deleted the cmd.exe shell key like you suggested and it did get rid of the "cmd.exe" box popup but now I have some other problems: the bottom of the screen looks different all across, but the main thing is I can't get internet and the "network" icon isn't showing up in my tray. Any suggestions on how to add that shell key back would be appreciated. I'm somewhat of a novice.
Thanks
September 23, 2013 9:27:20 AM

Also look in the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon if this does not fix it. That is where I found another cmd.exe
September 29, 2013 7:06:25 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Just ran into this post and found your information very helpful! I also had the same problem and fixed it following your suggestions. Thanks!!!
October 6, 2013 3:13:11 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


Amazing!!
You just made my day. I wondered how you figured it out. I spent a good 10 hours on it before I saw your solution
Many thanks again...
October 7, 2013 5:47:39 PM

Deleting the shell key cmd.exe worked for me too after getting the ICE virus. Thanks!
November 27, 2013 8:09:20 AM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.



Wonderful! The first part of this is all over the net, but I knew there had to be a profile-specific key corrupted by the virus (HKEY_CURRENT_USER\Software\Microsoft\Command Processor) because this is only affecting one profile for me.

brilliant, you just saved me hours of work.

my question now is why are there no easily found tools that verify the integrity of this sort of thing (thing meaning windows registry).

thank you so much!
December 23, 2013 4:33:18 AM

I ran regedit and followed this: MACHINE\SYSTEM\current controlset control\class
and removed the upperfilters data value... and my Windows is ungenuine and finding problems in opening Windows.
January 11, 2014 8:38:58 PM

slosiris said:
Just fought this myself. Run regedit and go to HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon and look for a shell key with a value of cmd.exe and delete it.

May also need HKEY_CURRENT_USER\Software\Microsoft\Command Processor and look for an autorun key with that exe and delete it as well.


This worked for me as well. Thanks a bunch!!
April 29, 2014 11:22:34 PM

Will this work for windows 7? I have same issue,

HKEY_local machine/software/microsoft/WindowsNT/Currentversion/winlogon/shell SHOULD have a value of "explorer.exe"

BUT has "cmd.exe /k start cmd.exe"

I edit this bad value back to "explorer.exe", attempt a re-boot, and the bad value for Shell is still there.
April 29, 2014 11:28:09 PM

Your change didn't stick so try editing the Permissions for that key to give you full control before making the change again. Some Trojans have learnt how to fight back. If all else fails, try ComboFix instead. Read up on it first and let it run its course however long it takes to produce its report and come to an end.
April 29, 2014 11:39:17 PM

I've run combo fix before with success on other machines. The issue is though, with the error, I cannot boot the machine, It gives black screen after windows logo pops up. I'd need to run combo fix from a usb drive, and don't know if that's smart?

Also, how would I change these permissions in this state? Please advise. Safe mode same issue with black screen, and system isn't usable right now except for dos from repair tool. Thanks
April 30, 2014 12:45:50 AM

I'd stake a small amount of money on Safe Mode with Command Prompt working properly. Give that a try then at the prompt, type regedit and press Enter.

From the File menu, select Export and note the name and location of the backup you're about to make in case anything goes wrong.

Then, from the Edit menu choose Find and type in the name of that file in your first post. It will probably show up in CURRENT_USERS or LOCAL_MACHINE then Software/Microsoft/Windows/Current Version/Run or RunOnce but there may be Start Menu entries as well which call it up at boot time and stop anything else loading because that file no longer exists. Delete any entries you find.

Close the registry from the File>Exit menu and back in Command Prompt, type:-
net user /add fred coffee
then press Enter. You now have a new account in to which to log if yours fails. The name is fred and the password is coffee. You can delete it later if you can access your own account.

Type exit to leave the Command form and restart the computer. Did you get back in or did fred gain access?
April 30, 2014 7:39:31 AM

Ok, I searched for cmd.exe /k start cmd.exe and it only found that same entry, in one spot. Delete the value again.

I added the fred command and it says, The user or group specified cannot be found. The user was successfully created but could not be added to the users local group. Type in NET HELPMSG 3774 for help.

Rebooted, and same issue.
April 30, 2014 11:27:29 AM

Did the fred account not show up on the login screen beside your own? That message often shows up but the account is there regardless. Have you tried Safe Mode again? If that fails, try again but this time go for with Command Prompt. At the prompt, type explorer.exe and things should light up as usual.