I no longer have something called "cmd"

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 04:24 PM
Original message
I no longer have something called "cmd"
I'm a Comcast subscriber, so I get free (yeah, right) McAfee Security Suite. I have Windows XP, Professional, and I use Firefox.

I am only slightly computer literate, so please be kind.

The other day, the McAfee Update Window popped up and it said "You need to reinstall McAfee Security Suite."

To make a long story short, I went through a few Comcast and then McAfee technicians - very nice folks - but what was eventually revealed is that I have no "cmd" thing, whatever it is.

The McAfee technician told me to go to "Start," then "Run," type in "cmd," and nothing happened.

Can anyone help me fix this? I'm no longer able to download updates. This is troubling.

I've never posted here before, so I thank you in advance for whatever help anyone might be able to give me, and please excuse the fact that I'm driving with a Learner's Permit..................

canetoad Donating Member (1000+ posts) Sat May-09-09 04:36 PM
Response to Original message
1. In the 'Run' box
click on the Browse button and navigate to:

C:\WINDOWS\system32\cmd.exe

(Then check back in if you want to know what to do with it.... :evilgrin: :evilgrin: :evilgrin:

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:06 PM
Response to Reply #1
2. What the .............?
You're helpful and evil - a delicious combination.

I did what you said, and there was no "cmd.exe" there. Nothing. I seem to have lost it.

But a window has opened, a black thing, "Windows\system32\command.com" and I can't close it.

Now what?

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 05:13 PM
Response to Reply #2
4. That's close to the same thing ...

It's not *the* same thing, but close.

You can quit it by typing "exit" (without the quotes) and then hitting ENTER at the prompt.

I have no idea what the techs were going to have you do.




Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:15 PM
Response to Reply #4
6. Thank you - it closed.
I don't either, but they were very nice, for what that's worth.

I appreciate your help.

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 05:11 PM
Response to Original message
3. Nothing at all happened?

If it's not there, you should have seen a notification pop-up appear with an error something like, "Windows cannot find 'cmd' ..."

What this does, FWIW, is open a command line window/DOS shell. The techs were going to have you do some stuff there.

If cmd is missing, that's a problem, so we need to figure out if it is in fact missing. If canetoad's advice doesn't lead to it, there's a bigger issue here than just your virus program.

That said, I am obligated to say there are other virus protection suites out there that are both free and more effective than the McAfee you're getting from Comcast. If you're interested in changing, you could find guidance here.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:14 PM
Response to Reply #3
5. Thank you ........
I decided to give up on McAfee last night, and someone from DU recommended AVAST, but I couldn't download it, so that's when I got concerned.

It's missing. No error window pops up.

I'm screwed, ain't I?

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 05:25 PM
Response to Reply #5
7. Ummm ... possibly ...

What do you mean you couldn't download Avast? What happened?

A missing cmd.exe can be a sign of a virus infection, potentially a really irritating one since the author went to the trouble to remove or otherwise block usage. If you were somehow blocked from downloading Avast, that could be another sign of a virus infection, one in particular.

The fact you're not getting the "missing" error message is bizarre to me, but I may be missing something obvious.

So, anyway ... what was going on when you tried to download Avast?

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:28 PM
Response to Reply #7
8. The download started,
and then, when it should have finished, the AVAST window just said "The download could not be completed," and when I clicked on to see what it said, it was a lot of lines of stuff that made no sense to me.

A virus? Man, so much for Comcast/McAfee protection, huh?

canetoad Donating Member (1000+ posts) Sat May-09-09 05:32 PM
Response to Reply #7
9. This may be tin-foil hat territory
But my computer illiterate cousin had the full Norton catastrophe on her computer. Before removing it, I tried to download Avast but for some reason could not connect to the download page. My feverish brain considered that Norton may have blocked access to the Avast site in some way. Is it possible that McAfee does the same?

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:34 PM
Response to Reply #9
11. Never happened before,
and what really is odd is that I cannot access the McAfee page, nor any of the McAfee links.

So Comcast had me open a second email account to use to access McAfee, but that didn't work, either.

The cmd thing is apparently vital.

I am SO lost here. But I know that I hate Norton and I really hate McAfee now..........

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 10:00 PM
Response to Reply #9
38. Sure, it's possible ...

But that would be a definite no-no for any company wanting to avoid problems with the SEC. Of course, we've had the Bush administration here for the last century (seems like anyway) with an SEC that has wielded the power of an infant carrying a nerf baseball bat, but still ...

A small company could get away with it, but I dunno about one the size of Symantec or McAfee. Microsoft has tried stuff similar to this and has gotten hammered because of it.

Basically I just think it's something people would notice and scream about so loudly that they'd be compelled to stop. Not even corporate IT departments would put up with that kind of thing for long, and corporate IT departments are very important to their business.




Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:32 PM
Response to Reply #7
10. I had this computer built for me by the guys
at the local CompUSA (a few years ago, indeed), and I just found the Windows XP CD, so do you think I have to re-install Windows? Or is there a "repair" option?

I'm very grateful for your help, I hope you know that......

canetoad Donating Member (1000+ posts) Sat May-09-09 05:35 PM
Response to Reply #10
12. The XP repair option
looks a lot like the command.com window on steroids. Your choice.

However, if you have run the computer for a few years without a re-load of the operating system, maybe it is time to do so. Files can become corrupt over time; it's knowing when to draw the line as to whether you keep trying fixes or just start afresh.

Can be considered a learning curve too.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:39 PM
Response to Reply #12
13. I'm up for learning anything new........
This computer- knock on wood - has been wonderful, so if that's what's needed, yeah, it's a good idea.

What do I do? Just pop in the CD and find "repair"?

I'm scared.

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 05:41 PM
Response to Reply #10
14. Well ...

Besides what canetoad already said, I guess you know that reinstalling Windows will mean *everything* will be deleted. If you don't have important files backed up somewhere, they're gone.

I don't know that this is a virus problem, but it's suspicious. One of the things the worm that caused the recent scare does (name escapes me at the moment) is hijack your computer such that you can't get at other security tools to download them. Your cmd file could simply be corrupted, but it should still show up when you browse to that folder, which is the first thing canetoad had you do.

Try something else first before we go with the radical reinstall option.

Go here and see if you can download and install this. http://www.malwarebytes.org/

If so, run it, and see what it may find.

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 05:55 PM
Response to Reply #14
16. WOW!
That malware downloaded and the installation went perfectly!!!

So, now I'm going to run it.

I really do NOT want to reinstall Windows, so let's hope.

Oh, thank you SO much!

Here goes ------------------------->

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 06:04 PM
Response to Reply #14
18. When I tried to run Malware, I got an error message,
and then the Malware screen popped up (?) and I started the scan.

So far, it's found EIGHT INFECTED OBJECTS!!!!!!!!!!!

Could this be it?

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 06:15 PM
Response to Reply #18
20. Can't tell ...

Just let it do its thing for however long it takes for now.

I unfortunately have to step out for a bit. I'll be back later to check on progress.

Hopefully others are still around.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 06:22 PM
Response to Reply #20
21. Thanks so much -
the update still can't work on McAfee, and cmd appears in Windows\system32, but when I try to put it in "Run," nothing happens.

Thanks for all your help ...................

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 06:13 PM
Response to Reply #14
19. And while Malware is running -
still with only EIGHT infected items - McAfee pops up with a notation that it just blocked a Virus. Disappeared before I could see what it was.

Does one have anything to do with the other, I wonder?

The scan just finished - a total of TWELVE infected items - I had them removed - and all went smoothly.

This is what came up after:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

5/9/2009 7:12:26 PM
mbam-log-2009-05-09 (19-12-26).txt

Scan type: Quick Scan
Objects scanned: 74084
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Duer 157099 Donating Member (1000+ posts) Sat May-09-09 05:42 PM
Response to Original message
15. Do a search of your computer for the missing file
the cmd.exe

You may find it hiding elsewhere. If not, put in that WinXP install disc and do a search of that to see if you can find it there. If so, try to just copy it to the windows/system32 folder and then try to execute it (double click)

But, I agree that the fact that this file is missing is a sign of some sort of mischief going on.

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 06:00 PM
Response to Reply #15
17. It found cmd!
There are five entries - one is in something called "ServicePackUninstall" - there are two of those, actually - in "Windows\$NTServicePackUnin."

And there is "CMD.EXE-087B4001.pf" in "C\Windows\prefetch."

There is one that says it's in "C\Windows\system32" but we know that's a lie. I think.

There is a "cmd" in "C\Windows\ServicePackFiles\386."

And there is "evntcmd" in "C\Windows\ServicePackFiles\386."

This is making no sense to me at all. Is it hiding?

Is this what a virus does?

canetoad Donating Member (1000+ posts) Sat May-09-09 08:24 PM
Response to Reply #17
22. They all seem pretty normal
That is, I would expect them to be found.
In your search results, try double clicking on the cmd.exe found in Windows\system32 and see if that starts it up.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:14 PM
Response to Reply #22
23. What's weird - and I don't know
if this is significant - is that the symbol for the "cmd" in system32 is a small black box.

It looks sinister, but, then, I'm seriously at the end of my paranoid rope.

(And I do so appreciate your taking the time to help me. Thank you.)

Well, I double-clicked it, the taskbar went black, the "Search" window disappeared, then the taskbar came back, and that's that......

canetoad Donating Member (1000+ posts) Sat May-09-09 09:19 PM
Response to Reply #23
24. lol You are worth it
for being excellent entertainment value!

That is the right icon for cmd.exe - meant to symbolize black screen with a 'C' in it. I'd probably be searching for my XP disc to reinstall by now. When Roy G returns he may have something more constructive to add

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 09:24 PM
Response to Reply #24
26. Actually, I don't ...

I just said the same thing. :)


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:31 PM
Response to Reply #24
27. Gee, I earned my way?
Thank you! That makes up a lot for the angry "I'm putting you on Ignore" comments I get.

If I have to reinstall, does that mean EVERYTHING goes? I don't have a whole lot of stuff here, but it would still be a pain. Can't I just do a "repair"?

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 09:40 PM
Response to Reply #27
31. Repair is not what it seems ...

The repair option lets you get in there and start issuing commands to fix things, but it's all command line stuff.

It would be next to impossible to try to walk you through that here. You won't have a web browser available while you're doing it, so we'd basically have to run a crash course on the repair options, and that's just not practical.

And, yes, when you reinstall, everything goes.

Well, that's assuming it's set up in a typical fashion. You can set it up so your data is on a different partition so that if you need to do a reinstall, that's not as much of an issue, but that's not how it's typically done unless you specifically ask for it from whoever put it together or do it yourself.






Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:42 PM
Response to Reply #31
33. Well, I always wanted
to start all over somewhere as a virgin, so this might be my only chance.

OK, I'm gonna give the cut and copy option a try, but not until tomorrow. It's late here, and I'll screw it up.

I will let you know what happens, and, again, thanks so very, very much for all your kind help .....................

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 09:23 PM
Response to Reply #23
25. It's corrupted ...
Edited on Sat May-09-09 09:24 PM by RoyGBiv
... in some way.

It's supposed to be a black-box looking thing. It's a miniature representation of the DOS shell.

Specifically, it should be a black background box with a small blue stripe at the top and a white C:\ in the middle.

Now, if it's not like that, it's wrong.

But whatever the case, something is wrong with it. Are you able to follow Duer's advice about finding it on the XP install disc? You might just be able to replace it.

McAfee update may simply have been failing because cmd.exe wasn't functioning. I'm not sure of that, but some of these programs use cmd.exe to do low-level functions like system updates.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:32 PM
Response to Reply #25
28. I think so .........
I find "cmd.exe" on the install disk, and then move it to "system32," right?

This is so damn scary to me...........

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 09:36 PM
Response to Reply #28
29. Yes ...

At least try that.

Duer 157099 Donating Member (1000+ posts) Sat May-09-09 09:37 PM
Response to Reply #17
30. Try this:
go to the windows\servicepackfiles\386 folder and copy the cmd.exe that's in there, and paste it into your system32 folder.

Oh, but before you do that, if there is a cmd.exe in the system32 folder, rename it cmdBAK.exe first, so you don't overwrite it, in case you need to back out of this

let us know

Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:40 PM
Response to Reply #30
32. There's no "cmd.exe" file, just a "cmd" - and thanks
for assuring me that that black box is normal.

Should I change that name?

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 09:47 PM
Response to Reply #32
34. No ...

It's probably named cmd.exe, but by default Windows hides extensions, so you don't see the .exe part.

You can change this. From any folder window, click on Tools > Folder Options, then click the View tab, then you may need to scroll down just a bit. There's a box that says something like "Hide extensions for known file types ..." Uncheck that and save it.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:51 PM
Response to Reply #34
35. You're GOOD!
Yep, it now says "cmd.exe."

OK, tomorrow the big event.

Good night, you sweet DUer, and thanks a million.

I'll probably nag you again tomorrow, but, for now, I feel safe. Thanks...........................................

RoyGBiv Donating Member (1000+ posts) Sat May-09-09 09:54 PM
Response to Reply #35
37. No worries ...

Let us know how it goes.


Tangerine LaBamba Donating Member (1000+ posts) Sat May-09-09 09:52 PM
Response to Reply #30
36. You're so nice ...........
I'll be on it in the morning, and you can be sure I'll let you know what happens.

Thank you very much. Even if I'm good entertainment value, I still feel really lucky with you and your compatriots here.

I love DU. We can do anything, can't we?

Sleep well ...........................

Tandalayo_Scheisskopf Donating Member (1000+ posts) Sat May-09-09 11:20 PM
Response to Original message
39. Ok. I have the answer.
First off: I am a Tier 1 customer service rep for another major telecommunications and high speed internet company. We are not Comcast. We actually give a huge shit about our customers and their user experience. Unlike Comcast.

Next: I have been running into the disappearance of common low-level command line commands of late. Things like ipconfig, ping, netsh, cmd and others involved with networking. My superiors were gobsmacked. They had no idea what the fuck was up. So I did what I do best: I went and found out.

Seems like there is a nasty...something... out there that, when installing itself, is rewriting or wiping out environmental paths to these commands. I would figure that this is being done to obfuscate and disable removal of whatever this is. I have had a good 6-8 instances of this showing up during troubleshooting and let me tell you, it does not make life, for me, one bit easier.

Finally, McAfee: It's useless. Just a waste of money. So's Anything Symantec. Stop wasting your money on stuff that is proven to be some of the lowest-scoring anti-nasty software out there. Kaspersky, Nod 32, F-Secure, even Avast Free is better (AVG is slipping again).

The big problem is Mickeyshot's security model or lack thereof. RPC is on by default and cannot be turned off. All the nasties exploit this massive move towards perfect idiocy worthy of a Buddha who drools and votes Repuke. Will Mickeysnot change this idiocy? Hell no. It fuels a huge industry.

canetoad Donating Member (1000+ posts) Sat May-09-09 11:37 PM
Response to Reply #39
40. That is very interesting
I have not mentioned this in the thread, but early this morning, trying to open msconfig, I kept getting an error box saying it could not be found.

It's there all right, in Sys32, and it opens OK. Just not from Start\run\msconfig.

I didn't think much of it as it's been a while since I have done a reload and the computer is just about due for it, with a few other bugs hanging about.

Interestingly, I have just run Antimalwarebytes and nothing was found. ThreatFire has reported nothing either. I'll try a few other things and report back.

Tandalayo_Scheisskopf Donating Member (1000+ posts) Sat May-09-09 11:46 PM
Response to Reply #40
41. Try A Squared Free.
Or if you are in a payin' mood, A Squared Commercial. Pretty good stuff.

That said, my investigations have yet to turn up a definitive malign instrumentality causing this. Just that something is.

canetoad Donating Member (1000+ posts) Sun May-10-09 04:13 AM
Response to Reply #41
43. You know how I said
I hadn't reloaded for a while? lol just after my last post I lost all networking. Then no amount of rebooting would make the desktop appear.

I'm back with a fresh install of XP.

Duer 157099 Donating Member (1000+ posts) Sun May-10-09 12:32 AM
Response to Reply #39
42. After doing a clean install, I make a copy of the system32 folder
and name it "system32orig" or something, just in case something like this happens, so that I have an available repository of all the original state files that can be copied over easily.

FYI

MyNameGoesHere Donating Member (1000+ posts) Sun May-10-09 12:06 PM
Response to Reply #39
46. So is SUN at fault for developing RPC
protocol for client/server apps then? Or is EVERY programmer at fault for implementing it crappy?

Tandalayo_Scheisskopf Donating Member (1000+ posts) Mon May-11-09 08:12 AM
Response to Reply #46
51. No, but...
I would expect that Sun allows you to turn the service off when you do not need it, or get a bit granular with permissions.

Mickeysnot does neither.

MyNameGoesHere Donating Member (1000+ posts) Wed May-13-09 07:40 AM
Response to Reply #51
52. I think you missed the point
RPC is inherently insecure sometimes. Now the programmers that make the RPC call have the ability and responsibility to use the highest level of security. MS, Linux, and most everyone else supports RPC with Kerberos. Not 100% secure but it is better. So instead of bashing one vendor why not spread the blame where it truly belongs square on the feet of programmers.

Tangerine LaBamba Donating Member (1000+ posts) Sun May-10-09 12:43 PM
Response to Reply #39
47. Thank you so much!
So it's not just me? I feel better.

I'm watching and trying to understand all the great advice and help I'm getting here. (Is there life without DU?) But, right now, I'm lacking the time to be able to devote to beginning to solving this problem. Just bookmarked the thread and I'll come back to it when I'm better equipped.

Does this mean it's a virus? I've never had anything like this happen.

Although, I remembered that right before this happened, my hard drive went on and just kept rattling and humming and the screen froze up and then everything was all right. Shortly after that, I got the message that McAfee's security suite needed to be reinstalled, that the update could not be completed.

Was that when it happened, do you think? I thought a virus came when you downloaded something. I don't download things.

This is like a trip through the looking glass for me. A whole new perspective, and I am so lucky to have encountered such generous folks ...........

MyNameGoesHere Donating Member (1000+ posts) Sun May-10-09 05:57 AM
Response to Original message
44. before doing a full blown repair or re-install
Edited on Sun May-10-09 05:58 AM by MyNameGoesHere
why not try to repair the system files? Try to run this from the RUN line. "SFC /SCANNOW" without the quotes. SFC means system file check. Or if you can now open the command prompt run it from within that. This will repair any sys files but you will need the setup CD. A lot of OEMs turn off SFC because it is annoying to users, it will prompt for the install CD whenever a system file is being modified. To get around this they turn it off. See Winxp actually DOES try to keep the system files protected, contrary to statements made to the opposite. The problem is that users get annoyed by security pop ups and are loath to drop the install CD in as too much effort.

Tangerine LaBamba Donating Member (1000+ posts) Sun May-10-09 12:47 PM
Response to Reply #44
48. I'll try this,
and thank you for the suggestion. I don't understand any of this, but I'll try anything.

I just hate the idea of a whole new install. It is far more work than I care to undertake right now, so I'm trying to get as much information as possible before I actually DO anything.

It's jarring to realize how dependent I am on this infernal machine ...............

Why Syzygy Donating Member (1000+ posts) Sun May-10-09 09:08 AM
Response to Original message
45. I hate to see you go through XP reinstall.
I used to reinstall Windows 95 a few times a year because it got bloated and buggy. That OS was simple to install. I've reinstalled '98 many times also. But, personally, never XP. Before you begin XP, make sure you have the Key. I'm sure it is likely just as simple as other OS's, but have heard way more horror stories about XP than the earlier releases.

If you would, try this > Click Start > All Programs > Accessories > see if you have "Command Prompt" in that list?

Have you tried to download Avira anti-virus? Have you run a recent scan with McAfee?

Tangerine LaBamba Donating Member (1000+ posts) Sun May-10-09 12:52 PM
Response to Reply #45
49. Oh, dear ...........
What's 'the key'? The number that goes with the start-up disk?

I am so uninformed here as to be speaking a different language, functionally. I'm so impressed by what people here know, but then, you'd be impressed if you saw me examining a hostile witness in court, I would hope.

I ran a scan with malware.com, and it found 12 things, which were removed. McAfee, I did that about a week ago, and all was clear. I downloaded AVAST, but was unable to install it.

I found "Command Prompt," as per your instructions, clicked on it, and the same thing happened as happens when I try to click on "cmd.exe" - the taskbar goes black, the list of programs disappears, everything blinks for a second, and I'm back here, where I started.

A whole new install would be a good idea, but just the thought of it wears me out.

Thank you so much for such generous help..............

BattyDem Donating Member (1000+ posts) Sun May-10-09 10:41 PM
Response to Original message
50. DON'T REINSTALL YET. It sounds like you have the same "bug" I had the other night.
Edited on Sun May-10-09 10:48 PM by BattyDem

I couldn't run CMD or REGEDIT (registry editor) and I couldn't update my virus protection (AVG).

SOMETHING installed on my computer. It got past AVG and ZoneAlarm. SpyBot and AdAware didn't catch it, either. It didn't appear to be running in the background or sending info via the internet, but it was preventing me from running the programs I mentioned.

I did some research and it's called Trojan.Win32.Agent.byab. Most anti-virus programs aren't catching it yet. (The other night, all the info I came across suggested that Kaspersky was the only anti-virus program catching it, but that may have changed by now). From what I've read on various message boards, it seems to affect computers in different ways. Some users will be able to run CMD and REGEDIT, others won't. Some will have trouble with Google searches, others won't. Some people can't run Windows Update, while others have no problem. It's very odd.

Anyway, if you can run REGEDIT, you will find the malware in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

For some people, the "aux" value under "Drivers32" refers to the malware file, for others it's the "aux 2" value. (I recognized the file that was associated with the "aux" value, so I knew that "aux 2" was the problem. My guess is that the malware will create "aux 2" if you already have a legitimate file associated with "aux".)

You must delete that registry key. If you can't run REGEDIT, you will need to use a third party registry editor. I used RegAlyzer. It's free and it's from the creators of SpyBot.

Before you delete the key, write down the name of the file it points to. After deleting the key, go to the C:\Windows folder and rename and move the malware file. Reboot. Everything should work fine after that.

Another possible solution:
Use HijackThis to remove the file at boot time. NOTE: I didn't try this, so I don't know if it works, but this was another solution that I came across. Details can be found here.


This post on the AVG forum is what solved my problem:
http://freeforum.avg.com/read.php?12,183533,backpage=3,sv=

I recommend reading the entire thread. :-)


Good luck! :hi:


edited: typo :blush:

Tangerine LaBamba Donating Member (1000+ posts) Wed May-13-09 07:19 PM
Response to Reply #50
53. My head's spinning,
Edited on Wed May-13-09 07:27 PM by Tangerine LaBamba
and I'm wearing my asbestos bodysuit, which isn't really a good look for me.

:::: sigh ::::

I did all that you suggested. I don't understand what you wrote here:

For some people, the "aux" value under "Drivers32" refers to the malware file, for others it's the "aux 2" value. (I recognized the file that was associated with the "aux" value, so I knew that "aux 2" was the problem. My guess is that the malware will create "aux 2" if you already have a legitimate file associated with "aux".)

So I didn't know what to do when I found everything under this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

I didn't delete anything because I was scared. I don't have an "aux2" file, but I do have an "aux" file. Do I delete that?

I did nothing. Terror-stricken, I went to your next suggestion.

I downloaded RegAlyzer, not understanding anything, and I got a log, but it makes no sense to me.

(Can I trade you some lawyerly skills for your expertise here? Need a Health Care Power Of Attorney?)

Then I went to HijackThis, and that one sort of made sense to me. When I read the stuff at the AVG forum you linked me to, it was like reading EXACTLY what has happened to me. You spotted it!!

How lucky am I?

Here's my problem now: What does it mean to "run HijackThis at boot"? I restarted this computer, but didn't see anything that would have guided me.

I am a total ignoramus where these matters are concerned. I'd do better speaking Classical Greek than I would understand the language in which you all here are so fluent.

And I thank you. I'd hate to reinstall, I really would, but you seem to have tracked this damn virus down and shown me a way to fix the damage done - the problem is, I don't understand the mechanics.

I cannot thank you enough for all this ........................
BattyDem Donating Member (1000+ posts) Thu May-14-09 12:07 PM
Response to Reply #53
54. Let's see if we can get you through this ...
Edited on Thu May-14-09 12:24 PM by BattyDem
:-)


There should be several values under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 key. It sounds like you found it with no problem. :-) Based on the research I did when I was trying to get my system fixed, the malware file is always under "aux" or "aux 2" in the "Drivers32" registry key. However, let's make sure.

QUESTION: What is the name of the file under "aux"?

QUESTION: How were you able to view this key? Your PM said you can't use REGEDIT, so what program did you use to view the registry? Was it RegAlyzer? (I'm only asking so I know exactly what you're looking at and what tools you have at the moment.)

In response to your other question ... basically, once we determine which file is causing the problem, we will tell HijackThis to delete it when you reboot your computer. Of course, if you have access to the registry, we may not even have to use HijackThis.



edited: typo :blush:

Tangerine LaBamba Donating Member (1000+ posts) Thu May-14-09 04:41 PM
Response to Reply #54
55. OK, here we go ................
QUESTION/ANSWER - The name of the file under "aux" is C:\\Windows\\system32\\..\\hatsdjw.qln

QUESTION/ANSWER - I was able to view the key by following your directions using RegAlyzer. I did just as you instructed, and it took me right to the place where I found this aforementioned "aux" file.

Do you think it's possible just to delete this "aux" file? Because I have installed HijackThis, and read the support forums at the links you so kindly provided, but I still don't know what to do. With RegAlyzer, I'm looking right at that registry.

Could it really be that simple?

Naw. Not in my life. Not ever.

But, this feels like it's closing in on a solution. Everything other people described at those forums (fora?) was exactly what has been happening to me.

Thank you ................ :)
BattyDem Donating Member (1000+ posts) Thu May-14-09 10:17 PM
Response to Reply #55
56. It is that simple
Edited on Thu May-14-09 10:24 PM by BattyDem
:-)

As soon as I saw the file name, I was 99.9% sure that was the culprit. However, just to be safe, I did a Google on the file name and then on the .qln file extension itself - nothing turned up. It's fake. (That's exactly what happened when I did a search in the file name that was under "aux 2" in my registry.)

Let's get started ...

Read everything before you do anything. There are some steps that you may or may not have to take and I don't want you to miss anything. :-)

Open up RegAlyzer.
Go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 key. Right-Click on "aux" - it will be highlighted, and a drop-down menu will appear. Select "Delete Value" from that menu.
Exit RegAlyzer.

NOTE: If you're nervous about deleting things from the registry, you can make a backup of the "Drivers32" key before you delete the "aux" file. All you have to do is right-click on "Drivers32" - it will be highlighted, and a drop-down menu will appear. Select "Export" and name it something like "RegFix" then save it. If there's a problem later, all you have to do is double-click on the file you just created and it will put the data back in the registry. Assuming everything goes well ... you should delete the "RegFix" file when the computer is fixed because you don't want to double-click on it accidentally and recreate the bad registry entry. :P



Now go to the C:\WINDOWS folder. (Click on the "Start" button ... Click on "My Computer" ... double-click "Drive C" ... double-click on the "Windows" folder)

Scroll down in the Windows folder until you reach the malware file (hatsdjw.qln). When I was fixing my computer, I tried to delete the file, but it reappeared when I rebooted, so I followed the advice in the link I posted earlier from the AVG forum. That person said he renamed and moved the file, so that's what I did. I ended up keeping the original file name, but I changed the extension to "bad" - in your case, it would look like this: hatsdjw.qln.bad

Then I created a folder called C:\BadFiles and moved it there. I rebooted and everything has been fine ever since. :-)


So ... a quick summary:
Open RegAlyzer
Back up the "Drivers32" key if you want to.
Delete the file from the registry.
Go to C:\WINDOWS and rename the file, then move it somewhere else.
Reboot.
Computer fixed. :-)


Just one more thing ... if you can't find the malware file in the C:\WINDOWS folder, it may be hidden. You'll have to unhide it before you can rename it. Here's how:

When you're in the C:\WINDOWS folder, click "Tools" on the bar at the top - select "Folder Options"
Click on the "View" tab.
Scroll down until you see "Hidden Files and Folders"
Select the "Show Hidden Files and Folders" option, then click "Apply" - Click "OK" to exit that window.

Now you should see hatsdjw.qln in the C:\WINDOWS folder.
Rename it. Move it.
Before you leave the folder, you should probably go back into "Tools" and select the "Do Not Show Hidden Files and Folders" option. That way you won't have to worry about accidentally deleting something important in the future. :-)

Ok ... you should be all set. Good luck! :hi:



edited: typo :blush: Too much info for my fingers to handle, LOL!
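
The Drivers32 check described in this thread can also be run against the exported backup of the key. This is an added example, not part of the original posts: it assumes the export is in the standard regedit `.reg` text format, the list of expected extensions is a heuristic chosen for the example, and the sample export is constructed, with only the "aux" data taken from the thread.

```python
import ntpath
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# Assumption for this example: stock entries are bare file names of these types.
EXPECTED_EXT = {".dll", ".drv", ".acm", ".ax"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; only the "aux" data is taken from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"wave"="wdmaud.drv"
"msacm.msadpcm"="msadp32.acm"
"aux"="C:\\Windows\\system32\\..\\hatsdjw.qln"
'''

def unescape(text):
    # .reg string data escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_drivers32(reg_text):
    """Return {value name: string data} for the Drivers32 key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
        elif in_key and (m := VALUE_RE.match(line)):
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def audit(values):
    """Return {value name: {"resolved": path, "reasons": [...]}} for odd entries."""
    findings = {}
    for name, data in values.items():
        reasons = []
        if "\\" in data or "/" in data:
            reasons.append("explicit path instead of a bare file name")
        if ".." in data.replace("/", "\\").split("\\"):
            reasons.append("'..' segment hides the real folder")
        if ntpath.splitext(data)[1].lower() not in EXPECTED_EXT:
            reasons.append("unexpected file extension")
        if reasons:
            findings[name] = {"resolved": ntpath.normpath(data), "reasons": reasons}
    return findings

if __name__ == "__main__":
    for name, info in audit(parse_drivers32(SAMPLE_REG)).items():
        print(f'{name}: {info["resolved"]} ({"; ".join(info["reasons"])})')
```

The resolved path shows why the file turns up in C:\WINDOWS even though the value names system32. Exports written with the "Version 5.00" header are UTF-16, so read a real file with `encoding="utf-16"` before passing its text in.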






Why Syzygy Donating Member (1000+ posts) Thu May-14-09 10:24 PM
Response to Reply #56
57. I'm glad you could help
her with this. I was gritting my teeth over her having to reinstall XP. :D
BattyDem Donating Member (1000+ posts) Thu May-14-09 10:30 PM
Response to Reply #57
59. I'm glad, too.
I really hate to see someone go through the aggravation of a reinstall. I always try to help people avoid it. :-)
Tangerine LaBamba Donating Member (1000+ posts) Thu May-14-09 10:28 PM
Response to Reply #56
58. I think I love you ........
In fact, I'm pretty certain of it. If I can't marry you, may I adopt you?

It's THAT simple? Wow. I'm sitting here, looking at my Windows disk, not wanting to take it out of its nice shrink-wrapped case. Now, I know I don't have to. This is the best news I've heard in a good while.

I'll do it all tomorrow - all of it - and let you know how it goes.

The time and trouble you took to do this for me, well, I'm just blown away. DU is a great place, for sure, but folks like you and the other wonderful people who took time to help me just make it an even greater place. Imagine - all this for someone sitting in Alexandria, Va, having a problem.

Isn't that amazing?

Aren't you wonderful?

Yes and yes.

Your fingers are fabulous.

Thank you so much.........................
BattyDem Donating Member (1000+ posts) Thu May-14-09 10:47 PM
Response to Reply #58
60. LOL!
Don't propose just yet ... let's make sure it works first. ;-)

Seriously ... I'm 99.999% sure that you'll be fine. Last week, I did all of this on my own computer and I was surprised at how easy it was to fix it. I've done a lot of computer troubleshooting and repairs over the years and usually, a virus is far more difficult to get rid of.

I agree with you - DU is a great place! No matter what problem you have, there is always a bunch of people right there ready to help in any way they can.

:grouphug:
