View Full Version : CMD.exe on boot..sluggish PC.


BS8B14
October 4th, 2004, 18:17 PM
Hey all, first time poster, and have an issue that just surfaced yesterday. I have been trying to fix it by going through msconfig, an archived post from this forum had some info, and a few other things, but to no avail. What happens is as soon as windows boots up, cmd.exe flashes up on the screen, then closes, then opens and says "Installing...." and closes, then opens again, and closes for the last time. Right away I knew something was up, so I immediately went into msconfig to search for anything strange...didn't find anything. I downloaded and ran "Trojan Remover", did a housecall scan, and ran adaware....nothing unusual. So I decided to come here and seek advice/help. Here is my HJT log...hopefully someone has an idea of what could be happening.

Logfile of HijackThis v1.97.7
Scan saved at 2:09:36 PM, on 10/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\EXSHOW95.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\RSNet\RSEDNClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Smeezy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QveCtl2Tray] C:\Program Files\Philips\PSA2\skin\QveCplSk.EXE C:\Program Files\Philips\PSA2\skin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v3/vet_install_popup.pl?1&4&04.00.08.43&unknown&unknown&http://www.scion.com/scionConfigApp/scion/viewsection.jsp?forceLoad=1
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37885.6156134259
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Nothing out of the ordinary to me....granted there are quite a few things running, but I have never had an issue with slow loading or anything until now. I notice it mostly on the internet. I was using Mozilla until yesterday when I uninstalled it thinking it may have been the problem. Sometimes it takes longer than usual for the page to load, sometimes the page will lock up completely for 5-10 seconds. Strange strange.

Thanks
Josh

Big Booger
October 5th, 2004, 09:43 AM
First thing I'd try is a real virus scan using a virus scanning tool like AVG, Norton, McAfee.. Install it, update the definitions, and scan away.

Then I'd try adaware again, as well as spybot search and destroy.

Then going into msconfig, general tab, select DIAGNOSTIC startup. That should load only the basic software and essential drivers.

If that doesn't work, I'd try uninstalling anything you have installed in the past 2-3 days. Or I'd run a system restore.

I'd get rid of that red swoosh product immediately. Unless you absolutely must use it.

Cmd.exe is basically the command line executive. If it is popping up, something is accessing it. And it sounds like something is trying to install.

Have you tried to install anything in the past 2-3 days? If so, can you list what it was you installed?

Some other things, get rid of the real player and get media player classic. It plays all .ram, .rm files and doesn't infest your PC like the real player does.

Why did I suggest this?

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

It could be the google toolbar as well.. I dunno.
because it could be that the real player is trying to update itself on the boot. Which it is supposed to do if you have it installed... which I don't :D I hate real player.
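
Added example, not part of the original thread: one way to triage the O4 autostart lines of the HijackThis log above, cross-checking each Run entry against the "Running processes" list. The flag names and the heuristic are assumptions of this example; an entry that has no full path or is no longer running at scan time is only a lead for manual review.

```python
import ntpath
import re

# Excerpts copied from the HijackThis log posted above (not the full log).
RUNNING = r"""
C:\WINDOWS\system32\EXSHOW95.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
"""
O4_LINES = r"""
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Quoted path, or unquoted path ending in an executable extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

def parse_o4(text):
    """Yield (hive, value_name, exe_path) for each O4 Run-key line."""
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, _key, name, cmd = m.groups()
            e = EXE_RE.match(cmd)
            exe = (e.group(1) or e.group(2)) if e else cmd
            yield hive, name, exe

def triage(o4_text, running_text):
    """Flag autostart entries worth a manual look (heuristic, not a verdict)."""
    running = {ntpath.basename(p.strip()).lower()
               for p in running_text.splitlines() if p.strip()}
    findings = []
    for hive, name, exe in parse_o4(o4_text):
        flags = []
        if not ntpath.isabs(exe):
            flags.append("no-full-path")  # file is located by path search at logon
        if ntpath.basename(exe).lower() not in running:
            flags.append("not-running")   # absent from the process list at scan time
        if flags:
            findings.append((hive, name, flags))
    return findings

if __name__ == "__main__":
    for hive, name, flags in triage(O4_LINES, RUNNING):
        print(f"{hive:5} {name:15} {', '.join(flags)}")
```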

Conan
October 5th, 2004, 11:52 AM
I've found that emptying the contents of all temp folders gets rid of the sluggishness that I sometimes experience with my internet connection.

Like when I updated FireFox to 0.10.1, the update file that remained in the temp folder was slowing down my surfing. When I cleared the contents of the temp folders, things speeded up again.

Paperchaser
October 7th, 2004, 23:50 PM
hi,

i've got the exact same problem. any luck getting rid of it?

kanedags
October 9th, 2004, 01:23 AM
Hi guys,

I have recently experienced this same problem. I've tried virus scan, trojan removal and spyware removal to no avail. Do any of you remember if you installed / uninstalled any programs before you started having the cmd.exe problem on boot? We might be able to find a common link between all of our problems.

Thanks!

Big Booger
October 9th, 2004, 10:09 AM
Have any of you tried system restore?

egghead
October 9th, 2004, 20:19 PM
hi,

try this

goto start button and select run
type sysedit
check to see that you don't have anything in the autoexec.bat and config.sys windows

that can cause the cmd.exe on bootup

socal95
October 9th, 2004, 23:04 PM
Got the same problem- just started happening the other day to me as well. I did try out one new file share prog called music station- but have since removed all of its components. Nothing in the normal range of checkers is finding anything- So what have we here??

rik
October 9th, 2004, 23:49 PM
Try the same as suggested here (http://www.techzonez.com/forums/showthread.php?t=12086).

kanedags
October 10th, 2004, 14:29 PM
Hi egghead.... I tried what you suggested and I have this in my autoexec.bat

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

Normal? Safe to delete this? Suggestions?

Thanks everyone for their help! :)

egghead
October 10th, 2004, 17:50 PM
hmm
windowsxp does not use autoexec.bat and config.sys but some older programs might use them

both my files are empty

you can do something that is the equivalent of removing the info from the files.

at the start of each line put the word "rem" in front of it

this tells windows and command.com to ignore that line.

rem SET windir=C:\WINDOWS
rem SET winbootdir=C:\WINDOWS
rem SET COMSPEC=C:\WINDOWS\COMMAND.COM
rem SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
rem SET PROMPT=$p$g
rem SET TEMP=C:\WINDOWS\TEMP
rem SET TMP=C:\WINDOWS\TEMP


was there anything in your config.sys? you can rem them too.

keep us updated.