cmd.exe windows on startup
Paperchaser
October 7th, 2004, 21:59 PM
Hey guys,
I've got a problem with windows xp when it starts up. This is how the story goes...
A few days ago my antivirus program (eTRUST - computer assoc) let me know that I had a virus affecting a cmd.exe file somewhere on my computer. i told the program to clean out the virus for me, and so it did.
after that whenever i start up windows xp, i get 5-7 black windows opening all with the heading c:\windows\system32\cmd.exe. some of them disappear automatically, but some of them require manual closing. at the same time my firewall keeps on alerting me that some new program is trying to access the internet.
Now, i've already run my virus scan again and it says it's clean, i ran my ad alert program and it's removed all spyware, but the cmd.exe windows still come up. i ran a trojan removal program and it couldn't find anything.
i ran msconfig.exe and tried to remove all the non-essential things. the only weird thing is there is this file called ctfmon which i deselected, but it keeps reappearing even though i deselect it every time. (i don't know if it's related to my current problem)
If anyone has had a similar problem or has a possible solution, your advice would be greatly appreciated.
thanks a lot :o
Reverend
October 7th, 2004, 22:35 PM
Frequently asked questions about Ctfmon.exe (http://support.microsoft.com/default.aspx?kbid=282599)
Have you checked the contents of your Startup folder in the programs menu ? Remove any unwanted entries from it and reboot.
Paperchaser
October 7th, 2004, 23:10 PM
Hi, thanks for the reply.
i figured out that it's not a ctfmon.exe problem.
i've noticed that some of the cmd.exe windows have text in them while loading up. the windows close too fast for me to read it or "printscreen" it.
i was wondering, should i try deleting cmd.exe, or will this cause problems with windows.
thanks
kanedags
October 9th, 2004, 01:24 AM
Hi guys,
I have recently experienced this same problem. I've tried virus scan, trojan removal and spyware removal to no avail. Do any of you remember if you installed / uninstalled any programs before you started having the cmd.exe problem on boot? We might be able to find a common link between all of our problems.
Thanks!
rik
October 9th, 2004, 23:44 PM
According to this thread http://www.hardwareanalysis.com/content/topic/30307/ it is Spyware of some type. Try the suggestions in the last post of running Bazooka Spyware Scanner (http://www.kephyr.com/spywarescanner/) as it seems to have helped the issues.
Oh and uh, Welcome to Techzonez fellas...Hope this helps and hope you come back and stay awhile.
ibanez
October 12th, 2004, 00:53 AM
i have this exact same problem and norton, trojan remover, all find nothing
ive ran ad aware and there was something about a possible virus so i removed that one and the problem still exists.
ive used that Bazooka Spyware scanner and all that shows up is a Media Player GUI or something about how my media player could be sending information and all this crap but i really dont think thats whats causing the problem,
i really hope someone finds a solution to this because its not pleasant when i start up and dos screens pop everywhere saying "installing..."
thanks in advance
egghead
October 12th, 2004, 01:27 AM
hi,
try this
goto start button and select run
type sysedit
check to see that you don't have anything in the autoexec.bat and config.sys windows
that can cause the cmd.exe on boot
see this thread
http://www.techzonez.com/forums/search.php?searchid=41935
kanedags
October 12th, 2004, 14:17 PM
Another update... tried what egghead suggested with the sysedit still to no avail. Any other ideas short of doing a reinstall of windows?
rik
October 12th, 2004, 15:12 PM
Run MSCONFIG. Kill ALL startup items and non-MS services, reboot. Then let us know what happens at next boot.
1badger11
October 12th, 2004, 15:14 PM
You might try grabbing the utility called autoruns from sysinternals.com, I hear it will show all startup locations.
Badger
ibanez
October 13th, 2004, 21:12 PM
well i did that msconfig thing and it doesnt come up anymore but i cant help but think that theres still something in my computer but now it just doesnt go on boot up.
rik
October 13th, 2004, 22:07 PM
You are correct. It is still there. Now you'll need to run/rerun spyware scans...Update any of the scanners you have and run them. Then also try downloading Spybot Search and Destroy. You can get it here (http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html). Make sure that you update the scanners before you run them, even the new ones, and see what they find. Also it doesn't hurt going thru your Add/Remove Programs and uninstalling any apps that are easily identifiable as adware/malware/spyware.
philodendron
October 27th, 2004, 08:53 AM
I have the same problem. Also, neither spybot, adaware nor spyhunter finds anything, McAfee doesn’t as well. I found out that the starting point of CTFMON.EXE is in HKEY_Users\S-1-5-21...<myID>...\Software\Microsoft\Windows\CurrentVersion\run.
If I delete this entry, starting InternetExplorer will set the entry there again. In my case after a reboot it will add at the same place in the registry the entry "wkdetect.exe" (probably because on my computer runs Works).
About 4 weeks ago I restored my whole system from scratch, because I had a similar problem, also connected with "wkdetect" and "ctfmon". After some reboots I could not open the taskmanager and msconfig. Probably the author of the Trojan wanted to prevent a detection of the two processes. I had to go into secured mode to start windows and then to delete both files.
This strange behaviour caused me to build up the whole system, but now I have a similar problem as described above. Probably a slightly changed new version of the same Trojan.
I have read in several forums that there are users, who have problems with shut down of windows. I have problems to go in standby. Probably this is also a result of the virus to force reboots, which fits into the philosophy of "distributed trojaning".
Out of this I have drawn the following hypothesis:
1. We are confronted with a new type of stealth Trojan
2. The Trojan uses names of well known MS programs to hide himself
3. The Trojan uses probably parts of existing programs for his own purposes, therefore these programs must be running in the background
At the moment I do not know, where is the Trojan really situated, where can I catch it. So I ask you, please, give me feedback, if you have some news.
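The startup locations named in the posts above (the per-user Run key under HKEY_USERS and the Startup folder), enumerated with PowerShell as an added example that is not part of any post in this thread. It assumes a current Windows with PowerShell 3 or later; the patterns in `$suspect` are an assumption chosen to match this thread's cmd.exe and wscript symptoms.

```powershell
# Added example (not from the thread): list autostart entries and mark the ones
# that launch a command interpreter or script host at logon.
$runSubKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
              'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Machine-wide hive plus every user hive currently loaded under HKEY_USERS
# (run elevated to read hives that belong to other accounts).
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)" }

# Assumption: these patterns are a starting point for review, not a verdict.
$suspect = '\bcmd(\.exe)?\b|\b[cw]script\b|\.(bat|cmd|vbs|js)\b'

$entries = @()
foreach ($root in $roots) {
    foreach ($sub in $runSubKeys) {
        $key = Get-Item "$root\$sub" -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }          # key absent or unreadable
        foreach ($name in $key.GetValueNames()) {
            $entries += [pscustomobject]@{
                Location = $key.Name
                Name     = $name
                Command  = [string]$key.GetValue($name)
            }
        }
    }
}

# Per-user and all-users Startup folders from the Programs menu.
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem $dir -File) {
        $entries += [pscustomobject]@{
            Location = $dir; Name = $file.Name; Command = $file.FullName
        }
    }
}

# Entries matching $suspect sort to the top for manual review.
$entries |
    Select-Object @{ n = 'Review'; e = { $_.Command -match $suspect } },
                  Location, Name, Command |
    Sort-Object Review -Descending |
    Format-Table -AutoSize -Wrap
```

An entry that reappears after deletion, as described for the Run value above, shows up here again on the next run, which makes before-and-after comparisons straightforward.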
Shortygb
November 25th, 2004, 11:26 AM
i get this problem when i start up windows xp , that 8 cmd.exe files are open in the taskmanager processes. they take up the cpu to run at 100% but once all of them are closed it goes back to normal.
i suspect this has something to do with the problems ive been getting lately, e.g wscript file is running high, system idle and me not being able to open word documents (says document unavailable)
could someone please help me? :confused:
Dehcbad25
November 25th, 2004, 15:24 PM
OK, it seems that no one has posted the reason why, so I will do it.
Most of you guys are correct. The problem is spyware. What is happening is that you removed the spyware program with the antivirus. That is a NO NO NO NO!! :p
Because antivirus programs haven't really dived into the spyware section completely. Another thing is, as Spybot recommends at the beginning, some reboots are needed for programs to run. Best recommendation is, you run a spyware analyzer (like Spybot, Ad Aware) (make sure your spyware detector doesn't carry spyware itself too. There are some that do, ironically). Then when the scan finishes, don't remove them. Simply look up information about those spyware types.
I use these 2 sites
http://www.spywareguide.com/ (it has a search function)
http://www.doxdesk.com/parasite/ (It doesn't have a search function, but I use google site search instead. In google, type what you are looking for, for example 404, then type site:www.sitename.com, so it looks like this "404 site:www.doxdesk.com". This site has more information about each spyware including the distribution)
Now, you will have a better idea of how it got it, and can prevent a lot better, but also you can see all names that it has, and if it has an un-installer. Then go to Control Panel, and un-install all the spyware that has an entry (a lot actually do). After you un-installed the last one (and probably restarted a couple of times if you have more than one) restart the computer, and run spyware again. Most will say this is a big mess, but actually this way you will have a much healthier system. Spyware remover programs will remove it no matter what, which can break programs and even the OS (It happened to me this week, so it is not strange). Doing it this way takes longer, but it is safer. I cleaned a PC with over 1000 results (only 60 were cookies) and the PC was running fine after I finished (there were no recovery CDs for the PC)
Curio
November 27th, 2004, 10:24 AM
Many variants of the spybot worm (and others) exhibit similar behaviour. It is also possible you have a new variant of something - lucky you. Run HijackThis and post the hijackthis log to this forum and you will be amazed at how helpful we can be. Knowledge is the only armour against new malware variants. Various bits are missed by different AV and Spyware solutions, none of them get everything. You may also want to use a tool like QwikFix to shut some of those IE vulns down before you get more infections.