Windows cannot find 'cmd'

try logging in by using other username, if possible, then try to run cmd by start>run>cmd;
see what happens, let us know.

btw, what do you have in the directory C:\windows\system32\cmd.exe ?

If not possible, please download this Hijack tool from this site www.majorgeeks.com/download5554.html ;and save it to DESKTOP.
Then doubleclick it (it doesn't need installation)...checklist the 'Do a systemscan and save logfile' tab. As soon as it finishes, it shall produce you a logfile (in notepad), either copy-paste the content here or attach it here (it is saved under C:\Program Files\Trendmicro\HijackThis\HijackThis.txt

WARNING:
Don't click or do anything while HijackThis is doing a scan, or else it may cause your computer to stall and must be rebooted.

1- I test it by a new user and still have the problem.
2- When I want to see C:\windows\system32\cmd.exe, I get the error again.
3- This is HijackThis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:51 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\maryam\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazemjoon.mihanblog.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.3.90:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Windows] C:\WINDOWS\system32\Kernel.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: Oracleora9iTNSListener - Unknown owner - D:\Oracle\product\9.2.0.1.0\ora9i\BIN\TNSLSNR.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6266 bytes
Thanks,

Hi maryamj

It looks like you only use one browser, Internet Explorer, in your pc. IE is quite vulnerable to virus/spyware/malware attacks. However, i don't see any dangerous application running in your logfile (or is it me who is not good at reading logfile?). Quite confusing........

Anyway, I don' t see any antispyware running in your pc. hmm..that's quite risky!

Try installing these spyware/malware removal tools:
Ad-aware: http://www.lavasoft.de/
AVG-AS : http://www.ewido.net/en/

There is a free version for Ad-aware; but for avg-as, you can only use the resident-shield, which is a real-time scanning, for 30 days.

Install and do a scan with both of them, delete/move to vaults any file(s) found by them. Then let us know the update behaviour of your pc.

PS:
1. Could you please let us know what had happened before the cmd disappeared?
2. After installing ad-aware, you might be asked to reboot and update first, after booting, your pc might be a bit slower than usual. This is ok.
3. Try running the cmd from Task Manager,
CTRL+ALT+DEL>New Task>choose from the list or use the browse button to navigate it to the corresponding folder.

Jo.

I have the problem in alot of shortcut files:
when I want to open the Windows Services utility: From then Administrative Tools, show me this error:
"windows cannot find 'c:\windows\system32\servises.msc'.Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

Hi maryamj,

From the HijackThis logifle, windows services are actually running...quite weird if you can't open windows utility files.
I gotta be offline soon enough and will be offline for a couple of days. I notice that the forum here is quite passive in responding to threads.

I'd recommend you to go this forum:
register yourself, read the rules, post a new thread by describing the behaviour of your pc under Microsoft Support and your corresponding OS in that forum. That forum is a lot more active. You can also give the link in that forum which directs to the thread here so that the moderator/administrator/computer experts/enthusiasts can have a glimpse of what you have been through.

But before you do so, please complete the scanning and moving-to-vault/quarantine any infections found by the antispyware/malware tools given before.
Sorry for not being quite helpful to you, maryamj.

Dear Moderator,
Sorry if I refer this person to other forum, as it can help her better and faster, at least.
Hope you don't mind.

Jo.

Posting this in hopes it will be helpful to later users:

Yes, this activity can be caused by viruses, spyware, etc. Get a good anti-virus and clean everything up! I used Vexira. I had Backdoor.Win32.Hupigon.gpm

It puts a hidden autorun in the root of every Disk Drive, and on USB keys, which is how it travels.
You will have to enable viewing hidden files, and a couple boxes under that, uncheck "protect windows system files"

Vexira detected and cleaned all these up. Be sure you get your USB keys cleaned too!
It does leave annoying little folders called ..runauto in the root. I used the "unlocker" tool to delete these, although they are clean now. http://ccollomb.free.fr/unlocker/
Be sure that the autorun.pif file is deleted from the root of all the drives. This will cause your windows drives to not load from My Computer until after you reboot.

After all that cleaning, I still couldn't use cmd.exe, regedit.exe, etc.

I have figured out the fix for the programs that were disabled by the virus.

Backup your registry first, just in case.

It takes advantage of a debug option in the registry. I have emergency utils that gives me a copy of regedit.exe so I can edit the registry.
http://www.dougknox.com/xp/utils/xp_emerutils.htm

Look here:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
cmd.exe etc.

Under each of the .exe files that doesn't work, there is a handle called "Debugger" with the value set to "setuprs1.PIF" on mine. Delete the entire debugger entry.

If your name is the same, you can just search for all instances of setuprs1.pif, and delete them all.

This guy explains how it works. So any of those programs were actually set to install the virus again. But of course, the real program couldn't be found. And after the virus program cleaned out the .pifs, there was nothing there. It's interesting that you can actually use a completely different program so easily ... under the name cmd.exe .... NO WONDER viruses use it!
http://geekswithblogs.net/ssimakov/archive/2005/03/22/26930.aspx

Image File Execution options key as an Attack Vector on Windows
Dana Epp posted interesting article about using Image File Execution options in the Windows registry to redirecting a process loading:

By simply mapping the executable name to a different debugger source, you can actually load something else entirely.

Let me give you a proof of concept:

Start the Registry Editor: Click Start, click Run, and then type regedt32.

Locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

To this hive, add the SOURCE exe as a key. Lets use notepad.exe: (Right click and select New, and then Key (Add the key and name it notepad.exe)

To the notepad.exe key, add a new REG_SZ (string) value called Debugger, and point it to c:\windows\system32\cmd.exe

Start up notepad (Click Start, click Run, and then type notepad)

Notice that a new cmd window opened instead [more in Dana's blog entry]
BTW, Mark Russinovich's ProcessExplorer is using this technique to replace default Task Manager (check your HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe key)

Good luck!

if you still havent fixed it by now then check out the "kernel.exe" i have heard it has caused alot of problems.....
i also have this problem but do not know what is causing this. i dont have kernel.exe so i dunno ......Help!!!

Thanks dwlorimer.
This worked a treat.

I just exported the "Image File Execution Options" key to a file opened it in notepad and replaced the debugger line with "setuprs1.PIF" in it with a blank line and saved the file. Then I deleted the "Image File Execution Options" key completely and merged the file with the registry and bobs your uncle it all works again.

Thanks again

my problem with this error is under windows server 2008 and it seems to be a malware.
the solution is http://www.malwarebytes.org/mbam.php
just download its free version,
first of all when setup has been finished let the program to be updated,
it just takes a few minutes.
then open the malwarebytes and go to scanner ,
select quick scan , and let it scan your system,
after the scan has finished it tells you to view the result of
infected objects. so open view result and then push remove selected button
and remove objects.some objects may need windows to be restarted, so after reboot resume the process.after all infected objects removed you can exit the program and
try "CMD" in run .. it should work now.

No doubt after 3 years, the OP has solved the problem :).