WinXP cmd shell window problem

A weird thing kept me occupied my whole Saturday and prompted me to write about it so that others facing the same may benefit from the fix.

I was eagerly looking forward to my weekend so that I could try out a few things.. testing Java localization features being one of them. Now I did give it a try over the week at work but couldn’t do much. Anyways, my work needed me to execute the following command from a shell.


$ java -jar $JAVA_HOME/demo/jfc/Font2DTest/Font2DTest.jar

Let me tell you about the Operating Systems I use. I use Fedora Linux at work and have Windows XP on my laptop. So on a fine Saturday morning in order to execute the above command, I tried to invoke the Windows XP cmd shell as follows:

(a)

Start -> Run -> cmd

Now I’ve done this many times in the past but this morning it behaved in a weird manner. The cmd shell window would appear for a brief moment but terminate automatically ! 😦

Well the first thing I did (besides cursing Windows) was to quickly update my virus definitions and scan my system. This didn’t show any virus or infected files. I did a quick google search with the following keywords:


Windows XP, cmd not working
Windows XP, unable to open command prompt
cmd shell terminating automatically

My search didn’t yield any fruitful results so I decided to investigate the problem. I tried to execute the cmd.exe directly i.e.

(b)

I browsed to the C:\WINDOWS\system32\ and double-clicked cmd.exe

– Now this did bring up the window!

(MAKE SURE to unhide system files if you want Windows Explorer to show you files under the C:\WINDOWS\system32\ directory i.e. Tools->Folder Options-> UNCHECK Hide System files)

I tried to execute the cmd shell again using approach (a) but found the same problem !

After trying out the above two approaches multiple times, I observed that with

(b) the shell window has the title – C:\WINDOWS\system32\cmd.exe, while with
(a) the window, for the brief moment that it appears, has the title – C:\WINDOWS\system32\cmd.COM

I found that C:\WINDOWS\system32\ directory has 2 files named cmd – cmd.exe and cmd.com . I renamed cmd.com to cmd.com_ and then tried approach (a)

Voila! This time it did work.

I did a google search to find the cause of the problem and learnt that my system was infected with the WORM_ALCAN.A virus, which somehow wasn’t getting picked up by my Anti-Virus utility (Norton). This virus (among various other things) drops the following files in C:\WINDOWS\system32\

  • CMD.COM
  • NETSTAT.COM
  • PING.COM
  • REGEDIT.COM
  • TASKKILL.COM
  • TASKLIST.COM
  • TRACERT.COM



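Since .COM files have a higher priority than their .EXE counterparts, the dropped .COM file runs instead whenever the command is invoked by name without an extension, which effectively disables the execution of the .EXE files.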
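To illustrate the precedence described above, here is an added example (not from the original post) that models bare-name lookup and lists every file in a directory that is hidden by a same-named file with a higher-priority extension. It assumes the stock Windows XP PATHEXT order and uses a constructed temporary directory in place of C:\WINDOWS\system32; the function names are hypothetical.

```python
import os
import tempfile

# Assumption: stock Windows XP PATHEXT value; .COM is tried before .EXE.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"


def resolve(name, directory, pathext=DEFAULT_PATHEXT):
    """Return the file a bare command name resolves to in `directory`,
    trying each extension in PATHEXT order (case-insensitive)."""
    present = {f.lower(): f for f in os.listdir(directory)}
    for ext in pathext.split(";"):
        hit = present.get((name + ext).lower())
        if hit:
            return hit
    return None


def find_shadows(directory, pathext=DEFAULT_PATHEXT):
    """Return (winner, hidden) pairs: files sharing a base name where the
    winner's extension comes earlier in PATHEXT than the hidden file's."""
    order = [e.lower() for e in pathext.split(";") if e]
    by_stem = {}
    for f in os.listdir(directory):
        stem, ext = os.path.splitext(f)
        if ext.lower() in order:
            by_stem.setdefault(stem.lower(), []).append(f)
    shadows = []
    for stem in sorted(by_stem):
        ranked = sorted(by_stem[stem],
                        key=lambda f: order.index(os.path.splitext(f)[1].lower()))
        shadows.extend((ranked[0], hidden) for hidden in ranked[1:])
    return shadows


def demo():
    # Constructed sample: empty placeholder files standing in for system32.
    # more.com is a normal .com-only tool and must not be reported.
    names = ["cmd.exe", "CMD.COM", "ping.exe", "PING.COM", "notepad.exe", "more.com"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            open(os.path.join(d, n), "w").close()
        return resolve("cmd", d), resolve("notepad", d), find_shadows(d)


if __name__ == "__main__":
    winner, untouched, pairs = demo()
    print("cmd ->", winner, "| notepad ->", untouched)
    for com, exe in pairs:
        print("shadowed:", exe, "is hidden by", com)
```

On a real machine, pass the system32 path to find_shadows; any pair it reports deserves a closer look, while .com-only tools with no .exe twin are left out.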

I realised that NETSTAT and other files were infected too and needless to say I straightaway removed these .COM malicious files.

Learn more about it at:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A&VSect=T

Well.. this pretty much brings my Saturday to an end.. I sincerely hope nothing goes wrong tomorrow and I continue with my plans.


10 comments so far

  1. JMurray on

    Thanks! I was facing a similar issue. I was unable to run regedit. You saved me from re-installing XP 🙂

  2. JPD on

    Thanks, this kind of info helps a lot of people all over the globe. You got my ping.exe and regedit running again !

  3. zahir on

    Thanks a lot.
    I too was facing the problem.
    Keep it up.

  4. sanj on

    wonderful, worked like a charm

  5. kdawg on

    thank you very much, saved me from reloading xp

  6. jai on

    nice info man!
    helped a lot!

  7. jayson on

    This is fine, but at the end the worm is still in the computer.

  8. David on

    Oh man, my cmd had the same problem… I was getting really frustrated but it works now, thanks

  9. junkbox on

    ^^^^^^^^^
    Not necessarily, Jayson.. what many AVs fail to do is to delete the *.com files (probably a failsafe).
    Run the AV to clean up the ‘run’ entries and the TSR properties of the virus and then delete the *.com files manually.
    Viruses like this would be pointless if they modded those system files, as SFC would inevitably flag them.. but by inserting a "non" system file that takes advantage of Windows’ preference for *.com files, SFC is none the wiser.
    Good article, I re-ran across this issue today and forgot the fix.
    Thanks

  10. AK on

    Hi, thanks a lot for taking your Saturday time to write this post. I had a slightly different problem and your article led me to finding a solution. I was using a shortcut to access cmd and it was pointing to something weird, that only resembled cmd.

