File explorer opens when I try to open CMD

The title is pretty self-explanatory but I'll repeat it.

When I type cmd in the Windows search bar I get a small window that pops down really quick. After that file explorer opens up. When I press WIN+R and type in CMD it does the same. When I open cmd with PowerShell I do get to see what it says. See image.

Image

This is what pops up when I open CMD in PowerShell and this is the same message I get when I try to open a terminal in, let's say, Visual Studio Code.

I guess cmd runs the explorer command immediately when it opens but I have no clue how this happened.

I thought it might be a virus for some odd reason, because I literally can't think of anything else so my antivirus is scanning atm.

Any help would be much appreciated.

Also, when I restarted my PC and ran CMD again it ran some lines of commands but I was too baffled to take a screenshot. Next time when I restart I'll screenshot it, because it ran slow enough to take a screenshot of.


Hi Rajivrocks,

I'm Paul, a fellow customer like you & an Independent Advisor. Please also run a malware scan if you will. Thanks.
https://support.office.com/en-us/article/remove...
If above link doesn't find anything, try scanning malware again using the below tool.
https://docs.microsoft.com/en-us/windows/securi...

For the interim, kindly try running this command below in an elevated Command Prompt. Then reboot your PC & test.
SFC /scannow

Also, kindly send me a screenshot below. Thanks.
Right-click on Command Prompt > open file location > right-click on its shortcut icon > Properties

I hope this helps. Let me know how you go. Thank you!


Sincerely,
Paul A.
Independent Advisor


Hi Paul,

Thanks for the response. I ran the first scan already with my antivirus (ESET NOD32 Antivirus) and it found nothing. After that I ran the Microsoft tool and it found a trojan that was removed, but I have had no alerts via any account that I have that I have been hacked. I still have the cmd issue that it opens explorer so I think it's something else. Also the SFC /scannow command didn't find any integrity issues either.

Here is a screenshot of the cmd shortcut. I already looked at this previously and it looks normal to me. Tried to directly open cmd from the windows/system32 folder and the same thing happened.

Image

Thanks a lot for your help, I really appreciate it.

Kind regards,

Rajiv

2 people found this reply helpful


Hi Rajivrocks,

Got it, thanks. What's the name of that trojan virus? Looks like it damaged your CMD.
1. Go to Start > search regedit.msc > open "Registry Editor" > navigate to HKLM\Software\Microsoft\Command Processor > ensure the "AutoRun" setting is empty. Do the same to HKLU\Software\Microsoft\Command Processor; ignore if you can't find this folder. Reboot your PC & test.
2. If the above "AutoRun" file will not allow you to set an empty value, then reboot your PC to Safe Mode & delete the "AutoRun" file on both locations above.

I hope this helps. Let me know how you go. Thank you!


Sincerely,
Paul A.
Independent Advisor

1 person found this reply helpful


Hi Paul,

So I looked at the specific spot that you mentioned but there is no autorun line entry there in HKEY_LOCALMACHINE and the HKLU didn't exist. These are the entries that are in there.

Image

The Trojan was a version of "windows/system32/trojan.vigor"

Thanks again for the help.

Kind regards,

Rajiv


Hi Rajivrocks,

Got it, thanks. That's alright. Now, here's the information about the virus & it's a pretty nasty one. I'd first recommend changing all of your passwords, either offline or online, as a matter of urgency. It should be good after that since we've already removed the culprit from your system.
https://www.microsoft.com/en-us/wdsi/threats/ma...

1. Once done, kindly go to Start > search/open "System" > in the left pane, click "Advanced system settings" > click "Advanced" tab > click the "Environment Variables..." > take a screenshot for me > double-click the Variable "Path" > take another screenshot for me > click the "New" button > then add the value below & click OK all the way.
C:\Windows\SysWow64\
2. Once done, reboot your PC & test.

I hope this helps. Let me know how you go. Thank you!


Sincerely,
Paul A.
Independent Advisor


Hi Paul,

Thanks for the reply, here are the screenshots. They are all in order so look through them as you would do normally. Top to bottom. Also added the Env variable and rebooted, but it still does the same.

1

Image

2.

Image

3.

Image

Path env 1.

Image

2.

Image

I'm a computer science student, that's why I have all these env variables. ComSpec says something about cmd but I have no clue if that's it.

Again, thanks for the help.

Kind regards,

Rajiv


Hi Rajiv,

Got it, thanks. Coof stuff!
Now, do you have 64 or 32 bit OS? Kindly navigate & open CMD from the below path and see if there's a difference?
C:\Windows\SysWow64\cmd.exe
C:\Windows\System32\cmd.exe

I hope this helps. Let me know how you go. Thank you!


Sincerely,
Paul A.
Independent Advisor


Hi Paul,

EDIT: Disregard the bottom text. After googling a bit I found a Stack Overflow page where the guy told me to do the same thing as you asked, checking regedit. Turns out I have a current_user entry after all. I have very bad eyes so that's why I missed it. The autorun entry was there and I removed it.

It pointed towards a firewall module that was a part of a virus that was removed automatically when I installed something a few days ago. So it pointed to nothing, that's why it couldn't execute its task. In the end it could've only been a registry entry when I think back.

Thanks for bearing with me and of course I really appreciate the help!

Kind regards,

Rajiv

END EDIT

I have a 64-bit system. I already tried opening cmd in the system32 folder but it doesn't do anything. In both system32 and SysWow64 folders the cmd opens and closes real fast. When I run cmd like this though it doesn't open explorer, and when I open both cmds in PowerShell it doesn't give me the "file or directory find: explorer.exe no such file or directory found" message. Usually when I open cmd in PowerShell with the cmd command it displays this message and opens explorer. When I open cmd with PowerShell in the directories specified by you it doesn't show any message and no explorer window is opened.

I am really confused, I'm tempted to just reinstall windows to be safe, even though I'm almost 100% sure nothing is compromised. Just to be on the safe side, but it is such a pain to reinstall everything.

Kind regards,

Rajiv

3 people found this reply helpful
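
The check that resolved this thread, as an added example that is not part of the original posts: a read-only PowerShell audit of the `AutoRun` value under `Software\Microsoft\Command Processor` in the current-user and local-machine hives, reporting whether the command it names still resolves to a file. The function name `Get-CmdAutoRun` is hypothetical, and the `WOW6432Node` path (the 32-bit view used by `SysWOW64\cmd.exe`) is an assumption that goes beyond the keys named in the thread.

```powershell
# Added example: read-only audit of the cmd.exe AutoRun values discussed in this thread.
$CommandProcessorKeys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\Software\Microsoft\Command Processor',
    # Assumption beyond the thread: the 32-bit registry view, read by SysWOW64\cmd.exe.
    'HKLM:\Software\WOW6432Node\Microsoft\Command Processor'
)

function Get-CmdAutoRun {
    param([string[]]$Path = $CommandProcessorKeys)

    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # AutoRun is a value on the key; it is absent on a clean default install.
        $value = (Get-ItemProperty -LiteralPath $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ([string]::IsNullOrWhiteSpace($value)) { continue }

        # Expand %VAR% references, then take the first token (quoted or bare) as the target.
        $expanded = [Environment]::ExpandEnvironmentVariables($value)
        $target = $null
        if ($expanded -match '^\s*(?:"([^"]+)"|(\S+))') {
            $target = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }

        # Resolve the target the way a shell would: full path or PATH lookup.
        $resolved = $null
        if ($target) {
            $resolved = Get-Command -Name $target -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
        }

        [pscustomobject]@{
            Key            = $key
            AutoRun        = $value
            Target         = $target
            TargetResolves = [bool]$resolved   # False also for cmd built-ins such as echo
            ResolvedPath   = $resolved.Path
        }
    }
}

Get-CmdAutoRun | Format-List
# After reviewing an entry, it can be removed with:
# Remove-ItemProperty -LiteralPath '<key from the output>' -Name AutoRun
```

While an unwanted entry is still present, `cmd.exe /d` starts a Command Prompt with AutoRun execution disabled. An entry whose target no longer resolves, as in this thread, is a leftover worth tracing back to whatever wrote it.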


Hi Rajiv,

I understand. Before we go to that path though, I suggest following these steps below & see if it fixes it.
1. Try to run the Windows Troubleshooter & see if it finds/fixes it.
https://support.microsoft.com/en-us/help/402843...
2. If that won't work, try to run the Files & Folder troubleshooter tool too.
https://support.microsoft.com/en-in/help/17590/...
3. Otherwise, reboot your PC to Auto Repair.
Go to Start > Settings > Update & recovery > Recovery > in Advanced startup, click "Restart now" > upon PC boot, click "Troubleshoot" > Advanced options > click Startup Repair

I hope this helps. Let me know how you go. Thank you!


Sincerely,
Paul A.
Independent Advisor


Hi Paul, 

Sorry I edited my post last night, but apparently I forgot to hit submit. Please read my last post. The problem has been resolved!

Kind regards,

Rajiv

1 person found this reply helpful



Question Info


Last updated February 18, 2025 Views 1,666 Applies to: