Windows Forum / Windows Me / System Tools / November 2004


HARDCMD   ???

anonymous@discussions.microsoft.com - 15 Nov 2004 23:59 GMT
Hi,
I have a few questions about Windows ME.
Does anybody know what this is ::: HARDCMD
HKLM\Software\Microsoft\Windows\CurrrentVersion\Run Once.
Or HARDCMD=C:\Windows\Cursers\Hardcmd.exe rerun  ?
I'm trying to fix my sister's computer and found these
items keep appearing after I've used HiJackThis to delete
them. I'm thinking she must have downloaded some kind of
animated cursors or spyware.
The issue I'm having..is I believe this or both of them
are causing a problem when I try to do a Disc Scan.
I've looked on Google, but there's not too much about
this.
Also I've downloaded the disc scan program, that I've seen
through this newsgroup (I've learned so much from you
guys and ladies) and it is THAT program, that is telling
me that these things are interfering with the disc scan
at start up.
One other question ::: If I find something in the
registry, that I know is bad or a virus, is it safe to
just right click the item and delete it? I've never
messed with the registry, but I'm getting desperate
Thank You if you can help me
Mike M - 16 Nov 2004 00:21 GMT
I can only find a few references to hardcmd.exe and AFAIK this is not a
legitimate application but quite likely to be malicious, possibly a
trojan.  Locate the file using Windows Explorer, select right click and
look at its Properties.  Do these give a clue as to its possible origin?
Meanwhile I would use MSConfig (or possibly even regedit), open the
Startup tab and uncheck the entry used to launch hardcmd.exe each time the
PC is booted.  Check though that if you do this that another randomly
named process doesn't get launched instead.  If it does then you may have
picked up a version of some of the rather crafty newer parasites which
could take a fair bit of cleaning to remove entirely.

Mike Maltby MS-MVP
mike.maltby@gmail.com

anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
wrote:

> Hi,
> I have a few questions about Windows ME.
[quoted text clipped - 19 lines]
> messed with the registry, but I'm getting desperate
> Thank You if you can help me
anonymous@discussions.microsoft.com - 16 Nov 2004 00:39 GMT
Hi Mike,
Thank you for your quick response, as I was just looking
in the registry and was going to try to delete these. I've
already found numerous trojans and spyware on her
computer. I'm fighting with them every day, as I try to
download different programs to get rid of them. I will
get back to you on your advice and let you know what I
find. Thanks Much ;-)

>-----Original Message-----
>I can only find a few references to hardcmd.exe and AFAIK this is not a
[quoted text clipped - 32 lines]
>
>.
Mike M - 16 Nov 2004 00:50 GMT
Best of luck.  Please post back any findings you make including anything
you find out about hardcmd.exe.

Mike Maltby MS-MVP
mike.maltby@gmail.com

anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
wrote:

> Hi Mike,
> Thank you for your quick response, as I was just looking
[quoted text clipped - 4 lines]
> get back to you on your advice and let you know what I
> find. Thanks Much ;-)
anonymous@discussions.microsoft.com - 16 Nov 2004 03:12 GMT
Hi Mike,
I think the disaster is in the registry, but here is what
I found in Explorer ( I was in safe mode at the time )....
Cursors >>Hardcmd >>type of file >>application >>
C:\Windows\Cursors

In msconfig >>startup >> HARDCMD >>Registry (machine run)
>>C:\Windows\Cursors\HARDCMD

In Registry >>HKEY_LOCAL_MACHINE >>Software >>Microsoft
>>Windows >>Current Version >>
Run     (default not set)
Hardcmd-C:\Windows\Cursors\Hardcmd.exe

Run-  (default not set)
Hardcmd >> C:\Windows\Cursors\Hardcmd.exe

Run Once   (default not set)
Hardcmd >>C:\Windows\Cursors\Hardcmd.exe rerun

Run Once EX    (default not set)

It appears this trojan or program is running more than
once at the start up, so my question is...How do I edit
or delete all these instances of it running from the
registry ? Please be gentle..I'm a newbie with the
registry. ;-)
Also, when trying to use the scan\defrag program 5.0, I
get a dialog box stating that ::: Scan\Defrag has found  
programs scheduled to run at next boot up. You will need
to restart Windows to allow these programs to finish
before running Scan\defrag. (Application found in Run Once
keys. Showing warning dialog.) It lists
>>HKLM\Software\Micosoft\Windows\Current version\Run Once
Hardcmd=C:\Windows\Cursors\Hardcmd.Exe rerun  .

So I reboot the computer and the scan\defrag never starts
and is in a loop. I have also gone into msconfig and
unchecked the Hardcmd then the computer tells me I'm in
selective mode. I try again, with the scan\defrag, but
after it restarts the computer the Hardcmd starts up
again. grrrrrrr
Thanks for helping
P.S.
What is AFAIK ???

>-----Original Message-----
>Best of luck.  Please post back any findings you make including anything
[quoted text clipped - 9 lines]
>
>.
Noel Paton - 16 Nov 2004 06:46 GMT
AFAIK - As Far As I Know

You may have a virus/spyware hijack

Download the Stinger from here and run it to make sure that A-V-disabling
viruses are not present on your PC
http://download.nai.com/products/mcafee-avert/stinger.exe

- update your virus scanner and run a full system scan of all files.

Reboot to Safe Mode and run CWShredder - to remove variants of the
CoolWebSearch hijacker.
http://www.merijn.org/cwschronicles.html

Use CWShredder, the removal tool:
http://www.merijn.org/files/cwshredder.zip
http://www.merijn.org/files/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
http://www.zerosrealm.com/downloads/CWShredder.zip

Download AdAware from www.lavasoftusa.com, install, update, and run it to
remove spyware, adware, and other such nasties from your system. - then
reboot to Safe Mode, set Folder Options|View to be able to view System and
Hidden Files, and run it again.

See if that helps at all


Noel Paton (MS-MVP 2002-2005, Windows)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm
http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

> Hi Mike,
> I think the disaster is in the registry, but here is what
[quoted text clipped - 61 lines]
>>
>>.
anonymous@discussions.microsoft.com - 16 Nov 2004 13:12 GMT
Hi Noel,
Thanks for the advice. I've had this comp. over here for
1 week now and been reading all the posts in this Windows
ME newsgroup. Lots of good advice !!! (I have XP and
usually reading in XP newsgroups. Yesterday was my 1st
post.) I've already taken your advice through YOUR other
posts, as far as resetting the system restore (numerous
trojans in there) & downloaded Search & Destroy,
Adaware, Spyblaster, Stinger, Hijackthis, Belarc Advisor &
Scan\Defrag 5.0. I also did a virus scan at Trendmicro.
It amazes me how these trojans and spyware actually change
the web site that you're trying to download from. I had to
be very careful on clicking things as these nasties were
changing my pages, then not allowing me to close the
window.
I've installed my own program, System Suite but
since..I've removed it off due to some errors. Some of
the garbage and trojans found from all these programs
include... (Virtumondo, AgentGJ, 1stBar, Zapchast, Atlevents,
TsCash (sysupd.exe), Browser Hi-Jacks)...Too many to list.

One of the mistakes I've made is... I checked off all items
in Hijackthis (after a week of fighting with computer)
which I had to go back and restore the System Tray. There
were so many items in this program, that I need to study
up on and learn what these programs are, before I
actually delete items. I might get "Delete Happy" and
delete the whole system.... lol  oops...

My most stupid mistake is... After a week of NOT being
able to get Task Monitor to run (I was thinking it was
the trojans causing this)...  I finally remembered
somebody's post in here, that you advised on, to disable
certain items in Device Manager. I went in Device manager
and deleted my sister's keyboard (a cordless Logitech)
and let windows install the keyboard to the computer, I
have it hooked up to now. (I'm used to XP, where I just
right click by the clock, to show the task manager.)
Task Manager now shows up after hitting Ctrl, Alt &
Delete. Yahooooooo  ;-))
Now I'm confused about the difference of Taskmon and
Taskman.   :-(   I will study up on these.
I also have numerous items quarantined in Adware that I
need to learn, if they are safe to delete.
Thanks for your Advice & Help, through this post and your
other posts.
Mikki  



>-----Original Message-----
>AFAIK - As Far As I Know
[quoted text clipped - 91 lines]
>
>.
Mike M - 16 Nov 2004 11:01 GMT
What happens when you delete those registry entries using regedit (the
values having hardcmd.exe as data in the right hand pane, not the keys)?
The Run- value is there because you unchecked the Run entry using MSConfig
and it looks as if, as I suspected, hardcmd.exe added itself back.  To
prevent this unwanted malware from being launched you need to delete _all_
entries referring to it in the registry - and even then that may not be
enough to rid the system of the pest however we won't know if that is the
case until you have deleted the entries and rebooted.

Mike Maltby MS-MVP
mike.maltby@gmail.com

anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
wrote:

> Hi Mike,
> I think the disaster is in the registry, but here is what
[quoted text clipped - 63 lines]
>>
>> .
anonymous@discussions.microsoft.com - 16 Nov 2004 13:19 GMT
Hi Mike,
I will follow your advice here and get back to you. I
Just woke up & need a little coffee...Hopefully the
computer will wake up too...lol (I'm on mine right now )
Thank You & Please Stay With Me on This...
Mikki

>-----Original Message-----
>What happens when you delete those registry entries using regedit (the
[quoted text clipped - 74 lines]
>
>.
anonymous@discussions.microsoft.com - 16 Nov 2004 17:00 GMT
Mike,
You did it !!!    Yahoooooooo !!!   ;-))
I followed your steps and it seems to have fixed it.
I went into Windows Explorer one more time and found a
folder under Local Disc C >>Windows >> Cursors and I
deleted this folder.
Then in the Registry >>> HKEY_Users >> Cursors folder
with a sub-folder >>> Schemes
1. default (value not set )
2.Annimated Hourglass\C\Windows\Cursors\appstart.ani\
3. Windows Standard

I deleted the 2nd one, although not sure if this had
something to do with Hardcmd.

Then in
Registry>>HKEY_Local_Machine>>Software>>Microsoft>>Windows
>>Current Version >>>>
RUN  I left default,msconfig reminder & system tray alone.
I deleted HARDCMD
RUN-  I left default alone and deleted HARDCMD
RUN ONCE  I left default alone and deleted HARDCMD
I don't know why, but this one kept reappearing after I
clicked to delete it. I need to check back there and
other places to make sure it's gone. I also saw some
screen savers in there (that might be a part of this
Hardcmd) that I wanted to delete, but figured one step
at a time.
I've asked sis if she ever downloaded any mouse cursor
programs, but she says NO. Hmmmm....I thought I saw an
animated animal mouse pointer on her screen one time...
I must have been seeing things..lol...She's always
downloading screen savers, Smiley programs and Hotbar
(which I deleted right away).
Anyway, back on the subject, I rebooted the computer up in
Normal Mode and I just did a new scan on Ad-Aware. It's
still finding the trojan, Virtumundo (Atlevents) in the
registry. Spybot finds the same one, so I guess I need to
do more in the registry.
Then I need to go to the web site for HiJackThis because
I have a whole list of funky things quarantined in that
program, that I have no clue what they are. The computer
seems to be doing fine without them, but I don't know if
any of them are Windows Me system programs, so I'm not
going to delete the quarantined list till I know. I
already had the system tray in there, but restored it
back. I'm going to do a full scan on all the programs and
see if it's clean.
Thank you very much for your help. It has been very much
appreciated.
Mikki

 

>-----Original Message-----
>Hi Mike,
[quoted text clipped - 3 lines]
>Thank You & Please Stay With Me on This...
>Mikki

>>-----Original Message-----
>>What happens when you delete those registry entries
[quoted text clipped - 100 lines]
>>
>.
Mike M - 16 Nov 2004 19:07 GMT
That's good news Mikki.  I'm glad to read that you seem to have managed to
clear up the problem.  By the way, Win Me by default has a windows\cursors
folder containing just three files, all dated 8 Jun 2000.  One of those
files is appstart.ani, the others are globe.ani and hourglas.ani.
Similarly HKCU\Control Panel\Cursors\Schemes is a valid key containing the
entries you mentioned.

Virtumundo may well be the origin of the hardcmd.exe file as this is a
particularly invasive parasite that can sometimes be difficult to remove.
More details can be found at
http://www.pestpatrol.com/PestInfo/v/virtumonde.asp.

Keep up the good work.  HijackThis should help you identify any remaining
pests and with a little bit of luck you should end up with a clean system.

Cheers,

Mike Maltby MS-MVP
mike.maltby@gmail.com

anonymous@discussions.microsoft.com <anonymous@discussions.microsoft.com>
wrote:

> Mike,
> You did it !!!    Yahoooooooo !!!   ;-))
[quoted text clipped - 46 lines]
> Thank you very much for your help. It has been very much
> appreciated.
Tony - 19 Nov 2004 03:14 GMT
Please post and tell if your system was really cleaned up.

I have been fighting for the last 10 hours with CA to get e-trust to
scan for and remove this program. It may be adware/spyware whatever
but it hogs system resources, cannot be removed (at least not easily),
and as I will explain returns even if detected by PestPatrol, adware,
hijackthis, etc.

The reason it keeps returning is the same reason you see the deleted
registry key appear again. On my system it comes back after about 1
second.

It is also very hard to find information on the Internet about this
because as I have discovered the file name changes with each new host.
Must be some random name or a combination of filenames it finds on
your system. In the registry though there always appears to be an
asterisk * in front of the key name.

Here is my removal method, which gets rid of it but unfortunately does
nothing to prevent reinfestation. Also it uses file security to break
the virus cycle so Win9x and ME are probably out of luck.

Open regedit and navigate to
HKLM\software\microsoft\windows\currentversion\runonce\*

Look for keys that have the * at the front. The data part of that key
shows the location of the malware file.

Next go to the location of the suspect file and right click,
properties, security. Remove all users from the access list. Everything
including groups, system etc.

Now reboot. After the login you may get a message that a file failed
to run. This is typically the unwanted app. Next run regedit and
search for every occurrence of that malware file name. Delete all
references. This will stop the virus from trying to rerun.

Next navigate back to the file in question and again right click,
properties, security, now add yourself back as having full control and
save. Delete this file immediately and empty the recycle bin. (Holding
down the shift key while deleting a file makes it bypass the recycle
bin and immediately deletes it.)

You now should be free of this nasty program.

I would be interested to know if this helps anyone out. It takes a lot
of time to type a message like this and it would be helpful to know
the time was not wasted.

Tony

> Mike,
> You did it !!!    Yahoooooooo !!!   ;-))
[quoted text clipped - 168 lines]
> >>
> >.
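
Mike's point that every value referring to the file has to be deleted (including the Run- copy MSConfig leaves behind) and Tony's step of searching the registry for every occurrence of the file name can both be checked offline against a regedit export. The Python below is an added example, not code from anyone in the thread; the sample export is constructed from the values reported above, and the ExampleVendor key in it is hypothetical.

```python
import re

# Autostart subkeys named in the thread, all under ...\CurrentVersion.
# "Run-" is where MSConfig parks a Run entry unchecked on its Startup tab.
AUTOSTART = {"run", "run-", "runonce", "runonceex"}
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion" + "\\"

# "name"="data" (or @="data") lines; backslash and quote are escaped in exports.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

# Constructed sample export, modelled on the values reported in the thread.
# The ExampleVendor key is hypothetical, added to show a non-autostart hit.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Hardcmd"="C:\\Windows\\Cursors\\Hardcmd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"Hardcmd"="C:\\Windows\\Cursors\\Hardcmd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Hardcmd"="C:\\Windows\\Cursors\\Hardcmd.exe rerun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\Software\ExampleVendor\Settings]
"Helper"="C:\\Windows\\Cursors\\Hardcmd.exe"
'''

def _unescape(s):
    # Undo the export's escaping of backslash and double quote.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            yield key, name, _unescape(m.group(2))

def find_references(text, filename):
    """Return (subkey, value_name, data, is_autostart) for every value whose
    data mentions filename, so that no launch point is overlooked."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if filename.lower() in data.lower():
            low = key.lower()
            auto = low.startswith(BASE) and low[len(BASE):] in AUTOSTART
            hits.append((key.rsplit("\\", 1)[-1], name, data, auto))
    return hits

if __name__ == "__main__":
    for subkey, name, data, auto in find_references(SAMPLE_EXPORT, "hardcmd.exe"):
        print(f"{'AUTOSTART' if auto else 'other':9} {subkey:10} {name} = {data}")
```

Running it again on a fresh export after deleting the values and rebooting shows whether any of them came back.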
anonymous@discussions.microsoft.com - 19 Nov 2004 15:25 GMT
Hi Tony,
I just noticed your post, as I've been in the Internet
Explorer newsgroups and doing a lot of Google searches,
looking for any posts that would help me out with other
problems I have now.
I think the Hardcmd is gone (Thanks to Mike) but I've
downloaded HIJACKTHIS and have a list of items that I'm
not familiar with, as far as ME goes. I think I might have
to post my report on their web site.
The computer works very well and as fast as mine
(without the items that are quarantined in Hijackthis),
considering from when I first started trying to fix it.
The items in Hijackthis could be Windows Me files, but
I'm scared to restore any items for fear I might put the
bad guys back on the computer. The problem I'm having is
Internet Explorer is not displaying the whole page. There
are dialog boxes stating that IE could not load the page.
The page is loading and it seems just the ads and some
pictures are missing and caused from one of the spyware
programs I installed or the settings in IE tools. I have
since changed the settings, but one web site I'm having
trouble with is Pogo. (My sister's favorite) The first
sign in page and home page is fine but when the game room
is trying to load, it just sits there. I've tried the
help on Pogo, as far as Java and Microsoft Virtual
Machine and also checked into Active X, to no avail. I
think I have to check into her SiS Video card. There was
an issue with that before also. Somehow, I got off track
and I'm into checking my own connection with her computer
(network, firewall & routing settings). I'm so farrrrrrrr
into every possible conflict that I'm forgetting what
problem, I was trying to fix....
Oh My ;-((  
The computer sits right beside a window...hmmmm.......
just an evil thought I've been having lately...
Mikki

>-----Original Message-----
>Please post and tell if your system was really cleaned up.
[quoted text clipped - 64 lines]
>>
>> Then in

Registry>>HKEY_Local_Machine>>Software>>Microsoft>>Windows
>> >>Current Version >>>>
>> RUN  I left default,msconfig reminder & system tray alone.
[quoted text clipped - 153 lines]
>> >
>.
Heather - 19 Nov 2004 21:28 GMT
Pogo Queen here.......does your sister use a popup blocker??  Won't let her
load the game page if she does.  And don't make the popup and ad stuff too
strict in Zone Alarm.  As for their tech support.......they still think
Microsoft makes the Java program.....duh!!

Cheers.....Heather

> but one web site I'm having
> trouble with is Pogo.( My sister's favorite ) The first
> sign in page and home page is fine but when the game room
[quoted text clipped - 11 lines]
> just an evil thought I've been having lately...
> Mikki
 