Hello, I do not want to turn on the command line, i.e. when entering cmd in the run, a console (a small window) appears for a moment, then closes immediately. I also noticed that when logging in to the account (when the desktop appeared), the console opens and the Library folder starts running...

Other commands in run work? Have you tried to run as an administrator?

After selecting a command line from the start menu is the same?

Download FRST compatible with your system version => Complete the scan and replace the logs with FRST.txt and Addition.txt in the form of attachments.

Yes, everything works in run, except cmd. I tried to run as an administrator. I always open a command line from the start menu. It does not work either from the menu, folder and .bat (start cmd.exe start blabla.exe) Please, scan in the attachment.

Otwórz notatnik systemowy i wklej: ContextMenuHandlers1: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku ContextMenuHandlers1: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku ContextMenuHandlers5: -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku ContextMenuHandlers6: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku ContextMenuHandlers6: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku Task: {1E0513C6-CE77-4432-8166-29B4B5E022B0} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Command(1): %windir%\system32\rundll32.exe -> aepdu.dll,AePduRunUpdate -nolegacy HKLM-x32\...\Run: => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Run: [AdobeBridge] => [X] HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {0eacd0b2-762a-11e7-bc4b-fcaa14240824} - H:\startme.exe HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {75adcb9b-58ad-11e7-b702-fcaa14240824} - H:\HiSuiteDownLoader.exe HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Winlogon: C:\Windows\System32\cmd.exe [345088 2010-11-21] (Microsoft Corporation) NUL | find /I /N SoundMixer.exe>NUL && exit & if exist C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe ( start /MIN C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe & tasklist /FI IMAGENAME eq explorer.exe 2>NUL | find /I /N explorer.exe>NUL && exit & explorer.exe & exit ) else ( tasklist /FI IMAGENAME eq explorer.exe 2>NUL | find /I /N explorer.exe>NUL && exit & explorer.exe & exit )

Otwórz notatnik systemowy i wklej: ContextMenuHandlers1: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku ContextMenuHandlers1: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku ContextMenuHandlers5: -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku ContextMenuHandlers6: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku ContextMenuHandlers6: -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku AlternateDataStreams: C:\ProgramData\Microsoft:1HpGaBeqmAD5cTinjYY7suS3 [2184] AlternateDataStreams: C:\ProgramData\Microsoft:hE5bKKu5PQmRDSgOi4JDOZFK [2322] AlternateDataStreams: C:\ProgramData\Microsoft:UafJNZ5nRsCk3vFHCC [2172] AlternateDataStreams: C:\Users\dmNen\AppData\Local\DOycCMwx3jjNzP:pecjhhohiQJTMjL6Yk [1978] AlternateDataStreams: C:\Users\dmNen\AppData\Local\xudI8yzch:Yo2yIfmnjnIcO0wO8I6JOkyc [2104] HKLM-x32\...\Run: => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X] HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Run: [AdobeBridge] => [X] HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {0eacd0b2-762a-11e7-bc4b-fcaa14240824} - H:\startme.exe HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {75adcb9b-58ad-11e7-b702-fcaa14240824} - H:\HiSuiteDownLoader.exe HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Winlogon: C:\Windows\System32\cmd.exe [345088 2010-11-21] (Microsoft Corporation) NUL | find /I /N SoundMixer.exe>NUL && exit & if exist C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe ( start /MIN C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe & tasklist /FI IMAGENAME eq explorer.exe 2>NUL | find /I /N explorer.exe>NUL && exit & explorer.exe & exit ) else ( tasklist /FI IMAGENAME eq explorer.exe 2>NUL | find /I /N explorer.exe>NUL && exit & explorer.exe & exit )

Managed to! The command line works when the desktop starts up, then cmd is turned on, but the Library folder no longer, so it's ok What was the reason? And of course, thank you for your help.

Like what? Infection. Insert new logs from FRST, from scanning.

Odinstaluj SpyBot. Wykonaj Fixlist.txt dla FRST: Task: {1E0513C6-CE77-4432-8166-29B4B5E022B0} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Command(1): %windir%\system32\rundll32.exe -> aepdu.dll,AePduRunUpdate -nolegacy Task: {1E0513C6-CE77-4432-8166-29B4B5E022B0} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Command(2): %windir%\system32\rundll32.exe -> appraiser.dll,DoScheduledTelemetryRun Task: {3C5D9430-D7F4-4ADE-B93E-143422BEDE9F} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => Command(1): %windir%\system32\rundll32.exe -> aepdu.dll,AePduRunUpdate Task: {3C5D9430-D7F4-4ADE-B93E-143422BEDE9F} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => Command(2): %windir%\system32\rundll32.exe -> invagent.dll,RunUpdate (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 2017-11-20 05:11 - 2017-11-20 16:39 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy 2017-11-20 05:11 - 2017-11-20 16:39 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2 2017-11-20 05:11 - 2017-11-20 05:11 - 000000000 ____D C:\Windows\System32\Tasks\Safer-Networking 2017-11-20 05:10 - 2017-11-20 05:10 - 051725936 _____ (Safer-Networking Ltd. ) C:\Users\dmNen\Downloads\spybotsd-2.6.46.exe 2017-11-20 05:09 - 2017-11-20 05:09 - 000000000 ____D C:\ProgramData\adaware

Windows 7 Command Line Console Closes Immediately After Opening - Possible Fixes

Lasek001 15099 13

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Report a violation of the law

| New topic

#1 16836128 20 Nov 2017 05:02

Lasek001 Lasek001

Level 9

Posts: 63

Rate: 5
» | Topic author

Post #1
16836128 20 Nov 2017 05:02

Hello,

I do not want to turn on the command line, i.e. when entering "cmd" in the run, a console (a small window) appears for a moment, then closes immediately. I also noticed that when logging in to the account (when the desktop appeared), the console opens and the "Library" folder starts running for me. I tried to start the computer in an emergency - it did not help. Windows 7
I would ask for help in this matter.
ADVERTISEMENT
#2 16836145 20 Nov 2017 06:12

krzychupar krzychupar

Level 43

Posts: 6807

Help: 1490

Rate: 633
» | Helpful post? (0)

Post #2
16836145 20 Nov 2017 06:12

Other commands in run work? Have you tried to run as an administrator?
#3 16836150 20 Nov 2017 06:33

Kasek21 Kasek21

Level 43

Posts: 45513

Help: 4962

Rate: 3503
» | Helpful post? (+1)

Post #3
16836150 20 Nov 2017 06:33

After selecting a command line from the start menu is the same?
ADVERTISEMENT
#4 16836256 20 Nov 2017 08:46

RADU23 RADU23

VIP Meritorious for electroda.pl

Posts: 20712

Help: 2425

Rate: 1726
» | Helpful post? (+1)

Post #4
16836256 20 Nov 2017 08:46

Download FRST compatible with your system version =>
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Complete the scan and replace the logs with FRST.txt and Addition.txt in the form of attachments.
#5 16837237 20 Nov 2017 16:52

Lasek001 Lasek001

Level 9

Posts: 63

Rate: 5
» | Topic author Helpful post? (+1)

Post #5
16837237 20 Nov 2017 16:52

Yes, everything works in run, except "cmd". I tried to run as an administrator. I always open a command line from the start menu. It does not work either from the menu, folder and .bat (start cmd.exe start blabla.exe)

Please, scan in the attachment.

Attachments:

Addition.txt (36.96 KB) You must be logged in to download this attachment.

FRST.txt (30.31 KB) You must be logged in to download this attachment.
ADVERTISEMENT
#6 16837358 20 Nov 2017 17:43

krzychupar krzychupar

Level 43

Posts: 6807

Help: 1490

Rate: 633
» | Helpful post? (+4)

Post #6
16837358 20 Nov 2017 17:43

Otwórz notatnik systemowy i wklej:

ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
Task: {1E0513C6-CE77-4432-8166-29B4B5E022B0} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Command(1): %windir%\system32\rundll32.exe -> aepdu.dll,AePduRunUpdate -nolegacy
HKLM-x32\...\Run: [SDTray] => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {0eacd0b2-762a-11e7-bc4b-fcaa14240824} - H:\startme.exe
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {75adcb9b-58ad-11e7-b702-fcaa14240824} - H:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Winlogon: [Shell] C:\Windows\System32\cmd.exe [345088 2010-11-21] (Microsoft Corporation) NUL | find /I /N "SoundMixer.exe">NUL && exit & if exist "C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" ( start /MIN "" "C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )
ADVERTISEMENT
#7 16837359 20 Nov 2017 17:43

Acorus 20 Acorus 20

Level 43

Posts: 10541

Help: 3247

Rate: 1063
» | Helpful post? (+1)

Post #7
16837359 20 Nov 2017 17:43

Otwórz notatnik systemowy i wklej:

ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> Brak pliku
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll -> Brak pliku
AlternateDataStreams: C:\ProgramData\Microsoft:1HpGaBeqmAD5cTinjYY7suS3 [2184]
AlternateDataStreams: C:\ProgramData\Microsoft:hE5bKKu5PQmRDSgOi4JDOZFK [2322]
AlternateDataStreams: C:\ProgramData\Microsoft:UafJNZ5nRsCk3vFHCC [2172]
AlternateDataStreams: C:\Users\dmNen\AppData\Local\DOycCMwx3jjNzP:pecjhhohiQJTMjL6Yk [1978]
AlternateDataStreams: C:\Users\dmNen\AppData\Local\xudI8yzch:Yo2yIfmnjnIcO0wO8I6JOkyc [2104]
HKLM-x32\...\Run: [SDTray] => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {0eacd0b2-762a-11e7-bc4b-fcaa14240824} - H:\startme.exe
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\MountPoints2: {75adcb9b-58ad-11e7-b702-fcaa14240824} - H:\HiSuiteDownLoader.exe
HKU\S-1-5-21-3728886683-294045490-3694822398-1000\...\Winlogon: [Shell] C:\Windows\System32\cmd.exe [345088 2010-11-21] (Microsoft Corporation) NUL | find /I /N "SoundMixer.exe">NUL && exit & if exist "C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" ( start /MIN "" "C:\Users\dmNen\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )
#8 16837391 20 Nov 2017 17:58

Lasek001 Lasek001

Level 9

Posts: 63

Rate: 5
» | Topic author Helpful post? (+1)

Post #8
16837391 20 Nov 2017 17:58

Managed to! The command line works when the desktop starts up, then cmd is turned on, but the Library folder no longer, so it's ok What was the reason? And of course, thank you for your help.
#9 16837788 20 Nov 2017 20:07

Kolobos Kolobos

IT specialist

Posts: 85152

Help: 17159

Rate: 10419
» | Helpful post? (+2)

Post #9
16837788 20 Nov 2017 20:07

Like what? Infection.

Insert new logs from FRST, from scanning.
#10 16837872 20 Nov 2017 20:31

Lasek001 Lasek001

Level 9

Posts: 63

Rate: 5
» | Topic author Helpful post? (0)

Post #10
16837872 20 Nov 2017 20:31

Attach logs.

Attachments:

FRST.txt (27.3 KB) You must be logged in to download this attachment.

Addition.txt (38.94 KB) You must be logged in to download this attachment.
#11 16837973 20 Nov 2017 21:03

Kolobos Kolobos

IT specialist

Posts: 85152

Help: 17159

Rate: 10419
» | Helpful post? (0)

Post #11
16837973 20 Nov 2017 21:03

Odinstaluj SpyBot.

Wykonaj Fixlist.txt dla FRST:
Task: {1E0513C6-CE77-4432-8166-29B4B5E022B0} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Command(1): %windir%\system32\rundll32.exe -> aepdu.dll,AePduRunUpdate -nolegacy
Task: {1E0513C6-CE77-4432-8166-29B4B5E022B0} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => Command(2): %windir%\system32\rundll32.exe -> appraiser.dll,DoScheduledTelemetryRun
Task: {3C5D9430-D7F4-4ADE-B93E-143422BEDE9F} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => Command(1): %windir%\system32\rundll32.exe -> aepdu.dll,AePduRunUpdate
Task: {3C5D9430-D7F4-4ADE-B93E-143422BEDE9F} - C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => Command(2): %windir%\system32\rundll32.exe -> invagent.dll,RunUpdate
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
2017-11-20 05:11 - 2017-11-20 16:39 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-11-20 05:11 - 2017-11-20 16:39 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-11-20 05:11 - 2017-11-20 05:11 - 000000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2017-11-20 05:10 - 2017-11-20 05:10 - 051725936 _____ (Safer-Networking Ltd. ) C:\Users\dmNen\Downloads\spybotsd-2.6.46.exe
2017-11-20 05:09 - 2017-11-20 05:09 - 000000000 ____D C:\ProgramData\adaware
#12 16838450 20 Nov 2017 23:36

Lasek001 Lasek001

Level 9

Posts: 63

Rate: 5
» | Topic author Helpful post? (+2)

Post #12
16838450 20 Nov 2017 23:36

Subsequent logs after repair.

Attachments:

FRST.txt (26.31 KB) You must be logged in to download this attachment.

Addition.txt (37.37 KB) You must be logged in to download this attachment.
#13 16838694 21 Nov 2017 08:19

Kolobos Kolobos

IT specialist

Posts: 85152

Help: 17159

Rate: 10419
» | Helpful post? (0)

Post #13
16838694 21 Nov 2017 08:19

Is it still cmd during the start?
#14 16839721 21 Nov 2017 17:51

Lasek001 Lasek001

Level 9

Posts: 63

Rate: 5
» | Topic author Helpful post? (0)

Post #14
16839721 21 Nov 2017 17:51

Nothing starts. It turns out that the problem solved, it was without format
Thanks a lot!
Create an account, log in here and be active on the forum — ads won't appear. Earn points for registering and replying.

Install Elektroda application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

| New topic

Report a violation of the law

Topic summary

✨ The discussion revolves around a Windows 7 issue where the command line console (cmd) closes immediately upon opening. The user reports that cmd does not function from the run command, start menu, or batch files, and that the Library folder opens unexpectedly upon login. Various troubleshooting steps are suggested, including running cmd as an administrator, scanning the system with the Farbar Recovery Scan Tool (FRST), and checking for issues related to the Spybot - Search & Destroy software. Ultimately, the user resolves the issue without needing to format the system, indicating that the command line now works correctly after addressing the underlying problems.
Generated by the language model.

FAQ

TL;DR: In 1 Windows 7 case, cmd closed instantly due to malware altering Winlogon Shell; “Like what? Infection.” Remove unwanted tools, run FRST fixlist, and clean the Shell entry to stop cmd/Library popups. [Elektroda, Kolobos, post #16837788]

Why it matters: This FAQ helps Windows 7 users fix a cmd window that opens then closes and a Library folder that pops up at logon.

Quick Facts

Affected platform: Windows 7; Safe Mode did not help the symptom. [Elektroda, Lasek001, post #16836128]
Root cause found: malicious Winlogon Shell calling cmd and SoundMixer.exe from AppData. [Elektroda, krzychupar, post #16837358]
Diagnostic recommended: Farbar Recovery Scan Tool (FRST) with FRST.txt and Addition.txt logs. [Elektroda, RADU23, post #16836256]
Fix actions used: uninstall Spybot S&D, apply FRST fixlist, remove bad tasks/entries. [Elektroda, Kolobos, post #16837973]
Outcome: Issue confirmed solved by Nov 21, 2017, without reinstalling Windows. [Elektroda, Lasek001, post #16839721]

How do I fix a Windows 7 cmd window that opens and closes immediately?

Treat it as malware. Uninstall conflicting tools like Spybot, run FRST, and apply a provided fixlist to clean Winlogon Shell and scheduled tasks. Reboot and confirm cmd no longer flashes and no Library window appears. “Like what? Infection.” [Elektroda, Kolobos, post #16837973]

Why does the Library folder open at startup along with a flashing cmd?

A malicious Winlogon Shell command chained cmd.exe and then launched explorer.exe, which triggers the Library window. Cleaning the Shell value and any referenced binaries stops both the cmd flash and the Library popup at sign‑in. [Elektroda, krzychupar, post #16837358]

Is Safe Mode enough to bypass this problem?

No. The original report notes that booting in Safe Mode did not change the behavior. That indicates a persistent logon hook, not a normal startup item that Safe Mode disables. [Elektroda, Lasek001, post #16836128]

What is FRST and why use it here?

FRST (Farbar Recovery Scan Tool) produces detailed logs of autoruns, tasks, and registry keys. Helpers use it to craft a targeted fixlist that removes malicious entries without reinstalling the OS. Attach FRST.txt and Addition.txt. [Elektroda, RADU23, post #16836256]

How do I safely run a FRST fixlist?

Save FRST.exe and the provided Fixlist.txt in the same folder.
Run FRST as Administrator and click Fix.
Reboot when prompted and share the Fixlog for review. [Elektroda, Kolobos, post #16837973]

Should I remove Spybot Search & Destroy before cleaning?

Yes. The helper advised uninstalling Spybot before applying the fixlist. This avoids conflicts and removes related shell extensions and services referenced in the logs. [Elektroda, Kolobos, post #16837973]

How do I confirm the infection is gone?

After reboot, the desktop should load without a cmd popup, and the Library folder should not open. The user confirmed success on Nov 21, 2017, after following cleanup steps. [Elektroda, Lasek001, post #16839721]

What logs should I post for help?

Generate and attach FRST.txt and Addition.txt from FRST. These logs show autoruns, tasks, and critical registry values needed for a tailored fixlist. [Elektroda, RADU23, post #16836256]

What exactly changed in the registry?

The Winlogon Shell value was altered to run cmd.exe and conditionally start SoundMixer.exe, then explorer.exe. Restoring Shell to explorer.exe fixes the startup chain. [Elektroda, Acorus 20, post #16837359]

Could a USB device have introduced this?

It’s possible. The logs list MountPoints2 entries pointing to autorun‑style executables on drive H:. Disable autorun and scan removable media when cleaning. [Elektroda, Acorus 20, post #16837359]

How long did the successful fix take in this case?

It was confirmed solved by Nov 21, 2017. That is within roughly one day of the initial report on Nov 20, 2017. [Elektroda, Lasek001, post #16839721]

What if cmd still opens at startup after I run the fixlist?

Rescan with FRST, post fresh FRST.txt and Addition.txt, and confirm the behavior after boot. A helper explicitly checked whether cmd still appeared at start. [Elektroda, Kolobos, post #16838694]

What is SoundMixer.exe in AppData in this context?

It is a malicious file referenced by the altered Shell command in AppData\Roaming\Microsoft\SoundMixer. Remove it during the fix to stop reinfection. [Elektroda, krzychupar, post #16837358]

Can running cmd as Administrator or from .bat help?

No. The user tried Run as Administrator and .bat wrappers, but cmd still closed immediately. The root cause was the Shell hijack, not permissions. [Elektroda, Lasek001, post #16837237]

What is the Windows Winlogon Shell?

It’s a registry value that defines the program launched after user logon. Here, malware replaced the default explorer.exe with a chained cmd call. Restore it to explorer.exe only. [Elektroda, Acorus 20, post #16837359]

Generated by the language model.