CMDOW.EXE Virus? Hacktool.HideWindow


Hello all!

Here is a script for you that I made to avoid using CMDOW with Windows Post-Install, hope it will help!

Upgrading to WPI 5.0 might also help, since it eliminates wpi.cmd, but you might still want this :-)

You can use it to start programs (e.g. wpi.cmd from Autorun) like this:

OPEN=WScript.exe wpi\rh.vbs wpi.cmd

Note: To avoid putting a long path in there twice, the cmd file is assumed to be in the same folder as the script. (\WPI in the example)

I know it's not very good when it comes to handling arguments, because you will lose quotes...

Here it is:

' rh.vbs - Run (a cmd batch) hidden - aquarius 11:58 14.12.2005
' Example: WScript.exe wpi\rh.vbs wpi.cmd
' Assumes wpi.cmd is in same folder as rh.vbs
' quoted arguments not handled well...

Dim objArgs, WshShell
Dim strWindowStyle, DebugWait, strCMD, strShellRun, ProgFolder, Prog, strApp, I

Set objArgs = WScript.Arguments
Set WshShell = WScript.CreateObject("WScript.Shell")

Const nDebug = False ' nDebug=True for Debug mode
strWindowStyle = 0   ' 0 = hidden window
DebugWait = False    ' do not wait for the batch to finish
strCMD = "Cmd /c "

If nDebug Then
    strWindowStyle = 1   ' normal, visible window
    DebugWait = True     ' wait so the batch's exit code is returned
    strCMD = "Cmd /c CLS & "
End If

If WScript.Arguments.Count = 0 Then
    MsgBox "rh.vbs requires an argument" & vbNewLine & _
           "Example: WScript.exe wpi\rh.vbs wpi.cmd"
    WScript.Quit(-1)
End If

' Find folder and program to launch (arg 0) in the same folder as the script
ProgFolder = Left(WScript.ScriptFullName, InStrRev(WScript.ScriptFullName, "\"))
Prog = objArgs(0)

strApp = """" & ProgFolder & Prog & """"
' Add all arguments (following arg 0 which is the cmd file)
For I = 1 To objArgs.Count - 1
    strApp = strApp & " " & objArgs(I)
Next

strShellRun = strCMD & strApp
If nDebug Then
    ' 10 second timeout, OK/Cancel buttons (1); anything but OK (1) aborts
    If WshShell.Popup("Do you want to execute " & strShellRun & " ?", 10, "Confirm", 1) <> 1 Then
        WScript.Quit(1)
    End If
End If

WScript.Quit(WshShell.Run(strShellRun, strWindowStyle, DebugWait))

As you can see, you can set nDebug to true to verify its actions.

Also, instead of using CMDOW @ /VIS for handling error messages, here is another script to display error dialogs etc.

'dialog.vbs  - Aquarius, 23:32 15.06.2006
'WScript.exe dialog.vbs "Message" [/T:"Title"] [/S:type] [/W:SecondsToWait]
'The returned errorcode will be like Windows Script Host Popup Method
' except if no arguments were passed, in which case it returns -2
'Put strings with spaces inside quotes (message and title)

Dim WshShell, DlgTitle, nSeconds, nType
Dim argsNamed, argsUnnamed

nSeconds = 0   ' 0 = wait until a button is clicked
nType = 0      ' 0 = OK button only, no icon

Set WshShell = WScript.CreateObject("WScript.Shell")
Set argsUnnamed = WScript.Arguments.Unnamed

' The message is the first unnamed argument; without it there is nothing to show
If argsUnnamed.Count = 0 Then
    ' 4112 = 16 (error icon) + 4096 (system modal)
    WshShell.Popup "Syntax: wscript.exe dialog.vbs " & Chr(34) & "Message" & Chr(34) & _
        " [/T:" & Chr(34) & "Title" & Chr(34) & "] [/S:type] [/W:SecondsToWait]", 0, "Dialog.vbs", 4112
    WScript.Quit(-2)
End If

Set argsNamed = WScript.Arguments.Named
If argsNamed.Exists("t") Then DlgTitle = argsNamed.Item("t")
' Named arguments arrive as strings; Popup expects numbers for the type and timeout
If argsNamed.Exists("s") Then nType = CLng(argsNamed.Item("s"))
If argsNamed.Exists("w") Then nSeconds = CLng(argsNamed.Item("w"))

WScript.Quit(WshShell.Popup(argsUnnamed(0), nSeconds, DlgTitle, nType))

Here is an example:

ifmember.exe administrators && (
    WScript.exe %wpipath%dialog.vbs "You are not an administrator. Log in with admin rights to use this program" /T:"WPI"
    Exit
)

It does pass on errorcodes from the dialog, so you can use it to do some decision making in the batch.

The full syntax is in the script :-)

I hope these may help you further!

Aquarius

Edited by aquarius
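Added example, not code from the thread: rh.vbs above notes that quoted arguments are lost, because WScript.Arguments strips the quotes and the script concatenates the values bare. This script (hypothetical name rhq.vbs, same calling convention as rh.vbs) re-quotes arguments that contain spaces and wraps the whole command in an extra pair of quotes, since cmd /c strips the first and last quote character when more than two are present. It assumes arguments contain no embedded quote characters.

```vbscript
' rhq.vbs (added example) - like rh.vbs, but arguments with spaces stay quoted
' Usage: WScript.exe wpi\rhq.vbs wpi.cmd "arg with spaces" plainarg
Option Explicit

' Quote one argument for cmd.exe if it needs it (embedded quotes not handled).
Function QuoteArg(s)
    If Len(s) > 0 And InStr(s, " ") = 0 Then
        QuoteArg = s
    Else
        QuoteArg = """" & s & """"
    End If
End Function

' Build: cmd /c ""<batch>" "arg 1" arg2""
' batchPath: full path of the batch file; args: array of argument strings
Function BuildCmdLine(batchPath, args)
    Dim line, i
    line = QuoteArg(batchPath)
    For i = 0 To UBound(args)
        line = line & " " & QuoteArg(args(i))
    Next
    ' Outer quotes: with more than two quote characters cmd /c removes the first
    ' and the last one, which would otherwise break the quoted batch path.
    BuildCmdLine = "cmd /c """ & line & """"
End Function

' Same convention as rh.vbs: arg 0 is the batch in the script's folder,
' everything after it is passed on to the batch.
Dim progFolder, argv, i, cmdLine, shell
If WScript.Arguments.Count = 0 Then WScript.Quit(-1)
progFolder = Left(WScript.ScriptFullName, InStrRev(WScript.ScriptFullName, "\"))
ReDim argv(WScript.Arguments.Count - 2)   ' (-1) upper bound = empty array
For i = 1 To WScript.Arguments.Count - 1
    argv(i - 1) = WScript.Arguments(i)
Next
cmdLine = BuildCmdLine(progFolder & WScript.Arguments(0), argv)
Set shell = WScript.CreateObject("WScript.Shell")
' Window style 0 as in rh.vbs; unlike rh.vbs it waits so the batch's exit code is returned
WScript.Quit(shell.Run(cmdLine, 0, True))
```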


With Symantec, all you need to do is set cmdow.exe as one of your exceptions. This is saved in a file called SRTSEXCL.DAT, but to be safe all I do is copy all .DAT files when installing SAC:

REG ADD %KEY%\1001 /VE /D "Symantec Antivirus Corp v10.1.0.401" /f
REG ADD %KEY%\1001 /V 101 /D "CMD /C Start /Wait C:\Install\Symantec\Symantec_AntiVirus.msi /QB RUNLIVEUPDATE=0 REBOOT=ReallySuppress" /f
REG ADD %KEY%\1001 /V 102 /D "CMD /C COPY \"C:\Install\Symantec\*.DAT\" \"%ProgramFiles%\Symantec AntiVirus\" /Y" /f




I just noticed this problem too because I updated my install DVD so my SAV installer has the definitions current as of July 2006. Here's what I did... I just modified my RunOnceEx.cmd to run something called PreClean.cmd. PreClean.cmd ends the rtvscan.exe (display name=Symantec Antivirus) service prior to running Cleanup.cmd, so Cleanup.cmd can execute with cmdow.exe so it remains hidden. If anyone can show me how to do a NET STOP from a REG ADD in RunOnceEx.cmd, so I don't have to resort to that extra file, that would be great. Here's what I included in it...

NET STOP "Symantec Antivirus"
EXIT

This should let Cleanup.cmd run unhindered and the last few lines of Cleanup.cmd deletes cmdow.exe prior to reboot as seen here...

cmdow @ /HID
DEL "C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk"
DEL "C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk"
DEL "%AllUsersProfile%\Start Menu\Set Program Access and Defaults.lnk"
DEL "%AllUsersProfile%\Start Menu\New Office Document.lnk"
DEL "%AllUsersProfile%\Start Menu\Open Office Document.lnk"
DEL "%AllUsersProfile%\Start Menu\Windows Catalog.lnk"
DEL "%AllUsersProfile%\Start Menu\Programs\Windows Movie Maker.lnk"
DEL "%AllUsersProfile%\Desktop\Adobe Reader 6.0.lnk"
DEL "%AllUsersProfile%\Desktop\Java Web Start.lnk"
DEL "%AllUsersProfile%\Desktop\Nero StartSmart.lnk"
RD "C:\Documents and Settings\All Users\Start Menu\Programs\Java Web Start" /s /q
RD "C:\Documents and Settings\All Users\Start Menu\Programs\PrintMe Internet Printing" /s /q
DEL C:\addUsepmtimer.exe /s
DEL C:\agrep.exe /s
DEL C:\ATICCC.ins /s
DEL C:\devcon.exe /s
DEL C:\DPs_fnsh.cmd /s
DEL C:\fnsh_log.cmd /s
DEL C:\cmdow.exe /s
DEL C:\Windows\System32\cmdow.exe /s
DEL C:\Docume~1\AllUse~1\Desktop\MSN*.* /s
net user aspnet /delete
shutdown.exe -r -f -t 60 -c "Windows XP will restart in 1 minute..."
EXIT

I just burned the change and my laptop is building, should know in an hour or so if this worked. If so, it's a better solution than adding hacktools to the SAV exclusion list.

Edited by core22

OK so the method above failed...rtvscan.exe respawned and during Cleanup.cmd the virus warning pops up. I just changed to method #2, using a vb script instead. I'm calling cleanup.vbs (instead of cleanup.cmd) from runonceex.cmd, and that vb script is calling cleanup.cmd to start minimized.

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.run "cleanup.cmd", 2, true

I have preclean.cmd delete cmdow.exe just prior to starting the Symantec AV install from RunOnceEx. Just using preclean.cmd without the vb script will work, but the window is not minimized and it looks "ugly". If the cleanup.vbs fails I'll just resort to keeping the window in view for the 5 or 10 seconds it takes to run cleanup.cmd.


I had this problem too and thought I'd get rid of it with a few lines using AutoIT

It works beautifully. Just compile this to an exe, and make it the first thing you run via CMDLINES.TXT (if you have batch scripts running before GUI setup is complete). ALSO, make it the first thing run via GuiRunOnce if that is how you start WPI (most do).

While 1   ' runs until reboot or until the process is stopped
    WinWait("C:\WINDOWS\")   ' block until a window whose title starts with C:\WINDOWS\ exists
    WinSetState("C:\WINDOWS\system32\cmd.exe", "", @SW_HIDE)
    WinSetState("C:\WINDOWS\SYSTEM32\cmd.exe", "", @SW_HIDE)   ' title match is case-sensitive
    Sleep(250)   ' once a matching window exists WinWait returns at once; don't spin the CPU
WEnd

IMPORTANT NOTE: You must launch it via a batch script itself so that the install doesn't hang waiting for the autoit script to terminate. Because this is going to run until reboot (or until forcibly stopped) you need to launch the exe in a batch with something like

@ECHO OFF
start %SYSTEMDRIVE%\INSTEMP\CMDHIDE.EXE
EXIT



OK so none of what I did worked. I ended up deleting CMDOW as part of my SAV install...it deleted just before RunOnceEx calls the Symantec msi. This still keeps the RunOnceEx hidden but my cleanup.cmd is NOT hidden...it's only up for maybe 5 seconds though so I don't mind.



Hello express, et al.

I am memofromturner, a new member. I have read through several replies to your original post, but not all. Just wanted to add that I received the identical response from my NOD32 v2.5.18. I Googled the file, and found this link to be quite informative: http://www.commandline.co.uk/cmdow/, Ritchie Lawrence's command line utils, etc. According to Sir Lawrence [get it?], it has a veritable plethora of handy usages. Hope it sheds new light on this topic.

sincerely,

memofromturner



Hello

I have NOD32 and today it has alerted me that CMDOW.EXE has been infected with WIN32/CMDOW.143.

Is it legitimate, or do I need to delete it or put it in quarantine, or what?

Sorry about writing mistakes, I'm learning English.

Thanks, fsz2

Edited by fsz2