CMDOW.EXE Virus? Hacktool.HideWindow - MSFN Forums

MSFN Home·Forum Rules·Unattended Guide·Login·Register

Search ·Members·Calendar·Help·Contact Us

MSFN Forums > Unattended Windows Discussion & Support > Unattended Windows 2000/XP/2003

Forum Rules

Unattended CD/DVD Guide Homepage · MSFN Forum Rules

2 Pages

1 2 >

Reply to this topic

Start new topic

CMDOW.EXE Virus? Hacktool.HideWindow, Hacktool.HideWindow

Express View Member Profile	Jun 7 2006, 09:23 AM Post #1
Express Group: Members Posts: 174 Joined: 8-August 05 From: New York City Member No.: 67932	Hi All, Ok here's my problem I have successfully created a unattended DVD installation of XP and Office 2003, there is a cmdow.exe file in $$\System32 that I have been using for the longest I can't even remember at this point what was it for. But in any case yesterday my helpdesk tells me viruses are being picked up from these installs from Symantec. The "Risk" Hacktool.HideWindow Threat Type Hack Tools the file name as mentioned above is cmdow.exe. Can someone PLEASE tell me whats going on. Like i said I forget what was the purpose of the cmdoe.exe but now its showing up as a virus threat. Do I need to use CMDOW.exe? Has anyone else have had these issues and what was done to rectify them. Thanks any help will be appreciated... EXPRESS

larson View Member Profile	Jun 7 2006, 09:39 AM Post #2
Newbie Group: Members Posts: 16 Joined: 11-August 03 From: Jacksonville, Florida Member No.: 5656 OS: XP Pro x86	It (CMDOW.exe) isn't a virus; its purpose is to (as Symantec claims) hide the window of your choice. Used in such context as CMDOW @ /HID, this command is popular among users making unattended installations of Windows-- that DON'T want to show the end user some ugly DOS box that could be closed with the click of "X". By the words "help desk," I'm guessing you're in a business and have no choice but to use Symantec products. You have my deepest condolences. In the event that I'm wrong, may I suggest AVG (the Firewall edition, especially) or Avast! Antivirus: two solutions that won't bring a fresh new processor to its knees. Unfortunately, I have the job of installing Norton on new computers, but I've never gone the unattended route with strangers' computers, and as such, I've never seen that warning. But fear none-- you're not being hacked. CMDOW.exe is your friend (just not Norton's). -L

Express View Member Profile	Jun 7 2006, 09:48 AM Post #3
Express Group: Members Posts: 174 Joined: 8-August 05 From: New York City Member No.: 67932	Thanks Larson for the prompt reply, you are correct Symantec is our Antivirus product so thats not going to change. So currently I have it being installed on to the local mahcines when doing the installs can i just not included in there, in other words use it to do the installs then remove the cmdow.exe? Thanks for you help. EXPRESS

mmarable View Member Profile	Jun 7 2006, 09:53 AM Post #4
Advanced Member Group: Members Posts: 382 Joined: 1-November 03 From: USA Member No.: 8879 OS: none	Sure, you could leave CMDOW on your install media, you would just need to add the full path to any batch file that you are calling it from. Putting it into System32 makes it simple to just put CMDOW @ /HID at the top of any batch script. If you keep it on your install media, you would just need to change it to something like: f:\Installs\Tools\CMDOW @ /HID (of course the path would be to where you do have it).

stevem99 View Member Profile	Jun 7 2006, 02:26 PM Post #5
Group: Members Posts: 4 Joined: 14-May 04 Member No.: 19936	If your running Symantec System Center you can add Hacktool.Hidewindow to the global security risk exclusion list. On a stand-alone client it's easy too.. Configure> File System Auto-Protect> Actions> Security Risks> Exceptions> Add.. ..or you could switch from SAV to AVG.. -SteveM

jrf2027 View Member Profile	Jun 7 2006, 02:35 PM Post #6
Member Group: Members Posts: 196 Joined: 6-September 04 Member No.: 30216 OS: Vista Home Premium x64	For my personal unattended installation, I just deleted cmdow.exe. Yeah, now I get the command windows popping up during installation and when I run my file backup command, but for my own personal system I don't really care - plus, I don't think my three-month-old son knows how to use a mouse yet, let alone how to close the command window.

oneless View Member Profile	Jun 7 2006, 03:31 PM Post #7
Advanced Member Group: Members Posts: 412 Joined: 7-January 05 From: Craiova , Romania Member No.: 40173	file deleted here too. false positive , or maybe the antivirus producers know some i dont. after 18 months on my computer cmdow.exe was first detected on-line scanning , 4..5 weeks ago, sorry dont remember who/where and from 2..3 weeks my local bitdefender says same about cmdow. .. ? QUOTE Do I need to use CMDOW.exe? no you dont. cmdow just hide a .cmd/DOS window. i prefere to see a dos window vs. an antivirus alert. especially when i insert my WPI DVD in other computer (friends... !)

Express View Member Profile	Jun 8 2006, 05:53 AM Post #8
Express Group: Members Posts: 174 Joined: 8-August 05 From: New York City Member No.: 67932	Many good advices, I will have to rethink this. The question mark that ONLESS possed made me think. Hmmm how about if there is something lurking in the background which none of us knows whats going on? QUOTE (oneless @ Jun 7 2006, 04:31 PM) after 18 months on my computer cmdow.exe was first detected on-line scanning , 4..5 weeks ago, sorry dont remember who/where and from 2..3 weeks my local bitdefender says same about cmdow. .. ? Maybe if I just use it from the cd without copying it to the local computer... mmarable you may have a good idea. Hey jrf2027 becarefull with your 3 month old, he may not know how to close a dos window but I bet he can drop his bottle on the keyboard :-) ... Thank you all, EXPRESS

krawz187 View Member Profile	Jun 8 2006, 01:33 PM Post #9
Group: Members Posts: 3 Joined: 6-June 06 Member No.: 98183	I had the same virus detection warning come up today on our SAV Corporate Edition. I'm thinking it's just detected as such because it's in \%SystemRoot%\System32. I bet if it was located somewhere less suspicious like C:\install, it wouldn't be picked up. That's just my conspiracy theory.

oneless View Member Profile	Jun 8 2006, 01:58 PM Post #10
Advanced Member Group: Members Posts: 412 Joined: 7-January 05 From: Craiova , Romania Member No.: 40173	QUOTE (krawz187 @ Jun 8 2006, 09:33 PM) ...That's just my conspiracy theory. like i said : or maybe the antivirus producers know some i dont. and after 18 months on my computer cmdow.exe... i realize now than i never copied cmdow in my \%SystemRoot%\System32 ..! and yes was detected there too...??? i use it since i discover WPI here at MSFN . maybe WPI copy it there ? i dont think this... so.. deleted ... and ask help from autoIT to do the job .

Alanoll View Member Profile	Jun 8 2006, 02:15 PM Post #11
CODE tags people, CODE tags! Group: Patrons Posts: 6221 Joined: 25-September 03 From: Dallas, Texas Member No.: 7393 OS: none	Of late, AntiVirus vendors have been including spyware/malware into their definitions and any program that could be used to support them. CMDOW is such a program. It is not a program, and all it does it hide a window. It's detected because one or two pieces of software could use it maliciously so you don't see what's happening to your computer. You people are too paranoid.

Crash&Burn Crash&Burn View Member Profile	Jun 8 2006, 05:21 PM Post #12
Advanced Member Group: Members Posts: 363 Joined: 11-March 05 Member No.: 47285	People would be suprised how little anti-spyware and anti-viral programs are needed in the home-computing arena when you don't utilize IE & OutLook. Ask staunch Opera users how often they need such tools ;-)

Alanoll View Member Profile	Jun 8 2006, 06:46 PM Post #13
CODE tags people, CODE tags! Group: Patrons Posts: 6221 Joined: 25-September 03 From: Dallas, Texas Member No.: 7393 OS: none	QUOTE (Crash&Burn @ Jun 8 2006, 06:21 PM) People would be suprised how little anti-spyware and anti-viral programs are needed in the home-computing arena when you don't utilize IE & OutLook. Ask staunch Opera users how often they need such tools ;-) Threats are only warranted when the targets a numerous. There's no reason for a hacker to target a browser utilized by a small percentage. Toute all you want about browser security regardless of browser, but if there's little gain for the effort it won't be done.

blinkdt View Member Profile	Jun 8 2006, 08:57 PM Post #14
Somewhat Knowledgeable Group: Supreme Sponsors Posts: 586 Joined: 30-September 03 From: Fox Valley, WI Member No.: 7533 OS: Vista Business x86	I don't get it. I have been using Outlook and IE for years. I have not seen a virus/trojan/spyware/malware item on my machine in all of that time, and have watched the Firefox/Opera hooplah come and go. I am not impressed. People who bring their machines to me with problems have been visiting naughty Web sites or clicking silly links or failed to update their OS in all cases. The basics. We all learn, but some learn the hard way. Maybe they should have, like, a test similar to a driver's license test. If you don't get 17 out of 20 correct, you can't operate a computer. Naaaaah, then my side income would disappear.

RyanVM View Member Profile	Jun 9 2006, 07:17 AM Post #15
Like a big surly teddy bear. Group: Members Posts: 3181 Joined: 31-August 03 From: Philadelphia, PA Member No.: 6091	It's not a matter of being paranoid, it's a matter of having to change my default settings so that AutoProtect doesn't just delete the file without my permission, which of course become annoying for any other malware that's not CMDOW.

aquarius View Member Profile	Jun 19 2006, 06:22 AM Post #16
Newbie Group: Members Posts: 17 Joined: 3-May 06 Member No.: 95383	Hello all! Here is a script for you that I made to avoid using CMDOW with Windows Post-Install, hope it will help! Upgrading to WPI 5.0 might allso help, since it eliminates wpi.cmd, but you might still want this :-) You can use it to start programs (e.g. wpi.cmd from Autorun) like this: OPEN=WScript.exe wpi\lh.vbs wpi.cmd Note: To avoid putting a long path in there twice, the cmd file is assumed to be in the same folder as the script. (\WPI in the example) I know it's not very good when it comes to handling arguments, because you will lose quotes... Here is it: CODE ' rh.vbs - Run (a cmd batch) hidden - aquarius 11:58 14.12.2005 ' Example: WScript.exe wpi\rh.vbs wpi.cmd ' Assumes wpi.cmd is in same folder as rh.vbs ' quoted arguments not handled well... Dim objArgs, WshShell Dim strWindowStyle, DebugWait, strCMD, strShellRun, ProgFolder, Prog, strApp, I Set objArgs = WScript.Arguments Set WshShell = WScript.CreateObject("WScript.Shell") Const nDebug = false ' nDebug=true for Debug mode strWindowStyle = 0 DebugWait = false strCMD = "Cmd /c " If nDebug then strWindowStyle = 1 DebugWait = True strCMD = "Cmd /c CLS & " End If if WScript.Arguments.Count = 0 then msgbox "strApplication requires an argument" & VbNewline &_ "Example: WScript.exe wpi\rh.vbs wpi.cmd" WScript.Quit (-1) End If ' Find folder and program to launch (arg 0) in the same folder as the script ProgFolder = Left( WScript.ScriptFullName, InStrRev( WScript.ScriptFullName, "\" )) Prog = objArgs(0) strApp = """" & ProgFolder & Prog & """" ' Add all arguments (following arg 0 which is the cmd file) For I = 1 to objArgs.Count - 1 strApp = strApp & " " & objArgs(I) Next strShellRun = strCMD & strApp If nDebug then if wshShell.Popup( "Do you want to execute " & strShellRun & " ?", 10, "Confirm", 1 ) <> 1 then wScript.Quit(1) End If End If WScript.Quit (WshShell.Run( strShellRun, strWindowStyle, DebugWait )) As you can see, you can set the nDebug to true to verify it's actions. Allso, instead of using CMDOW @ /VIS for handling error messages, here is another script to display error dialogs etc. CODE 'dialog.vbs - Aquarius, 23:32 15.06.2006 'WScript.exe dialog.vbs "Message" [/T:"Title"] [/S:type] [/W:SecondsToWait] 'The returned errorcode will be like Windows Script Host Popup Method ' except if no arguments where passed, in which case it returns -2 'Put strings with spaces inside quotes (message and title) Dim WshShell, DlgTitle, nSeconds, nType Dim argsNamed, argsUnnamed nSeconds=0 nType=0 set WshShell = WScript.CreateObject("WScript.Shell") if WScript.Arguments.Count = 0 then WshShell.Popup "Syntax: wscript.exe dialog.vbs " + chr(34) + "Message" + chr(34) + " [/T:" + chr(34) + "Title" + chr(34) + "] [/S:type] [/W:SecondsToWait]", 0, "Dialog.vbs", 4112 WScript.Quit (-2) end if Set argsNamed = WScript.Arguments.Named if argsNamed.Exists("t") then DlgTitle=argsNamed.Item("t") if argsNamed.Exists("s") then nType=argsNamed.Item("s") if argsNamed.Exists("w") then nSeconds=argsNamed.Item("w") WScript.Quit (WshShell.Popup( WScript.Arguments.Unnamed(0) , nSeconds, DlgTitle, nType)) Here is an example: CODE ifmember.exe administrators && ( WScript.exe %wpipath%dialog.vbs "You are not an administrator. Log in with admin rights to use this program" /T:"WPI" Exit ) It does pass on errorcodes from the dialog, so you can use it to do some decision making in the batch. The full syntax is in the script :-) I hope these may help you further! Aquarius This post has been edited by aquarius: Jun 19 2006, 06:24 AM

urie View Member Profile	Jun 19 2006, 05:45 PM Post #17
Advanced Member Group: Members Posts: 336 Joined: 30-July 03 Member No.: 5322	QUOTE with symantec all you need to do is set cmdow.exe as one of your exceptions this is saved in a file called, SRTSEXCL.DAT but to be safe all i do is copy all .DAT files when installing SAC CODE REG ADD %KEY%\1001 /VE /D "Symantec Antivirus Corp v10.1.0.401" /f REG ADD %KEY%\1001 /V 101 /D "CMD /C Start /Wait C:\Install\Symantec\Symantec_AntiVirus.msi /QB RUNLIVEUPDATE=0 REBOOT=ReallySuppress" /f REG ADD %KEY%\1001 /V 102 /D "CMD /C COPY \"C:\Insatll\Symantec\*.DAT\" \"%ProgramFiles%\Symantec AntiVirus\" /Y" /f