
CMDOW.EXE Virus? Hacktool.HideWindow

22 replies to this topic

#1
Express
  • Member
  • 159 posts
Hi All,

Ok, here's my problem. I have successfully created an unattended DVD installation of XP and Office 2003. There is a cmdow.exe file in $$\System32 that I have been using for the longest time; I can't even remember at this point what it was for. But in any case, yesterday my helpdesk tells me viruses are being picked up from these installs by Symantec.

The "Risk" is Hacktool.HideWindow, Threat Type Hack Tools, and the file name, as mentioned above, is cmdow.exe. Can someone PLEASE tell me what's going on. Like I said, I forget what the purpose of the cmdow.exe was, but now it's showing up as a virus threat.

Do I need to use CMDOW.exe? Has anyone else had these issues, and what was done to rectify them?

Thanks any help will be appreciated...
EXPRESS
---------
Thanks,

Express



#2
larson
    Newbie
  • Member
  • 14 posts
It (CMDOW.exe) isn't a virus; its purpose is to (as Symantec claims) hide the window of your choice.

Used in a context such as CMDOW @ /HID, this command is popular among users making unattended installations of Windows who DON'T want to show the end user some ugly DOS box that could be closed with a click on the "X".

By the words "help desk," I'm guessing you're in a business and have no choice but to use Symantec products. You have my deepest condolences.

In the event that I'm wrong, may I suggest AVG (the Firewall edition, especially) or Avast! Antivirus: two solutions that won't bring a fresh new processor to its knees.

Unfortunately, I have the job of installing Norton on new computers, but I've never gone the unattended route with strangers' computers, and as such, I've never seen that warning.

But fear none-- you're not being hacked. CMDOW.exe is your friend (just not Norton's).

-L

#3
Express
  • Member
  • 159 posts
Thanks Larson for the prompt reply; you are correct, Symantec is our antivirus product, so that's not going to change.

So currently I have it being installed onto the local machines when doing the installs. Can I just not include it in there? In other words, use it to do the installs and then remove the cmdow.exe?

Thanks for your help.
EXPRESS
---------
Thanks,

Express

#4
mmarable
    Advanced Member
  • Member
  • 377 posts
Sure, you could leave CMDOW on your install media, you would just need to add the full path to any batch file that you are calling it from. Putting it into System32 makes it simple to just put CMDOW @ /HID at the top of any batch script. If you keep it on your install media, you would just need to change it to something like: f:\Installs\Tools\CMDOW @ /HID (of course the path would be to where you do have it).
"There are three classes of men; lovers of wisdom, lovers of honor, and lovers of gain." - Plato
"Winning is not everything, but wanting to win is." - Vince Lombardi - "If you wait, all that happens is that you get older." - Mario Andretti
"Do it no matter what. If you believe in it, it is something very honorable. If somebody around you or your family does not understand it, then that's their problem. But if you do have a passion, an honest passion, just do it." - Mario Andretti

#5
stevem99
  • Member
  • 4 posts
If you're running Symantec System Center, you can add Hacktool.Hidewindow to the global security risk exclusion list.

On a stand-alone client it's easy too:
Configure> File System Auto-Protect> Actions> Security Risks> Exceptions> Add..


..or you could switch from SAV to AVG.. :blink:

-SteveM

#6
jrf2027
  • Member
  • 238 posts
For my personal unattended installation, I just deleted cmdow.exe. Yeah, now I get the command windows popping up during installation and when I run my file backup command, but for my own personal system I don't really care - plus, I don't think my three-month-old son knows how to use a mouse yet, let alone how to close the command window. :D

#7
oneless
    Advanced Member
  • Member
  • 374 posts
File deleted here too.
False positive, or maybe the antivirus producers know something I don't.

After 18 months on my computer, cmdow.exe was
first detected by on-line scanning 4..5 weeks ago, sorry, don't remember who/where,
and for 2..3 weeks my local BitDefender has said the same about cmdow.
.. ?

Do I need to use CMDOW.exe?

No, you don't. cmdow just hides a .cmd/DOS window.
I prefer to see a DOS window vs. an antivirus alert,
especially when I insert my WPI DVD in another computer (friends... !)
     oneLess

#8
Express
  • Member
  • 159 posts
Lots of good advice; I will have to rethink this. The question mark that oneless posed made me think. Hmmm, how about if there is something lurking in the background and none of us knows what's going on?

After 18 months on my computer, cmdow.exe was
first detected by on-line scanning 4..5 weeks ago, sorry, don't remember who/where,
and for 2..3 weeks my local BitDefender has said the same about cmdow.
.. ?

Maybe if I just use it from the CD without copying it to the local computer... mmarable, you may have a good idea.

Hey jrf2027, be careful with your 3-month-old; he may not know how to close a DOS window, but I bet he can drop his bottle on the keyboard :-) ...

Thank you all,
EXPRESS
---------
Thanks,

Express

#9
krawz187
  • Member
  • 3 posts
I had the same virus detection warning come up today on our SAV Corporate Edition. I'm thinking it's just detected as such because it's in \%SystemRoot%\System32. I bet if it was located somewhere less suspicious like C:\install, it wouldn't be picked up. That's just my conspiracy theory. ;)

#10
oneless
    Advanced Member
  • Member
  • 374 posts

...That's just my conspiracy theory. ;)

Like I said: or maybe the antivirus producers know something I don't.
And after 18 months on my computer cmdow.exe...
I realize now that I never copied cmdow into my \%SystemRoot%\System32 ..!
And yes, it was detected there too...???
I have used it since I discovered WPI here at MSFN.
Maybe WPI copies it there? I don't think so...
So.. deleted ... and asked AutoIt for help to do the job.
     oneLess

#11
Alanoll
    CODE tags people, CODE tags!
  • Patrons
  • 5,496 posts
Of late, antivirus vendors have been including spyware/malware in their definitions, and any program that could be used to support them. CMDOW is such a program. It is not a program, and all it does is hide a window. It's detected because one or two pieces of software could use it maliciously so you don't see what's happening to your computer.

You people are too paranoid.
Welcome to the Forum! Please READ Me!!
Alright, that's it for the site for now. Now on to the next project....which could concievable replace the current site :)

#12
Crash&Burn
    Advanced Member
  • Member
  • 364 posts
  • OS:Windows 2000 Professional
People would be surprised how little anti-spyware and anti-viral programs are needed in the home-computing arena when you don't utilize IE & Outlook. Ask staunch Opera users how often they need such tools ;-)

#13
Alanoll
    CODE tags people, CODE tags!
  • Patrons
  • 5,496 posts

People would be surprised how little anti-spyware and anti-viral programs are needed in the home-computing arena when you don't utilize IE & Outlook. Ask staunch Opera users how often they need such tools ;-)

Threats are only warranted when the targets are numerous. There's no reason for a hacker to target a browser utilized by a small percentage. Tout browser security all you want, regardless of browser, but if there's little gain for the effort, it won't be done. :hello:
Welcome to the Forum! Please READ Me!!
Alright, that's it for the site for now. Now on to the next project....which could concievable replace the current site :)

#14
blinkdt
    Somewhat Knowledgeable
  • Member
  • 582 posts
  • OS:Windows 8 x64
I don't get it. I have been using Outlook and IE for years. I have not seen a virus/trojan/spyware/malware item on my machine in all of that time, and have watched the Firefox/Opera hoopla come and go. I am not impressed.

People who bring their machines to me with problems have been visiting naughty Web sites or clicking silly links or failed to update their OS in all cases. The basics. We all learn, but some learn the hard way.

Maybe they should have, like, a test similar to a driver's license test. If you don't get 17 out of 20 correct, you can't operate a computer. Naaaaah, then my side income would disappear. :P
no peace for the wicked, no rest for the good

#15
RyanVM
    Like a big surly teddy bear.
  • Member
  • 2,661 posts
It's not a matter of being paranoid; it's a matter of having to change my default settings so that AutoProtect doesn't just delete the file without my permission, which of course becomes annoying for any other malware that's not CMDOW.
RyanVM MSFN Files | RyanVM Forums
Please do not link directly to files on my site or modify/redistribute them without getting my permission first. Link to the above URL instead.
Current Update Pack Release: 2.2.2
(Released April 28, 2008)

BTW, 90% of what I say is kidding around. Don't take things so personally ;)

#16
aquarius
    Newbie
  • Member
  • 18 posts
Hello all!

Here is a script for you that I made to avoid using CMDOW with Windows Post-Install; hope it will help!
Upgrading to WPI 5.0 might also help, since it eliminates wpi.cmd, but you might still want this :-)

You can use it to start programs (e.g. wpi.cmd from Autorun) like this:
OPEN=WScript.exe wpi\rh.vbs wpi.cmd

Note: To avoid putting a long path in there twice, the cmd file is assumed to be in the same folder as the script (\WPI in the example).
I know it's not very good when it comes to handling arguments, because you will lose quotes...

Here is it:
' rh.vbs - Run (a cmd batch) hidden - aquarius 11:58 14.12.2005
' Example: WScript.exe wpi\rh.vbs wpi.cmd
' Assumes wpi.cmd is in same folder as rh.vbs
' quoted arguments not handled well...

Dim objArgs, WshShell
Dim strWindowStyle, DebugWait, strCMD, strShellRun, ProgFolder, Prog, strApp, I

Set objArgs = WScript.Arguments
Set WshShell = WScript.CreateObject("WScript.Shell")

Const nDebug = false	' nDebug=true for Debug mode 
strWindowStyle = 0
DebugWait = false
strCMD = "Cmd /c "

If nDebug then
	strWindowStyle = 1
	DebugWait = True
	strCMD = "Cmd /c CLS & "
End If

if WScript.Arguments.Count = 0 then
	msgbox "strApplication requires an argument" & VbNewline &_
		"Example: WScript.exe wpi\rh.vbs wpi.cmd"
	WScript.Quit (-1)
End If

' Find folder and program to launch (arg 0) in the same folder as the script
ProgFolder =  Left( WScript.ScriptFullName, InStrRev( WScript.ScriptFullName, "\" ))
Prog = objArgs(0)

strApp = """" & ProgFolder & Prog & """"
' Add all arguments (following arg 0 which is the cmd file)
For I = 1 to objArgs.Count - 1
   strApp = strApp & " " & objArgs(I)
Next

strShellRun = strCMD & strApp
If nDebug then
	if wshShell.Popup( "Do you want to execute " & strShellRun & " ?", 10, "Confirm", 1 ) <> 1 then
		wScript.Quit(1)
	End If
End If

WScript.Quit (WshShell.Run( strShellRun, strWindowStyle, DebugWait ))

As you can see, you can set nDebug to true to verify its actions.
Also, instead of using CMDOW @ /VIS for handling error messages, here is another script to display error dialogs etc.

'dialog.vbs  - Aquarius, 23:32 15.06.2006
'WScript.exe dialog.vbs "Message" [/T:"Title"] [/S:type] [/W:SecondsToWait]
'The returned errorcode will be like Windows Script Host Popup Method 
' except if no arguments where passed, in which case it returns -2
'Put strings with spaces inside quotes (message and title)

Dim WshShell, DlgTitle, nSeconds, nType
Dim argsNamed, argsUnnamed

nSeconds=0
nType=0

set WshShell = WScript.CreateObject("WScript.Shell")

if WScript.Arguments.Count = 0 then
  WshShell.Popup "Syntax: wscript.exe dialog.vbs " + chr(34) + "Message" + chr(34) + " [/T:" + chr(34) + "Title" + chr(34) + "] [/S:type] [/W:SecondsToWait]", 0, "Dialog.vbs", 4112
  WScript.Quit (-2)
end if

Set argsNamed = WScript.Arguments.Named
if argsNamed.Exists("t") then DlgTitle=argsNamed.Item("t")
' /S and /W arrive as strings; convert them so Popup receives numbers
if argsNamed.Exists("s") then nType=CLng(argsNamed.Item("s"))
if argsNamed.Exists("w") then nSeconds=CLng(argsNamed.Item("w"))

WScript.Quit (WshShell.Popup( WScript.Arguments.Unnamed(0) , nSeconds, DlgTitle, nType))

Here is an example:
ifmember.exe  administrators && (
	WScript.exe %wpipath%dialog.vbs "You are not an administrator. Log in with admin rights to use this program" /T:"WPI"
	Exit
)

It does pass on errorcodes from the dialog, so you can use it to do some decision making in the batch.
The full syntax is in the script :-)

I hope these may help you further!
Aquarius

Edited by aquarius, 19 June 2006 - 06:24 AM.


#17
urie
    Senior Member
  • Member
  • 519 posts

With Symantec, all you need to do is set cmdow.exe as one of your exceptions. This is saved in a file called
SRTSEXCL.DAT, but to be safe, all I do is copy all .DAT files when installing SAV:


REG ADD %KEY%\1001 /VE /D "Symantec Antivirus Corp v10.1.0.401" /f
REG ADD %KEY%\1001 /V 101 /D "CMD /C Start /Wait C:\Install\Symantec\Symantec_AntiVirus.msi /QB RUNLIVEUPDATE=0 REBOOT=ReallySuppress" /f
REG ADD %KEY%\1001 /V 102 /D "CMD /C COPY \"C:\Install\Symantec\*.DAT\" \"%ProgramFiles%\Symantec AntiVirus\" /Y" /f

:thumbup

#18
core22
  • Member
  • 8 posts
I just noticed this problem too because I updated my install DVD so my SAV installer has the definitions current as of July 2006. Here's what I did... I just modified my RunOnceEx.cmd to run something called PreClean.cmd. PreClean.cmd ends the rtvscan.exe (display name=Symantec Antivirus) service prior to running Cleanup.cmd, so Cleanup.cmd can execute with cmdow.exe so it remains hidden. If anyone can show me how to do a NET STOP from a REG ADD in RunOnceEx.cmd, so I don't have to resort to that extra file, that would be great. Here's what I included in it...
NET STOP "Symantec Antivirus"
EXIT



This should let Cleanup.cmd run unhindered and the last few lines of Cleanup.cmd deletes cmdow.exe prior to reboot as seen here...
cmdow @ /HID
DEL "C:\Documents and Settings\Administrator\Desktop\Spybot - Search & Destroy.lnk"
DEL "C:\Documents and Settings\Default User\Start Menu\Programs\Remote Assistance.lnk"
DEL "%AllUsersProfile%\Start Menu\Set Program Access and Defaults.lnk"
DEL "%AllUsersProfile%\Start Menu\New Office Document.lnk"
DEL "%AllUsersProfile%\Start Menu\Open Office Document.lnk"
DEL "%AllUsersProfile%\Start Menu\Windows Catalog.lnk"
DEL "%AllUsersProfile%\Start Menu\Programs\Windows Movie Maker.lnk"
DEL "%AllUsersProfile%\Desktop\Adobe Reader 6.0.lnk"
DEL "%AllUsersProfile%\Desktop\Java Web Start.lnk"
DEL "%AllUsersProfile%\Desktop\Nero StartSmart.lnk"
RD "C:\Documents and Settings\All Users\Start Menu\Programs\Java Web Start" /s /q
RD "C:\Documents and Settings\All Users\Start Menu\Programs\PrintMe Internet Printing" /s /q
DEL C:\addUsepmtimer.exe /s
DEL C:\agrep.exe /s
DEL C:\ATICCC.ins /s
DEL C:\devcon.exe /s
DEL C:\DPs_fnsh.cmd /s
DEL C:\fnsh_log.cmd /s
DEL C:\cmdow.exe /s
DEL C:\Windows\System32\cmdow.exe /s
DEL C:\Docume~1\AllUse~1\Desktop\MSN*.* /s
net user aspnet /delete
shutdown.exe -r -f -t 60 -c "Windows XP will restart in 1 minute..."
EXIT


I just burned the change and my laptop is building, should know in an hour or so if this worked. If so, it's a better solution than adding hacktools to the SAV exclusion list.

Edited by core22, 12 July 2006 - 08:28 AM.


#19
core22
  • Member
  • 8 posts
OK, so the method above failed... rtvscan.exe respawned and during Cleanup.cmd the virus warning pops up. I just changed to method #2, using a VB script instead. I'm calling cleanup.vbs (instead of cleanup.cmd) from runonceex.cmd, and that VB script is calling cleanup.cmd to start minimized.

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.run "cleanup.cmd", 2, true

I have preclean.cmd delete cmdow.exe just prior to starting the Symantec AV install from RunOnceEx. Just using preclean.cmd without the VB script will work, but the window is not minimized and it looks "ugly". If cleanup.vbs fails, I'll just resort to keeping the window in view for the 5 or 10 seconds it takes to run cleanup.cmd.
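Both aquarius's rh.vbs (#16) and core22's cleanup.vbs (#19) hide the console by launching the batch file through WScript.Shell.Run, which needs no third-party binary on the machine and so leaves the antivirus nothing to flag. aquarius notes that his version loses the quotes around arguments, and core22's version resolves cleanup.cmd against whatever the current directory happens to be. The script below is an added example written for this thread, not code from either poster: it locates the .cmd next to the script (as both of them assume), re-quotes every argument so that spaces survive the trip through cmd /c, and hands the batch file's exit code back to the caller. The file name runhidden.vbs and the usage line are assumptions.

```vbscript
' runhidden.vbs - added example, not from the thread.
' Usage (assumed): wscript.exe runhidden.vbs cleanup.cmd [args...]
' Launches a batch file that sits next to this script in a hidden console
' window (window style 0) and exits with the batch file's own exit code.
Option Explicit

Dim shell, fso, scriptDir, target, cmdLine, i, rc

Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count = 0 Then
    WScript.Echo "Usage: wscript.exe runhidden.vbs file.cmd [args...]"
    WScript.Quit 2
End If

' Resolve the batch file relative to the script's own folder, not the
' current directory; RunOnceEx does not guarantee what that is.
scriptDir = fso.GetParentFolderName(WScript.ScriptFullName)
target = fso.BuildPath(scriptDir, WScript.Arguments(0))

If Not fso.FileExists(target) Then
    WScript.Echo "Not found: " & target
    WScript.Quit 3
End If

' Wrap one argument in double quotes so cmd.exe sees it as a single token.
' Arguments that themselves contain double quotes are not supported; cmd.exe
' has no reliable escape for them.
Function Quote(s)
    Quote = """" & s & """"
End Function

' Build: cmd.exe /c ""C:\dir\file.cmd" "arg one" "arg two""
' The extra outer pair of quotes is required by cmd /c when both the program
' path and its arguments are quoted; cmd strips that outer pair and keeps the
' inner ones intact.
cmdLine = Quote(target)
For i = 1 To WScript.Arguments.Count - 1
    cmdLine = cmdLine & " " & Quote(WScript.Arguments(i))
Next
cmdLine = "cmd.exe /c """ & cmdLine & """"

' 0 = hidden window; True = wait for completion and return its exit code,
' so the batch file's ERRORLEVEL propagates to whoever ran this script.
rc = shell.Run(cmdLine, 0, True)
WScript.Quit rc
```

Because the script waits for the batch file and returns its exit code, a caller (RunOnceEx, another batch, or dialog.vbs from aquarius's post) can still branch on failure even though the console is never shown. Use window style 2 instead of 0 if, like core22, you would rather see a minimized window than a hidden one.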

#20
azaze1
    Junior
  • Member
  • 61 posts
I had this problem too and thought I'd get rid of it with a few lines using AutoIT

It works beautifully. Just compile this to an exe, and make it the first thing you run via CMDLINES.TXT (if you have batch scripts running before GUI setup is complete). ALSO, make it the first thing run via GuiRunOnce if that is how you start WPI (most do).

While 1
  WinWait("C:\WINDOWS\")
  WinSetState("C:\WINDOWS\system32\cmd.exe", "", @SW_HIDE)
  WinSetState("C:\WINDOWS\SYSTEM32\cmd.exe", "", @SW_HIDE)
  Sleep(100) ; WinWait returns at once while a matching (even hidden) window exists, so pause to avoid spinning the CPU
WEnd

IMPORTANT NOTE: You must launch it via a batch script itself so that the install doesn't hang waiting for the AutoIt script to terminate. Because this is going to run until reboot (or until forcibly stopped), you need to launch the exe in a batch with something like

@ECHO OFF
start %SYSTEMDRIVE%\INSTEMP\CMDHIDE.EXE
EXIT

azazel - CCNA, MCSE

Dell 2407WFP
Antec P180 w/Enermax NoiseTaker II 600watt
Asus M2N32-SLI Deluxe nForce 590 Wireless Edition
AMD Athlon 64 X2 5000+
WD Raptor SATA 160GB 16MB Cache 10000 RPM NCQ x3 (RAID 0)
XFX GeForce 7950 GX2 M570 1GB DDR3 (Returned: waiting on G80)
2GB Corsair PC-6400 DDR800 C4 (4.4.4.12)

#21
core22
  • Member
  • 8 posts
OK, so none of what I did worked. I ended up deleting CMDOW as part of my SAV install... it is deleted just before RunOnceEx calls the Symantec msi. This still keeps the RunOnceEx hidden, but my cleanup.cmd is NOT hidden... it's only up for maybe 5 seconds though, so I don't mind.

#22
memofromturner
  • Member
  • 1 posts
Hello express, et al.
I am memofromturner, a new member. I have read through several replies to your original post, but not all. Just wanted to add that I received the identical response from my NOD32 v2.5.18. I googled the file, and found this link to be quite informative: http://www.commandline.co.uk/cmdow/, Ritchie Lawrence's command line utils, etc. According to Sir Lawrence [get it?], it has a veritable plethora of handy usages. Hope it sheds new light on this topic.

sincerely,
memofromturner


#23
fsz2
  • Member
  • 1 posts
Hello
I have NOD32 and today it has alarmed me that CMDOW.EXE has been infected with WIN32/CMDOW.143.
Is it correct, or do I need to delete it, or put it in quarantine, or what?

Sorry about the writing mistakes, I'm learning English.

Thanks, fsz2

Edited by fsz2, 26 July 2009 - 04:10 AM.
