CMD.exe closes immediately - unusual line in AutoRun registry entry - windows

I've noticed that my command line doesn't start anymore; it just immediately minimizes and closes itself upon running. I suspect this is due to a virus or at least some kind of malicious program having been executed. I found the following code inside my registry. It seems legible, but my knowledge of batch / the command line is limited. Can anyone tell me what it does?
@mode 20,5 & tasklist /FI "IMAGENAME eq SoundModule.exe" 2>NUL | find /I /N "SoundModule.exe">NUL && exit & if exist "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" ( start /MIN "" "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )

According to this reddit thread, it's a "vmprotected cryptocurrency miner".
You most likely got it if you installed anything you downloaded from the torrent network, for example a popular game released in the past few weeks :^)
The following SO thread contains part of the solution: CMD.exe closes immediately after calling (Win7 64)
The malicious party added an AutoRun directive via registry to the Windows Command Processor (cmd.exe usually), which you need to remove from any of the following locations it's present in:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
What the directive does is to execute SoundModule.exe and then explorer.exe (if not already started).
According to the other reply in this thread, they set %comspec% to run at startup, via Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
So on startup, it's running %comspec% (instead of the default Windows Explorer), which itself on start first runs SoundModule.exe and then explorer.exe. Not sure why they did it this way; anyone who makes use of cmd.exe was bound to figure it out and spread the word.
There are at least two confirmed VirusTotal records for this file: [1], [2]

I had the same program on my computer. Check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the Shell value, which is most likely "%comspec%" (which explains why it was just cmd running on startup, since %comspec% is cmd.exe), and change it to "explorer.exe".

Run regedit
Go to HKLM\Software\Microsoft\Command Processor\ or HKEY_CURRENT_USER\Software\Microsoft\Command Processor\ or HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\
For some reason there was an AUTORUN key with "EXIT" inside.
Remove the AutoRun key and cmd will work fine.
Then check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the Shell value, which is most likely "%comspec%" (which explains why it was just cmd running on startup, since %comspec% is cmd.exe), and change it to "explorer.exe" as the user above said.
Edit: I also found that it was a cryptocurrency mining virus located at %appdata%\Microsoft\SoundModule, or SoundMixer in my case.
You should probably delete this file too.

For reference, I will add that I was able to verify that my issue was the AutoRun registry key by using Win-R to bring up the "Run" dialog and typing cmd /d (which disables any AutoRun per the Windows docs: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd). This successfully opened a command prompt window.
Inspecting the registry, my HKEY_CURRENT_USER\Software\Microsoft\Command Processor had Autorun as Type=REG_SZ and Data=if exist. I made a restore point, then renamed that key to AutorunOld ... and then I was able to open a command prompt without issue.
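The checks and removals spread across the answers above, collected into one script. This is an added example, not code from any of the posters, and it only touches the locations named in this thread: the two Command Processor AutoRun values, the Winlogon Shell value, and the %APPDATA%\Microsoft\SoundModule (or SoundMixer) folder. Run it from an elevated PowerShell prompt; without -Fix it only reports. If cmd.exe is still unusable while you work, cmd /d opens a prompt with AutoRun disabled, as the last answer notes.

```powershell
# Added example, not from the original thread. Audits and optionally removes the
# persistence points described above. HKLM changes need an elevated prompt.
param([switch]$Fix)

$autoRunKeys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\SOFTWARE\Microsoft\Command Processor'
)
$userWinlogon    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$machineWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Folder names reported in the thread; both are checked.
$dropDirs = 'SoundModule', 'SoundMixer' | ForEach-Object { Join-Path $env:APPDATA "Microsoft\$_" }

# 1. cmd.exe AutoRun: whatever is stored here runs on every cmd.exe start.
#    A clean machine has no AutoRun value in either key.
foreach ($key in $autoRunKeys) {
    $autoRun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($null -eq $autoRun) {
        Write-Output "[ok] $key has no AutoRun value"
        continue
    }
    Write-Output "[!!] $key\AutoRun = $autoRun"
    if ($Fix) {
        Remove-ItemProperty -Path $key -Name AutoRun
        Write-Output "     removed"
    }
}

# 2. Winlogon Shell. The per-user value normally does not exist at all; the
#    machine-wide default is explorer.exe. The thread reports the per-user value
#    set to %comspec%, i.e. cmd.exe, which then ran the AutoRun line at logon.
$userShell = (Get-ItemProperty -Path $userWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) {
    Write-Output "[!!] $userWinlogon\Shell = $userShell"
    if ($Fix) {
        # Deleting the override has the same effect as setting it to explorer.exe:
        # with no per-user value the HKLM default applies again.
        Remove-ItemProperty -Path $userWinlogon -Name Shell
        Write-Output "     removed"
    }
}
$machineShell = (Get-ItemProperty -Path $machineWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($machineShell -ne 'explorer.exe') {
    Write-Output "[!!] $machineWinlogon\Shell = $machineShell (expected explorer.exe)"
    if ($Fix) { Set-ItemProperty -Path $machineWinlogon -Name Shell -Value 'explorer.exe' }
}

# 3. The dropped miner. Hash every file first so the sample can be checked on
#    VirusTotal after it is gone.
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Recurse | ForEach-Object {
        $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Write-Output "[!!] $($_.FullName) SHA256=$sha256"
    }
    $name    = Split-Path -Leaf $dir                 # SoundModule / SoundMixer
    $running = Get-Process -Name $name -ErrorAction SilentlyContinue
    if ($running) { Write-Output "[!!] $name.exe is running, PID $($running.Id -join ', ')" }
    if ($Fix) {
        $running | Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-Item -LiteralPath $dir -Recurse -Force
        Write-Output "     killed and deleted $dir"
    }
}
```

Run it once without -Fix, keep the reported AutoRun string and hashes for your records, then run it again with -Fix and reboot. Restoring the Shell value only puts Explorer back; it does not prove the miner was the only thing installed, so the usual post-compromise checks (Run keys, scheduled tasks, services) still apply.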

Related

Convert Batch file to Exe with administrator privileges

I have created a code in batch, which works perfectly only when I run it as administrator. If not, some of the main functions of the code do not work.
On top of that, I would like to convert it to exe, so that I can put an icon on.
Can anyone tell me please, how can I convert a batch file to exe with administrator privileges? Is it possible without a UAC prompt?
By the way: I am administrator on my PC.
I have tried with some software:
Iexpress -> Temp-file was not found.
Bat to Exe Converter -> After starting the .exe file it does not run as administrator, although I run it as.
That's the code:
@echo off
rem Start the two RealTimeSync jobs and the launcher ("" is the window title start expects).
start "" "C:\Users\Viktor\Documents\FreeFileSync Auftraege\RealTimeSync Auftraege\RealTime_(.minecraft-GoogleDrive)_[Mirror].ffs_real"
start "" "C:\Users\Viktor\Documents\FreeFileSync Auftraege\RealTimeSync Auftraege\RealTime_(.minecraft-Backupfolder)_[Mirror].ffs_real"
start "" "C:\Program Files (x86)\Minecraft\MinecraftLauncher.exe"
:Anfang
rem Launcher closed before the game started?
tasklist /v | find "MinecraftLauncher.exe"
if %errorlevel% == 1 goto Dead
rem Game (javaw.exe) running yet?
tasklist /FI "IMAGENAME eq javaw.exe" 2>NUL | find /I /N "javaw.exe">NUL
if %errorlevel% == 0 goto Active
goto Anfang
:Active
rem Wait until the game exits.
tasklist /v | find "javaw.exe"
if %errorlevel% == 1 goto Dead
goto Active
:Dead
rem Give RealTimeSync a few seconds to finish, then stop it.
timeout 5
taskkill /F /IM "RealTimeSync_x64.exe"
exit
It works only with "run as administrator". Without it, some functions like taskkill or tasklist do not work.
I succeeded with Bat to Exe Converter available here : https://www.majorgeeks.com/files/details/bat_to_exe_converter.html
Simple GUI to transform batch to exe with administrator privileges.
Here is how you can make your .bat to .exe file require administrator privileges to run:
Download Bat To Exe Converter from Softpedia.com:
https://www.softpedia.com/get/System/File-Management/Batch-To-Exe-Converter.shtml (Version 3.2 seems to be a good option due to its easy layout/interface.)
Once downloaded, go through the installation of the application and run it.
Input code into the IDE window, ensuring that you check the box (under the options tab) that says "Request Administrator Privileges"
Now click convert, and continue through the prompts and you will have your .exe file ready for use!
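The converter route works, but it is worth knowing what "Request Administrator Privileges" actually does: it embeds a manifest that asks for elevation, so the UAC prompt still appears. No wrapper can grant a process administrator rights silently; the prompt-free option for an account that is already an administrator is a scheduled task registered once with "Run with highest privileges" and then started on demand. As an added example (not code from the question or the answers), here is the same monitor as a PowerShell script that elevates itself with one UAC prompt and needs no third-party converter. The paths are the ones from the question's batch file.

```powershell
# Added example, not from the original question. Same logic as the batch file above,
# with a self-elevation step in place of the converter's manifest.
$syncJobs = @(
    'C:\Users\Viktor\Documents\FreeFileSync Auftraege\RealTimeSync Auftraege\RealTime_(.minecraft-GoogleDrive)_[Mirror].ffs_real',
    'C:\Users\Viktor\Documents\FreeFileSync Auftraege\RealTimeSync Auftraege\RealTime_(.minecraft-Backupfolder)_[Mirror].ffs_real'
)
$launcher = 'C:\Program Files (x86)\Minecraft\MinecraftLauncher.exe'

# Relaunch elevated if we are not. This shows one UAC prompt; a process cannot make
# itself an administrator without it.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`""
    exit
}

foreach ($job in $syncJobs) { Start-Process -FilePath $job }   # opens with RealTimeSync
Start-Process -FilePath $launcher

# Same state machine as the batch labels: "Anfang" waits until the launcher dies or
# javaw appears, "Active" waits until javaw dies. Poll every 2 s instead of spinning.
$gameSeen = $false
while ($true) {
    $launcherUp = [bool](Get-Process -Name 'MinecraftLauncher' -ErrorAction SilentlyContinue)
    $gameUp     = [bool](Get-Process -Name 'javaw' -ErrorAction SilentlyContinue)
    if ($gameUp) { $gameSeen = $true }
    if ($gameSeen) {
        if (-not $gameUp) { break }     # game has exited
    } elseif (-not $launcherUp) {
        break                           # launcher closed without starting the game
    }
    Start-Sleep -Seconds 2
}

Start-Sleep -Seconds 5
Get-Process -Name 'RealTimeSync_x64' -ErrorAction SilentlyContinue | Stop-Process -Force
```

To get rid of the prompt entirely, register the script once from an elevated prompt with Register-ScheduledTask, using a principal created with New-ScheduledTaskPrincipal -RunLevel Highest, and start that task (Start-ScheduledTask or schtasks /run) from your shortcut; the task runs elevated without asking. Keep the script in a folder only administrators can write to, since anything that can modify it now runs as administrator too.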

Need help using tasklist to check if the Battle.net process

I am trying to create a batch file as an impromptu shortcut to launch the Battle.net client and, when it fully opens, to launch Hearthstone specifically, but I'm sure it can be applied to any Blizzard game.
The problem is when I run
start "" "C:\Program Files (x86)\Hearthstone\Hearthstone Beta Launcher.exe"
tasklist /fi "IMAGENAME eq battle.net.exe" 2>NUL | find /I /N "battle.net.exe">NUL
if "%ERRORLEVEL%"=="0" echo Battle net is ready
And if that worked then I would use start "" "battlenet://WTCG", but it immediately echoes even though nothing is visible on my screen and the process is not running in Task Manager. This means it would try to launch Hearthstone without Battle.net being open, even though the script says it is.
Is this just an issue with Battle.net processes or am I doing something very wrong? I am currently using Windows 10 if it matters.
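Whatever the reason for the stray echo, a single check taken immediately after start is a race: the launcher has only just been started, and even once battle.net.exe exists as a process the client is not necessarily usable yet. The robust pattern is to poll with a timeout and to require that the process has shown its main window before handing it the URI. As an added example (not code from the original post), in PowerShell, with the process name and paths taken from the question:

```powershell
# Added example, not from the original post. Waits for the Battle.net client to be
# really up (process present AND it has a main window) before opening battlenet://WTCG.
param(
    [string]$Launcher   = 'C:\Program Files (x86)\Hearthstone\Hearthstone Beta Launcher.exe',
    [string]$Uri        = 'battlenet://WTCG',
    [int]   $TimeoutSec = 120
)

function Wait-ForProcessWindow {
    # Returns $true once a process with this image name has a main window, $false on timeout.
    # Get-Process takes the image name without ".exe"; the dot in "Battle.net" is literal.
    param([string]$Name, [int]$TimeoutSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
        if ($procs | Where-Object { $_.MainWindowHandle -ne 0 }) { return $true }
        Start-Sleep -Milliseconds 500
    }
    return $false
}

# Only start the launcher if the client is not already running.
if (-not (Get-Process -Name 'Battle.net' -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath $Launcher
}

if (Wait-ForProcessWindow -Name 'Battle.net' -TimeoutSec $TimeoutSec) {
    Write-Output 'Battle.net is ready'
    Start-Process $Uri          # shell-executes the URI, same as: start "" "battlenet://WTCG"
} else {
    Write-Error "Battle.net did not come up within $TimeoutSec s"
    exit 1
}
```

The same idea in batch is a loop that re-runs the tasklist | find check with a timeout between attempts and a counter to give up; the window test has no tasklist equivalent, which is the main reason to do this in PowerShell.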

Batch file to uninstall a program

I'm trying to uninstall a program EXE via batch file and am not having any success.
The uninstall string found in the registry is as follows:
C:\PROGRA~1\Kofax\Capture\ACUnInst.exe /Workstation C:\PROGRA~1\Kofax\Capture\UNWISE.EXE /U C:\PROGRA~1\Kofax\Capture\INSTALL.LOG
If I run that from CMD or batch it does nothing.
If I run C:\PROGRA~1\Kofax\Capture\UNWISE.EXE /U from CMD it will open up a dialog box to point to the INSTALL.LOG file and then proceed to uninstall.
At the end, it will ask me to click finish.
I need this to be silent, can you point me in the right direction? This is on XP and 7.
Every program that properly installs itself according to Microsoft's guidelines makes a registry entry in either HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall (for machine installs) or HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall (for user profile installs). Usually, the key for the program will be its GUID, or else the name of the program. Within that key will be an entry called UninstallString. This contains the command to execute to uninstall the program.
If you already know ahead of time what you will be uninstalling, it should be easy enough to just put that in your batch file. It gets tricky when you try to automate that process though. You can use the reg command to get data from the registry, but it returns a lot of text around the actual value of a given key, making it hard to use. You may want to experiment with using VBscript or PowerShell, as they have better options for getting data from the registry into a variable.
This might help you further:
How to Create a script via batch file that will uninstall a program if it was installed on windows 7 64-bit or 32-bit
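The answer above is right that PowerShell is the easier tool for getting the uninstall command out of the registry. As an added example (not code from the answer), here is a script that searches the Uninstall keys it names, plus the WOW6432Node view that 32-bit installers land in on 64-bit Windows, and runs the uninstaller unattended. For MSI products (the key name is the product GUID) it issues msiexec /x directly, which is the only reliably silent form; for anything else it runs the recorded string, because each non-MSI installer has its own silent switch and that switch has to be looked up per product (the question's UNWISE.EXE is one such case). The registry route is preferred over wmic product because enumerating Win32_Product makes Windows Installer run a consistency check, and possibly a repair, on every installed product, and WMIC itself is deprecated.

```powershell
# Added example, not code from the answer. Finds an installed program by display name in
# the Uninstall registry keys and runs its uninstaller unattended. "Kofax Capture*" is the
# question's product and is used here only as a sample pattern.
param(
    [Parameter(Mandatory)][string]$DisplayNamePattern,   # e.g. 'Kofax Capture*'
    [switch]$WhatIf
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProduct {
    # Returns one object per matching entry: DisplayName, KeyName (GUID or product name),
    # UninstallString and, if present, QuietUninstallString.
    param([string]$Pattern)
    foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like $Pattern -and $p.UninstallString) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    KeyName         = $_.PSChildName
                    UninstallString = $p.UninstallString
                    QuietUninstall  = $p.QuietUninstallString
                }
            }
        }
    }
}

function Get-SilentUninstallCommand {
    # Turns an entry into a file + argument pair. MSI products get a clean msiexec call;
    # anything else uses the recorded (quiet if available) string as-is.
    param($Product)
    if ($Product.KeyName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        return @{ File = 'msiexec.exe'; Args = "/x $($Product.KeyName) /qn /norestart" }
    }
    $cmd = if ($Product.QuietUninstall) { $Product.QuietUninstall } else { $Product.UninstallString }
    # Split  "C:\path\uninst.exe" /switches  or  C:\path\uninst.exe /switches  into exe + args.
    if ($cmd -match '^\s*"([^"]+)"\s*(.*)$' -or $cmd -match '^\s*(\S+)\s*(.*)$') {
        return @{ File = $Matches[1]; Args = $Matches[2] }
    }
    throw "Cannot parse uninstall string: $cmd"
}

$products = @(Get-InstalledProduct -Pattern $DisplayNamePattern)
if ($products.Count -ne 1) {
    Write-Error "Expected exactly one match for '$DisplayNamePattern', found $($products.Count): $($products.DisplayName -join '; ')"
    exit 1
}
$cmd = Get-SilentUninstallCommand -Product $products[0]
Write-Output "Uninstalling '$($products[0].DisplayName)': $($cmd.File) $($cmd.Args)"
if ($WhatIf) { exit 0 }

$startArgs = @{ FilePath = $cmd.File; Wait = $true; PassThru = $true }
if ($cmd.Args) { $startArgs.ArgumentList = $cmd.Args }
$proc = Start-Process @startArgs
Write-Output "Exit code $($proc.ExitCode) (0 = success, 3010 = success, reboot required)"
exit $proc.ExitCode
```

Run it with -WhatIf first to see which entry matched and what would be executed; the script refuses to act when the pattern matches more than one product. Uninstalling machine-wide products needs an elevated prompt.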
I've had the same problem and this is what I came up with.
Before you start using this method though, you might want to look up the name of the application with WMIC in CMD, so...
First you wanna do: WMIC product > C:\Users\"currentuser"\Desktop\allapps.txt
I'd recommend outputting the command to a TXT file because it's really confusing to read it in the Cmd prompt, plus it's easier to find the data you are looking for.
Now what you want to do is find the actual name of the app... If you look at the code I put in, the app name says SkypeT because Skype has "™" at the end of it and the command prompt can't interpret that as it is.
After you have the app name, just put it in the find on the 4th line and substitute it in the few lines that contain my examples with Skype...
Also, you can probably create a variable called %APP% and not worry as much, but as it currently is, it works just fine...
One thing to note! With me the msi /quiet command did not work; the program would not install or uninstall, so I used /passive, which lets the users see what's going on.
@Echo off
setlocal
rem Fragment of the product name as WMI reports it (Win32_Product.Name) and the image
rem name of the running application. The fragment is matched with LIKE '%Skype%', so
rem the trademark sign at the end of Skype's real name (the "SkypeT" in the write-up)
rem does not matter. Note that "wmic product" queries Win32_Product, which makes
rem Windows Installer run a consistency check of every installed product; that is why
rem it is slow.
set "APP=Skype"
set "APPEXE=Skype.exe"
set "GUID="
:VerInstall
rem Get the product code. %%%APP%%% expands to %Skype% inside a batch file; the nested
rem FOR strips the stray carriage return wmic leaves at the end of every line.
for /f "usebackq tokens=2 delims==" %%a in (`wmic product where "Name like '%%%APP%%%'" get IdentifyingNumber /value`) do (
for /f "delims=" %%b in ("%%a") do set "GUID=%%b"
)
if not defined GUID (
Echo %APP% is not installed, proceeding to the installation!
Ping localhost -n 7 >nul
goto :Reinstall
)
Echo %APP% is installed! Product code %GUID%
:Status
rem find sets errorlevel 1 when the image name is not in the tasklist output.
tasklist /nh /fi "IMAGENAME eq %APPEXE%" | find /I "%APPEXE%" >nul
if errorlevel 1 goto :Uninstall
:Force
echo We are killing the process... Please do not use the application during this process!
Ping localhost -n 7 >nul
taskkill /F /IM "%APPEXE%" /T
echo The task was killed with success! Uninstalling...
Ping localhost -n 7 >nul
:Uninstall
cls
rem /passive shows only a progress bar; /quiet did not work for the original poster.
rem start /wait blocks until msiexec has finished, so no polling loop is needed.
start "" /wait msiexec.exe /x %GUID% /passive /norestart
echo %APP% is uninstalled
:Reinstall
start "" /wait msiexec.exe /i SkypeSetup.msi /passive /norestart
echo %APP% is installed
:end
cls
color 0A
Echo Done!
endlocal
exit
One last thing. I used this as an invisible EXE task, so the user couldn't interact with the command prompt and eventually close the window (I know, I know, it makes all the echoes stupid, but it was for testing purposes). For that I used BAT to EXE converter 2.3.1; you can put everything to work in the background and it will work very nicely. If you want to show progress to users, just write START Echo "info" and replace the info with whatever you want; it will open another prompt and show the info you need.
Remember, Wmic commands sometimes take up to 20 seconds to execute since they're querying the computer's system, so it might look like it's doing nothing at first, but it will run! ;)
Good luck :)
We needed a batch file to remove a program and we couldn't use programmatic access to the registry.
For us, we needed to remove a custom MSI with a unique name. This only works for installers that use msi or integrate such that their cached installer is placed in the Package_Cache folder. It also requires a unique, known name for the msi or exe. That said, it is useful for those cases.
dir /s /b /x "c:\programdata\packag~1\your-installer.msi" > removeIt.bat
set /p RemoveIt=< removeIt.bat
echo ^"%RemoveIt%^" /quiet /uninstall > removeIt.bat
removeIt.bat
This works by writing all paths for 'your-installer.msi' to the new file 'removeIt.bat'
It then assigns the first line of that bat file to the variable 'RemoveIt'
Next, it creates a new 'removeIt.bat' that contains the path/name of the .msi to remove along with the needed switches to do so.
Finally, it runs the batch file which executes the command to uninstall the msi. This could be done with an .exe as well.
You will probably want to place the 'removeIt.bat' file into a known writable location, for us that was the temp folder.

Batch - Reboot computer if a batch file ends

Essentially we have 2 batch files, one which is the "wrapper" if you will, calling another batch file so it starts as /min (minimized). This batch file then ends once it has launched the 2nd batch file.
This contains a loop, which keeps spawning an RDP session after it is closed.
The problem is, if the user ALT-TABs and closes the batch, they are just left with an empty desktop (as we task kill explorer). Is there a way of force rebooting the machine if that batch loop ends?
Thanks!
There is a standard cmd command:
shutdown /r
Usage: shutdown [/i | /l | /s | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/f]
[/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]
No args Display help. This is the same as typing /?.
/? Display help. This is the same as not typing any options.
/i Display the graphical user interface (GUI).
This must be the first option.
/l Log off. This cannot be used with /m or /d options.
/s Shutdown the computer.
/r Full shutdown and restart the computer.
/g Full shutdown and restart the computer. After the system is
rebooted, restart any registered applications.
/a Abort a system shutdown.
This can only be used during the time-out period.
/p Turn off the local computer with no time-out or warning.
Can be used with /d and /f options.
/h Hibernate the local computer.
Can be used with the /f option.
/hybrid Performs a shutdown of the computer and prepares it for fast startup.
Must be used with /s option.
/e Document the reason for an unexpected shutdown of a computer.
/o Go to the advanced boot options menu and restart the computer.
Must be used with /r option.
/m \\computer Specify the target computer.
/t xxx Set the time-out period before shutdown to xxx seconds.
The valid range is 0-315360000 (10 years), with a default of 30.
If the timeout period is greater than 0, the /f parameter is
implied.
/c "comment" Comment on the reason for the restart or shutdown.
Maximum of 512 characters allowed.
/f Force running applications to close without forewarning users.
The /f parameter is implied when a value greater than 0 is
specified for the /t parameter.
/d [p|u:]xx:yy Provide the reason for the restart or shutdown.
p indicates that the restart or shutdown is planned.
u indicates that the reason is user defined.
If neither p nor u is specified the restart or shutdown is
unplanned.
xx is the major reason number (positive integer less than 256).
yy is the minor reason number (positive integer less than 65536).
My suggestions:
Do you really need batch to be visible (minimized) or can it be hidden?
If it can be hidden, just use VBScript to launch it hidden:
With CreateObject("W"&"Script.Shell")
.Run "LongRun.bat", 0
End With
If you really need batch to be shown, you could make a hidden script which will wait for batch to terminate and reboot.
Step 1: Launch script hidden (Start.vbs):
Set WsShell = CreateObject("W"&"Script.Shell")
WsShell.Run "Hidden.vbs", 0
Step 2: Hidden.vbs will launch the batch and wait for it to return:
'This script is supposed to start hidden!
Set WsShell = CreateObject("W"&"Script.Shell")
WsShell.Run "LongRun.bat", 7, True
'WsShell.Run "REBOOT.EXE ..." 'Must remove comment and complete command line
MsgBox "Rebooting..."
Now LongRun.bat is running, Hidden.vbs also (but not visible).
If somehow LongRun.bat is terminated, Hidden.vbs will continue its execution and reboot.
(WScript.Shell.Run documentation)
EDIT: Notice "W"&"Script.Shell" is same as "WScript.Shell" but StackOverflow doesn't allow me to write it!
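The same watchdog idea as the VBScript answer, as an added example in PowerShell (not code from the question or the answers): start the RDP-spawning batch, block until it exits for any reason, then force a restart with the shutdown command from the first answer. "LongRun.bat" is the file name used above and is assumed to sit next to this script.

```powershell
# Added example, not from the original answers. Runs the batch minimized, waits for it to
# end (normal exit, ALT-TAB and close, or taskkill all count), then restarts the machine.
param(
    [string]$Script       = (Join-Path $PSScriptRoot 'LongRun.bat'),
    [int]   $GraceSeconds = 0
)

function Invoke-WatchedBatch {
    # Starts the batch through cmd.exe /c and blocks until that cmd.exe exits.
    # Returns the exit code the batch left behind.
    param([string]$Path)
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', "`"$Path`"" `
                       -WindowStyle Minimized -Wait -PassThru
    return $p.ExitCode
}

if (-not (Test-Path -LiteralPath $Script)) {
    Write-Error "Batch file not found: $Script"
    exit 1
}

$code = Invoke-WatchedBatch -Path $Script
Write-Output "batch ended with exit code $code, restarting in $GraceSeconds s"

# /f closes whatever is still open without asking, which matters here because
# explorer.exe has already been killed and there is no desktop to interact with.
& shutdown.exe /r /f /t $GraceSeconds /c "Kiosk session ended, restarting"
```

Launch this watchdog itself hidden (the VBScript trick above, or a scheduled task with "Run whether user is logged on or not"), because a user who can reach Task Manager can end the watchdog just as easily as the batch. For a kiosk that must survive a determined user, the watchdog should run as SYSTEM from a scheduled task or service rather than in the user's own session.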

Attaching the windows debugger in VS2010 from a batch file?

Is it possible to attach the windows debugger in VS2010 to a process from a batch file?
preferably by giving it a process name
Since you presumably already have the process running, you would use vsjitdebugger.exe /p 1234 where 1234 is the PID of the process you want to debug. If you don't know it, you would have to use some other method to figure it out.
If you have the debugging tools for windows available, the tlist.exe utility will yield the process ID for a process name. If that is available, then the following will attach to a given process:
rem Get the process ID
for /f %%f in ('tlist -p %1') do set mypid=%%f
rem attach to it with selected debugger
vsjitDebugger -p %mypid%
Edit: If tlist is not available, I think tasklist will work. It's a bit uglier, but the following worked for me (you know ... it works on my system :). Note too that I edited the command in the previous example to work in a cmd.exe prompt (I use tcc, which does require as many % signs).
rem Get the process ID
for /f "tokens=2 delims= " %%f in ('tasklist /nh /fi "imagename eq %1"' ) do set mypid=%%f
rem attach to it with selected debugger
vsjitDebugger -p %mypid%
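Both batch versions above take whatever PID comes out of the first line of tlist or tasklist, which silently attaches to the wrong process when several instances of the image are running. As an added example (not code from the answers), the same lookup in PowerShell that refuses to guess:

```powershell
# Added example, not from the original answers. Resolves an image name to exactly one PID
# and attaches the Visual Studio JIT debugger to it.
param([Parameter(Mandatory)][string]$ImageName)   # e.g. notepad or notepad.exe

function Get-TargetPid {
    # Returns the single PID for the image name; throws on 0 or more than 1 match.
    param([string]$Name)
    $base  = [IO.Path]::GetFileNameWithoutExtension($Name)   # Get-Process wants no ".exe"
    $procs = @(Get-Process -Name $base -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { throw "No process named $Name" }
    if ($procs.Count -gt 1) {
        $list = ($procs | ForEach-Object { "$($_.Id) [$($_.MainWindowTitle)]" }) -join ', '
        throw "Ambiguous: $($procs.Count) processes named $Name: $list"
    }
    return $procs[0].Id
}

$targetPid = Get-TargetPid -Name $ImageName
# Same call the answers use. Attaching to another user's or an elevated process needs
# an elevated debugger; otherwise the attach fails with access denied.
Start-Process -FilePath 'vsjitdebugger.exe' -ArgumentList "-p $targetPid"
```

When the name is ambiguous, the error lists PIDs with window titles so you can pass the right one to vsjitdebugger -p by hand.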
Specifying a /Command switch on devenv.exe's command line will make it run a specified command on open. You could specify the Debug.AttachToProcess command. Don't know if you can specify a PID, though, when you execute that command.