The TOTALCMD executable file is corrupted, possible VIRUS

Please report only one bug per message!

Moderators: Hacker, Stefan2, white, sheep

burhanemre
New Member
Posts: 1
Joined: 2017-10-06, 02:45 UTC

Post by *burhanemre » 2017-10-06, 02:53 UTC

Hello Christian,

I have a script to start Total Commander in elevated mode and started getting the warning message below before TC exits. Root caused the issue to a mistake in the script that added a space at the end of the command line. Apparently Total Commander flags the space as a virus. I think the issue started after upgrading to version 9. Verified reproduces with 9.0a 32bit (2016-12-14). Please run the following command line from a cmd window (note the trailing space):

C:\Users\user>"c:\Program Files\totalcmd\TOTALCMD.EXE "

---------------------------
Total Commander
---------------------------
WARNING: The TOTALCMD executable file is corrupted, possible VIRUS!
Totalcmd will close. Please run a virus scanner as soon as possible!
---------------------------
OK
---------------------------

petermad
Power Member
Posts: 8004
Joined: 2003-02-05, 20:24 UTC
Location: Valsted, Denmark

Post by *petermad » 2017-10-06, 03:51 UTC

Hmm, if I try to launch totalcmd.exe with a trailing space, all that happens is that TC opens and closes again in a split second.

If I do the same with totalcmd64.exe, TC opens but only parts of the GUI are loaded and after a few seconds TC closes again.

But I don't get any error messages.

Tested with TC 9.0, 9.0a and 9.1b3 32- and 64bit, both from an elevated and a non-elevated command prompt.

EDIT
If I start with a fresh ini-file like this:
"C:\Program Files\totalcmd\TOTALCMD64.EXE " /i=f:\temp\tc.ini then TC stays open and I get the virus warning after a few seconds.
License #524
Danish Total Commander Translator
TC 9.21a 32+64bit on Win XP 32bit, Win 7, 8.1 & 10 64bit and TC 2.91b4 on Android 6.0
Get Extended Total Commander Menus | PHSM-Calendar

Dalai
Power Member
Posts: 6198
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai » 2017-10-06, 04:47 UTC

Set the current working directory prior to launching TC to avoid such issues.

A little background info: I had the same issue years ago with my ThinkPad which has some hotkey driver that can launch user-defined programs. Launching totalcmd.exe directly triggered the message in the OP. So I worked around it by launching a script by the hotkey driver instead. This script sets the working directory to TC directory and starts TC afterwards.

Regards
Dalai
#101164 Personal licence
Athlon X4 880K, 16 GiB RAM, Gigabyte F2A88X-D3HP, Win7 x64

Plugins: Services2, Startups

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-10-06, 09:31 UTC

TC checks its own EXE on startup to detect tampering. Apparently CreateFile fails when there is an extra space at the end. Currently I don't have any plans to change this.
Author of Total Commander
http://www.ghisler.com

Flint
Power Member
Posts: 3159
Joined: 2003-10-27, 09:25 UTC
Location: Moscow, Russia

Post by *Flint » 2017-11-09, 11:59 UTC

ghisler(Author)
You can use GetModuleFileName to get executable path instead of relying on what command line was launched.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 9.21rc1 / Win7 x64 SP1, Win10 x64

ghisler(Author)
Site Admin
Posts: 36354
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) » 2017-11-09, 15:51 UTC

Yes, I could try that, but it may cause other problems (e.g. with Unicode names). Therefore I prefer not to change it now.
Author of Total Commander
http://www.ghisler.com

MVV
Power Member
Posts: 8107
Joined: 2008-08-03, 12:51 UTC
Location: Russian Federation

Post by *MVV » 2017-11-09, 18:00 UTC

GetModuleFileNameW has no Unicode problems. :)
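
Added example, not part of the thread and not Total Commander's code: a startup self-check that takes the image path from the loader (GetModuleFileNameW, as suggested above) rather than from the command line, and reports an unreadable file separately from a content mismatch. The FNV-1a digest, the function names and the `/proc/self/exe` branch (so the sketch also builds off Windows) are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
typedef wchar_t pchar;
#define OPEN_RB(p) _wfopen((p), L"rb")
#else
#include <unistd.h>
typedef char pchar;                  /* assumption: Linux stand-in for the demo */
#define OPEN_RB(p) fopen((p), "rb")
#endif

enum self_check { SELF_OK, SELF_UNREADABLE, SELF_MISMATCH };

/* Ask the loader where the running image lives; n is the buffer size in characters. */
static int self_path(pchar *buf, size_t n) {
#ifdef _WIN32
    DWORD len = GetModuleFileNameW(NULL, buf, (DWORD)n);
    return len > 0 && len < n;       /* len == n means the path was truncated */
#else
    ssize_t len = readlink("/proc/self/exe", buf, n - 1);
    if (len <= 0) return 0;
    buf[len] = '\0';
    return 1;
#endif
}

/* FNV-1a over the file: a placeholder for the digest or signature a real check uses. */
static int image_digest(const pchar *path, uint32_t *out) {
    FILE *f = OPEN_RB(path);
    uint32_t h = 2166136261u;
    int c;
    if (!f) return 0;
    while ((c = fgetc(f)) != EOF) { h ^= (uint32_t)c; h *= 16777619u; }
    fclose(f);
    *out = h;
    return 1;
}
/* Keep "could not open the file" apart from "file content differs". */
static enum self_check check_image(const pchar *path, uint32_t expected) {
    uint32_t got;
    if (!image_digest(path, &got)) return SELF_UNREADABLE;
    return got == expected ? SELF_OK : SELF_MISMATCH;
}
int main(void) {
    pchar path[1024];
    uint32_t ref;                    /* constructed: a real program ships this value */
    if (!self_path(path, 1024) || !image_digest(path, &ref)) return 2;
    return check_image(path, ref) == SELF_OK ? 0 : 1;
}
```

With the three-way result, a launch quirk that makes the file unopenable can be reported as a path or access problem instead of as a suspected infection.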
