plat Posted January 19, 2006
Hi all,
I'd like to try the following project as an anti-spyware solution. I've searched the forum but haven't found anything similar enough to be of use to a newbie.....
1. scan system partition to create a 'BEFORE' snapshot using DIR /s /b
2. surf the net picking up various unwanted progs / spyware
3. scan sys partition again at a later date to create an 'AFTER' snapshot as above
4. This is the tricky bit: compare the differences between the two file lists and create a 'CHANGES' file.
5. Use the 'CHANGES' file as the input source to supply a third-party delete-on-reboot type program (would enable in-use spyware proggies to be deleted).
Any thoughts on the above gratefully received!
MadBoy Posted January 19, 2006
Spyware, adware and any other virus-type programs aren't only disk based; even if you delete them they might make pretty much a lot of mess. So you gotta consider a registry scan too.
My little company: Evotec (PL version: Evotec)
Bert Posted January 19, 2006
InstallShield does something like you describe. (If my coworker explained it to me correctly.) With InstallShield, you have a before snapshot, you then install the application, and it will take an after snapshot. It then will compare the changes and come up with the install package.

The problem with your approach is that by taking a snapshot, you lock the PC in a "photo" of its state. If later you take another snapshot, things have changed, and some things you want to have changed. Examples being antivirus def files, Windows updates, software updates, and so forth. A simple change to the registry that points to something you need would be deleted also. The research to look for every change would be quite daunting to say the least.

Another problem is Spyware is more often using root kits to install themselves, and the use of a snapshot is almost useless. Unless you know exactly what you are looking for, the Spyware will (odds are) slip past. I've personally seen Spyware that would install itself in the root kernel, and it is almost impossible to remove.

The way computers are today, you just about have to treat them as living machines. They are born (OS loaded and other basic software), they grow (you install more software, and customize them to your taste), they get sick (virus and Spyware infections), they need medications (antivirus, AntiSpyware), and they die (they get an infection that causes so much damage that the unit is no longer stable, and needs to be rebuilt). The computer person is like a doctor, treating the sick. The problem is the environment is evolving, just like the normal environment we all live in. New infections come along; drugs that worked on old infections no longer work, and so forth.

The idea you put forth is good, but the work to do this is quite labor intensive, for each change would need to be checked, just to see what the change is. I will get off my soapbox now.......
The Vollatran project My blog: http://www.vollysinterestingshit.com/
plat Posted January 19, 2006 (author)
Thanks for the feedback folks,
I am familiar with products like Ghost, Deep Freeze, Ghost Surfer et al but thought the challenge of achieving a 'similar' end result using AutoIt and some freeware would be an interesting one!
With regard to the registry changes / rootkits, I thought I could take care of that with the excellent command-line ERUNT, which would enable a complete registry snapshot at every reboot (like using last known good) and also would take care of the root kit / registry autoruns etc.
This then leaves the newly created unwanted files, which would be compared on an 'it didn't exist before so delete it' basis but would use a file mask to exclude specified file types such as system files ('cause we don't wanna delete them).
In order to get around the problem of open / in-use files I thought the command-line CopyLock could be passed the content of the CHANGES file to delete upon reboot....
There is an excellent piece of software called Total Uninstaller which achieves this, i.e. the opposite of Wise / InstallShield, but alas it is no longer free.
Anyone think this idea has legs or should I consign it to the recycle bin?
seandisanti Posted January 19, 2006
[quotes plat's post above]
Personally I don't think it's really worth your time. I say that because of the tools people already have: system restore, registry backups, last known good, etc., not to mention the plethora of spyware scanners. In addition, not every new file or registry entry is a bad one, and by adding in a confirmation for each thing to be deleted, you'd be pretty much removing the very efficiency you mean to create. I would say you definitely had a neat idea, which someone would probably use (one born every minute?) but as far as a real project, I personally don't think it would be worth the time investment, except possibly for the knowledge gained by creating a new project.
ACalcutt Posted January 20, 2006 (edited)
I am interested in this. I use BartPE at work...and spyware/viruses are a lot easier to deal with when you remove their files, then you only need to deal with the registry stuff (for which there are also tools in BartPE...and then stuff in Windows afterward). Maybe something like this....I don't think this is completely right...but it's a start

#include <GuiConstants.au3>
#include <process.au3>

$tempfile1 = "C:\Spyware_Finder_Temp1.txt"
$tempfile2 = "C:\Spyware_Finder_Temp2.txt"
$tempfile3 = "C:\Spyware_Finder_Results.txt"
Dim $line1 = 1
Dim $line2 = 1

SplashTextOn("Scanning", "Scanning Files")
_RunDOS("DIR c:\ /s /b > " & $tempfile1) ; BEFORE snapshot
SplashOff()
MsgBox(0, "", "Click OK when ready to scan again")
_RunDOS("DIR c:\ /s /b > " & $tempfile2) ; AFTER snapshot

GuiCreate("MyGUI", 392, 239)
$edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
$edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
$count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
$count2 = GuiCtrlCreateLabel("", 10, 130, 100, 20)
GuiSetState()

; walk both listings line by line; a line in AFTER that does not match the
; current BEFORE line is written to the results file
While 1
    $file1 = FileReadLine($tempfile1, $line1)
    If @error = -1 Then $file1 = ""
    $file2 = FileReadLine($tempfile2, $line2)
    If @error = -1 Then ExitLoop
    ;SplashTextOn("comparing", $line1 & @LF & $file1 & @LF & @LF & $line2 & @LF & $file2, 500, 250)
    GUICtrlSetData($edit1, $file1)
    GUICtrlSetData($edit2, $file2)
    GUICtrlSetData($count1, $line1)
    GUICtrlSetData($count2, $line2)
    If $file2 = $file1 Then
        $line1 += 1
        $line2 += 1
    Else
        If $file2 <> $tempfile2 Then FileWrite($tempfile3, $file2 & @CRLF)
        $line2 += 1
    EndIf
Wend
Exit

Edited January 20, 2006 by ACalcutt
Andrew Calcutt Http://www.Vistumbler.net Http://www.TechIdiots.net It's not an error, it's an undocumented feature
ACalcutt Posted January 20, 2006
maybe delete using killbox
http://www.bleepingcomputer.com/files/killbox.php

$deletefiles = "C:\Spyware_Finder_Results.txt"
$line = 1
Run("Killbox.exe")
WinWaitActive("Pocket Killbox")
; feed every line of the results file to Killbox through the clipboard
While 1
    $file1 = FileReadLine($deletefiles, $line)
    If @error = -1 Then ExitLoop
    ClipPut($file1)
    WinActivate("Pocket Killbox")
    Send("!fp")
    $line += 1
WEnd
ControlClick("Pocket Killbox", "", "ThunderRT6OptionButton4") ;click delete on reboot
ControlClick("Pocket Killbox", "", "ThunderRT6OptionButton1") ;click "All files"
ControlClick("Pocket Killbox", "", "ThunderRT6CommandButton2") ;click delete button
WinWaitActive("Delete next Reboot")
;ControlClick("Delete next Reboot", "", "Button1") ; reboot now
ControlClick("Delete next Reboot", "", "Button2") ; do not reboot now
ACalcutt Posted January 20, 2006 (edited)
the comparing of file names takes too long...any ideas on making it faster? I looked at FileOpen and other commands, but I don't really know how to use them
Edited January 20, 2006 by ACalcutt
ACalcutt Posted January 21, 2006 (edited)
I used an array and that sped things up greatly (6 hrs to like under 5 mins). Keep in mind this program assumes no files get deleted; if something gets deleted it's going to mess up all remaining results. My first AutoIt array :-)

;--------------------------------------------------------
#include <file.au3>
#include <GuiConstants.au3>
#include <process.au3>
$tempfile1 = "C:\Spyware_Finder_Temp1.txt"
$tempfile2 = "C:\Spyware_Finder_Temp2.txt"
$tempfile3 = "C:\Spyware_Finder_Results.txt"
Dim $array1, $array2
Dim $line1 = 1
Dim $line2 = 1
;--------------------------------------------------------
FileDelete($tempfile1) ;remove old files if they exist
FileDelete($tempfile2)
FileDelete($tempfile3)
;--------------------------------------------------------
SplashTextOn("Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile1) ;pipe index results to tempfile1
SplashOff()
MsgBox(0, "", "Click OK when ready to scan again")
SplashTextOn("Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile2) ;pipe index results to tempfile2
SplashOff()
_FileReadToArray($tempfile1, $array1) ; create an array with tempfile1 (each line contains a filename; element 0 is the count)
_FileReadToArray($tempfile2, $array2) ; create an array with tempfile2

;Comparing GUI
GuiCreate("Comparing", 392, 239)
$edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
$edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
$count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
$count2 = GuiCtrlCreateLabel("", 10, 130, 100, 20)
GuiSetState()
;Comparing GUI End

While 1
    If $line1 <= $array1[0] Then
        $file1 = $array1[$line1]
    Else
        $file1 = ""
    EndIf
    If $line2 <= $array2[0] Then
        $file2 = $array2[$line2]
    Else
        ExitLoop
    EndIf
    GUICtrlSetData($edit1, $file1)
    GUICtrlSetData($edit2, $file2)
    GUICtrlSetData($count1, $line1)
    GUICtrlSetData($count2, $line2)
    If $file2 = $file1 Then
        $line1 += 1
        $line2 += 1
    Else
        If $file2 <> $tempfile2 Then FileWrite($tempfile3, $file2 & @CRLF)
        $line2 += 1
    EndIf
Wend

Edited January 21, 2006 by ACalcutt
plat Posted January 21, 2006 (author)
Wow! thanks ACalcutt
I tested the concept on an installation of SpyWare Doctor (like the irony!) to see if it removed all traces; together with the registry backup via ERUNT it was toast! It did take an age as you've said (6 hours on a 20Gig sys partition) but now with your latest code it flies! (~4mins)
As almost all spyware / virii / trojans are software installations this idea should work on them all?
With regard to Killbox; it works fine but I was trying to use CopyLock (link in earlier post) as it has a command line version which should make it possible to achieve the same result without the pop up gui...

While 1
    call to copylock + name of file to delete
WEnd

As a newb I am getting stuck passing the $file1 parameter to the command line. This is what I have tried

RunWait(@ComSpec & " /c " & "c:\cl.exe & $file1")

I think the concatenation is correct and the file names are being passed to the clipboard (checked with MsgBox) but it seems the string content is not available in the command shell?! Any ideas?
ACalcutt Posted January 21, 2006 (edited)
untested...but I think it should be

RunWait(@ComSpec & ' /c c:\cl.exe "' & $file1 & '"') ; " /c " makes cmd.exe run the command and exit

if you don't put quotes around the filename, any filename where there's a space will mess things up...you had the variable inside quotes, and you were missing a space between cl.exe and your filename
ex.

$file1 = "c:\test\a b\test.exe"
MsgBox(0, "", 'c:\cl.exe "' & $file1 & '"')

Edited January 22, 2006 by ACalcutt
ACalcutt Posted January 21, 2006 (edited)
something like this maybe (untested...don't have cl.exe)

;--------------------------------------------------------
;AutoIt Version: 3.1.1.102 Beta
;
;Script Author: Andrew Calcutt
;Script Date: 01/21/2006
;Script Name: RemoveNewFiles
;Script Function: Use the 'CHANGES' file as the input source to the CopyLock delete-on-reboot program
;*Needs CopyLock (cl.exe) http://noeld.com/programs.asp?cat=misc
;--------------------------------------------------------
#include <file.au3>
#include <process.au3>
$tempfile3 = "C:\FileChange_Results.txt"
Dim $array3
_FileReadToArray($tempfile3, $array3) ; element 0 is the line count
For $x = 1 To $array3[0]
    _RunDOS('c:\cl.exe "' & $array3[$x] & '"') ; path quoted so names with spaces survive the shell
Next

Edited January 22, 2006 by ACalcutt
ACalcutt Posted January 22, 2006 (edited)
update - this version won't mess up if a file is deleted before the second scan starts

;--------------------------------------------------------
;AutoIt Version: 3.1.1.102 Beta
;
;Script Author: Andrew Calcutt
;Script Date: 01/21/2006
;Script Name: FileChangeSearch
;Script Function:
; 1. scan system partition to create a 'BEFORE' snapshot using DIR /s /b
; 2. scan sys partition again at a later date to create an 'AFTER' snapshot as above (after picking up new files)
; 3. Compare the differences between the two file lists and create a 'CHANGES' file.
;--------------------------------------------------------
#include <Array.au3>
#include <GuiConstants.au3>
#include <file.au3>
#include <process.au3>
Dim $tempfile1 = "C:\FileChange_Temp1.txt"
Dim $tempfile2 = "C:\FileChange_Temp2.txt"
Dim $tempfile3 = "C:\FileChange_Results.txt"
Dim $array1, $array2
Dim $pos = 0
Dim $line = 1
;--------------------------------------------------------
FileDelete($tempfile1) ;remove old files if they exist
FileDelete($tempfile2)
FileDelete($tempfile3)
;--------------------------------------------------------
SplashTextOn("Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile1) ;pipe index results to tempfile1
SplashOff()
MsgBox(0, "", "Click OK when ready to scan again")
SplashTextOn("Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile2) ;pipe index results to tempfile2
SplashOff()
_FileReadToArray($tempfile1, $array1) ; create an array with tempfile1 (each line contains a filename)
_FileReadToArray($tempfile2, $array2) ; create an array with tempfile2

;Comparing GUI
GuiCreate("Comparing", 392, 239)
$edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
$edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
$count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
GuiSetState()
;Comparing GUI End

For $loop = 1 To $array2[0]
    GUICtrlSetData($edit2, $array2[$line])
    GUICtrlSetData($count1, $line)
    GUICtrlSetData($edit1, "Scanning For Match" & @CRLF)
    If $array2[$line] <> $tempfile2 Then
        $pos2 = $pos
        ; search the BEFORE list from the last match onward (both listings are in DIR order),
        ; so a file that vanished between scans is simply skipped over
        $pos = _ArraySearch($array1, $array2[$line], $pos2, $array1[0])
        If @error = 6 Or @error = 4 Then FileWrite($tempfile3, $array2[$line] & @CRLF)
        If $pos = -1 Then
            GUICtrlSetData($edit1, "*** New File ***" & @CRLF)
            GUICtrlSetData($edit1, $array2[$line], 1)
            Sleep(1000)
            $pos = $pos2 ; keep searching from the previous match
        Else
            GUICtrlSetData($edit1, "Match Found on Line: " & $pos & @CRLF, 1)
            GUICtrlSetData($edit1, $array1[$pos], 1)
        EndIf
    EndIf
    $line += 1
Next

Edited January 22, 2006 by ACalcutt
plat Posted January 22, 2006 (author)
Hi again, Firstly the cl.exe / array combo works really well! I've just tried your latest script and got the error shown in the thumbnail below....
ACalcutt Posted January 22, 2006 (edited)
[quotes plat's post above]
are you using the latest beta? because _ArraySearch isn't in the production release
http://www.autoitscript.com/autoit3/files/beta/autoit/
once you install the beta you have to go Start\Programs\AutoIt v3\beta\Toggle AU3 Beta
edit - also, I just changed filenames inside the copylock script and the compare script - look above
Edited January 22, 2006 by ACalcutt
ACalcutt Posted January 22, 2006 (edited)
I could also make this search for files that got deleted, but I didn't think that would be useful since you can't get them back anyway
and I think in my version I am going to make it ignore the temporary internet files, because I want to browse the web and see what I pick up on a test machine, and we delete the temp\temp internet files by default anyways
by changing this line

If $array2[$line] <> $tempfile2 Then

to

If $array2[$line] <> $tempfile2 And StringInStr($array2[$line], "Temporary Internet Files") = 0 Then ; And, not Or: both must hold for the line to be compared

Edited January 22, 2006 by ACalcutt
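As an added example (not code from the thread), the same before/after comparison in Python: set difference instead of a line-by-line walk, so files deleted between the two scans cannot knock the remaining results out of step, plus the exclusion mask for the snapshot files and Temporary Internet Files discussed above. The two listings, the exclusion patterns and the c:\cl.exe path are constructed assumptions.

```python
"""Before/after snapshot diff for two DIR /s /b listings (constructed sample data)."""
import fnmatch
import ntpath

# Constructed sample listings, one path per line as DIR c:\ /s /b prints them.
BEFORE = """C:\\Program Files
C:\\Program Files\\Good App\\app.exe
C:\\Windows\\System32\\kernel32.dll
C:\\Docs\\old notes.txt
C:\\FileChange_Temp1.txt
"""
AFTER = """C:\\Program Files
C:\\Program Files\\Good App\\app.exe
C:\\Program Files\\Good App\\update.log
C:\\windows\\system32\\KERNEL32.DLL
C:\\Program Files\\Sneaky Toolbar\\toolbar.dll
C:\\Documents and Settings\\u\\Temporary Internet Files\\ad.gif
C:\\FileChange_Temp1.txt
C:\\FileChange_Temp2.txt
"""

# Illustrative exclusion mask (an assumption, not a vetted list): the snapshot files
# themselves and the Temporary Internet Files folder, as the thread excludes them.
DEFAULT_EXCLUDES = (
    "C:\\FileChange_Temp?.txt",
    "C:\\FileChange_Results.txt",
    "*\\Temporary Internet Files\\*",
)

def normalize(path):
    # Windows paths are case-insensitive, so compare a canonical form: a re-scan that
    # prints KERNEL32.DLL instead of kernel32.dll must not count as a change.
    return ntpath.normcase(path.strip().rstrip("\\"))

def load_listing(text):
    return {normalize(line) for line in text.splitlines() if line.strip()}

def excluded(path, patterns):
    return any(fnmatch.fnmatchcase(normalize(path), normalize(p)) for p in patterns)

def diff_snapshots(before_text, after_text, excludes=DEFAULT_EXCLUDES):
    """Return (new_paths, deleted_paths), each sorted.

    Set difference is O(n) rather than a linear search per line, and a file deleted
    between the two scans cannot throw the remaining comparisons out of step.
    """
    before, after = load_listing(before_text), load_listing(after_text)
    new = sorted(p for p in after - before if not excluded(p, excludes))
    deleted = sorted(p for p in before - after if not excluded(p, excludes))
    return new, deleted

def delete_on_reboot_commands(paths, tool="c:\\cl.exe"):
    # Quote both the tool and the path: an unquoted path containing a space is split
    # by the shell, which is the cl.exe problem discussed in the thread. The list is
    # meant to be reviewed by hand before it goes to any delete-on-reboot tool.
    return ['"%s" "%s"' % (tool, p) for p in paths]

if __name__ == "__main__":
    new, deleted = diff_snapshots(BEFORE, AFTER)
    print("new:", *new, sep="\n  ")
    print("deleted:", *deleted, sep="\n  ")
```

Note that update.log shows up as new even though it is legitimate, which is seandisanti's point: the CHANGES list still needs a human look before anything is deleted.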
plat Posted January 23, 2006 (author)
Yep using the Beta solved it! Thanks for your speedy responses! Now must try and do the same with the registry. Should keep me busy for a while.....
ACalcutt Posted January 23, 2006 (edited)
maybe you could do

REGEDIT /E c:\reg.txt

this would dump the registry info into c:\reg.txt, then the hard part would be the comparing...because some keys are multilined
edit - looks like multiline keys end with ",\" so you could look for that
Edited January 23, 2006 by ACalcutt
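An added example (not code from the thread) of the comparison step for two REGEDIT /E dumps: continuation lines ending in a backslash are joined first, then added keys and added or changed values are reported, e.g. a new entry under the Run key. The two dumps are constructed; REGEDIT /E writes UTF-16LE, so real files should be opened with encoding="utf-16".

```python
"""Diff two REGEDIT /E exports. Sample dumps below are constructed, not real."""

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\av.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Blob"=hex:00,01,02,\
  03,04
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="\"C:\\Program Files\\AV\\av.exe\" /tray"
"Helper"="C:\\Program Files\\Sneaky Toolbar\\tb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Blob"=hex:00,01,02,\
  03,05

[HKEY_LOCAL_MACHINE\SOFTWARE\Sneaky Toolbar]
@="installed"
"""

def join_continuations(text):
    """Yield logical lines: a line ending in "\\" (the ",\\" noted in the thread)
    continues on the next, indented line of the export."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        yield line
    if buf:
        yield buf

def split_value(line):
    """Split '"name"=data' into (name, data); the default value is written '@=data'."""
    if line.startswith("@="):
        return "@", line[2:]
    i = 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1  # skip escaped characters such as \" and \\
    return line[1:i], line[i + 2:]

def parse_reg_export(text):
    """Return {key_path: {value_name: data_as_written}}."""
    keys, current = {}, None
    for line in join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = split_value(line)
            keys[current][name] = data
    return keys

def diff_reg_exports(before_text, after_text):
    """Return (added_keys, changes); each change is (key, name, old, new),
    with old None for a value that did not exist in the BEFORE dump."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    added_keys = sorted(k for k in after if k not in before)
    changes = [(key, name, before.get(key, {}).get(name), data)
               for key, values in after.items()
               for name, data in values.items()
               if before.get(key, {}).get(name) != data]
    return added_keys, sorted(changes, key=lambda c: (c[0], c[1]))
```

The new Run value is the kind of autorun entry plat's ERUNT snapshot is meant to roll back; a diff like this shows which one appeared rather than restoring the whole hive blind.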
ACalcutt Posted January 24, 2006
this may help you

#include <Array.au3> ; needed for _ArrayAdd
;By Andrew Calcutt
;_RegSubKeysSubVals([start registry key], [array name])
;
Func _RegSubKeysSubVals($startkey, ByRef $array)
    $line = 0
    While 1 ; every value directly under $startkey, stored as name=data
        $line += 1
        $reg = RegEnumVal($startkey, $line)
        If @error Then ExitLoop
        $data = RegRead($startkey, $reg)
        _ArrayAdd($array, $reg & "=" & $data)
    WEnd
    $line = 0
    While 1 ; then every subkey, recursing into each one
        $line += 1
        $reg = RegEnumKey($startkey, $line)
        If @error Then ExitLoop
        _ArrayAdd($array, "[" & $startkey & "\" & $reg & "]")
        _RegSubKeysSubVals($startkey & "\" & $reg, $array) ; recursive call (the original called the undefined _RegSubkeys)
    WEnd
EndFunc

working example

#include <Array.au3>
Dim $reg1[1]
_RegSubKeysSubVals("HKLM\SOFTWARE\AutoIt v3", $reg1)
$reg1[0] = UBound($reg1) - 1 ; element 0 holds the entry count, as _FileReadToArray does
_ArrayDisplay($reg1, $reg1[0])
; ...followed by the _RegSubKeysSubVals function above
plat Posted January 24, 2006 (author)
Cheers! If I am gonna have a learning curve might as well make it a steep one! From 'Hello World' to UDFs & Arrays in a few short days. If this registry rollback can be achieved without the 3rd party ERUNT prog it's one step closer to an all-AutoIt uninstaller! I think the delete / move on next boot might be a step too far though; C# anyone?