Skitty Posted January 25, 2011 (edited)

Every time I use SciTE.exe it tries to access the internet every now and then. I never realized this until I started using ZoneAlarm. Why is it contacting the internet with functions like

```autoit
#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_icon=..\Pictures\Icons\G-key.ico
#AutoIt3Wrapper_outfile=Safe.exe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Misc.au3>
#include <File.au3>
#include <String.au3>

; Allow only one running instance
If _Singleton(@ScriptName, 1) = 0 Then
    Exit
EndIf

HotKeySet("{F2}", "_Select")

While 1
    Sleep(360000)
WEnd

; Prompt for a command and dispatch it
Func _Select()
    Local $I = InputBox("Command Center", " ", "", "", 200, 100)
    Switch $I
        Case "kill", "exit", "stop", "Kill", "Exit", "Stop", "KILL", "EXIT", "STOP"
            Exit
        Case "create", "Create", "CREATE"
            _create()
        Case "lock", "Lock", "LOCK"
            _lock()
        Case "unlock", "Unlock", "UNLOCK", "un-lock", "Un-lock", "UN-LOCK", _
                "un lock", "Un lock", "UN LOCK", "Un Lock", "Un-Lock"
            _unlock()
        Case "google", "Google", "GOOGLE"
            ShellExecute("http://www.google.com")
        Case "au3"
            ShellExecute("http://www.autoitscript.org")
        Case Else
            MsgBox(0, "Syntax error", "'" & $I & "'" & " is not recognized as an internal or external command." & _
                    @LF & "Correct your syntax and try again.")
    EndSwitch
EndFunc

; Create the Archive folder with a custom icon
Func _create()
    $folder = @ScriptDir & "\Archive"
    DirCreate(@ScriptDir & "\Archive")
    _FileCreate(@ScriptDir & "\Archive\desktop.ini")
    FileInstall("C:\W7\lock.ico", @ScriptDir & "\Archive\lock.ico")
    IniWriteSection($folder & "\" & "Desktop.ini", ".ShellClassInfo", _
            "IconFile=" & "lock.ico" & @LF & _
            "IconIndex=0" & @LF & _
            "InfoTip=Folder ready for archiving!")
    FileSetAttrib($folder & "\" & "Desktop.ini", "+HS")
    FileSetAttrib($folder, "+R")
    FileSetAttrib($folder & "\lock.ico", "+SHR")
EndFunc

; Pack the Archive folder into a password-protected RAR file
Func _lock()
    $KB29 = InputBox("Enter password", " ", "", "*", 200, 75)
    _TalkOBJ("Processing.")
    $Encrypt = _StringEncrypt(1, $KB29, " ", 7)
    FileInstall("C:\W7\Rar.exe", @TempDir & "\Rar.exe")
    FileChangeDir(@TempDir)
    RunWait("rar a Data.rar -k -ow -dw -m5 -hp" & $KB29 & " " & @ScriptDir & "\Archive", @TempDir, @SW_HIDE)
    $Rar = _TempFile(@ScriptDir, "DATA_", ".rar", 7)
    FileMove(@TempDir & "\Data.rar", $Rar)
    ProcessClose("Rar.exe")
    $Get = (_GetNameByFullPath($Rar))
    If FileExists(@ScriptDir & "\$~settings.ini") Then
        IniWriteSection(@ScriptDir & "\$~settings.ini", $Get, "KB29=" & $Encrypt)
    Else
        _FileCreate(@ScriptDir & "\$~settings.ini")
        IniWriteSection(@ScriptDir & "\$~settings.ini", $Get, "KB29=" & $Encrypt)
    EndIf
    _TalkOBJ("Archiving complete.")
EndFunc

; Extract a chosen archive using the password stored in the chosen ini file
Func _unlock()
    $message = "Select your archive file."
    $archive = FileOpenDialog($message, @WindowsDir & "\", "Archives (*.rar)", 1 + 4)
    If @error Then
        MsgBox(4096, "", "No File(s) chosen")
        Exit
    Else
        $archive = StringReplace($archive, "|", @CRLF)
    EndIf
    $message2 = "Select your ini file."
    $ini = FileOpenDialog($message2, @WindowsDir & "\", "Images (*.ini)", 1 + 4)
    If @error Then
        MsgBox(4096, "", "No File(s) chosen")
        Exit
    Else
        $ini = StringReplace($ini, "|", @CRLF)
    EndIf
    $Geta = (_GetNameByFullPath($archive))
    $G = IniRead($ini, $Geta, "KB29", " ")
    $Uc = _StringEncrypt(0, $G, " ", 7)
    FileInstall("C:\W7\UnRAR.exe", @TempDir & "\UnRAR.exe")
    DirCreate(@ScriptDir & "\Data")
    FileChangeDir(@TempDir)
    RunWait("unrar e -y -p" & $Uc & " " & $archive & " " & @ScriptDir & "\Data", @TempDir, @SW_HIDE)
    ProcessClose("UnRAR.exe")
    Sleep(500)
    ; UnRAR.exe was installed to @TempDir above, so delete it from there
    FileDelete(@TempDir & "\UnRAR.exe")
    _TalkOBJ("Task completed.")
EndFunc

; Return the file name part of a full path, or 0 if the file does not exist
Func _GetNameByFullPath($_FullPath)
    If Not FileExists($_FullPath) Then Return 0
    $_FileName = StringSplit($_FullPath, '\')
    Return $_FileName[$_FileName[0]]
EndFunc   ;==> _GetNameByFullPath ( )

; Speak a status message through the Windows speech API
Func _TalkOBJ($s_text)
    Local $o_speech = ObjCreate("SAPI.SpVoice")
    $o_speech.Speak($s_text)
    $o_speech = ""
EndFunc
```

Do I have an infected copy or something? lol

Edited January 26, 2011 by xJSLRx

C45Y Posted January 25, 2011

Just ran your script on mine and I'm not getting anything happening. Checked out the TCP/IP connections in ProcessExplorer. As to your question, it's kinda unlikely, but best to prob run a scan through and try downloading and installing it again. As far as I'm aware it doesn't have an update function in SciTE either. Strange.....

http://twentylinesofcode.blogspot.com Little apps n crap. can be fun

wakillon Posted January 25, 2011 (edited)

> As far as I'm aware it doesn't have an update function in SciTE either. Strange.....

SciTE Help Menu, About

and you see

Check the SciTE4AutoIt3 Homepage for Updates http://www.autoitscript.com/autoit3/scite

where you can find http://www.autoitscript.com/autoit3/scite/downloads.shtml !

Last Update : 2/28/2010

Edited January 25, 2011 by wakillon

AutoIt 3.3.14.2 X86 - SciTE 3.6.0 - WIN 8.1 X64 - Other Example Scripts

C45Y Posted January 25, 2011

> Scite Help Menu, About

aah touche

Maybe this is the source? But just running the script without going to the about dialog box doesn't make any TCP/IP connections is what I was saying.

wakillon Posted January 25, 2011

> aah touche
>
> Maybe this is the source? But just running the script without going to the about dialog box doesn't make any TCP/IP connections is what I was saying.

You're right, I don't see any attempt to access the internet!

xJSLRx should show the ZA message to be sure...

Skitty (Author) Posted January 25, 2011

> You're right, I don't see any attempt to access the internet!
>
> xJSLRx should show the ZA message to be sure...

It's basically what I put as the topic title. Something about SciTE attempting to access the trusted zone and making repeated requests to my DNS server.

I'm beginning to think I might have a modified UDF.... And that it's probably spyware, but then again who wants to see me fiddle with a script editor for hours on end?

Skitty (Author) Posted January 25, 2011 (edited)

Here's the image of the warning I keep getting.

Edited January 25, 2011 by xJSLRx

wakillon Posted January 25, 2011

> It's basically what I put as the topic title. Something about SciTE attempting to access the trusted zone and making repeated requests to my DNS server.
>
> I'm beginning to think I might have a modified UDF.... And that it's probably spyware, but then again who wants to see me fiddle with a script editor for hours on end?

IP 209.18.47.61 is located at:

OrgName: Road Runner HoldCo LLC
OrgId: RRMA
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate:
Updated: 2011-01-05
Comment: Allocations for this OrgID serve Road Runner residential customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.

Maybe your Internet Service Provider?

Skitty (Author) Posted January 25, 2011 (edited)

Weird.. I live in south Texas and my DNS server is only 17-18 miles away. Why would SciTE try to make contact to the area in your image...

Edited January 25, 2011 by xJSLRx

wakillon Posted January 25, 2011

> Weird.. I live in south Texas and my DNS server is only 17-18 miles away. Why would SciTE try to make contact to the area in your image...

Yes, it's strange!

Where did you get the SciTE installer?

Skitty (Author) Posted January 25, 2011 (edited)

> Yes, it's strange!
>
> Where did you get the SciTE installer?

SciTE came from here, but a lot of my UDFs came from shady sites. I wouldn't doubt my PC is pretty much just plain "INFECTED" cause I can just imagine how easy it would be writing a script that mods UDFs to do stuff you wouldn't want.

I'll have to download a brand spankin new copy of SciTE and make a copy of my "Includes" before replacing them, then I can test to see if it really was my UDFs or something even BIGGER.

Edit: bunch of spelling errors...

Edited January 25, 2011 by xJSLRx

wakillon Posted January 25, 2011

In worst case, block internet access to scite and scan your PC !

Skitty (Author) Posted January 25, 2011 (edited)

Even the script obfuscator tries to make contact. This definitely rules out the UDF theory and opens a whole new spectrum of thought... Did SciTE recently come out with a usage monitoring feedback system?

Edit: I have Microsoft Security Essentials but I don't think it's very good.

Edited January 25, 2011 by xJSLRx

wakillon Posted January 25, 2011

> Even the script obfuscator tries to make contact. This definitely rules out the UDF theory and opens a whole new spectrum of thought... Did SciTE recently come out with a usage monitoring feedback system?
>
> Edit: I have Microsoft Security Essentials but I don't think it's very good.

No feedback system, it must be spyware!

Microsoft Security Essentials must be too light!

Take a more reliable security suite... like KIS...

Jos (Developers) Posted January 25, 2011 (edited)

Your image shows that AutoIt3.exe is trying something, not SciTE nor Obfuscator.

So how is AutoIt3.exe run?

By the way, SciTE4AutoIt3 has an option to check for updates but that is switched off by default. When switched on, Autoit3Wrapper.exe will perform the check.

Jos

au3.properties that contains the switch for updates checking:

```
# SciTE settings for AutoIt v3
#
# February 26, 2010 - Jos
#
#
# *** Specify here your AutoIt program directory ***
autoit3dir=C:\Program Files (x86)\AutoIt3
openpath.$(au3)=$(autoit3dir)\include
openpath.beta.$(au3)=$(autoit3dir)\beta\include
au3=*.au3
filter.au3=AutoIt (au3)|$(au3)|
lexer.$(au3)=au3
#define the number of backup files you want to keep 0=none
backup.files=0
#define if you want AutoIt3Wrapper to check once every day for available updates for SciTE4AutoIt3
check.updates.scite4autoit3=0
```

Edited January 25, 2011 by Jos

SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past.

wakillon Posted January 25, 2011 (edited)

@Jos I have made the change in au3.properties to check for updates and restarted SciTE, but it doesn't try to access the internet...

Edited January 25, 2011 by wakillon

GEOSoft Posted January 25, 2011

Just out of curiosity the OP could post a list of all the files that are #Included. I have a solid hunch the problem will be in there.

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums. Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.

*** The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. It is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"

Jos (Developers) Posted January 25, 2011 (edited)

When you have the Full installer loaded and AutoIt3Wrapper is run during a Compile-RUN etc, it will run a CheckForUpdates() udf once a day when:

```autoit
If SendSciTE_GetInfo($My_Hwnd, $SciTE_hwnd, "askproperty:check.updates.scite4autoit3") = 1 Then
    If IniRead($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', '') <> _NowDate() Then
        CheckForUpdates()
        IniWrite($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', _NowDate())
    EndIf
EndIf
```

Which will retrieve the following file from the website:

```autoit
$rc = InetGet('http://www.autoitscript.com/autoit3/scite/download/scite4autoit3version.ini', $SciTE_Dir & "\scite4autoit3versionWeb.ini", 16, 1)
```

Jos

Edited January 25, 2011 by Jos

Skitty (Author) Posted January 26, 2011 (edited)

> When you have the Full installer loaded and AutoIt3Wrapper is run during a Compile-RUN etc, it will run a CheckForUpdates() udf once a day when:
>
> ```autoit
> If SendSciTE_GetInfo($My_Hwnd, $SciTE_hwnd, "askproperty:check.updates.scite4autoit3") = 1 Then
>     If IniRead($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', '') <> _NowDate() Then
>         CheckForUpdates()
>         IniWrite($SciTE_Dir & "\SciTEVersion.ini", 'SciTE4AutoIt3', 'LastCheckDate', _NowDate())
>     EndIf
> EndIf
> ```
>
> Which will retrieve the following file from the website:
>
> ```autoit
> $rc = InetGet('http://www.autoitscript.com/autoit3/scite/download/scite4autoit3version.ini', $SciTE_Dir & "\scite4autoit3versionWeb.ini", 16, 1)
> ```
>
> Jos

I'm sorry for the late reply, but last night after I compiled my program, every time I run any compiled program I make, it automatically tries to access the IP address I mentioned earlier!

This is very strange. I'm not concerned about my privacy because my PC is not very private.

On another note, this morning I have noticed that the balloons that pop up warning about the internet connection just go away after about half a second. What I think may be happening is there may be another program waiting for these popups and then just clicking accept.

I think it may be possible that I have a "RAT" on my PC. RAT = Remote administration tool.

I've been trying to take a screenshot of the popup that says Scite, a centilla (Not sure how its spelled...) based script editor is trying to access the internet, which is a different popup than the one in my picture above. Not only that, but it says the obfuscator and any program I make keeps doing the same thing..

It may be very possible that 209.18.47.61 is using my PC to DDoS sites etc. I say this because I have been fire-walled from HF and several msc sites.

So my conclusion is I "AM" infected.

I am going to boot into Maverick and use V-box to investigate my SciTE install. It would be nice if there were a program that could tell you the difference between two similar files. Like file size etc. I'll just have to download a fresh SciTE and compare them manually.

Edited January 26, 2011 by xJSLRx

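The comparison described in the post above (an installed SciTE or Include folder against a freshly downloaded copy) can be scripted. This is an added example, not part of the thread or of SciTE4AutoIt3: the function names are hypothetical, the list of AutoIt network functions is a short selection rather than a complete one, and the sample folders are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# AutoIt built-ins that open network connections; worth reviewing in a changed UDF.
NET_CALLS = re.compile(r"\b(InetGet|InetRead|TCPConnect|UDPOpen)\s*\(", re.I)

def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root):
    """Map each file's path relative to root to (size, sha256)."""
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
            for p in root.rglob("*") if p.is_file()}

def compare_trees(installed, fresh):
    a, b = index_tree(installed), index_tree(fresh)
    report = {
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "added": sorted(a.keys() - b.keys()),    # only in the installed copy
        "missing": sorted(b.keys() - a.keys()),  # only in the fresh copy
        "net_calls": {},
    }
    # For changed or added scripts, record which network functions they call.
    for rel in report["changed"] + report["added"]:
        if rel.lower().endswith(".au3"):
            text = (installed / rel).read_text(errors="replace")
            hits = sorted({m.group(1) for m in NET_CALLS.finditer(text)})
            if hits:
                report["net_calls"][rel] = hits
    return report

def demo():
    """Constructed sample: a fresh Include folder and an installed copy with one altered UDF."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh, inst = Path(tmp, "fresh"), Path(tmp, "installed")
        for root in (fresh, inst):
            root.mkdir()
            (root / "Misc.au3").write_text("Func _Singleton()\nEndFunc\n")
            (root / "File.au3").write_text("Func _FileCreate($f)\nEndFunc\n")
        (inst / "File.au3").write_text("Func _FileCreate($f)\nInetGet('http://example.invalid/x')\nEndFunc\n")
        (inst / "Extra.au3").write_text("; local helper\n")
        return compare_trees(inst, fresh)

if __name__ == "__main__": print(demo())
```

For a real check, call `compare_trees(Path(installed_dir), Path(fresh_dir))` with the two folders; a file listed under `changed` only shows that it differs from the reference copy, so the fresh copy has to be the same release as the installed one.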
iamtheky Posted January 26, 2011 (edited)

http://forums.majorgeeks.com/showthread.php?t=208856

check post 16 (and 17 for the MVP answer, naturally). If those keys are there I would not think it is your exe or Scite, just your browser and when something invokes it the calls are being made.

but I have been wronger.

Edited January 26, 2011 by iamtheky