Program automation TDSS Killer, finding valid Class?

TomMelee

Heya guys. I've been pumping out a ton of scripts to help me at my little IT shop here, but I'm having issues with TDSS Killer. When I run au3info against the active window, it returns almost nothing, which I'm sure is intentional to keep malware from attacking it. I get no Title, for Basic Window Info Class, I just get #32770. No basic control info, although I do get a button ID if I click scan.

Here's what I'm trying to do. It opens tdsskiller and throws no errors.

; The executable path contains a space, so it has to be quoted for Run
; -l expects the log file name as its next argument
Run('"../Ketarin Apps/tdsskiller.exe" -tdlfs -l -qsus')
; #32770 is the generic Windows dialog class, so this matches whichever dialog
; becomes active next, not only TDSSKiller's (au3info reports no title for it)
WinWaitActive("[CLASS:#32770]")
; 1002 is the control ID au3info reported for the Scan button
ControlClick("[CLASS:#32770]", "", 1002)

Exit

I've also tried without the #'s.

I can't seem to find applicable documentation pages, any help is appreciated.

BrewManNH

What does the button do that you need to press? Have you tried running it with the -silent option of TDSSKiller?


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

TomMelee

The button just starts the scan. There's a reason that I don't want to run it in silent after some tests, and I'm having trouble remembering why. I think maybe it's that the log function or something doesn't work if you do that.

BrewManNH

You never tell it where to write the log anyway; is there a default log file used if you don't specify one?

0xdefea7

The log lives in C: by default. You can automate TDSSKiller whichever way you want; I have scripts for both a manual run (where I make my techs click the button) and one that runs silently and warns you when an infection is found. This will log to whatever path you want, and start with the option "detect TDLFS" (which I recommend).

Requires interaction:

; $PathToTDSSKiller and $PathToYourLogDirectory are placeholders you fill in;
; the directory must end with a backslash, since the file name is appended directly
ShellExecute($PathToTDSSKiller, '-l "' & $PathToYourLogDirectory & 'TDSSKiller.log" -tdlfs', "")

I have to look for the one with no interaction but that should get you started.

the -qsus switch is honestly a really bad idea. There is nothing out that is horribly bricking machines at the moment, but TDSSKiller is sketchy at best to automate removal with. Best be careful for the sake of whoever's PC you are repairing.

TomMelee

If you don't specify a path but you specify -l, it writes to the directory it was called from, in this case, my big ass portable drive with all my utilities on it where it pulls the .exe from.

From what I can see, wayfarer, yours still requires you to click the scan button, no? I'll go ahead and pull the qsus. The script works fine w/o using ShellExecute, btw. I pass a lot of switches w/o using ShellExecute... unless there's something I'm not seeing in that snippet.

BrewManNH

I'd try it with the -silent option and see if you can figure out why you opted not to use it instead of trying to recall it.

TomMelee

Ok, so I sorted it out kind of but not really. I was putting the -silent behind the -l, which meant that it was dumping a log called -silent, heh. Duh.

So now I've got it working fine, I just moved -silent to the front of the string, but since my system is clean I have no idea what it does to show me if there are problems and it's running in silent mode. Any ideas on that one?

0xdefea7

Here is my code from a tool that I wrote. The _UpdateLog functions can be removed:

#include <Array.au3> ; _ArrayAdd
#include <File.au3>  ; _FileReadToArray

Func TDSSKiller()

;~  Returns 0 on 'Clean'
;~  Returns 1 on 'Infection Found'
;~  Returns 2 if error reading log
;~  Download(), _UpdateLog() and $Log_Summary belong to the author's tool and are not shown here

    Local $sTDSSRemote = "http://support.kaspersky.com/downloads/utils/tdsskiller.exe"
    Local $sTDSSLocal = @TempDir & "\QuickScan\TDSSKiller.exe"
    Local $sLogPath = @TempDir & "\QuickScan\Logs\TDSSKiller.log"
    Local $aTDSSLog, $aReport[3], $found = 0
    Local $i, $iStrPos, $sFileFound

    Download($sTDSSRemote, $sTDSSLocal) ; plain-HTTP fetch of the binary on every run, no integrity check

    If FileExists($sTDSSLocal) Then
        ; Run the scanner directly rather than through cmd /c, so the quoted paths reach it intact.
        ; -silent must come before -l: -l takes the next token as the log file name.
        RunWait('"' & $sTDSSLocal & '" -tdlfs -silent -l "' & $sLogPath & '"', "", @SW_HIDE)
        If FileExists($sLogPath) Then
            If Not _FileReadToArray($sLogPath, $aTDSSLog) Then
                MsgBox(16, "QuickScan", "Error reading TDSSKiller log to array.")
                Return 2
            Else
                ; element 0 holds the line count; every log line starts with a 20-character timestamp
                For $i = 1 To UBound($aTDSSLog) - 1
                    If StringInStr($aTDSSLog[$i], "Suspicious") Then
                        _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20))
                        If @error Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "infected") Then
                        ; keep the object name between the timestamp and the "(" that opens the detection detail
                        $iStrPos = StringInStr($aTDSSLog[$i], "(")
                        If $iStrPos > 21 Then
                            $sFileFound = StringStripWS(StringMid($aTDSSLog[$i], 21, $iStrPos - 21), 3)
                        Else
                            $sFileFound = StringStripWS(StringTrimLeft($aTDSSLog[$i], 20), 3)
                        EndIf
                        _ArrayAdd($aReport, "File: " & $sFileFound & ".sys")
                        If @error Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "detected") Then
                        _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20))
                        If @error Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    EndIf
                Next
            EndIf
        EndIf
    EndIf

;~  _ArrayDisplay($aReport)

    If $found = 1 Then
        _UpdateLog("TDSSKiller found rootkits:")
        _UpdateLog("")
        For $i = 0 To UBound($aReport) - 1
            If $aReport[$i] = "" Then ContinueLoop ; skip the empty slots $aReport was declared with
            _UpdateLog(Chr(9) & $aReport[$i]) ;Write to the log file from the array
        Next
        ShellExecute("notepad.exe", $Log_Summary)
    Else
        _UpdateLog("TDSSKiller scan complete.")
        _UpdateLog("")
    EndIf

    Return $found

EndFunc   ;==>TDSSKiller

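Added example, in Python rather than AutoIt and not code from any poster in this thread. It wraps the two things the thread pins down into testable functions: the switch ordering TomMelee ran into (-l takes the next token as the log name, so "-l -silent" writes a log called "-silent"), and the keyword scan over the log that 0xdefea7's function performs, with the same 0/1/2 result contract. The log line layout (a 20-character date/time prefix, then the message) is an assumption inferred from the posted AutoIt, SAMPLE_LOG is constructed for this example and is not real TDSSKiller output, and the scanner is assumed to already be on disk from a trusted source, since the posted function fetches it over plain HTTP with no integrity check.

```python
"""Added example (Python, not AutoIt; not code from the thread).

build_cmdline(): every flag goes BEFORE "-l <path>", and the result is an
argv list, so no shell (cmd /c) quote handling can mangle the paths.
classify_log(): the keyword match 0xdefea7's AutoIt does over the log.

Assumptions (not from the original page): the 20-character prefix layout,
and the constructed SAMPLE_LOG below.
"""
from __future__ import annotations

import subprocess
from pathlib import Path
from typing import List, Tuple

CLEAN, INFECTED, LOG_ERROR = 0, 1, 2   # same meaning as the posted function's 0/1/2
PREFIX_LEN = 20                        # assumed fixed-width "YYYY/MM/DD HH:MM:SS " prefix


def build_cmdline(exe: str, log_path: str, silent: bool = True,
                  tdlfs: bool = True, quarantine_suspicious: bool = False) -> List[str]:
    """Return an argv list for TDSSKiller with every flag before '-l <path>'."""
    argv = [exe]
    if silent:
        argv.append("-silent")
    if tdlfs:
        argv.append("-tdlfs")
    if quarantine_suspicious:          # -qsus: the thread advises against automating this
        argv.append("-qsus")
    argv += ["-l", log_path]           # -l consumes exactly the next token
    return argv


def classify_log(lines: List[str]) -> Tuple[int, List[str]]:
    """Keyword-match each log line after the prefix, as the posted AutoIt does.

    Matching is case-insensitive (AutoIt's StringInStr default). 'suspicious'
    is tested first so a line is reported once. For 'infected' lines the text
    before the '(' that opens the detection detail is kept as the object name.
    """
    findings: List[str] = []
    for raw in lines:
        body = raw.rstrip("\r\n")[PREFIX_LEN:].strip()
        low = body.lower()
        if "suspicious" in low:
            findings.append(body)
        elif "infected" in low:
            name = body.split("(", 1)[0].strip() or body
            findings.append(f"File: {name}")
        elif "detected" in low:
            findings.append(body)
    return (INFECTED if findings else CLEAN), findings


def run_scan(exe: str, log_path: str) -> Tuple[int, List[str]]:
    """Run the scanner (assumed already on disk from a trusted source) and classify its log."""
    try:
        subprocess.run(build_cmdline(exe, log_path), check=False)  # argv list: no shell involved
    except OSError:                    # scanner missing or not launchable
        return LOG_ERROR, []
    log = Path(log_path)
    if not log.is_file():
        return LOG_ERROR, []
    try:
        text = log.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return LOG_ERROR, []
    return classify_log(text.splitlines())


# Constructed sample log for this example; the detection name is a placeholder.
SAMPLE_LOG = [
    "2013/04/02 10:15:03   Scan started",
    "2013/04/02 10:15:09   Suspicious object found: \\Device\\Harddisk0\\DR0",
    "2013/04/02 10:15:12   afd ( Example.Detection.Name ) - infected",
    "2013/04/02 10:15:14   Scan finished",
]

if __name__ == "__main__":
    print(build_cmdline(r"D:\utils\tdsskiller.exe", r"D:\utils\TDSSKiller.log"))
    status, found = classify_log(SAMPLE_LOG)
    print("status", status)
    for item in found:
        print("  ", item)
```

The matching is keyword-based, exactly as in the posted AutoIt, so it should be checked against a real log from a known-infected machine before the result is trusted for anything beyond "open the log and look".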
TomMelee

Holy crap that's elegant. I'm nowhere near ready to parse strings from logfiles yet, but this is a fantastic example of how to do it. I'm still struggling with creating a GUI, lol.

Thanks!

TXTechie

TomMelee,

You might want to check out the included form designer of the ISN AutoIt Studio AutoIt IDE. It's in beta, but it's maturing nicely and it makes it MUCH easier to create GUIs!

TomMelee

Thanks TXTechie. I was looking at Koda, but having trouble finding a n00b guide for it. I was expecting OnClick to work like MS Access, but it doesn't seem to. I'm sure it's easy, but I'm not catching on. I'll check this out and see what I see.
