# Anti Spyware idea

Hi all,

I'd like to try the following project as an anti-spyware solution.

I've searched the forum but haven't found anything similar enough to be of use to a newbie.....

1. scan system partition to create a 'BEFORE' snapshot using DIR /s /b

2. surf the net picking up various unwanted progs / spyware

3. scan sys partition again at a later date to create an 'AFTER' snapshot as above

4. This is the tricky bit: compare the differences between the two file lists and create a 'CHANGES' file.

5. Use the 'CHANGES' file as the input source for a third-party delete-on-reboot type program (would enable in-use spyware proggies to be deleted).

Any thoughts on the above gratefully received!

##### Share on other sites

Spyware, adware and any other virus-type programs aren't only disk based; even if you delete them they might make pretty much a lot of mess. So you gotta consider a registry scan too.

My little company: Evotec (PL version: Evotec)

##### Share on other sites

InstallShield does something like you describe. (If my coworker explained it to me correctly.) With InstallShield, you have a before snapshot, you then install the application, and it will take an after snapshot. It then will compare the changes and come up with the install package.

The problem with your approach is that by taking a snapshot, you lock the PC in a "photo" of its state. If later you take another snapshot, things have changed, and some things you want to have changed. Example being antivirus def files, windows updates, software updates, and so forth. A simple change to the registry that points to something you need would be deleted also. The research to look for every change would be quite daunting to say the least.

Another problem is Spyware is more often using rootkits to install themselves, and the use of a snapshot is almost useless. Unless you know exactly what you are looking for, the Spyware will (odds are) slip past. I've personally seen Spyware that would install itself in the root kernel, and it is almost impossible to remove. The way computers are today, you just about have to treat them as living machines. They are born (OS loaded and other basic software), they grow (you install more software, and customize them to your taste), they get sick (virus and Spyware infections), they need medications (antivirus, AntiSpyware), and they die (they get an infection that causes so much damage that the unit is no longer stable, and needs to be rebuilt). The computer person is like a doctor, treating the sick. The problem is the environment is evolving, just like the normal environment we all live in. New infections come along; drugs that worked on old infections no longer work, and so forth.

The idea you put forth is good, but the work to do this is quite labor intensive, for each change would need to be checked, just to see what the change is.

I will get off my soapbox now.......

##### Share on other sites

Thanks for the feedback folks,

I am familiar with products like Ghost, Deep Freeze, Ghost Surfer et al but thought the challenge of achieving a 'similar' end result using AutoIt and some freeware would be an interesting one!

With regard to the registry changes / rootkits I thought I could take care of that with the excellent command-line ERUNT, which would enable a complete registry snapshot at every reboot (like using Last Known Good) and would also take care of the rootkit / registry autoruns etc.

This then leaves the newly created unwanted files, which would be compared on an 'it didn't exist before so delete it' basis but would use a file mask to exclude specified file types such as system files ('cause we don't wanna delete them).

In order to get around the problem of open / in-use files I thought the command-line CopyLock could be passed the content of the CHANGES file to delete upon reboot....

There is an excellent piece of software called Total Uninstaller which achieves this, i.e. the opposite of Wise / InstallShield, but alas it is no longer free.

Anyone think this idea has legs or should I consign it to the recycle bin?

##### Share on other sites

Personally I don't think it's really worth your time. I say that because of the tools people already have, system restore, registry backups, last known good, etc, not to mention the plethora of spyware scanners. In addition, not every new file or registry entry is a bad one, and by adding in a confirmation for each thing to be deleted, you'd be pretty much removing the very efficiency you mean to create. I would say you definitely had a neat idea, which someone would probably use (one born every minute?) but as far as a real project, I personally don't think it would be worth the time investment, except possibly for the knowledge gained by creating a new project.
##### Share on other sites

I am interested in this. I use BartPE at work...and spyware/viruses are a lot easier to deal with when you remove their files; then you only need to deal with the registry stuff (which there are also tools for in BartPE...and then stuff in Windows afterward).

Maybe something like this....I don't think this is completely right...but it's a start

    #include <GuiConstants.au3>
    #include <process.au3>

    $tempfile1 = "C:\Spyware_Finder_Temp1.txt"
    $tempfile2 = "C:\Spyware_Finder_Temp2.txt"
    $tempfile3 = "C:\Spyware_Finder_Results.txt"
    Dim $line1 = 1
    Dim $line2 = 1

    SplashTextOn("Scanning", "Scanning Files")
    _RunDOS("DIR c:\ /s /b > " & $tempfile1) ; first (BEFORE) snapshot
    SplashOff()
    MsgBox(0, "", "Click OK when ready to scan again")
    _RunDOS("DIR c:\ /s /b > " & $tempfile2) ; second (AFTER) snapshot

    GuiCreate("MyGUI", 392, 239)
    $edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
    $edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
    $count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
    $count2 = GuiCtrlCreateLabel("", 10, 130, 100, 20)
    GuiSetState()

    While 1
        $file1 = FileReadLine($tempfile1, $line1)
        If @error = -1 Then $file1 = ""
        $file2 = FileReadLine($tempfile2, $line2)
        If @error = -1 Then ExitLoop
        ;SplashTextOn("comparing", $line1 & @LF & $file1 & @LF & @LF & $line2 & @LF & $file2, 500, 250)
        GUICtrlSetData($edit1, $file1)
        GUICtrlSetData($edit2, $file2)
        GUICtrlSetData($count1, $line1)
        GUICtrlSetData($count2, $line2)

        If $file2 = $file1 Then
            $line1 += 1
            $line2 += 1
        Else
            ; line only in the AFTER list: record it as a new file (skip the snapshot file itself)
            If $file2 <> $tempfile2 Then FileWrite($tempfile3, $file2 & @CRLF)
            $line2 += 1
        EndIf
    WEnd
    Exit

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature

##### Share on other sites

Maybe delete using Killbox http://www.bleepingcomputer.com/files/killbox.php

    $deletefiles = "C:\Spyware_Finder_Results.txt"
    $line = 1
    Run("Killbox.exe")
    WinWaitActive("Pocket Killbox")
    While 1
        $file1 = FileReadLine($deletefiles, $line)
        If @error = -1 Then ExitLoop
        ClipPut($file1)             ; put the path on the clipboard...
        WinActivate("Pocket Killbox")
        Send("!fp")                 ; ...and send Alt+F, P to Killbox to paste it
        $line += 1
    WEnd

    ControlClick("Pocket Killbox", "", "ThunderRT6OptionButton4") ;click delete on reboot
    ControlClick("Pocket Killbox", "", "ThunderRT6OptionButton1") ;click "All files"

    ControlClick("Pocket Killbox", "", "ThunderRT6CommandButton2") ;click delete button

    WinWaitActive("Delete next Reboot")
    ;ControlClick("Delete next Reboot", "", "Button1") ; reboot now
    ControlClick("Delete next Reboot", "", "Button2") ; do not reboot now


##### Share on other sites

The comparing of file names takes too long...any ideas on making it faster? I looked at FileOpen and other commands, but I don't really know how to use them.


##### Share on other sites

I used an array and that sped things up greatly (6 hrs to like under 5 mins).

Keep in mind this program assumes no files get deleted; if something gets deleted it's going to mess up all remaining results.

My first AutoIt array :-)

    ;--------------------------------------------------------
    #include <file.au3>
    #include <GuiConstants.au3>
    #include <process.au3>
    $tempfile1 = "C:\Spyware_Finder_Temp1.txt"
    $tempfile2 = "C:\Spyware_Finder_Temp2.txt"
    $tempfile3 = "C:\Spyware_Finder_Results.txt"
    Dim $array1, $array2
    Dim $line1 = 1
    Dim $line2 = 1
    ;--------------------------------------------------------
    FileDelete($tempfile1) ;remove old files if they exist
    FileDelete($tempfile2)
    FileDelete($tempfile3)
    ;--------------------------------------------------------

    SplashTextOn("Scanning", "Scanning Files", 200, 75)
    _RunDOS("DIR c:\ /s /b > " & $tempfile1) ;pipe index results to tempfile1
    SplashOff()
    MsgBox(0, "", "Click OK when ready to scan again")
    SplashTextOn("Scanning", "Scanning Files", 200, 75)
    _RunDOS("DIR c:\ /s /b > " & $tempfile2) ;pipe index results to tempfile2
    SplashOff()

    _FileReadToArray($tempfile1, $array1) ; create an array with tempfile1 (each line contains a filename)
    _FileReadToArray($tempfile2, $array2) ; create an array with tempfile2

    ;Comparing GUI
    GuiCreate("Comparing", 392, 239)
    $edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
    $edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
    $count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
    $count2 = GuiCtrlCreateLabel("", 10, 130, 100, 20)
    GuiSetState()
    ;Comparing GUI End
    While 1
        If $line1 <= $array1[0] Then       ; element 0 holds the line count
            $file1 = $array1[$line1]
        Else
            $file1 = ""
        EndIf
        If $line2 <= $array2[0] Then
            $file2 = $array2[$line2]
        Else
            ExitLoop
        EndIf
        GUICtrlSetData($edit1, $file1)
        GUICtrlSetData($edit2, $file2)
        GUICtrlSetData($count1, $line1)
        GUICtrlSetData($count2, $line2)
        If $file2 = $file1 Then
            $line1 += 1
            $line2 += 1
        Else
            If $file2 <> $tempfile2 Then FileWrite($tempfile3, $file2 & @CRLF)
            $line2 += 1
        EndIf
    WEnd
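The sequential walk above loses sync as soon as a file disappears between the two scans, and the thread goes on to add file masks for the scan's own temp files and the browser cache. As an added example that is not the thread's AutoIt code, here is the same BEFORE/AFTER comparison done as a set difference in Python, with the exclusion masks applied to both new and removed paths; the two listings and the masks are constructed samples in DIR /s /b form.

```python
from fnmatch import fnmatchcase

# Constructed sample snapshots in "DIR /s /b" form (not real scan output).
BEFORE = r"""C:\Spyware_Finder_Temp1.txt
C:\Program Files\Good App\good.exe
C:\WINDOWS\system32\kernel32.dll
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\page1.htm
C:\Temp\old.tmp
"""
AFTER = r"""C:\Spyware_Finder_Temp1.txt
C:\Spyware_Finder_Temp2.txt
C:\Program Files\Good App\good.exe
C:\Program Files\Unwanted Toolbar\tb.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\newupdate.dll
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\page2.htm
"""

# Exclusion masks (assumed, in the spirit of the thread): the snapshot files
# themselves, the browser cache, and a protected system directory.
EXCLUDE = [
    r"C:\Spyware_Finder_*.txt",
    r"*\Temporary Internet Files\*",
    r"C:\WINDOWS\system32\*",
]

def parse_listing(text):
    """One path per line; NTFS paths are case-insensitive, so fold case."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def excluded(path, masks=EXCLUDE):
    return any(fnmatchcase(path.lower(), m.lower()) for m in masks)

def snapshot_diff(before_text, after_text, masks=EXCLUDE):
    """Return (added, removed) paths with the masks applied to both.

    A set difference does not depend on ordering or on files that vanished
    between the scans, which is where a line-by-line walk loses sync.
    """
    before, after = parse_listing(before_text), parse_listing(after_text)
    added = sorted(p for p in after - before if not excluded(p, masks))
    removed = sorted(p for p in before - after if not excluded(p, masks))
    return added, removed

if __name__ == "__main__":
    new, gone = snapshot_diff(BEFORE, AFTER)
    print("CHANGES (new files):", *new, sep="\n  ")
    print("Removed since BEFORE:", *gone, sep="\n  ")
```

The `added` list is what would be written to the CHANGES file; `removed` is only reported, since a deletion is not something a cleanup step should act on.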

##### Share on other sites

Wow! thanks ACalcutt

I tested the concept on an installation of Spyware Doctor (like the irony!) to see if it removed all traces; together with the registry backup via ERUNT it was toast! It did take an age as you've said (6 hours on a 20 Gig sys partition) but now with your latest code it flies! (~4 mins) As almost all spyware / virii / trojans are software installations, this idea should work on them all?

With regard to Killbox: it works fine but I was trying to use CopyLock (link in earlier post) as it has a command-line version which should make it possible to achieve the same result without the pop-up GUI...

    While 1
        ; call to CopyLock + name of file to delete
    WEnd

As a newb I am getting stuck passing the $file1 parameter to the command line. This is what I have tried:

    RunWait(@ComSpec & " /c " & "c:\cl.exe &$file1")

I think the concatenation is correct and the file names are being passed to the clipboard (checked with MsgBox) but it seems the string content is not available in the command shell?! Any ideas?

##### Share on other sites

Untested...but I think it should be

    RunWait(@ComSpec & ' /c c:\cl.exe "' & $file1 & '"') ; /c makes cmd.exe run the command and exit

If you don't put quotes around the filename, any filename where there's a space will mess things up...you had the variable inside quotes, and you were missing a space between cl.exe and your filename. Ex.

    $file1 = "c:\test\a b\test.exe"
    MsgBox(0, "", 'c:\cl.exe "' & $file1 & '"')

##### Share on other sites

Something like this maybe (untested...don't have cl.exe)

    ;--------------------------------------------------------
    ;AutoIt Version: 3.1.1.102 Beta
    ;
    ;Script Author: Andrew Calcutt
    ;Script Date: 01/21/2006
    ;Script Name: RemoveNewFiles
    ;Script Function: Use the 'CHANGES' file as the input source to Copylock delete on reboot program
    ;*Needs CopyLock(cl.exe) http://noeld.com/programs.asp?cat=misc
    ;--------------------------------------------------------
    #include <file.au3>
    #include <process.au3>
    $tempfile3 = "C:\FileChange_Results.txt"
    Dim $array3
    Dim $line3 = 1

    _FileReadToArray($tempfile3, $array3) ; one CHANGES entry per element, count in [0]
    For $x = 1 To $array3[0]
        _RunDOS('c:\cl.exe "' & $array3[$line3] & '"') ; quote the path so spaces survive
        $line3 += 1
    Next

##### Share on other sites

Update - this version won't mess up if a file is deleted before the second scan starts

    ;--------------------------------------------------------
    ;AutoIt Version: 3.1.1.102 Beta
    ;
    ;Script Author: Andrew Calcutt
    ;Script Date: 01/21/2006
    ;Script Name: FileChangeSearch
    ;Script Function:
    ; 1. scan system partition to create a 'BEFORE' snapshot using DIR /s /b
    ; 2. scan sys partition again at a later date to create an 'AFTER' snapshot as above (after picking up new files)
    ; 3. Compare the differences between the two file lists and create a 'CHANGES' file.
    ;--------------------------------------------------------
    #include <Array.au3>
    #include <GuiConstants.au3>
    #include <file.au3>
    #include <process.au3>
    Dim $tempfile1 = "C:\FileChange_Temp1.txt"
    Dim $tempfile2 = "C:\FileChange_Temp2.txt"
    Dim $tempfile3 = "C:\FileChange_Results.txt"
    Dim $array1, $array2
    Dim $pos = 0
    Dim $line = 1
    ;--------------------------------------------------------
    FileDelete($tempfile1) ;remove old files if they exist
    FileDelete($tempfile2)
    FileDelete($tempfile3)
    ;--------------------------------------------------------
    SplashTextOn("Scanning", "Scanning Files", 200, 75)
    _RunDOS("DIR c:\ /s /b > " & $tempfile1) ;pipe index results to tempfile1
    SplashOff()
    MsgBox(0, "", "Click OK when ready to scan again")
    SplashTextOn("Scanning", "Scanning Files", 200, 75)
    _RunDOS("DIR c:\ /s /b > " & $tempfile2) ;pipe index results to tempfile2
    SplashOff()
    _FileReadToArray($tempfile1, $array1) ; create an array with tempfile1 (each line contains a filename)
    _FileReadToArray($tempfile2, $array2) ; create an array with tempfile2
    ;Comparing GUI
    GuiCreate("Comparing", 392, 239)
    $edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
    $edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
    $count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
    GuiSetState()
    ;Comparing GUI End
    For $loop = 1 To $array2[0]
        GUICtrlSetData($edit2, $array2[$line])
        GUICtrlSetData($count1, $line)
        GUICtrlSetData($edit1, "Scanning For Match" & @CRLF)
        If $array2[$line] <> $tempfile2 Then
            ; search the BEFORE list from the last match onward, so a file that
            ; vanished between the scans only costs a longer search, not lost sync
            $pos2 = $pos
            $pos = _ArraySearch($array1, $array2[$line], $pos2, $array1[0])
            If @error = 6 Or @error = 4 Then FileWrite($tempfile3, $array2[$line] & @CRLF)
            If $pos = -1 Then
                GUICtrlSetData($edit1, "*** New File ***" & @CRLF)
                GUICtrlSetData($edit1, $array2[$line], 1)
                Sleep(1000)
                $pos = $pos2
            Else
                GUICtrlSetData($edit1, "Match Found on Line: " & $pos & @CRLF, 1)
                GUICtrlSetData($edit1, $array1[$pos], 1)
            EndIf
        EndIf
        $line += 1 ; next AFTER entry
    Next

to

    ; And, not Or: skip the snapshot file itself as well as browser-cache entries
    If $array2[$line] <> $tempfile2 And StringInStr($array2[$line], "Temporary Internet Files") = 0 Then

##### Share on other sites

Yep, using the Beta solved it! Thanks for your speedy responses! Now must try and do the same with the registry. Should keep me busy for a while.....

##### Share on other sites

Maybe you could do REGEDIT /E c:\reg.txt; this would dump the registry info into c:\reg.txt. Then the hard part would be the comparing...because some keys are multi-lined.

Edit - looks like multi-line keys end with ",\" so you could look for that.

##### Share on other sites

This may help you

    ;By Andrew Calcutt
    ;_RegSubKeysSubVals([start registry key], [array name])
    ;
    Func _RegSubKeysSubVals($startkey, ByRef $array)
        Local $line, $reg, $data
        ; values of this key, as name=data
        $line = 0
        While 1
            $line += 1
            $reg = RegEnumVal($startkey, $line)
            If @error Then ExitLoop
            $data = RegRead($startkey, $reg)
            _ArrayAdd($array, $reg & "=" & $data)
        WEnd
        ; subkeys, each recorded as [path] and then walked recursively
        $line = 0
        While 1
            $line += 1
            $reg = RegEnumKey($startkey, $line)
            If @error Then ExitLoop
            _ArrayAdd($array, "[" & $startkey & "\" & $reg & "]")
            _RegSubKeysSubVals($startkey & "\" & $reg, $array)
        WEnd
    EndFunc

Working example

    #include <Array.au3>
    Dim $reg1[1]

    _RegSubKeysSubVals("HKLM\SOFTWARE\AutoIt v3", $reg1)
    $reg1[0] = UBound($reg1) - 1 ; element 0 holds the count, like _FileReadToArray
    _ArrayDisplay($reg1, $reg1[0])

    Func _RegSubKeysSubVals($startkey, ByRef $array)
        Local $line, $reg, $data
        $line = 0
        While 1
            $line += 1
            $reg = RegEnumVal($startkey, $line)
            If @error Then ExitLoop
            $data = RegRead($startkey, $reg)
            _ArrayAdd($array, $reg & "=" & $data)
        WEnd
        $line = 0
        While 1
            $line += 1
            $reg = RegEnumKey($startkey, $line)
            If @error Then ExitLoop
            _ArrayAdd($array, "[" & $startkey & "\" & $reg & "]")
            _RegSubKeysSubVals($startkey & "\" & $reg, $array)
        WEnd
    EndFunc

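The REGEDIT /E dump-and-compare idea above, as an added Python example that is not the thread's code: it parses two constructed, abridged exports, joining the hex lines that REGEDIT wraps with a trailing ",\", and reports added, changed and removed values, the registry-side counterpart of the file CHANGES list.

```python
import re

# Constructed, abridged REGEDIT /E exports (not real registry dumps).
REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoodApp"="C:\\Program Files\\Good App\\good.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,\
  17,18,19,1a
"""
REG_AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoodApp"="C:\\Program Files\\Good App\\good.exe"
"Toolbar"="C:\\Program Files\\Unwanted Toolbar\\tb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,15,16,\
  17,18,19,1a,ff
"""

# A value line is "name"=data, or @=data for the key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def parse_reg_export(text):
    """Map (key, value_name) -> data; value_name is None for the key itself."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith(",\\"):          # REGEDIT wraps long hex data with ",\"
            pending = line[:-1]           # keep the comma, drop the backslash
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, None)] = None   # a key exists even with no values
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("unparsed line: %r" % line)
        entries[(key, "@" if m.group(1) is None else m.group(1))] = m.group(2)
    return entries

def reg_diff(before_text, after_text):
    """Return (added, changed, removed) lists of (key, value_name) tuples."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    added = sorted((k for k in after if k not in before), key=str)
    changed = sorted((k for k in after if k in before and after[k] != before[k]), key=str)
    removed = sorted((k for k in before if k not in after), key=str)
    return added, changed, removed
```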

##### Share on other sites

Cheers!

If I am gonna have a learning curve might as well make it a steep one! From 'Hello World' to UDF's & Arrays in a few short days

If this registry rollback can be achieved without the 3rd party ERUNT prog it's one step closer to an all Autoit uninstaller!

I think the delete / move on next boot might be a step too far though; c# anyone ?
