Xander
Posted January 20, 2006

I have a short script that, on my customer's computer, gets run once a month. On the 6th month, it drops a basic PDF document to the desktop to remind that I still exist.

For the last couple of weeks, my antivirus has been reporting that a "sample" of Win32:Trojan-gen. {UPX!} exists within the compiled script.

```autoit
#notrayicon
Global $txt = 'C:\windows\housecalls.ini'

; Count this run and exit unless six runs have accumulated
$var = IniRead($txt, "NumberOfMonths", "Month", "0")
$var = $var + 1
IniWrite($txt, "NumberOfMonths", "Month", $var)
If $var < 6 Then Exit
SixMonths()
IniWrite($txt, "NumberOfMonths", "Month", 0) ;RESET COUNTER
Exit

; Drop the embedded PDF on the shared desktop and show the reminder
Func SixMonths()
    FileInstall("F:\spyware\6months.pdf", @DesktopCommonDir & '\READ ME - 6 month reminder.pdf')
    Dim $iMsgBoxAnswer
    $iMsgBoxAnswer = MsgBox(36, "HOUSECALLS computer services", "It has been at least 6 months since Housecalls Computer Services was last here. A simple tune-up reminder document has been placed on your desktop." & @CRLF & "" & @CRLF & "You can contact us for a service call or a tune-up at" & @CRLF & "" & @CRLF & "*************@gmail.com")
    Sleep(10000)
EndFunc ;==>SixMonths

; it did use INCLUDE inet.au3 but I just pasted in the needed sections to try to circumvent the error
; Launch the registered mailto: handler with an encoded address, subject and body
Func _INetMail($s_MailTo, $s_MailSubject, $s_MailBody)
    Return Run(StringReplace(RegRead('HKCR\mailto\shell\open\command', ''), '%1', _INetExplorerCapable('mailto:' & $s_MailTo & '?subject=' & $s_MailSubject & '&body=' & $s_MailBody))) = 0
EndFunc ;==>_INetMail

; Percent-encode characters that are not safe in a URL
Func _INetExplorerCapable($s_IEString)
    If StringLen($s_IEString) <= 0 Then
        ; Set the error flag before returning (it was unreachable after Return)
        SetError(1)
        Return ''
    Else
        Local $s_IEReturn
        Local $i_IECount
        Local $n_IEChar
        For $i_IECount = 1 To StringLen($s_IEString)
            $n_IEChar = '0x' & Hex(Asc(StringMid($s_IEString, $i_IECount, 1)), 2)
            If $n_IEChar < 0x21 Or $n_IEChar = 0x25 Or $n_IEChar = 0x2f Or $n_IEChar > 0x7f Then
                $s_IEReturn = $s_IEReturn & '%' & StringRight($n_IEChar, 2)
            Else
                $s_IEReturn = $s_IEReturn & Chr($n_IEChar)
            EndIf
        Next
        Return $s_IEReturn
    EndIf
EndFunc ;==>_INetExplorerCapable
```

cdkid
Posted January 20, 2006

Yeah, I had that same problem with a script that opened Google and did a search for me... I'm guessing that the file just got infected. I would also like to know about this, though.

lewcamino
Posted January 20, 2006

It's an issue that has been addressed (somewhat). If you rename upx.exe in "C:\Program Files\AutoIt3\Aut2Exe\" to something else (just so it's not used when compiling), it usually fixes the issue. Feel free to ask for more opinions, but try it and see if it fixes your issue.

Later;
Lew

Xander (Author)
Posted January 20, 2006

> It's an issue that has been addressed (somewhat). If you rename upx.exe in "C:\Program Files\AutoIt3\Aut2Exe\" to something else (just so it's not used when compiling), it usually fixes the issue. Feel free to ask for more opinions, but try it and see if it fixes your issue.
>
> Later; Lew

CDkid, it's not infected -- I can freshly compile the script, entirely replacing the old one, and I get the infected message almost immediately.

Lew, I renamed both the original UPX.exe and the beta one ... still gettin' it.

MHz
Posted January 20, 2006

> I have a short script that, on my customer's computer, gets run once a month. On the 6th month, it drops a basic PDF document to the desktop to remind that I still exist.
>
> For the last couple of weeks, my antivirus has been reporting that a "sample" of Win32:Trojan-gen. {UPX!} exists within the compiled script.

Win32:Trojan-gen. AVs use "gen" as an abbreviation for general. This is a pickup with overactive heuristics, I would guess.

pingpong24
Posted January 20, 2006

Your antivirus is very stupid; it's assuming UPX is a virus, as the compiled exe gets compressed via UPX. The best thing to do would be to try to compress the exe with another program! Also try running the script using AutoIt without compiling it. If it still says it's a virus, change your antivirus.

SmOke_N (Moderators)
Posted January 20, 2006

> best thing to do would be try to compress the exe with another program!

Hmmm... what other packer do you suggest?

Xenobiologist
Posted January 20, 2006

Hi,

I had the same problem a couple of weeks ago. I sent the log files to the support center of Norman Virus Control and told them that it is an FP (false positive). They corrected it within the next pattern update.

So long,
Mega.

It was that fast because I'm working in a big company.

Xander (Author)
Posted January 20, 2006

It's noteworthy, btw, that this is the only script I have where I get this error. I can recompile any of my common scripts and not get it. By elimination, it makes me think that it's something in the script itself more than the packer.

I've run my AV on the PDF that gets dropped to the desktop, so the 'sample' shouldn't be in there.

I also find it odd that I never got this error about the file until the last week or so. I've had this script almost unchanged for close to a year.

I suppose the best option is to just "rephrase" the script to try to get away from mirroring the sample that the AV thinks is within it.

lewcamino
Posted January 20, 2006

Well, to be honest, it looks as if you have a smart anti-virus program. I think it was a recent update that is causing it to detect this as a virus now. I also think that perhaps that email part is causing it. Once again I stress that although I am not new to AutoIt, I am by no means an expert. I would do some process of elimination until it is no longer detected.

Later;
Lew

P.S. Google toolbar spell check is the win!
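
Added example, not part of the original thread: a Python check for whether a compiled executable still carries UPX packing, which is the first thing to settle when eliminating the packer as the trigger, as the replies above suggest. The sample headers are constructed, and the three indicators used (section names, an empty first section, the `UPX!` magic) are common UPX traits assumed here, not something the thread specifies.

```python
import struct
import sys

def pe_sections(data):
    """Return [(name, virtual_size, raw_size)] from a PE file's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    if table + 40 * count > len(data):
        raise ValueError("truncated section table")
    sections = []
    for i in range(count):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return sections

def upx_indicators(data):
    """List the reasons a file looks UPX-packed; an empty list means none found."""
    sections = pe_sections(data)
    hits = []
    if any(name.startswith("UPX") for name, _, _ in sections):
        hits.append("UPX section names")
    # UPX's first section is only an unpack target: virtual size but no bytes on disk.
    if sections and sections[0][1] > 0 and sections[0][2] == 0:
        hits.append("first section has no raw data")
    if b"UPX!" in data:  # packer magic; a weak signal alone, any file may contain it
        hits.append("UPX! magic")
    return hits

def build_sample(sections, tail=b""):
    """Constructed PE headers only (not a runnable program), for the demo below."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    rows = b"".join(struct.pack("<8sIIII16x", n, vs, 0x1000 * (i + 1), rs, 0x200)
                    for i, (n, vs, rs) in enumerate(sections))
    return dos + b"PE\0\0" + coff + rows + tail

PACKED = build_sample([(b"UPX0", 0x8000, 0), (b"UPX1", 0x4000, 0x3E00),
                       (b".rsrc", 0x1000, 0x800)], tail=b"\0" * 16 + b"UPX!")
PLAIN = build_sample([(b".text", 0x5000, 0x5000), (b".data", 0x1000, 0x200)])

if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise on the given files.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for label, blob in inputs or [("PACKED", PACKED), ("PLAIN", PLAIN)]:
        print(label, upx_indicators(blob) or "no UPX indicators")
```

If a freshly compiled build reports no indicators and the antivirus still flags it, the packer is ruled out and the elimination moves to the script body.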