R.Sanderson

Ad-Aware </3 Auto-It

6 posts in this topic

#1 ·  Posted (edited)

Ad-Aware now detects active Auto-It scripts as WIN32.Trojandropper or something similar to this. I am not 100% sure that it is 100% of Auto-It scripts, but I tested it on a few scripts.

Does anyone know a way to protect a file from Ad-Aware, or some way to convince Ad-Aware that Auto-It is ok, without actually going in and excluding the folder the script is in?

Here is one that it didn't like (thanks, ChrisL, by the way):

; WMI ExecQuery flags: semi-synchronous call, forward-only enumerator
$wbemFlagReturnImmediately = 0x10
$wbemFlagForwardOnly = 0x20
$colItems = ""
$strComputer = "localhost"   ; host whose WMI repository is queried

$Output=""
$Output = $Output & "Computer: " & $strComputer  & @CRLF
$Output = $Output & "==========================================" & @CRLF
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
$colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration ", "WQL", _
                                          $wbemFlagReturnImmediately + $wbemFlagForwardOnly)

If IsObj($colItems) then
   For $objItem In $colItems
      $Output = $Output & "ArpAlwaysSourceRoute: " & $objItem.ArpAlwaysSourceRoute & @CRLF
      $Output = $Output & "ArpUseEtherSNAP: " & $objItem.ArpUseEtherSNAP & @CRLF
      $Output = $Output & "Caption: " & $objItem.Caption & @CRLF
      $Output = $Output & "DatabasePath: " & $objItem.DatabasePath & @CRLF
      $Output = $Output & "DeadGWDetectEnabled: " & $objItem.DeadGWDetectEnabled & @CRLF
      $strDefaultIPGateway = $objItem.DefaultIPGateway(0)
      $Output = $Output & "DefaultIPGateway: " & $strDefaultIPGateway & @CRLF
      $Output = $Output & "DefaultTOS: " & $objItem.DefaultTOS & @CRLF
      $Output = $Output & "DefaultTTL: " & $objItem.DefaultTTL & @CRLF
      $Output = $Output & "Description: " & $objItem.Description & @CRLF
      $Output = $Output & "DHCPEnabled: " & $objItem.DHCPEnabled & @CRLF
      $Output = $Output & "DHCPLeaseExpires: " & WMIDateStringToDate($objItem.DHCPLeaseExpires) & @CRLF
      $Output = $Output & "DHCPLeaseObtained: " & WMIDateStringToDate($objItem.DHCPLeaseObtained) & @CRLF
      $Output = $Output & "DHCPServer: " & $objItem.DHCPServer & @CRLF
      $Output = $Output & "DNSDomain: " & $objItem.DNSDomain & @CRLF
      $strDNSDomainSuffixSearchOrder = $objItem.DNSDomainSuffixSearchOrder(0)
      $Output = $Output & "DNSDomainSuffixSearchOrder: " & $strDNSDomainSuffixSearchOrder & @CRLF
      $Output = $Output & "DNSEnabledForWINSResolution: " & $objItem.DNSEnabledForWINSResolution & @CRLF
      $Output = $Output & "DNSHostName: " & $objItem.DNSHostName & @CRLF
      $strDNSServerSearchOrder = $objItem.DNSServerSearchOrder(0)
      $Output = $Output & "DNSServerSearchOrder: " & $strDNSServerSearchOrder & @CRLF
      $Output = $Output & "DomainDNSRegistrationEnabled: " & $objItem.DomainDNSRegistrationEnabled & @CRLF
      $Output = $Output & "ForwardBufferMemory: " & $objItem.ForwardBufferMemory & @CRLF
      $Output = $Output & "FullDNSRegistrationEnabled: " & $objItem.FullDNSRegistrationEnabled & @CRLF
      $strGatewayCostMetric = $objItem.GatewayCostMetric(0)
      $Output = $Output & "GatewayCostMetric: " & $strGatewayCostMetric & @CRLF
      $Output = $Output & "IGMPLevel: " & $objItem.IGMPLevel & @CRLF
      $Output = $Output & "Index: " & $objItem.Index & @CRLF
      $strIPAddress = $objItem.IPAddress(0)
      $Output = $Output & "IPAddress: " & $strIPAddress & @CRLF
      $Output = $Output & "IPConnectionMetric: " & $objItem.IPConnectionMetric & @CRLF
      $Output = $Output & "IPEnabled: " & $objItem.IPEnabled & @CRLF
      $Output = $Output & "IPFilterSecurityEnabled: " & $objItem.IPFilterSecurityEnabled & @CRLF
      $Output = $Output & "IPPortSecurityEnabled: " & $objItem.IPPortSecurityEnabled & @CRLF
      $strIPSecPermitIPProtocols = $objItem.IPSecPermitIPProtocols(0)
      $Output = $Output & "IPSecPermitIPProtocols: " & $strIPSecPermitIPProtocols & @CRLF
      $strIPSecPermitTCPPorts = $objItem.IPSecPermitTCPPorts(0)
      $Output = $Output & "IPSecPermitTCPPorts: " & $strIPSecPermitTCPPorts & @CRLF
      $strIPSecPermitUDPPorts = $objItem.IPSecPermitUDPPorts(0)
      $Output = $Output & "IPSecPermitUDPPorts: " & $strIPSecPermitUDPPorts & @CRLF
      $strIPSubnet = $objItem.IPSubnet(0)
      $Output = $Output & "IPSubnet: " & $strIPSubnet & @CRLF
      $Output = $Output & "IPUseZeroBroadcast: " & $objItem.IPUseZeroBroadcast & @CRLF
      $Output = $Output & "IPXAddress: " & $objItem.IPXAddress & @CRLF
      $Output = $Output & "IPXEnabled: " & $objItem.IPXEnabled & @CRLF
      $strIPXFrameType = $objItem.IPXFrameType(0)
      $Output = $Output & "IPXFrameType: " & $strIPXFrameType & @CRLF
      $Output = $Output & "IPXMediaType: " & $objItem.IPXMediaType & @CRLF
      $strIPXNetworkNumber = $objItem.IPXNetworkNumber(0)
      $Output = $Output & "IPXNetworkNumber: " & $strIPXNetworkNumber & @CRLF
      $Output = $Output & "IPXVirtualNetNumber: " & $objItem.IPXVirtualNetNumber & @CRLF
      $Output = $Output & "KeepAliveInterval: " & $objItem.KeepAliveInterval & @CRLF
      $Output = $Output & "KeepAliveTime: " & $objItem.KeepAliveTime & @CRLF
      $Output = $Output & "MACAddress: " & $objItem.MACAddress & @CRLF
      $Output = $Output & "MTU: " & $objItem.MTU & @CRLF
      $Output = $Output & "NumForwardPackets: " & $objItem.NumForwardPackets & @CRLF
      $Output = $Output & "PMTUBHDetectEnabled: " & $objItem.PMTUBHDetectEnabled & @CRLF
      $Output = $Output & "PMTUDiscoveryEnabled: " & $objItem.PMTUDiscoveryEnabled & @CRLF
      $Output = $Output & "ServiceName: " & $objItem.ServiceName & @CRLF
      $Output = $Output & "SettingID: " & $objItem.SettingID & @CRLF
      $Output = $Output & "TcpipNetbiosOptions: " & $objItem.TcpipNetbiosOptions & @CRLF
      $Output = $Output & "TcpMaxConnectRetransmissions: " & $objItem.TcpMaxConnectRetransmissions & @CRLF
      $Output = $Output & "TcpMaxDataRetransmissions: " & $objItem.TcpMaxDataRetransmissions & @CRLF
      $Output = $Output & "TcpNumConnections: " & $objItem.TcpNumConnections & @CRLF
      $Output = $Output & "TcpUseRFC1122UrgentPointer: " & $objItem.TcpUseRFC1122UrgentPointer & @CRLF
      $Output = $Output & "TcpWindowSize: " & $objItem.TcpWindowSize & @CRLF
      $Output = $Output & "WINSEnableLMHostsLookup: " & $objItem.WINSEnableLMHostsLookup & @CRLF
      $Output = $Output & "WINSHostLookupFile: " & $objItem.WINSHostLookupFile & @CRLF
      $Output = $Output & "WINSPrimaryServer: " & $objItem.WINSPrimaryServer & @CRLF
      $Output = $Output & "WINSScopeID: " & $objItem.WINSScopeID & @CRLF
      $Output = $Output & "WINSSecondaryServer: " & $objItem.WINSSecondaryServer & @CRLF
      if Msgbox(1,"WMI Output",$Output) = 2 then ExitLoop
      $Output=""
   Next
Else
   Msgbox(0,"WMI Output","No WMI Objects Found for class: " & "Win32_NetworkAdapterConfiguration" )
Endif


; Convert a CIM DATETIME string (yyyymmddHHMMSS.ffffff+UUU) to mm/dd/yyyy HH:MM:SS.
; The fractional seconds and the UTC offset at the end of the string are discarded.
Func WMIDateStringToDate($dtmDate)

    Return (StringMid($dtmDate, 5, 2) & "/" & _
    StringMid($dtmDate, 7, 2) & "/" & StringLeft($dtmDate, 4) _
    & " " & StringMid($dtmDate, 9, 2) & ":" & StringMid($dtmDate, 11, 2) & ":" & StringMid($dtmDate,13, 2))
EndFunc
Edited by R.Sanderson
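The WMIDateStringToDate function in the script above slices a CIM DATETIME string by position and drops its UTC offset. The following is an added example (not part of the original post) of a stricter parser for that same format in Python: it keeps the offset, returns None for an empty value such as DHCPLeaseExpires on an adapter with DHCP disabled, and rejects interval or malformed strings instead of silently slicing them. The sample values in it are constructed.

```python
"""Parse WMI/CIM DATETIME strings ("yyyymmddHHMMSS.ffffff+UUU").

Added example; not the original poster's code. Sample values are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional


def cim_datetime_to_datetime(value: Optional[str]) -> Optional[datetime]:
    """Convert a CIM_DATETIME value to a timezone-aware datetime.

    Returns None for None/empty input (WMI returns null for properties such as
    DHCPLeaseExpires when DHCP is off). Raises ValueError for interval values
    (":" in place of the sign), wildcarded fields ("*") or anything malformed.
    """
    if not value:
        return None
    value = value.strip()
    # Fixed layout: 14 date digits, ".", 6 fraction digits, sign, 3 offset digits
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError(f"not a CIM_DATETIME instant: {value!r}")
    date_part, frac, sign, offset = value[:14], value[15:21], value[21], value[22:]
    if "*" in date_part or "*" in frac or not offset.isdigit():
        raise ValueError(f"wildcarded or malformed CIM_DATETIME: {value!r}")
    naive = datetime.strptime(date_part, "%Y%m%d%H%M%S")
    minutes = int(offset) * (1 if sign == "+" else -1)  # offset is in minutes
    return naive.replace(microsecond=int(frac), tzinfo=timezone(timedelta(minutes=minutes)))


def format_like_autoit(value: Optional[str]) -> str:
    """Same mm/dd/yyyy HH:MM:SS layout as WMIDateStringToDate, but "" for missing."""
    parsed = cim_datetime_to_datetime(value)
    return "" if parsed is None else parsed.strftime("%m/%d/%Y %H:%M:%S")


if __name__ == "__main__":
    # Constructed sample: 08:30:00 local time at UTC-5, as WMI would report it
    print(format_like_autoit("20240315083000.000000-300"))
    print(repr(format_like_autoit("")))  # DHCP disabled: no lease expiry
```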

That's more a support question than a report.

Ad-Aware now detects active Auto-It scripts as WIN32.Trojandropper or something similar to this.

You have struck an arrow of deepest sorrow and dread to the very epicenter of my soul.


I just wanted to bring this to everyone's attention, as Ad-Aware JUST started doing this. As of last week, it was fine with every script I threw at it, but now it deletes them. Whether this is something that can be fixed on this end, or a fault on Lavasoft's part, or maybe working-as-intended, I just wanted everyone to be aware that their scripts may be deleted if they don't check their Ad-Aware reports.

Did you report your file to AdAware/Lavasoft for them to check if it is a false positive?
