curiousmaniac Posted February 11, 2009 Share Posted February 11, 2009 Hello, this my code for my simple antivirus, hope its not quiet dizzy because i am only newbie in this write code stuff, ok2. this script do fast delete when detecting autorun.inf in removable disk. but when you click at tray menu..example like i click "About" tray menu..its wait for 1 minutes or more for display it..all same goes on with other menu..have any idea for remove the delay? expandcollapse popup#include <file.au3> #include <Misc.au3> #RequireAdmin Opt("WinTitleMatchMode", 4) Opt("TrayMenuMode", 1) If _Singleton(@scriptname,1) = 0 Then MsgBox(64, "Same Process Detection", "Realtime Detection - was already running ", 5) Exit EndIf TraySetToolTip("Realtime Detection v1.0") TraySetState() $FIXREGISTRY = TrayCreateItem("Clean Registry") $STARTUP = TrayCreateMenu("Startup") $ADDSTARTUP = TrayCreateItem("Run Realtime Detection when system startup", $STARTUP) $REMOVESTARTUP = TrayCreateItem("Remove Realtime Detection from system startup", $STARTUP) TrayCreateItem("") $ABOUTITEM = TrayCreateItem("About") TrayCreateItem("") $EXITITEM = TrayCreateItem("Exit") If FileExists("C:\Realtime Detection\Realtime Detection.exe") = False Then TrayTip("Realtime Detection v1.0", "Right click for menu.", 5, 1) EndIf $NOTRAYITEMSDISPLAY = RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoTrayContextMenu") If $NOTRAYITEMSDISPLAY = "1" Then RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoTrayItemsDisplay") RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoTrayItemsDisplay") ProcessClose("explorer.exe") If ProcessExists("explorer.exe") = False Then Run("explorer.exe") EndIf EndIf $NOTRAYCONTEXTMENU = RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoTrayContextMenu") If $NOTRAYCONTEXTMENU = "1" Then RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoTrayContextMenu") RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoTrayContextMenu") ProcessClose("explorer.exe") If ProcessExists("explorer.exe") = False Then Run("explorer.exe") EndIf EndIf While 1 $MSG = GUIGetMsg() If $MSG = -3 Then Exit $REM = DriveGetDrive("REMOVABLE") If Not @error Then For $IREM = 1 To $REM[0] $REMDRIVE = $REM[$IREM] If $REMDRIVE <> "A:" And DriveGetFileSystem($REMDRIVE) <> "" Then If FileExists($REM[$IREM] & "\autorun.inf") Then $REMOPEN = IniRead($REMDRIVE & "\autorun.inf", "autorun", "open", "None") $REMSHELL = IniRead($REMDRIVE & "\autorun.inf", "autorun", "shellexecute", "None") If Not @error Then $SPLITREMSHELL = StringSplit($REMSHELL, " ") $SPLITREMOPEN = StringSplit($REMOPEN, " ") For $IREMOPEN = 1 To $SPLITREMOPEN[0] If $REMOPEN = "None" Then Sleep(1000) Else FileSetAttrib($REMDRIVE & "\" & $SPLITREMOPEN[$IREMOPEN], "-RASH") FileDelete($REMDRIVE & "\" & $SPLITREMOPEN[$IREMOPEN]) FileSetAttrib($REMDRIVE & "\autorun.inf", "-RASH") FileDelete($REMDRIVE & "\autorun.inf") TrayTip("Malware detected!", "Malware " & $REMOPEN & " hase been kick away from your " & $REMDRIVE & " drive. You can relax now.", 5, 1) _FILEWRITELOG(@ScriptDir & "\RealtimeDetection.log", "[Malware] " & $REMSHELL & " was removed from " & $REMDRIVE & @CRLF) ProcessClose($SPLITREMOPEN[$IREMOPEN]) EndIf Next For $IREMSHELL = 1 To $SPLITREMSHELL[0] If $REMSHELL = "None" Then Sleep(1000) Else FileSetAttrib($REMDRIVE & "\" & $SPLITREMSHELL[$IREMSHELL], "-RASH") FileDelete($REMDRIVE & "\" & $SPLITREMSHELL[$IREMSHELL]) FileSetAttrib($REMDRIVE & "\autorun.inf", "-RASH") FileDelete($REMDRIVE & "\autorun.inf") TrayTip("Malware detected!", "Malware " & $REMOPEN & " hase been kick away from your " & $REMDRIVE & " drive. You can relax now.", 5, 1) _FILEWRITELOG(@ScriptDir & "\RealtimeDetection.log", "[Malware] " & $REMSHELL & " was removed from " & $REMDRIVE & @CRLF) ProcessClose($SPLITREMSHELL[$IREMSHELL]) EndIf Next EndIf EndIf EndIf Next EndIf $FIX = DriveGetDrive("FIXED") If Not @error Then For $F = 1 To $FIX[0] $FIXDRIVE = $FIX[$F] If $FIXDRIVE <> "A:" And DriveGetFileSystem($FIXDRIVE) <> "" Then If FileExists($FIX[$F] & "\autorun.inf") Then $FIXOPEN = IniRead($FIXDRIVE & "\autorun.inf", "autorun", "open", "None") $FIXSHELL = IniRead($FIXDRIVE & "\autorun.inf", "autorun", "shellexecute", "None") $SPLITFIXOPEN = StringSplit($FIXOPEN, " ") $SPLITFIXSHELL = StringSplit($FIXSHELL, " ") For $FOPEN = 1 To $SPLITFIXOPEN[0] $INSPLITOPEN = $SPLITFIXOPEN[$FOPEN] If $FIXOPEN = "None" Then Sleep(1000) Else ProcessClose($SPLITFIXOPEN[$FOPEN]) FileSetAttrib($FIXDRIVE & "\" & $SPLITFIXOPEN[$FOPEN], "-RASH") FileDelete($FIXDRIVE & "\" & $SPLITFIXOPEN[$FOPEN]) FileSetAttrib($FIXDRIVE & "\autorun.inf", "-RASH") FileDelete($FIXDRIVE & "\autorun.inf") EndIf Next For $FSHELL = 1 To $SPLITFIXSHELL[0] $INSPLITSHELL = $SPLITFIXSHELL[$FSHELL] If $FIXSHELL = "None" Then Sleep(1000) Else ProcessClose($SPLITFIXSHELL[$FSHELL]) FileSetAttrib($FIXDRIVE & "\" & $SPLITFIXSHELL[$FSHELL], "-RASH") FileDelete($FIXDRIVE & "\" & $SPLITFIXSHELL[$FSHELL]) FileSetAttrib($FIXDRIVE & "\autorun.inf", "-RASH") FileDelete($FIXDRIVE & "\autorun.inf") EndIf Next EndIf EndIf Next EndIf $MSG = TrayGetMsg() Select Case $MSG = $FIXREGISTRY $HCUEXPLORER = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" $HLMEXPLORER = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" $HCUSYSTEM = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" $HCUADVANCED = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" $HLMWINLOGON = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" $HCUMAIN = "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" RegDelete($HCUEXPLORER, "NoFolderOptions") RegDelete($HLMEXPLORER, "NoFolderOptions") RegDelete($HCUEXPLORER, "NoViewContextMenu") RegDelete($HLMEXPLORER, "NoViewContextMenu") RegDelete($HLMEXPLORER, "NoStartMenuMorePrograms") RegDelete($HCUEXPLORER, "NoStartMenuMorePrograms") RegDelete($HCUEXPLORER, "HideClock") RegDelete($HLMEXPLORER, "HideClock") RegDelete($HCUEXPLORER, "NoDesktop") RegDelete($HLMEXPLORER, "NoDesktop") RegDelete($HCUEXPLORER, "NoRun") RegDelete($HLMEXPLORER, "NoRun") RegDelete($HCUEXPLORER, "NoControlPanel") RegDelete($HLMEXPLORER, "NoControlPanel") RegDelete($HCUEXPLORER, "NoSMMyDocs") RegDelete($HLMEXPLORER, "NoSMMyDocs") RegDelete($HCUEXPLORER, "NoRecentDocsMenu") RegDelete($HLMEXPLORER, "NoRecentDocsMenu") RegDelete($HCUEXPLORER, "NoSMMyPictures") RegDelete($HLMEXPLORER, "NoSMMyPictures") RegDelete($HCUEXPLORER, "NoStartMenuMyMusic") RegDelete($HLMEXPLORER, "NoStartMenuMyMusic") RegDelete($HLMEXPLORER, "NoStartMenuNetworkPlaces") RegDelete($HCUEXPLORER, "NoStartMenuNetworkPlaces") RegDelete($HCUSYSTEM, "DisableRegistryTools") RegDelete($HCUSYSTEM, "DisableCMD") RegDelete($HCUSYSTEM, "Disabletaskmgr") RegDelete($HCUADVANCED, "HideFileExt") RegDelete($HCUMAIN, "Window Title") RegDelete($HCUEXPLORER, "NoFind") RegDelete($HLMEXPLORER, "NoFind") RegDelete($HCUEXPLORER, "NoWinKey") RegDelete($HLMEXPLORER, "NoWinKey") RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "REG_DWORD", "1") RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "DefaultValue", "REG_DWORD", "2") RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN", "CheckedValue", "REG_DWORD", "2") RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN", "DefaultValue", "REG_DWORD", "2") ProcessClose("explorer.exe") If ProcessExists("explorer.exe") = False Then Run("explorer.exe") EndIf MsgBox(64, "Realtime Detection v1.0", "Registry has been fixed") Case $MSG = $ADDSTARTUP FileCopy(@ScriptFullPath, "C:\Realtime Detection\Realtime Detection.exe", "9") RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Realtime Detection", "REG_SZ", "C:\Realtime Detection\Realtime Detection.exe") MsgBox("64", "Realtime Detection v1.0", "Thanks for adding me.") Case $MSG = $REMOVESTARTUP FileDelete("C:\Realtime Detection\Realtime Detection.exe") RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Realtime Detection") MsgBox("64", "Realtime Detection v1.0", "You remove me..:-|.") Case $MSG = $ABOUTITEM ABOUT() Case $MSG = $EXITITEM ExitLoop EndSelect WEnd Func ABOUT() MsgBox("64", "Realtime Detection v1.0", "Is This OK?.") EndFunc Mr.Fix.au3 Link to comment Share on other sites More sharing options...
Aladdin Posted February 11, 2009 Share Posted February 11, 2009 Keep in mind that this script will not completely stop execution of file which is written in AutoRun.Inf File until you dismount and remount your USB Disk Drive. i don't know why it happens but once i tried to create such script but even after deleting the AutoRun.Inf file the virus will be not removed. it was just a learning test and i did not tried writing something similar to that again. let me know the results if it really works.Aladdin _______________________________ Link to comment Share on other sites More sharing options...
curiousmaniac Posted February 11, 2009 Author Share Posted February 11, 2009 Thanks Alladdin, about what you say is right..sometimes user must plug out and in again the removable disk...i'll try till it work..anyone have any idea to remove the delay? Link to comment Share on other sites More sharing options...
maniack Posted April 1, 2009 Share Posted April 1, 2009 u write all this code? cuz this script look very familiar Link to comment Share on other sites More sharing options...
rajeshontheweb Posted April 1, 2009 Share Posted April 1, 2009 thats because of mount points created in windows registry i fill post the details shortly actually i missed the link somewhere i had tried to device such a stuff using wmi that will detect any usb inserted and try to act immediately. stuff like usbcillin and ninja pendisk do it well. Started late is much better than having never started it!!!!Failure is another step towards success. I've been messing around with: Adding Entry to 'Hosts'File Information Lister (Logger)Yet Another AutoIT Error Handler Yet Another AutoIT Error Handler & Debugger Control your App's TaskBar Button YCurrency Ticker (Latest Release : 16 Apr 2009)_WinInetInternetCheckConnection UDF Symantec Definitions Lister UDF _GetLocalIPAddresses UDF UDF to get Special Folder Information WMI_NetworkAdapterConfiguration2Array WMI_CDRomDriveCapabilities _ScriptExists - Check if your au3 script is running!! Uninstaller UDF Get Version for your application (at script level or compiled stage) Uninstaller Pro - faster alternative to windows application removal applet Link to comment Share on other sites More sharing options...
rajeshontheweb Posted April 1, 2009 Share Posted April 1, 2009 guys, it is Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints but be careful. u have to backup the registry before you delete any keys. I would recommend even all those registry delete commands you have in your scripts, you better use the registry backup function as well before you delete - it is always safe :-) Started late is much better than having never started it!!!!Failure is another step towards success. I've been messing around with: Adding Entry to 'Hosts'File Information Lister (Logger)Yet Another AutoIT Error Handler Yet Another AutoIT Error Handler & Debugger Control your App's TaskBar Button YCurrency Ticker (Latest Release : 16 Apr 2009)_WinInetInternetCheckConnection UDF Symantec Definitions Lister UDF _GetLocalIPAddresses UDF UDF to get Special Folder Information WMI_NetworkAdapterConfiguration2Array WMI_CDRomDriveCapabilities _ScriptExists - Check if your au3 script is running!! Uninstaller UDF Get Version for your application (at script level or compiled stage) Uninstaller Pro - faster alternative to windows application removal applet Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now