I'm doing a QC check on my finished md5 malware scanner using a Hyper-V VM running Windows 10. The scanner didn't remove the malware samples supplied from https://virusshare.com which hashes were contained in the scanner database and were up-to-date.
I've already tried reverting into the original SachaDee's code, but it didn't work. It is probably due to environment variables improperly set somewhere.
:MD5
cls
color 1c
title MD5 scanner
echo.
echo Warning!
echo.
echo This feature is undergoing multiple test-runs.
echo.
echo This moldule will auto remove malware when scanning.
echo.
echo This moldule could delete system or private files without any intent to do it.
echo.
echo We are not responsible for any damage to your computer or your files by using this moldule.
echo.
echo You have been WARNED!
echo.
pause
:dbpatch
cls
color B5
title MD5 scanner - Database Updates [0/4]
cd /d "%~dp0\wget-1.11.4-1-bin\bin"
wget --timeout=30 --timestamping --continue --no-check-certificate https://media.githubusercontent.com/media/Richienb/virusshare-hashes/master/virushashes.txt
pause
goto :Asksect
:Asksect
cls
title MD5 scanner - Database Updates [0/4]
echo Do you want to retry the update?
echo.
echo Y/N
echo.
set /p chc45=
if %chc45%==y goto :dbpatch
if %chc45%==Y goto :dbpatch
if %chc45%==n goto :scan
if %chc45%==N goto :scan
goto :Asksect
:scan
cd /d "%~dp0"
cls
title MD5 scanner - Database Updates [0/4]
echo Checked for Database Updates! Proceeding to Scan Engine...
echo.
pause
cls
title MD5 scanner - Scan Path [0/4]
REM Copyright 2014 BatchProg
echo please specify path to scan down here
echo example C:\Users
echo AND PLEASE DONT ENTER SOMETHING THAT ISNT A COMPUTER PATH
echo IF YOU ENTER SOMETHING THAT ISNT A COMPUTER PATH THE PROGRAM WILL CRASH
set /p pathscan2=path:
cls
title MD5 scanner - Setting up necessary things [1/4]
del /f /q %~dp0\output.txt
REM for /r %%x in (*) do set /a fcount=%fcount%+1
REM set /a totsecscan=%fcount%*15
REM set /a totminscan=%totsecscan%/60
REM if %totminscan%==0 set /a etascan=%totsecscan% seconds && goto :md5hash
REM set /a tothourscan=%totminscan%/60
REM if %tothourscan%==0 set /a etascan=%totminscan% minutes && goto :md5hash
REM set /a totdayscan=%tothourscan%/24
REM if %totdayscan%==0 set /a etascan=%tothourscan% hours && goto :md5hash
REM set /a etascan=%totdayscan% days
goto :md5hash
:md5hash
cls
title MD5 scanner - Hashing [2/4]
set "$base=%~dp0\wget-1.11.4-1-bin\bin\virushashes.txt"
for /r %%f in (%pathscan2%) do %~dp0\md5.exe "%%f " >> %~dp0\output.txt
cd /d "%~dp0"
title MD5 scanner - Comparing Hashes with known malware hashes [3/4]
cls
%pathscan2% echo ETA of scan:%etascan%
echo.
echo Uses a lot of CPU power to process but this is real scanner.
echo It does find real malware but the ability to remove it-
echo is related with the environment it is run on.
echo Run on Safe mode with networking for best results.
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
title MD5 scanner - Deleting Temporary Files [4/4]
del /f /q %~dp0\output.txt
cls
title MD5 scanner - Completed
echo Scan and Delete completed
echo.
pause
goto :menu
I expect that
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
Will compare the hash in output.txt with the Malware Hash base and deletes any malicious file (prompting the user if possible) but the code did not remove any files at all.
Additional info; Sample output.txt
D3041FF4F3B76CC0353064D1133BFEDE D:\EvaxHybrid\backup\.tmp.drivedownload\1191564.driveupload
6756458290BE387639F0068C706E8881 D:\EvaxHybrid\backup\.tmp.drivedownload\1659364.driveupload
9A66042E5A3619A7B49633752044FCEA D:\EvaxHybrid\backup\.tmp.drivedownload\1977560.driveupload
9E44B511DD344F2D35FA513EEA0D54E4 D:\EvaxHybrid\backup\.tmp.drivedownload\2110290.driveupload
A845071F7C4B4E67EF64BFB4BF5C3FB5 D:\EvaxHybrid\backup\.tmp.drivedownload\2923965.driveupload
C49B5CD76F60FCD284209384E2E4EB55 D:\EvaxHybrid\backup\.tmp.drivedownload\2924089.driveupload
6B7484B3ADCE8141A4E7411C7F66A9D7 D:\EvaxHybrid\backup\.tmp.drivedownload\3048269.driveupload
5A48A1B8A70B5A3A39D5EBC9B370BE4D D:\EvaxHybrid\backup\.tmp.drivedownload\3395701.driveupload
58B19F4875C82A846AD6DE62096D5F19 D:\EvaxHybrid\backup\.tmp.drivedownload\3488031.driveupload
C7E363D722920967E737747DB0C79EDE D:\EvaxHybrid\backup\.tmp.drivedownload\3660857.driveupload
DBC938D49B09BE7E0FC1E7BEB74F487D D:\EvaxHybrid\backup\.tmp.drivedownload\3673375.driveupload
6068C7836BFF997EDBE52C6EC0AE7DF3 D:\EvaxHybrid\backup\.tmp.drivedownload\4033639.driveupload
CD86C81B193594F8320832D34294CFA0 D:\EvaxHybrid\backup\.tmp.drivedownload\4132442.driveupload
91D6210AA04AA666E2F32FF64B996E7E D:\EvaxHybrid\backup\.tmp.drivedownload\4155809.driveupload
7941801B8AF887E45B5021ED2466D4F8 D:\EvaxHybrid\backup\.tmp.drivedownload\4166678.driveupload
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find "%%a" "%$base%" >nul && del /p /f /s "%%b "
for /f "tokens=1* delims= " %%a in (%~dp0\output.txt) do find /I "%%a" "%$base%" >nul && del /p /f /s "%%b "
Changed find "%%a" "%$base%" >nul to find /I "%%a" "%$base%" >nul due to difference in letter case within the DB and hashing algorithm output (output.txt).