I've been totally caught up in a new project (shock!) for windows (whaaaaa?!) called Startalyzer. It does more than HijackThis and its ilk, but less than Spybot S&D and its. We only examine known startup/hijack points, scheduled jobs, etc. Everything we find is compared to a database of known Microsoft filenames, version numbers, product names, etc. and WHIRLPOOL hashes :D The idea being that there could also be databases of known legitimate software, drivers, and malware.
But we don't scan for malware specifically, and we don't automatically take any action. Just present file/version info, strings output, etc., and highlight known files. The user decides what to remove from startup, which Startalyzer should be able to do for any origin. So the "user" is not the end-user but a technician or high school student.
Yesterday, I got all the little pieces together for the first time: the origin wrangler, a few test origins, the file database, the PE parser, the classifier, and the GUI. Just from this test I can see I still have to do a bunch of little stupid things like follow LNK files and parse RUNDLL32 commandlines. And also extract both ASCII and unicode strings. Yikes.
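Two of the pieces named above, as an added example in Python that is not Startalyzer's code: a rundll32 command-line splitter and a strings extractor that catches both ASCII and UTF-16LE (what Windows calls "unicode") runs. The rundll32 grammar it assumes is the documented `rundll32 <dll>,<entrypoint> <args>` form with an optionally double-quoted DLL path; the space-separated variant is not handled. The sample blob is constructed for the example and is not a real file.

```python
"""Helpers of the kind a startup-entry analyzer needs (added example, not
Startalyzer's code):

  * parse_rundll32: split 'rundll32 <dll>,<entry> <args>' so the DLL can be
    hashed and classified instead of rundll32.exe itself, which is a known
    Microsoft file and would otherwise make the entry look harmless;
  * extract_strings: printable runs in both ASCII and UTF-16LE, since
    Windows binaries store registry paths and file names as UTF-16LE and an
    ASCII-only scan misses them entirely.
"""
import re
from typing import List, Optional, Tuple

# Leading rundll32.exe token: optional quotes, optional directory, optional
# ".exe", then whitespace. Case-insensitive because the Run keys are.
_RUNDLL32_TOKEN = re.compile(r'^"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+',
                             re.IGNORECASE)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Return (dll, entry_point, args) or None if not a rundll32 command.

    Assumed grammar (the documented form): the DLL may be double-quoted, a
    comma separates DLL from entry point, and everything after the first
    whitespace following the entry point is the argument string.
    """
    rest = cmdline.strip()
    m = _RUNDLL32_TOKEN.match(rest)
    if not m:
        return None
    rest = rest[m.end():]

    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None                 # unterminated quote
        dll = rest[1:end]
        rest = rest[end + 1:].lstrip()
        if not rest.startswith(','):
            return None                 # no entry point after the DLL
        rest = rest[1:]
    else:
        dll, sep, rest = rest.partition(',')
        if not sep:
            return None                 # no entry point after the DLL
        dll = dll.rstrip()

    parts = rest.lstrip().split(None, 1)
    if not parts:
        return None
    entry = parts[0]
    args = parts[1].strip() if len(parts) > 1 else ""
    return dll, entry, args


def extract_strings(data: bytes, min_len: int = 4) -> Tuple[List[str], List[str]]:
    """Return (ascii_strings, wide_strings): printable runs of >= min_len chars.

    A wide string is a run of printable ASCII code units in UTF-16LE, i.e.
    each byte followed by 0x00. Non-Latin text is out of scope here.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return ascii_strings, wide_strings


# Constructed sample (not a real file): a DOS-stub-like ASCII message, some
# padding, a UTF-16LE registry path and a little binary noise.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\xff\xfe\x01"
)

if __name__ == "__main__":
    for cmd in (
        r'rundll32.exe "C:\Program Files\Vendor\foo.dll",Start /silent',
        r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
        r"C:\foo\bar.exe -x",
    ):
        print(cmd, "->", parse_rundll32(cmd))
    ascii_s, wide_s = extract_strings(SAMPLE_BLOB)
    print("ascii:", ascii_s)
    print("wide: ", wide_s)
```

The point of the first helper for a classifier: hashing the image named by the command line gives you rundll32.exe, which matches the known-Microsoft database, so the entry that actually matters (the DLL) never gets looked at unless the command line is split first. The same reasoning applies to LNK files, where the target path, not the .lnk, is what should be hashed.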
Python, wxWindows, sqlite, and mhash. I'm not as impressed with wx as I was several years ago because I used a recent version of GTK+ a few months ago. GTK+, at least on python, is so much more powerful. Too bad the result looks totally out of place on windows.
P.S. Reward for getting to the end: small Kari Byron photoshoot