ripdad Posted March 16, 2010 (edited)

This Tool will close all non-essential programs on your computer automatically -- and keep them closed. Very useful for when a computer is infested with viruses and spyware, so you can run scans for them. Just unzip, double-click on the Tool and follow the prompts. Type the programs you wish to run into the white fields. All other programs will be persistently closed while you work on removing the viruses or spyware.

More Information and the Executables are here: http://fmchain.110mb.com/vct/index.htm

04-11-2010 - Released - KillProcsVista (BETA) - Download the executable at the website.
04-11-2010 - Released - KillProcsXP-OneShot
04-11-2010 - Released - KillProcsXP v2.5

New in v2.5
- Added Rename Support
- Added Extra File Checking
- Additional Streamlining (which increased speed a bit)

```autoit
; KillProcsXP v1.1
; Updated to include userinit.exe
; Released: March 15, 2010, by ripdad
;
If Not (@OSVersion = 'WIN_XP') Then
    MsgBox(16, 'KillProcsXP', 'This Program has only been tested on Windows XP' & @CRLF & @CRLF & 'Click OK to Exit', 15)
    Exit
EndIf
$answer = MsgBox(4, 'KillProcsXP', 'Close All Non-Essential Programs ?')
If $answer = 7 Then Exit
;
; ######## EXCLUDED PROCESSES #########
;
; ABSOLUTE REQUIRED SYSTEM PROCESSES
;-----------------------------------
Global $s01 = '[System Process]'
Global $s02 = 'System'
Global $s03 = 'alg.exe'
Global $s04 = 'csrss.exe'
Global $s05 = 'ctfmon.exe'
Global $s06 = 'explorer.exe'
Global $s07 = 'lsass.exe'
Global $s08 = 'services.exe'
Global $s09 = 'smss.exe'
Global $s10 = 'svchost.exe'
Global $s11 = 'winlogon.exe'
Global $s12 = 'userinit.exe'
;-----------------------------------
;
Global $i01 = 'KillProcsXP.exe'; This Process Compiled
Global $i02 = 'AutoIt3.exe'; This Process Non-Compiled
;
; Additional Processes (Example)
Global $p01 = 'spybotsd162.exe'; Spyware Scanner Install
Global $p02 = 'SpybotSD.exe'; Spyware Scanner Program
Global $p03 = 'spybotsd_includes.exe'; Spyware Scanner Update
Global $p04 = 'taskmgr.exe'; Task Manager
Global $p05 = 'UEDIT32.EXE'; Editor
;
; ###### END EXCLUDED PROCESSES ######
;
; Tray Options - Slows it down if you use menumode
;
TraySetIcon('')
TraySetToolTip('KillProcsXP')
;
TrayTip('KillProcsXP', 'Closing Programs - Please Wait ', 59, 1)
;
; Initial Slow Kill if Not in List Above - Giving Time for Each Process to Close
$pr = ProcessList()
For $i = 1 To $pr[0][0]
    Switch $pr[$i][0]
        Case $s01, $s02, $s03, $s04, $s05, $s06, $s07, $s08, $s09, $s10, $s11, $s12; System
        Case $i01, $i02, $p01, $p02, $p03, $p04, $p05; Allowed
        Case Else
            ProcessClose($pr[$i][1]); Disallowed
    EndSwitch
    Sleep(1000); Slow Kill Delay
Next
TrayTip('', '', 5, 1)
;
$answer = MsgBox(68, 'KillProcsXP', 'Closed All Non-Essential Programs' & @CRLF & @CRLF & 'Continue Persistent ?')
If $answer = 7 Then Exit
;
; GUI With Three Additional Manual Entry Processes Called Excludes
; (ie: excludes from being closed as if it were in the list above)
$kpxp = GUICreate("KillProcsXP v1.0", 180, 150, -1, -1)
GUICtrlCreateLabel('Exclude These Programs' & @CRLF & ' example: notepad.exe ', 15, 15, 140, 40)
Global $g01 = GUICtrlCreateInput("", 15, 50, 150, 20)
Global $g02 = GUICtrlCreateInput("", 15, 80, 150, 20)
Global $g03 = GUICtrlCreateInput("", 15, 110, 150, 20)
;
GUISetState(@SW_SHOW, $kpxp)
;
; Persistent Fast Kill if Not in List Above or GUI Excludes
Local $kpxp_msg
While 1
    Sleep(10)
    $kpxp_msg = GUIGetMsg()
    Switch $kpxp_msg
        Case -3
            GUISetState(@SW_MINIMIZE, $kpxp); Minimize when "x'd"
    EndSwitch
    $pr = ProcessList()
    For $i = 1 To $pr[0][0]
        Switch $pr[$i][0]
            Case $s01, $s02, $s03, $s04, $s05, $s06, $s07, $s08, $s09, $s10, $s11, $s12; System
            Case $i01, $i02, $p01, $p02, $p03, $p04, $p05; Allowed
            Case GUICtrlRead($g01), GUICtrlRead($g02), GUICtrlRead($g03); Allowed
            Case Else
                ProcessClose($pr[$i][1]); Disallowed
        EndSwitch
    Next
WEnd
GUIDelete($kpxp)
```

Edited April 11, 2010 by ripdad

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
FinalVersion Posted March 16, 2010

This is what Task Manager is for. But nice idea for the people that don't know what processes are safe to close.

Steam GUI | Clipboard Tool | System :: Uptime | StarCraft II Mouse Trap
ripdad (Author) Posted March 16, 2010 (edited)

Hi FinalVersion,

Viruses have a way of disabling Task Manager and other utilities, including anti-virus programs. The latest rash of them is causing a lot of misery -- and we need all the help we can get.

Thanks for your reply

Edited March 16, 2010 by ripdad
Shafayat Posted March 16, 2010

Hey. I can see you put a lot into it. But still it can be quite fruitless. I am not trying to overlook the amount of work you went through. What I want to say is that if you take a sample exe file (any exe), rename it to svchost.exe and run it (which is a very common thing for a virus or malware), it gets through. So my suggestion is to get the path from which the process initiates. There is more than one UDF to do so in this forum. All you need to do is to implement one of them into your code. And then it will become very close to perfect.

[Not using this account any more. Using "iShafayet" instead]
ripdad (Author) Posted March 16, 2010

Hi Shafayat,

Yes, I'm aware that svchost is a favorite of viruses. What you suggested can be easily implemented. I already have the code for it. This script is part of a larger one that I'm developing. When finished, it should be a pretty good program.

Thanks for your reply
ripdad (Author) Posted March 17, 2010

Well, well, well. Now I know why viruses like to use svchost. It's very hard to get consistent and "accurate" information from it. But -- I found a way around it. I doubt I will release the code for it. Too dangerous in the wrong hands. Especially since I found a very bad exploit testing it. It will be in the next version of the executable soon.

@Shafayat - Not only svchost, but the other system files also - thanks
Shafayat Posted March 17, 2010

A simple and not dangerous workaround would be that even though svchost is very cryptic about its properties, viruses are not. Most viruses are not even run from the system account, which easily gives them away.
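The two checks suggested in this thread (image path instead of bare name, and owning account) put together, as an added example in Python; this is not ripdad's KillProcsXP code and not anything posted by the participants. The process snapshot, the machine name `PC1` and the user `Bob` are constructed so the script runs anywhere; the expected paths and owning accounts for the core XP processes are assumptions about a stock Windows XP install under `C:\WINDOWS`. On a live box one would fill the snapshot from WMI (`Win32_Process`, `GetOwner`) or an equivalent UDF instead of `sample_snapshot()`.

```python
"""Whitelist processes by image path and owner, not by name alone (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default XP install location

SYSTEM = "NT AUTHORITY\\SYSTEM"
LOCAL_SERVICE = "NT AUTHORITY\\LOCAL SERVICE"
NETWORK_SERVICE = "NT AUTHORITY\\NETWORK SERVICE"
SERVICE_ACCOUNTS = frozenset({SYSTEM, LOCAL_SERVICE, NETWORK_SERVICE})
ANY_ACCOUNT: FrozenSet[str] = frozenset()  # empty set = owner is not checked


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str     # image name as Task Manager shows it
    path: str     # full path of the executable ("" when it cannot be read)
    account: str  # owner, e.g. "NT AUTHORITY\SYSTEM" or "PC1\Bob"


# Where the genuine core processes live and who owns them on a stock XP box
# (assumption: standard layout; paths are relative to SYSTEM_ROOT).
CORE: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "smss.exe":     (r"\system32\smss.exe",     frozenset({SYSTEM})),
    "csrss.exe":    (r"\system32\csrss.exe",    frozenset({SYSTEM})),
    "winlogon.exe": (r"\system32\winlogon.exe", frozenset({SYSTEM})),
    "services.exe": (r"\system32\services.exe", frozenset({SYSTEM})),
    "lsass.exe":    (r"\system32\lsass.exe",    frozenset({SYSTEM})),
    "svchost.exe":  (r"\system32\svchost.exe",  SERVICE_ACCOUNTS),
    "alg.exe":      (r"\system32\alg.exe",      frozenset({LOCAL_SERVICE})),
    "userinit.exe": (r"\system32\userinit.exe", ANY_ACCOUNT),
    "ctfmon.exe":   (r"\system32\ctfmon.exe",   ANY_ACCOUNT),
    "explorer.exe": (r"\explorer.exe",          ANY_ACCOUNT),
}
# Kernel pseudo-processes: no image on disk, and ProcessClose cannot end them anyway.
KERNEL = {"[system process]", "system"}


def classify(p: Proc, user_allowed: Iterable[str]) -> Tuple[str, str]:
    """Return ("keep" | "kill", reason) for one process.

    A core name is kept only when the image path AND the owning account both
    match the real system binary, so a renamed malware svchost.exe is killed.
    """
    name = p.name.lower()  # Windows names are case-insensitive
    if name in KERNEL:
        return "keep", "kernel pseudo-process"
    if name in CORE:
        rel_path, owners = CORE[name]
        expected = (SYSTEM_ROOT + rel_path).lower()
        if p.path.lower() != expected:
            shown = p.path or "<unknown path>"
            return "kill", f"impostor: {p.name} running from {shown}, expected {expected}"
        if owners and p.account.upper() not in owners:
            return "kill", f"impostor: {p.name} owned by {p.account}, expected one of {sorted(owners)}"
        return "keep", "verified system process"
    if name in {n.lower() for n in user_allowed}:
        return "keep", "on the user's allow list"
    return "kill", "not on any allow list"


def triage(snapshot: Iterable[Proc], user_allowed: Iterable[str]) -> Dict[int, Tuple[str, str]]:
    """Classify every process in a snapshot, keyed by PID."""
    allowed = list(user_allowed)
    return {p.pid: classify(p, allowed) for p in snapshot}


def kill_list(verdicts: Dict[int, Tuple[str, str]]) -> List[int]:
    """PIDs the tool would pass to ProcessClose, in ascending order."""
    return sorted(pid for pid, (verdict, _) in verdicts.items() if verdict == "kill")


def sample_snapshot() -> List[Proc]:
    """Constructed snapshot (not captured from a real machine)."""
    return [
        Proc(0, "[System Process]", "", ""),
        Proc(4, "System", "", SYSTEM),
        Proc(544, "smss.exe", r"C:\WINDOWS\system32\smss.exe", SYSTEM),
        Proc(1020, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", NETWORK_SERVICE),
        Proc(1644, "explorer.exe", r"C:\WINDOWS\explorer.exe", "PC1\\Bob"),
        # renamed malware: right name, wrong directory
        Proc(1720, "svchost.exe", r"C:\Documents and Settings\Bob\Application Data\svchost.exe", "PC1\\Bob"),
        # right name and path, but started by the user instead of a service account
        Proc(1900, "SVCHOST.EXE", r"C:\WINDOWS\system32\svchost.exe", "PC1\\Bob"),
        Proc(2300, "SpybotSD.exe", r"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe", "PC1\\Bob"),
        Proc(2444, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", "PC1\\Bob"),
        # lsass.exe one directory up from where the real one lives
        Proc(2500, "lsass.exe", r"C:\WINDOWS\lsass.exe", "PC1\\Bob"),
    ]


if __name__ == "__main__":
    verdicts = triage(sample_snapshot(), {"SpybotSD.exe", "taskmgr.exe"})
    for pid, (verdict, reason) in sorted(verdicts.items()):
        print(f"{pid:>5} {verdict:<4} {reason}")
```

A name-only whitelist keeps all three `svchost.exe`/`lsass.exe` entries above; the path-and-owner rule kills the two impostors and the misplaced `lsass.exe` while keeping the genuine service-hosted instance. One caveat for a live tool: when the image path cannot be read (the function gets `""`), this rule treats the process as unverified and kills it, so run it with the rights needed to read every process, or decide explicitly how an unreadable path should be handled.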
FranckGr Posted March 17, 2010 (edited)

You can use this to help you on cleaning viruses.
- Run it in learning mode (it is building a "white list" of processes)
- Stop it by renaming KUPON as KUPOFF
- Edit the WProcesses entry of KUP.INI
- Restart it (it will be in Production mode, killing any process not in the "WProcesses" list)
- Have a look in _KillUnknownProcesses.log

Another trick. One of the most useful commands to find if a virus is on your disk is:

C:\>DIR /S /ASRH

FranckG

Edited March 17, 2010 by FranckGr
ripdad (Author) Posted March 17, 2010

KillProcsXP - Updated to version 2

@FranckGr - Welcome to the war
Shafayat Posted March 17, 2010

Nice update mate. Cheers! This script will surely do the trick for most viruses. But there is a little snag. (Yeah, there really is.) Have you ever heard of a tiny little thing called kernel mode debugging? (Un)fortunately such a thing exists. I don't really understand it much. But all that is important now is that it can be used to successfully hide (actual hiding, not tricks like removing itself from the taskman list) the process itself. It is more than a fact that such tech exists. I tested one myself and got it working. Just google for "kernel mode hide process" and you'll probably get a driver with source code in C. It is a relief that AutoIt can't do kernel mode debugging itself or mods would probably be removing this post.

Best of luck
Shafayat
ripdad (Author) Posted March 17, 2010

@Shafayat Yes sir - I came across one about 2 weeks ago. Screen went blue and started formatting the hard drive. I saw that the HD activity LED was full on and forced the PC down. Got the data recovered 4 hours later. Never did find the virus that did it -- even after 5 different scans.

I know that TSRs exist. I know one way to deal with them -- format the HD and reload. Very rare that I come across them though.

Thanks for the reply
Shafayat Posted March 18, 2010

In my case, they weren't so rare. My company (actually where I work, anyway) needs to maintain a not-so-small server. And there it is not really an option to reformat the hard disk. So, basically it is prevention, not cure. Along with paid antivirus and strict physical access monitoring by CC cameras, I created a tiny little software that simply reassigns the exe, com, bat and reg file associations to itself and asks for a password when the shell issues an execute command (like ShellExecute does in AutoIt). This is what I did with my server. Maybe it'll help you too.
ripdad (Author) Posted March 18, 2010

I thought about writing a program that enforces permission to run -- sort of like Vista does when you want to access certain areas of the system. I still might do it. It's down the list though. Your program sounds good for a server environment. Did you make that in AutoIt?
Shafayat Posted March 18, 2010

Yeah. I did it in AutoIt. Apart from PHP and a little bit of legacy VB, AutoIt is the only programming language I know. I'm an enthusiastic computer user turned hobbyist programmer, not a pro. Even if I knew something like C, I'd still use AutoIt for this.
ripdad (Author) Posted March 18, 2010

I'd like to see the code. Do you have it posted on the forums?

If Not ('post = forums') Then Can_you_post_it_here?()
Shafayat Posted March 19, 2010

It's not publicly available yet. Mostly because I didn't think it was worthy enough. But I'll certainly post the code if you like. I'll post the code when I get home. I'm at work now.
Shafayat Posted March 19, 2010

I opened a separate topic. Here: http://www.autoitscript.com/forum/index.php?showtopic=111815
ripdad (Author) Posted March 19, 2010

I think I got the general idea of these scripts - thanks
storme Posted March 19, 2010

> I'd like to see the code. Do you have it posted on the forums?
> If Not ('post = forums') Then Can_you_post_it_here?()

I think this is a great tool. I was thinking of programming it with ALL the regular MAIN programs from ALL the computers I work on and using this as a baseline. Whenever I come to a messed up computer, running your script would get back to a clean machine.

For my purposes I'd like to see a log window showing what has been turned off (including its path). That way it's easy to track down what is bad, especially if the same program keeps popping up.

It'd be nice to see the version 2 source and try it out.

Thanks
John Morrison aka Storm-E

Some of my small contributions to AutoIt: Browse for Folder Dialog - Automation SysTreeView32 | FileHippo Download and/or retrieve program information | Get installed path from uninstall key in registry | RoboCopy function
ripdad (Author) Posted March 19, 2010

@Shafayat I got your script updated with the up-to-date #includes for AutoIt 3.3.6, as I was getting all kinds of errors. Made a few minor changes -- and voilà. Works a charm. Great script man - thumbs up! And you didn't think it worthy -- shame on you!