engjcowi Posted May 29, 2011

On 5/28/2011 at 10:54 PM, 'llewxam said:
Very nice work! The problem you were having was you weren't giving the ProcessClose enough time to do its job before the FileDelete kicked in. I made a tiny tweak:

```autoit
Func DeleteProcess()
    $delfile = GUICtrlRead($liveProc) ; could change to the killproc list to maybe make safer and get rid of ProcessClose in this func ?????
    ConsoleWrite($delfile & @LF)
    $list = ProcessList($delfile)
    ; ProcessList() returns [0][0] = 0 when nothing matches; $list[1][1] would then be out of bounds
    If $list[0][0] = 0 Then
        ConsoleWrite("No such process" & @LF)
        Return
    EndIf
    For $i = 1 To $list[$i = 1 And 0][0] To $list[0][0]
        ;MsgBox(0, $list[$i][0], $list[$i][1])
    Next
    ;ConsoleWrite($list[1][1] & @LF)
    $filetodelete = _WinGetPath($list[1][1]) ; image path of the first matching PID
    ConsoleWrite($filetodelete & @LF)
    If $filetodelete = "" Then
        ConsoleWrite("No Path Found" & @LF)
    Else
        ConsoleWrite("Path Found Closing and Deleting Process" & @LF)
        ProcessClose($delfile)
        ProcessWaitClose($delfile) ; let the process actually exit before touching its image
        ; FileDelete() does not set @error; it returns 0 on failure
        If Not FileDelete($filetodelete) Then ConsoleWrite("Cannot Delete" & @LF)
    EndIf
EndFunc   ;==>DeleteProcess
```

This one worked fine - at least on my non-virus-infected computer!! Thanks a lot for doing this, I will do a little more tweaking and include the changes in an update!
Ian

Thanks. It's something I'll defo be using. I might change the GUI if that's ok. Maybe we could add another bit in the delete function: after the first delete command has been run, maybe a small sleep and a file check to see if it still exists or has been recreated, and then another file delete? Or maybe a persistent file delete function?
jamie

Drunken Frat-Boy Monkey Garbage
Manko Posted May 29, 2011

Maybe use a timeout value for ProcessWaitClose, so as not to lock up the script if the process refuses to close... Also... there is a nifty "delete on restart" function floating around, if you can't delete...
/Manko

Yes i rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...
llewxam Posted May 29, 2011 Author

On 5/29/2011 at 12:53 PM, 'Manko said:
Maybe use a timeout value for ProcessWaitClose, so as not to lock up the script if the process refuses to close...
/Manko

OOOOOHHHHHHHHHHH!!!!! Good call!!!!!!! Thanks for that!
Ian

My projects:
IP Scanner - Multi-threaded ping tool to scan your available networks for used and available IP addresses, shows ping times, resolves IPs in to host names, and allows individual IPs to be pinged.
INFSniff - Great technicians tool - a tool which scans DriverPacks archives for INF files and parses out the HWIDs to a database file, and rapidly scans the local machine's HWIDs, searches the database for matches, and installs them.
PPK3 (Persistent Process Killer V3) - Another for the techs - suppress running processes that you need to keep away, helpful when fighting spyware/viruses.
Sync Tool - Folder sync tool with lots of real time information and several checking methods.
USMT Front End - Front End for Microsoft's User State Migration Tool, including all files needed for USMT 3.01 and 4.01, 32 bit and 64 bit versions.
Audit Tool - Computer audit tool to gather vital hardware, Windows, and Office information for IT managers and field techs. Capabilities include creating a customized site agent.
CSV Viewer - Displays CSV files with automatic column sizing and font selection. Lines can also be copied to the clipboard for data extraction.
MyDirStat - Lists number and size of files on a drive or specified path, allows for deletion within the app.
2048 Game - My version of 2048, fun tile game.
Juice Lab - Ecigarette liquid making calculator.
Data Protector - Secure notes to save sensitive information.
VHD Footer - Add a footer to a forensic hard drive image to allow it to be mounted or used as a virtual machine hard drive.
Find in File - Searches files containing a specified phrase.
llewxam Posted May 29, 2011 Author

On 5/29/2011 at 11:02 AM, 'engjcowi said:
Thanks. It's something I'll defo be using. I might change the GUI if that's ok. Maybe we could add another bit in the delete function: after the first delete command has been run, maybe a small sleep and a file check to see if it still exists or has been recreated, and then another file delete? Or maybe a persistent file delete function?
jamie

Do whatever you want with this code my friend - it is open-source after all! If you choose to take a different path with a few things that is cool with me, I am always open to suggestions and may incorporate features others suggest/donate in to the offerings I put here.
As for the persistent file delete - not a bad idea. Maybe I'll add that in to the current main loop after _Execute. Thanks
Ian
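One way to put the three suggestions above together (engjcowi's sleep-and-recheck retry, Manko's ProcessWaitClose timeout, and a delete-on-restart fallback) is sketched below. This is an added example, not code from PPK3 or from any post in this thread. The function names, the retry counts and timeouts, the sample process name and path, and the refusal to delete under the Windows directory are all assumptions made for the example; the delete-on-reboot fallback uses the kernel32 MoveFileExW call with MOVEFILE_DELAY_UNTIL_REBOOT, which needs administrator rights.

```autoit
#RequireAdmin   ; killing other users' processes and queuing a delete-on-reboot both need admin rights

; Added example, not PPK3 code. $sProcName/$sPath would come from the GUI the way
; DeleteProcess() above reads them; every timeout and retry count here is an assumption.

Global Const $MOVEFILE_DELAY_UNTIL_REBOOT = 4   ; kernel32 MoveFileEx flag

; Queue the delete in PendingFileRenameOperations so it runs at next boot, before
; anything in the Run keys can start the file again. Returns True on success.
Func _DeleteOnReboot($sPath)
    Local $aRet = DllCall("kernel32.dll", "bool", "MoveFileExW", _
            "wstr", $sPath, "ptr", 0, "dword", $MOVEFILE_DELAY_UNTIL_REBOOT)
    If @error Then Return SetError(1, 0, False)
    Return $aRet[0] <> 0
EndFunc   ;==>_DeleteOnReboot

; Kill every instance of $sProcName (ProcessClose only ends one per call) and never
; wait more than $iTimeout seconds for it to go away, so a process that refuses
; termination cannot freeze the GUI. Returns True when no instance is left.
Func _CloseAll($sProcName, $iTimeout = 5, $iMaxTries = 3)
    For $i = 1 To $iMaxTries
        If Not ProcessExists($sProcName) Then Return True
        ProcessClose($sProcName)
        ProcessWaitClose($sProcName, $iTimeout)
    Next
    Return Not ProcessExists($sProcName)
EndFunc   ;==>_CloseAll

; Returns 1 = deleted, 2 = queued for reboot, 0 = failed. @extended holds how many
; times the process or its file came back, which is a strong hint that a watchdog
; process is respawning it and needs to be found first.
Func _PersistentDelete($sProcName, $sPath, $iRetries = 3, $bAllowWindowsDir = False)
    ; Safety valve (assumption): refuse anything under the Windows directory unless told
    ; otherwise, so a mistyped or spoofed name cannot take out a genuine system binary.
    If Not $bAllowWindowsDir And StringInStr($sPath, @WindowsDir & "\") = 1 Then Return SetError(2, 0, 0)
    Local $iRespawns = 0
    For $i = 1 To $iRetries
        If Not _CloseAll($sProcName) Then
            $iRespawns += 1   ; still running or restarted, so the image is still locked
            ContinueLoop
        EndIf
        If Not FileExists($sPath) Then Return SetExtended($iRespawns, 1)
        FileDelete($sPath)
        Sleep(500)
        If FileExists($sPath) Then
            $iRespawns += 1   ; delete failed (locked) or something dropped the file again
            ContinueLoop
        EndIf
        ; gone for now; give a respawner a moment to show its hand before declaring victory
        Sleep(1500)
        If Not FileExists($sPath) And Not ProcessExists($sProcName) Then Return SetExtended($iRespawns, 1)
        $iRespawns += 1
    Next
    ; could not keep it off disk: have Windows remove it on the next boot instead
    If _DeleteOnReboot($sPath) Then Return SetExtended($iRespawns, 2)
    Return SetExtended($iRespawns, 0)
EndFunc   ;==>_PersistentDelete

; Usage with constructed values (no real malware is assumed to be present):
Local $iResult = _PersistentDelete("fakeav.exe", @TempDir & "\fakeav.exe")
ConsoleWrite("result=" & $iResult & " respawns=" & @extended & @LF)
```

ContinueLoop is written inside a full If/EndIf block on purpose; the single-line `If ... Then ContinueLoop` form is what later broke PPK3 on newer AutoIt versions. A result of 2 means the file will only disappear after a reboot, so the tool should keep suppressing the process until then, as PPK's main loop already does.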
engjcowi Posted May 29, 2011

Thanks. I may try to compile a list of randomly named .exe files that malware and spyware use, especially those fake antivirus programs. We can hopefully get a nice enough list so that when the program is started it will auto seek out and stop those programs on its own, sort of like an rkill +1. Thoughts? I appreciate there is the nuke command line though.
llewxam Posted May 29, 2011 Author

On 5/29/2011 at 3:03 PM, 'engjcowi said:
Thanks. I may try to compile a list of randomly named .exe files that malware and spyware use, especially those fake antivirus programs. We can hopefully get a nice enough list so that when the program is started it will auto seek out and stop those programs on its own, sort of like an rkill +1. Thoughts? I appreciate there is the nuke command line though.

I'm not much on adding what TO kill, I prefer to add what NOT TO kill and let the dust settle that way. To keep adding what to look for is too cumbersome with how often new threats come out. But here is where you could make changes to suit your own needs! One OLD version of the nuke command was this little gem:

```autoit
Global $current, $dirty
Local $iMax = 1
Local $i, $bw
Dim $arr[$iMax]

; Walk every running process; anything not on the exception list in _clean() gets closed
$list = ProcessList()
For $i = 1 To $list[0][0]
    $current = StringLower($list[$i][0])
    _clean()
    If $dirty = 0 Then
        ProcessClose($current)
        ; keep a record of what was closed
        $iMax = $iMax + 1
        ReDim $arr[(UBound($arr) + 1)]
        $arr[$iMax - 1] = $current
    EndIf
Next
Exit

; Sets $dirty = 1 for processes that must be left alone
Func _clean()
    $dirty = 0
    If $current = "explorer.exe" Then $dirty = 1
    If $current = "lsass.exe" Then $dirty = 1
    If $current = "taskmgr.exe" Then $dirty = 1
    If $current = "services.exe" Then $dirty = 1
    If $current = "winlogon.exe" Then $dirty = 1
    If $current = "system" Then $dirty = 1
    If $current = "svchost.exe" Then $dirty = 1
    If $current = "csrss.exe" Then $dirty = 1
    If $current = "smss.exe" Then $dirty = 1
    If $current = "taskswitch.exe" Then $dirty = 1
    If $current = "[system process]" Then $dirty = 1
    If $current = "TCPSVCS.EXE" Then $dirty = 1
    If $current = "mdm.exe" Then $dirty = 1
    If $current = "wdfmgr.exe" Then $dirty = 1
    If $current = "usnsvc.exe" Then $dirty = 1
    If $current = "explore.exe" Then $dirty = 1
    If $current = "iexplore.exe" Then $dirty = 1
    If $current = "mbam.exe" Then $dirty = 1
    If $current = "mbam-setup.tmp" Then $dirty = 1
    If $current = "aawtray.exe" Then $dirty = 1
    If $current = "aawservice.exe" Then $dirty = 1
    If $current = "ad-aware.exe" Then $dirty = 1
    If $current = "ad-awareadmin.exe" Then $dirty = 1
    If $current = "spybotsd.exe" Then $dirty = 1
    If $current = "sdupdate.exe" Then $dirty = 1
EndFunc   ;==>_clean
```

This code really shows its age - nowadays I would have done _clean with an array, and I can't remember the last time I used Ad-Aware or Spybot!!!!
engjcowi Posted May 29, 2011

Nice. Thanks, I suppose that does make a lot of sense. It would be easier your way rather than keep adding to a list. I'll take that and run with it.
jamie
Chimaera Posted June 1, 2011

Can this be done with a known trouble causers list so that repeat offenders can be dealt with as soon as the script is running, a bit like what jamie said, but just dealt with and/or deleted to stop them respawning etc? I tried the original script at work with one of the new Vista variant viruses and it stopped and kept it nulled, which was fine, but the little popups that come around every 30 secs or so weren't so easy to stall. Is this based on using Task Manager, as some of these damn viruses block access to it?

If I've just helped you ... miracles do happen.
Chimaera
CopyRobo() * Hidden Admin Account Enabler * Software Location From Registry * Find Display Resolution * _ChangeServices()
llewxam Posted June 1, 2011 Author (edited)

On 6/1/2011 at 9:28 PM, 'Chimaera said:
Can this be done with a known trouble causers list so that repeat offenders can be dealt with as soon as the script is running, a bit like what jamie said, but just dealt with and/or deleted to stop them respawning etc? I tried the original script at work with one of the new Vista variant viruses and it stopped and kept it nulled, which was fine, but the little popups that come around every 30 secs or so weren't so easy to stall.

See post #26 above

On 6/1/2011 at 9:28 PM, 'Chimaera said:
Is this based on using Task Manager, as some of these damn viruses block access to it?

Well, not Task Manager per se, it is using a ProcessList function. If you run the compiled script as Administrator then you will get more results, perhaps that was the problem when you last used it. Maybe the next time it seems like you are still having recurring processes, close the script and run it again with Admin privileges.
Ian

Edited June 1, 2011 by llewxam
engjcowi Posted June 7, 2011 (edited)

Hi Guys

Just thought I'd share this update with you. I've updated the GUI and added a report tool (still in the process of being finished off). I've added some more buttons to assist with malware identification. If you have difficulty in identifying which process is currently causing you bother then you can press the select window button and identify the process that way. The only issue I have is that at the moment, when selecting the process, it's a little slow to pick up the selection at times or just doesn't register. Anyone any clues?

Sorry, I would load the script in between the tags but I always have an issue when putting even medium sized code up, so I've had to put it in a rar file. Sorry.

All credits and script in the rar file: PPK Project trans.rar

#Edit
Hi guys, below is a newer version of the code. The issue above is now sorted and I've added the AV pages to the buttons and included a basic uninstaller as well. You will still need the rar above but replace the au3 file with the one below - thanks UEZ for your help today.
Process Killer.au3

Edited June 9, 2011 by engjcowi
engjcowi Posted June 10, 2011

Updated - see addition to previous post
engjcowi Posted June 20, 2011

OK, just had an idea and thought I'd run it by you guys to see what you think.

So let's say you have a fake AV program that won't let you get to My Computer or run anything, as it keeps popping up, and this program could help you out, as you need web and USB access from your main session of Windows and not safe mode, since that restricts access to basic functions. I'm thinking of adding a button to the prog so you could log into safe mode and run the program, press the new button (which for now I'll call "run me") and it will add some reg keys with the nuke option and then to run the program without the nuke option. Then as soon as you load Windows normally the program will run from the RunOnce reg key or Run reg keys to kill the fake AV and get you access to your programs.

Thoughts before I start? Hope that made sense.
jamie
llewxam Posted June 20, 2011 Author

On 6/20/2011 at 10:19 AM, 'engjcowi said:
OK, just had an idea and thought I'd run it by you guys to see what you think. So let's say you have a fake AV program that won't let you get to My Computer or run anything, as it keeps popping up, and this program could help you out, as you need web and USB access from your main session of Windows and not safe mode, since that restricts access to basic functions. I'm thinking of adding a button to the prog so you could log into safe mode and run the program, press the new button (which for now I'll call "run me") and it will add some reg keys with the nuke option and then to run the program without the nuke option. Then as soon as you load Windows normally the program will run from the RunOnce reg key or Run reg keys to kill the fake AV and get you access to your programs. Thoughts before I start? Hope that made sense.
jamie

I'd say it makes perfect sense, anything that can automate a few steps and make life easier is always a good thing!!
Ian
engjcowi Posted June 23, 2011

It's been pointed out to me by a friend who has used the prog that malware sometimes tries to use some of the names in the exception list. I'm going to trim it to the very bare essentials and make sure it also shows the processes that are listed numerous times, such as svchost, as this can show up many times and malware could be called this to attempt to hide itself. I'm going to try to write a routine that will not list the essential processes such as svchost, but I'll get the function to check the file location for verification first; then, if it's a true process, it won't be listed. Hope it makes sense.
jamie
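The check described in the post above (keep the exception list short, and only skip a protected name when the image actually lives where the real binary does) and the array-based _clean() the author mentions earlier can be combined as below. This is an added example, not code from PPK3 or from any post in this thread. The exception list is illustrative and an assumption; the function names and verdict strings are made up for the example; process enumeration goes through WMI's Win32_Process so that the image path is available alongside the name, which ProcessList() alone does not give.

```autoit
#RequireAdmin   ; without admin rights WMI returns no ExecutablePath for other users' processes

; Added example, not PPK3 code. The list below is an assumption; trim it to your
; own environment. Names are matched case-insensitively and the directory of the
; running image is compared with where the genuine binary lives, so a "svchost.exe"
; started from %TEMP% is reported instead of silently skipped.

; name -> directory the genuine image must live in ("" = kernel-hosted, reports no path)
Global $g_aProtected[9][2] = [ _
        ["svchost.exe", @SystemDir], _
        ["lsass.exe", @SystemDir], _
        ["services.exe", @SystemDir], _
        ["winlogon.exe", @SystemDir], _
        ["csrss.exe", @SystemDir], _
        ["smss.exe", @SystemDir], _
        ["taskmgr.exe", @SystemDir], _
        ["explorer.exe", @WindowsDir], _
        ["System", ""]]

; Index of $sName in the exception list, or -1 when it is not protected at all.
Func _ProtectedIndex($sName)
    For $i = 0 To UBound($g_aProtected) - 1
        If $sName = $g_aProtected[$i][0] Then Return $i   ; "=" compares strings case-insensitively
    Next
    Return -1
EndFunc   ;==>_ProtectedIndex

; Verdict for one process: "candidate" (not protected, the nuke logic may close it),
; "skip" (genuine system process), "impostor" (protected name, wrong location) or
; "unverified" (protected name but no path available, e.g. not running elevated).
Func _Classify($sName, $sExePath)
    Local $iIdx = _ProtectedIndex($sName)
    If $iIdx = -1 Then Return "candidate"
    Local $sWant = $g_aProtected[$iIdx][1]
    If $sWant = "" Then
        ; kernel-hosted names never report a path; a user-mode file claiming that name is fake
        If $sExePath = "" Then Return "skip"
        Return "impostor"
    EndIf
    If $sExePath = "" Then Return "unverified"
    Local $sDir = StringLeft($sExePath, StringInStr($sExePath, "\", 0, -1) - 1)
    If $sDir = $sWant Then Return "skip"
    ; 32-bit copies of system binaries legitimately live in SysWOW64 on x64 Windows
    If $sWant = @SystemDir And $sDir = @WindowsDir & "\SysWOW64" Then Return "skip"
    Return "impostor"
EndFunc   ;==>_Classify

; Enumerate via WMI so the image path comes with the name. Returns a 2D array:
; [0][0] = count; each row = pid, name, path, verdict. Sets @error if WMI is unavailable.
Func _ScanProcesses()
    Local $oWMI = ObjGet("winmgmts:\\.\root\cimv2")
    If Not IsObj($oWMI) Then Return SetError(1, 0, 0)
    Local $oProcs = $oWMI.ExecQuery("SELECT Name, ProcessId, ExecutablePath FROM Win32_Process")
    Local $aOut[1][4] = [[0, "", "", ""]]
    For $oProc In $oProcs
        Local $sPath = $oProc.ExecutablePath
        If Not IsString($sPath) Then $sPath = ""   ; a NULL path comes back as a non-string value
        $aOut[0][0] += 1
        ReDim $aOut[$aOut[0][0] + 1][4]
        $aOut[$aOut[0][0]][0] = $oProc.ProcessId
        $aOut[$aOut[0][0]][1] = $oProc.Name
        $aOut[$aOut[0][0]][2] = $sPath
        $aOut[$aOut[0][0]][3] = _Classify($oProc.Name, $sPath)
    Next
    Return $aOut
EndFunc   ;==>_ScanProcesses

; Usage: list only what deserves a human look before anything is killed
Local $aProcs = _ScanProcesses()
If Not @error Then
    For $i = 1 To $aProcs[0][0]
        If $aProcs[$i][3] = "impostor" Or $aProcs[$i][3] = "unverified" Then
            ConsoleWrite(StringFormat("%-10s %6d  %-16s %s", $aProcs[$i][3], $aProcs[$i][0], $aProcs[$i][1], $aProcs[$i][2]) & @LF)
        EndIf
    Next
EndIf
```

An "impostor" verdict is the case the post is worried about: a file that borrows a system name to hide in the process list, which the name-only _clean() above would have protected. "unverified" rows are the reason for running elevated, as noted earlier in the thread; when the script is not elevated WMI hides the path of processes owned by other accounts, and those should be treated as unknown rather than trusted.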
Chimaera Posted February 12, 2012

I decided to have another look at this as I had a few mins. I get an error when I run the script from post 1:

Quote
C:\Users\J\Desktop\PPK v3.au3 (97) : ==> "ContinueLoop" statement with no matching "While", "Do" or "For" statement.:
If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop

Not sure if this is because I'm running the latest version of AutoIt maybe?
llewxam Posted February 12, 2012 Author

On 2/12/2012 at 10:12 AM, 'Chimaera said:
I decided to have another look at this as I had a few mins. I get an error when I run the script from post 1. Not sure if this is because I'm running the latest version of AutoIt maybe?

I can confirm your bug on the latest version of the code too. Not sure why, very strange. If the lines containing ContinueLoop are commented out then execution does not fail. Not quite sure when I will do anything about it but I do thank you for pointing this out.....I was planning a couple hours of coding today anyway, hopefully I can experiment a bit.
Ian
llewxam Posted February 13, 2012 Author

I found a syntax change that was causing the problem above. Apparently this used to work but now throws a complaint:

```autoit
For $A = 1 To 10
    If $A == 7 Then ContinueLoop
Next
```

To make it happy, you have to put ContinueLoop on another line:

```autoit
For $A = 1 To 10
    If $A == 7 Then
        ContinueLoop
    EndIf
Next
```

I am not ready to post PPK4 yet, but this will allow you to have a quick fix on PPK3 if you want to check that out in the meantime.
Ian
Chimaera Posted February 13, 2012

Hi Ian

Thanks for the quick reply. I rechecked the script and nowhere in the script I have is this:

```autoit
For $A = 1 To 10
    If $A == 7 Then ContinueLoop
Next
```

So I'm not sure if we are talking about the same script. Thanks for looking.
engjcowi Posted February 13, 2012

Hi Ian

Cheers for that. I'll update my version of PPK and some other scripts where it's relevant. Any new goodies we can expect with PPK4?

@chimera It's just an example. Look for the ContinueLoops in PPK.
Chimaera Posted February 13, 2012 (edited)

On 2/13/2012 at 2:36 PM, 'engjcowi said:
@chimera It's just an example. Look for the ContinueLoops in PPK.

Yep, I tried that on the three instances in the script but it gave For/Next errors. No, no, I got it, being a nub and forgetting the EndIf.

Edited February 13, 2012 by Chimaera