KillProcsXP

[ripdad]

This Tool will close all non-essential programs on your computer automatically -- and keep them closed

Very useful for when a computer is infested with viruses and spyware - so you can run scans for them. Just unzip, double-click on the Tool and follow the prompts. Type the programs you wish to run into the white fields. All other programs will be persistently closed while you work on removing the viruses or spyware.

More Information and the Executables are here: http://fmchain.110mb.com/vct/index.htm

04-11-2010 - Released - KillProcsVista (BETA) - Download the executable at the website.

04-11-2010 - Released - KillProcsXP-OneShot

04-11-2010 - Released - KillProcsXP v2.5

New in v2.5 - Added Rename Support - Added Extra File Checking - Additional Streamlining (which increased speed a bit)

expandcollapse popup

; KillProcsXP v1.1
; Updated to include userinit.exe
; Released: March 15, 2010, by ripdad
;
If Not (@OSVersion = 'WIN_XP') Then
    MsgBox(16, 'KillProcsXP', 'This Program has only been tested on Windows XP' & @CRLF & @CRLF & 'Click OK to Exit', 15)
    Exit
EndIf
$answer = MsgBox(4, 'KillProcsXP', 'Close All Non-Essential Programs ?')
If $answer = 7 Then Exit
;
; ######## EXCLUDED PROCESSES #########
;
; ABSOLUTE REQUIRED SYSTEM PROCESSES
;-----------------------------------
Global $s01 = '[System Process]'
Global $s02 = 'System'
Global $s03 = 'alg.exe'
Global $s04 = 'csrss.exe'
Global $s05 = 'ctfmon.exe'
Global $s06 = 'explorer.exe'
Global $s07 = 'lsass.exe'
Global $s08 = 'services.exe'
Global $s09 = 'smss.exe'
Global $s10 = 'svchost.exe'
Global $s11 = 'winlogon.exe'
Global $s12 = 'userinit.exe'
;-----------------------------------
;
Global $i01 = 'KillProcsXP.exe'; This Process Compiled
Global $i02 = 'AutoIt3.exe'; This Process Non-Compiled
;
; Additional Processes (Example)
Global $p01 = 'spybotsd162.exe'; Spyware Scanner Install
Global $p02 = 'SpybotSD.exe'; Spyware Scanner Program
Global $p03 = 'spybotsd_includes.exe'; Spyware Scanner Update
Global $p04 = 'taskmgr.exe'; Task Manager
Global $p05 = 'UEDIT32.EXE'; Editor
;
; ###### END EXCLUDED PROCESSES ######
;
; Tray Options - Slows it down if you use menumode
; TraySetIcon('')
TraySetToolTip('KillProcsXP')
;
TrayTip('KillProcsXP', 'Closing Programs - Please Wait  ', 59, 1)
;
; Initial Slow Kill if Not in List Above - Giving Time for Each Process to Close
$pr = ProcessList()
For $i = 1 To $pr[0][0]
    Switch $pr[$i][0]
        Case $s01, $s02, $s03, $s04, $s05, $s06, $s07, $s08, $s09, $s10, $s11, $s12; System
        Case $i01, $i02, $p01, $p02, $p03, $p04, $p05; Allowed
        Case Else
            ProcessClose($pr[$i][1]); Disallowed
    EndSwitch
    Sleep(1000); Slow Kill Delay
Next
TrayTip('', '', 5, 1)
;
$answer = MsgBox(68, 'KillProcsXP', 'Closed All Non-Essential Programs' & @CRLF & @CRLF & 'Continue Persistent ?')
If $answer = 7 Then Exit
;
; GUI With Three Additional Manual Entry Processes Called Excludes
; (ie: excludes from being closed as if it were in the list above)
$kpxp = GUICreate("KillProcsXP v1.0", 180, 150, -1, -1)
GUICtrlCreateLabel('Exclude These Programs' & @CRLF & ' example: notepad.exe ', 15, 15, 140, 40)
Global $g01 = GUICtrlCreateInput("", 15, 50, 150, 20)
Global $g02 = GUICtrlCreateInput("", 15, 80, 150, 20)
Global $g03 = GUICtrlCreateInput("", 15, 110, 150, 20)
;
GUISetState(@SW_SHOW, $kpxp)
;
; Persistent Fast Kill if Not in List Above or GUI Excludes
Local $kpxp_msg
While 1
    Sleep(10)
    $kpxp_msg = GUIGetMsg()
    Switch $kpxp_msg
        Case -3
            GUISetState(@SW_MINIMIZE, $kpxp); Minimize when "x'd"
    EndSwitch
    $pr = ProcessList()
    For $i = 1 To $pr[0][0]
        Switch $pr[$i][0]
            Case $s01, $s02, $s03, $s04, $s05, $s06, $s07, $s08, $s09, $s10, $s11, $s12; System
            Case $i01, $i02, $p01, $p02, $p03, $p04, $p05; Allowed
            Case GUICtrlRead($g01), GUICtrlRead($g02), GUICtrlRead($g03); Allowed
            Case Else
                ProcessClose($pr[$i][1]); Disallowed
        EndSwitch
    Next
WEnd
GUIDelete($kpxp)
;

Edited April 11, 2010 by ripdad

[FinalVersion]

This is what task manager is for. But nice idea for the people that don't know what processes are safe to close.

[ripdad]

Hi FinalVersion,

Viruses have a way of disabling Task Manager and other utilities, including anti-virus programs.

The latest rash of them is causing alot of misery -- and we need all the help we can get.

Thanks for your reply

Edited March 16, 2010 by ripdad

[Shafayat]

Hey. I can see you put a lot into it. But still it can be quite fruitless.

I am not trying to over look the amount of work you went through. What I want to say is that if you make a sample exe file (any exe) and rename it to svchost.exe and run it (which is a very common thing for a virus or malware). So my suggestion is to get the path from which the process initiates. There are more than one udf to do so in this forum. All you need to do is to implement one of them into your code. And then it will become very close to perfect.

[ripdad]

Hi Shafayat,

Yes, I'm aware that svchost is a favorite of viruses. What you suggested can be easily implemented. I already have the code for it.

This script is part of a larger one that I'm developing. When finished - it should be a pretty good program.

Thanks for your reply

[ripdad]

Well, well, well

Now I know why viruses like to use svchost.

It's very hard to get consistent and "accurate" information from it.

But -- I found a way around it.

I doubt I will release the code for it. Too dangerous in the wrong hands.

Especially - since I found a very bad exploit testing it.

It will be in the next version of the executable soon.

@Shafayat - Not only svchost - but the other system files also - thanks

[Shafayat]

I simple and not dangerous workaround would be that even though svchost is very cryptic about it's properties, viruses are not. Most viruses are not even run from system account. which easily give them away.

[FranckGr]

You can use this to help you on cleanning viruses.

- Run it in learning mode (It is building a "White list" of processes)

- stop it by renaming KUPON as KUPOFF

- edit WProcesses entry of KUP.INI

- restart it (It will be in Production mode, killing any process not in the "WProcesses" list)

- have a look in _KillUnknownProcesses.log

Another trick

One of the most usefull command to find if a virus is on your disk is :

C:\>DIR /S /ASRH

FranckG

Edited March 17, 2010 by FranckGr

[ripdad]

KillProcsXP - Updated to version 2

-

@FranckGr - Welcome to the war

[Shafayat]

Nice update mate. Cheers!

This script will surely do the trick for most viruses. But there is a little snag. (yeah, there really is.)

Have you ever heard of a tiny little thing called kernel mode debugging? (un)fortunately such a thing exist. I don't really understand it much. But all that is important now is it can be used to successfully hide(actual hiding, not tricks like removing itself from taskman list) the process itself.

It is more than a fact that such tech exist. I tested one myself and got it working. Just google for "kernel mode hide process" and you'll probably get a driver with source code in C.

It is a relief that autoit can't do kernel mode debugging itself or mods would probably be removing this post.

Best of luck

Shafayat

[ripdad]

@Shafayat

Yes sir - I came across one about 2 weeks ago. Screen went blue and started formatting the hard drive. I saw that the HD activity led was full on and forced the pc down. Got the data recovered 4 hours later. Never did find the virus that did it -- even after 5 different scans.

I know that TSR's exist. I know one way to deal with them -- format the hd and reload.

Very rare that I come across them though.

Thanks for the reply

[Shafayat]

In my case, they weren't so rare. my company (actually where I work in, anyway) needs to maintain a not-so-small server. And there it is not really an option to reformat the harddisk. So, basically it is prevention, not cure. Along with paid antivirus and strict physical access monitoring by cc cameras, I created a tiny little software that simply reassign the exe com bat and reg file association to itself and asks for a password when shell issues an execute command(like shellexecute does in autoit). This is what I did with my server. Maybe it'll help you too.

[ripdad]

I thought about writing a program that enforces permission to run -- sort of like Vista does when you want to access certain areas of the system. I still might do it. It's down the list though.

Your program sounds good for a server environment. Did you make that in AutoIt?

[Shafayat]

Yeah. I did it in autoit. Apart from Php and a little bit of legacy vb, Autoit is the only programming language I know. I'm an enthusiastic computer user come hobbyist programmer, not a pro. Even if I knew something like c, I'd still use autoit for this.

[ripdad]

I'd like to see the code. Do you have it posted on the forums?

If Not ('post = forums') Then Can_you_post_it_here?()

[Shafayat]

It's not publicly available yet. Mostly because I didn't think it was worthy enough. But I'll certainly post the code if you like. I'll post the code when I get home. I'm at work now.

[Shafayat]

I opened a separate topic. Here, http://www.autoitscript.com/forum/index.php?showtopic=111815

[ripdad]

I think I got the general idea of these scripts - thanks

[storme]

I'd like to see the code. Do you have it posted on the forums?

If Not ('post = forums') Then Can_you_post_it_here?()

I think this is a great tool. I was thinking of programming it with ALL the regular MAIN programs from ALL the computers I work on and using this as a baseline. Whenever I come to a messed up computer running your script to get back to a clean machine.

For my purposes I'd like to see a log window showing what has been turned off (including its path).

That way it's easy to track down what is bad especially if the same program keeps popping up.

It'd be nice to see the version 2 source adn try it out.

Thanks

John Morrison

aka

Storm-E

[ripdad]

@Shafayat

I got your script updated with the up-to-date #includes for AutoIt 3.3.6 - as I was getting all kinds of errors.

Made a few minor changes -- and waalaa. Works a charm. Great script man - thumbs up!

And you didn't think it worthy -- shame on you!