Jump to content
TryWare90Days

how to get a pid for a *32 process

Recommended Posts

I'm trying to kill a malware process, that I can't remove with my www.sophus.com/hom antivirus.

The malware is known as coinminer,config and my Sophus only creates popups of blocking the malware.

I know that the malware is constantly launching a svchost *32.exe processes, where the svchost.exe processes are from my Windows 7 operating system.

I have with no luck tried to do this:

Global $_bStatus = False

While $_bStatus = False
           Global $_iPid
           Global $_sActiveTitleNew = "svchost *32.exe"
           $_iPid = WinGetProcess($_sActiveTitleNew)
           If $_iPid <> -1 Then $_bStatus = ProcessClose($_iPid)   
Wend
EXIT
 

But the $_iPid doesn't ever show anything else than  -1, even if I can see the svchost *32.exe process in my TaskManager

 

YES - I know I shouldn't EXIT after killing the first malware detection, but it is easier to explain the above for you, so I can get a solution.

Share this post


Link to post
Share on other sites

Find out how it's being started instead of trying to kill the processes it's spawning. Find the exe that is being run first, delete it and go from there. If you can't delete it, download something like Unlocker and see if that will let you kill it. Or reboot in safe mode and delete it. There's probably a registry setting that needs to be deleted for it as well. 


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

To solve that problem I recomand you to,

Check these keys :
 

\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Nothing about svhost should be found. Or also suspicius exe name.

Or double check the  names of your services. Then google them. If looking suspicius.

Services.msc

If you find somthing you delete and reboot. If it s a service you can unregister it.

Edit: You got some rare case where WUpdate doing this problem.

I dont get it. Do you want a solution for your problem or a way to do it with autoIT ?

 

Edited by caramen

My video tutorials : HERE ( In construction )  || My Discord : https://discord.gg/S9AnwHw

How to Ask Help ||  UIAutomation From Junkew || WebDriver From Danp2 || And Water's UDFs in the Quote

Spoiler

 Water's UDFs:
Active Directory (NEW 2018-10-19 - Version 1.4.10.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (2018-10-31 - Version 1.3.4.1) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By gspino
      I hoping some of you young people can help an old man get off the nickel...  I have a small project I'd like to complete before I retire.  My problem is that on a terminal server environment I need to be able to detect the PID of a process by 'process name' AND 'process owner' so I can kill that specific process and not affect others who may be running the same process in another session.    I can seem to do one or the other but not both.  Can anyone please point me in the right direction?  Thanks very much in advance. -Glen
    • By Miliardsto
      I want to detect if exact process or window uses directx or opengl or maybe something else library used in applications.
      Thats becouse there could be many windows with same names and different names and the same with process. I got so much process names I want to my script works with all, so i want standardize.
      All of this processes uses DirectX or OpenGL so then If I check this window/process uses these libraries I will be sure thats the right process
    • By nacerbaaziz
      Hello my friends
      I have an inquiry after your permission
      I found a function to get the special line commands for any operation
      It requires the name of the process to be searched
      I want to use it to know the process
      Is this possible with this function
      Here is the code
       
      Func commandLineGet($proc, $strComputer=".")
      dim $array[1]
      local $ArrayNumber
      local $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
      local $oProcessColl = $oWMI.ExecQuery("Select * from Win32_Process where Name= " & '"'& $Proc & '"')
      local $Process
      For $Process In $oProcessColl
      $Process = $Process.Commandline
          ReDim $Array[UBound($Array)+1]
      $ArrayNumber = UBound($Array)-1
      $array[$ArrayNumber] = $Process
      Next
      $ArrayNumber = UBound($Array)-1
      $array[0] = $ArrayNumber
      return $array
      EndFunc
    • By simy8891
      Hi guys,
      It's been a while since I wrote my last message here and a while since I used AutoIt. I'm currently sort of desperate and I'm trying to find some help in regards of getting the network usage per process!
      I'm not interested in the total network usage of the NIC, but only on a specific PID's network utilization. They idea is to collect the amount of traffic uploaded and downloaded by a list of specific processes. So far Process Hacker and Process Explorer are capable of getting what I need, but I need to use these numbers in another script so they're sort of useless to me. I can't seem to find a way around it.
      Any idea, help is greatly appreciated.
      Thanks
    • By ur
      with the below code, I am keeping waiting for a particular file and waiting in the background.
      While $i <> 10 Sleep(60000) If FileExists(@ScriptDir&"\Binaries.ini") then --some processing-- $i = 10 endif WEnd I thought keeping the Sleep will freeze the process from resources but the CPU being uilized.But it is taking 47%.
      How to free this CPU usage also.?

×
×
  • Create New...