
how to get a pid for a *32 process



I'm trying to kill a malware process, that I can't remove with my www.sophus.com/hom antivirus.

The malware is known as coinminer,config and my Sophus only creates popups of blocking the malware.

I know that the malware is constantly launching svchost *32.exe processes, whereas the svchost.exe processes are from my Windows 7 operating system.

I have tried this, with no luck:

Global $_bStatus = False
Global $_iPid
Global $_sActiveTitleNew = "svchost *32.exe"   ; the name as it appears in Task Manager

While $_bStatus = False
    ; WinGetProcess() takes a window title and returns -1 when no window matches it
    $_iPid = WinGetProcess($_sActiveTitleNew)
    If $_iPid <> -1 Then $_bStatus = ProcessClose($_iPid)
    Sleep(100)   ; avoid spinning at full speed while waiting for the process to appear
WEnd
Exit
 

But $_iPid never shows anything other than -1, even though I can see the svchost *32.exe process in my Task Manager.

 

YES - I know I shouldn't EXIT after killing the first malware detection, but it is easier to explain the above for you, so I can get a solution.


Find out how it's being started instead of trying to kill the processes it's spawning. Find the exe that is being run first, delete it and go from there. If you can't delete it, download something like Unlocker and see if that will let you kill it. Or reboot in safe mode and delete it. There's probably a registry setting that needs to be deleted for it as well. 

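What Task Manager lists as "svchost *32.exe" is a 32-bit (WoW64) process whose image name is plain svchost.exe: on 64-bit Windows the " *32" is a suffix Task Manager adds, not part of the name. WinGetProcess() also matches a window title, and a service host has no window, which is why it keeps returning -1. The script below is an added example, not code from this thread or from AutoIt itself: it gets the PIDs by name with ProcessList(), asks IsWow64Process whether each one is 32-bit, reads the image path and the parent process (the spawner the reply above says to go after), and flags any instance that is not the 64-bit C:\Windows\System32\svchost.exe. It assumes 64-bit Windows 7 or later, AutoIt 3.3.10 or newer (for WinAPIProc.au3) and an elevated script, since SYSTEM-owned processes cannot be opened otherwise; the function names and the "suspect" rule are mine, the rule is a heuristic, and killing the parent stays behind a flag that defaults to report-only.

```autoit
; Added example, not code from the thread. Assumes 64-bit Windows, AutoIt 3.3.10+
; and an elevated script; the "suspect" test below is a heuristic.
#RequireAdmin
#include <WinAPIProc.au3>

Global Const $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
Global Const $g_sRealHost = @WindowsDir & "\System32\svchost.exe"
Global Const $g_bKillSpawner = False   ; set True to terminate a non-Windows parent

; True if $iPID is a 32-bit process running under WoW64 (shown as "*32" in Task
; Manager). False with @error set if the process cannot be opened.
Func _IsWow64($iPID)
    Local $aOpen = DllCall("kernel32.dll", "handle", "OpenProcess", _
            "dword", $PROCESS_QUERY_LIMITED_INFORMATION, "bool", False, "dword", $iPID)
    If @error Or Not $aOpen[0] Then Return SetError(1, 0, False)
    Local $aRet = DllCall("kernel32.dll", "bool", "IsWow64Process", "handle", $aOpen[0], "bool*", 0)
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $aOpen[0])
    If $iErr Or Not $aRet[0] Then Return SetError(2, 0, False)
    Return $aRet[2] <> 0
EndFunc   ;==>_IsWow64

; Every process named $sName, as [n][0]=PID, [n][1]=WoW64?, [n][2]=image path,
; [n][3]=parent PID, [n][4]=parent image path ("" when it cannot be read).
Func _FindProcessesByName($sName)
    Local $aList = ProcessList($sName)        ; [0][0]=count, [i][0]=name, [i][1]=PID
    Local $aOut[$aList[0][0] + 1][5]
    $aOut[0][0] = $aList[0][0]
    For $i = 1 To $aList[0][0]
        $aOut[$i][0] = $aList[$i][1]
        $aOut[$i][1] = _IsWow64($aList[$i][1])
        $aOut[$i][2] = _WinAPI_GetProcessFileName($aList[$i][1])
        $aOut[$i][3] = _WinAPI_GetParentProcess($aList[$i][1])
        ; PID 0 would mean "this process" to the WinAPI wrapper, so guard it;
        ; the path is also "" when the parent has already exited.
        $aOut[$i][4] = ($aOut[$i][3] > 0) ? _WinAPI_GetProcessFileName($aOut[$i][3]) : ""
    Next
    Return $aOut
EndFunc   ;==>_FindProcessesByName

; Heuristic: the service hosts that services.exe starts on x64 are the 64-bit
; System32 binary, so a WoW64 instance or one loaded from elsewhere is worth a look.
Func _IsSuspectHost($bWow64, $sImage)
    If $bWow64 Then Return True
    Return $sImage <> "" And $sImage <> $g_sRealHost
EndFunc   ;==>_IsSuspectHost

; Kills the parent of a suspect host only when that parent is not a Windows
; binary (services.exe, explorer.exe and friends live under @WindowsDir).
Func _KillSpawner($iParentPID, $sParentImage)
    If $sParentImage = "" Then Return False
    If StringInStr($sParentImage, @WindowsDir & "\") = 1 Then Return False
    Return ProcessClose($iParentPID) = 1
EndFunc   ;==>_KillSpawner

Local $aHosts = _FindProcessesByName("svchost.exe")
For $i = 1 To $aHosts[0][0]
    Local $bSuspect = _IsSuspectHost($aHosts[$i][1], $aHosts[$i][2])
    ConsoleWrite(StringFormat("%s PID %6d  wow64=%-3s  %s  <- parent %d %s%s", _
            ($bSuspect ? "SUSPECT" : "ok     "), $aHosts[$i][0], ($aHosts[$i][1] ? "yes" : "no"), _
            $aHosts[$i][2], $aHosts[$i][3], $aHosts[$i][4], @CRLF))
    If $bSuspect And $g_bKillSpawner Then
        ConsoleWrite("  spawner killed: " & (_KillSpawner($aHosts[$i][3], $aHosts[$i][4]) ? "yes" : "no") & @CRLF)
    EndIf
Next
```

Run it from SciTE (the output goes to the console pane) and read the parent column before flipping $g_bKillSpawner: a parent of services.exe is the normal case, a parent sitting in a user profile or temp directory is the dropper you actually want gone, and that file still has to be deleted and its autostart removed or it will simply come back after a reboot. Parent PIDs can be reused after the parent exits, so treat the parent path as a lead, not proof.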

To solve that problem I recommend you to:

Check these keys:

\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Nothing about svchost should be found there. Or also a suspicious exe name.

Or double check the names of your services. Then google them, if they look suspicious.

Services.msc

If you find something, delete it and reboot. If it's a service you can unregister it.

Edit: There are some rare cases where WUpdate causes this problem.

I don't get it. Do you want a solution for your problem or a way to do it with AutoIt?


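The checks in the reply above, as an added example that is not code from this thread: it walks the Run keys of HKCU and HKLM and lists services through WMI, flagging entries whose executable references svchost outside System32/SysWOW64 or lives in a user-writable location such as %TEMP% or %APPDATA%. One detail matters on 64-bit Windows: a 32-bit AutoIt build reads HKLM\Software through WOW6432Node, so the native Run key is only reached with the HKLM64/HKCU64 prefixes, and the example reads both views. The function names and the "suspicious" rule are mine and the rule is a heuristic; the script only reports, and removing a value (RegDelete) or a service (sc delete) is left to the reader after looking at the hit.

```autoit
; Added example, not code from the thread. Reports only; the "suspicious"
; rule is a heuristic. Needs elevation to read every service's binary path.
#RequireAdmin

; Run keys to inspect. HKLM64/HKCU64 force the 64-bit registry view, which a
; 32-bit AutoIt would otherwise see redirected to WOW6432Node; the plain HKLM
; entry is the 32-bit view, which 32-bit malware may use.
Global Const $g_aRunKeys[4] = [ _
        "HKCU64\Software\Microsoft\Windows\CurrentVersion\Run", _
        "HKLM64\Software\Microsoft\Windows\CurrentVersion\Run", _
        "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", _
        "HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce"]

; First token of a command line: the quoted path, or everything up to the first space.
Func _ExePathFromCommand($sCmd)
    $sCmd = StringStripWS($sCmd, 3)
    If StringLeft($sCmd, 1) = '"' Then
        Local $iClose = StringInStr($sCmd, '"', 0, 2)
        Return ($iClose ? StringMid($sCmd, 2, $iClose - 2) : StringTrimLeft($sCmd, 1))
    EndIf
    Local $iSpace = StringInStr($sCmd, " ")
    Return ($iSpace ? StringLeft($sCmd, $iSpace - 1) : $sCmd)
EndFunc   ;==>_ExePathFromCommand

; Heuristic: svchost anywhere but System32/SysWOW64, or any autostart from a
; user-writable directory, is worth a closer look.
Func _IsSuspiciousPath($sPath)
    If $sPath = "" Then Return False
    Local $sSys32 = @WindowsDir & "\System32\", $sSysWow = @WindowsDir & "\SysWOW64\"
    If StringInStr($sPath, "svchost") And StringInStr($sPath, $sSys32) <> 1 And StringInStr($sPath, $sSysWow) <> 1 Then Return True
    Local $aWritable[3] = [@TempDir, @AppDataDir, @LocalAppDataDir]
    For $sDir In $aWritable
        If StringInStr($sPath, $sDir & "\") = 1 Then Return True
    Next
    Return False
EndFunc   ;==>_IsSuspiciousPath

; 1-based array of "key|valuename|command" strings for suspicious Run entries; [0] is the count.
Func _SuspiciousRunEntries()
    Local $aHits[1] = [0]
    For $sKey In $g_aRunKeys
        For $i = 1 To 1000
            Local $sName = RegEnumVal($sKey, $i)
            If @error Then ExitLoop          ; no more values (or key absent in this view)
            Local $sCmd = RegRead($sKey, $sName)
            If _IsSuspiciousPath(_ExePathFromCommand($sCmd)) Then
                ReDim $aHits[UBound($aHits) + 1]
                $aHits[0] += 1
                $aHits[$aHits[0]] = $sKey & "|" & $sName & "|" & $sCmd
            EndIf
        Next
    Next
    Return $aHits
EndFunc   ;==>_SuspiciousRunEntries

; Same for services, via WMI Win32_Service (PathName is the service's command line).
Func _SuspiciousServices()
    Local $aHits[1] = [0]
    Local $oWMI = ObjGet("winmgmts:\\.\root\cimv2")
    If Not IsObj($oWMI) Then Return SetError(1, 0, $aHits)
    Local $oSvcs = $oWMI.ExecQuery("SELECT Name, PathName, State, StartMode FROM Win32_Service")
    For $oSvc In $oSvcs
        Local $sPath = String($oSvc.PathName)   ; PathName can be Null for a few services
        If _IsSuspiciousPath(_ExePathFromCommand($sPath)) Then
            ReDim $aHits[UBound($aHits) + 1]
            $aHits[0] += 1
            $aHits[$aHits[0]] = $oSvc.Name & "|" & $oSvc.State & "|" & $oSvc.StartMode & "|" & $sPath
        EndIf
    Next
    Return $aHits
EndFunc   ;==>_SuspiciousServices

Local $aRun = _SuspiciousRunEntries()
ConsoleWrite("Suspicious Run entries: " & $aRun[0] & @CRLF)
For $i = 1 To $aRun[0]
    ConsoleWrite("  " & $aRun[$i] & @CRLF)
Next
Local $aSvc = _SuspiciousServices()
ConsoleWrite("Suspicious services: " & $aSvc[0] & @CRLF)
For $i = 1 To $aSvc[0]
    ConsoleWrite("  " & $aSvc[$i] & @CRLF)
Next
```

Run keys and services are the two places the reply names; scheduled tasks and the RunOnce/Explorer shell keys are other common autostarts that this example does not cover. A hit in the service list is a Name you can stop and remove with sc stop and sc delete from an elevated prompt, and a hit in a Run key is a value name you can remove with RegDelete once you have confirmed what it launches.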
