Sign in to follow this  
Followers 0
kcd-clan

Need to help get rid of virus or just need to run you computers faster?

12 posts in this topic

#1 ·  Posted (edited)

What happens?

It has a log of all safe products for windows

Kills anything else running

I know some of you say no that wont get rid of them.

Ok well it wont but it will stop them.

Its not the number one program but it is how iv done it for many years and have not had a virus or anything in a long as time.

I sujgest windows xp for it.

will do fine on others as well just not tested.

Well i cant upload ANY of the files so u have to read the script.

cause the global upload crap.........

ProgressOn("Progress Meter", "Progess please do nothing while we run.", "0 percent")
process()

Func process()
$list = ProcessList()
For $i = 1 to $list[0][0]
    
If $list[$i][0]<>"[System Process]" And $list[$i][0]<>"Autoit3.exe" And $list[$i][0]<>"spoolsv.exe" And $list[$i][0]<>"System" And $list[$i][0]<>"csrss.exe" And $list[$i][0]<>"svchost.exe" And $list[$i][0]<>"lsass.exe" And $list[$i][0]<>"services.exe"     And $list[$i][0]<>"devldr32.exe"    And $list[$i][0]<>"devldr32.exe"    And $list[$i][0]<>"smss.exe"    And $list[$i][0]<>"winlogon.exe" Then 
kill($list[$i][0])
EndIf
ProgressSet( $i, $list[0][0]& " percent")
Next
Sleep(100)
EndFunc

Func kill($process)
    ProcessClose($process)
EndFunc

ProgressSet(100 , "Done", "Complete")
Sleep(500)
ProgressOff()
Edited by kcd-clan

Visit mEMy programs made.Iul - IulG-V Console - G-V Console_RandomLetter - _RandomLetter()Saftey Kill - Saftey Killcolorzone() = colorzone()

Share this post


Link to post
Share on other sites



How about explorer.exe or do you run your computer without a shell? lol

Share this post


Link to post
Share on other sites

svchost.exe is not a virus its your network client.alot of virus protectors says it is but its not.

IF you read and are using windows xp it willo reboot explorer.


Visit mEMy programs made.Iul - IulG-V Console - G-V Console_RandomLetter - _RandomLetter()Saftey Kill - Saftey Killcolorzone() = colorzone()

Share this post


Link to post
Share on other sites

In XP Pro at least, svchost.exe is used as a name for services that run from dll files....what w0uter was saying is that some viruses are released with the name svchost.exe in order to avoid simple process detection. Also, it might be easier to not kill the explorer.exe process and have it restarting all the time. Could make your windows session unstable.


_____________________________________________________"some people live for the rules, I live for exceptions"Wallpaper Changer - Easily Change Your Windows Wallpaper

Share this post


Link to post
Share on other sites

It's wierd but you can manually kill the explorer process using the Windows Task Manager in XP and it won't respawn, however, if you kill it using a program other than the task manager it always seems to respawn. I'm sure there is a reg key somewhere to stop this behaviour.

Share this post


Link to post
Share on other sites

My take on this is that you are trying to kill known bad processes, not specifically find and terminate a virus. I took this same aproach when I put together a "BadProcKiller". I originally wrote this in PERL. The intent was for PERL to kill the processes that I would normally manually scan the task manager for. I rewrote this in AutoIT (Cuz AutoIT is very cool). The program reads a known bad process list and will kill anything that is running that is on the list. Yes, this is very basic. No, this is not intended to be an endall cure for viruses. However, where it does help is with those pesky twin spyware/virus combos that keep an eye on each other and restart them when one goes down. I found I couldnt manually kill them fast enough. This program will kill them fast enough that neither can restart the other. Please be kind on my coding as this is one of the first programs I have coded in AutoIT. :D

#include <GUIConstants.au3>
#include <file.au3>
#include <array.au3>

$version = "2.0 beta"

Dim $aryBadProcs
Dim $arySysProcs
Dim $aryKilledProcs[1]

; read in the bad processes list
; enumerate all running processes
; kill processes that are in both lists


$Form1 = GUICreate("Bad Proc Killer", 325, 82, 283, 252)
$Progress1 = GUICtrlCreateProgress(16, 8, 289, 17)
GUICtrlSetColor(-1, 0x316AC5)
$Button1 = GUICtrlCreateButton("Cancel", 256, 40, 49, 17)
$Button2 = GUICtrlCreateButton("Kill", 200, 40, 49, 17)
$Button3 = GUICtrlCreateButton("Log", 256, 60, 49, 17)
$Label1 = GUICtrlCreateLabel("", 16, 40, 179, 17)
$Checkbox1 = GUICtrlCreateCheckbox("reload",200,57)
GUICtrlCreateLabel("ReaperWare v" & $version, 24, 64, 124, 14)
GUICtrlSetFont(-1, 7, 400, 0, "Arial")
GUICtrlSetColor(-1, 0x0000ff)
$Pic1 = GUICtrlCreatePic("reaperware.gif", 7, 60, 15, 19)

GUISetState(@SW_SHOW)

; Initialize display
GUICtrlSetState($Button2,$GUI_DISABLE)

; Load the file
$aryBadProcs = Read_Bad_Processes()

While 1
    $msg = GuiGetMsg()
    Select
    Case $msg = $GUI_EVENT_CLOSE
        ExitLoop
    Case $msg = $Button1
        ExitLoop
    Case $msg = $Button2
        #region - main decision loop
        if (guictrlread($Checkbox1) = 1) Then
            $aryBadProcs = Read_Bad_Processes()
            GUICtrlSetState($Checkbox1,$GUI_UNCHECKED)
        EndIf
        
    ;;debug("",GUICtrlRead($Checkbox1))
        $arySysProcs = Read_System_Processes()
        $killcount=0
        GUICtrlSetData($Progress1,0)
        GUICtrlSetData($Label1,"Scanning system for bad processes.")
        
    ; setup the progress bar increments
        $increment = 100 / $arySysProcs[0][0]
        $incrementcount = $increment
        
        for $i = 2 to $arySysProcs[0][0]
            for $j = 1 to $aryBadProcs[0][0]
            ;debug("compare","comparing" & $arySysProcs[$i][0] & "&" & $aryBadProcs[$j][0])
                if  ($arySysProcs[$i][0] = $aryBadProcs[$j][0]) Then
                ;MsgBox(0,"matching",$arySysProcs[$i][0] & $arySysProcs[$i][1] & "<>" &$aryBadProcs[$j][0])
                    if ProcessExists($arySysProcs[$i][1]) Then
                        ProcessClose($arySysProcs[$i][1])
                    ;;debug("killed",$arySysProcs[$i][1] & $aryBadProcs[$j][1]& $aryBadProcs[$j][0])

                        ReDim $aryKilledProcs[$killcount+1]
                        $aryKilledProcs[$killcount] = $aryBadProcs[$j][1] & "-" & $aryBadProcs[$j][0]
                        $killcount = $killcount + 1
                    EndIf
                EndIf

            Next
        ;sleep(1)
            GUICtrlSetData($Progress1,$incrementcount)
            $incrementcount = $incrementcount + $increment
        Next
        GUICtrlSetData($Label1,$killcount & " harmful processes killed.")
        
        $icon = 1
        if $killcount > 0 then
            $icon = 2
        EndIf
        
        TrayTip("Killed",$killcount & " harmful processes killed.", 5, $icon)
        GUICtrlSetData($Button1,"Exit")
    ;sleep(1)
        GUICtrlSetData($Progress1,0)
    ;msgbox(0,"sys procs",$message)
        #region
    Case $msg = $Button3
    ;debug("test",$aryKilledProcs[0])
        _ArrayDisplay($aryKilledProcs,"Killed Processes")
    Case Else
    ;;;;;;;
    EndSelect
WEnd
Exit


Func Read_Bad_Processes()
    Dim $aryfilelines
    Dim $line[2]
    
    GUICtrlSetData($Label1,"Loading data...")
    $filename = @ScriptDir & "\badproc.txt"
    $File = FileOpen($filename ,0)
    $linecount = _FileCountLines($filename)
    $linecount = $linecount + 1
    
; did this because anything less than 100 doesnt fill the progress bar
;$barlimit = $linecount * 100
;;
    
;MsgBox(0,"lines",$linecount)
    Dim $aryfilelines[$linecount][2]
    $aryfilelines[0][0] = $linecount -1
    
; setup total so that it is a divisor of 100
; this provides even increments to fill the progress bar
    $increment = 100/($linecount-1)
    $incrementcount = $increment
    for $i = 1 to $linecount -1
    ;$line = FileReadLine($File)
    ;If @error = -1 Then ExitLoop
    ;MsgBox(0, "Char read:", $line)
        $line = StringSplit(FileReadLine($File),",")
    ;if(StringLeft($line,1) = "#") then 
    ;   debug("comment","")
    ;EndIf
        $aryfilelines[$i][0] = $line[1]
        $aryfilelines[$i][1] = $line[2]
    ;debug("line",$line)
    ;debug("line1",$line[1])
    ;debug("line2",$line[2])
        sleep(1)
        GUICtrlSetData($Progress1,$incrementcount)
        $incrementcount = $incrementcount + $increment
    next
    FileClose($file)

    GUICtrlSetData($Label1,$linecount-1 & " bad proc profiles loaded.")
    GUICtrlSetState($Button2,$GUI_ENABLE)
    GUICtrlSetData($Progress1,0)
;_ArrayDisplay($aryfilelines,"bad procs")
    ;debug("badproc",$aryfilelines[1][0])
    ;debug("badproc",$aryfilelines[2][0])
    Return $aryfilelines
EndFunc

Func Read_System_Processes()
    $list = ProcessList()
    Return $list
EndFunc

Func Debug($title,$message)
    MsgBox(0,$title,$message)
EndFunc

#region - Comments
;       v2.0    03-17-2006  Initial build incorporated all features of PERL version
;                           as well as added GUI, progress bar and tray tip.  
;                           Added functionality to reload data file.
;       v2.1                Plan to have Internet logging and update (for customer use)
;                           Logging will upload unknown processes for investigation. Perhaps include checkbox
#region

The list of bad processes was actually ripped from one of those spyware sites on the Internet somewhere (I forget where now). Here is the list I use if you want to see. Its just a comma separated list (name, description). The last line has notepad.exe for a test. remove that if you really want to use the list.

180ax.exe,180ax.exe is registered as the TROJ.ISTZONE.H downloader
a.exe,a.exe is registered as the W32.Ahlem.A@mm worm which is transmitted via e-mail 
actalert.exe,actalert.exe is an advertising program
adaware.exe,adaware.exe is a variant of the RapidBlaster parasite. The parasite copies itself to new directories to spread  
Alchem.exe,Alchem.exe is an advertising program by ClickAlchemy.com  
alevir.exe,alevir.exe is a security threat which spreads itself across networks via network shares 
aqadcup.exe,aqadcup.exe is a process which is registered as the Backdoor.Agent.bg worm  
arr.exe,arr.exe is a process which attempts to dial a high cost telephone number in order to access pornographic material for the user  
ARUpdate.exe,ARUpdate.exe is a spyware from Adroar 
asm.exe,asm.exe is an advertising program by Gator  
av.exe,av.exe is a process which is registered as the W32/Alphx.worm.a virus. This virus changes your start-page for Internet explorer  
avserve.exe,avserve.exe is a process which is registered as the W32/Sasser.a virus. It takes advantage of the Windows LSASS vulnerability which creates a buffer overflow and instigates your computer to shut down 
avserve2.exe,avserve2.exe is a process which is registered as the TROJ_SUA.A virus. It takes advantage of the Windows LSASS vulnerability which creates a buffer overflow and instigates your computer to shut down  
backWeb.exe,backWeb.exe is an adware by Backweb Technologies which offers news and entertainment services in exchange for personal usage information regarding the PC being sent back to BackWeb's servers for analysis  
bargains.exe,bargains.exe is a spyware which generates pop-up advertisements and analyses your computer usage for analysis by Exact Advertising 
#basfipm.exe,basfipm.exe is a process which is installed alongside Broadcom communications hardware  
belt.exe,searchv.com is an advertising program by searchv.com. This process monitors your browsing habits and distributes the data back to the author's servers for analysis  
Biprep.exe,Biprep.exe is an advertising program by Gator 
blss.exe,blss.exe is a the CBlaster Trojan/dialer/downloader  
bokja.exe,bokja.exe is an advertising program by SecondThought  
bootconf.exe,bootconf.exe a process hijacking your default internet homepage redirecting to a advertisment website 
bpc.exe,bpc.exe a spyware i process included in common application such as Grokster  
brasil.exe,brasil.exe is process added to the system as a result of the OPASERV.E virus  
BRIDGE.DLL,BRIDGE.DLL is a module installed by Flingstone Bridge SpyWare 
BUGSFIX.EXE,BUGSFIX.EXE is registered as the Loveletter Virus which is distributed via e-mail and attempts to install itself with the view of e-miling to other persons in the local addrses book  
bundle.exe,bundle.exe is a process downloading and displaying advertisments from an online location  
bvt.exe,bvt.exe is a malicious worm which copies itself across the network via your pc. The Backdoor.Autoupder virus should be removed immediatly from your computer 
cashback.exe,cashback.exe is an advertising program  
cmd32.exe,cmd32.exe is added to the system as a result of the P2P.TANKED virus  
cmesys.exe,cmesys.exe is an AdWare by Thiefware.com, from the Gator variant.this Adware pops up advertisements as well as analyses computer usage 
conime.exe,conime.exe is a process which is registered as the BFGhost 1.0 Remote administration backdoor tool. This backdoor application can allow attackers to access your computer stealing passwords and personal data  
conscorr.exe,consol32.exe is registered as the TrojanDownloader.Win32.Stubby.c downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer  
datemanager.exe,datemanager.exe is a process installed via the Internet through a consenting pop-up screen from Gator Corp 
dcomx.exe,dcomx.exe is registered as the CIREBOT virus and should be removed immediatly  
directs.exe,directs.exe is a process which is registered as the W32/Bagle.t@MM worm. This worm attempts to install itself on your comupter and gather e-mail addresses for re-distribution  
divx.exe,divx.exe is documented as being of the MASTAK virus 
dllreg.exe,dllreg.exe is registered as the Dumaru.c Virus. This virus searches the hard disk drive looking for files  
dmserver.exe,dmserver.exe is an advertising program by Gator  
dpi.exe,dpi.exe is an advertising program by The DelFin Project 
dssagent.exe,dssagent.exe is a process authored by Broderbund and is spyware  
dvdkeyauth.exe,dvdkeyauth.exe is an adult dialer application. This application will try to disconnect your current connection and call an expensive toll number  
emsw.exe,emsw.exe is a spyware from Alset Inc and is also known as "HelpExpress" 
exdl.exe,exdl.exe is an advertising program by CashBackBuddy.com  
exec.exe,exec.exe is a part of the Death Zone Remote Administration Tool which allows an attacker to take control of your desktop  
explore.exe,explore.exe is added to the system as a result of the GRAYBIRD.G virus 
explored.exe,explored.exe is a process which is registered as the W32/Nexiv.worm. This backdoor virus allows attackers to access your computer stealing passwords and personal data  
Fash.exe,Fash.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its authors sponsors  
fntldr.exe,fntldr.exe is an advertising program by Gator 
fsg_4104.exe,fsg_4104.exe is a spyware installed with common application such as the file sharing software iMesh  
FVProtect.exe,FVProtect.exe is a process which is registered as the W32/Netsky-P worm  
game.exe,Game.exe is a process which is registered as the W32.Gaze@mm worm
gator.exe,gator.exe is an advertising program by Gator  
gmt.exe,gmt.exe is an Adware installed via a consenting pop-up in Internet Explorer  
goidr.exe,goidr.exe is an advertising program by Gator
hbinst.exe,hbinst.exe is an advertising program by Hotbar.com
hbsrv.exe,hbsrv.exe is an advertising program by hbsrv.exe   
hxdl.exe,hxdl.exe is an advertising program by Gator
hxiul.exe,hxiul.exe is apart of the HelpExpress adware program by Alset inc  
iedll.exe,iedll.exe is a process that hijacks the browser default home page and redirects you and advertisment webpage  
iedriver.exe,iedriver.exe is a process associated with common peer-to-peer file sharing software 
IEHost.EXE,IEHost.EXE is an advertising program  
iexplorer.exe,iexplorer.exe is the executable for a virus that is a variant of the RapidBlaster parasite that downloads and displays advertising from an Internet location  
infus.exe,infus.exe is a background process that disconnects you from your current internet connection and then tries to call a tool number with a high minute rate 
infwin.exe,infwin.exe is a variant of Msview parasite. It monitors your web usage and displays targeted popups  
intdel.exe,intdel.exe is an adware application that displays adverts to users using popups 
isass.exe,isass.exe is registered as the Optix.Pro virus which carries in it's payload. the ability to disable firewalls and local security protections and a backdoor capability 
istsvc.exe,istsvc.exe is an advertising program by Integrated Search Technologies  
jawa32.exe,jawa32.exe is a process which is registered as the Backdoor.Agent.bg worm  
jdbgmrg.exe,jdbgmrg.exe is registered as the TROJ_DASMIN.B virus 
kazza.exe,kazza.exe is a virus possibly of the OPTIXPRO.12.C. / Backdoor.OptixPro.12.c type  
keenvalue.exe,keenvalue.exe is an advertising program by Gator 
kernel32.exe,kernel32.exe is a Floodnet virus and attempts to send e-mails to everyone using Outlook aliases 
lass.exe,lass.exe is a process which is registered as the Troj.Bdoor.AKM Trojan  
launcher.exe,launcher.exe is an advertising program by Intercort Systems  
loader.exe,loader.exe is a virus which changes the victims homepage to coollllwebsearch.com and changes personalised settings on your computer 
lssas.exe,lssas.exe is a process which is registered as the W32.AGOBOT.RL Trojan  
mapisvc32.exe,mapisvc32.exe is registered as the KX virus  
mario.exe,mario.exe is a process which is registered as the trojan.mario
md.exe,md.exe is a virus which changes your homepage and redirects you to a pornographic website 
mfin32.exe,mfin32.exe is an advertising program
mmod.exe,mmod.exe is a spyware application often installed with common applications such as the popular iMesh and KaZaA file-sharing programs
mostat.exe,mostat.exe is a spyware process which gathers computer usage information  
msapp.exe,msapp.exe is added to the system as a result of the RSBOT virus  
msbb.exe,msbb.exe is an advertising program by 180 Solutions 
msblast.exe,msblast.exe is the process for the MSBlast Internet worm that uses a vulnerability in DCOM/RPC (port 135) to infect 2000/XP systems  
mscache.exe,mscache.exe is an advertising program by Integrated Search Technologies  
msccn32.exe,msccn32.exe is added to the system as a result of Win32.Sobig.B@mm (Palyh) virus. It is a mass mailer virus and spreads using email applications
mscman.exe,mscman.exe is an advertising program by Odysseus Marketing  
msdm.exe,msdm.exe is registered as the MULDROP.352 virus  
msgfix.exe,msgfix.exe is a process which is registered as the W32.Gaobot.SN Trojan 
msiexec16.exe,msiexec16.exe is registered as the Troj/OptixP-13 Trojan  
msinfo.exe,msinfo.exe is an advertising program by Gator  
mslagent.exe,mslagent.exe is an advertising program 
mslaugh.exe,mslaugh.exe is added to the system as a result of as a result of the BLASTER.E WORM  
msmc.exe,msmc.exe is a process which is registered as the Win32.Small.i Trojan  
msmgt.exe,msmgt.exe is an advertising program by Total Velocity 
msmsgri32.exe,msmsgri32.exe is a process which is registered as the RANDEX.D virus  
MSN.exe,MSN.exe is a process which is registered as the W32.Flita Trojan  
msrexe.exe,msrexe.exe is added to the system as a result of an ICQ Trojan that alters Win.ini and System.ini 
mssvc32.exe,mssvc32.exe is a process which is registered as the W32/Gaobot.WU Trojan  
mssys.exe,mssys.exe is a process which is registered as the MYSS.B virus  
msvxd.exe,Msvxd.exe is the executable process of the W32/Datom-A virus 
mwsoemon.exe,mwsoemon.exe is an advertising program by MyWebSearch  
mwsvm.exe,mwsvm.exe is an advertising program  
netd32.exe,netd32.exe is added to the system as a result of the RANDEX.F virus 
nls.exe,nls.exe is an advertising program by Webrebates  
nssys32.exe,nssys32.exe is added to the system as a result of an unidentified virus  
nstask32.exe,nstask32.exe is added to the system as a result of the RANDEX.E virus 
nsupdate.exe,nsupdate.exe is an automatic redialer sowftare  
omniscient.exe,omniscient.exe is a process belonging to the Search Assistant adware  
onsrvr.exe,onsrvr.exe is an advertising program by OnWebMedia
P2P Networking.exe,P2P Networking.exe is an advertising program by Joltid  
pcsvc.exe,PCSvc.exe is an advertising program by The Delfin Project  
pgmonitr.exe,pgmonitr.exe is an adware usually installed by Kazaa 
PIB.exe,PIB.exe is an advertising program  
powerscan.exe,powerscan.exe is an advertising program by Integrated Search Technologies  
prizesurfer.exe,prizesurfer.exe is an advertising program by Prizesurfer 
prmt.exe,prmt.exe is an advertising program by OpiStat  
prmvr.exe,prmvr.exe is an advertising program by Adtomi  
ray.exe,ray.exe is a process that hijacks the browser default home page and re-directs it to adult content web sites 
rb32.exe,rb32.exe is variant of the RapidBlaster parasite. It adds itself to the Windows start-up and is running in the background  
rcsync.exe,rcsync.exe is a process related to the PrizeSurfer application  
run32dll.exe,run32dll.exe is a part of the PAL PC Spy application. It is a key recorder and screen capture utility that monitors everything that happens on your computer 
#rundll.exe,rundll.exe can also be the LOXOSCAM virus depending on Operating System and file path; this is always a virus on Windows XP and 2000 operating systems 
rundll16.exe,rundll16.exe is added to the system as a result of the Sdbot.F virus  
ruxdll32.exe,ruxdll32.exe is added to the system as a result of the MAPSON.D virus 
saap.exe,saap.exe is an advertising program by 180 Solutions  
sahagent.exe,sahagent.exe is a SpyWare from ShopAtHomeSelect.com   
sais.exe,sais.exe is an advertising program by 180 solutions Spyware 
save.exe,save.exe is an advertising program by WhenU.com  
savenow.exe,savenow.exe is an application from WhenU company which offers coupons during your Internet experience  
sc.exe,sc.exe is an advertising program by Rhombus 
scam32.exe,scam32.exe is a process which is registered as the SIRCAM virus  
scrsvr.exe,scrsvr.exe is a process which is registered as the OPASERV virus  
scvhost.exe,scvhost.exe is a process which is registered as the W32/Agobot-S virus 
SearchUpgrader.exe,SearchUpgrader.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its authors sponsors  
service.exe,service.exe is a process which is registered as the Worm.Win32.Raleka virus  
showbehind.exe,showbehind.exe is an advertising program by MicroSmarts Enterprise 
soap.exe,soap.exe is an executable belonging to the System Soap Pro Internet cleaning software  
spoler.exe,spoler.exe is a process which is registered as the RANDEX.J virus  
start.exe,start.exe is an advertising program by Secret-Crush 
stcloader.exe,stcloader.exe is a part of the 2nd-Thought spyware  
support.exe,support.exe is a process which is registered as the W32.Akosw@mm virus  
svc.exe,svc.exe is an advertising SpyWare 
svchosts.exe,svchosts.exe is a process which is registered as the Troj/Sdbot-N Trojan  
svshost.exe,svshost.exe is a process which is registered as the Worm.P2P.Spybot.gen virus  
#system.exe, 
system32.exe,system32.exe is a process which is registered as the TROJ_SUA.A Trojan  
tb_setup.exe,tb_setup.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its authors sponsors  
teekids.exe,teekids.exe is added to the system as a relut of the Lovesan worm 
trickler.exe,trickler.exe is a part of the Gator Advertising and Informational Network (GAIN)   
tsadbot.exe,tsadbot.exe is the executable for an adware application that is known to reduce the performance of your Internet connection  
Tvm.exe,Tvm.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its authors sponsors 
tvmd.exe,tvmd.exe is a process is process that are delivered with common applications. It is installed automatically and is clasified as a spyware  
tvtmd.exe,tvtmd.exe is a process that is installed with common applications and is classified as a spyware  
update.exe,update.exe is a process related to numerous of different adwares and security threats 
updmgr.exe,updmgr.exe is an advertising program by eUniverse.com  
ViewMgr.exe,ViewMgr.exe is an advertising program by Viewpoint  
VVSN.exe,VVSN.exe is an advertising program by WhenU 
wast.exe,wast.exe is an advertising program by Wast 
web.exe,web.exe is a process which is registered as the W32.Gokar.A@mm worm  
webdav.exe,webdav.exe is an trojan used to gain access of a targeted system 
webrebates.exe,webrebates.exe is an advertising program  
webrebates0.exe,webrebates0.exe is an advertising program  
win-bugsfix.exe,win-bugsfix.exe is added to the system as a result of the LOVELETTER (I Love You) virus 
win_upd2.exe,win_upd2.exe is a process which is registered as the Trojan.BAGLE.AC Trojan  
win32.exe,win32.exe is added to the system as a result of the RATEGA virus. It is a Trojan horse give a remote user access to your computer  
win32us.exe,win32us.exe is a process belonging to an adult content dialer application that automatically tries to disconnect you internet connection and then dial a toll number 
winactive.exe,winactive.exe is a homepage hijacker process the changes your default homepage to a new homepage that displays advertisements  
winad.exe,winad.exe is an advertising program  
WinAdTools.exe,WinAdTools.exe is a free ad delivery software which provides targeted advertising offers 
WINdirect.exe,WINdirect.exe is a process which is registered as the Trojan.BAGLE.AC Trojan 
windows.exe,windows.exe is added to the system as a result of W32.HLLW.Nulut WORM  
wingo.exe,wingo.exe is a process which is registered as the W32/Bagle.bd@MM worm 
wininetd.exe,wininetd.exe is added to the system as a result of the WINET virus  
wininit.exe,wininit.exe is added to the system as a result of the WOLLF.16 virus 
winlock.exe,winlock.exe is registered as the downloader Trojan WinCommX
winlogin.exe,winlogin.exe is added to the system as a result of the RANDEX.E virus  
winmain.exe,winmain.exe is a process associated with the HTASploit.winmain trojan  
winnet.exe,Winnet.exe is an add-on for the Internet Explorer allowing you to search for sites related to a specific keyword 
winppr32.exe,winppr32.exe is a process which is registered as the system.W32.Sobig.F Virus 
WinRatchet.exe,WinRatchet.exe is a free ad delivery software which provides targeted advertising offers  
winservn.exe,winservn.exe by ClickSpring s an advertising SpyWare 
winssk32.exe,winssk32.exe is a process which is registered as the system.W32.Sobig.E  
winstart.exe,winstart.exe is an application from iGetNet  
winstart001.exe,WinStart001.exe is and add-on for Internet Exploring allowing you to find sites related to a specific keyword 
Wintime.exe,Wintime.exe is a virus which downloads other viruses  
wintsk32.exe,wintsk32.exe is added to the system as a result of the YAHA.U virus  
winupdate.exe,winupdate.exe is added to the system as a result of the RADO virus 
winxp.exe,winxp.exe is a process which is registered as the W32.Beagle.AG@mm  
wmon32.exe,wmon32.exe is a process which is registered as the W32.Agobot-IT Trojan  
wnad.exe,wnad.exe is an advertising program by Twistedhumor.com
wo.exe,wo.exe is ana application from Ezula which adds an extra button onto your Explorer bar for searching  
wovax.exe,wovax.exe is a process which is registered as the Win32.Daqa.A Trojan  
wsup.exe,wsup.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its authors sponsors 
WToolsA.exe,WToolsA.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its authors sponsors  
wtoolss.exe,wtoolss.exe is registered as the Adware  
wuamgrd.exe,wuamgrd.exe is a process which is registered as the WORM_AGOBOT.GY Trojan 
wupdate.exe,wupdate.exe is an advertising program by Wengs  
wupdater.exe,wupdater.exe is a process which is registered as the TrojanDownloader  
wupdmgr.exe,wupdmgr.exe is a process which is registered as the WORM_SPYBOT.B Trojan 
wupdt.exe,wupdt.exe is added to the system as a result of the IMISERV virus. It is a backdoor Trojan used to control a target computer from a remote location  
y.exe,y.exe is a process which is registered as the w32.small Trojan
notepad.exe,notepad bad bad bad  <-- this is a test

Share this post


Link to post
Share on other sites

It's wierd but you can manually kill the explorer process using the Windows Task Manager in XP and it won't respawn, however, if you kill it using a program other than the task manager it always seems to respawn. I'm sure there is a reg key somewhere to stop this behaviour.

BTW PartyPooper, I think the reason here is because Explorer thinks it has crashed when it gets killed outside of task manager. When Explorer crashes, it restarts itself. If it is shutdown/killed from the task manager, it doesnt do that. If you could figure out a way to stop the process in a "kind" way, it may not think it crashed, and therefore wouldnt restart.

Share this post


Link to post
Share on other sites

I think he was going for a more "proactive" approach hints the whitelisting of system critical processes.. rather than relying on blacklists.. but the code you posted is pretty good!

Share this post


Link to post
Share on other sites

I think he was going for a more "proactive" approach hints the whitelisting of system critical processes.. rather than relying on blacklists.. but the code you posted is pretty good!

I guess I missed that. That seems like it would really lock a system down in terms of adding software. My take on that is that a simple install would be quashed simply because the installer process would be killed. I guess that would work, but it doesnt make the system too flexible. I think Ill run the risk. :D

Share this post


Link to post
Share on other sites

What if someone binded the virus to explorer.exe? lol...

another thing.. viruses tend to start another process when one is closed.. u might want to close all applications in a constant LOOP.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0