Recent Posts1
RogueKiller / Re: I was dumb - got a virus
« Last post by markem on August 08, 2020, 05:08:57 am »Ok. For the FUTURE - here is my solution
Step #1 : Do a Google search for a site that has the top 25 FREE antivirus programs including such things as Malwarebytes, SuperAntiSpyware, Avira, Kaspersky, and CLAMWIN. ClaimWin is a really neat free piece of software. It is still running but so is Kaspersky. Anyway - a small plug there for free software. :-) I currently have HitManPro running, RogueKiller running, Kaspersky running, and ClamWin running. This is to keep my system safe while I get rid of the virus stuff. Also I have #3 below running.
Step #2 : Download or RE-download all of your drivers. Look for the USB driver install and RE-install it. Then, reboot, then check to see if you can see every USB device you own. If not - RE-install it again and repeat. At some point you should be able to see your devices.
Step #3 : YOU NEED TO HAVE THIS AND RUN IT if netsh.exe (or NETSH.EXE) shows up in your Task Manager. Or better yet - download Microsoft's excellent Process Explorer and then look for the above program. If you have it you REALLY NEED my little program. This is called process.au3 (or PROCESS.AU3). It is an AUTOIT program. You can find and download AutoIt by Googling it, click on the download, go ALL THE WAY down to the bottom and download it. There is also a Script Editor (I use VIM). Install AutoIt and then run this simple program. What does the program do? It looks at your tasks, checks to see if netsh.exe is running, and if so - it kills it. It does this until there ARE no netsh.exe programs running, then it sleeps for 30 seconds and checks again. Here is the program:
You should be able to run the program by just typing "autoit3 process.au3". This will keep netsh.exe from downloading more viruses onto your system. Ok - so first you download AutoIt3, install, run this program AND THEN you run something like Kaspersky and ClamWin (I am running a lot of them and none of them seem to interfere with the other antivirus programs.)
Step #4 : So you have made it this far - after days of reading information online about what to do I FINALLY found how to stop netsh.exe. This is how you do it:
This resets your internet interface, gets rid of any commands that might have been put into netsh.exe's execution loop. You MUST reboot after this or netsh.exe will just continue to start up new instances of it.
This is what I have so far. I have NOT yet rebooted because I am backing everything up and I am making a DVD with drivers for my laptop.
PS: The Preview didn't seem to do anything. Let me check this again. Ah! That got it! :-)
PPS: The AutoIt3 program was taken, in part, from examples in the AutoIt3 documentation. The netsh command was taken from:
https://lizardsystems.com/articles/configuring-network-settings-command-line-using-netsh/
You can also use:
Which can clear the arpcache.
And - argh. Netsh.exe is still trying to run - but wait! I still have not rebooted. Ugh. I will reboot tomorrow. Hopefully all of the 7-zip programs will have finished and yes - I know the archives might have a virus in them. Probably not with all of the antivirus software that is running - but we shall see! :-)
Mark
Step #1 : Do a Google search for a site that has the top 25 FREE antivirus programs including such things as Malwarebytes, SuperAntiSpyware, Avira, Kaspersky, and CLAMWIN. ClaimWin is a really neat free piece of software. It is still running but so is Kaspersky. Anyway - a small plug there for free software. :-) I currently have HitManPro running, RogueKiller running, Kaspersky running, and ClamWin running. This is to keep my system safe while I get rid of the virus stuff. Also I have #3 below running.
Step #2 : Download or RE-download all of your drivers. Look for the USB driver install and RE-install it. Then, reboot, then check to see if you can see every USB device you own. If not - RE-install it again and repeat. At some point you should be able to see your devices.
Step #3 : YOU NEED TO HAVE THIS AND RUN IT if netsh.exe (or NETSH.EXE) shows up in your Task Manager. Or better yet - download Microsoft's excellent Process Explorer and then look for the above program. If you have it you REALLY NEED my little program. This is called process.au3 (or PROCESS.AU3). It is an AUTOIT program. You can find and download AutoIt by Googling it, click on the download, go ALL THE WAY down to the bottom and download it. There is also a Script Editor (I use VIM). Install AutoIt and then run this simple program. What does the program do? It looks at your tasks, checks to see if netsh.exe is running, and if so - it kills it. It does this until there ARE no netsh.exe programs running, then it sleeps for 30 seconds and checks again. Here is the program:
Code: [Select]
#include <WinAPI.au3>
#include <Date.au3>
Local $iConsole, $hConsole, $aGetConsoleWin
$iConsole = _WinAPI_AttachConsole(-1)
If $iConsole = 0 Then Exit
$hConsole = _WinAPI_GetStdHandle(1)
If $hConsole = -1 Then Exit
_WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & "Hello World" & @CRLF)
$aGetConsoleWin = DllCall("kernel32", "ptr", "GetConsoleWindow")
local $c = 0
while 1
$c = $c + 1
; if $c > 10 then exit
$iPID = ProcessExists( "netsh.exe" );
If $iPID Then ; Check if the Notepad process is running.
killProcess( $iPID )
_WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & _Now() & " : NETSH is running" & @CRLF)
Else
_WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & _Now() & " : NETSH is NOT running" & @CRLF)
sleep( 50000 );
EndIf
wend
If Not @error Then
DllCall("user32", "bool", "PostMessage", _
"hwnd", $aGetConsoleWin[0], _
"uint", 256, _ ; WM_KEYDOWN
"wparam", 13, _ ; VK_RETURN
"lparam", 0)
EndIf
end
Func getProcess()
; Run Notepad
Run("notepad.exe")
; Wait 10 seconds for the Notepad window to appear.
Local $hWnd = WinWait("[CLASS:Notepad]", "", 10)
; Display a list of Notepad processes returned by ProcessList.
Local $aProcessList = ProcessList("notepad.exe")
For $i = 1 To $aProcessList[0][0]
_WinAPI_WriteConsole($hConsole, @CRLF & @CRLF & _Now() & " : " & _
$aProcessList[$i][0] & @CRLF & "PID: " & $aProcessList[$i][1] & @CRLF )
Next
; Close the Notepad window using the handle returned by WinWait.
WinClose($hWnd)
EndFunc ;==>Example
Func killProcess( $iPID )
; Run Notepad
; Close the Notepad process using the PID returned by Run.
ProcessClose($iPID)
EndFunc ;==>Example
You should be able to run the program by just typing "autoit3 process.au3". This will keep netsh.exe from downloading more viruses onto your system. Ok - so first you download AutoIt3, install, run this program AND THEN you run something like Kaspersky and ClamWin (I am running a lot of them and none of them seem to interfere with the other antivirus programs.)
Step #4 : So you have made it this far - after days of reading information online about what to do I FINALLY found how to stop netsh.exe. This is how you do it:
Code: [Select]
netsh interface ip reset log.txtThis resets your internet interface, gets rid of any commands that might have been put into netsh.exe's execution loop. You MUST reboot after this or netsh.exe will just continue to start up new instances of it.
This is what I have so far. I have NOT yet rebooted because I am backing everything up and I am making a DVD with drivers for my laptop.
PS: The Preview didn't seem to do anything. Let me check this again. Ah! That got it! :-)
PPS: The AutoIt3 program was taken, in part, from examples in the AutoIt3 documentation. The netsh command was taken from:
https://lizardsystems.com/articles/configuring-network-settings-command-line-using-netsh/
You can also use:
Code: [Select]
netsh interface ip delete arpcacheWhich can clear the arpcache.
And - argh. Netsh.exe is still trying to run - but wait! I still have not rebooted. Ugh. I will reboot tomorrow. Hopefully all of the 7-zip programs will have finished and yes - I know the archives might have a virus in them. Probably not with all of the antivirus software that is running - but we shall see! :-)
Mark
