-
Jan 2nd, 2003, 10:28 PM
#1
Thread Starter
Fanatic Member
Make a running program crash [RESOLVED]
I received a message on Hotmail and downloaded a screen saver,
DON'T DOWNLOAD IT!
...
It is a virus...
So I installed it... stupidly... not knowing the freaking file was infected... and I rebooted a few hours later.
I found a .txt file on my desktop called "aYerHS.txt",
The hackers manifesto.
Here is the file content... which is randomly outputted on boot...
=================================================
W32.@YerH$.B,Made in India.
wE aRe thE greAt iNdiAnS.
----------------------------
iNdiAn hAckeRs + vXerS teAm up...
aNd kicK lamEr a**
no m0re pAk ****..
itZ oUr tiMe to shOw tHem, the p0wer of teaM w0rk.
f**k AIC,GFORCE,SILVERLORDS,WFD..f*****g k1dd1es..
no **** bUsineSS iN heRe aNd
nO lamE stuFF..
=================================================
>> [email protected]
Now, I sent the Ctrl+Alt+Delete keys to look at the running programs and a new program was running...
(Panicked, freaked out, kicked my dog... set the house on fire bla bla bla... the usual stuff... and then *DELETED THE INSTALLATION FILES OF THE SCREEN SAVERS* which did not do anything at all)
"Winservices"
......REALLY?!, did I say...
I shut down the program... but my computer suddenly crashes...
(this problem also occurred in the past sometimes)...
I rebooted... and looked at the Start -> Run...
Typed: "msconfig"
Then checked for booting programs... Unchecked the "Winservices" program to hopefully not start at Windows boot...
But it did...
However, the booting list of msconfig indicates the location of the file executed, soooo the only thing I need to do is to delete the file located in "C:\Windows\System\Winservices.exe".
However... it is well known that you cannot delete a file that is currently running nor modify its content... so......
======================
=====MAIN OBJECTIVE =====
======================
I need to program something in Visual Basic, similar to the Ctrl+Alt+Delete window, that would
0. List all the running programs.
1. Make a selected program crash.
Plus, I found that some programs can run in the taskbar without being displayed in the running programs list, I would like to list those programs also.
2. List hidden running programs also
======================
===FOR YOUR OWN SAFETY ==
======================
If you ever receive an e-mail with a screen saver download, simply delete the e-mail.
Well, that is all fellow readers... Also, while writing this message I have an idea that could actually work... deleting the infected exe in DOS MODE, pressing the F8 button while Windows is loading..... let's hope it works!
If you have suggestions about the virus or the VB program (By the way I use VB6), please post right away...!
Last edited by Ruku; Jan 8th, 2003 at 10:35 AM.
-
Jan 2nd, 2003, 10:41 PM
#2
You should take a look at this
-
Jan 2nd, 2003, 10:54 PM
#3
Thread Starter
Fanatic Member
Thanks...BUT
Originally posted by MartinLiss
You should take a look at this
Oh... I think I forgot to mention... the anti-virus I used
Norton
Does not boot anymore...
And when I start it...
It does not load...
And the only other effects I found were:
1. Internet Explorer browser homepage randomly changes to a hacker website
2. The "My documents" folder is entirely considered as hidden files, so inexperienced users think their files are lost...
3. Little use of RAM...
4. Add the .txt file to your desktop when you boot
5. Add the Winservices program to running programs list
...
I consider myself lucky to have only an inoffensive virus like this one... However... it may and probably does contain other stuff I am unaware of... Like sharing internet information
Thanks for the link anyways...!
-
Jan 2nd, 2003, 11:17 PM
#4
Thread Starter
Fanatic Member
Fellow readers.....
I found a way to delete the winser~1.exe in SAFETY DOS MODE by pressing F8,
I did these commands in order to erase the virus:
VB Code:
REM Change directory to C:\
cd\
REM Change into directory "Windows"
cd Windows
REM Change to subdirectory "System"
cd System
REM Show EVERY file
attrib
REM Unset the hidden attribute so the file is normal instead of hidden
attrib winser~1.exe -H
del winser~1.exe
Well, it worked
That wuz fun... but still, I would be interested in doing the program that I talked about earlier!
-
Jan 3rd, 2003, 01:29 AM
#5
Frenzied Member
There's a thread on here from quite a while back that talks about doing just that. Have a look around with the good ol' Search and see what you can find. I'd give you more info on the thread if I could recall anything
-
Jan 3rd, 2003, 02:04 AM
#6
Have a look at the site MartinLiss posted. Definitely a bugger up - I've got the worm as well.
Have a look at http://housecall.trendmicro.com - it's a free online AV.
-
Jan 3rd, 2003, 04:02 AM
#7
Fanatic Member
Re: Fellow readers.....
Originally posted by Ruku
I found a way to delete the winser~1.exe in SAFETY DOS MODE by pressing F8,
I did these commands in order to erase the virus:
VB Code:
REM Change directory to C:\
cd\
REM Change into directory "Windows"
cd Windows
REM Change to subdirectory "System"
cd System
REM Show EVERY file
attrib
REM Unset the hidden attribute so the file is normal instead of hidden
attrib winser~1.exe -H
del winser~1.exe
Well, it worked
That wuz fun... but still, I would be interested in doing the program that I talked about earlier!
That is good that you got your computer free of the virus. Good to hear that. Which OS were you using?
A.A. Fussy
Babya Software Group
-
Jan 3rd, 2003, 04:09 AM
#8
-
Jan 3rd, 2003, 12:13 PM
#9
Thread Starter
Fanatic Member
Doesn't matter...
Originally posted by aafuss
That is good that you got your computer free of the virus. Good to hear that. Which OS were you using?
I'm using Windows 98se...
But I got the virus out by deleting it in DOS (which is an operating system), with the attrib command, which can list EVERY file like the dir command, but the attrib command can ALSO change the file attributes.
-
Jan 3rd, 2003, 12:41 PM
#10
Thread Starter
Fanatic Member
REALLY... where?!
Originally posted by mlewis
There's a thread on here from quite a while back that talks about doing just that. Have a look around with the good ol' Search and see what you can find. I'd give you more info on the thread if I could recall anything
Post the URL please........ coz I can't find it.....!!!!!!
I'm currently searching through the forums... but I found nothing but things that access the Windows registry... however... if a virus would not use the Windows registry... which is very likely... then it won't do anything...
( http://www.vbforums.com/showthread.p...ht=SaveSetting )
What I am looking for is to make a program crash...
This thread was on the right track, however... it didn't give ANY answer to my questions...
( http://www.vbforums.com/showthread.p...37#post1318037 )
........
And so, this thread is still looking for an answer!!!!
-
Jan 3rd, 2003, 12:46 PM
#11
-
Jan 3rd, 2003, 12:51 PM
#12
Thread Starter
Fanatic Member
Ok everyone........
I eliminated the virus manually.....
THE THREAD TOPIC HAS CHANGED, NOW I WANT TO KNOW HOW TO LIST THE RUNNING PROGRAMS IN VB, SIMILAR TO THE CTRL+ALT+DELETE WINDOW AND SHUTDOWN PROGRAMS BY MAKING THEM CRASH,
EVERYTHING CLEAR NOW?
send me links to post of VBFORUMS or something that could help me build this program.........!
-
Jan 3rd, 2003, 12:57 PM
#13
Member
Re: Ok everyone........
Wow thx for telling this out I got one too and it was from a friend of mine "email" so I blamed him but it wasn't even him so hmmm thx but my nortan stooped it thankfully
Gone! 
-
Jan 3rd, 2003, 05:55 PM
#14
Frenzied Member
Nortan is good for stooping
-
Jan 3rd, 2003, 06:24 PM
#15
Fanatic Member
Norton... Huh?
I have used Norton AV 2002 for a while with no problems, and have just upgraded to 2003. NEVER had any problems with it.
A few days ago, I downloaded a file called ISO.exe, which was infected with this virus:
BKDR_BO2K.10
Be very careful with the virus, it can be potentially damaging. It completely crashed two systems, and Bl**dy Norton 2003 (with LiveUpdate installed 4 mins prior) didn't pick it up!
Symantec don't even know of this virus! I have stopped ordering NAV now, and use http://www.trendmicro.com
It scans all your files locally, via the net. It uses a secure applet file, which picked the file up in seconds. I now do all my scanning via that website, and wouldn't go back to Norton ever.
Sorry Symantec... but it's happened more than once, I can no longer trust the package. I need business systems stable!
Everyone... try http://www.trendmicro.com , PLEASE! You would be surprised how good it really is.
Regards,
Paul.
-
Jan 3rd, 2003, 07:09 PM
#16
Frenzied Member
Ruku use these API functions
To kill a process:
Declare Function TerminateProcess Lib "kernel32" Alias "TerminateProcess" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
To get all running processes:
Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
-
Jan 3rd, 2003, 08:45 PM
#17
Thread Starter
Fanatic Member
Thanks a lot, I'll check those functions immediately!
Originally posted by Shawn N
Ruku use these API functions
To kill a process:
To get all running processes:
Finally, an answer
Thanks a lot...
However... I don't think it will enumerate the hidden programs in the taskbar, but which are not listed on Ctrl+Alt+Del window...
Any help for that one?
-
Jan 3rd, 2003, 09:09 PM
#18
Frenzied Member
Have you actually tried it? I don't have the virus so I couldn't say whether or not it'd work. Good luck.
-
Jan 3rd, 2003, 09:11 PM
#19
Thread Starter
Fanatic Member
Ok.....
Would you mind explaining how to use the functions you mentioned earlier...?
VB Code:
Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
and
VB Code:
Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
.......
I can't figure out what the "lpidProcess" means... neither any component of the function
...
just post a sample of how to use it... something like
VB Code:
msgbox EnumProcesses(0,0,0)
Or just send me a URL link that would explain in detail the entire function... pretty please
-
Jan 3rd, 2003, 10:12 PM
#20
Another option to booting in DOS mode, for those of us who don't have one, is to boot in safe mode, which doesn't load anything but the OS.
-
Jan 3rd, 2003, 10:51 PM
#21
RuKu,
A sure-fire way of getting rid of any offending file or service is using regedit or regedt32, if you cannot kill the process or delete the file and you know the file name.
Search the registry for the file, change the directory location of the offending file and reboot (the directory name does not even have to be real). Windows will not be able to find the file to load it. Then you can do what you please to the @#$#% file.
-
Jan 3rd, 2003, 11:38 PM
#22
Fanatic Member
Hi Ruku
I used Norton Antivirus for a while but uninstalled it, because it makes my PC slow. So I tried McAfee and was not happy either.
I changed to PC-cillin and since then no problems anymore.
To your virus:
All the big antivirus companies have updated pattern files. You should regularly update them on your PC.
BUT .... there exist some viruses that are newly written and don't have the standard techniques to spread. That means that the heuristic search techniques of the antivirus programs have no chance to detect them. These viruses can do some damage. The problem is that you gamble with the start of any "not trusted" program. I never open a greeting card, or any other attachment, even if it is from a friend. No EXE, DLL, OVL or whatever will be started if it doesn't come from an original CD or if it has not been downloaded by many other people without negative response.
That you can change the attrib in DOS is no problem for some files, but if they use hidden characters makes it easier. Fortunately these virus idiots were not professional enough, otherwise you would have much more pain.
nice greetings
Franky
-
Jan 4th, 2003, 11:41 AM
#23
Thread Starter
Fanatic Member
-
Jan 4th, 2003, 10:10 PM
#24
not sure what you meant by "files were attached to the virus"
do you mean they were infected?
Anyway, there are dozens of ways for a virus to be run, and most of them don't use the registry. run= or load= in the win.ini file, putting a name after the explorer.exe in system.ini, a file in the startup menu, replacing a system file or commonly used one (aol.exe comes to mind, and the virus could run the waol.exe hidden file and no one would be wiser). Just a couple of examples.
Well, y'all get the idea I hope.
-
Jan 5th, 2003, 12:29 AM
#25
PowerPoster
Re: I made quite the stupid error...
Just reformat ... what's the big deal? You do stay backed up, right? Judging from this thread, you've already expended the energy and time of 10 re-formats already ...
-
Jan 5th, 2003, 06:44 AM
#26
Fanatic Member
Nice Virus!
hey! very nice virus u got tha.
Gives me great ideas for my own. I hate Anti-Virus software. It's a load of rubbish if the viruses are new. Anti-Virus can only find out if the file is a virus or not, by reading its code and seeing if the code is the same as the code in its virus database. And if it is the same, it says it's a virus, and hates it.
Load of rubbish really. As soon as someone makes a new virus, they have quite a long time for it to be infecting peeps before anyone or anti-virus companies even know about it. By the time they have got the code, and made an update, the virus has infected enough peeps, to go around doing more. And hardly anyone knows they can update or do anyway.
But I suppose it's always good to have one, so that ur protected from old viruses I suppose. Be sensible, and keep updated, and reduce the amount of files you download. Only accept file transfers from people you know well, although, even ur best friend can be sending u a virus without u even knowing it, or him/herself in fact!
I dunno why I have given this little lecture, but I felt bored and wanted to type somet!
Thanks for the help, I never knew about the auto opening when an exe file is opened using the registry.
I am not into making the damaging viruses, I just like makin the trojans/remote administration programs. Damaging viruses suck, and I don't see the point in them. If you need to damage someone, why damage everyone in the process? just make a trojan and send it to the person u want. connect to their comp, call a function, u wrote earlier which is nasty, and bye bye!
Cya!
-
Jan 6th, 2003, 12:27 AM
#27
Re: I made quite the stupid error...
Originally posted by Ruku
...
Hey readers...
I found out that other files were attached to this virus, so I deleted them (I knew this because the virus, screensavers, etc... had the same icon)... but bad news:
ONE OF THEM IS USED BY WINDOWS
And my problem is this...
Every time I open a shortcut, it tells me that it can't find the program, ... So I have to browse through directories every time I want to open an unbrowsed shortcut... Because once it's located, it doesn't ask again...
Uh oh...
The biggest bad news...: I didn't check the file names...
I know... that was quite the stupid thing to do.....
But now... would anyone happen to know what files I should download to get Windows back in order???
Yaha modifies HKEY_CLASSES_ROOT\exefile\shell\open\command so that it's run every time you open an executable. Windows is giving you that error because it can't find one of the virus files which you deleted, probably WinServices.exe.
You should be able to open regedit now, so change the value in that key to
"%1" %*
With quotes.
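The startup locations named in posts #24 and #27 (run= and load= in win.ini, the shell= line in system.ini, and the exefile open command) can be checked in one pass. The following is an added example, not code from the thread; it assumes the standard Windows 9x section names [windows] and [boot], takes the file contents and registry value as text, and its function names and sample values are constructed for illustration.

```python
EXPECTED_EXE_OPEN = '"%1" %*'  # the value post #27 says to restore

def ini_values(text, section, keys):
    """Return {key: value} for the wanted keys inside one [section] of INI text."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in keys:
                found[key.lower()] = value
    return found

def audit_autostart(win_ini, system_ini, exefile_open):
    """List autostart settings that differ from a stock Windows 9x setup."""
    findings = []
    # win.ini: anything named on run= or load= starts with Windows.
    for key, value in ini_values(win_ini, "windows", {"run", "load"}).items():
        if value:
            findings.append(f"win.ini {key}= starts: {value}")
    # system.ini: shell= should name explorer.exe and nothing else.
    shell = ini_values(system_ini, "boot", {"shell"}).get("shell", "").split(None, 1)
    if shell and shell[0].lower() != "explorer.exe":
        findings.append(f"system.ini shell= replaced by: {shell[0]}")
    elif len(shell) > 1:
        findings.append(f"system.ini shell= also starts: {shell[1]}")
    # Registry: the exefile open command must be exactly "%1" %* (with quotes).
    if exefile_open.strip() != EXPECTED_EXE_OPEN:
        findings.append(f"exefile open command hijacked: {exefile_open.strip()}")
    return findings

# Constructed sample inputs (not captured from a real infection).
CLEAN = ("[windows]\nload=\nrun=\n", "[boot]\nshell=Explorer.exe\n", '"%1" %*')
INFECTED = (
    "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\sample1.exe\n",
    "[boot]\nshell=Explorer.exe sample2.exe\n",
    'C:\\WINDOWS\\SYSTEM\\sample3.exe "%1" %*',
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, audit_autostart(*sample) or "no findings")
```

On a live system the third argument is the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command as shown in regedit.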
-
Jan 6th, 2003, 03:10 PM
#28
-
Jan 6th, 2003, 03:11 PM
#29
You should have used the free virus cleaner from Norton instead of deleting the virus files yourself...
-
Jan 8th, 2003, 10:25 AM
#30
Thread Starter
Fanatic Member
Re: Re: I made quite the stupid error...
Originally posted by axion_sa
Yaha modifies HKEY_CLASSES_ROOT\exefile\shell\open\command so that it's run every time you open an executable. Windows is giving you that error because it can't find one of the virus files which you deleted, probably WinServices.exe.
You should be able to open regedit now, so change the value in that key to
"%1" %*
With quotes.
Yes, probably... but no it wasn't the file Winservices.exe....
-
Jan 8th, 2003, 10:27 AM
#31
Thread Starter
Fanatic Member
No...
Originally posted by kleinma
You should have used the free virus cleaner from Norton instead of deleting the virus files yourself...
I would... but the virus denied any access to the anti virus...
I had to go in "SAFE-DOS" mode...
-
Jan 8th, 2003, 10:28 AM
#32
Thread Starter
Fanatic Member
Oki
Originally posted by Shawn N
I went ahead and exported my registry setting for that key for you. Just take off the txt extension.
Thanks, I'll check this out immediately!
-
Jan 8th, 2003, 10:31 AM
#33
Thread Starter
Fanatic Member
By the way...
Originally posted by Ruku
Thanks, I'll check this out immediately!
I totally forgot to mention,
there is a program located @ download.com that can crash any program running. It is very useful and I don't think I would ever create a better program in VB...
use KILLER32
I tried much stuff with this... for example... if a security program is watching your computer... simply make it crash ...
Of course... this must work with viruses!
-
Jan 8th, 2003, 09:49 PM
#34
It might work with a trojan, but a virus will be hidden INSIDE a regular program (hence infecting it). Therefore it wouldn't show up on the task bar or process list since it would be part of another process.
That TROJAN would be easy to kill probably however.