How do you find the owner of a process ? (2nd try)

DD
I'm not sure that this msg made it out, the first time I sent it, so I
am trying again. --

Win XP Home Edition

I use System.Diagnostics.Process.GetProcesses() to get info about the
processes running.
I don't see any members of class 'Process' which allow me to get the
name of the owner of the process.

A related question: Can a running process hide itself from the
GetProcesses() call? If so, how can I find and kill it?

The reason I am asking this question, is that I apparently just picked
up a virus of some kind.

It is doing these things:
- trying to send a msg to IP 1.1.1.1 port 6667 every few seconds.
I prevented this from succeeding.
- immediately shutting down the window I get when I type Ctrl-Alt-Del
- Immediately shutting down regedit, when I try to run it.
- runs even after a restart of the machine

So, I figured I would write a program to kill any process I want.
But sometimes I get an exception "access denied", even though I am
running with admin privileges. I am guessing that this is for
processes owned by System.

If anyone has other ideas about what I can do, I'd sure like to hear
them. In particular, how can I find out which processes will
automatically run at startup, and how can I change that?

Alan
Nov 15 '05 #1
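The owner lookup the question asks about, as an added example that is not code from the thread: since System.Diagnostics.Process exposes no owner member, the program opens each process with PROCESS_QUERY_INFORMATION, opens its access token, and lets WindowsIdentity translate the token's user SID into a name. It also enables SeDebugPrivilege in its own token first, which is one common reason an administrator still gets "access denied": the privilege is held by Administrators but disabled by default, and without it OpenProcess (and Process.Kill) is subject to the target process's DACL. The class and method names are mine; the P/Invoke declarations are the standard Win32 ones.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the thread): resolve the owner of each process by
// opening its access token, since System.Diagnostics.Process has no Owner member.
static class ProcessOwners
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;   // enough to open the token on XP
    const uint TOKEN_QUERY = 0x0008;
    const uint TOKEN_DUPLICATE = 0x0002;
    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint SE_PRIVILEGE_ENABLED = 0x0002;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint desiredAccess, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState,
                                             uint bufferLength, IntPtr previousState, IntPtr returnLength);

    // Returns "DOMAIN\user" for the process, or null with the Win32 error code in
    // 'error' (ERROR_ACCESS_DENIED = 5 is what a restrictive process DACL produces).
    public static string GetOwner(int pid, out int error)
    {
        error = 0;
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (hProcess == IntPtr.Zero) { error = Marshal.GetLastWin32Error(); return null; }
        try
        {
            IntPtr hToken;
            if (!OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE, out hToken))
            {
                error = Marshal.GetLastWin32Error();
                return null;
            }
            try
            {
                // WindowsIdentity duplicates the token and translates the user SID to a name.
                return new WindowsIdentity(hToken).Name;
            }
            finally { CloseHandle(hToken); }
        }
        finally { CloseHandle(hProcess); }
    }

    // Enables SeDebugPrivilege in the caller's token. Administrators hold this
    // privilege but it is disabled by default; once enabled, OpenProcess bypasses
    // the target's DACL, which is why an admin otherwise sees "access denied".
    public static bool EnableDebugPrivilege()
    {
        IntPtr hToken;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
            return false;
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            // AdjustTokenPrivileges returns TRUE even when the privilege is not held
            // by the token; the last-error value tells the two cases apart.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(hToken); }
    }

    static void Main()
    {
        Console.WriteLine("SeDebugPrivilege enabled: {0}", EnableDebugPrivilege());
        foreach (Process p in Process.GetProcesses())
        {
            int err;
            string owner = GetOwner(p.Id, out err);
            Console.WriteLine("{0,6} {1,-28} {2}", p.Id, p.ProcessName,
                owner ?? "<" + new Win32Exception(err).Message + ">");
        }
    }
}
```

Run it from an administrator account; the Idle process (PID 0) always fails with an invalid-parameter error and is expected. Enabling SeDebugPrivilege makes Process.Kill() succeed on processes whose DACL denies Administrators, but it does nothing against a process that has hidden itself from enumeration, and the warning in the reply below about terminating SYSTEM-owned processes still applies.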

<DD@chi-town> wrote in message
news:bd********************************@4ax.com...
I'm not sure that this msg made it out, the first time I sent it, so I
am trying again. --

Win XP Home Edition

I use System.Diagnostics.Process.GetProcesses() to get info about the
processes running.
I don't see any members of class 'Process' which allow me to get the
name of the owner of the process.
That's because it's not there.
A related question: Can a running process hide itself from the
GetProcesses() call? If so, how can I find and kill it?
Not sure. They might be able to. If they hide from you, it's
because you don't have enough privilege to see them, in which
case trying to find them is pointless. I'm not sure they can
do this, but if they can, you would have to be a user with a
higher set of privileges.
The reason I am asking this question, is that I apparently just picked
up a virus of some kind.

It is doing these things:
- trying to send a msg to IP 1.1.1.1 port 6667 every few seconds.
I prevented this from succeeding.
- immediately shutting down the window I get when I type Ctrl-Alt-Del
- Immediately shutting down regedit, when I try to run it.
- runs even after a restart of the machine

So, I figured I would write a program to kill any process I want.
But sometimes I get an exception "access denied", even though I am
running with admin privileges. I am guessing that this is for
processes owned by System.

If anyone has other ideas about what I can do, I'd sure like to hear
them. In particular, how can I find out which processes will
automatically run at startup, and how can I change that?


I think that this might be the ie85rk or whatever it's called.

It's a rootkit that shims itself in the kernel and hides all
traces of itself. There's nothing you can do to find it other
than to boot into safe mode and look at the list of drivers
in HKLM\System\CurrentControlSet somewhere, I forget.

Search www.ntbugtraq.com for more information about this.
Try searching for "root kit".

As far as killing processes, that's a bad idea. Some
processes are owned by SYSTEM and you can't kill them unless
you're logged in as SYSTEM (hint: set scheduler service
to run as SYSTEM and schedule cmd.exe to run with
INTERACTIVE 30 seconds from now, then, when it pops up,
open taskmgr.exe to kill the process), but that's a VERY
VERY BAD IDEA(TM).

Try the Safe Mode idea and look for the root kit.

-c
Nov 15 '05 #2
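The startup audit the question asks for, together with the driver list the reply points at under HKLM\System\CurrentControlSet, as an added example that is not code from the thread: it dumps the Run and RunOnce keys of HKLM and HKCU, the user's Startup folder, and every entry under HKLM\SYSTEM\CurrentControlSet\Services whose Start value is boot (0), system (1) or auto (2), marking which of them are kernel or file-system drivers. The class and method names are mine and the program only reads; it assumes a 32-bit Windows XP registry layout.

```csharp
using System;
using System.IO;
using Microsoft.Win32;

// Added example (not from the thread): list the common auto-start locations
// on a Windows XP-era system. Read-only; nothing is modified.
static class AutoStartAudit
{
    static readonly string[] RunKeys =
    {
        @"Software\Microsoft\Windows\CurrentVersion\Run",
        @"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    };

    // Service 'Type' flags and 'Start' values as stored under ...\Services\<name>
    const int SERVICE_KERNEL_DRIVER = 0x1, SERVICE_FILE_SYSTEM_DRIVER = 0x2;
    const int SERVICE_AUTO_START = 2;   // 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled

    static void DumpRunKeys(RegistryKey hive, string hiveName)
    {
        foreach (string sub in RunKeys)
        {
            using (RegistryKey key = hive.OpenSubKey(sub))
            {
                if (key == null) continue;
                foreach (string name in key.GetValueNames())
                    Console.WriteLine("{0}\\{1}: {2} = {3}", hiveName, sub, name, key.GetValue(name));
            }
        }
    }

    static void DumpStartupFolder()
    {
        string dir = Environment.GetFolderPath(Environment.SpecialFolder.Startup);
        if (!Directory.Exists(dir)) return;
        foreach (string f in Directory.GetFiles(dir))
            Console.WriteLine("Startup folder: {0}", f);
    }

    // Every service or driver that starts without user action. Drivers with no
    // ImagePath value load from System32\Drivers\<name>.sys by default.
    static void DumpBootServices()
    {
        using (RegistryKey services = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Services"))
        {
            if (services == null) return;
            foreach (string name in services.GetSubKeyNames())
            {
                using (RegistryKey svc = services.OpenSubKey(name))
                {
                    if (svc == null) continue;
                    object type = svc.GetValue("Type"), start = svc.GetValue("Start");
                    if (!(type is int) || !(start is int) || (int)start > SERVICE_AUTO_START) continue;
                    bool isDriver = ((int)type & (SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER)) != 0;
                    string image = svc.GetValue("ImagePath") as string ?? "<no ImagePath>";
                    Console.WriteLine("{0,-7} start={1} {2,-24} {3}", isDriver ? "driver" : "service", start, name, image);
                }
            }
        }
    }

    static void Main()
    {
        DumpRunKeys(Registry.LocalMachine, "HKLM");
        DumpRunKeys(Registry.CurrentUser, "HKCU");
        DumpStartupFolder();
        DumpBootServices();
    }
}
```

To use it the way the reply suggests, save the output from a normal boot and again from Safe Mode and compare the two; an entry that appears only in one of them, or a driver ImagePath that cannot be opened from the running system, is where to look. To stop an entry from starting, a Run value is deleted and a service or driver's Start value is set to 4 (SERVICE_DISABLED); the reply's caution applies here too, so check what a driver is before disabling it.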
