How do you find the owner of a process ? (2nd try)

DD@chi-town

I'm not sure that this msg made it out, the first time I sent it, so I
am trying again. --

Win XP Home Edition

I use System.Diagnostics.Process.GetProcesses() to get info about the
processes running.
I don't see any members of class 'Process' which allow me to get the
name of the owner of the process.

A related question: Can a running process hide itself from the
GetProcesses() call? If so, how can I find and kill it?

The reason I am asking this question, is that I apparently just picked
up a virus of some kind.

It is doing these things:
- trying to send a msg to IP 1.1.1.1 port 6667 every few seconds.
I prevented this from succeeding.
- immediately shutting down the window I get when I type Ctrl-Alt-Del
- Immediately shutting down regedit, when I try to run it.
- runs even after a restart of the machine

So, I figured I would write a program to kill any process I want.
But sometimes I get an exception "access denied", even though I am
running with admin privileges. I am guessing that this is for
processes owned by System.

If anyone has other ideas about what I can do, I'd sure like to hear
them. In particular, how can I find out which processes will
automatically run at startup, and how can I change that?

Alan

Chad Myers

> I'm not sure that this msg made it out, the first time I sent it, so I
> am trying again. --
>
> Win XP Home Edition
>
> I use System.Diagnostics.Process.GetProcesses() to get info about the
> processes running.
> I don't see any members of class 'Process' which allow me to get the
> name of the owner of the process.

That's because it's not there.
> A related question: Can a running process hide itself from the
> GetProcesses() call? If so, how can I find and kill it?

Not sure. They might be able to. If they hide from you, it's
because you don't have enough privilege to see them, in which
case trying to find them is pointless. I'm not sure they can
do this, but if they can, you would have to be a user with a
higher set of privileges.
> The reason I am asking this question, is that I apparently just picked
> up a virus of some kind.
>
> It is doing these things:
> - trying to send a msg to IP 1.1.1.1 port 6667 every few seconds.
> I prevented this from succeeding.
> - immediately shutting down the window I get when I type Ctrl-Alt-Del
> - Immediately shutting down regedit, when I try to run it.
> - runs even after a restart of the machine
>
> So, I figured I would write a program to kill any process I want.
> But sometimes I get an exception "access denied", even though I am
> running with admin privileges. I am guessing that this is for
> processes owned by System.
>
> If anyone has other ideas about what I can do, I'd sure like to hear
> them. In particular, how can I find out which processes will
> automatically run at startup, and how can I change that?

I think that this might be the ie85rk or whatever it's called.

It's a rootkit that shims itself in the kernel and hides all
traces of itself. There's nothing you can do to find it other
than to boot into safe mode and look at the list of drivers
in HKLM\System\CurrentControlSet somewhere, I forget.

Search www.ntbugtraq.com for more information about this.
Try searching for "root kit".

As far as killing processes, that's a bad idea. Some
processes are owned by SYSTEM and you can't kill them unless
you're logged in as SYSTEM (hint: set scheduler service
to run as SYSTEM and schedule cmd.exe to run with
INTERACTIVE 30 seconds from now, then, when it pops up,
open taskmgr.exe to kill the process), but that's a VERY
VERY BAD IDEA(TM).

Try the Safe Mode idea and look for the root kit.

-c
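The owner lookup that System.Diagnostics.Process does not expose (Alan's question, and Chad's "it's not there"), as an added example that is not code from this thread: it goes through WMI's Win32_Process class and its GetOwner method, which do exist in System.Management, and lists every process with its owning account. Seeing which processes are owned by SYSTEM also explains the "access denied" on kill attempts from an ordinary admin token. The class and method names below are the example's own; it assumes a reference to System.Management.dll.

```csharp
// Added example, not from the thread: list running processes with their owner
// via WMI (Win32_Process.GetOwner). Requires a reference to System.Management.dll.
using System;
using System.Management;

class ProcessOwners   // name chosen for this example
{
    // Returns "DOMAIN\user" for a Win32_Process instance, or null when the
    // owner cannot be read (GetOwner returns non-zero, e.g. access denied).
    static string GetOwner(ManagementObject proc)
    {
        // GetOwner has two out parameters: User and Domain. WMI fills them in.
        string[] args = new string[] { string.Empty, string.Empty };
        int rc = Convert.ToInt32(proc.InvokeMethod("GetOwner", args));
        if (rc != 0 || args[0].Length == 0)
            return null;
        return args[1] + "\\" + args[0];
    }

    static void Main()
    {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(
            "SELECT ProcessId, Name FROM Win32_Process");
        int systemOwned = 0;
        foreach (ManagementObject proc in searcher.Get())
        {
            string owner = GetOwner(proc);
            if (owner == null)
                owner = "<unavailable>";
            // SYSTEM-owned processes are the ones a plain admin token cannot
            // terminate; count them so the summary line shows the split.
            if (owner.EndsWith("\\SYSTEM", StringComparison.OrdinalIgnoreCase))
                systemOwned++;
            Console.WriteLine("{0,6}  {1,-28} {2}",
                proc["ProcessId"], proc["Name"], owner);
        }
        Console.WriteLine("SYSTEM-owned processes: {0}", systemOwned);
    }
}
```

A process that is absent from this list but visible to the network (for example, the one talking to port 6667) is consistent with Chad's rootkit suspicion, since WMI sees the same process table as GetProcesses().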