StarDestroyer.Net BBS

I was helping someone ferret out a mIRC Trojan on their laptop when I discovered this while troubleshooting.

Ever want to match a running application to it's process in Task Manager?

1. Open several applications. ( IE, Winzip, Paint, etc )
2. Open the Task Manager
3. Go to the Applications Tab
4. Highlight the Application you want to match with a process.
5. Right click and select ' Go to process'

This should work on XP as well, not so sure on NT. Have not tested that yet.

Excellent tip, TPJ!

IIRC, that worked under NT4 as well.

I believe it does work with XP also.


And don't forget that besides the "End process" option, you also have the option of ending an entire tree of processes, which I think is used to close, say, all currently open IE windows, if you're hit by a mass popup attack or something.

Always use that if a proggie is acting up and won't die properly.

Shinova wrote:I believe it does work with XP also.


And don't forget that besides the "End process" option, you also have the option of ending an entire tree of processes, which I think is used to close, say, all currently open IE windows, if you're hit by a mass popup attack or something.

I just tried that, it stops related processes but not all of the same name.

I opened 3 instances of MS Paint and chose to end the entire tree. It only closed 1 MS Paint.

That's because the three instances of Microsoft Paint are seperate from each other. End Tree only works with child processes.

I don't get it.

Superman wrote:I don't get it.

Here you go:

Eh Faram d00d, you have BackWeb.

I see a Backweb-7681197.exe in your tasklist.

Einhander Sn0m4n wrote:Eh Faram d00d, you have BackWeb.

I see a Backweb-7681197.exe in your tasklist.

Yeap I know...

F-Secure uses it to automaticaly dload AV updates.

But don't worry I have it locked down





Btw Kerio 2.1.5 is out

Thought you had me there did't you

phongn wrote:That's because the three instances of Microsoft Paint are seperate from each other. End Tree only works with child processes.

Yeah, thats what I figured.

This came in real handy when I used it. The laptop I was working would launch mIRC everytime at boot up. But mIRC was not installed in the Programs sections, not in the registry, and not in the usual places like Start Up Folder.

When I matched the application to the process, the trojan was renamed at TaskMngr.exe . Pretty clever, because I did not catch it in the processes that were running because they were sorted by CPU % and not name.

Not very useful, since I seemed to have memorized the names of most of the EXEs that I run, and I don't run multiple instances of stuff thanks to tabbed interfaces, except for OO.

Pu-239 wrote:Not very useful, since I seemed to have memorized the names of most of the EXEs that I run, and I don't run multiple instances of stuff thanks to tabbed interfaces, except for OO.

Thats great for your OWN computer. When you are supporting other computers that people walk up and bring to your desk it can be quite useful.

I still don't get it.

Good tip Jawa. Works with XP.

Yeah, thats a really useful one.