Sysinternals Homepage
Forum Home Forum Home > Windows Discussions > Malware
  New Posts New Posts RSS Feed - How to find out who is launching a process?
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

How to find out who is launching a process?
 Post Reply Post Reply
Author
Message
  Topic Search Topic Search  Topic Options Topic Options
FreezeFIN View Drop Down
Newbie
Newbie


Joined: 01 November 2008
Location: Finland
Status: Offline
Points: 3 		Post Options Post Options   Thanks (0) Thanks(0)   Quote FreezeFIN Quote  Post ReplyReply Direct Link To This Post Topic: How to find out who is launching a process?
    Posted: 01 November 2008 at 7:54am
Hi!

Since my last Vista re-install, I've wondered about several (3 at maximum) simultaneous conime.exe processes running on my PC. Since apparently Console IME can be used for malware, I'd like to know which application is triggering these processes.

Their parent seems to be explorer.exe ... if I kill the conime.exe processes, they will pop up eventually. I've read something about MSVC 2005 compilation launching conime.exe's, but haven't got MSVC development tools installed.

Is there any tool that can to the job?

I've scanned my PC for malware and viruses every now and then, and I've got Adware 2008 and F-Secure Internet Security 2009 installed. System seems ok otherwise.
Back to Top
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Status: Offline
Points: 17506 		Post Options Post Options   Thanks (0) Thanks(0)   Quote molotov Quote  Post ReplyReply Direct Link To This Post Posted: 03 November 2008 at 3:18am
Hi FreezeFIN,

conime.exe is a legitimate Windows file.  If you're concerned about it you could verify its digital signature, or upload it to VirusTotal.com.  Process Explorer or Process Monitor can be used to determine the parent of a process.

Also, note SvenBomwollen's statement here:
Quote conime.exe will be launched and stay resident as soon as the first cmd.exe instance is launched...
Daily affirmation:
net helpmsg 4006
Back to Top
FreezeFIN View Drop Down
Newbie
Newbie


Joined: 01 November 2008
Location: Finland
Status: Offline
Points: 3 		Post Options Post Options   Thanks (0) Thanks(0)   Quote FreezeFIN Quote  Post ReplyReply Direct Link To This Post Posted: 03 November 2008 at 5:03pm
It has the correct signature - what I'm wondering, is what is triggering it - combined to Kapersky Labs forum http://forum.kaspersky.com/lofiversion/index.php/t19964.html message that says it could be used by BFGhost trojan. Also, why there are 3 of the same processes sometimes?

Regarding to my earlier post, I stand corrected - it has no parent process ... sorry, my mistake.

Process Explorer says:
Parent: <Non-existent Process>(3792)

I'm also getting sporadic reports about Trojan-Mailfinder.Win32.Blen.dz (virus) located in file C:\Users\Koti\AppData\Local\Temp\~tmp\hmunmlc11\hmunmlc11.exe - the "11" changes to "12" in next detection and so forth. Each time I zap it, it returns ~ a day later.

Not in panic mode, I'm investigatingz :) But any hints are appreciated.
Back to Top
molotov View Drop Down
Moderator Group
Moderator Group
Avatar

Joined: 04 October 2006
Status: Offline
Points: 17506 		Post Options Post Options   Thanks (0) Thanks(0)   Quote molotov Quote  Post ReplyReply Direct Link To This Post Posted: 03 November 2008 at 5:09pm
Quote Regarding to my earlier post, I stand corrected - it has no parent process ... sorry, my mistake.
Perhaps, use Procmon's "Process and Thread Activity" events to find out the creator of the process.
Daily affirmation:
net helpmsg 4006
Back to Top
obygyv View Drop Down
Newbie
Newbie


Joined: 04 November 2008
Status: Offline
Points: 1 		Post Options Post Options   Thanks (0) Thanks(0)   Quote obygyv Quote  Post ReplyReply Direct Link To This Post Posted: 04 November 2008 at 3:21pm
Hi.

I have the same "trojan". Did you find how to resolve this problem?
Back to Top
SvenBomwollen View Drop Down
Senior Member
Senior Member


Joined: 29 August 2008
Location: Germany
Status: Offline
Points: 1630 		Post Options Post Options   Thanks (0) Thanks(0)   Quote SvenBomwollen Quote  Post ReplyReply Direct Link To This Post Posted: 04 November 2008 at 3:39pm
Hello, obygyv.
Originally posted by obygyv obygyv wrote:

Hi.I have the same "trojan". Did you find how to resolve this problem?
Perhaps this instruction will help you get rid of Trojan-Mailfinder: Trojan-Mailfinder.Win32.small.ac.

HTH,
Sven
Back to Top
FreezeFIN View Drop Down
Newbie
Newbie


Joined: 01 November 2008
Location: Finland
Status: Offline
Points: 3 		Post Options Post Options   Thanks (0) Thanks(0)   Quote FreezeFIN Quote  Post ReplyReply Direct Link To This Post Posted: 04 November 2008 at 3:40pm
Yep - I downloaded executed Malwarebytes' Anti-malware software in Windows Safe mode, and it found + deleted a bunch of infections:


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mstsc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\spool (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Infected registry items:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\windows\system32\drivers\logman.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: system32\drivers\logman.exe -> Quarantined and deleted successfully.

Infected folders:
C:\Windows\System32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

Infected files:
C:\Windows\system\mstsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\logman.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Koti\AppData\Roaming\Microsoft\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Then, later, FSIS 2009 popped up a window about mstsc.exe requesting internet connection - it was an .exe of 80 kb located in c:\users\<name>\appdata\local ... Windows original mstsc.exe is in > c:\Windows\System32 and 662 kb in size. Additionally, the fake mstsc.exe had no version information or digital signature, so it was pretty obvious this .exe wasn't legit.

Later today, F-Secure confirmed that the mstsc.exe file I send them contained malware, and they are updating their virus databases accordingly.


Edited by FreezeFIN - 04 November 2008 at 5:11pm
Back to Top
 Post Reply Post Reply
  Share Topic   

Forum Jump Forum Permissions View Drop Down