I've realized that some process is shelling the CMD, and each time the CMD appears in the TaskList the CPU usage goes to a hundred percent. Is there anyway to detect who is shelling it?
If you pass the hWnd of the console window, either use GetAncestor or iterate through GetParent calls:
Code:
' user32 calls for walking the window hierarchy (VB6 declarations).
Private Declare Function GetAncestor Lib "user32.dll" (ByVal hwnd As Long, ByVal gaFlags As Long) As Long
Private Declare Function GetParent Lib "user32" (ByVal hwnd As Long) As Long
' GA_ROOT: walk up to the top-level (root) window that owns the handle.
Private Const GA_ROOT = 2

' Demo on a form that contains a TextBox named Text1.
Private Sub Form_Load()
    Dim ParenthWnd_1 As Long
    Dim ParenthWnd_2 As Long
    ' Root ancestor of the textbox's window (the form, for a control placed directly on it).
    ParenthWnd_1 = GetAncestor(Text1.hwnd, GA_ROOT)
    ' Immediate parent window of the textbox; call GetParent repeatedly to walk further up.
    ParenthWnd_2 = GetParent(Text1.hwnd)
    Me.AutoRedraw = True
    Me.Print "Parent of the textbox: " + CStr(ParenthWnd_2)
    Me.Print "Root ancestor of the textbox: " + CStr(ParenthWnd_1)
    Me.Print "This form's handle: " + CStr(Me.hwnd)
End Sub
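The window-parent approach above needs a window handle, but the question is really about which process created cmd.exe. As an added example that is not from this thread, the script below watches for cmd.exe and net.exe process creation through a WMI intrinsic event and logs the parent process; it assumes a modern Windows host with the CIM cmdlets (PowerShell 3 or later), and the function, event and log-file names are made up here.

```powershell
# Added example: report which process spawns cmd.exe / net.exe, even when the
# child lives only a second or two. Defined in the global scope so the event
# action block below can call it.
function global:Get-SpawnParentInfo {
    param([uint32]$ParentPid)
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $ParentPid"
    if ($null -eq $parent) {
        # Parent already exited; the PID is all that is left to report.
        return "pid $ParentPid (already exited)"
    }
    return "{0} (pid {1}) cmdline: {2}" -f $parent.Name, $parent.ProcessId, $parent.CommandLine
}

# Log file for the observations (constructed path for this example).
$global:SpawnLog = Join-Path $env:TEMP 'shell-spawn.log'

# WMI intrinsic event: fires within 1 second of any new Win32_Process whose
# name is cmd.exe or net.exe, so a short-lived child is still caught.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND (TargetInstance.Name = 'cmd.exe' OR TargetInstance.Name = 'net.exe')"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'ShellSpawnWatch' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    $line = "{0} {1} (pid {2}) spawned by {3}; child cmdline: {4}" -f `
        (Get-Date -Format 's'), $p.Name, $p.ProcessId,
        (Get-SpawnParentInfo -ParentPid $p.ParentProcessId), $p.CommandLine
    Write-Host $line
    Add-Content -Path $global:SpawnLog -Value $line
}

# One-shot snapshot of any cmd.exe / net.exe instances already running.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'cmd.exe' OR Name = 'net.exe'" |
    ForEach-Object {
        "{0} (pid {1}) parent: {2}" -f $_.Name, $_.ProcessId,
            (Get-SpawnParentInfo -ParentPid $_.ParentProcessId)
    }

# When finished watching: Unregister-Event -SourceIdentifier 'ShellSpawnWatch'
```

On hosts with Sysmon installed, event ID 1 (process creation) already records ParentImage and ParentCommandLine for every new process, which answers the same question without polling.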
That will be hard!! The cmd stays open for a second or two. Anyway... I've studied the TaskList and realized that two processes were created when the 100% CPU usage started. So, I started looking at which one was the second one.... and I found that the file is net.exe
Holy c**p!! Wouldn't it be a virus?? I'm scanning my system now, and the stupid antivirus (which should have been resident, avoiding the infection) says that the WORM/NIMDA.E was found in dozens of files.
I'll let you know the results... and if this was the problem.
BTW.... never, in your whole life, spend a dime on this antivirus. I had a discussion some months ago about a file which I knew was a virus (because Symantec on its site stated exactly what the file should do, and the subject of the email, name of the file, etc.). I've sent this file to them because my antivirus said that it was clean. I got an answer from them stating that the file was harmless.
I agreed with them on that part. It was harmless, but the file created some keys in the registry (to be run the next time you boot), copies itself to the Windows folder and when you reboot, it starts and sends itself to all your address book. Apparently, that was not a virus for this antivirus tech support.
So, I tested the EXE (since I knew thanks to Symantec that the virus was rather stupid and harmless).... and got the keys created, the file copied, etc. I had a big fight with them by email in which I included the Run registry key branch exported (before the virus and after it), the file created in the Windows folder, etc... but they almost ignored me. Obviously, I deleted the file from the Windows folder and the registry before rebooting, so the virus wasn't spread.
And now... this. To sum up, never, ever buy MultiVac, or TabGuard or any other antivirus (with similar features) these people make
Thanks, MartinLiss... I'll have a look at that virus too. Anyway, I cannot see any key like that one in the registry. This is what I have:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"iamapp"="D:\\Archivos de programa\\Norton Personal Firewall\\IAMAPP.EXE"
"Iomega Startup Options"="D:\\Archivos de programa\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="D:\\Archivos de programa\\Iomega\\DriveIcons\\ImgIcon.exe"
"WheelMouse"="D:\\ARCHIV~1\\A4Tech\\Mouse\\Amoumain.exe"
"QuickTime Task"="C:\\WINNT\\System32\\qttask.exe"
"Disc Detector"="D:\\Archivos de programa\\Creative\\ShareDLL\\CtNotify.exe"
"UpdReg"="C:\\WINNT\\Updreg.exe"
"AudioHQ"="D:\\Archivos de programa\\Creative\\SBLive2k\\AudioHQ\\AHQTB.EXE"
"LoadQM"="loadqm.exe"
"AppPlus"="D:\\Archivos de Programa\\AppPlus\\AppPlus.exe"
"T@B Guard"="c:\\solinfo\\load_nt.exe"
"TaskReg"="C:\\WINNT\\system32\\w32com.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"