Comments on: Tip: Tracking Down That Wiley Svchost Process http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/ A Technology Crow in search of Bright Shiny Objects Sat, 11 Feb 2012 03:40:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Chris http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11765 Chris Sun, 02 Sep 2007 13:42:58 +0000 http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11765 @Sephyroth - It's built-in with winxp & up. I just tried it again on a couple XP SP2 machines and they all ran it just fine. On my machine, tasklist.exe is located in c:\windows\system32. Dated 8/4/2004 and is 71KB. My win2k machine gave the same error you mention though. @Sephyroth – It’s built-in with winxp & up. I just tried it again on a couple XP SP2 machines and they all ran it just fine.

On my machine, tasklist.exe is located in c:\windows\system32. Dated 8/4/2004 and is 71KB.

My win2k machine gave the same error you mention though.

]]> By: Sephyroth http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11745 Sephyroth Sun, 02 Sep 2007 05:01:59 +0000 http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11745 I'm using XP SP2, and tried to do that tasklist /svc command, but all I got was that 'tasklist' is not recognized as a command or program, etc. Is this a separately downloaded program, or is it something built into another version of Windows? Sephyroth I’m using XP SP2, and tried to do that tasklist /svc command, but all I got was that ‘tasklist’ is not recognized as a command or program, etc.

Is this a separately downloaded program, or is it something built into another version of Windows?

Sephyroth

]]> By: Chris http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11540 Chris Wed, 29 Aug 2007 15:36:54 +0000 http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11540 Great tale, Michael! And a good example of where runnning as LPU can be so very helpful -- and how much sysinternals tools rock. :-) Great tale, Michael! And a good example of where runnning as LPU can be so very helpful — and how much sysinternals tools rock. :-)

]]> By: Michael http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11533 Michael Wed, 29 Aug 2007 13:38:19 +0000 http://www.solo-technology.com/blog/2007/08/28/tip-tracking-down-that-wiley-svchost-process/#comment-11533 I got hiyt by the mljjh.dll adware last week, but it was hard to detect since it was running behind an rundll.exe process. The malware was constantly accessing the disk, so I knew something was wrong. Using FileMon, I looked at what was making all the disk pings (rundll.exe), and then using Process Explorer, I identified the file behind the operation (mljjh.dll). Only problem was that ending rundll.exe wouldn't help; it would just relaunch itself. Since I run as an LPU (least priveleged user), Iw as able to switch to an admin user, and delete the DLL from there (since it wasn't running on that user). I got hiyt by the mljjh.dll adware last week, but it was hard to detect since it was running behind an rundll.exe process. The malware was constantly accessing the disk, so I knew something was wrong.

Using FileMon, I looked at what was making all the disk pings (rundll.exe), and then using Process Explorer, I identified the file behind the operation (mljjh.dll). Only problem was that ending rundll.exe wouldn’t help; it would just relaunch itself.

Since I run as an LPU (least priveleged user), Iw as able to switch to an admin user, and delete the DLL from there (since it wasn’t running on that user).

]]>