How to view hidden tasks - using free program?

Discussion in 'Security and Privacy' started by marty, 2005/03/10.

Thread Status:
Not open for further replies.
  1. 2005/03/10
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    I've just started running Security Task Manager which is useful in helping me stop unwanted processes coming to my gateway machine from my kids' machines.

    They run AIM a lot and I think that this is going to be a constant source of trouble. However Security Task Mgr is shareware and eventually I'll either have to buy it or stop using it.

    Are there any freeware programs out there doing much the same thing? I'm running XP fwiw.

    Thanks.

    Marty
     
  2. 2005/03/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0

  4. 2005/03/10
    marty

    marty Inactive Thread Starter

    Hi Charles,

    That looks really good, maybe even better than what I've been using.

    Any others out there folks recommend? I'm finding that this has now become an ongoing battle to retain control of my bandwidth.

    The first time I woke up in the morning to see my dial-up connection had sent over 100MB /out/ the night before I almost flipped. So now I disconnect whenever I'm not at my desk.

    Must admit the Internet is evolving a bit differently than I'd imagined only a few years ago. :(

    Marty
     
  5. 2005/03/10
    charlesvar

    charlesvar Inactive Alumni

    Hi Marty,

    You put this in a section for malware removal - probably would get more responses in the "Other Software" or "General Security" sections.

    One of the Mods will make a judgement and perhaps move it.

    Don't post the same question somewhere else though, it's frowned upon.

    Regards - Charles
     
  6. 2005/03/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Pete moved it.

    Marty - if sysinternals has a utility, you normally can't find a better one anywhere. Mark Russinovich (and Bryce Cogswell for some at that site) writes them about as well as they can be written.
     
  7. 2005/03/11
    marty

    marty Inactive Thread Starter

    Hi Newt,

    I've been running V8.52, d/l'd and installed a while ago but forgot about it until Charles reminded me yesterday.

    Have just upgraded to V9.02.

    What I found over the last day is that Security Task Mgr displays processes which are hidden and have non-existent files e.g. smsse.exe (smss.exe is a bona fide MS process). Apparently whatever is bugging my network is smart enough to start hidden processes with names that look close to genuine tasks, and then remove evidence of them from the hard drive.

    The older version of sysinternals.com's Process Explorer didn't spot these, but Security Task Mgr did. I should know sometime today if this is a problem with the latest version of Process Explorer.

    What a *&#^*&%#@ pita.

    Marty
     
  8. 2005/03/11
    charlesvar

    charlesvar Inactive Alumni

    Marty,

    "Apparently whatever is bugging my network is smart enough to start hidden processes with names that look close to genuine tasks, and then remove evidence of them from the hard drive."

    That sounds like a RootKit, which I've had no experience with.

    Here are some threads on the subject from Wilders:

    http://www.wilderssecurity.com/showthread.php?t=67742 On sysinternals RootKit Revealer - links to other tools as well

    http://www.wilderssecurity.com/showthread.php?t=69658 Other anti RootKit tools

    You might also look at AT's: ewido (there's a free scan only version) and TDS which has a trial.

    Regards - Charles
     
  9. 2005/03/11
    charlesvar

    charlesvar Inactive Alumni

    Hi Marty,

    Some more software:

    System Safety Monitor - actually my fav:

    http://maxcomputing.narod.ru/ssme.html?lang

    Another process firewall: ProcessGuard by DiamondCS - a free version as well as a paid one, the difference is that the free one will only protect apps from being terminated.

    http://www.wilderssecurity.com/forumdisplay.php?f=13 PG section at Wilders forum.

    Regards - Charles
     
  10. 2005/03/11
    marty

    marty Inactive Thread Starter

    Thanks Charles, I'm beginning to feel enlightened. OTOH I ran RootkitRevealer and came up with 15 discrepancies, all listed on http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml as NTFS metadata files.

    So my conclusion is no rootkit, at least based on this one test.

    ------------------------------

    Here's some more info about my problem.

    The software seems to be using my computer to send out stuff. I'm thinking it may be using my box to send spam email, because that's what has come to mind. Even though I'm on dial-up, I have a static IP, which probably makes me a more desirable target.

    I've been doing some cleanup on my own lately. Besides junk in my registry which I locate searching for keys containing 'run', but which has been ok lately, have noticed crapola written to the following hd locations:

    c:\
    c:\windows
    c:\windows\system32

    The root dir stuff only showed up once so far that I noticed, but here's a list (fwiw) of what is currently on those other directories:

    03/09/2005 03:29 PM 126,976 dllTSCLIBMT.dll
    03/09/2005 03:30 PM 25,157 RMAgentOutput.dll
    03/09/2005 03:31 PM 102,470 runtsckl.exe
    03/09/2005 07:43 PM <DIR> FLEOK
    03/09/2005 09:18 PM <DIR> EliteSideBar
    03/10/2005 12:26 PM 13,530,531 VPTNFILE.486
    03/10/2005 12:26 PM 13,530,531 lpt$vpn.486
    03/10/2005 03:58 PM 32,620 SchedLgU.Txt
    03/10/2005 07:35 PM 3,220,832 TMADCE.ptn
    03/10/2005 09:55 PM 49 wiaservc.log
    03/10/2005 09:55 PM 0 0.log
    03/10/2005 10:18 PM 1,580,828 tsc.ptn
    03/11/2005 08:09 AM 208,896 PATCH.EXE
    03/11/2005 08:09 AM 69,689 UNZIP.DLL
    03/11/2005 08:09 AM 1,142,784 TMUPDATE.DLL
    03/11/2005 08:09 AM 4,342 setupapi.log
    03/11/2005 08:09 AM <DIR> AU_Log
    03/11/2005 08:16 AM <DIR> AU_Backup
    03/11/2005 08:16 AM <DIR> Debug
    03/11/2005 08:16 AM <DIR> report
    03/11/2005 08:16 AM 156 GetServer.ini
    03/11/2005 09:06 AM <DIR> AU_Temp
    03/11/2005 09:53 AM <DIR> EliteToolBar
    03/11/2005 09:53 AM <DIR> backup
    03/11/2005 09:53 AM 4 RM_RESULT.DAT
    03/11/2005 09:53 AM 679 TSC.ini
    03/11/2005 10:24 AM 31 win.ini
    03/11/2005 02:40 PM 33,898 ModemLog_BCM V.92 56K Modem.txt
    03/11/2005 03:10 PM 254 wiadebug.log


    ...........................

    system32:

    03/11/2005 09:55 AM 67 o
    03/11/2005 09:55 AM 0 spoolsrv.exe
    03/11/2005 11:53 AM 2,126 wpa.dbl
    03/11/2005 02:50 PM 0 ftpupd.exe
    03/11/2005 05:36 PM 127,488 zzzxliv.exe


    Heh, it's a learning experience.

    Marty
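
Added example, not part of the original thread and not code from any tool mentioned in it: the two symptoms reported above, file names one or two characters off a genuine system binary (smsse.exe for smss.exe) and zero-byte executables in system32, can be triaged from a saved `dir` listing. The `KNOWN` allow-list and all function names are assumptions made for this example.

```python
import re

# Assumed allow-list: a few genuine Windows XP system binaries (not exhaustive).
KNOWN = ["smss.exe", "csrss.exe", "lsass.exe", "services.exe",
         "svchost.exe", "spoolsv.exe", "winlogon.exe", "explorer.exe"]
# Rows copied from the system32 listing in the post above.
LISTING = """\
03/11/2005 09:55 AM 67 o
03/11/2005 09:55 AM 0 spoolsrv.exe
03/11/2005 11:53 AM 2,126 wpa.dbl
03/11/2005 02:50 PM 0 ftpupd.exe
03/11/2005 05:36 PM 127,488 zzzxliv.exe
"""
ROW = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d [AP]M (<DIR>|[\d,]+) (.+)$")

def parse_dir(text):
    """Yield (name, size) for each `dir` row; size is None for directories."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            size = m.group(1)
            yield m.group(2), None if size == "<DIR>" else int(size.replace(",", ""))

def edit_distance(a, b):
    """Levenshtein distance, one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name, max_dist=2):
    """Return the genuine binary that `name` nearly matches, else None."""
    dist, best = min((edit_distance(name.lower(), k), k) for k in KNOWN)
    return best if 0 < dist <= max_dist else None

def triage(text):
    """Flag zero-byte executables and near-miss names in a `dir` listing."""
    findings = []
    for name, size in parse_dir(text):
        reasons = []
        if size == 0 and name.lower().endswith((".exe", ".dll")):
            reasons.append("zero-byte executable")
        if (target := lookalike_of(name)):
            reasons.append("near-miss of " + target)
        if reasons:
            findings.append((name, reasons))
    return findings
```

A name match alone proves nothing, so anything flagged here still needs its path, size and signature checked against a clean install.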
     