Uncovering Hidden Processes on Windows System

The Real Problem

When you start your PC, lot of processes will be running. Some processes run by default and some are started by you. As you keep installing more and more software's, the process list goes bigger and bigger. Some day it reaches the stage where in it gets difficult to manage those processes and in between if some spyware come and sit on your machine, you can't make out easily until some really bad thing happens.

Detection Tools

Here I will throw some light on various methods of detecting spyware or any malicious programs running on the computer, starting from basic to advanced level. Usually startup programs are managed through various registry settings. If you are an expert, then you can edit these registry settings yourself. You can find a good list of startup registry locations here. Below are the some of very useful tools which can either be used alone or in combination with others.

1.MSConfig The 'msconfig' tool comes with Windows. It not only shows you list of processes which are started by default when you start your computer but also allows you to modify execution of startup processes. 2.HijackThis This is very good tool which shows all startup entries (processes, BHOs, services..etc) from non-windows applications. This way you can easily find out and knock off suspicious processes.   3.Autoruns One more good tool is Autoruns from Sysinternals. This tool shows all startup entries (processes, services, drivers, Winlogon notify entries, winsock providers etc). Also you can make it to display non-microsoft entries by selecting "Hide microsoft entries" from the options menu.   4.Process Explorer You can use the 'Process Explorer' from SysInternals.com to find out more detailed information about all the running processes. Once you find the process or DLL, you wants to know if its really spyware or any kind of malware programs. You can find out this by connecting to ProcessLibrary.com. This website provides information about a process or DLL to make out if its legitimate process or not. By the way you can always use Google to find out more information about any suspicious looking process. 5.BHORemover BHO stands for 'Browser Helper Objects' which are the plugins written for Internet Explorer to enhance its capabilities. But this feature is being misused by many spyware programs which monitor user's browsing habits and also steal the online credentials silently. To eliminate such BHO's from the computer, I have written a tool called BHORemover which scans and lists all installed BHO's on the system with detailed information. This helps in identifying malicious programs and remove them from the system.   6.WinServiceManager WinServiceManager provides single point of administration for managing various aspects of Windows services. It has got more features and provides better management functionality than built-in Windows service management console. It shows list of non-windows services which allows the user to quickly identify and remove the additional services, most of these are installed by spyware to monitor the activities.   7.RemoteDLL Some of the spywares use the DLLs to monitor and control their life cycle. Usually these DLL's are injected into windows processes such as explorer.exe, winlogon.exe etc to hide their presence. You can remove these DLL's from the process using the RemoteDLL tool.   8.Anti Rootkits All the above mentioned tools are the basic ones to find out more information about running programs. But there are more stealth programs such as rootkits which cannot be detected by normal programs. You need more sophisticated tools to view those programs. There are couple of rootkit detection tools such as BlackLight from F-Secure, Mcafee's Rootkit Detective, Rootkit Revealer from SysInternals.com and IceSword by PJF. IceSword is very advanced tool among all and it shows all hidden processes, services, drivers, SSDT hooks, messages hooks etc.

Conclusion

Antivirus or Antispyware applications can't always protect you from new malicious programs. You need to defend on your own to protest your own system from these programs. Hope this article has enlightened you to some extent in that direction.

References

1. HijackThis: Remove the hijacked entries from the system.

2. Autoruns: System startup entries enumerator and eliminator.

3. Process Explorer: Dispalys process details including loaded modules.

4. BHO Remover: Scans and removes installed BHO's from the system.

5. WinServiceManager: Manage Windows services at one point

6. RemoteDLL: Tool to inject or remove the DLL from process

7. BlackLight: Light rootkit detecttior from F-Secure.

8. IceSword: Advanced rootkit detection tool.

9. Rootkit Detective: Rootkit detection tool from McAfee.

10.Rootkit Revealer: Sysinternal's rootkit detection tool.

11.IceSword & Rootkit : Using IceSword to detect rootkits.