Detect Hidden Process and Rootkit with DeepMonitor

Posted by Raymond in category: Computer, May 27, 2008

A rootkit is a computer security threat designed to modify the core software components of the system, inserting code that attempts to hide the “infection” and provides some additional feature or service to the attacker. Some advanced trojans also have the capability to hide themselves using rootkit techniques. One example is Bifrost, which is able to unhook kernel-mode hooks in order to bypass more firewalls.

Nowadays many security suites such as Kaspersky Internet Security and Norton Internet Security are able to detect and defend against rootkits. If, like me, you don’t like installing and using bloated security suites, you can try this very small and simple yet powerful hidden process detector. It claims to detect most rootkit technologies!


DeepMonitor is a hidden process detector, for Windows XP SP2 only, that defeats most rootkit technologies. It can also detect some hidden injected-module techniques. Although it is very good at detecting hidden processes, this tool can’t tell you whether a normal running process that can be seen in Windows Task Manager is dangerous or not. Take svch0st.exe as an example. By looking at the filename, it is obviously a virus or spyware, because the letter O has been replaced by the number zero (0). If you run DeepMonitor, it will also show svch0st.exe, but it will not warn you, because it is not a hidden process.

One technique that many trojan authors use to defeat traditional security measures is to co-opt other applications to do their dirty work. For example, a trojan can take control of privileged applications, such as Internet Explorer or Firefox, and carry out all of its malicious activity through them. This makes all of the attacks appear to come from Internet Explorer or Firefox, not from the actual trojan.

One trojan that does this is Bifrost. It injects code into the explorer.exe process, which then spawns an invisible Internet Explorer (iexplore.exe) or Firefox (firefox.exe) process. The trojan then injects extra code into iexplore.exe (not as an extra DLL; it writes the malicious code directly into the memory space of iexplore.exe). This extra code then causes iexplore.exe to act as a backdoor into the computer, giving the attacker complete visibility of the file system and registry.

I tried infecting my own computer with Bifrost while DeepMonitor was monitoring my system. DeepMonitor detected the hidden process and showed a warning through a tray balloon notification.

Detected hidden process

When I launched DeepMonitor from the Windows tray bar, it showed firefox.exe in red, which marks it as a hidden process. The blue ones are legitimate processes. I can double-click on a process for more information or kill it. When I check Windows Task Manager, firefox.exe also appears in the list, but I wouldn’t know whether it has been tampered with or not.
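The idea behind this kind of detection, as an added PowerShell example that is not DeepMonitor’s code and not from the original post: three independent views of the process list are compared (the in-process enumeration behind Task Manager, the WMI provider that runs in a separate process, and a direct handle probe of every possible PID), and any PID missing from one of the views is reported as a candidate. It assumes Windows XP or later and an elevated Windows PowerShell session; the function names are my own.

```powershell
# Added example (not DeepMonitor's code). A process hidden from one enumeration
# path often remains visible through another; differences between the views
# are the signal. Assumes Windows XP or later and an elevated session.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool GetExitCodeProcess(IntPtr h, out uint code);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-PidsByHandleProbe {
    # View 3 asks no list API at all: every possible PID is opened directly.
    # A process unlinked from the kernel's process list (DKOM) can usually still
    # be opened by id, because the id lookup goes through a separate table.
    # Processes that have exited but still have open handles are skipped.
    $stillActive = 259
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) exists from Vista on and can
    # open protected processes; XP only knows PROCESS_QUERY_INFORMATION (0x0400).
    $access = if ([Environment]::OSVersion.Version.Major -ge 6) { 0x1000 } else { 0x0400 }
    for ($id = 4; $id -le 65532; $id += 4) {      # NT process ids are multiples of 4
        $h = [Win32.Native]::OpenProcess($access, $false, $id)
        if ($h -eq [IntPtr]::Zero) {
            # ERROR_ACCESS_DENIED (5) means the id is in use but not openable by us.
            if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq 5) { $id }
            continue
        }
        [uint32]$code = 0
        if ([Win32.Native]::GetExitCodeProcess($h, [ref]$code) -and $code -eq $stillActive) { $id }
        [void][Win32.Native]::CloseHandle($h)
    }
}

function Find-HiddenProcessCandidates {
    # PID 0 (System Idle) is listed by the APIs but can never be opened, so drop it.
    [int[]]$api   = (Get-Process).Id | Where-Object { $_ -ne 0 }                 # View 1: in-process API
    [int[]]$wmi   = (Get-WmiObject Win32_Process).ProcessId | Where-Object { $_ -ne 0 }  # View 2: WMI
    [int[]]$probe = Get-PidsByHandleProbe                                         # View 3: handle probe
    foreach ($id in ($api + $wmi + $probe | Sort-Object -Unique)) {
        $missing = @()
        if ($api   -notcontains $id) { $missing += 'api' }
        if ($wmi   -notcontains $id) { $missing += 'wmi' }
        if ($probe -notcontains $id) { $missing += 'probe' }
        if ($missing.Count -gt 0) {
            New-Object PSObject -Property @{ PID = $id; MissingFrom = ($missing -join ',') }
        }
    }
}

Find-HiddenProcessCandidates | Format-Table -AutoSize
```

Processes that start or exit between the three snapshots also show up as one-off differences, so re-run the check and only investigate PIDs that stay flagged. A kernel-mode rootkit that intercepts the id lookup as well can defeat the third view too, which is why a tool like DeepMonitor combines several such checks.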

Download DeepMonitor

A lot of advanced trojans such as Bifrost, Poison Ivy and sHark already use this method to fool the computer user and to bypass firewall protection. It is good to run DeepMonitor once in a while to check your system for rootkits or hidden processes. Remember, rootkits and hidden processes are “designed” to stay in your computer undetected. You never know if you have one in your system until you run DeepMonitor.

[ Download DeepMonitor ]


    • http://theifoneblog.blogspot.com Jash Sayani

      Thanks!

      That's a good way to terminate buffer attacks! :)

    • roger

      I get a ‘DeepMonitor Designed Only For XP!’ message. I’m using MCE.

    • xdmv

      Hi!
      VirusTotal.com reports as suspicious file. Is it OK?

    • digART

      Hi Raymond,

      take alook at Eset SysInspector:
      http://www.eset.com/download/sysinspector.php

      regards,

    • http://www.raymond.cc/ Raymond

      @xdmv: I am sure it is safe. Just a false positive.

      @digART: I’ve already posted about Eset SysInspector few months ago :)

    • uhoh

      @xdmv Kaspersky says it's clean, so it's clean :)

      Thanks Raymond for the helpful program, I am grateful for your contributions.

      .:uhoh:.

    • commoz

      Thanks, it's good to have this.

    • Vanamali

      Ray,

      How about Sysexplorer ? What do you think ? Which of the two is better ?

      Vanamali

    • Amirz

      I am simply using Sysinternals Process Explorer too now, but thanks for this. Will give it a try.

    • http://www.raymond.cc/ Raymond

      This tool is not really a task manager. It is a tool designed to detect hidden processes and rootkits.

    • Amirz

      If it only detects a hidden process but does not act as a task manager (it has no ability to stop it), then how do I stop/kill it (the hidden process), Raymond? Please tell us how to do it. Thx Raymond.

    • Eugene

      Is it the same as UnhackMe?

    • praveen

      It's working fine with Win XP SP3 also.

    • http://www.raymond.cc/ Raymond

      To kill a process, just right click on the process and select “Kill that bad boy”

    • Amirz

      Cool. Thanx Raymond.

    • Amirz

      Strange. When I try it on XP SP3, the tool says “Deepmonitor only designed to Windows Xp” and then suddenly “now exit”, but later its window still shows there. There's also a status: “the starting command failed”. I also read “designed for xp sp2 (only?)”. My question: is it only compatible with XP SP2, not XP SP3 (or even Vista), or do I miss something? Thank you very much for the reply. Regards

    • alok

      Thanks Raymond.

    • Amirz

      Sorry. I did miss reading the whole article; it's obviously for XP SP2 only. Not available for XP SP3 unless you have luck. Sorry and thanks Raymond.

    • http://keine Martin

      Hi,

      greetings from Germany :))

      Your site is very cool and usually I'm here every day!

      Martin

    • http://adorablefan.blogspot.com/ chris

      cool!

    • jeff parker

      Thanks for this software again Raymond!

    • http://www.raymond.cc/ Raymond

      I am using Windows XP SP3 and it works like a charm.

    • Titan

      What’s with this thing? “advance trojan such as Bifrost, Poison Ivy and sHark are already using…”
      Those RATs are old as dirt itself, and easily detected by even the worst AVs. I would put more trust in the Eset tool linked to above.

    • http://www.raymond.cc/ Raymond

      LOL @ Titan. Those “old as dirt” RATs that you're talking about are the PUBLIC versions, which of course are detectable by any antivirus. Perhaps you don't even know that there are PRIVATE UNDETECTED versions of those RATs which can't be detected by any antivirus.

    • Mojo

      Useful … Thanks!

    • Amirz

      Hello Raymond, according to your post, as you said it works on your XP SP3 well, I trust you, although I still feel confused why on my XP SP3 it doesn't. I think there's something wrong in my own XP SP3 system (but not XP SP3's fault itself). Hopefully I will fix it soon. Still researching.
      To all XP SP3 users, please ignore my post above (Deepmonitor is compatible with XP SP3) and you all can download and install it without doubt. Thanks a lot Raymond. Regards-Amirz

    • IanG

      I'm running XP MCE with SP3, but after downloading it, I get told it's only designed for XP!

    • IanG

      I'm using Windows XP SP3 and it does not work like a charm!

    • irjan

      Thanks a lot…. I'll try it!!!

    • Amirz

      To IanG, thanks for your information. Like you, I am using XP MCE SP3 too and it doesn't work. So according to my and your same problem above, I guess it works on each XP SP3 but NOT XP MCE edition SP3 (fine on other XP editions such as XP Pro and XP Home SP2/SP3). Well, how about it Raymond? Or is there just nothing to do with it? Too bad, it works perfectly on my XP SP2 Pro. But however, thank you. Regards-Amirz

    • tai

      CLEAN FILE

    • fox_unleashed

      Do you know any software that can kill more than one process at the same time and can delete the .exe at the same time too? Coz I've dealt with a virus that has 4 .exe running at the same time and they keep on watching each other, so if I kill one of them then the other 3 will notice that one of their friends is “dead” and will revive it ASAP, so there will be 4 of them again. How can you beat that virus Ray?

    • Sarwalia

      It has shown many files in the PC in red, and all of them are named avwsc with different PID numbers. I searched that name and found avwsc is a file in Avira. So is it safe to delete them or not?


    • Edmund Malabo

      2 Rootkit Hidden Processes, keep coming back
      I had Avast warn me 4 times that I had a Rootkit Hidden Process.
      C:\Windows\system32\drivers\ATWPKT2.SYS and another one too.

      I did post yesterday morning on Tech Support Forum, but had no response, so I am posting here as well.

      I tried to follow the 5 steps, but I ran into a problem.

      First, I didn’t scan with Panda because yesterday I scanned with Avast and today I had to do it again. It took over 1 1/4 hours, so I didn’t do it again with Panda.

      Then, on Step 5, after trying to run the DSS, I got the BSOD 2x while it was trying to create a restore point.

      Since DSS didn't work, I downloaded the current HJT program and ran that. My log is posted below.

      I am using XP Pro, with SP2. I had no problems ever with my computer, but this week I tried to upload onto YouTube, and then I had this problem. I won't do that again..

      Thanks for understanding about the steps in advance.


    • http://redmond.elasticore.nl Redmond Dudley

      Hi,
      This is truly an excellent tool, thanks!

      Posted by Redmond Dudley

    • beb~

      I downloaded DeepMonitor already.. thanx to you =) I just received an alert that a hidden rootkit is in rundll.exe.. is it safe to delete it?? Plzz help me.. my computer is really in trouble =(

    • nuwisiha

      Thanks for the tool… it is very helpful for me.

    • imad

      thank youuuuuuuuuuuuuuuu

    • hemnah

      Hello… I have this game that hides its process.

      Every time I open DeepMonitor, it restarts my PC!

      How is that?

      By the way… my online game is protected by

      Nprotect game guard.

    • Nicholas Harris

      Thank you!

    • Aftab

      This is a great tool. I caught the key-logger which was hidden by all means. I suspected it but couldn't find where it was. This tool really helped and saved me. Thanks
