Finding a Disappearing Application in Windows?

Posted by Cliff
from the program-execution-audits dept.
siuengr asks: "I have a computer that has a window that pops up every few minutes, but disappears before I can figure out what it is. I have run every virus program and spybot cleaner I have, but they do not find any problems. How can I figure out what is causing this window to pop up all the time, when it doesn't stick around long enough to see anything about it? Is there any software that tracks what applications have run over a period of time, even if they are not currently running?"
  • Task Manager (Score:2, Informative)

    by Lazbien (788979)
    Open up the Task Manager and be patient. Watch the processes.
    • Re:Task Manager (Score:5, Informative)

      by ForumTroll (900233) on Thursday September 14, 2006 @06:03PM (#16109582)
      It's trivial to replace the task manager with one that only shows certain processes, and this technique is used regularly by malware. If the security of your system has been breached the task manager isn't a reliable source of information.
    • The next step... (Score:2, Insightful)

      by hackwrench (573697)
      After doing that and then downloading Process explorer to make sure it isn't replaced is to look in your startup with either MSconfig or startup control panel.
      http://www.sysinternals.com/Utilities/ProcessExplorer.html [sysinternals.com]
      http://www.mlin.net/StartupCPL.shtml [mlin.net]
    • Re:Task Manager (Score:4, Informative)

      by OmnipotentEntity (702752) on Thursday September 14, 2006 @09:50PM (#16110598) Homepage
      It could be that the process isn't actually a process, but a dll loaded into a process.

      You'll need to get Process Explorer as explained in the above posts. Then when you find the nasty, you'll want to kill the process housing it, and then type regsvr32 /u thenameofthe.dll into a cmd window. Then you'll want to move or remove the file.
    • Get Spyberus (Score:4, Informative)

      by Alien54 (180860) on Thursday September 14, 2006 @10:33PM (#16110736) Journal
      Available at robotgenius.net

      Spyberus is free of charge. Check out the tutorial [robotgenius.net]

      There is probably a dll that is tied into explorer or something to repopulate when you clean.

      Also, use Spybot Search and Destroy in safe mode with all of the updates, but use all of the immunize functions first. It can spot some zombie processes that "look" normal, but which sure as heck aren't, and then kill them.

      Do a maximum amount of cleaning in safe mode.

      Check out Spywarewarrior.com [spywarewarrior.com] for a comprehensive list of bogus cleaners that are really infectors. For an example, see this illustration [jahewi.nl].

      I make a decent living doing nothing but cleaning things like this up. I can't give you a ten page How-to, but the links will put you on the right trail.
  • Same here. (Score:2, Informative)

    by Cybert4 (994278) *
    Same thing! Be interesting to see if anyone tracks this down. My solution was to buy a new computer (old one severely needed an upgrade anyway). I looked through my processes and didn't see anything. Tried Windows Live antivirus too. Happens every few minutes here. Try killing your processes or using msconfig to kill startup stuff. There are several sites that list known Windows processes.

    Nuking windows and/or wiping drives or partitions will of course work as well.
    • Re: (Score:2, Insightful)

      by Simon80 (874052)
      buy a new computer? It really irks me when people cite this as a solution. You most definitely did NOT fix the problem, you are just avoiding it. At the very least, you can install another OS. This isn't a hard process, you just have to download an image, burn it to a CD, boot off the CD, and follow simple instructions.
      • Re:Same here. (Score:5, Insightful)

        by joto (134244) on Thursday September 14, 2006 @07:39PM (#16110081)

        buy a new computer? It really irks me when people cite this as a solution.

        It is a solution!

        Just because it's not the techiest, or generally lowest-cost, or whatever, doesn't disqualify it from being a solution. It solved his problem. Therefore, by definition it is a solution.

        • by iamhassi (659463)
          "It is a solution!"

          not really, it's just avoiding the problem, the problem really hasn't been solved so it's not really a solution, it's more a work-around to achieve an end result. The problem still exists, just not on the computer he's using.

          It's like "hey, my brakes squeal, how do I solve this?" And instead of really solving the squealing brakes by replacing them you just buy a new car. Do the brakes still squeal? Yes, but since you're not driving it anymore you no longer care.
          • Re:Same here. (Score:4, Insightful)

            by joto (134244) on Thursday September 14, 2006 @08:34PM (#16110313)

            It's like "hey, my brakes squeal, how do I solve this?" And instead of really solving the squealing brakes by replacing them you just buy a new car. Do the brakes still squeal? Yes, but since you're not driving it anymore you no longer care.

            Yes. It is like that. But it is still a solution !

            Just because you find it a bit silly to replace a whole computer because of spyware, or replace a whole car because of squeaky brakes, doesn't disqualify it as a solution. No matter how silly you find it, it's still a solution to the problem of the user experiencing spyware on his computer, or squeaky brakes on his car.

            In the case of the computer, as a techie, I would actually recommend this to non-techies. A new Dell costs about the same as you could expect to pay if you would pay someone to fix the problem. In addition you get a new and better computer. If you were to pay someone to fix it, you would still solve the problem, and still part with your money, but you would not have a new and spiffy computer. If you invested the time into learning enough about computers to fix it yourself, by the time you were finished fixing the problem, if you'd been working overtime instead, you could have bought at least 50 Dells.

            As for the car, the same logic applies. If it's an old car, which you know sooner or later will need a major (costly) overhaul, you can just as well ditch it when a problem shows up, such as squeaky brakes. You don't need to fix it yourself, or pay someone to do it, when you are going to need a new car soon enough anyway.

            • by TubeSteak (669689)

              Just because you find it a bit silly to replace a whole computer because of spyware, or replace a whole car because of squeaky brakes, doesn't disqualify it as a solution.

              The more layers of bureaucracy you have to deal with, the more valid that solution becomes.

              Anyone who's dealt with military efficiency (or even standard Gov't bureaucracy) could tell you that throwing away a $2,000 item is cheaper than trying to get it fixed.

              Buying a new computer may not be a valid solution for this particular /. Submitter,

            • by lostboy2 (194153)
              Not that it matters, but I think you're both right, only you're more right. Whether or not buying a new computer is "a solution" depends on how you define the problem.

              If the problem is stated as "fix this computer", then buying a new one is not a solution. If the problem is "eliminate the offending application", then buying a new computer is a solution, although possibly just a temporary one. Since the parent post mentioned the need/desire to upgrade anyway, I'm inclined to go with the latter definition.
            • by gurps_npc (621217)
              Joto, you are making assumptions about what the word Solution, and what the real PROBLEM is.

              Specifically, you are thinking the problem is "the owner is annoyed". If that is the real problem, then putting a bullet in their brain will also solve it. Your answer demonstrates practicality, not intelligence.

              Stop thinking about it as a real life thing annoying you and pretend this is a question on a test given to you by your teacher at a car mechanic school/computer mechanic school.

              We both know you would FAI

            • by mustafap (452510)
              This is just fucking stupid.

              We are all moving into a throw-away society. Attitudes like that are the reason for so much crap being dumped into the oceans.

              Christ, will people wake up.
        • by tambo (310170)
          It is a solution!

          It is a solution that involves no learning on the part of the computer owner. This practically guarantees that the same problem will arise again on the new system. End result: ignorance-driven obsolescence.

          Computers are complex - and are only becoming more so. Burnable optical discs and flash drives are better than floppy disks for many reasons, but they're also harder to use than stupidly simple 5.25"ers. Wireless networking is preferable to wired networking, but configuration can be

        • It depends on how you define the problem. If the problem is "this computer has malware", then buying a new computer is not a solution. If the problem is "the computer I use most of the time has malware", then it is.
          • by 1u3hr (530656)
            It depends on how you define the problem. If the problem is "this computer has malware", then buying a new computer is not a solution. If the problem is "the computer I use most of the time has malware", then it is.

            It's neither of those; if you look at the top of the page, the problem is:

            How can I figure what is causing this window to pop-up all the time?

            And the reason we're discussing it at all is the idea that something interesting or sneaky is going on, and can the Great Minds of Slashdot find out

        • by dargaud (518470)
          It is a solution!
          Well... not necessarily... Get a new computer and start reinstalling all the stuff you were using on the old one... until the prog you got on IRC to do whatever reinstalls the same spyware and you are screwed back to square one.
      • by kabz (770151)
        Lots of people actually do buy a new computer. My in-laws have a stack of perfectly decent but probably jacked-up software-wise PCs, including quite a cool looking Sony Vaio 'Monolith' tower.

        To "people like us" (tm) the software is fixable, and hardware may be fixable.

        To regular Joe User it is just a failing computer, and they have not much more chance of fixing whatever it is, than performing open heart surgery on the Pentium III or whatever powers their piece of junk.
    • Re: (Score:3, Informative)

      by xtracto (837672)
      Just as a comment, I once stupidly got my machine hijacked by crapware (can you believe I actually ran the "crack.exe" file that comes with the astalavista cracks =oS) and had to spend almost 4 hours cleaning my computer.

      I used lots of anti-crapware programs that certainly cleaned a lot of things but my machine kept getting infected.

      After some time, I don't know why, I searched in the "Screen properties" (don't remember the exact name as I am in Linux now), where you right click the desktop and then properti
  • by sporkme (983186) * on Thursday September 14, 2006 @05:37PM (#16109426) Homepage
    Use CamStudio (GPL) [camstudio.org], or some other desktop video recorder. Record your desktop until the event has occurred a few times, then advance to a frame in the video file that contains the dialogue box/application window. Leave the task manager (ctrl-alt-delete) running off to the side. Let the event occur once with the applications tab displayed and once with the processes tab. Make sure you can see the whole process list.

    Check the event viewer (control panel->administration) for erratic messages. Try disabling processes one by one to see if one of them is the cause. What Anti-stuff are you running? Anti-stuff is only as good as the definition database. Furthermore, many malicious processes can hide their existence from the OS, and an application tracking software is almost certainly going to get this info from the OS. Make sure your video drivers are up-to-date. If you suspect that the app communicates over the network, install a software firewall and set it to anal mode.

    Run a benchmarking utility or simultaneously run several resource hungry applications to slow the machine down, and maybe the window will hang around for a while.

    If you can't catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!
    • I agree- but easier than trying to find the screen real-estate to see the entire task list, click on the "CPU" column until "System Idle Process" is at the top- this will essentially sort the list by the most active programs of the second, and then the screen recording software will capture all the currently running processes.
      • by berzerke (319205)

        Unless there is a rootkit, in which case, it will never show anything. I've encountered rootkits on Windows recently, 2 in August alone. I suspect we will be seeing more and more of them.

    • by Lisandro (799651)
      If you can't catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!

      You're being funny, but I had to fix a Windows system at work after years of both working with and using at home Linux desktops, and the experience was horrid. Horrid. I had to use three different spyware programs + Avast antivirus, spent a few hours, and I'm pretty positive they left crud behind.

      I have a Windows partition I use when I'm really forc
    • Re: (Score:2, Interesting)

      by dohzer (867770)
      A camera is actually what I used to catch my BIOS screen the other day when it was flashing up too quick to read, and then resetting. Because the problem was occurring before the OS could load there was no way I could actually use a program to check it.
  • by Zardus (464755) <yans@yancomm.net> on Thursday September 14, 2006 @05:38PM (#16109430) Homepage Journal
    A friend of mine had issues with Kaspersky anti-virus doing this every few minutes. Do you have that installed?
  • Tiny Firewall (Score:5, Informative)

    by Microlith (54737) on Thursday September 14, 2006 @05:39PM (#16109441)
    Tiny Firewall provides a security module that requires the user authorize every unknown application be manually allowed to run.

    While I have yet to see any unknown process start on my machine, none (not even ones started by trusted processes) are allowed to proceed without first being given the OK by me. I'd give it a shot and see if TF 2006 can catch it for you.
    • by joto (134244)
      Somebody actually uses Tiny Firewall? Wow, I tried it once, and after having clicked yes about 2579 times in the last 5 minutes... it didn't get used any more!
      • by Sparr0 (451780)
        Why are you running 2579 different applications? Sounds like poor design on some OTHER developers' parts.
    • Re:Tiny Firewall (Score:4, Informative)

      by netsharc (195805) on Thursday September 14, 2006 @09:21PM (#16110499)
      I second this idea. Although I know it as Kerio Firewall (and it's nowhere to be found at kerio.kom, only at Sunbelt Software, what gives?), here's the download page [sunbelt-software.com].

      I once helped a girl who suffered the same problem. A pop-up comes up every so often. I didn't see anything wrong at first, but then I noticed wscript.exe was running. It was running a VBS script in a loop, and every few random minutes it would launch an Internet Explorer window with an ad, which would just as quickly disappear. I searched the disks for all VBS files, found the suspect file, and searched the registry for any mention of that filename.

      Another way malware might hide is by installing itself as a service.
      • What gives is Kerio sold its firewall to Sunbelt Software (CounterSpy is what they are best known for). Reasons were not disclosed. If I was to guess I'd say they weren't making enough money on it and were worried the improved Vista firewall would cut that back further.
  • Process Explorer (Score:5, Informative)

    by greerga (2924) on Thursday September 14, 2006 @05:40PM (#16109445)
    Process Explorer [sysinternals.com] Options > Difference Highlight Duration
  • by Anonymous Coward on Thursday September 14, 2006 @05:40PM (#16109446)
    It might be a better solution
  • Process Explorer (Score:5, Informative)

    by x2A (858210) on Thursday September 14, 2006 @05:40PM (#16109449)
    Google for it. It shows recently terminated processes in red (or whatever) for a few seconds after it's terminated (all configurable)

  • by baadger (764884) on Thursday September 14, 2006 @05:43PM (#16109472)
    Assumptions:
    1. For a dialog to be coming up it has to be initiated by a process.
    2. Mystery process most likely isn't part of Windows

    Action:
    1. Disable all startup programs with msconfig
    2. Reboot
    3. If the problem is gone, re-enable startup processes one at a time. If the problem is back/still there, go to step 5
    4. Goto step 2
    5. Visit Slashdot. Scroll past this comment and proceed to next proposed solution, one which, hopefully, won't waste your time like this one just did.
    • Re: (Score:3, Funny)

      by x2A (858210)
      You lie! If this was really slashdot, 6. would be "profit!!!"

    • Re: (Score:3, Insightful)

      by dasunt (249686)
      A binary search would be better. Split the search space (the set of startup programs) in half. Enable or disable one half. If the problem appears, adjust your search space to that half. If the problem does not appear, adjust your search space to the other half. Repeat.
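The bisection dasunt describes, applied to baadger's msconfig procedure, as an added example (not code from either poster). The `reproduces` oracle stands in for the manual step of enabling exactly that subset in msconfig, rebooting and watching for the pop-up; the startup entry names are constructed, and the two sanity reboots at the start are an addition so that a symptom not caused by any startup entry is reported as such instead of being blamed on an innocent one.

```python
"""Bisect the msconfig startup list to find the entry behind the pop-up."""
from typing import Callable, Iterable, List, Optional, Tuple

# The oracle replaces the human step: enable exactly `enabled` in msconfig,
# reboot, and report whether the pop-up came back.
Oracle = Callable[[Iterable[str]], bool]


def find_culprit(entries: List[str], reproduces: Oracle) -> Tuple[Optional[str], int]:
    """Return (culprit, reboots).

    culprit is the single startup entry whose presence reproduces the symptom,
    or None when it cannot be pinned on one startup entry: either it appears
    with everything disabled (so it is not a startup item at all) or it never
    appears even with everything enabled (so this method cannot reproduce it).
    reboots counts how many times the oracle had to be consulted.
    """
    reboots = 0

    def test(enabled: List[str]) -> bool:
        nonlocal reboots
        reboots += 1
        return reproduces(enabled)

    # Two sanity reboots first; without them a symptom unrelated to the
    # startup list would still "converge" on some innocent entry.
    if test([]) or not test(list(entries)):
        return None, reboots

    candidates = list(entries)
    while len(candidates) > 1:
        half = candidates[: len(candidates) // 2]
        # Only `half` enabled: if the symptom appears the culprit is in it,
        # otherwise it is in the other half.  This assumes a single culprit;
        # two entries that only misbehave together would defeat the search.
        candidates = half if test(half) else candidates[len(half):]
    return candidates[0], reboots


# Constructed startup list and oracle for a stand-alone run; in real use the
# oracle is a person at the keyboard (or a scripted reboot-and-observe loop).
SAMPLE_STARTUP = ["itunes_helper", "msgr", "hp_updater", "qt_task", "ctf_mon", "sound_tray"]


def sample_oracle(enabled: Iterable[str]) -> bool:
    return "hp_updater" in set(enabled)


if __name__ == "__main__":
    print(find_culprit(SAMPLE_STARTUP, sample_oracle))  # ('hp_updater', 5)
```

With six entries the search needs three bisection reboots on top of the two sanity reboots, against up to six for the one-at-a-time method.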
  • Maybe the process continues to run, it's merely popping up some kind of window from time-to-time. I'd look through task manager for any processes that don't seem right. Google for the process names if you find anything suspicious.

    Or maybe it's just Messenger showing you when someone's logged on :P
  • by justanyone (308934) on Thursday September 14, 2006 @05:46PM (#16109489) Homepage Journal

    If nothing obvious is running as a process, this might be popping up from a scheduled task.

    Occasionally we ran these at my old job and it would pop up a window in front of whatever you were doing, very briefly. The task was a batch file that kicked off something else.
  • HP? (Score:2, Informative)

    by Anonymous Coward
    If you have an HP printer/scanner it might be their updater program.
  • Sysinternals.com (Score:3, Informative)

    by szyzyg (7313) on Thursday September 14, 2006 @05:47PM (#16109495)
    Look on sysinternals.com - the best bet would be Filemon - then you can track which files are being opened.
    • Mark Russinovich (sysinternals.com) has a whole bunch of darned useful tools for watching access to TCP/IP, the registry, filesystem, processes etc. I mainly use TCP/IP View, but the others have come in handy. Highly recommended!
  • Process Explorer (Score:2, Interesting)

    by rizzle (848961)
    Download Process Explorer [sysinternals.com]. It's like task manager on steroids. One of the things you can do is put "delays" on the list of running processes when the list changes, like with the addition/removal of a process/window.

    Go to Options > Difference Highlight Duration, and set it like 15 seconds or whatever. New processes will show up in bright green for 15 secs, and killed processes will show up as red for 15 secs.


  • your adblocker (or something like it) is probably closing a popup window as soon as it appears.

  • Do you use TweakUI? (Score:5, Informative)

    by WalterGR (106787) on Thursday September 14, 2006 @05:58PM (#16109559) Homepage

    Your exact scenario happened to me a few weeks ago.

    Do you use the TweakUI program that comes with Powertoys for Windows XP? If so, do you have X-Mouse turned on? Check Mouse -> X-Mouse and see if "Activation follows mouse (X-Mouse)" is turned on.

    Some poorly written Windows apps will pop up dialogs that then disappear if they lose mouse focus. If you have X-Mouse turned on, they will pop up a dialog - and if your mouse is anywhere else on the screen, they'll think they've lost focus and close the dialog.

    All I had to do was disable X-Mouse until the app popped the dialog again, then I could deal with it. Unfortunately I don't remember what the poorly written program happened to be...

  • HP Software? (Score:2, Informative)

    by Clazzy (958719)
    We have an HP PSC 2355 printer and we installed the software that came with it. Anyhow, every half an hour or so, a program would randomly appear in the taskbar and disappear very quickly afterwards, usually minimising any full-screen applications. In the end, we had to disable it in msconfig. I honestly can't remember what the entry was in msconfig, but I could find it somewhere if it's actually the problem. Of course, it probably begins with "hp" anyway.
    • The most interesting thing in this thread is that more than 10% of the posts are about badly written HP printer software.

      That is one seriously messed up company.
    • by lukas84 (912874)
      Never, ever buy consumer printers / scanners / etc. They're all complete and utter crap.

      I had to configure one of these for my mother, and they're unusable.

      The semiprofessional equipment they offer is, however, rather good.

      We've got a new HP LaserJet color 4700 DTN, just a few weeks ago. That's a semiprofessional 30 ppm color laser printer with 3 500-sheet feeders.

      Works like a charm. The printer driver is a normal windows driver, no software, no nothing. Just install the 2 mbyte printer driver, and everyth
  • Spy++ (Score:5, Insightful)

    by storem (117912) on Thursday September 14, 2006 @06:06PM (#16109603) Homepage
    Spy++ (comes with Visual Studio and probably other packages) should be able to list the window, even after it disappears and trace it to the owning process. Used it many times to find information about "rogue" dialogs.
    • Re: (Score:2, Informative)

      by enharmonix (988983)
      Somebody please mod parent up! It needs to be +5 Informative.

      First thing I thought of was the Borland version (Winsight), and this is exactly how you figure this kind of nonsense out. These apps actually enumerate all current window handles and will give you owning pids, parent/child windows, message queues, etc. If you don't already have a Borland IDE license, Borland now offers free (beer) and trial versions of their products, just dl a windows version and it ought to come with this tool.

      If not, I also
  • What.... (Score:3, Funny)

    by Yusaku Godai (546058) <hyugaNO@SPAMguardian-hyuga.net> on Thursday September 14, 2006 @06:08PM (#16109615) Homepage
    Since when did Slashdot become Experts Exchange?
  • Process Lasso (Score:2, Informative)

    by nomax (165497) *
    Try Process Lasso, it has a process log feature. Very handy.

    http://www.bitsum.com/ [bitsum.com]

    --nomax
    • by grcumb (781340)
      Try Process Lasso

      I have to get out of here. I just read 'Try Princess Lasso', and I started thinking, 'What, like Wonder Woman? Hey, now there's my kind of diagnostic!'

  • But...

    Get "HijackThis" which will give you a list of all the stuff starting in a log file.

    From there, you can start to figure out what each one is. It takes HOURS, but you'll know a lot when you are done.

    Also, get "Tlist.exe" and "kill.exe" from the Windows SDK or PowerTools.

    Then compose a batch file to use the command line switches in TList to fire periodically. Eventually the two apps will be running at the same time. (Pipe all the results to a text file you can look at.)

    Or, call a pro who can dig
    • by jafiwam (310805)
      (Ok, bad form to reply to myself.)

      Also, learn to use "netstat" as well. Pop up windows with ads might reveal themselves by the TCP/IP connections they make.
  • by HiredMan (5546) on Thursday September 14, 2006 @06:34PM (#16109749) Journal
    You might be looking at it and not see it.

    Went to a security demo and watched the security guys run a Metasploit process that actually injected the remote .dll into a currently running .dll on the target machine while showing process viewer.
    So while sys_msg.exe or whatever minimal process changed in the process viewer slightly the name remained the same and there was no way to tell that the process was suddenly pwned from a remote host and was (presumably) doing horrible and unwanted things to your computer. All from a dropdown menu, point and click interface too.

    I went back to my office and hugged my Mac, tell you what.

    =tkk
    • Macs aren't safe (Score:3, Informative)

      by Myria (562655)
      Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.

      Same applies to Linux's ptrace().

      Melissa
      • Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.

        Yeah, but this is software availability we're talking about. Via metasploit you can do such a thing from a drop-down menu without writing a line of code. I've seen no such, easily available, malware development tools for the Mac. That isn't to say someone could not create one, just that right now that is not the situation.

        • by jrockway (229604) *
          Metasploit has Mac exploits. And if they don't anymore, they're certainly easy to write.

          This is why I hug my OpenBSD machine. It may be my family's only line of defense!
  • I've noticed that some web sites will pop-up a browser window and hide it. For what reason, I have no idea. Poor coding practice?

    On the Mac side, you can make it appear by using Expose. It's just a tiny, blank browser window with no control bar or buttons or anything, shuffled conveniently off the screen. Until Expose makes it my bitch.

    On the Windows side, I'm sure there's got to be ways of popping IE windows, and making them not appear in the task bar. I just haven't seen it on the Windows side, becaus
  • What OS? (Score:5, Informative)

    by teridon (139550) on Thursday September 14, 2006 @08:05PM (#16110196) Homepage
    You fail to state what OS you are running.

    If you are running Windows XP Professional (I think Windows 2000 Pro also has it), you can simply turn on process tracking in Group Policy. Every process that starts will now be logged in the security log. View it with the Event Viewer (Start.. Run.. type "eventvwr.msc")

    Instructions for how to enable process tracking [ask-leo.com] (for exactly the same problem!)

    I don't think the same can be done for Windows XP Home... but I've been wrong before ;-)
  • If it is a window - use APISpy to track windows API calls - look for a call to CreateWindow() and track where it is coming from.
  • by herrlich_98 (267669) on Thursday September 14, 2006 @08:19PM (#16110255)
    I hate to just chime in with my own two cents and wild guess but I've had the same experience and tracked it down to iTunes opening a song from Shared Music. It's a small wide rectangular window saying "Opening URL..." or something. I have seen it up for longer when there are network problems. You can reproduce it by clicking on Next Song several times quickly, just as quickly as it can load songs.
  • Slo-Mo (Score:5, Funny)

    by Mignon (34109) <satan@programmer.net> on Thursday September 14, 2006 @08:21PM (#16110272)
    Press the "turbo" switch and run your PC at 8mhz instead of 12. The window will stay on screen longer, giving you enough time to see what it says.
    • Press the "turbo" switch and run your PC at 8mhz instead of 12. The window will stay on screen longer, giving you enough time to see what it says.

      I vote that this should be the comment of the week.

      • by clintp (5169)
        Maybe not so far off the mark: try running a session connected to the machine via VNC or Terminal Services. Especially over dialup or otherwise constricted network. The slow redraw might give you time to figure out what it is.
        • if it shows up at all....and talk about an indirect solution, you might as well just screencap your entire desktop then...
    • by dave562 (969951)
      Also useful for quickly passing those pesky "auto-pilot" animation sequences in Wing Commander. Just make sure to take turbo off before you have to fight those pesky Ferrangi.
  • what about figuring what's causing my laptop hard drive to go constantly? the memory settings look ok...
    • by Alien54 (180860)
      what about figuring what's causing my laptop hard drive to go constantly? the memory settings look ok...

      In general, this is caused by too many processes running for the amount of RAM you have. Things like AOL have all kinds of secondary processes. A typical lean system will be running 25 to 35 processes. Some systems ship now running 70 plus processes out of the box. Also, some people run things like Norton Internet Security, or the McAfee Security Center all in paranoid mode. These can also slow a
  • by Money for Nothin' (754763) on Thursday September 14, 2006 @08:48PM (#16110378)
    Write a script (VBS, Perl, whatever) to monitor your process list. Have it poll the process list every quarter of a second or something, and keep a running list of processes that are found. On the first iteration, write the list to one file. On succeeding iterations, compare the list of the i-th iteration to the list of known processes -- if a new process appears that wasn't in a previous iteration, spit it out to another file...
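The polling script described above, written out as an added example (not the poster's code). It takes snapshots with `tasklist /FO CSV /NH` (present on XP Professional and later; XP Home lacks tasklist.exe), keys the comparison on PID plus image name so a re-spawned copy of an already-listed name is still reported, and the stand-alone demo at the bottom runs on constructed tasklist output instead of the live machine.

```python
"""Poll the process list and record every process that appears or exits."""
import csv
import io
import subprocess
import time
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

Snapshot = Dict[int, str]  # pid -> image name


def parse_tasklist_csv(text: str) -> Snapshot:
    """Parse `tasklist /FO CSV /NH` output ("Image Name","PID",... per line)."""
    procs: Snapshot = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue  # blank line or a non-process line such as "INFO: ..."
        procs[int(row[1])] = row[0]
    return procs


def live_snapshot() -> Snapshot:
    """Real snapshot via tasklist.exe (Windows only)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def diff_snapshots(before: Snapshot, after: Snapshot
                   ) -> Tuple[Set[Tuple[int, str]], Set[Tuple[int, str]]]:
    """Return (started, exited) as sets of (pid, image)."""
    b, a = set(before.items()), set(after.items())
    return a - b, b - a


def monitor(take_snapshot: Callable[[], Snapshot] = live_snapshot,
            interval: float = 0.25,
            max_polls: Optional[int] = None,
            logfile: Optional[str] = "process-changes.log") -> List[str]:
    """Poll until max_polls is reached (forever if None); return the events.

    Limits: a process that lives less than `interval` can start and exit
    between two polls and be missed entirely, and anything a rootkit hides
    from the OS never reaches tasklist at all.  Security-log process auditing
    (the Group Policy option mentioned elsewhere in this thread) has neither gap.
    """
    events: List[str] = []
    known = take_snapshot()
    polls = 0
    while max_polls is None or polls < max_polls:
        time.sleep(interval)
        current = take_snapshot()
        started, exited = diff_snapshots(known, current)
        stamp = datetime.now().strftime("%H:%M:%S.%f")[:-3]
        for pid, image in sorted(started):
            events.append(f"{stamp} START pid={pid} {image}")
        for pid, image in sorted(exited):
            events.append(f"{stamp} EXIT  pid={pid} {image}")
        known = current
        polls += 1
    if logfile and events:
        with open(logfile, "a", encoding="utf-8") as fh:
            fh.write("\n".join(events) + "\n")
    return events


# Constructed tasklist output for the offline demo (not captured from a real box).
SAMPLE_BEFORE = '''"System Idle Process","0","Console","0","28 K"
"explorer.exe","1234","Console","0","18,432 K"
"svchost.exe","820","Console","0","4,100 K"
'''
SAMPLE_AFTER = SAMPLE_BEFORE + '"wscript.exe","2044","Console","0","3,212 K"\n'


if __name__ == "__main__":
    # Replay three fake snapshots: wscript.exe appears, then goes away again.
    replay = iter([parse_tasklist_csv(s) for s in (SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_BEFORE)])
    for line in monitor(take_snapshot=lambda: next(replay), interval=0,
                        max_polls=2, logfile=None):
        print(line)  # one START and one EXIT line for pid 2044 wscript.exe
    # On a Windows machine, monitor() with no arguments polls the live process list.
```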
  • Root-Kit? (Score:5, Interesting)

    by UltimApe (991552) on Thursday September 14, 2006 @11:39PM (#16111024)
    Why hasn't anyone mentioned root-kits?

    My gf's computer had a root-kit on it. I go to a tech school, and nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong. It kept doing pop-ups, like it had some type of ad-ware, but it didn't appear to have anything abnormal running. It didn't matter if it was IE or Firefox, the ad would pop up on pretty regular intervals. Every possible thing was checked, from using standard tools like spy-bot-s&d, any number of free and bought virus scanners... Some people (including me) even pored over the registry by hand to find out if anything was running. Absolutely nothing.

    It turned out to be a ROOT-KIT (2 actually, they hid each other. One user-mode, and one kernel-mode). The rogue programs actually were able to make windows "not see" the file. On boot, windows would see it just enough to turn it on, but after it was running it prevented anything from actually finding it, injecting code between the hard-disk access and low-level windows stuff. not windows-explorer, not regedit, not task-manager, not even 3rd party apps like win-task, or even defraggers.

    http://www.sysinternals.com/Utilities/RootkitRevealer.html [sysinternals.com] - RootkitRevealer 1.7 by Sysinternals showed a directory in "C:/windows", and one in "C:/program files", that if you went to look normally, didn't show up. I quickly booted up Knoppix and verified that there was some crap in there, but a search on the Internet showed nothing. Booted windows into safe mode, and since safemode doesn't run things other than windows crap, I was able to delete the two folders, and even a registry entry that showed up about it.

    If you can't find anything, maybe its because it won't let you find it!
    • by dargaud (518470)
      nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong
      Why is it that people waste time looking? A rootkit can manipulate the user interface of the OS any which way it wants. Pull the disk out, put it as a slave into another (clean or Linux) machine, and scan from there. It's the simplest and fastest way to solve this kind of issue.
  • There are some very effective free tools from Sysinternal.com :
    1. Process Explorer - it's showing not only the list of processes, but also their paths on the disk http://www.sysinternals.com/Utilities/ProcessExplorer.html [sysinternals.com]
    2. Autorun : showing all processes and services launched automatically on start, and allowing to disable them. Very useful for temporarily disabling DRM crap like cdac11ba.exe, temporarily disabling google web accelerator on start etc. http://www.sysinternals.com/Utilities/Autoruns.html [sysinternals.com]
    3. R
  • I don't know how long it stays up, but if it's more than a half-second, you may want to just hit the print screen key as fast as you can. It will save a bitmap copy of the screen to the clipboard, which you can then analyze at your leisure.
