SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Sat Aug 11, 2007 11:22 pm. Post subject: Spyware DLL ?
RE: Hiding a process in Task Manager
I tried out a DLL posted here and to my surprise it works.
Code:
    PID := DllCall("GetCurrentProcessId")                ; PID of this script's own process
    DllCall("HideProcess.DLL\HideNtProcess", UInt, PID)  ; ask the DLL to hide that PID
    MsgBox, 64, %A_ScriptName%, PID:%PID%                ; show the PID so it can be looked up
    ExitApp
When compiled and run, the above process does not show in Task Manager. However, it is listed by the CLI TaskList.exe. A Google search reveals nothing good, and AVG Free Edition 7.5 detects nothing bad in the DLL. I have been longing for such a facility.
Can anybody throw some light on what this DLL could be, and whether it is safe?
Regards.
n-l-i-d (Guest)
Posted: Sun Aug 12, 2007 12:16 am
I wouldn't use it.
Google reveals (if it's the same file) hideprocess.dll is a process belonging to the Ace Spy advertising program by Retina-X Studios.
But it might be easy to detect: SmOke_N's posting in the same thread
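Added example, not code from this thread or from the DLL under discussion: an AutoHotkey script that lists running processes three different ways and reports any PID one view has and another lacks, the same discrepancy approach that Rootkit Revealer and similar anti-rootkit tools rely on. It assumes AutoHotkey v1.1 (for objects) and Windows Vista or later (for PROCESS_QUERY_LIMITED_INFORMATION); the function name CrossViewCheck is mine.

```autohotkey
#NoEnv
SetBatchLines, -1
MsgBox, 64, Cross-view check, % CrossViewCheck()
CrossViewCheck() {
    ; View 1: Toolhelp32 snapshot, the listing Task Manager-style tools usually rely on.
    toolhelp := {}
    hSnap := DllCall("CreateToolhelp32Snapshot", "UInt", 0x2, "UInt", 0, "Ptr")  ; TH32CS_SNAPPROCESS
    if (hSnap = -1)
        return "CreateToolhelp32Snapshot failed, error " A_LastError
    peSize := (A_PtrSize = 8) ? 568 : 556                       ; sizeof(PROCESSENTRY32W)
    VarSetCapacity(pe, peSize, 0), NumPut(peSize, pe, 0, "UInt")
    ok := DllCall("Process32FirstW", "Ptr", hSnap, "Ptr", &pe)
    while (ok) {
        pid := NumGet(pe, 8, "UInt")                                         ; th32ProcessID
        toolhelp[pid] := StrGet(&pe + (A_PtrSize = 8 ? 44 : 36), "UTF-16")  ; szExeFile
        ok := DllCall("Process32NextW", "Ptr", hSnap, "Ptr", &pe)
    }
    DllCall("CloseHandle", "Ptr", hSnap)
    ; View 2: PSAPI EnumProcesses. A different export, but it runs inside this same script,
    ; so a hook injected here would fool views 1 and 2 alike; view 3 takes another path.
    psapi := {}, cb := 4096 * 4
    VarSetCapacity(buf, cb, 0)
    DllCall("psapi\EnumProcesses", "Ptr", &buf, "UInt", cb, "UInt*", needed)
    Loop % needed // 4
        psapi[NumGet(buf, (A_Index - 1) * 4, "UInt")] := true
    ; View 3: probe every possible PID with OpenProcess. An existing PID we may not open fails
    ; with ERROR_ACCESS_DENIED (5); a free PID fails with ERROR_INVALID_PARAMETER (87).
    probed := {}
    Loop % 65536 // 4
    {
        pid := A_Index * 4                                ; PIDs are always multiples of 4
        h := DllCall("OpenProcess", "UInt", 0x1000, "Int", 0, "UInt", pid, "Ptr")  ; PROCESS_QUERY_LIMITED_INFORMATION
        if (h)
            probed[pid] := true, DllCall("CloseHandle", "Ptr", h)
        else if (A_LastError = 5)
            probed[pid] := true
    }
    ; Anything one view has and another lacks deserves a second look. Processes that start or
    ; exit between the views cause one-off differences, so rerun before drawing conclusions.
    report := ""
    for pid, exe in toolhelp
        if (!psapi.HasKey(pid))
            report .= "PID " pid " (" exe ") in Toolhelp but not EnumProcesses`n"
    for pid in psapi
        if (!toolhelp.HasKey(pid))
            report .= "PID " pid " in EnumProcesses but not Toolhelp`n"
    for pid in probed
        if (!toolhelp.HasKey(pid) && !psapi.HasKey(pid))
            report .= "PID " pid " answers OpenProcess but is missing from both listings`n"
    return report ? report : "No discrepancies found."
}
```

Run it as a fresh, uncompiled script rather than from inside the process being tested, since a hider that only hooks the viewer it is injected into is exactly what the comparison is meant to expose.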
SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Sun Aug 12, 2007 12:35 am
True! I guessed the code would be in these lines: Hack Windows Task Manager
and was wondering if I could avoid all the trouble for a meagre 42K.
Whereas, this could be a real solution: Planet-Source-Code
Sean (Joined: 12 Feb 2007, Posts: 1247)
Posted: Sun Aug 12, 2007 3:02 pm
I guess you already tested it against Process Explorer.
Then, have you tested it against Rootkit Revealer?
If it's detected by Rootkit Revealer, I'd say it used a technology out of date or not sophisticated enough.
PS. Oops. Rootkit Revealer doesn't have a facility to detect running processes.
However, there are various anti-rootkit tools around.
A good starting place may be:
http://forum.sysinternals.com/forum_topics.asp?FID=18
SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Sun Aug 12, 2007 3:57 pm
Sean, please. What does this reveal?
corrupt (Joined: 29 Dec 2004, Posts: 2381)
Posted: Sun Aug 12, 2007 4:05 pm
Skan wrote:
> What does this reveal?
It seems to reveal that you ran a scan, Skan.
SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Sun Aug 12, 2007 4:15 pm
Er... I meant: Scan complete: 5 discrepancies found.
tonne (Joined: 06 Jun 2006, Posts: 1143, Location: Denmark)
Posted: Sun Aug 12, 2007 4:17 pm
This accounts for two:
http://forum.sysinternals.com/forum_posts.asp?TID=1731&PN=2
_________________
there's a dog barking close within the range of my ear
sounds like he wants to escape the chain
he would probably bite me to death if he could
but the chain lets me spit in his face
- Kashmir
SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Sun Aug 12, 2007 6:09 pm
What should I do? Delete those keys?
SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Sun Aug 12, 2007 6:34 pm
No! I should not.
Thanks, friend.
majkinetor ! (Guest)
Posted: Sun Aug 12, 2007 8:01 pm
ROFLMAO
Sean (Joined: 12 Feb 2007, Posts: 1247)
Posted: Mon Aug 13, 2007 12:06 am
Skan wrote:
> What does this reveal?
Looks like there is nothing to worry about among them.
The first two keys are officially mentioned in the Rootkit Revealer Log section, and appeared in my system too.
Although I've never seen something similar to the last three myself, they are unlikely to be an activity of a rootkit, IMO.
To be 100% sure about them, please visit the forum mentioned and search there with "Error mounting volume".
BTW, what used to be on E:, F:, G:?
SKAN (Joined: 26 Dec 2005, Posts: 5574)
Posted: Mon Aug 13, 2007 12:15 am
Code:
    C:\ Windows 98SE
    D:\ Windows 2000 Pro
    E:\ Windows XP ( Default OS )
    F:\ Data
    G:\ Data
Sean (Joined: 12 Feb 2007, Posts: 1247)
Posted: Mon Aug 13, 2007 1:44 am
Skan wrote:
> C:\ Windows 98SE
> D:\ Windows 2000 Pro
> E:\ Windows XP ( Default OS )
> F:\ Data
> G:\ Data
Where did you perform the scan from? Looks like from D:\?
Could you still access E: F: G: from there?
Seems that you'd better consult it in the Rootkit Revealer forum.
corrupt (Joined: 29 Dec 2004, Posts: 2381)
Posted: Mon Aug 13, 2007 5:26 am
Sean wrote:
> Where did you perform the scan from? Looks like from D:\?
I may have missed a detail somewhere but, out of curiosity, why would you guess D:\ when the screenshot posted looks like it's from XP?