Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
The single best collection of Windows utils
Sysinternals Freeware is a slick collection of utility software for Windows, from tools I use regularly like FileMon, TcpView and Process Explorer to more trivial tools like BGInfo, capable of nothing more than stamping a configurable block of system info onto the desktop wallpaper on boot.
-
Re:Adding a few more...
I second Microsoft Power Toys and add some more:
* AutoIt for simple automation tasks and creating small programs with graphical user interfaces
* Firefox, of course. Opera is also a good choice.
* Daemon Tools for mounting ISOs as virtual CD/DVD drives
* Trillian--AIM, ICQ, IRC, MSN, and Yahoo messenger client
* QuickTime Alternative
* RealPlayer Alternative
* IrfanView--small, free, fast image viewer
* SysInternals utilities--useful for admins
* Scanner--shows hard drive usage as stacked pie graph of files/folders
* 7-zip: similar to WinZip or WinRAR or StuffIt
* Foxit [PDF] Reader--a lite alternative to Adobe
Following ones aren't free but are very useful Windows-only programs:
* FinePrint--n up printing, universal print preview, etc.
* MaxiVisa--use a networked computer like a secondary display
* TextPad, though I opt for the open-source and FREE SciTE -
Re:PINE + PortaPuTTY + Thumb Drive
It's certainly not trivial to bypass if you set it up right. Assuming the user isn't a member of the local Administrators group (which they would not be on a public machine) and you use the whitelist functionality of software restrictions to allow only executables/DLLs with a certain signature or hash to run (filename and path rules aren't strong enough). See here.
-
Simply not true
You do need to know your system, but...
Three things, first.
a) Monitor your RAM use.
b) Monitor your CPU use.
c) Monitor your bandwidth use.
If I get weird spikes in any/all of the above, my first step is usually to either run task manager or this if it's something which task manager can't detect. If there's something running which I don't recognise (and yes, I *do* know my system that well, and so should you), my next step is to run msconfig and check the startup section there. 99% of bugs will show up there as having some kind of startup entry, and from there it's a simple process of deleting the bug executable and its registry entries. One other thing which people might not know about, though, is to also scan the prefetch directory (c:\windows\prefetch), as backup copies of bugs generally land in there as well.
If, and only if, that process does not work, (and again, in 99.5% of cases it will) I then head onto the Web and look for answers.
Generally speaking, if the above process doesn't work, what you're looking for is an alien dll which is being injected into a system executable. (Usually svchost.exe because of how opaque that generally is anywayz.) I'm not good enough to be able to do manual stack traces, but what I can do is watch the CPU usage meter in procexp.exe (mentioned above), and the process shown as using the large amount of CPU time/ram will be the one the dll is hiding in. From there, the only thing you really need from the web is the specific name of the dll that's being injected, and once you've got that, you're clean.
The other big thing is, don't use Internet Explorer. Yes, I have it installed, but I generally only use it as a backup for very limited periods if I'm wanting to look at a single page that Firefox isn't rendering correctly. (Doesn't happen all the time, but more often than you'd think.)
XP is surprisingly easy to keep clean, IMHO. The main reason being that, despite what people claim, there really only are a few different ways in which a bug can operate on the system. They all need startup access, (and there are only really two ways that they can get that, one being a standard location in the registry) and they're all going to leave a RAM/CPU footprint.
So I don't buy what people say about XP being indefensible. You have to be proactive, and you have to know your box on an intuitive level...but it's completely doable. -
Re:Kernel hooks?
Hooking is a pretty common way of doing certain things. You can even use them to fight malware.
Take these guys, a startup in Oakland. They made an anti-spyware program that keeps track of every file creation on the system. This is a really good way to verify that yes, these eight programs were, in fact, installed by Kazaa or that these 15 were smushed on there by Dot Com Toolbar. It also puts them in a position to kill processes easily so that locked files can be deleted, or kill all non-essential processes instantly. A lot of the sysinternals tools use hooking as well.
Fortunately, it appears that in Vista Microsoft is disabling hooking entirely for all unsigned drivers (which is the real culprit, if you ask me). In many ways using techniques like this to fight malware is fighting fire with fire, but at least people are starting to think outside of the "pattern recognition file search" box. And yeah, it is possible to do this without becoming bloatware like Symantec.
-
Re:Kernel hooks?
I just did a cursory search and found this:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
The sysinternals guys seem to know Windows better than MS. Cool people to know if you are forced to use MS operating systems. -
Use RootkitRevealer from SysInternals.com.
SysInternals' free program RootkitRevealer is the best way I know to reveal the presence of rootkits.
In general, any program SysInternals provides is the best in its field, I've found.
Try the just updated (March 7, 2006) version of Autoruns to find nasty stuff running under Windows.
--
Before, Saddam got Iraq oil profits & paid part to kill Iraqis. Now a few Americans share Iraq oil profits, & U.S. citizens pay to kill Iraqis. Improvement? -
Re:i'm a unix sysadmin, here's my top ten list
You complained just because I mentioned rdesktop?
Most small company sysadmins need to at least occasionally deal with Windows. I prefer to do so without leaving my desk. I also ensure cygwin and sshd are on Windows boxes, so that I don't always need rdesktop or vnc.
...My windows list would look something like
- uptime.exe
- cygwin with sshd, exim, and cron installed as services
- PuTTYcyg, which is PuTTY with the ability to run bash shells locally (i.e. xterm)
- SysInternals Junction, directory symlinks in NTFS
- StartupCPL, monitor everything that starts up when Windows does
- 7-zip
- WinSCP
- KNOPPIX for when shit hits the fan
- Debian for when it won't come off the fan
- One antivirus (any, I prefer PC-Cillin) and two anti-spyware agents (any two with different engines)
-
Re:Spyware Scanners Don't Work
AFAIK, a program like TCPView will show all incoming and outgoing connections to your windows box.
I pop it up from time to time just to make sure nothing odd is going on.
It's also handy because it allows you to close the connection any malicious program is making. Very very useful when the program is stealthed & won't show up in the task manager. -
regmon and filemon are your friend
Use regmon and filemon from http://sysinternals.com/. Export the log to CSV and use a spreadsheet to sort the far column and check out any ACCESS DENIED errors.
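The spreadsheet step above done as a script, as an added example that is not part of the original comment: it reads a CSV export, keeps the rows whose Result is ACCESS DENIED and counts them per process and path. The column names follow Process Monitor's default export (an assumption; the older Filemon names "Process" and "Request" are accepted too), and the rows in SAMPLE_CSV are constructed, not a real capture.

```python
"""Triage a Process Monitor / Filemon CSV export for ACCESS DENIED results.

Added example: column names follow Process Monitor's default CSV export
(an assumption; Filemon used "Process" and "Request" instead, which the
lookup below also accepts). The rows in SAMPLE_CSV are constructed.
"""
import csv
import io
import sys
from collections import Counter

# Constructed sample export: ordinary events mixed with a few ACCESS DENIED hits.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","svchost.exe","884","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:02.2345678 AM","updater.exe","2040","CreateFile","C:\Program Files\Vendor\Timer.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.3456789 AM","updater.exe","2040","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4567890 AM","updater.exe","2040","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","ACCESS DENIED","Type: REG_SZ"
"10:01:03.0000000 AM","explorer.exe","1500","CreateFile","C:\Users\dad\Desktop","SUCCESS","Desired Access: Read"
"10:01:03.1000000 AM","updater.exe","2040","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
'''


def _col(row, *names):
    """Return the first of NAMES present in ROW (Procmon and Filemon name columns differently)."""
    for name in names:
        if name in row:
            return row[name]
    raise KeyError(f"none of {names} in export columns {list(row)}")


def events_with_result(csv_text, results=("ACCESS DENIED",)):
    """Yield (process, operation, path) for every row whose Result is one of RESULTS."""
    wanted = {r.upper() for r in results}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if _col(row, "Result").strip().upper() in wanted:
            yield (_col(row, "Process Name", "Process"),
                   _col(row, "Operation", "Request"),
                   _col(row, "Path"))


def summarize(csv_text, results=("ACCESS DENIED",)):
    """Count matching rows per (process, path), noisiest first: the
    'sort the Result column and read the denials' step done by script."""
    counts = Counter((proc, path) for proc, _op, path in events_with_result(csv_text, results))
    return counts.most_common()


if __name__ == "__main__":
    # Pass the exported .csv as the first argument; without one the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for (proc, path), n in summarize(text):
        print(f"{n:4d}  {proc:<20} {path}")
```

Passing `results=("NAME NOT FOUND",)` instead lists the files a process keeps asking for that do not exist, which is the other common thing this kind of log turns up.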
-
L(W)AMP is all you need
All of these are open source, built on LAMP, and run great on Windows.
HW & SW inventory: Winventory (http://winventory.sourceforge.net/).
Trouble ticketing: Eventum (http://eventum.mysql.org/wiki/index.php/Main_Page). The Anonymous Reporting Form is a time saver.
Cacti (http://www.cacti.net/). Graphs all parameters on your servers and routers.
Documentation: TikiWiki (http://tikiwiki.org/tiki-index.php). It has articles, FAQs and LDAP integration.
FreeMind (http://freemind.sourceforge.net/wiki/index.php/Main_Page). Mind maps are a FANTASTIC tool for documentation and you can publish them easily on a web server (get 0.8.1 beta3).
These are free, and get the job done.
SysInternals's tools (http://www.sysinternals.com/). Process Explorer and TCPView are the most useful, and there are many other great utils.
KiXtart (http://www.kixtart.org/). The best language for login scripts, and just about all your scripting needs on Windows.
Network Notepad (http://www.networknotepad.com/). Draw your network diagrams here, and then publish them on your web server. -
Re:Consistency
Actually, at the kernel level, almost everything that is a file in UNIX is also a file in Windows NT. Disk files, sockets, serial ports, pipes, raw devices and busses, the display (see \Device\Video0), serial and parallel ports, USB devices, network disk files, the null device, etc. Look in the \Device directory with WinObj or WinObjEx. All of the Device objects dispense File objects to represent connections.
There are some things that aren't files, like process information and configuration information (registry key values). One thing that Windows does more consistently than UNIX is to have a single namespace for all named objects, instead of having different ones for files, events, mutexes, etc.
At higher levels, I'd have to agree that Microsoft's consistency drops off considerably. -
Re:GoBack and Ghost
Thanks for the info. I have not tried GoBack, but do have some experience with Norton Ghost. After my Dad's PC got infested with malware, and we finally got it cleaned up, I picked up a copy of ghost and an extra hard drive and periodically backed up his entire disk.
But this solution is not ideal. I'm cautious about installing new software on my PC, but once in a great while, I find something is broken and it could have happened weeks/months ago. Everything seemed to be okay (at the time), but then I discover that it is not. For example, I can no longer write to my CD drive. The last time I tried, successfully, was 2 months ago, and then had a period where I did not try to write anything to CD. (I've got a spare 300GB USB Maxtor Onetouch drive on which I do my backups).
So, now, I need to be able to backtrack:
- Find out which one of the umpteen applications I've installed since then caused the problem.
- Back out just that one application.
If I were to roll back my entire system to where it was 2 months ago (say using a Ghost image), I'd still have a boat load of applications to re-install, program defaults to establish, and the like.
In my original post, Rolling back - what do YOU do?, I suggested it would be helpful if there were a log, in human-readable form, which listed all things that are Created, Read, Updated, or Deleted. With that, in concert with SysInternals Filemon, Regmon, and Process Monitor, I could find out what's going wrong NOW, and identify which application bollixed things up. Then, using Windows' Add/Remove programs, I should be able to yank just THAT application.
Does anyone have a file logging tool like this for windows? If so, what has your real-world experience been with it? After this McAfee fiasco, I'm not interested in marketing fluff and instead want info from "down in the trenches!"
So, again I ask: how do you backtrack?
-
StarForce installs a driver, like Sony
The StarForce protection system apparently installs a virtual device driver that takes over the CD-ROM. That's similar to what Sony was doing.
To find the intrusive Starforce device, look in Windows Device Manager, select Show Hidden Devices, and look for Starforce in the Non-Plug and Play tree.
Now that's something an application program should not be doing.
There's a StarForce removal tool, but it's from the Starforce people, and probably should not be trusted.
Starforce is threatening to sue Cory Doctorow for calling their product "malware". That would be amusing if they went through with it.
-
Comments on your Dell problems article
My first Dell issue happened within hours of turning it on. Some application, that I have yet to isolate, insists on trying to load (twice a day) a non-existent file called "Timer.txt".
Windows is no Linux, even with a sizeable collection of free utilities, but you can at least make it palatable.
Use filemon to find the offending process.
My second Dell issue concerns the USB ports. 5 USB 2 ports on the back and 2 on the front, and I normally use most of them -- (1) USB hub for wireless keyboard, (2) USB mouse, (3) USB wireless LAN, (4) USB 3-speakers system, (5) external USB DVD+RW drive (as Dell wanted too much for the internal one, so I went for internal DVD-ROM), and (6) USB hard drive.
You may be simply drawing too much power. Try purchasing an inexpensive *powered* USB hub. Plug that into the computer and plug some of the devices into it (as a bonus, this provides a rather more conveniently locatable thing to plug things into).
The problem is that hard drive failure is so serious an issue that operating systems will understandably make it priority number one and other programs/operations will suffer performance problems or worse (or even worse).
It's not the priority, but the fact that things like the pagefile being on the hard drive and executable code being on the hard drive causes some operations (like memory accesses or simply trying to execute a chunk of code) to take incredibly long.
Computers normally do a good job of faking "multi tasking" but NMI (non-maskable interrupts) rain on that parade.
I could be wrong, but I don't think that a media read error will produce an NMI. -
Re:Why Vista will suck...
: As opposed to authorized programs, like the Sony backdoor, which used Microsoft-supplied methods to create the program to hide from the users
it's a tad worse than that: microsoft appears to directly support malware by certifying them safe under its designed for microsoft logo program.
for example: sunncomm's mediamax rootkit software carries microsoft's designed for microsoft windows xp logo, which states:
* the product will be stable when running windows xp.
* the related software or driver components can be installed or removed easily.
* the basic experience with the product and the operating system will be the same or better after upgrading to future versions of windows.
each claim is pointedly debunked by reading mark russinovich in sony, rootkits and digital rights management gone too far (october 31, 2005).
even if you do trust microsoft, i would suggest caution in trusting software carrying a microsoft certified logo.
- p -
Re:Sorry to be Negative....
Ah, but those are DEVICE names, that correspond to actual devices - not mount points... Windows has device names too in the kernel's namespace, take a look at WinObj.
Old DOS treated drive letters like mount points. That is easily visible if you use the subst command. Of course, Windows does have mount points (created by using mountvol) - but Windows doesn't make it easy to use them. e.g. try moving the profile (Documents and Settings) directory to another volume.
Last time I tried to do that, I had to install Windows, make C:\Home a mount point, and then reinstall Windows with an unattended response file that specified C:\Home as the user profile directory. Not fun.
Windows (NT) has its advantages like compatibility, a better (more flexible and more complicated) security system, the pluggable kernel subsystems,
... But drive letters aren't one of them. On the command line, I now always use cd/d so drive differences don't matter if I use cd. -
We've had two new ones in the past year
At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.
Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample; you would do well to try them all if you have non-sensitive information in an infected file. -
Re:Windows 2000 professional the best Windows ever
Do you have anything other than Microsoft's own FUD to back this up? We all know how reliable their Linux benchmarks are and what an incentive they have to get us to "upgrade."
I do; however, shouldn't you rethink this a bit? It is their OS, and their kernel technologies, who do you think would know them better than MS? Why would MS even put time into 'changing' what was in Win2K if it wasn't to improve it?
Secondly, the facts Microsoft present, like "Larger Device Drivers and System Space" are facts that any geek can check to see works in XP and will fail in Win2k as there is limited space.
As for the non-Microsoft FUD, the first link I posted was from a MS site, however the article was written by Mark Russinovich and David Solomon, and Mark is of SysInternals, a company that has been both assistive and quick to point out truths of flaws in NT over the years. You can find their site at:
http://www.sysinternals.com/
So unless they were just being paid to say what MS wanted them to say and risk their credibility with items that could easily be proven wrong if they were wrong, then ya, all I have is MS FUD.
If you don't believe the links I posted, go freaking test it yourself, try to break XP and prove to the world that MS has been lying about XP for 5 years and no one else but you were smart enough to find it. Prove that the Registry Limits are the same as Win2k, pick anything.
There are also a lot of other system changes that are only casually mentioned or skipped in these articles. For example, did you know that in WindowsXP if an application makes a very bad call, instead of just shutting down the offending application as Win2k would do to protect the OS, XP will try to figure out what the application was trying to do, and fix the call and pass back the correct information, address, etc in real-time, so the application doesn't fail and the user never even notices. All for compatibility to correct mistakes of 3rd party programmers that were idiots to keep the 'software' running as expected. That is enough of change in the OS between Win2k and XP to warrant the upgrade alone, let alone the performance, stability, and other improvements.
Does anyone here even think anymore, or does the Microsoft name invoke a knee-jerk reaction and bring out the 'idealistic anti-MS ignorance'? -
Re:Requirements won't be an issue
Why can't I enable networking and disable the filesharing by stopping the service that makes the SMB ports listen?
Actually, you can. The listen service is called "server" and the client is called "workstation" (you might also need "computer browser" and "tcp/ip netbios helper" and "print spooler").
Stop telling me "access denied" when I'm the fracking system admin. I really hate that. Processes can't be killed, services can't be stopped, files can't be deleted, etc because "Access denied". Kill the damn process if I tell you to.
You can mark unkillable services as "disabled", that way at least they won't come up after a reboot. I find sysinternals' tools to be very helpful in killing processes and handles.
Still sucks, but at least you have a workaround (sometimes) -
The Tao of Geek
By their very nature geeks (true geeks) will shovel every bell and whistle into a device they can get away with because that is what they do.
That's only the yang of geek.
There are plenty of geeks out there refining their yin. -
Spyware scaremongering == business model
Mark Russinovich of sysinternals has an interesting experiment here.
-
Re:oh noes
-
Re:Sony MDR-V6
The Sony DRM rootkit. I should have just said rootkit, but I forgot what it was called because I'm not really following the story because I'm not on Windows.
-
Re:Don't you love how every time these people...
No - my point of view is that there was no proof in the original article on BoingBoing. They made statements as facts without anything upon which to base these statements.
Contrast this with the amount of work and detail Mark Russinovich put into the rootkit and I think you will see that one site is merely making wild accusations, and the other has a well documented computer problem which should be taken seriously. Now maybe there are in fact problems with the StarForce software, but there is nothing other than unproven statements on BoingBoing.
So my point of view is merely unbiased: Until BoingBoing posts something in the way of proof, it's open season for the lawyers.
-
Crown Jewels!
The company has long maintained that the source code to Windows and other products are its crown jewels, and that making the code public could cause serious harm by stripping it of trade-secret status, and allowing competitors to duplicate the functionality of Microsoft software.
Come on - anybody can code up a BSOD if they really want to.
Should Mark from sysinternals be worried? -
Re:If you want to have technobabble, get it right!
Who spotted the reference to Mark Russinovich's blog on the Sony rootkit?
It's never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory.
-
dir /od /a-d |edit
I've used many tools before but I always seem to go back to using the good old dos prompt even on xp. Every day I remove malware from clients' systems and find a lot get past ad-aware/spy-bot/anti-virus, so I have to remove many by hand.
If you have something hiding in the windows\system32 folder, the "dir /od /a-d" command shows the last added/changed files. Then if you're unsure about a small file, I use "edit" to open the file and look for clues in it. If it has UPX or FSG in the header I delete the file; other clues are strings that refer to websites I don't like or encryption that hides string tables.
But if I can't delete the file I'll reboot using BartPE and then delete the files. In BartPE you can use regedit to mount a registry hive, then edit the registry offline.
But remember some malware have deadman switches, so if you remove it your system won't boot. i.e. NewDotNet puts itself in the LSP (Winsock stack), so if you delete the files winsock stops working :(
The tools I would not leave home without are:
http://www.sysinternals.com/Utilities/Autoruns.html
http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.nu2.nu/pebuilder (bartPE)
then
hijackthis, ad-aware (www.lavasoft.de), spybot, avg (grisoft.com)
and not to forget those builtin tools:
msconfig, cmd, regedit, "sfc /scannow", edit, "shutdown -a".
happy hunting [sVen] -
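The "dir /od /a-d, then look for UPX or FSG in the header" check from the post above, as an added example that is not the poster's tool: it lists the most recently modified files in a folder and walks each file's PE section table, flagging names used by those packers. PE/COFF header offsets are from the format specification; the sample executables are constructed in memory, not real binaries, and a hit means "look closer", since legitimate software ships UPX-packed too.

```python
"""Flag recently modified files whose PE section names point to a packer (UPX, FSG).

Added example. The PE/COFF offsets used below come from the format spec; the
section-name prefixes are the two packers the comment mentions. build_pe()
creates header-only test images, not runnable executables.
"""
import os
import struct
import tempfile

PACKER_MARKERS = (b"UPX", b"FSG")   # section-name prefixes used by the packers named above


def pe_section_names(data):
    """Return the section names of a PE image, or None if DATA is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # offset of the "PE\0\0" signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]       # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                                          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break                                                     # truncated read: keep what we have
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_packed(data):
    """True if any section name starts with a known packer marker (a leading '.' is ignored)."""
    names = pe_section_names(data)
    if not names:
        return False
    return any(n.lstrip(b".").upper().startswith(m) for n in names for m in PACKER_MARKERS)


def recent_files(directory, newest=20):
    """Regular files in DIRECTORY, most recently modified first (dir /od /a-d, read bottom-up)."""
    paths = (os.path.join(directory, f) for f in os.listdir(directory))
    files = [p for p in paths if os.path.isfile(p)]
    return sorted(files, key=os.path.getmtime, reverse=True)[:newest]


def scan(directory, newest=20):
    """Names of the NEWEST recent files whose headers look packed."""
    hits = []
    for path in recent_files(directory, newest):
        with open(path, "rb") as fh:
            head = fh.read(4096)          # headers plus section table fit in the first 4 KiB
        if looks_packed(head):
            hits.append(os.path.basename(path))
    return hits


def build_pe(section_names):
    """Construct a header-only PE32 image with SECTION_NAMES (constructed test data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 224                                    # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + table


def demo():
    """Write constructed samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "notes.txt": b"just a text file, not a PE",
            "clean.exe": build_pe([b".text", b".rdata", b".data"]),
            "packed.exe": build_pe([b"UPX0", b"UPX1", b".rsrc"]),
        }
        for name, blob in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(blob)
        return scan(d)


if __name__ == "__main__":
    # On a real box: print(scan(r"C:\Windows\System32")) and review the hits by hand.
    print("packed-looking files:", demo())
```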
More than one solution to the problem
There are different requirements for enterprise use than for personal use. I will try to help out a bit for those in the corporate world. For example, SpyBot and Ad-Aware are only free for personal use. Because of this, IT shops are not supposed to use this without buying a license. So what should an underfunded IT department use?
Anti-Virus: Yeah, it's usually not great for catching spyware, but the latest versions of all vendors should at least slow down some of it. In our organization, we have several different versions of Norton Anti-Virus, from 7.x to 10.0. So if one PC has lots of problems with spyware, putting version 10.0 on there helps fight it automatically.
Microsoft Anti-Spyware: This is a pretty good tool for unmanaged environments. It is better than Ad-Aware or SpyBot, from my experience. I am not sure of the licensing, however, since we don't use it here.
Autoruns and Process Explorer: These are fantastic products that you can use at work for free, as long as you always download it from www.sysinternals.com when you put them on a PC. Autoruns will give way too much information about what starts up and what has hooks into the OS. To the average user, this can be overwhelming and even dangerous, so make sure you know what you're doing when you remove something. Process Explorer is a great tool for seeing what is running. It is miles better than Task Manager that ships with Windows. It shows you what hooks into what processes and will even allow you to pause a running application!
StartupList and HijackThis: These two programs will help you figure out what kind of nasty stuff you might have running. I am not aware of the licensing issues with these, as I usually use Autoruns instead.
APT, APM, and TaskMan+: These three tools are process explorer type utilities. However, with APT and APM, you can unload a certain DLL file. This is very useful if you have a dll that you can't delete and that keeps regenerating all of the other junk you just removed. Simply unload the DLL from anything it is hooked into and then you can delete everything. TaskMan+ lets you kill almost any process, including services. Best of all, these products are licensed without restriction.
I hope these help. Sorry I can't write more but I'm at work fighting off the bad stuff myself ;) -
Re:If these don't work...
The Autoruns tool is also very useful. You can see what programs and drivers are set to load on system startup, and you can temporarily disable them or do a Google search on the item right from the app.
It also shows you the full path to the program. If you are running the NTFS file system you can set that file to have no access for Everybody and the file will not load on startup.
-
just my way...
Of course, if you want to be 100% sure, a format would work. DO NOT RUN A LOW LEVEL FORMAT! I've seen it recommended; it's just wrong... Low-level formatting creates the tracks and sectors on a blank hard drive. The drives you buy today are low-level formatted at the factory. Low-level formatting these hard drives yourself is not recommended.
But not everyone can or wants to go through the trouble of formatting, so what can we do next?
My standard way to get spyware off a box:
Run CrapCleaner; this will remove a lot of useless files. Just make sure you only select the sections you want deleted. Don't use the registry cleaner unless you know what you're doing.
Next up would be running the standard anti-virus programs. I personally use HitmanPro; the site is Dutch but the program is in English. It includes most trusted anti-spyware products, runs them all in a row, automatically removes anything it finds, and makes up an HTML page of what it did.
Still not gone?
- If you know the name of the spyware it might be worth googling it; chances are you'll find a special removal tool.
- In my case I can spot bad programs and spyware as a process with the use of HijackThis and Sysinternals Process Explorer. But be sure to google all the processes you don't trust before deleting them. This way of deleting is not recommended for your average computer user (then again, you post on Slashdot so you're probably fine..)
- Sometimes it's required to boot into safe mode to remove some files.
OK, now that you're cleaned up, you don't want this sort of thing to happen again. There are a few common practices:
- Don't be a YES man: don't just click YES and NEXT on every box that pops up. Also instruct any family members to do the same.
- Run as a normal user instead of administrator.
- Make sure Windows is up to date.
- Some browsers, such as Firefox, make it easier to avoid spyware, though this requires some plugins; recommended are Adblock + gblocklist.
Useful links:
google: http://justfuckinggoogleit.com/ ;)
crapcleaner: http://ccleaner.com/
hitmanPro: http://hitmanpro.nl/
HijackThis: http://www.spywareinfo.com/~merijn/
Process Explorer: http://www.sysinternals.com/Utilities/ProcessExplorer.html
Firefox browser: http://www.mozilla.com/firefox/
adblock: https://addons.mozilla.org/extensions/moreinfo.php?id=10&application=firefox
gblock list for adblock: https://addons.mozilla.org/extensions/moreinfo.php?id=1136&application=firefox
hope it helps... -
Autoruns and process explorer from Sysinternals
Written by Mark Russinovich, the guy who blew the lid on the Sony rootkit debacle (and author of other indispensable free Windows utils like Process Explorer, Filemon, Regmon and many, many others).
His site is http://www.sysinternals.com and Autoruns can be downloaded from here.
Autoruns shows EVERYTHING that is started on your PC at boot & logon etc., including device drivers, services... everything. It can even filter out binaries not signed by Microsoft, to make third party stuff stand out like dog's balls.
Use Process Explorer to find and kill the spyware processes - you may have to google processes to identify them, but that function is built in. Here is a tip - look for anything that doesn't have a company name of "Microsoft".
Some really stubborn spyware has more than one process running, watching each other and restarting each other if you kill them. Use PsKill (command-line process killer) to kill multiple processes at once, so they can't restart.
Once you have cleaned out the running junk, use Autoruns to identify where it started from and kill it.
It's never failed for me, and you learn a whole lot about the internals of Windows in the process. -
Quick and easy...Okay, not really.
Process Explorer and Autoruns from Sysinternals.
PE: identify, investigate, and kill processes you don't know to be safe. Turn on the Image Path column, use the built-in google and strings searches. Worst outcome from over-aggression here is the system crashes. Restart and try again.
Mercilessly delete the directories that hosted the spyware, if you can, or just the apparently related files if you can't delete the directory.
Oops, some of those files were in use. Figure out what's using them (PE's dll/handle search), kill it, then try the deletion again. And again, and again. Why do those files keep coming back? ;-)
* EXPERT LEVEL TRICK: NTFS Permissions. Apply as appropriate and repeat above as needed.
* WEENIE LEVEL TRICK: WinZip anything you're unsure about deleting into an archive with full path info.
Got 'em all? Use Autoruns to clean up the startup triggers.
When I got back into day-to-day admin work a couple years ago, it would take me a couple of hours to work through this, starting with AdAware and Spybot S&D, doing full scans, rebooting when prompted, etc. Now, using just those two utils, I can get a system to be functionally spyware-free in about half an hour. I use AdAware and Spybot only to clean up the non-functional traces, after the utility approach has successfully stopped the live malware.
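The "figure out what's using them" step above, done from PowerShell instead of Process Explorer's DLL search, as an added example that is not the commenter's own code. It assumes only built-in cmdlets; the DLL name passed at the end is a benign demonstration value, and the `suspect.dll` in the comment is hypothetical.

```powershell
# Added example (not from the original post): the PowerShell counterpart of Process
# Explorer's DLL search. It lists processes that currently have a given DLL mapped
# and kills nothing; run elevated to see other users' processes.
function Find-ProcessesLoadingModule {
    param(
        [Parameter(Mandatory)][string]$ModuleName,   # file name only, e.g. 'suspect.dll' (hypothetical)
        [switch]$ShowInaccessible                     # also report processes that refused inspection
    )
    foreach ($proc in Get-Process) {
        try {
            # .Modules enumerates mapped images; it throws for protected or already-exited
            # processes and for 32/64-bit mismatches, so a failure here is information, not a bug.
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
            foreach ($m in $hits) {
                [pscustomobject]@{
                    Id       = $proc.Id
                    Name     = $proc.ProcessName
                    Image    = $proc.Path
                    ModuleAt = $m.FileName   # where the DLL was loaded from; compare with the expected location
                }
            }
        } catch {
            if ($ShowInaccessible) {
                [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Image = ''
                                   ModuleAt = "inaccessible: $($_.Exception.Message)" }
            }
        }
    }
}

# Demonstration on a DLL most interactive sessions map; substitute the name you are chasing.
Find-ProcessesLoadingModule -ModuleName 'comctl32.dll' | Sort-Object Name | Format-Table -AutoSize
```

A DLL mapped from an unexpected directory, or mapped into a process that has no business loading it, is the lead to follow before deleting anything.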
-
Sysinternals Tools
http://www.sysinternals.com/Utilities/Autoruns.html and http://www.sysinternals.com/Utilities/ProcessExplorer.html are the greatest tools to fight adware/spyware/viruses/worms. Scans that may or may not find it cannot be trusted. -
Re:If these don't work...
I second the Sysinternals recommendation. Specifically, Sysinternals Process Explorer is a wonderful tool. Generally I browse through all running processes with it, kill anything suspicious, then run Ad-Aware. It also lets you kill programs that have themselves re-executed seconds later as drivers and "vital Windows services". Some adware loads itself into memory (which Windows will then refuse to delete); kill it with PE, then delete. Problem solved.
-
Some tools to add to your belt
Ad-Aware and Spybot Search & Destroy are your best place to start, but I understand your frustration. Probably three out of the last four times I've dealt with a spyware-infested machine they didn't completely do the trick on their own.
Install and run Ad-Aware and Spybot S&D, making sure you update the programs and select to perform deep scans (within archives, etc.) in the custom scan options. This will probably catch most of the easiest and most common exploits. Reboot.
Go through your Add/Remove Programs menu and try removing any programs you can identify as spyware. If the programs didn't come with an uninstaller, I would have to officially recommend you do not go through any of their steps to download one and run it. I have tried this in the past with mixed results. Some of these programs truly were just severely annoying adware that actually removed themselves at the end of this lengthy process, but some were truly malicious and simply installed MORE spyware after running the uninstaller. I recommend you don't risk this.
Open up the Task Manager and go through each and every process, researching them if need be. I use groups.google.au to get the older version, which seems to provide more relevant results. Kill any processes that you find are suspicious. Hell, kill any processes you can't identify as normal Windows OS or application processes. I dealt with an instance of spyware once that executed two randomly named processes that protected the spyware from removal. If you killed one process, the other would immediately respawn it.
Go through all of your startup locations:
- C:\WINDOWS\Start Menu\Programs\StartUp
- C:\WINDOWS\All Users\Start Menu\Programs\StartUp
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Start --> Run --> msconfig --> Startup tab
Once again, go through each and every item and delete or disable everything that you can identify as malicious. It's likely that when searching you will run across others who have dealt with the same spyware issues in the past and have had to figure out how to remove them.
Run your Ad-Aware and Spybot S&D scans again. Reboot. Test your machine to see if the spyware is still there. Still have problems?
Download and run HijackThis. Pore through your log once more, or alternatively post it to one of the many forums where professionals are willing to lend you a helping hand. At this point, you may also want to consider downloading and running RootkitRevealer.
Also, try rebooting into safe mode and running your scans. Even though you are in safe mode, you should still monitor and kill processes that are suspicious. Remember, Sony's rootkit came complete with a safe mode driver.
If all of this hasn't worked, then I suggest you back up your data, scan it for viruses, and do a low level format with a utility such as Killdisk. Now that you have to reinstall your OS, perhaps now is the perfect time to make the Linux switch. -
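The startup locations the post walks through, enumerated in one read-only pass, as an added example that is not the commenter's own code. It uses only built-in cmdlets plus the WScript.Shell COM object for following shortcuts, assumes the same Run keys and startup folders the post lists (the RunServices key is a Win9x-era location and is simply skipped where absent), and reports each entry's resolved image, whether that file exists, and its Authenticode signature so unsigned or orphaned entries stand out for the "research each item" step.

```powershell
# Added example (not from the original post): read-only enumeration of the autostart
# locations listed above, with the image path resolved and its Authenticode signature checked.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',   # Win9x-era; skipped if absent
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # <user>\Start Menu\Programs\StartUp
    [Environment]::GetFolderPath('CommonStartup')   # All Users\Start Menu\Programs\StartUp
)

function Resolve-ImagePath {
    # Turn a Run-key launch string ("C:\x y\app.exe" /q  or  C:\x\app.exe /q) into the image path.
    param([string]$LaunchString)
    $s = [Environment]::ExpandEnvironmentVariables($LaunchString.Trim())
    if ($s -match '^"([^"]+)"') { return $Matches[1] }
    if ($s -match '^(.+?\.exe)\b') { return $Matches[1] }   # unquoted path, possibly containing spaces
    return ($s -split '\s+')[0]
}

function Resolve-ShortcutTarget {
    # Startup folders usually hold .lnk files; follow them to the real target.
    param([string]$Path)
    if ([IO.Path]::GetExtension($Path) -ine '.lnk') { return $Path }
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($Path).TargetPath
    if ($target) { return $target } else { return $Path }
}

function Get-AutostartEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not values
    $raw = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $img = Resolve-ImagePath ([string]$p.Value)
            [pscustomobject]@{ Location = $key; Entry = $p.Name; Launch = [string]$p.Value; Image = $img }
        }
    })
    $raw += @(foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $img = Resolve-ShortcutTarget $f.FullName
            [pscustomobject]@{ Location = $folder; Entry = $f.Name; Launch = $f.FullName; Image = $img }
        }
    })
    foreach ($e in $raw) {
        # Empty or unparseable launch strings resolve to '' and are reported as missing.
        $exists = [bool]($e.Image -and (Test-Path -LiteralPath $e.Image -PathType Leaf -ErrorAction SilentlyContinue))
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $e.Image } else { $null }
        $status = if ($sig) { [string]$sig.Status } else { 'n/a' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Location = $e.Location; Entry = $e.Entry; Launch = $e.Launch
            Image = $e.Image; Exists = $exists; Signature = $status; Signer = $signer
        }
    }
}

# Entries whose binary is missing or not validly signed are the ones to look up before touching them.
# Note that a validly signed host (rundll32.exe, a script engine) can still launch something else:
# the Launch column shows the full command line for exactly that reason.
Get-AutostartEntries | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Drop the `Where-Object` filter to see every entry, signed ones included, which is the view to compare against a known-clean machine of the same build.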
Why no check of user code? Sociology.
The sociology of this is more interesting than the programming details, in my opinion. It often happens that one person in the computer industry analyzes an abuse, and another person, who is competing for attention, attacks the first person. Admittedly, Steve Gibson of grc.com has a flawed, exaggerated manner of communicating. But many abuses never are fully recognized because technical people attack each other, rather than analyze carefully how they are being abused.
As others have mentioned in comments I have excerpted below, the U.S. government stated clearly and for the record that it wanted access to all computers. It appears that the government got what it wanted in what I think I can show logically is the only way possible.
Mark Russinovich of SysInternals is an extremely competent programmer. His utilities for Windows are the best available. Even Microsoft recommends using them, to supplement the limited and unfinished and flawed utilities supplied with Windows. However, Mark Russinovich is not a sociologist, so his comments may not take into account the complexities of the social issues.
The main issue seems to be, not that graphics files have the ability to execute code, but why was there inadequate testing in the code to prevent security vulnerabilities?
Here are quotes from Mark's article:
"The actual reason is lost with the original developer of the API, but my guess is that he or she was being as flexible as possible."
And: "... given a choice of believing there was malicious intent or poor design behind this implementation, I'll pick poor design. After all, there are plenty of such examples all throughout the Windows API, especially in the part of the API that has its roots in Windows 3.1. The bottom line is that I'm convinced that this behavior, while intentional, is not a secret backdoor."
Mark's perception of Microsoft's sloppiness seems correct to me. I coded a program for Windows 3.1 using the Windows 3.1 API that dialed to a bulletin board and downloaded stock quotes. I was amazed at the extreme sloppiness and bad design of the Com port API. The actual code that Microsoft shipped had the quality of code that I would expect from an overtired programmer's first draft. A rested programmer would not have been so sloppy, even in his first proof-of-concept code.
Quotes from the comments:
"Thanks for this excellent analysis! Steve Gibson certainly does not deserve to be taken seriously by anyone, but unfortunately he is :-("
This is a reference to the fact that Gibson's language often contains a hysterical, exaggerated quality.
Another comment -- This commenter makes the point that Microsoft had hired a technically knowledgeable top manager, who would certainly demand that programmers check the security of any code that is supplied by a user:
"Q: When was this backdoor coded?
A: About 1992.
Q: How old was VMS at that time?
A: 15 years.
Q: Who directed the development of Windows NT?
A: Dave Cutler.
Q: What's Cutler's background?
A: Directed VMS at DEC.
Q: On whose watch was this security lapse ported into the Windows NT stream?
A: Presumably Cutler's.
While anything's possible, it's hard to imagine how a security lapse of this magnitude (trusting user-written code) could have made its way into VMS code.
"The point is that Stephen Toulouse's "the security landscape in the early 1990's was very different than today" is, well, self-serving. Only in MS's myopic view is this the case."
Another comment:
"Now that I think about it, even Mark has to guess at what some coder was thinking when she wrote this, and maybe she did it intentionally. You'll never know will you? Maybe somebody's been watching all of us for years, and it ends up in some massive NSA database."
An -
Re:FIGHT! FIGHT! FIGHT!
I didn't even know who Steve Gibson was before this post. Russinovich's site (sysinternals.com) is one of the sites you can't stop visiting if you're doing anything with Windows; even NT programmers at Microsoft use it, and Microsoft talks about those programs in several support articles. Just because people have known him since he discovered and analyzed the Sony rootkit doesn't mean he has never had a "reputation" as an expert.
-
Re:This is just fud
Forget about the 'rootkit' part of the Sony software for the minute, I am concentrating on the player software that is installed at the same time. Mark Russinovich found:
I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it's displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.
The only difference between this and iTunes' behaviour is that you can switch off the ministore.
Now I'm not looking to have Apple publicly flogged over this, but they should be upfront about their customers' privacy.
Ideally I'd like to see mandatory full disclosure of the purpose of all network communications in a simple checklist form when you install (like the nutritional information on food products?) Unfortunately it isn't going to happen any time soon :-( -
Re:Screw the poster
I have posted a reply that will do to you here
Why do you think that those sneaky DRM programs never did it to OS X or Linux? It is because Windows gives its users ADMINISTRATOR rights by default.
If, let's pretend, the program was written in Java, and when you inserted the Get Right with the Man CD on your Linux or OS X machine the "YOU MUST INSTALL SONY PLAYER TO PLAY THIS CD ON YOUR COMPUTER... OR DIE" screen appeared, then you may have chosen to do it, or you may have NOT; in that case, the program would attempt to install the nasty rootkit, and baaaazooom, after you clicked "CANCEL" a root password prompt would have appeared in your window... capisce?
Come on, the Sony "rootkit" didn't just happen to any Joe Six... Dr. Mark Freaking Russinovich found it hidden IN HIS COMPUTER. Do not come tell me it was because the user was incompetent... lol -