Re: spyware, malware, popups



Subject: Re: spyware, malware, popups
Name: admin
Date: 10/6/2007 5:16:31 PM (GMT-7)
IP Address: 216.113.195.154
In Reply to: Re: spyware, malware, popups posted by TheZodiac
Message:

Well, if it is fairly random, not triggered by a specific action on your part, it may be that you have a rogue process, or sub-process. Time to do a process audit.

For main processes you can just look in your Task Manager and end processes by trial and error, or look them up at a site like http://www.answersthatwork.com/Tasklist_pages/tasklist.htm.

The main places in the registry to look for auto started processes are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

But the process could also be installed as a service or sub-process. Services always show in the Task Manager, so it is just a matter of recognizing them during a process audit to catch them. The problem is they can be named the same as, or similar to, real processes. On several occasions I've had to resort to searching the hard drive for the process executable name, then looking at the timestamp and version of the matching files. For version info, right-click the file and click Properties. Malware almost never has the Version tab, and would have too recent a timestamp. Keep in mind that some real files may not have the Version tab either.

Sub-processes are the worst. I once had a machine infected this way, that no scanner could detect, and I saw nothing in the Task Manager. I was only able to detect it by running some software that listed the whole process tree, I can't remember the name of the software though.

Once you ID the executable name of the malware you can just do a find in your registry to see where it is being launched, and remove it.

Hope this helps.

Dennis
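The audit Dennis describes above (walk the two Run keys, check each launched file's timestamp and version info, look at the full process tree rather than the flat Task Manager list, then search the registry for the executable name once you have it) can be scripted. The following PowerShell is an added example written for this thread; it is not code from the original post or from any tool it mentions. It assumes Windows PowerShell 5.1 or later, and it adds one check the post does not use, the Authenticode signature status, because a file can carry a copied Version tab but cannot carry a valid signature for a file it did not come from. The 7-day "recent" window and the two registry roots searched by Find-RegistryString are assumptions chosen for illustration.

```powershell
# Added example for the process/autostart audit described in the post above.
# Not part of the original post. Assumes Windows PowerShell 5.1+; run elevated
# so HKLM and all processes are readable. The 7-day window is an assumption.

# The two Run keys named in the post.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /tray     or     C:\Windows\bar.exe -x
function Get-ExePathFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')   { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')  { return $matches[1] }
    return ($Command -split '\s+')[0]
}

# Inspect one file the way the post suggests (timestamp, presence of version
# info) plus the Authenticode signature, which is an addition to the post.
function Test-AutostartFile {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Exists = $false; Company = ''; Version = '';
                                  Modified = $null; Signature = 'n/a'; Suspicious = $true; Reason = 'file missing' }
    }
    $item = Get-Item -LiteralPath $expanded
    $ver  = $item.VersionInfo
    $hasVersion = -not [string]::IsNullOrWhiteSpace($ver.FileVersion) -or
                  -not [string]::IsNullOrWhiteSpace($ver.CompanyName)
    $recent = $item.LastWriteTime -gt (Get-Date).AddDays(-7)       # assumed threshold
    $sig = Get-AuthenticodeSignature -LiteralPath $expanded
    $reasons = @()
    if (-not $hasVersion)        { $reasons += 'no version info' }          # post's heuristic
    if ($recent)                 { $reasons += "written $($item.LastWriteTime)" }
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    [pscustomobject]@{
        Path = $expanded; Exists = $true; Company = $ver.CompanyName; Version = $ver.FileVersion
        Modified = $item.LastWriteTime; Signature = $sig.Status
        Suspicious = ($reasons.Count -gt 0); Reason = ($reasons -join '; ')
    }
}

# Steps 1 and 2: everything the Run keys launch, with the checks above.
function Get-RunKeyAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath members
            $r = Test-AutostartFile (Get-ExePathFromCommand "$($p.Value)")
            $r | Add-Member -NotePropertyName Key   -NotePropertyValue $key    -PassThru |
                 Add-Member -NotePropertyName Value -NotePropertyValue $p.Name -PassThru
        }
    }
}

# Step 3: the process tree (parent -> child), so a process started underneath
# another one is visible instead of buried in a flat list.
function Show-ProcessTree {
    $all      = Get-CimInstance Win32_Process
    $byParent = $all | Group-Object ParentProcessId -AsHashTable -AsString
    $live     = @{}; foreach ($p in $all) { $live[$p.ProcessId] = $true }
    $visited  = @{}                       # guards against cycles from PID reuse
    function Walk($proc, $depth) {
        if ($visited.ContainsKey($proc.ProcessId)) { return }
        $visited[$proc.ProcessId] = $true
        '{0}{1} (PID {2}) {3}' -f ('  ' * $depth), $proc.Name, $proc.ProcessId, $proc.ExecutablePath
        foreach ($c in $byParent["$($proc.ProcessId)"]) { Walk $c ($depth + 1) }
    }
    # Roots: parent already exited (its PID is not live) or parent is itself.
    $roots = $all | Where-Object { -not $live.ContainsKey($_.ParentProcessId) -or $_.ParentProcessId -eq $_.ProcessId }
    foreach ($r in $roots) { Walk $r 0 }
}

# Step 4: once you have a name, find every registry value that launches it.
# The two roots are an assumption; widen them (e.g. to HKLM:\SYSTEM\CurrentControlSet\Services) as needed.
function Find-RegistryString {
    param([Parameter(Mandatory)][string]$Needle,
          [string[]]$Roots = @('HKCU:\Software\Microsoft\Windows\CurrentVersion',
                               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'))
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = "$($key.GetValue($name))"
                if ($data -like "*$Needle*") {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

# Usage:
Get-RunKeyAudit | Format-Table Value, Path, Company, Signature, Suspicious, Reason -AutoSize
Show-ProcessTree
# Find-RegistryString -Needle 'suspect.exe' | Format-Table -AutoSize   # after you have a name
```

Two caveats a practitioner would add to the post's checklist. On 64-bit Windows there is a third Run key, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and services live under HKLM:\SYSTEM\CurrentControlSet\Services rather than under Run, so widen $RunKeys and the Find-RegistryString roots if the first pass turns up nothing. And, as the post itself notes, a missing Version tab is only a hint: treat the Suspicious column as a list of things to look at, not a verdict, and weigh a missing or invalid signature on a file in a system directory far more heavily than a missing version block on a small utility.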

[No follow-ups for this posting]