It could happen to you. Your corporate PCs could be infested with spyware or adware. The key is to know where to look and what to record as spyware digs through your hard disk, memory and Windows registry. I recently dug into several machines on my primary network to look for spyware or adware infestation. I recommend going through the following process regularly in order to detect spyware on corporate PCs, using one of many available...
commercial and freeware tools:
- Before using a commercial or freeware tool, do as much cleanup as possible. Run antivirus and antispyware scans and clean up any unruly items that might be discovered. There are several tutorials on the Web on this subject. Note that experts strongly recommend that you use and run more than one anti-adware/antispyware scan and clean up thoroughly before proceeding any further.
- Create a checkpoint or a backup of your system. If you are running Windows XP, it's a good idea to create a System Restore point (Start, Help and Support, Undo changes to your system with System Restore, then click the Create a restore point radio button) at a minimum. A more paranoid approach (and the only one available to those running other Windows operating systems) is to create a full system backup, including system state information (you can always use NTBackup.exe if nothing else is available; it's included with all modern versions of Windows). That way, if anything goes awry through the remaining steps, you can always return your system to its former state.
- Shut down all nonessential applications. Some antispyware programs pick up traces from all processes running on your PC, including your Windows Registry. Exiting all applications before running the antispyware program saves time.
- Run your antispyware program. For the purpose of this tip, I used Hijack This. Find the directory where you unpacked the Zip file for the program, then double-click on the file named HijackThis.exe. The opening screen includes a button labeled "Do a system scan and save a logfile." By default, the log file goes to your My Documents folder; I find it helpful to add the date and time to the filename so that hijackthis.log becomes hijackthis-yymmdd:hh.mm.log. (The hh.mm are hours and minutes on a 24-hour clock.) Since you'll typically run Hijack This twice on any given day (once to get started, then again to see what's left following cleanup), the time stamp is a good idea -- plus, you'll have records for later if you help interpreting the log files.
- Look at the scan results in the Hijack This results window. This is the same information that's written to the log file, but you'll find a check box to the left of each entry. If you check any box, you can then click the Fix Checked button and have Hijack This remove all traces of its existence. There's a lot of cryptic-looking text in there. You can scan through it quickly and decide not to take any action at this time. The real problem is recognizing what's potentially bad, what's needed, and what doesn't matter. Analysis tools come in handy here. Don't close the Hijack This results window, because you may return to it again in a later step.
- Run your log through a Hijack This log analysis program. You can use either the Help2Go Detective or the Hijack This Analysis tool. After numerous encounters with both, I preferred the Help2Go Detective, but both are worth a try. You'll find specific information and recommendations about nearly every entry in the Hijack This log, including suggestions as to what should stay, what can go (but is benign), what is suspicious (which may have to go, but will require further research on your part) and what must go (because it's malign). At this point you can check all the boxes for items that are known to be malign or associated with known spyware or adware.
- Check suspicious items (includes optional activity). Sometimes you can look at the Registry Key name or the associated file and folder information and see that even though the analysis program (and obviously, Hijack This) doesn't recognize the item, it's part of a program you've installed deliberately and use at your discretion. Such items can usually be left alone. If neither you nor any of these programs recognize the item, the safest choice is to back it up and then remove it. (If you take this step, however, the only way to get things back is to restore a backup or return to an earlier Restore Point.) If you want to actually understand what you're seeing, take the extra step of searching by name on the item in Google or another search engine. In 99% of cases, I was able to approve or disapprove what was found in two minutes or less. Only a few items -- most notably, DLLs, required more than a quick check by name to identify and rule on.
- Click the checkbox on bad and unrecognizable suspicious items, then push the "Fix checked" button inside the Hijack This results window. You can also highlight individual items by clicking on them in the scrollable results window, then request additional information about them by clicking the "Info on selected item…." It's better to do this now rather than during the previous step, because the analysis tools are quicker and more user-friendly.
- Reboot your system and see how things work. This is where you'll determine if you need to roll back to your Restore Point or restore your backup, which you'll do if things don't work properly, applications quit working or get flaky, or things don't seem quite right. If Windows won't boot completely, hold the F8 key down during initial boot-up, boot into the Safe Boot menu, then click the Last Known Good Configuration selection. This will boot OK, after which you should roll back to the Restore Point or restore the backup you took in Step 2. If you take this option, you can skip step 10 because no changes will remain.
- Run a final Hijack This scan: Repeat step 4 but remember to change the time stamp on your log file. You can scan the results to make sure removed items cleaned up fine, or you can just save this as a snapshot of your PC's condition, post clean-up (it may make an interesting point of comparison the next time you walk through this exercise).
I recommend making this spyware detection process a part of regular system maintenance, which may be performed as frequently as once or twice a month, and no less than once every three months.
Ed Tittel is a full-time freelance writer, trainer and consultant who specializes in matters related to information security, markup languages and networking technologies. He's a regular contributor to numerous TechTarget websites and technology editor for Certification Magazine, and he writes an email newsletter for CramSession called "Must Know News."
USER FEEDBACK TO THIS TIP
- I suggest you clean out all your Temporary Internet Files before running any spyware programs. Using msconfig.exe can also help aid people in stopping processes that look "suspicious." Julie Rowe
Do you have comments on this tip? Let us know.