Thursday, January 3, 2008

Are You Infected With Spyware?

If you notice more than 1 or 2 popups per 5 minutes, you likely have an infection of some type. Slow computer response is also a sign of infection. If you are able to get popups but cannot get onto the Internet normally, that is a sure sign of infection. If you have any of these symptoms, you can rest assured that it is an infection, which is easily cured and prevented by following the instructions in these pages. We will show you how to investigate further to verify that you are infected and to see exactly what kind of trojan or spyware has its evil grasp on you!
Find the Type of Infection


www.google.com is a great way to find details once you find clues about what is infecting your computer system. Use any clues you acquire to learn more about how you were infected, which program it was bundled with and so on. Read more to learn how to get these clues.
Investigate All Open Ports

For Windows XP - click Start, Run, type "cmd" and click OK. A DOS prompt will show up (black screen). At this prompt, type "netstat -ano" to get a list of all open ports. There will be quite a bit of information, but the columns are explained below:

For 98/ME - click Start, Run, type "command" and click OK. A DOS prompt will show up (black screen). At this prompt, type "netstat -an".

For NT/2k - click Start, Run, type "cmd" and click OK. A DOS prompt will show up (black screen). At this prompt, type "netstat -an".

Proto: There are 2 main protocols, TCP and UDP. TCP is a two-way connection, while UDP sends individual packets with no connection and no delivery guarantee.
Local Address: the port on your computer that is actually open. In general you want as few of these open as possible.
Foreign Address: where your local connection is connected to. An address of 127.0.0.1 is your local computer (a loopback), and 0.0.0.0 means nothing is connected.
State: what the port is doing. It will be LISTENING, ESTABLISHED, or in a timeout state such as TIME_WAIT.

Realize that this is an advanced tool, and especially at first, it will not make much sense to the average user. If you see that you have 15 or more connections, though, you likely have some type of trojan. You can investigate the connections further by using the NSLOOKUP tool to determine where you are actually connecting to.

At the DOS prompt type "nslookup 123.123.123.123", replacing 123.123.123.123 with the address listed in the Foreign Address column. If it is from a site that you recognize, such as McAfee, Norton, or Yahoo, then it is probably safe to ignore that item in the list. However, if it is connected to a DSL or cable customer, it is likely a trojan reporting back to its owner. A good firewall will halt all of this activity in its tracks. (Most people do not have a firewall, and that is why they have these infections.)
Investigate the Task List

Windows 98/ME does not truly report all of the running processes, so you may need third-party software to help you identify processes if you have one of these operating systems. Tlist.exe, which comes with the Windows 98 Resource Kit from Microsoft, can help you see running processes; if not, there is likely shareware or freeware available from nonags.com that will help.

If you have XP/2K/NT you can simply press the Ctrl + Alt + Delete keys at the same time to bring up the Task Manager. Click on the "Processes" tab, then click "View", "Select Columns", check "PID", and click "OK". This will show you a list of processes. Some users have as many as 50 or 60 processes running, which of course slows down the computer. You can use Google to look up the names of programs and shut them down one by one.
What the Heck is a PID?

The PID column is useful for matching the list from netstat to the list of programs. Netstat does not tell you which programs are running, only which PID has open ports. The default view of Task Manager does not show PIDs and that is the reason why previously you were instructed to enable this view.
Cannot Get Rid of A Program?

Any program that repeatedly comes back after you "End Process" on it is likely a trojan or some form of malware. Also, programs that have odd names like "afa76j.exe" are likely generated names; you will not find any information in Google on programs like these.
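As an added example that is not part of the original post, here is a small Python script that does the netstat-to-Task-Manager matching described in "What the Heck is a PID?" and applies the odd-name rule from this section, run against a constructed sample of "netstat -ano" output. The process table, the addresses and the generated-name heuristic are assumptions made for illustration.

```python
import re

# Constructed sample of "netstat -ano" output; not a capture from a real machine.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1460
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED     1460
  TCP    192.0.2.10:1052        203.0.113.99:6667      ESTABLISHED     2244
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID -> image name table, as Task Manager shows once the PID column is enabled.
PROCESSES = {4: "System", 900: "svchost.exe", 1460: "iexplore.exe", 2244: "afa76j.exe"}

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Assumed heuristic for machine-generated names such as "afa76j.exe": letters and digits run together.
GENERATED_RE = re.compile(r"^[a-z]+\d+[a-z\d]*\.exe$", re.IGNORECASE)

def parse_netstat(text):
    """Split each netstat -ano row into the columns the post describes; UDP rows have no State."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def triage(rows, processes, max_connections=15):
    """Join netstat rows to process names by PID and return the items worth a closer look."""
    findings = []
    established = [r for r in rows if r["state"] == "ESTABLISHED"]
    if len(established) >= max_connections:
        findings.append("%d established connections; unusually many" % len(established))
    for r in established:
        name = processes.get(r["pid"], "<unknown>")
        host = r["foreign"].rsplit(":", 1)[0]
        if host.startswith("127."):
            continue  # loopback: the machine talking to itself
        if name == "<unknown>" or GENERATED_RE.match(name):
            findings.append("PID %d (%s) -> %s: check with nslookup" % (r["pid"], name, host))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_netstat(NETSTAT_SAMPLE), PROCESSES):
        print(finding)
```

On a real machine you would paste the output of "netstat -ano" into NETSTAT_SAMPLE and fill PROCESSES from the Task Manager list; anything the script flags is then looked up with nslookup and Google as the post describes.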
Common Sense Optimization

On a side note, you can also see how much memory your favorite programs use. Norton, for example, uses up to 46 MB of RAM, while McAfee only uses 13 MB of RAM. This tells me that if you want to run your computer faster, you will need to uninstall the applications that eat up your RAM and install better versions of them.
You Are Infected, Now What?

Now that you know you are infected, it is time to banish these vile creatures back from whence they came! ... Read the next chapter to see how to get rid of them and get control of your computer back!
