Examining a system for malware or spyware - my preferred programmes
There's been a discussion going on in a list I am subscribed to about HijackThis, and whether it should or shouldn't be used for malware diagnosis. The discussion brought to mind a concern of mine that well known, traditional procedures used to fight spyware are not progressing with the times. New products are released, yet we continue to use old favorites even when they are getting a little long in the tooth and are no longer as effective as they once were.
AdAware is one programme that comes to mind. Its days of glory are well and truly over, although I admit that I have not tried the very latest version that is, I think, not yet released to the public. Spybot Search and Destroy is another old favorite that has perhaps seen better days.
Malware has progressed and matured. Rootkits have become more common. The way that malware gets into a system, how and where it hides and how it loads has changed. It has become more subtle, more intricate and more sophisticated.
Personally, I rarely use HJT any more. My preferred analytical tools at the moment are AutoRuns for Windows v8.60 (from the guys behind Sysinternals) and TrendMicro's System Information Collector Tool, both of which work well with Vista.
AutoRuns provides a very comprehensive analysis of a system's state, as you can see from the screenshot at the end of this article. TrendMicro's System Information Collector Tool creates a very beefy log file that is also very comprehensive and detailed, and includes information about network status and current connections. Not only does it list active processes with their PIDs, it also provides information about the associated DLLs, a full process tree and comprehensive file version information including SHA-1 and MD5 hashes (useful for spotting malware files masquerading as legitimate files).
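As an added illustration (not part of the original post, and not code from TrendMicro's tool or Sysinternals), here is how the per-file MD5 and SHA-1 values in such a log can be compared against a baseline of known-good hashes to flag a file that carries a legitimate name but not legitimate contents. The file names, paths and contents below are constructed, and the baseline is computed from those constructed contents rather than from real Windows binaries; `hash_file` is included for use on real files and is not exercised by the constructed data.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed "known-good" file contents (hypothetical, not real Windows binaries).
# In practice the baseline would come from a clean install or a vendor hash set.
KNOWN_GOOD = {
    "svchost.exe": b"constructed known-good svchost contents",
    "explorer.exe": b"constructed known-good explorer contents",
}


def digests(data: bytes) -> Dict[str, str]:
    """Return the MD5 and SHA-1 hex digests of a byte string, the two hashes
    a per-file log entry reports."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Hash a real on-disk file in 1 MiB chunks (large binaries should not be
    read into memory whole)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


# Baseline keyed by lower-case file name, built from the constructed contents.
BASELINE = {name: digests(data) for name, data in KNOWN_GOOD.items()}


def classify(observed: Dict[str, Dict[str, str]],
             baseline: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """observed maps a full path as it appears in the log to its reported digests.

    Verdicts:
      match    - both digests equal the baseline entry for that file name
      MISMATCH - the name has a baseline entry but the digests differ: a file
                 masquerading under a legitimate name, or a modified copy
      unknown  - no baseline entry for that file name (needs manual review)
    """
    results = []
    for path, seen in observed.items():
        # Log paths are Windows-style; normalise so basename works on any host.
        name = os.path.basename(path.replace("\\", "/")).lower()
        expected = baseline.get(name)
        if expected is None:
            verdict = "unknown"
        elif seen["md5"] == expected["md5"] and seen["sha1"] == expected["sha1"]:
            verdict = "match"
        else:
            verdict = "MISMATCH"
        results.append((path, verdict))
    return results


# Constructed log entries: a genuine svchost.exe, a look-alike dropped elsewhere
# with different contents, and a third-party binary we have no baseline for.
OBSERVED = {
    r"C:\Windows\System32\svchost.exe": digests(KNOWN_GOOD["svchost.exe"]),
    r"C:\Users\Public\svchost.exe": digests(b"constructed dropper contents"),
    r"C:\Program Files\Example\example.exe": digests(b"constructed third-party contents"),
}


def report(observed: Dict[str, Dict[str, str]] = OBSERVED) -> Dict[str, str]:
    """Run the comparison and return {path: verdict}."""
    return dict(classify(observed, BASELINE))


if __name__ == "__main__":
    for path, verdict in report().items():
        print(f"{verdict:9} {path}")
```

Matching on both digests rather than one means a collision against a single algorithm is not enough to slip a file through, and the "unknown" verdict keeps the check honest: a file the baseline does not cover is neither cleared nor condemned by this step alone.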
System Information Collector Tool can be downloaded here:
AutoRuns can be downloaded here:
Both programs require a good understanding of Windows, and the output of System Information Collector Tool is so detailed that the information is of most use to high-level professionals.
One problem with HijackThis under Windows Vista (and sometimes under XP) is aberrant "file missing" entries about files that are actually there. If a user deletes such an entry because a file is noted as "missing", he or she can do serious damage to a system. Also, HijackThis will throw an error if it is not run with Administrator privileges in Vista (that is, if we do not right-click the HJT executable and choose the option to Run as Administrator), unlike AutoRuns and System Information Collector Tool. We need to get out of the habit of running software with administrator privileges, and need to push software vendors to make their products more security friendly.
In addition to the above snapshot and analytic tools, I also use products such as GMER (which includes a rootkit scanner) and dedicated rootkit scanners.
My long-standing advice for home users faced with having to clean up malware (with a section at the end for advanced users) can be found at the URL below. Yes, I know, it mentions HijackThis. I'm planning to update the article to address the problems I am seeing with Vista, so that it reflects my current thinking about malware removal, and to mention the new products that I have discussed above:
This is a screenshot of the very detailed AutoRuns results window taken on my Windows Vista system with Windows Glass (Aero) enabled.