Anti-"Bad Stuff"

Home Notes Contact Me

Anti-"Bad Stuff"

Local

Disabling System Restore
Microsoft AntiSpyware
Rootkit Detection
Startup Info

External

Javacool [spyware preventer] http://www.javacoolsoftware.com/spywareblaster.html
Spam Assassin http://wiki.apache.org/spamassassin
Startup Control Panel http://www.mlin.net/StartupCPL.shtml
Stinger http://download.nai.com/products/mcafee-avert/stinger.exe
Various Anti utils Merijn

Rootkit Detection

Check out http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Article about rootkits and detection http://redmondmag.com/columns/article.asp?EditorialsID=1164

Microsoft AntiSpyware

Download it here

Startup Info

Windows XP Professional

Safe?	Item	Path Description
yes	IMJPMIG8.1	"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
yes	IMJPMIG8.1	Has to do with foriegn language support (like japanese)
yes	MSPY2002	C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
yes	MSPY2002	Translation component
yes	PHIME2002ASync	C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
yes	PHIME2002ASync	Translation component
yes	ctfmon.exe	C:\WINDOWS\System32\ctfmon.exe
yes	ctfmon.exe	[Microsoft] Alternate Language User Input Text Processor
yes	devldr32.exe	C:\WINDOWS\System32\devldr32.exe
yes	devldr32.exe	Creative Labs component

Dump of my startups stuff at Work

StartupList report, 6/29/2004, 10:02:25 AM
StartupList version: 1.52
Started from : C:\Install\StartupList\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\scthemes\scthemes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\COMPUW~1\DEVPAR~1\Analysis\NCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\cygwin\usr\sbin\sshd.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\MKS\IntegrityClient\bin\IntegrityClient.exe
C:\Program Files\Microsoft Visual Studio .NET\Common7\IDE\devenv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Visual Studio .NET\Common7\tools\vcspawn.exe
C:\Program Files\Microsoft Visual Studio .NET\Vc7\bin\cl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Install\StartupList\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\jpetritis\Start Menu\Programs\Startup]
Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
ScreenThemes.lnk = C:\Program Files\scthemes\scthemes.exe
Shortcut to taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
POINTER = point32.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
IMEKRMIG6.1 = C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
WinVNC = "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\stsaver.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
Devpartner Analysis Common BHO - C:\Program Files\Compuware\DevPartner Studio\Analysis\NMIEHELP.dll - {CE92F0E4-87AD-11D3-B713-00C04F8F6C86}

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 10\Download.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[CheckNDownload Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\TEInstallPlugIn.ocx
CODEBASE = http://www.terraexplorer.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
OSD = C:\WINDOWS\Downloaded Program Files\TEInstallPlugIn.osd

[ChainCast VMR Client Proxy]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ccpm_0237.dll
CODEBASE = http://www.streamaudio.com/download/ccpm_0237.cab

[OSGAx Control]
InProcServer32 = C:\PROGRA~1\OSGAx\bin\OSGAx.ocx
CODEBASE = http://osgax.vr-c.dk/download/OSGAx.exe

[G-Vista ActiveX]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gvista3.dll
CODEBASE = http://www.dilas.ch/plugin/gvista30/gvista30.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[PjAdoInfo3 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pjquery11.ocx
CODEBASE = http://atlisg01/projectserver/objects/pjclient.cab

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

[DLC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\grTransferCtrl.dll
CODEBASE = http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

[Pj11enuC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Pj11enuC.dll
CODEBASE = http://atlisg01/projectserver/objects/1033/pjcintl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,295 bytes
Report generated in 1.182 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Disabling System Restore

Windows XP

Find the settings at My Computer | Properties | System Restore
Check the box labeled Turn off System Restore you may have to reboot
This prevents system restore from putting a virus back
Or maybe it just allows a virus hidden in the restore folder to be deleted.

Windows ME

Find the settings at My Computer | Properties | Performance | File System | Troubleshooting