- The Birth of Spyware
- How Can I Tell If I Have Spyware?
- How Do I Choose a Spyware Scanner?
- Sites to Avoid
- System Admin Information
- Detecting Spyware Processes In MS Windows-Based Machines
- Detecting Spyware Autostart Methods in MS Windows-based Machines
- Configuring Internet Explorer for Network Users
- Using a Hosts File to Block Spyware-Infected Hosts
- Spyware and Security Resources
Detecting Spyware Processes In MS Windows-Based Machines
It is important to use a good process monitor. Windows 9x machines do not ship with any real process-monitoring tool, and I recommend using a third-party application to manage system processes on all Windows operating systems (NT, 2000, XP and later as well). Wintasks Pro is probably one of the best process monitors available today. The makers of Wintasks Pro have also set up a process library that lets system admins make an informed decision about whether a given process is malicious or not. This process library can be viewed here.
Malware will often inject itself into a legitimate process. This is an advanced infection technique, and injected code is difficult, though not impossible, to remove. Process injection has become very popular in the malware world: many remote access trojans use it because it evades rule-based (per-application) firewalls, and spyware makers have begun to use it as well. Injecting into the Internet Explorer process will often give the spyware Internet access, because many rule-based firewall applications never see the malware at all; they see the trusted application Internet Explorer and allow the communication. The practical consequence for detection is that the process list alone is not enough: there may be no separate spyware process to find, so what needs checking is which modules (DLLs) each trusted process has loaded and where on disk they were loaded from.
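As an added example (not code from the original article or from any product it mentions), the following PowerShell script applies that check to Internet Explorer and Explorer: it walks the modules loaded into each matching process and reports any DLL that lives outside the Windows or Program Files directories or that lacks a valid Authenticode signature. The process names, the set of trusted directories and the "suspicious" criteria are assumptions chosen for illustration, not a standard; adjust them to the software installed on the machine. It needs Windows with PowerShell 5.1 or later and should be run from an elevated prompt so that modules of processes owned by other users can be read.

```powershell
# Added example: list DLLs loaded into trusted processes that look out of place.
# Assumed defaults: processes iexplore/explorer, trusted roots = Windows and Program Files.
param(
    [string[]]$ProcessName  = @('iexplore', 'explorer'),
    [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
)

# True when $Path sits under one of the trusted root directories (case-insensitive prefix match).
function Test-TrustedPath {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Enumerate every module of every matching process and emit one record per suspicious DLL.
function Get-SuspiciousModule {
    param([string[]]$Names, [string[]]$Roots)
    foreach ($proc in (Get-Process -Name $Names -ErrorAction SilentlyContinue)) {
        foreach ($mod in $proc.Modules) {
            $path = $mod.FileName
            if (-not $path) { continue }   # some modules expose no on-disk path; skip them

            # Authenticode check: unsigned or tampered files come back as NotSigned / HashMismatch.
            $sig      = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $outside  = -not (Test-TrustedPath -Path $path -Roots $Roots)
            $unsigned = ($null -eq $sig) -or ($sig.Status -ne 'Valid')

            if ($outside -or $unsigned) {
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $mod.ModuleName
                    Path      = $path
                    Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                    Reason    = if ($outside) { 'outside trusted directories' } else { 'no valid signature' }
                }
            }
        }
    }
}

Get-SuspiciousModule -Names $ProcessName -Roots $TrustedRoots | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: a DLL that is signed and sits in a trusted directory is not thereby clean (signed malware exists, and a spyware installer may well drop its DLL into Program Files), so the output is a shortlist to investigate against a process library, not a verdict; and a clean run says nothing about processes that were not on the list, so when in doubt pass the names of every network-facing program the firewall trusts.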
System Safety Monitor is a freeware program that helps system admins protect against malware code injection.
"System Safety Monitor (SSM) is an application-firewalling tool (it is not a 'firewall' in traditional understanding, so there shouldn't be any conflicts with your network firewalls). SSM controls which programs are running on your computer and what they are doing. For example, SSM can prevent so-called 'DLL Injection'. Also, SSM will notify you whenever a program you want to start was modified. In addition, SSM can constantly check your registry and alert you when an important modification was made."