Republished with permission from WatchGuard Technologies, Inc.

Identifying Spyware Processes on a Windows PC

By Dave Piscitello, President, Core Competence

Spyware can be downloaded from many locations, delivered in many packages, and installed in many locations on your PC. Spyware developers distribute new spyware and alter existing spyware constantly to evade your desktop and gateway antispyware defenses. No matter how many countermeasures you put in place, you can still fall victim to spyware.

If you notice common spyware symptoms on your PC, don't be afraid to investigate. In some cases, you may conclude you can tweak performance and solve the problem yourself; in others, you may be able to identify spyware and remove it manually. Or you may find a "never before seen" spyware and be in a position to help eradicate it. All you need to join the ranks of spyware hunters are some tools, tips and time.

Before you begin

Examining your PC for evidence of spyware is educational and rewarding. Manual removal, however, is an advanced skill and a black art. While many antispyware forums provide accurate removal instructions, you should not approach removal lightly. Done incorrectly or incompletely, manual removal of spyware can render your Windows OS inoperable. This is especially true if you encounter "removal resistant" spyware that inflicts damage on your system if you try to eradicate it.

Manual spyware removal should be your last alternative: Do it only when all other alternatives have failed (or if you are trying to become a spyware expert). Try commercial spyware removers first. If none are available, Googling the spyware you've identified often reveals a freeware removal tool. If you have any intention of removing spyware manually, I urge you to provide a recovery path by doing the following:

  • Archive important files, documents, configuration information, and software licenses on removable media or a separate partition so you can restore them if you hammer your Windows installation.
  • Back up your Windows Registry, and know how to restore it.
  • Create a Windows XP system restore point and learn how to use it. System restore will help you in situations where your removal efforts fail, by providing you the ability to restore Windows XP to its last working configuration.
  • Have your OEM or retail license copy of Windows XP, or a recent image of your XP installation, handy.

If you choose to remove spyware manually, obey the Carpenter's Golden Rule: Measure twice, cut once. Remove no Windows component and change no configuration until you are certain you're doing no harm (or you can restore your last working configuration).

What am I looking for?

A single spyware installer package may have many components. A component may be an executable file, a Windows registry item, an Object Linking and Embedding (OLE) Control Extension or a Dynamic Link Library, and even plain text or HTML files. For example, a look at the removal instructions for ClearSearch in the eTrust PestPatrol encyclopedia shows that components associated with this "browser hijacker" register 23 dynamic link libraries, create 67 registry items, and include 15 run-time executable files.

A good place to begin your search for suspected spyware is to identify processes, the programs that are executing in your PC's RAM and consuming CPU. All applications and Windows services, including many forms of spyware, run as processes. Spyware programs are basically processes you didn't choose to install that hide in the shadowy corners of your RAM so you can't easily find them.

To see all the processes running in memory, you can use the Windows Task Manager, accessible by right-clicking the Windows Task Bar (or pressing Ctrl+Shift+Esc). Task Manager identifies every active process by name -- winlogon.exe, svchost.exe, jusched.exe, gator.exe, buddy.exe -- but tells you little beyond helping you identify processes that are CPU and memory hogs. For process hunting in search of spyware, use the same tools professionals do: Process Explorer from Sysinternals, Process Viewer by Igor Nys, and msinfo32.exe. In addition to all the information Task Manager provides, these tools provide essential information for spyware hunters, including:

  • The relationships between processes. Called process trees, this information helps you identify all the processes associated with an application or a spyware program. In many cases, you'll need to kill all associated or child processes of a spyware application.
  • Program properties. Many reputable software companies take the time to provide company identification, version information, and a text description of executable programs. Use this information as your first-order filter to distinguish goodware from badware.
  • Program location. Knowing where a program is stored on disk is very helpful in identifying potential spyware. (What's that program doing installed in C:\temp\?) Of course, knowing where a file is located makes it easier to remove it, too.
  • Process priority. Few programs run at any priority other than Normal, so a process running at High or Realtime deserves a second look.
  • The command line and startup information used to spawn execution of the program can be helpful in identifying spyware components that are started or auto-installed by other spyware components.
  • Module (DLL) usage identifies libraries used by active processes and their locations. This information helps you build a picture of all the components of a spyware package.

Process Viewer and Process Explorer have many other nifty features. If you become a process hunter, you will probably find some use for them all.
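The triage pass described above, scripted as an added example (it is not code from the original article or from any of the tools it names): it collects the same fields Process Explorer shows -- parent process, publisher metadata, on-disk location, priority, and command line -- for every running process, flags the combinations a spyware hunter looks at first, and walks the process tree below a suspect. It assumes Windows PowerShell 5.1 or later in an elevated session so that every process's path and command line are readable; the "scratch directory" patterns are this example's own heuristics.

```powershell
# Added example, not part of the original article. Assumes an elevated
# Windows PowerShell 5.1+ session. The directory patterns are heuristics.
$suspiciousDirs = @(
    '\\Temp\\', '\\Windows\\Temp\\', '\\AppData\\Local\\Temp\\',
    '\\Downloads\\', '\\ProgramData\\', '\\Recycler\\'
)

# Win32_Process supplies ParentProcessId, ExecutablePath and CommandLine.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

function Get-TriageRow($p) {
    $path    = $p.ExecutablePath
    $parent  = $byPid[[int]$p.ParentProcessId]
    $company = $null; $desc = $null; $prio = $null; $sig = 'NoPath'
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Version block = the "program properties" a reputable vendor fills in
        $vi      = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        $company = $vi.CompanyName; $desc = $vi.FileDescription
        $sig     = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    }
    $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($gp) { try { $prio = $gp.PriorityClass.ToString() } catch { $prio = 'unknown' } }

    $flags = @()
    if (-not $path) { $flags += 'no readable path' }
    elseif ($suspiciousDirs | Where-Object { $path -match $_ }) { $flags += 'runs from a scratch directory' }
    if ($path -and -not $company)                    { $flags += 'no company in version info' }
    if ($sig -notin 'Valid', 'NoPath')               { $flags += "signature $sig" }
    if ($prio -and $prio -notin 'Normal', 'unknown') { $flags += "priority $prio" }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Parent      = if ($parent) { '{0} ({1})' -f $parent.Name, $parent.ProcessId } else { "<exited> ($($p.ParentProcessId))" }
        Path        = $path
        Company     = $company
        Description = $desc
        CommandLine = $p.CommandLine
        Flags       = $flags -join '; '
    }
}

$report = $all | ForEach-Object { Get-TriageRow $_ }

# A flag is a reason to look, not a verdict: plenty of legitimate updaters run
# unsigned from a user profile, and a rootkit-hidden process never shows up here.
$report | Where-Object Flags | Sort-Object PID |
    Format-Table PID, Name, Parent, Company, Flags -AutoSize

# Walk the process tree below one suspect: children and their command lines.
function Show-Subtree([int]$ParentPid, [int]$Depth = 0) {
    foreach ($c in $all | Where-Object { $_.ParentProcessId -eq $ParentPid -and $_.ProcessId -ne $ParentPid }) {
        '{0}{1} ({2})  {3}' -f (' ' * (2 * $Depth)), $c.Name, $c.ProcessId, $c.CommandLine
        Show-Subtree -ParentPid $c.ProcessId -Depth ($Depth + 1)
    }
}
# Usage: Show-Subtree -ParentPid 1234
```

Keep the full $report (including unflagged rows) around: when you later look up a process name on the sites below, the path, company and command line are the details that let you tell a legitimate svchost.exe from a lookalike.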

How do I distinguish a useful process from spyware?

Many Web sites provide lists and descriptions of Windows processes. WinTasks Process Library categorizes processes as security risk, system resource, and commonly encountered applications. Enter a name and What Process.com's search engine will return a description along with user comments regarding use or misuse associated with that process. AnswersThatWork offers the most detailed information I've found on processes (tasks). For every task, the site identifies the program, developer, "What it is and what you can do," and a recommendation for how to treat it. If you don't find a process after visiting all these resources, try Googling the process name. If someone's seen the process before, chances are they've described it or discussed it somewhere on the Web.

A Sample Removal

Suppose you discover that the process is a spyware component. To remove spyware manually, visit an antispyware advocacy site like spywarewarrior.com, or a pestware encyclopedia (eTrust, Bazooka). Such sites provide detailed manual removal instructions. An encyclopedia will identify the processes, libraries, and registry items associated with specific spyware, and Process Explorer and Process Viewer will prove invaluable in locating those components on your PC.

Let's suppose you find a suspicious process called dmserver.exe on your PC. You visit WinTasks Process Library and discover this process is an advertising downloader, W32.Comet. Now search the PestPatrol Spyware Encyclopedia for manual removal instructions:

  • Use Process Explorer, Task Manager, or Process Viewer to "kill" dmserver.exe.
  • Launch the Registry Editor (Start > Run, then type regedit). If you find the Autorun value "dm_server" under the following Registry key, remove it and reboot your PC: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\
  • Unregister these DLLs: cssecure.dll, dmproxy.dll
  • Delete the files dmserver.exe, cssecure.dll, and dmproxy.dll (use Process Explorer or Process Viewer to locate them on your PC)
  • Remove the comets~1 directory.

Step 1 removes the active spyware component from memory. Steps 2 through 5 remove the remaining components from the Registry and from disk; step 2 in particular keeps the spyware from being relaunched at the next logon.
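The same five steps, scripted as an added example (not code from the original article or from the PestPatrol instructions) so that each step is checked before it runs and can be undone. The process name, the "dm_server" Run value and the DLL names come from the article; the backup location is this example's choice, the Program Files location of the comets~1 directory is an assumption, and the refusal to touch anything under the Windows directory is the script's way of obeying "measure twice, cut once". Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the original article. Elevated Windows PowerShell 5.1+.
$ErrorActionPreference = 'Stop'
$procName  = 'dmserver'
$runKeyPS  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeyReg = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'dm_server'
$dlls      = 'cssecure.dll', 'dmproxy.dll'
$backupDir = Join-Path $env:USERPROFILE 'spyware-backup'   # example's choice
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Step 0: measure twice. Export the Run key and locate every file before touching anything.
reg.exe export $runKeyReg (Join-Path $backupDir 'Run.reg') /y | Out-Null
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
$files = @()
foreach ($p in $procs) {
    $files += $p.Path
    # The package's DLLs are normally loaded into the spyware process itself.
    $files += $p.Modules | Where-Object { $dlls -contains $_.ModuleName } | ForEach-Object FileName
}
$files = @($files | Where-Object { $_ } | Sort-Object -Unique)
if ($files | Where-Object { $_ -like "$env:windir\*" }) {
    throw "A listed file lives under $env:windir. Stop and verify it is not a Windows component."
}
'Files that will be removed:'; $files

# Step 1: kill the running process(es) and wait until they are really gone.
$procs | Stop-Process -Force
$procs | Wait-Process -Timeout 10

# Step 2: remove the autorun value, only if it is present.
$run = Get-ItemProperty -Path $runKeyPS
if ($run.PSObject.Properties[$runValue]) {
    Remove-ItemProperty -Path $runKeyPS -Name $runValue
}

# Step 3: unregister the COM DLLs (/s suppresses the dialog box).
foreach ($f in $files | Where-Object { $dlls -contains (Split-Path $_ -Leaf) }) {
    Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$f`"" -Wait
}

# Step 4: move the files into the backup instead of deleting them, so the step is reversible.
foreach ($f in $files) {
    Move-Item -LiteralPath $f -Destination $backupDir -Force
}

# Step 5: remove the package directory (assumed to sit under Program Files).
$pkgDir = Join-Path $env:ProgramFiles 'comets~1'
if (Test-Path -LiteralPath $pkgDir) { Move-Item -LiteralPath $pkgDir -Destination $backupDir -Force }
'Done. Reboot, then re-run the process triage to confirm nothing came back.'
```

If a Move-Item fails because another process still holds a file open, that process is itself a candidate component: note its name, go back to the process list, and kill it before retrying.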

If something goes wrong, use your backups and restore your system (unfortunately, the spyware will remain). Caution: manual removal instructions you find online are not guaranteed to be complete or current. The spyware developer may have altered its footprint; this is, in fact, a common practice. Use manual removal as a last resort or on a system where you are willing to rebuild the OS from scratch.

What if I find "never before seen" spyware?

If you find processes that you suspect are spyware programs, try suspending and resuming the processes to observe their behavior and perhaps identify related processes (BeyondLogic's command-line utility, process.exe, can help you). Search for the process by name in your Registry to see if you can identify any Autorun or other Registry settings associated with the "spyware package." Don't try manual removal, but do send your findings to the pros. Some antispyware companies and communities (F-Secure, SecurityWonks, Aluria Software...) encourage you to submit spyware samples. They use your samples to create new antispyware definitions (signatures), and to confirm that signatures they already use are complete and accurate. You won't receive a medal or money, but you'll have done a service to the Internet community at large.
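The two checks described above, scripted as an added example (not code from the original article): Find-RegistryReferences searches the common autorun locations for a process or file name, and Watch-Suspended freezes the suspect for a while and reports which processes appeared in the meantime, which is how a watchdog component that restarts or respawns the suspect gives itself away. Suspension uses the undocumented but long-stable NtSuspendProcess/NtResumeProcess calls in ntdll.dll rather than a third-party utility. It assumes Windows PowerShell 5.1 or later in an elevated session; the list of registry roots is this example's selection, not an exhaustive autorun inventory.

```powershell
# Added example, not from the original article. Elevated Windows PowerShell 5.1+.
# Registry roots to search first (an example selection, not every autorun location).
$autorunRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Report every key name or value whose data mentions $Needle (e.g. 'dmserver').
function Find-RegistryReferences([string]$Needle, [string[]]$Roots = $autorunRoots, [int]$MaxDepth = 2) {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys  = @(Get-Item -LiteralPath $root)
        $keys += Get-ChildItem -LiteralPath $root -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue
        foreach ($k in $keys) {
            if ($null -eq $k) { continue }
            # Key names matter too: services are keyed by service name, BHOs by CLSID.
            if ($k.PSChildName -like "*$Needle*") {
                [pscustomobject]@{ Key = $k.Name; ValueName = '(key name)'; Data = $null }
            }
            foreach ($vn in $k.GetValueNames()) {
                $data = $k.GetValue($vn)
                if ("$data" -like "*$Needle*") {
                    [pscustomobject]@{ Key = $k.Name; ValueName = $vn; Data = "$data" }
                }
            }
        }
    }
}

# Undocumented ntdll calls; a non-zero NTSTATUS means the suspend failed.
Add-Type -Namespace Win32 -Name NtProc -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
'@

# Freeze the suspect, then report its network connections and any process that
# started while it was frozen. A fresh copy of the same image means a watchdog
# respawned it; a new child of the suspect cannot appear while it is suspended,
# so anything else that shows up was started by a sibling component.
function Watch-Suspended([int]$ProcId, [int]$Seconds = 30) {
    $p        = Get-Process -Id $ProcId
    $expected = $p.ProcessName + '.exe'
    $before   = @(Get-CimInstance Win32_Process | ForEach-Object ProcessId)
    $conns    = Get-NetTCPConnection -OwningProcess $ProcId -ErrorAction SilentlyContinue |
                Select-Object LocalPort, RemoteAddress, RemotePort, State
    if ([Win32.NtProc]::NtSuspendProcess($p.Handle) -ne 0) { throw "could not suspend PID $ProcId" }
    try     { Start-Sleep -Seconds $Seconds }
    finally { [Win32.NtProc]::NtResumeProcess($p.Handle) | Out-Null }
    $new = @(Get-CimInstance Win32_Process | Where-Object { $before -notcontains $_.ProcessId })
    [pscustomobject]@{
        Suspect       = '{0} ({1})' -f $p.ProcessName, $ProcId
        Connections   = $conns
        StartedDuring = $new | Select-Object ProcessId, ParentProcessId, Name, CommandLine
        Respawned     = @($new | Where-Object { $_.Name -eq $expected }).Count -gt 0
    }
}
# Usage: Find-RegistryReferences -Needle 'dmserver' | Format-Table -AutoSize
#        Watch-Suspended -ProcId 1234 -Seconds 20
```

Everything these two functions print (registry locations, connection endpoints, the names and command lines of processes that appeared during the freeze) is exactly the material an antispyware vendor wants alongside the sample, so save the output with the files you submit.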

Conclusion

Researchers at all the reputable antispyware companies routinely practice process hunting. It's not always easy, and you won't succeed 100 percent of the time, but it's always educational. Process hunting is a reasonably painless way to launch your career in CSI -- that is, Computer Spyware Investigation.

Copyright © 2005, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.