Re: CRIME Monitoring software removal

From: Crispin Cowan (crispin@private)
Date: Fri Apr 12 2002 - 14:31:47 PDT


    Re-install the OS.
    
    It is possible to detect and remove such programs, but it is generally 
    only practical if:
    
        * You know *exactly* what the program does, i.e. all the various
          places it hides itself. You clearly don't know all those places,
          and the program is working hard to hide itself.
        * You have previously regularly run something like Tripwire, which
          would highlight all of the files that the program changed when it
          installed itself.
    
    If you haven't done either of these things, then the amount of work you 
    are facing to successfully remove the little bugger is astronomical. 
    Just re-install Windows from the original CD, as recommended.
    
    Crispin
    
    Heidi Henry wrote:
    
    > Does anyone have any tips on how to locate and completely remove 
    > monitoring software that has been installed in a stealth 
    > configuration?  I was able to locate the program once, and thought I 
    > had deleted it from the registry, however, after a number of reboots, 
    > the program has shown itself again, but it cannot be located in the 
    > registry as before.  After further research, the program is designed 
    > to change its name/extensions, so it is difficult to identify.  I did 
    > a search using $, which evidently is used for hiding the program, but 
    > I could not locate it a second time.  I have contacted the software 
    > vendor as originally I was able to identify the software 
    > manufacturer, but have not heard back from them yet.  The vendor FAQ 
    > states it cannot be removed without the originating computer or CD, 
    > i.e., the target computer cannot remove it.  The program is 
    > Winwhatwhere.  If this were placed on a computer legally, wouldn't it 
    > have to be done with a search warrant? This is a private PC, not on a 
    > network or in a work place.  Thanks for any suggestions you might 
    > have, Heidi e-mail: mcps@private <mailto:mcps@private>
    >
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:30 PDT