Re: CRIME Monitoring software removal

From: Crispin Cowan (crispin@private)
Date: Fri Apr 12 2002 - 14:31:47 PDT

Next message: Crispin Cowan: "Re: CRIME Perspective on Criticisms leveled at Microsoft"

Previous message: Heidi Henry: "CRIME Re: Monitoring software removal"
In reply to: Heidi Henry: "CRIME Monitoring software removal"
Next in thread: Lyle Leavitt: "Re: CRIME Monitoring software removal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Re-install the OS.

It is possible to detect and remove such programs, but it is generally 
only practical if:

    * You know *exactly* what the program does, i.e. all the various
      places it hides itself. You clearly don't know all those places,
      and the program is working hard to hide itself.
    * You have previously regularly run something like Tripwire, which
      would highlight all of the files that the program changed when it
      isntalled itself.

If you haven't done either of these things, then the amount of work you 
are facing to successfully remove the little bugger is astronomical. 
Just re-install Windws from the original CD, as recomended.

Crispin

Heidi Henry wrote:

> Does anyone have any tips on how to locate and completely remove 
> monitoring software that has been installed in a stealth 
> configuration?  I was able to locate the program once, and thought I 
> had deleted it from the registry, however, after a number of reboots, 
> the program has shown itself again, but it cannot be located in the 
> registry as before.  After further research, the program is designed 
> to change its name/extensions, so it is difficult to identify.  I did 
> a search using $, which evidently is used for hiding the program, but 
> I could not locate it a second time.  I have contacted the software 
> vendor as I originally I was able to identify the software 
> manufacture, but have not heard back from them yet.  The vendor FAQ 
> states it cannot be removed without the originating computer or CD, 
> i.e., the target computer cannot remove it.  The program  is 
> Winwhatwhere.  If this were placed on a computer legally, wouldn't it 
> have to be done with a search warrant? This is a private PC, not on a 
> network or in a work place.  Thanks for any suggestions you might 
> have, Heidi e-mail: mcps@private <mailto:mcps@private>
>

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Next message: Crispin Cowan: "Re: CRIME Perspective on Criticisms leveled at Microsoft"
Previous message: Heidi Henry: "CRIME Re: Monitoring software removal"
In reply to: Heidi Henry: "CRIME Monitoring software removal"
Next in thread: Lyle Leavitt: "Re: CRIME Monitoring software removal"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:30 PDT