Now, let’s assume you have a suspicion. Stuff has been acting weird, you think you might be hacked. These tools can give you a better grip of what’s going on:
AVG Anti-Rootkit – what is a rootkit, you ask? Well, in just a few words: once someone gets access to your computer, they want to make sure they have full control and that they keep that control no matter what you do. So they install a rootkit on your system. This is a program that won’t show up in your process list in Task Manager, won’t be detected by antiviruses, is very difficult to remove (sometimes impossible without a complete reformat) and gives whoever installed it full, unrestricted access to your computer (also known as root access, which is where the term got its name). Fortunately, not all hackers are also good coders, so they use rootkits that are already out there rather than writing their own. AVG Anti-Rootkit is a simple tool that scans for those common rootkits. It runs pretty much like an antivirus scan and does its job.
This time though, simple also means not all that good. So this is where HijackThis comes into play. HijackThis is a small tool that is very useful for finding rootkits. Unfortunately, it is not for the average user. Even security experts sometimes don’t know what all the stuff in that list stands for, simply because, unlike any of the previous tools, HijackThis doesn’t really tell the difference between good stuff and bad (it doesn’t pretend to either). It just brings out a list of stuff that’s suspicious. Most of that stuff is good. Some of it might be bad. How do you know? Well… one way you can get an idea is to run it when you’re sure your computer is CLEAN (say, a fresh installation of the operating system) and save the log file. Then run it whenever you have your doubts and compare the two log files; anything that is in the new log but not in the clean one is what deserves a closer look. If you can’t really make sense of some of the new stuff in there, give the log file to someone more specialized to examine it.
Wireshark and Nmap – these tools are useful for monitoring your own system. Nmap will tell you what ports you have open (if you know they shouldn’t be, take another look at those firewall settings) and Wireshark will capture traffic, which means it will show you EVERYTHING that goes in or out through your network card. Both of these tools are very powerful, and if you want to use them you either learn how to use them yourself or you save the results they give you and hand them to someone who knows what they’re doing. Also, a side note: do NOT scan anything other than your own machine (localhost) with Nmap, and do not capture packets on an open network with Wireshark. These actions can be ILLEGAL and can get you into trouble. Use them just for getting information about your own system, nothing more. Ok?
Sysinternals suite – this pack of tools is so good that Microsoft bought it. And it’s so loved that even after they bought it, it’s still free. These are the best tools for figuring out what is really going on with your system: what processes are running, what runs at startup, what network connections are active, another tool for finding rootkits, and much, much more.
Finally, again, just use your wits. Do you get pop-ups when you start your computer or when you open your browser? Is your computer or network connection slow? That’s a pretty good sign that you’ve got some malware on your system. Another thing you can look at is startup programs. Either use the tools in Sysinternals (generally better), or go to Start -> Run, type in msconfig and click OK. The last two tabs are what you really care about… you can take down services that seem suspicious (make sure you tick Hide All Microsoft Services first, so you don’t mess your operating system up), as well as startup programs. This doesn’t remove anything, it just keeps them from starting up, which may then help you to remove them.
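The “snapshot it while clean, then compare” trick described for the HijackThis logs above works just as well for the startup entries, services and open ports this section keeps coming back to. The PowerShell script below is an added example, not something from the original post or from any of the tools mentioned; the baseline file location and the particular Run keys it checks are my own choices, and the listening-port part needs Windows 8 / Server 2012 or newer.

```powershell
# Snapshot the things malware typically touches to survive a reboot
# (autostart registry entries, services, listening TCP ports), save it
# once on a known-clean machine with -Baseline, and diff against it later.
param(
    [switch]$Baseline,
    [string]$BaselinePath = "$env:USERPROFILE\clean-baseline.json"   # assumed location
)

function Get-SystemSnapshot {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties that Get-ItemProperty adds itself; not real autorun values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $entries = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notin $providerProps) { "AUTORUN $key [$($p.Name)] = $($p.Value)" }
            }
        }
    }
    $services = Get-CimInstance Win32_Service |
        ForEach-Object { "SERVICE $($_.Name) ($($_.StartMode)) = $($_.PathName)" }
    # Requires the NetTCPIP module (Windows 8 / Server 2012+); netstat -ano on older systems.
    $ports = Get-NetTCPConnection -State Listen |
        ForEach-Object { "LISTEN $($_.LocalAddress):$($_.LocalPort) pid=$($_.OwningProcess)" }
    # Sorted and de-duplicated so Compare-Object only reports real differences.
    @($entries) + @($services) + @($ports) | Where-Object { $_ } | Sort-Object -Unique
}

$current = Get-SystemSnapshot
if ($Baseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline with $($current.Count) entries saved to $BaselinePath"
    return
}
if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run this script with -Baseline on a clean system first."
}
$clean = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
# '=>' = present now but not on the clean system (investigate these first);
# '<=' = present on the clean system but gone now.
$diff = Compare-Object -ReferenceObject $clean -DifferenceObject $current
if (-not $diff) { Write-Host "No change from baseline."; return }
$diff | ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
```

Run it from an elevated PowerShell so the HKLM keys and service paths are readable, and keep the baseline file somewhere malware is unlikely to tamper with it (a USB stick or another machine).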
There’s also a chance that your problems are not virus-related, and there will be some future articles about that.