I have an aversion to win98/ME, so I'm not as familiar with those as I am with Win2k and WinXP.
Tool of the trade: HijackThis! (freeware, all versions of Windows)
HijackThis! will list a lot of items, even on uninfected computers. Experienced users will be able to spot spyware entries right away. If there is an item you don't recognise, try searching for it on Google. Google is your friend.
BHO - Browser Helper Objects - are particularly dangerous. Make sure that all BHOs you have are from sources you trust. Legit BHOs include google toolbar, Adobe AcrobatIEHelper, and BHOs from your anti-virus.
O4 entries - items that run at startup. If you are infected with viruses or other malware, you will most likely find them here. Familiarize yourself with your normal startup items.
Especially suspicious are .exe files located in C:\windows\ and gibberish filenames such as "yakkvfob.exe" - if a googled filename gives you zero hits, it is probably a randomly generated filename, and therefore malware. Legit programs don't try to hide what they are.
Some forms of malware simply refuse to be removed. You remove them, re-scan, and they're still there. This is because they are currently in use and are protecting themselves from being removed. Sometimes, even using the delete on startup option will fail. Usually, the file in question is a dll file.
This is where HijackThis!'s Process Manager comes into play. Click the Config button, then Misc Tools, then Open Process Manager. Tick "Show DLLs".
Check explorer.exe first - this is where they usually hide. If you see your malware DLL on explorer's list, kill explorer, delete the offending file and use HijackThis! to remove the entries related to it. Respawn explorer.exe (Windows key+R, type explorer).
Some viruses and malware may register themselves as services, making them harder to detect. You can open the Services console by running services.msc
On Windows XP Pro, you can also type tasklist /svc in the command prompt (cmd) for a list of all running processes and which services run under each. This also works on XP Home Edition once the tasklist.exe file from Pro is copied over (it should be put in C:\Windows\system32\ - you might want to grab its companion, taskkill.exe, too). Tasklist and Taskkill provide a command-line substitute for Task Manager. Fall back on these if you have a virus disabling your Task Manager.
To save on system resources, you should stop and disable useless services such as Remote Registry and Messenger. If you don't know what they do, you don't need them.
Task Manager is one of the most useful tools included in Windows. The main reason I hate Win98/ME is because of the lack of a proper Task Manager.
The Processes tab is the main attraction of Task Manager - these are your running processes. Their number should range from around 10 (extremely minimalistic tweaked system with all non-essential services disabled) to around 40 (running a lot of stuff). The lowest I've been able to go on a Win2k computer is 12. Take note of what is normal for your computer so you'll notice right away if there are more processes running than normal. If your computer is being sluggish, look for a process that takes a large amount of CPU and/or memory.
Sometimes a crashed program will fail to be removed from memory, and it'll leave a ghost process. You can kill these from task manager. You may also want to kill non-responding programs.
You should never attempt to kill svchost.exe - it is normal to have more than one of these. Three, four, even five is not unusual. One of these hosts the RPC service. If it is shut down, your computer will give you 60 seconds to save your work before it reboots - the Blaster virus took advantage of this. If you've been stupid enough to kill the wrong svchost, or have a virus that does this, don't panic. Open your command prompt (run cmd) and type in shutdown -a - the shutdown will be aborted.
The best thing you can do to avoid getting spyware is to use a different browser than Microsoft's Internet Explorer. I recommend Mozilla Firefox.