Saturday, October 22, 2011

Adware/spyware infested computer, Baitisj style

The following article will probably frighten many of you, but hopefully this is helpful to folks who have gone through this kind of frustration.

A friend of mine had infested computer. Her Windows XP computer had slowed to a crawl, and I offered to help take a look. Process Explorer showed me some very suspicious process names. Poking around, I found a directory named "C:\Program Files\Invisible Keylogger."

The first thing I did was to install wonderful extension called "Folder Size for Windows"
I noticed that her hard drive had very little free space, and I wanted to figure out where all the space had gone.

Using Folder SIze for Windows, I discovered a HUGE temporary internet files directory
(C:\Documents and Setting\Owner\Local Settings\Temporary Internet Files)

I deleted all files out of this folder, but Folder Size was still showing that there was 22 GB of data inside. Even with hiding system files disabled, looking inside of this folder showed nothing in Windows. Creepy.

I Did some online research, and noticed that previous versions of Windows XP use a file named "content.ie5" for cached data. Interesting.

I ran cmd and cd'd into the Temporary Internet Files directory. After I "cd content.ie5" and executed dir to list the files in the directory. Nine directories with cryptic file names like
3CNW8S1M were finally exposed.

I typed "explorer 3CNW8S1M", and found a LOT of files inside of these hidden directories.

A couple of takeaways:
  • Windows XP hides files inside of the Temporary Internet Files directory, even if the Explorer shell is configured to show system files and folders. cmd or Cygwin are your friends.

  • A password manager that saves your usernames and passwords to various websites protects you from screenshot and keylogger attacks. I really suggest setting up a password manager with a password that is sufficiently different from the password patterns that you use to log into Internet websites or whatnot.