1) Boot into SAFE Mode or from a Floppy if possible. NTFS read-only floppies work fine.
2) In C:\WINDOWS, run "DIR /O-D /P" and check all the file names and DATES. If you are on XP SP2, no EXE or DLL should be newer than 2004, unless you put it there. Delete all suspect barnacles. Same for the SYSTEM32 folder. You can even do this in Explorer: sort by Date, and scroll through the list via mouse or keyboard. Check Explorer's status line or turn on the column "Manufacturer" in Details view. Chumps usually DON'T fill in "Joe Hacker Company" etc. in the EXEs.
3) Google/Get/Run Hijackthis or a better GUI version at
4) Check all the items suggested in the a2squared tool above. Remove barnacles.
5) Run at least the FREE online checks from Norton, McAfee, TrendMicro, Stinger, NOD32, etc.
6) STOP running 24/7 as an Admin on your own box, dummy.
7) Check your Control Panel Services for foreign invaders.
8) Check your fonts folder for anything strange (like a 5MB font).
9) Newer nasties are installing themselves as PRINT DRIVERS or NETWORK PROVIDERS. Not nice. Even the big AV players are too dumb to scan these places.
10) Get Mark Russinovich's excellent tools at TCPVIEW and PROCESS VIEWER.
11) In Process Viewer, there is a menu option called Replace Task Manager. Do it. Every time you press CTRL-ALT-DEL, Mark's tool comes up. One of the only TOOLS where you can actually SUSPEND a task. Can't do that with MS tools. Check the processes. Check the DLLs and handles open.
12) TCPVIEW.EXE: watch all your outbound connections while running nothing else. This is how I caught a keylogger called WINMOTEL.EXE sending SYN packets to a PPP dialup account in Italy.
13) Only install apps as Joe User, not Admin.
George Walkey
Senior Geek in charge
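A scripted version of the "check the dates and the company name" step above, added here as an example and not part of George's post. It lists EXE/DLL files in the Windows and System32 folders written after a cutoff date, reads the CompanyName from each file's version resource (the column Explorer shows), and also checks the Authenticode signature, since a patched system will have plenty of newer Microsoft-signed files that are fine. The cutoff date and folder list are assumptions; adjust them for your build.

```powershell
# Added example: audit recently modified EXE/DLL files in the system folders.
# Assumptions: cutoff date and folders below; tweak for your own install.
param(
    [datetime] $Cutoff  = '2004-12-31',   # the post's rule of thumb for XP SP2
    [string[]] $Folders = @("$env:SystemRoot", "$env:SystemRoot\System32")
)

function Get-SuspectBinaries {
    param([datetime] $Cutoff, [string[]] $Folders)

    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Extension -in '.exe', '.dll' -and $_.LastWriteTime -gt $Cutoff
            } |
            ForEach-Object {
                # Signature status: Valid, NotSigned, HashMismatch, UnknownError ...
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTime
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    Company   = $_.VersionInfo.CompanyName   # blank is the "Joe Hacker" tell
                    Signature = $sig.Status
                }
            }
    }
}

$all = Get-SuspectBinaries -Cutoff $Cutoff -Folders $Folders

# Newest first, like DIR /O-D, so the most recent arrivals are at the top.
$all | Sort-Object Modified -Descending | Format-Table -AutoSize

# Short list for manual review: no company name, or a signature that is not Valid.
"`n=== Files worth a closer look ==="
$all |
    Where-Object { -not $_.Company -or $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Path, Modified, SizeKB, Company, Signature -AutoSize
```

Run it from an elevated PowerShell so System32 is fully readable; an empty Company field or a signature other than Valid is a reason to look closer, not proof of infection.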