Process-Thread Tool is designed to show you all running processes along with every module loaded by each program (the tool calls these "threads"; they are the dependency files, usually .dll, attached to a process, not operating-system threads). Process-Thread Tool will compare each of these against a list of known spyware file names to help you keep your system clean. You can save a list of all processes and threads for future comparison. A port viewer is also included that lets you see all active ports, both TCP and UDP. When Process-Thread Tool starts, it scans system memory for all running processes (.exe, .com, .drv), then finds each thread or dependency file attached to each program (usually a .dll). Process-Thread Tool then compares each process and thread against known spyware/ad-ware file names. (A hit does not mean the file is spyware; it means only that the file name is one spyware commonly uses.)
Spyware usually gets onto your system from the internet or via email. It embeds itself in your system and often does not show itself for days or weeks, so that it has already been copied into your backups by the time you notice it. It will often name itself after well-known programs, or write itself into Windows executables or dynamic libraries, to make itself harder to find. So finding it can be hard, and in most cases a running spyware program cannot be removed by an anti-virus or anti-spyware program while it is active.
If your system seems to be infected, you can use Process-Thread Tool to search through all of your processes and threads looking for anything out of place. Process-Thread Tool will look for names that spyware often uses, but a flag does not mean the file is spyware; it identifies only a name that may be spyware. Then the investigating starts: is the flagged program valid, or is it spyware?
Let's say AOL.exe is flagged. First, do you have AOL installed? If not, remove the suspect file. If you do have AOL installed, is the flagged AOL.exe in the proper directory? If you installed AOL to C:\Program Files\AOL, and this is the path of the running AOL, then it is more than likely valid. If the path of the running AOL is C:\Windows\System32, then the AOL that is running is spyware and needs to be dealt with immediately. Two further checks help settle doubtful cases: compare the flagged file's Properties (size, version information, digital signature if any) with the copy in the real install directory, and check when the file appeared on disk relative to when the trouble started.
Most spyware will put itself in one of three places: the Windows folder, the Program Files folder, or the Documents and Settings folder, and only in sub-folders that are created by default when Windows is first installed. It should also be noted that 99% of the spyware out there gets itself activated by writing itself into one of four startup locations on your computer (mechanisms designed to start a program when your computer boots). A program like StopIt Jr can watch all of these locations and warn you when a program is set to run on boot.
Removal can be difficult in some situations, to the point of requiring a reformat and re-installation; however, if you watch for changes in how your computer runs and read the signs, it can be done without losing data and valuable time.
First, as mentioned earlier, however much anti-virus and anti-spyware programs boast, when spyware is running they just cannot remove most of it. So this is where education on how things work is so valuable.
Let's use the example from earlier: your system appears infected and the program C:\Windows\System32\AOL.exe is flagged by Process-Thread Tool. You may head to the Task Manager and end the task, but it comes right back. This is because most spyware will have two or even three programs running, all watching each other and restarting any one that is stopped. So you need to look over all the running processes, checking for ones that are out of place or unrecognized. (A good practice is to run Process-Thread Tool on your system when it is first set up and create a file listing all processes and threads; this can be used for comparison later.) Stopping all of the programs is hard: you can try to end task on them one at a time and hope to catch them all, or use StopIt Jr to end task on as many programs as desired at once. Killing them one at a time rarely works against a watchdog pair, since the survivor restarts its partner before you reach it; kill the whole set in one action, or boot into Safe Mode, where most start-up entries are not processed and the watchdog is usually not running at all. If you succeed in stopping the AOL process, go and delete the file C:\Windows\System32\AOL.exe, and if you are sure about the others, delete them too.
If you cannot stop the program, then you need to stop it from starting when your computer does. Check the several startup sections in the registry, your Startup folder, Documents and Settings, and finally the Windows .ini files, or again let StopIt Jr search these areas and show you all of the entries. Remove the offending entries, reboot, and see whether the program fails to start. If it does not start, delete the files and all should be well. The reboot is the test that matters: if the program still comes back, it has a start-up hook you have not found yet, so look again before deleting anything.
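The baseline-and-compare practice mentioned above (and again under "Know your programs" in the protection list below), plus the one-shot kill of a watchdog set, can be scripted. The following is an added example written for this page in PowerShell; it is not Process-Thread Tool's own code or file format. The JSON file layout, the finding categories ("new-process", "known-name-new-path", "new-module") and the baseline path in the usage comment are this example's own choices.

```powershell
# Added example (not part of Process-Thread Tool): snapshot running processes and the
# modules ("threads" in the tool's terminology) each has loaded, save a baseline, and
# later diff a fresh snapshot against it. Run elevated to see other users' processes.

function Get-ProcessSnapshot {
    $snap = @{}
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }          # protected/system processes: no access, skip
        if (-not $path) { continue }
        $key = $path.ToLowerInvariant()
        if ($snap.ContainsKey($key)) { continue }  # several instances of one binary: record once
        $mods = @()
        try {
            $mods = @($p.Modules | ForEach-Object { $_.FileName.ToLowerInvariant() } |
                      Sort-Object -Unique)
        } catch { }                                # 32/64-bit mismatch or access denied: unknown
        $snap[$key] = [pscustomobject]@{
            Name    = $p.ProcessName.ToLowerInvariant()
            Path    = $key
            Modules = $mods
        }
    }
    return $snap
}

function Save-ProcessBaseline([string]$File) {
    @((Get-ProcessSnapshot).Values) | ConvertTo-Json -Depth 3 | Set-Content -Path $File
}

function Compare-ProcessBaseline([string]$File) {
    $baseline = @{}
    foreach ($e in @(Get-Content -Raw -Path $File | ConvertFrom-Json)) { $baseline[$e.Path] = $e }
    $knownNames = @($baseline.Values | ForEach-Object { $_.Name } | Sort-Object -Unique)
    $findings = @()
    foreach ($cur in (Get-ProcessSnapshot).Values) {
        if ($baseline.ContainsKey($cur.Path)) {
            # Same binary as in the baseline: report only modules it did not load before.
            $old = @($baseline[$cur.Path].Modules)
            foreach ($m in $cur.Modules) {
                if ($old -notcontains $m) {
                    $findings += [pscustomobject]@{ Kind = 'new-module'; Path = $cur.Path; Detail = $m }
                }
            }
        } elseif ($knownNames -contains $cur.Name) {
            # Familiar name running from an unfamiliar directory: the AOL.exe-in-System32 case.
            $seen = @($baseline.Values | Where-Object { $_.Name -eq $cur.Name } | ForEach-Object { $_.Path })
            $findings += [pscustomobject]@{ Kind = 'known-name-new-path'; Path = $cur.Path; Detail = ($seen -join ';') }
        } else {
            $findings += [pscustomobject]@{ Kind = 'new-process'; Path = $cur.Path; Detail = '' }
        }
    }
    # An unsigned file, or one whose signature no longer matches, deserves the closest look.
    foreach ($f in $findings) {
        $target = if ($f.Kind -eq 'new-module') { $f.Detail } else { $f.Path }
        $status = (Get-AuthenticodeSignature -FilePath $target -ErrorAction SilentlyContinue).Status
        $f | Add-Member -NotePropertyName Signature -NotePropertyValue $status
    }
    return $findings
}

# Stop every process running from the given paths in one call, then report any that came
# back within a few seconds: that is the watchdog pattern described above.
function Stop-ProcessSet([string[]]$Paths, [int]$WaitSeconds = 5) {
    $targets = Get-Process | Where-Object { $_.Path -and ($Paths -contains $_.Path) }
    if ($targets) { Stop-Process -InputObject $targets -Force -ErrorAction SilentlyContinue }
    Start-Sleep -Seconds $WaitSeconds
    Get-Process | Where-Object { $_.Path -and ($Paths -contains $_.Path) } |
        Select-Object Id, ProcessName, Path      # anything listed here was restarted
}

# Usage (baseline path is an assumption): run once on a clean system, then whenever
# something looks wrong.
# Save-ProcessBaseline -File 'C:\baseline\processes.json'
# Compare-ProcessBaseline -File 'C:\baseline\processes.json' | Format-Table -AutoSize
# Stop-ProcessSet -Paths 'C:\Windows\System32\AOL.exe', 'C:\Windows\System32\other.exe'
```

If Stop-ProcessSet lists survivors, a partner you have not identified restarted them; enlarge the set from the comparison output, or remove the start-up entries first and reboot, rather than repeating the kill.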
You are also going to run into spyware that is not so obvious: spyware that writes itself into Windows .dll (dynamic library) files that are loaded when Windows starts. These are not easy to fix, because the .dll files are in use and you just cannot delete or replace them while Windows is running. In this situation you can reformat and re-install, or, on Windows XP, run a Repair install from the XP install disk and let it restore the original .dll files. On XP the System File Checker (sfc /scannow from a command prompt, with the install disk at hand) will likewise replace protected system files whose contents no longer match the originals.
Protection is always the best front-line defense, but when you go looking there are so many options out there: which anti-virus do you select, should you run an ad-ware program, will you be safer if you run multiple anti-virus programs?
First, I have never been a fan of anti-virus programs. I tried one on my first computer, which ran only Windows 3.1 with no modem connection, and I was periodically told of a virus I had that it had fixed and that I should upgrade for better protection. I believe the best protection is this:
1. A good backup utility, not just Windows System Restore (which is worthless), but a good program that makes easy full and protected backups of your drive and then daily incrementals. The best one I have seen is RestoreIt by Farstone (www.farstone.com).
2. Use a program like StopIt Jr to monitor the four areas where programs can be set to run when your computer boots. If you want to check some of the areas manually, click Start, then Run, enter REGEDIT and click OK. Browse and check these areas for a start:
3. Make a RAM drive and point all internet files (browser cache and temporary files) to it. You can find free RAM drive programs that make drives up to 128 MB in size, or purchase ones that will use all of the memory available (www.cenatek.com and www.farstone.com). The idea behind a RAM drive is to create a virtual drive out of system RAM. The main benefit is speed; you will see increased performance when surfing. The benefit we are looking at here, though, is that when you reboot, everything on the drive is gone. Imagine a search takes you to a page that will dump spyware on your computer. Instead of disaster, you just reach down and hit the reset button, and everything on the RAM drive is wiped before it can do any damage. One caveat: this only discards what was written to the RAM drive. A program that has already executed and written a start-up entry, or a file elsewhere on disk, survives the reboot, so combine this with the boot-location monitoring in item 2 rather than relying on it alone.
4. Know your programs. As mentioned earlier, it is an excellent idea to make a list of all your active (running) programs when you set up your system. When you notice a new program that you did not install, you can take immediate action.
5. Use a good registry tool such as RegHealer (http://www.zoneutils.com/regheal/index.htm) to keep your registry clean and to maintain regular backups of it.
There is no need for an expensive anti-virus program or ad-ware programs that will not get rid of the really bad programs out there; instead, invest your money where it will do the most for you. What good is an anti-virus when you install a new program, reboot, and Windows will not start? With a program like RestoreIt you can be back up and running in minutes (even after a full hard drive failure) as if nothing had happened. You can also use this powerful tool to wipe out spyware you have just picked up. Any time I go to a site that looks questionable, I will immediately reboot and restore my computer to the point it was at that morning, thus avoiding any issues.
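The start-up locations that the removal procedure and item 2 above tell you to check can be enumerated in one pass. The following is an added example written for this page in PowerShell; it is not StopIt Jr's or Process-Thread Tool's code, and the list of registry keys, Winlogon values, folders and .ini lines it checks is this example's own list (the page names the areas but not the keys). The resolved file is checked for existence and Authenticode signature so that a missing or unsigned entry stands out.

```powershell
# Added example (not part of Process-Thread Tool or StopIt Jr): list the places Windows
# starts programs from at boot or logon, resolve each entry to the file it would run, and
# record whether that file exists and is signed. Run elevated to read HKLM reliably.

function Resolve-CommandPath([string]$Command) {
    # Pull the executable out of a command line such as  "C:\Dir\app.exe" /silent  or  app.exe -x
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)') { $exe = $Matches[1] }
    else { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) { return (Resolve-Path -LiteralPath $exe).Path }
    # Bare name: whatever is first on PATH would run, which is itself worth knowing.
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd -and $cmd.Source) { return $cmd.Source } else { return $exe }
}

function Get-StartupEntries {
    $entries = New-Object System.Collections.Generic.List[object]
    $add = { param($Location, $Name, $Command)
        $file = Resolve-CommandPath $Command
        $sig = $null
        if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
            $sig = (Get-AuthenticodeSignature -FilePath $file).Status
        }
        $entries.Add([pscustomobject]@{
            Location = $Location; Name = $Name; Command = $Command; File = $file
            Exists = [bool]($file -and (Test-Path -LiteralPath $file)); Signature = $sig
        })
    }
    # Run/RunOnce keys for the machine and the current user (this example's list).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSChildName, ... are provider metadata
            & $add $key $prop.Name ([string]$prop.Value)
        }
    }
    # Winlogon values: Shell should name explorer.exe and Userinit only userinit.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($valueName in 'Shell', 'Userinit') {
        $value = (Get-ItemProperty -Path $winlogon).$valueName
        if ($value) {
            foreach ($part in ($value -split ',')) {
                if ($part.Trim()) { & $add $winlogon $valueName $part.Trim() }
            }
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
            ForEach-Object { & $add $folder $_.Name ('"' + $_.FullName + '"') }
    }
    # Legacy win.ini run= / load= lines, still honoured through the registry's IniFileMapping.
    $ini = Join-Path $env:windir 'win.ini'
    if (Test-Path -LiteralPath $ini) {
        foreach ($line in Get-Content -LiteralPath $ini) {
            if ($line -match '^\s*(run|load)\s*=\s*(\S.*)$') { & $add $ini $Matches[1] $Matches[2].Trim() }
        }
    }
    return $entries
}

# Usage: review everything that is missing, unsigned, or runs from an odd directory first.
# Get-StartupEntries | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Save the full output once on a clean system, just like the process list, so that later runs can be compared line by line; an entry that resolves to a file under the Windows folder with a vendor-like name but no valid signature is the AOL.exe case from the example above.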
Another utility that comes with Process-Thread Tool is the Network Connection and Activity tool. This utility will show you any active ports on your system, whether they are connected, and what IP address or location they are connected to. You can then determine whether these connections or active ports are valid and take action if they are not.
For example, you can compare the active ports against ports known to be used by hackers or spyware. You can also look at the remote address and work out whether the connection is something you initiated or something initiated from outside. Note that the Remote Address column is filled in for every established connection, whichever side started it; what tells you who initiated it is the local port. A connection on a port your machine is listening on was accepted from the remote side, while a connection from a high-numbered local port to a service port on the remote side was opened by a program on your machine. A listening port you did not set up, or an accepted connection from an address you do not recognize, is the kind of entry to investigate.
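The direction rule just described can be applied automatically to a connection listing. The following is an added example written for this page in PowerShell (Get-NetTCPConnection and Get-NetUDPEndpoint need Windows 8 / Server 2012 or later); it is not the tool's own Network Connection and Activity utility. The inbound/outbound classification, the "external address" test and the column names are this example's own choices.

```powershell
# Added example (not the tool's network utility): list TCP connections and UDP endpoints
# with the owning process, classify each established TCP connection as inbound or
# outbound, and mark remote addresses that are outside this machine and its LAN.

function Test-IsExternalAddress([string]$Address) {
    # Loopback, link-local, wildcard and RFC 1918 ranges count as "here"; everything else is outside.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') {
        return -not ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal -or $ip.Equals([System.Net.IPAddress]::IPv6Any))
    }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 0 -or $b[0] -eq 10) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

function Get-ConnectionReport {
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }
    $tcp = @(Get-NetTCPConnection)
    # Ports we are listening on: an established connection on one of these was accepted, not dialled.
    $listenPorts = @($tcp | Where-Object { $_.State -eq 'Listen' } | ForEach-Object { $_.LocalPort } | Sort-Object -Unique)
    $rows = New-Object System.Collections.Generic.List[object]
    $describe = { param($owner)
        $p = $procs[[int]$owner]
        if ($p -and $p.Path) { "$($p.ProcessName) [$($p.Path)]" } else { "pid $owner (no access)" }
    }
    foreach ($c in $tcp) {
        $direction = switch ($c.State) {
            'Listen'      { 'listening' }
            'Established' { if ($listenPorts -contains $c.LocalPort) { 'inbound (remote side connected to us)' }
                            else { 'outbound (a local program connected out)' } }
            default       { [string]$c.State }
        }
        $rows.Add([pscustomobject]@{
            Proto = 'TCP'; LocalAddress = $c.LocalAddress; LocalPort = $c.LocalPort
            RemoteAddress = $c.RemoteAddress; RemotePort = $c.RemotePort
            Direction = $direction; External = (Test-IsExternalAddress $c.RemoteAddress)
            Process = (& $describe $c.OwningProcess)
        })
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $rows.Add([pscustomobject]@{
            Proto = 'UDP'; LocalAddress = $u.LocalAddress; LocalPort = $u.LocalPort
            RemoteAddress = '*'; RemotePort = $null
            Direction = 'bound (UDP has no connection state)'; External = $false
            Process = (& $describe $u.OwningProcess)
        })
    }
    return $rows
}

# Usage: accepted connections from outside, then listeners you did not set up, come first.
# Get-ConnectionReport | Where-Object { $_.External -and $_.Direction -like 'inbound*' } | Format-Table -AutoSize
# Get-ConnectionReport | Where-Object { $_.Direction -eq 'listening' } | Format-Table -AutoSize
```

An outbound connection is not automatically innocent: the Process column is what tells you whether it was your browser or the flagged AOL.exe that opened it, which is why the report resolves the owning process path rather than only the port.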
Current Version is 1.00