Unhacking yourself

There is a lot of information on this site with regards to different types of software protection for your PC and how its used.

How do you guys periodically, other than a regular virus/spyware scan, check that you haven't already been hacked . What if something has already made its way through your security software and you haven't picked up on it ?

What steps do you take that will definetly determine 100% (or close to it) that you are hack free ?

 

well i check to see if any odd processes are running and check services.
lodore

 

RootKit Detectors on the order of RKUnhooker to mention one examines many deep areas where malicious or intruding code/files could hide.
For simple file changes or attributes i use a series of Hash Sum generators, SHA1, CRC and along those lines. If you're hacked beyond those which is unlikely but NOT impossible, you could use a CD with BartPE for instance or a Linux Distro to make another comparison. These are some of mine.

 

I would run Autoruns to research and scope auto loading process and services, BHO's etc... and use Process Explorer to research the functioning process in more dept and see their actual resource use and impact... You can find those tools free from www.sysinternals.com.

I would use Rootkit hook analyzer 2.00 from www.resplendence.com (It's quick and shows most kernel hooks.) You can then go back to process explorer to continue digging.

Then you want to make a backup of your registry with a tool that can do a registry comparative later and immediately pinpoint hostile modifications as well as restore previous registry entries (If you have backups).
You can use Advanced Registry Tracer for this from http://www.elcomsoft.com/art.html

You also want to monitor anything using any kind of network resources from or to your host pc since trojans and rootkits love using the network to bring in more viruses or phone home and open a doorway to the hackers. You can use TCPView for this also from www.Sysinternals.com
I favour PortExplorer from www.DiamondCS.com since it provides far more powerful tools as well as being able to capture transactions for later analysis. It is also easier to quickly pinpoint suspicious activity with PE.

Also you should clean the registry of all clutter and empty all temp folders and directories on your PC. (A great many viruses and spyware hide in Temp folders so cleaning them daily greatly reduces problems with many minor infections...)

Word for the Wise "Defragment Daily!!!"

This should keep you busy learning for a while!!!

 

on my box I too employ a network of tripwires (checksums on security aps and critical OS files in the assumption that malware will attempt to subvert them) a HIPS (which I consider a tripwire) object auditing and other security logs. As well as maintain updated security benchmarks (rootkit detector logs, patch verification, registry entries) I do keep an eye on unusual traffic when there shouldnt be any, but have yet to settup an actual traffic packet sniffer like Snort

 

Hello,

Already mentioned:

Scan with Live CD, comparison of system files normal vs. live.
Full reformat.
General feel of the system.

Mrk

 

Yeah, all thats been said already really.
Look at your traffic.
Live CD.
Free and paid utilities.
Mark Russinovich and malware detection and removal video (Sysinternals) which has been posted before is a good watch for those wanting learn about detection and removal. Some tools used are Autoruns and ProcessExplorer. Another one of of their tools is the already stated above TCPView. I also use Administrator's Pak from the same authors but from Winternals.
Antirootkit.
DeviceTree.