
Spyware in the System32 folder

Apr 15, 2002
I see more and more that a majority of spyware is now being stored in the System32 directory; several are marked as system files and by default hidden from view from a lot of programs. My question is this: Do all real files (.exe, .dll, etc.) in that folder have a Version tab with a proper description, or at least some description somewhere? I noticed a lot of files with no description, version... anything that tells me what it is. And just from experience I know that most are spyware related, but would it be safe to delete an .exe file that has nothing identifying what it is?
 
I would say it's not safe. And I agree with you that no self-respecting application has any business dropping files into the System32 folder (without identification, if indeed at all). But it's not a 1:1 correlation, and you'll probably pull the wrong thread and unravel something useful going about it that way, unfortunately.
 
What do the antivirus and antispyware programs tell you?

Removing adware & spyware: faq608-4650

Microsoft (GIANT Antispyware) Beta available: Thread779-979113

These sorts of programs will help take the guesswork out of the equation.

Most Microsoft files will tell you they are just that. Similarly, reputable third-party files will carry this information, but there may be exceptions. So relying on this lack of file version details may be risky as a reason to delete them.

Further information may be obtainable just by reading the file in Notepad or Word, more might be discovered via a Hex Editor.

Any exe or dll you may delete will be saved in System Restore. My advice is to use the already available anti-malware programs to do the job.
 
I am not looking for programs to remove any spyware, although thank you, Linney. I find just understanding where to look for spyware programs and their .exe files is far better and more comprehensive than having to use several different programs. I am just curious if all MS system files are marked so that they can be identified.
 
I have read (and used) a tip to sort the files by date. If you see any abnormal files/DLLs date-stamped all for the current day within a small amount of time of each other, chances are those files were created by your malware (if you have active malware).

In my experience, MOST programs leave the files in that folder untouched on a daily basis (except for log files), thus it is relatively safe to infer that the recent files belong to the baddies. I usually do this when the drive is mounted as a secondary in another computer to prevent the trojans, etc. from locking the files from being deleted and from perpetuating any other polymorphic behavior (i.e. hiding copies of itself from you).

Of course, however, you must realize that naturally it's a dangerous practice to remove any files from that folder.

Most legitimate Windows system files will be date-stamped in the same brackets and usually remain unchanged save for patches and updates. In other words, many of the XP (non-SP2) files will be in the 7/xx/03 range, but with many variances (at least according to my PC). Nearly none should be stamped '05 except for maybe the latest patches.

If in doubt, use the SFC file checker. It will identify improper versions of legitimate system files.
 
See if the Help topics lead anywhere?

Using File Signature Verification

To check the digital signatures for system or non-system files
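An added example, not code from any poster in this thread: a read-only PowerShell triage script that applies the three signals the replies above describe (missing version description, recent write time or hidden attribute, and digital signature status) to the files in System32. It assumes a current Windows with PowerShell 5 or later; the `$RecentDays` window and the folder path are assumed defaults, and nothing is deleted.

```powershell
# Triage System32 executables by the weak signals discussed in the thread.
# Read-only: it builds a report, it never removes anything.
param(
    [string]$Folder = "$env:SystemRoot\System32",   # assumed default
    [int]$RecentDays = 7                              # assumed window for "recent"
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

# -Force includes hidden/system files, which the original poster noted
# are exactly the ones many tools do not show.
$results = Get-ChildItem -Path $Folder -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        # Scripted equivalent of the sigverif step from the Help topic.
        # On modern Windows this also honours catalog-signed OS files.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name        = $_.Name
            Description = $_.VersionInfo.FileDescription   # the "Version tab" info
            Company     = $_.VersionInfo.CompanyName
            LastWrite   = $_.LastWriteTime
            Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Signature   = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# A file is worth a closer look when it is not validly signed AND it also
# lacks a description, was written recently, or is hidden. A single signal
# alone is not enough, as the replies warn.
$suspects = $results | Where-Object {
    ($_.Signature -ne 'Valid') -and
    ([string]::IsNullOrWhiteSpace($_.Description) -or
     $_.LastWrite -gt $cutoff -or
     $_.Hidden)
}

$suspects |
    Sort-Object LastWrite -Descending |
    Format-Table Name, LastWrite, Hidden, Signature, Company, Description -AutoSize
```

Treat the output as a list to investigate, not a delete list; `sfc /verifyonly` and the vendor's file hashes are the next check for anything flagged.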
 