While the preceding apps are examples of preventative measures, the reality is someone or something is likely to get through. And if they do, it isn't a bad idea to have a handy toolkit of utilities to use to detect problems and deal with them on the user's machine. Some utilities will say they catch everything but personally, I've never seen anything as thorough as three products from one software developer: CWShredder, HiJackThis! and StartupList.

What I have found with these three tools is that they often find items that many of the spyware products leave behind. They have a nice "Info" feature that allows an admin/tech support person to check the status of the Registry or system status. As an example, below I've done a CWShredder check first on my system:

CWShredder v1.47.3 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\fac3\Application Data
Username: lyne.bourque

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
CWS.Vrape/CWS.Addclass Registry value: DefaultPrefix [] http://
CWS.Vrape/CWS.Addclass Registry value: WWW Prefix [www] http://
Registry value: Mosaic Prefix [mosaic] http://
Registry value: Home Prefix [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (1053 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)


Looks like my system is ok. Let's check HiJackThis!

Click to enlarge.

Overall nothing serious, but if I'm feeling suspicious I can check items by selecting them and getting information as to the risk they may carry. Configuration options allow me to ignore specific enterprise implemented tasks, creating a startup log (so I can check for any potential "nasties" there) and creating backups.

The last tool, StartupList, is a simple little program that generates a notepad listing of what things begin on a Windows machine. Very handy for troubleshooting.

Now while these tools are often targeted to the home user, administrators in enterprise environments shouldn't shy away from them. Remember that attackers often don't make distinctions between home and enterprise users. All they see is a victim. These three tools can be found at Merijn.org. An interesting side note, the site has been victim of a massive DDoS, perhaps a testament to the effectiveness of the tools finding the results of bad activity?

We have to realize that protecting privacy extends beyond individual end users. Our employees might inadvertently be putting the company at risk by simply performing research for a project or receiving what seems like work-related emails. While education is an excellent method of dealing with these threats, using technology as a backup helps to keep all the bases covered.