Who installed the program?


Guest

I was wondering if there is a way to find out which user was the one who
installed a certain application (spyware). The system is running Win XP Pro.
That is the first question; the second is whether the procedure will
be the same on Win XP Home, or at least whether it's possible.

Thanks for the help.

Fenrry said:
I was wondering if there is a way to find out which user was the one who
installed a certain application (spyware). The system is running Win XP Pro.
That is the first question; the second is whether the procedure
will be the same on Win XP Home, or at least whether it's possible.

You can enable auditing on XP Pro, but you would have needed to do this
beforehand. Auditing isn't available on XP Home.

Sometimes it is possible to determine where the spyware originated by
examining the files in each user's profile (Documents and
Settings/username) but you would need to be skilled in malware removal to
know what you're looking for.

If you want more help, you'll need to post back with a better description of
the computer, the user accounts, what the spyware is, and whether this is a
business or home computer, standalone, peer-to-peer, or domain.

Malke
 
It's just a home PC, running XP Pro, and I was aware of the audit, but I was
just wondering if there was another option. Besides, I'm actually not
surprised about the lack of information under XP Home. Still, I was wondering
if there is another way. I will try checking for the owner of the folders;
still, sometimes the option doesn't appear. Why?

Thanks anyway for your help and concern :D

Fenrry said:
It's just a home PC, running XP Pro, and I was aware of the audit, but I was
just wondering if there was another option. Besides, I'm actually not
surprised about the lack of information under XP Home. Still, I was
wondering if there is another way. I will try checking for the owner of
the folders; still, sometimes the option doesn't appear. Why?

AFAIK, the only way to find out where spyware originated is to examine all
its files, look through all users' accounts in Temporary and Temporary
Internet Files, view each user's browser history (not forgetting search
engine history), etc. Depending on the users involved, it may be very easy
to tell. Or not. A lot depends on your skill level. What might be obvious
to me might not be obvious to you. I'm not dissing your skills - I have no
idea what they are and I wouldn't be insulting anyway. We all have our
areas of expertise.

A better approach might be to clean up the machine and then set it up so
users can't install software. Since you have Pro, you can use Group Policy
for this or even the MS Shared Computer Toolkit if you're not too familiar
with GP (which can be tricksy).

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
microsoft.public.windows.group_policy - GP newsgroup

If this is a family, in addition to the above having a discussion about
practicing "Safe Hex" and what the consequences are for not doing so might
be useful. Naturally, there are no real technical solutions to
inter-family/parent-child issues.

Cleaning up:
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Staying safe:
http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get
Infected Anyway?
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron/archive/2006/02/05/82584.aspx - MVP
Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on Rogue
Antispyware Programs

Malke
 
Hmmm... That seems like a good solution. I'll take it and I will try it. Still,
I used the owner option under Security and I got the culprit :) Still, I like the
tool you suggest; it is simple. The bad thing is that there are no screens showing how it
looks, nor info that would actually make people aware of its existence.

Thx very much for all the help.
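
The owner check that settled this thread can also be run over a whole folder from a script. The following is an added example, not part of any post above; it assumes Windows PowerShell is installed, and the folder path is a hypothetical placeholder. The recorded owner can be a group such as BUILTIN\Administrators and can be changed after the fact, so treat the result as a lead, not proof.

```powershell
# Added example: summarise NTFS owners of everything under a suspect folder.
# $Path is a hypothetical placeholder; point it at the folder the unwanted
# program created (its install folder or a folder inside a user profile).
param(
    [string]$Path = 'C:\Program Files\ExampleUnwantedApp'
)

if (-not (Test-Path $Path)) {
    Write-Error "Folder not found: $Path"
    return
}

# Collect owner and creation time for each file and folder, including hidden ones.
$rows = Get-ChildItem $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try {
            # Owner as recorded in the NTFS security descriptor.
            $owner = ($item | Get-Acl -ErrorAction Stop).Owner
        } catch {
            # Access denied or item vanished: keep the row so gaps stay visible.
            $owner = '<unreadable>'
        }
        New-Object PSObject -Property @{
            Owner   = $owner
            Created = $item.CreationTime
            Path    = $item.FullName
        }
    }

# One line per owner: how many objects, and the first and last creation time.
# A tight time window under a single account suggests one install session.
$rows | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    $byTime = @($_.Group | Sort-Object Created)
    New-Object PSObject -Property @{
        Owner = $_.Name
        Count = $_.Count
        First = $byTime[0].Created
        Last  = $byTime[-1].Created
    }
} | Format-Table Owner, Count, First, Last -AutoSize

# Oldest objects first: these are usually what the installer dropped.
$rows | Sort-Object Created | Select-Object -First 10 |
    Format-Table Created, Owner, Path -AutoSize
```

Owner information exists only on NTFS volumes; on FAT32 there is nothing for the script to read.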
