
Identifying malicious code in Win98

I recently had to add a Win98SE drive to my server, because my IBM ViaVoice software and others wouldn't install in Win2K. Eventually, I intend to go to a UNIX system, but for now, I am stuck with what I've got. My question is, how can I get a list of active processes or memory residents in Windows 98 so I can see for myself whether I have any active Trojans or other tomfoolery happening? After all, the best defense is regular monitoring and awareness.

Depending on your experience with MS-DOS and Windows 98, you can use the following:

First, try the Microsoft Article Q184075 that explains how to use the Win98SE Microsoft System Information tool.

Second, try this Microsoft Article Q181966 that explains the use of the Microsoft Config program.

Third, if you feel you need greater detail, try the DLL tree walker. Remember, DLLs in the Microsoft world are library files (a.k.a. compiled code), thus walking the DLLs may also provide some assistance.

Use of these should provide some assistance in your quest. If these fail or you do not have access to the resources I mentioned, try the old standby "MEM" command with the "/C" for Classify and "/D" for debug information contained in memory. This last option is limited, for it will only show memory use up to the first megabyte (old EMS, now XMS RAM). Examples from the command prompt:

mem /c /d
mem /d
mem /c

Although MEM is not the greatest tool, it will sometimes provide assistance.

With a combination of the Microsoft solutions, DLL tree walker and the "MEM" command from the command prompt, you should be able to determine most applications located in system memory (RAM).

Finally, after verifying the applications loaded in memory try these checks:

1. Check all active connections using the "nbtstat -c" and "netstat -a" commands from the DOS command prompt.

2. Check all systems logs if they are enabled.

3. Check the "startup" folders, C:\config.sys and C:\autoexec.bat for any strange applications.

4. Check for hidden files using the "dir /ah" command at the DOS command prompt.

5. Last, compare the original OS files to the install media (if possible).

Checking active system memory with the Microsoft tools and use of the previous checklist should provide good starting points to determine if your system has been compromised by a Trojan or other malicious attack.
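As an added example (not part of the original answer), a Python script for two of the checklist steps: parsing the text output of "netstat -a" to flag listening ports that are not on an expected list (step 1), and hashing a system directory against the same files on the install media to find modified or extra files (step 5). The netstat sample is constructed, and the expected-port set and directory paths are assumptions the reader supplies.

```python
import hashlib
from pathlib import Path

def parse_netstat(output):
    """Return (proto, local, remote, state) rows from ``netstat -a`` text.
    Header/blank lines are skipped; UDP rows have no state column, and Win98
    prints ports either as numbers or as service names (139 or nbsession)."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], parts[1], parts[2], state))
    return rows

def unexpected_listeners(rows, expected_ports):
    """Local TCP endpoints in LISTENING state whose port is not expected."""
    return [local for proto, local, _remote, state in rows
            if proto == "TCP" and state == "LISTENING"
            and local.rsplit(":", 1)[-1] not in expected_ports]

def hash_tree(directory):
    """Map each file's path relative to ``directory`` to its SHA-256 digest."""
    root = Path(directory)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_media(system_hashes, media_hashes):
    """Compare hash_tree() of the live system to hash_tree() of the install media.
    Returns (modified, extra): files whose digest differs from the reference
    copy, and files present on the system but absent from the media."""
    modified = sorted(f for f, h in system_hashes.items()
                      if f in media_hashes and media_hashes[f] != h)
    extra = sorted(f for f in system_hashes if f not in media_hashes)
    return modified, extra

# Constructed sample of ``netstat -a`` output; not a capture from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mybox:nbsession        0.0.0.0:0              LISTENING
  TCP    mybox:12345            0.0.0.0:0              LISTENING
  TCP    mybox:1031             www.example.com:http   ESTABLISHED
  UDP    mybox:nbname           *:*
"""
```

Run hash_tree() once against the system folder and once against the copy on the install media, then pass both results to compare_to_media(); anything in the "modified" list deserves a closer look before the "extra" list.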

This was last published in September 2001
