Windows Security Clinic: Clear Spyware

Everyone faces the threat of spyware, especially for ordinary internet users. These web users are always quick to click on the pop-up dialog box, follow the prompts to install the software, accept spam gifts or visit malicious websites. The best precaution is to educate end users. But for most people, it's too late for spyware to spread wildly through windows workstations. To help you identify and fix all types of spyware infections, you can look at the following. After making a diagnosis and introducing a course from three Windows security experts, we will also introduce some user complaints. You will find that every expert has a unique solution to a problem. So, when solving your own spyware problems, you must consider all these solutions. User problem: I provide technical support for more than 300 users. These users have a home or office computer with Windows XP or Windows 2000 operating systems. Some users reported the following issues. Pop-up ads appear when the browser is closed (and sometimes not even connected to the Internet). When you open the browser, a website like hotoffers.com appears, not the home page of our intranet. A search Toolbar named "Viewpoint" appears on the browser, and the toolbar is searched regardless of what we enter in the address bar. I have the latest antivirus software and I don't see any viruses. After scanning using the tool "SpyBot Search & Destroy" for spyware, I found some unfamiliar files and I will delete them. However, this does not solve these problems. What's that file? How do I delete these files? Please help. Remedial measures provided by experts: Clear Spyware First step: Diagnostic security expert Kevin Beaver: The problem you have here is the combination of human problems and technological limitations. Spyware and Adware startup is caused by the user's blind click of the mouse. When Ie browser pops up a dialog box that requires you to install an ActiveX control in IE or download other seemingly secure games, screen saver programs, and so on to the user's computer, users often click "OK" at random. That's the question I'm talking about. This problem often happens because users just want to install software, and pop-up ads take the opportunity to avoid checking what they want to do. Once your users allow the software to be installed on their systems, depending on the nature of the software, the software can control certain aspects of the Windows computer, regardless of whether the user starts IE or if the system is connected to the Internet. This includes starting pop-up ads, modifying the default home page, and so on. The limitations of technology are related to the tools for killing spyware. "Spybot Search & DestRoy "is not a panacea for protecting desktop computers, even though this is the best software tool I've used." Security expert Tony Bradley: from the point of view, there may be two different problems. Pop-up ads appear when the computer is not even connected to the Internet, which can be used to access a user's computer through the Windows Messenger service. Modifying the browser home page and search Toolbar is most likely caused by a problem with the browser helper object (BHO). Spyware is a drive-by downloads software. When a user visits a malicious Web site, spyware uses a vulnerability in the browser to install it on the user's computer without the user's consent. Security expert Lawrence Abrams: When the search function and homepage in the browser are modified, there is usually a hijacking browser, just like the Viewpoint Manager software hijacking browser. Browser hijacking is generally divided into two main categories, active hijacking and passive hijacking. An active hijacker is a program that is transferred when the computer is started. This program continuously monitors the specific settings of the computer and ensures that these settings conform to the wishes of the hijackers. Passive hijacking is a program that starts running when the computer starts. This program modifies certain settings and uploads them. Once you've identified the hijacking process, these problems are easy to fix. First, you have to be sure what kind of hijacking you're dealing with. I use the HijackThis software to find it. If you are familiar with the location of the program entry (entry) or compare the software program to the startup database, you can find the hijacking software. As we run the HijackThis tool software, we notice the entry of the Viewpoint tool bar and the viewpoint manager. This is the evidence of viewpoint spyware. We also see that the entry for the start page has been modified. As for the thermal recommendation (Hotoffers), fixing the portal does not seem to work. They continue to appear, and none of the things mentioned above seem to be the cause of the problem. The fact that the start page was changed back to Hotoffers shows that the problem we are dealing with is active hijacking. In this case, we need to use another tool software called "Silentrunners". This tool allows us to drill down into programs that are running automatically. Silentrunners will generate a registration list of registry settings to find out which programs are not Windows default settings. Run this program, I will see the following results: Hklm\software\microsoft\windows\currentversion\explorer\sharedtaskschedulerinfection WARNING! "{d56a1203-1452-eba1-7294-ee3377770000} "=" interlinking Memory Support "-> {clsid}inprocserver32 (Default) =" C:\ Windows\system32\param32.dll "[null data] This tells me a file named C:\windows\system32\param32.dll is started on the computer. The Param32.dll file is not the default Windows configuration. To determine if this file is the culprit, I use the Strings.exe program in the Sysinternal software to view the ASCII string inside the file. When we see the strings listed in the executable, we see a hotoffers, and we now know that we have identified the problem. Clear Spyware Step two: Immediate action security expert Kevin Beaver: In this case, you should run one or two other Anti-spyware scanning tools to see if you can clear the spyware infection. Unfortunately, the defense of spyware and adware requires multi-level safeguards to work. Security expert Tony Bradley: to prevent any Windows Messenger service from spamming the system with pop-up messages, you need to turn off Windows Messenger Service (not to be confused with the MSN Messenger Instant Messaging tool software) or block traffic into UDP ports 135, 137, and 138 and TCP ports 135, 139, and 445. The user has verified that antivirus software is up to date and is using the "Spybot-search & Destroy", one of the best anti-spyware tools available. However, these anti-spyware tools are not 100% effective. Do not rely simply on the S&D software's inspection results. Users should also try using other anti-spyware tools, such as Lavasoft's Ad-aware, Microsoft Beta's Windows AntiSpyware and Webroot software company Spy Sweeper. Security expert Lawrence Abrams: Although hijacking software does not propagate to other computers, this software in many cases can severely degrade the security settings of IE browsers. Therefore, it is important to prevent users from using infected computers before removing the infection to prevent further infection. Responsible Editor: Snowflake (TEL: (010) 68476636-8008) to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) Original: WIndows Security Clinic: Clear spyware on back to network security home