Clean up spyware-infected PCs: Stage one -- Diagnosis

Given the information in the scenario, has this person's computer been infected with spyware or not?

Given the information in the scenario, what are the problems infecting these workstations? Read what the experts have to say.

Kevin Beaver: What you're encountering here is a combination of people problems and technical limitations. All it takes to start the spyware and adware ball rolling is for a user to blindly click "yes" when prompted to install a rogue ActiveX object in Internet Explorer or by downloading an otherwise safe-looking game, screensaver, etc.

This is the people problem I'm referring to. This issue occurs often because users just want to get installation prompts and pop-up ads out of their way and will do whatever it takes to clear their screen. Once your users have allowed such code to be installed on their systems, depending on what it's written to do, the software can potentially control any aspect of the Windows OS regardless of whether IE is loaded or the system is connected to the Internet. This includes launching pop-up ads, changing default home pages and more.

The technical limitation is related to the fact that Spybot - Search & Destroy isn't the silver bullet solution for desktop protection -- although it's a great overall program that I use myself.

Tony Bradley: From the scenario given, it appears that there are possibly two separate issues. Pop-up ads that occur when the computer is not even connected to the Internet are most likely getting into the system via the Windows Messenger Service. The changes to the Internet browser home page and search toolbar are most likely the work of a browser helper object (BHO). These insidious spyware pests, also called "drive-by downloads," typically install themselves without the user's knowledge by exploiting vulnerabilities in the Web browser when users visit malicious web sites.

Lawrence Abrams: When search functions and start pages in Internet Explorer are changed, a browser hijacker is usually to blame, as is the case with the Viewpoint Manager. Browser hijackers can be classified into two broad categories: active and passive.

An active hijacker is a program that loads when your computer starts and constantly monitors specific settings, making sure they are set to the hijacker's liking. Passive hijackers are programs that start when your computer starts, change some settings and unload. These tend to be easy to fix once you determine the hijacker program.

First, you must determine which type of hijacker you're dealing with. I run HijackThis, an application that enumerates a myriad of startup entries in the Windows operating system. You should be able to spot the hijacker if you familiarize yourself with the entries that should be there or by comparing the programs running against a startup database.

When running HijackThis, we notice that there is an entry for the Viewpoint Toolbar and Viewpoint Manager, which is the culprit for the Viewpoint searches. We also see that the Start Page entries have been changed.

As for the HotOffers problem, fixing the entries does not seem to work. They just keep reappearing, and nothing else listed would cause that. The fact that the start page reverts back to HotOffers almost immediately tells us that we are dealing with an active hijacker.

In this case, we would use another program called SilentRunners, which gives you a deeper level of insight into the programs that are running automatically. SilentRunners will produce a log listing various settings in the Registry and spot ones for you that are not part of the default configuration for Windows.

Running this program, I see the following:


INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

-> {CLSID}InProcServer32(Default) = "C:\WINDOWS\System32\param32.dll" [null data]

This tells me there is a file called c:\windows\system32\param32.dll that starts on the computer, which is not part of the default Windows configuration. To determine if this file is the culprit, I use Sysinternals' strings.exe program to see the ASCII strings inside the file.

When viewing the strings listed in the executable, we see a reference to HotOffers and now know that we identified the problem.
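
The last two steps described above (take the DLL path from the InProcServer32 log line, then read the strings inside that file and look for the hijacker's name) can be sketched in Python. This is an added example, not part of the experts' comments, and it does not reproduce HijackThis, SilentRunners or strings.exe; the function names are illustrative, and the sample bytes and the hotoffers.example URL are constructed.

```python
import re
from pathlib import Path

# Pulls the quoted DLL path out of an InProcServer32 line in a startup log.
INPROC_RE = re.compile(r'InProcServer32.*?=\s*"([^"]+)"')

def inproc_paths(log_text):
    return INPROC_RE.findall(log_text)

def extract_strings(data, min_len=4):
    """Printable runs stored as ASCII or as UTF-16LE (char + 0x00 byte)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found

def match_indicators(strings, keywords):
    """Strings containing any keyword, compared case-insensitively."""
    lowered = [k.lower() for k in keywords]
    return [s for s in strings if any(k in s.lower() for k in lowered)]

def scan_file(path, keywords):
    """Read a suspect file read-only and return its matching strings."""
    return match_indicators(extract_strings(Path(path).read_bytes()), keywords)

# The two log lines quoted in the article.
LOG = r'''INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}InProcServer32(Default) = "C:\WINDOWS\System32\param32.dll" [null data]'''

# Constructed stand-in for the DLL's bytes (not the real param32.dll):
# one ASCII URL and one UTF-16LE registry path between binary filler.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(1, 9))
          + b"http://hotoffers.example/start\x00\x01\x02"
          + "Software\\Microsoft\\Internet Explorer\\Main".encode("utf-16-le")
          + b"\x00\x00\xff\xfe")

if __name__ == "__main__":
    print("DLLs to inspect:", inproc_paths(LOG))
    for s in match_indicators(extract_strings(SAMPLE), ["HotOffers", "Start Page"]):
        print("match:", s)
```

On a real workstation, run scan_file() against a copy of the suspect DLL instead of SAMPLE. The UTF-16LE pass matters because Windows binaries often store URLs and registry paths as wide strings that an ASCII-only search misses.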

Stage two: Immediate actions

About the experts: More information about our experts is available on the scenario page.

This was last published in June 2005
