What actions should you take get a spyware-infected workstation back on track? Read what the experts have to say, or click here to go back to the scenario.
Kevin Beaver: If at all possible, run more than one antispyware program, such as Spybot - Search & Destroy in conjunction with Computer Associates International Inc.'s eTrust PestPatrol Anti-Spyware or Microsoft Windows AntiSpyware combined with tightened-down IE security settings and personal firewall protection. You can also consider behavior-based protection software from vendors such as Sana Security Inc. and Finjan Software Ltd. for a really secure environment.
Tony Bradley: If running other spyware scanners proves ineffective at completely removing the pesky software, move on to more manual methods to determine what the spyware is doing and how you can kill it. Sysinternals Freeware offers a variety of free tools that can investigate what is going on behind the scenes. Process Explorer helps you look for suspicious processes that might be running. Spyware processes are often named something similar to other standard Windows processes so they don't stand out too much. If you look at the file path information, though, you can find the processes that have unusual paths and verify that the file version and copyright information of the file running seems legitimate. Other Sysinternals tools, such as Autoruns and ListDLLs, may also be very effective at helping you investigate what is going on.
Another very powerful tool for identifying components of spyware and helping to eradicate them is Merijn.org's HijackThis. HijackThis examines key areas of the Windows registry and hard drive and provides a detailed list of their contents. You must exercise extreme caution using HijackThis or seek professional guidance. It is up to you to choose which files should be removed and which should stay. Some of the items identified by HijackThis are legitimate, and removing them may have an adverse impact on the system or even render it inoperable.
Lawrence Abrams: Now that culprits have been found we need to devise a cleanup routine that is easily used by the staff, who will be cleaning work computers, and the home users. You can easily remove Viewpoint Toolbar and Viewpoint Manager by uninstalling the program via the Add/Remove programs control panel.
In order to fix the HotOffers infection, delete the param32.dll file. The problem is that this file is continuously running. You need to reboot the computers into safe mode and delete the file from there when it will not be running. If that still does not work, use a program called KillBox to delete the file during a reboot.
Then you can fix the remaining entries via HijackThis to return control of the start page and search functions to the user.
Then write these steps in a formal removal document that is easily understood by both the staff and home users.
Stage four: Preventative measures
About the experts: More information about the experts is available on the scenario page.