Safe Mode and Internet Explorer Cleanup
Let's review what was done up to this point and watch what happened on our lab computer.
We went into Safe Mode with Networking, where spyware is "asleep" and won't fight back. We'll see that although 99 percent of the spyware programs are disabled, one of them is still running in Safe Mode and spawning pop-ups from time to time. That program managed to stay active in Safe Mode by infecting components of the Winlogon process. Winlogon is a critical part of the operating system, and because it is active all the time we cannot heal it with conventional methods. From time to time the malware spawns pop-ups from a DLL file with a random name. The name looks like this: asd57hva.dll, and it changes at each reboot.
To display these pop-ups the virus uses a system application called rundll32.exe, which is also used to run harmless Control Panel components. You will notice this rundll32.exe application in the Task Manager process list even when no Control Panel applet is running.
After booting into Safe Mode we opened Task Manager and launched Internet Options to clean up Internet Explorer. We did this in order to be able to download the Ad-Aware antispyware program (covered on the next page) and to disable all the toolbars and add-ons attached to the browser.
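An added check, not code from the original article, that triages rundll32.exe command lines copied from Task Manager or from `wmic process where name='rundll32.exe' get commandline`: it separates a Control Panel host such as shell32.dll from a DLL with a generated name like asd57hva.dll. The allow-list, the random-name heuristic and the sample lines are assumptions.

```python
import re

# rundll32 syntax: rundll32.exe <dll>,<entrypoint> [args]; the host exe may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Hosts normally seen behind Control Panel applets (assumed allow-list; extend
# it from a clean machine of the same build).
KNOWN_HOSTS = {"shell32.dll"}

# A digit followed by a letter inside the stem ("asd57hva") is typical of the
# generated names described above; "shell32" does not match this pattern.
RANDOM_STEM_RE = re.compile(r"\d[a-z]")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(dll_name: str) -> bool:
    stem = dll_name.lower().rsplit(".", 1)[0]
    return len(stem) >= 6 and bool(RANDOM_STEM_RE.search(stem))


def classify(command_line: str) -> dict:
    """Extract DLL and entry point; verdict is benign, review, suspicious or unparsed."""
    m = RUNDLL_RE.search(command_line)
    if not m:
        return {"dll": None, "entry": None, "verdict": "unparsed"}
    dll = basename(m.group("dll").strip())
    if dll in KNOWN_HOSTS:
        verdict = "benign"
    elif looks_random(dll):
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"dll": dll, "entry": m.group("entry"), "verdict": verdict}


def triage(command_lines):
    """Return the DLLs that deserve a closer look, most suspicious first."""
    order = {"suspicious": 0, "review": 1}
    hits = [r for r in map(classify, command_lines) if r["verdict"] in order]
    return sorted(hits, key=lambda r: order[r["verdict"]])


# Constructed sample command lines (not captured from the article's lab PC).
SAMPLE = [
    r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl",
    r"rundll32.exe C:\WINDOWS\system32\asd57hva.dll,DllEntry",
    r'"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\helper.dll,Run',
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["verdict"], r["dll"], r["entry"])
```

Because the DLL name changes at each reboot, rerun the check after every restart and compare the flagged names rather than searching for one fixed file name.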
Submitted by Paul Ionescu. Last modified 2007-09-30.