I am trying to get a better understanding as to how these spywares manage to get onto a system. All my searches only found ways to clean up after they get in, but has anyone ran across a thread discussing ways to stop/prevent them from getting on a system to begin with?

I am faced with helping someone clean up a system. Found on the box are: clrschp070.exe, msbb.exe, slmss.exe. And two other questionable processes which I can't find any info on: ucaa.exe and wtssvsu.exe.

The box has never been use on any free ISP, therefore ruling out supporting free service ads. One other assumptions can be made to guide this discussion: the box has never been used to surf a porn site, ruling out a dialer being planted by one of those sites.

Having said that, does anyone have some ideas as to how they are getting on this, and other, victim PCs?
- Are legit sites being hijacked and planted?
- Are they using some OS vulnerability?
- Are they using some browser vulnerability?

I realize that jacking up the browser security settings can prevent some of these infestations to begin with, but let's assume the PC is only use to access legitimate sites where they don't try to plant stuff like this on you.

Any thoughts or feedbacks are greatly appreciated. Please advise if I am should be posting this at a more relevant thread.

Thanks!

Loose security settings in the browser is probably the most common entry method for any spyware. It's certainly the easiest way in. Allowing active scripting and ActiveX to run unchecked is where the majority would come from. Then after that it's most likely browser exploits and then work your way down from there (to the more obscure and complex).

Even "legitimate" sites (and that term may be broadly interpreted by what different people think are legitimate sites) may very well have some forms of mild spyware on them. There are a couple entertainment and informational sites I use that work best if I make them trusted sites in IE, and I do get some alerts about home page hijacks and a few of the milder forms of spyware. :-\

Just lost a long response when the thread was moved. >:( LWM is just too darn quick. ;)

In short, the assumption that the only way to get such spyware, etc is by surfing known dubious sites (like porn sites for example) is simply wrong.

Legit sites run ads supplied by ad suppliers who get them from the vendors/outfits peddling their wares. Often there is a rotation of various ads. Often the site owner hasn't a clue what ads might be running in the rotation and what practices the ads (popups and banners) and the ad makers use. (Perhaps some site owners might know but not care since it's revenue.) But there are various ways things can be downloaded. For example, a mere click to close an annoying popup ad for some sleazoid product might result in a "stealth" download if the user's browser settings are lax enough. (That's just one example. A technique similar to one previously used by at least one self-proclaimed "security product" that I'm aware of. That's a new market for the sleazoids, peddling dubious security, antispyware products with sleazy practices and unwanted spyware included.)

Which is why people are repeatedly told that if they use IE (or an IE shell), do not allow ActiveX, scripting and download on demand to be enabled for every site on the Internet (aka the general Internet Zone in IE's security settings). Reserve ActiveX and scripting for only the most trusted sites that require them (one can put those sites in IE's trusted zone.)

For preventative measures, many recommend Javacool's apps SpywareBlaster and SpywareGuard. They don't cover everything, but they certainly do help against most known common spyware pests.

I've used Proxomitron for years to block ads, pop ups, scripts and provide other filtering or page enhancements. (I use JD 5000's filter set.) Proxo has turned out to be effective in blocking a good deal of nonsense and pests on the net while providing some additional features I like.

At any rate, hope this somewhat clears up what is one of the myths of the internet, that you can only get crud on your machine if you go to known dubious sites.

(This doesn't include spyware that is bundled with "free" software. While at times there may even be a license or terms of use that mention that tracking software is bundled with the app, most inattentive users won't bother to read that info if it is available.)