This information was provided and written by OptikNerve. This text file is meant to help a server administrator determine whether or not there has been an attempted break-in or intruder, and what the appropriate steps are.
Conducting the Investigation
Appropriate policies should be put in place to cover privacy issues and security incident handling before beginning an investigation. If you are intending to prosecute, or press charges against the intruder, then steps must be taken to protect the evidence that you have collected.
When activity occurs that you think could be intruders, there are 4 steps you can take to see if this is an attempted break-in or not.
* Log additional traffic between the source and the destination.
* Log all traffic from the source.
* Identify the system(s).
* Log all the contents of packets from the source.
Following all four of the previous steps, you should make a determination as to whether this is an attempted break-in or not.
Step 1: Identifying the System(s)
The first step in identifying an attempted break-in is to identify the system(s) that the user(s) are using. With RealSecure, this can be as easy as resolving the user's IP address into a host name. If you configured the RealSecure console to use DNS, click the resolve host name button on the display screen. On rare occasions the host name cannot be found. If the DNS lookup fails, try converting the IP address into a host name in other ways (nslookup, dnsquery, etc.).
You can use ARIN (www.arin.net) to convert IP addresses into host names, and NetSol (www.networksolutions.com) to look up the address owner's contact/technical information.
If you cannot retrieve the user's information, it doesn't mean that he or she is attempting to break in or has broken into your system. Likewise, successful identification of the host name or IP address doesn't prove that the activity is not an attempted break-in.
The apparent source of the suspicious traffic may not be the real origin of an attempted break-in. Denial of Service (DoS) attempts usually have spoofed addresses, and unauthorized access attempts or probes may come from another system the user has already penetrated (used somewhat like a proxy).
Step 2: Traffic between source and destination
Seeing an event such as an IP violation or an overflow attack might not provide complete evidence of the traffic between the source and the destination. It's also important to understand the context of the activity. A good example of this is the Sendmail WIZ signature. RealSecure has an event that will identify an attempt to exploit the WIZ command in Sendmail. This event identifies any instance of WIZ in a mail message. If the WIZ occurs in the body of the e-mail/message, then it is clearly not an attempted intrusion.
Using RealSecure, a connection event is added to the policy for all traffic between the source of the "suspicious activity" and the destination (see table 01).
These logs will first give you an idea of what traffic is occurring between the source and destination. If the WIZ packet is the only traffic between the two systems, this tells you that it was most likely an attempted break-in. If you find a lot of SMTP/mail traffic between the two systems, you're most likely looking at normal mail traffic.
Step 3: Logging traffic from the source
If the data collected in Step 2 was not enough to determine whether the activity was a real attack or not, you should begin collecting traffic from the source. The data collected might be somewhat limited, but that is expected. If the "attack" is coming from a remote network, you will only be able to view the traffic coming to your system. If the attack is local, you should be able to collect all traffic from the machine and get a better view of what is really going on. To begin collecting all the traffic from the source, add your connection event (see table 02) to your RealSecure policy.
The connection event is likely to produce information that is of no value to the investigation that you are conducting. If you can view the traffic objectively, then this log will give you a good picture of the interactions that are going on between the source and your system. You must look at the types and the amount of each type of traffic without the preconception of an attack. Try to understand the traffic or activity that you are seeing. Is it mail traffic? Is it ping traffic? Is it web traffic? Does the traffic probe or come from the suspicious intruder on your system?
Hopefully at this point in time, you have collected the following information:
* The name of the source system.
* The type and frequency of traffic exchanged between or from the source and your system.
* The type and frequency of traffic exchanged between or from the source and destination.
Table 01: RealSecure connection event example: Added to the policy to log attacker's activity. (see step 2)
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUS_ACT | Notify, Log | Source of activity | Destination of activity | UDP, TCP, and/or ICMP | ANY | ANY |
Table 02: RealSecure connection event example: Added to log all traffic from the attacker's source. (see step 3)
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUB_SRC | Notify, Log | Source of activity | ANY | UDP, TCP, and/or ICMP | ANY | ANY |
Table 03: RealSecure connection event example: Added to log packet payloads. (see step 4)
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUB_ACT | Notify, Log, Log Raw, View Session | Source of activity | Destination of activity | UDP or TCP | ANY | Port where the traffic is |
| SUS_ACT | Notify, Log, Log Raw, View Session | Destination of activity | Source of activity | UDP or TCP | Port where the traffic is | ANY |
This information will give you a good idea as to the nature of this attack or attempt, but once again, this may not be enough information to prove that this is, or is not an attempted attack.
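The type-and-frequency review from Steps 2 and 3 can be scripted once the connection events are exported. The sketch below is an added example, not RealSecure output or code from the original text: the record layout, the port-to-service labels, the fan-out threshold and the verdict strings are all assumptions, and the sample records are constructed (the web case reuses the addresses from Table 04).

```python
"""Summarise logged connection events by type and frequency (Steps 2 and 3)."""
from collections import Counter
from typing import NamedTuple


class Conn(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Assumed port-to-service labels; extend for your own network.
SERVICES = {25: "smtp", 53: "dns", 80: "http"}


def service(c: Conn) -> str:
    """Label a record by the well-known port on either end of the connection."""
    for port in (c.dport, c.sport):
        if port in SERVICES:
            return SERVICES[port]
    return f"{c.proto.lower()}/{c.dport}"


def summarize(records, source, destination):
    """Step 2: traffic mix between the pair. Step 3: everything the source touches."""
    pair = Counter()
    hosts, services = set(), set()
    for c in records:
        if {c.src, c.dst} == {source, destination}:
            pair[service(c)] += 1
        if c.src == source:
            hosts.add(c.dst)
            services.add(service(c))
    return {"pair": dict(pair), "hosts": len(hosts), "services": len(services)}


def assess(summary, flagged, fanout_limit=10):
    """Turn the counts into a next step. `flagged` is the number of packets
    that raised the security event; `fanout_limit` is an assumed threshold."""
    if summary["hosts"] > fanout_limit or summary["services"] > fanout_limit:
        return "probing"            # source touches many hosts or services
    if sum(summary["pair"].values()) <= flagged:
        return "only-flagged"       # nothing but the suspicious packets
    return "service-context"        # flagged packets sit inside normal traffic


# Constructed sample 1: a web server answering a client.
WEB = [Conn("10.10.2.20", "192.102.2.1", "TCP", 80, 1009 + i) for i in range(20)]
WEB += [Conn("192.102.2.1", "10.10.2.20", "TCP", 1009 + i, 80) for i in range(20)]

# Constructed sample 2: one flagged mail connection and nothing else.
LONE = [Conn("198.51.100.7", "192.0.2.25", "TCP", 40000, 25)]

# Constructed sample 3: the same source walking twelve hosts on one port.
SCAN = [Conn("198.51.100.7", f"192.0.2.{h}", "TCP", 40000 + h, 23)
        for h in range(1, 13)]

if __name__ == "__main__":
    for name, recs, s, d in (("web", WEB, "10.10.2.20", "192.102.2.1"),
                             ("lone", LONE, "198.51.100.7", "192.0.2.25"),
                             ("scan", SCAN, "198.51.100.7", "192.0.2.1")):
        summary = summarize(recs, s, d)
        print(name, summary, assess(summary, flagged=1))
```

A "service-context" or "only-flagged" result is a reason to move on to the packet contents, not a final answer.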
Step 4: Log packets from the source
The last thing you need to do is to log the contents of packets from the source. To be able to do this, modify your RealSecure policy as shown in table 03 above.
By logging the raw data and viewing the session, you can gather a complete record of the contents of the packets. Using View Session allows you to view the contents of packets without waiting for the database to be uploaded to the console. Logging the raw data allows you to create a permanent record.
There should be 2 connection events in the policy, one for each direction of traffic. This allows you to capture both ends of the connection. Try to limit the traffic capture to a single port for each pair of connection events, which lets you view the information more easily. If there are multiple targeted ports, then just add additional connection events.
After you have captured the data, try to examine it. The information you just collected, combined with all the other information and logs, should provide the answer to: Does the information that you have collected indicate that an attack is or was being made? If for some reason you still cannot answer that question, do your best to find someone with past or present knowledge of the protocol under investigation.
Examples
The examples that you are about to see will illustrate how these steps have been used in past (real) investigations. The IP and host names have been changed for privacy reasons.
Table 04: Medium-risk event: While installing RealSecure, this information became available when suspicious activity occurred.
| Event | Risk Level | Source Address | Source Port | Destination Address | Destination Port | Protocol | Information |
|---|---|---|---|---|---|---|---|
| IP Protocol Violation | Medium | 10.10.2.20 | 80 | 192.102.2.1 | 1009 | TCP | Flags=21 |
Table 05: RealSecure connection events example: Four policies were added to log traffic between the source and destination.
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUS_TCP | Notify, Log | 10.10.2.20 | 192.102.2.1 | TCP | ANY | ANY |
| SUS_TCP | Notify, Log | 192.102.2.1 | 10.10.2.20 | TCP | ANY | ANY |
| SUS_UDP | Notify, Log | 10.10.2.20 | 192.102.2.1 | UDP | ANY | ANY |
| SUS_UDP | Notify, Log | 192.102.2.1 | 10.10.2.20 | UDP | ANY | ANY |
Table 06: High-risk event: While installing RealSecure, this information became available when suspicious activity occurred.
| Event | Risk Level | Source Address | Source Port | Destination Address | Destination Port | Protocol |
|---|---|---|---|---|---|---|
| Qmail Buffer Overflow | High | 172.39.2.1 | 123 | 192.102.3.1 | 25 | TCP |
Example 1: IP protocol violation
An IP protocol violation occurs when a packet has a strange combination of TCP flags; that is what causes RealSecure to trigger the event, so we began our investigation. See table 04 for more details.
From the information that is provided, you can see that the source port implies Web traffic, and that the source of the undefined traffic is a Web server (or httpd). The problem is that a new network reconnaissance technique is to use packets with multiple flags to identify the Operating System of the systems that are on the network.
Step 1
Next we tried to find the host name of the source, which turned out to be a host in Germany:
someone.somewhere.gr
Then, the destination was resolved as a client system:
name.our.url.org
The host name of the source didn't immediately imply that it was a Web server (or httpd). Since there was no evidence that this was badly formatted Web traffic, we continued the investigation.
Step 2
To identify the traffic passing between the source and destination, we added four rules to RealSecure (see table 05). We decided to capture the UDP and TCP traffic between the two systems. If it were a true reconnaissance probe, we figured we'd only see misconfigured packets, but instead the results showed much more. They showed Web traffic between the 2 systems, so clearly, the original destination was a Web server being accessed by a client browser. At this point, we determined that we had sufficient evidence to identify the event as a misconfigured server or a protocol stack producing badly formatted packets. This meant that steps 3 and 4 were unnecessary.
Example 2: Qmail Buffer Overflow
We received this High-Risk event that was identified as a Qmail Buffer Overflow. See table 06 for the details.
From the information that was gathered, you can see that the destination port is the SMTP or mail port. This implies that there is an attack against your mail server or mail daemon. Since the system wasn't running Qmail at the time, we decided to look into this attack a little further.
Step 1
We then attempted to resolve the host names that were involved. The source would resolve, and of course we already knew the destination was the system's firewall. We then went to ARIN and Network Solutions, which told us that the source was a client system on an ISP (Internet Service Provider). We then of course continued the investigation.
Step 2
We identified the traffic passing between the source and destination by adding the policies that are shown in table 07. The only traffic that was logged was mail traffic. We began to believe that this was just "normal" or legitimate mail traffic, except with exceptionally long lines of data. We still didn't have any conclusive proof, so we had to continue the investigation.
Step 3
We then decided to modify the rules to collect all the traffic from the suspicious source to our network or system (see table 08).
The change we made told us nothing useful that we didn't already know. The source of the suspicious activity was only making connections to the out-going mail port or firewall on port 25.
Table 07: RealSecure connection events example: Four rules were added to log activity between the source and destination.
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUS_TCP | Notify, Log | 172.39.2.1 | 192.102.3.1 | TCP | ANY | ANY |
| SUS_TCP | Notify, Log | 192.102.3.1 | 172.39.2.1 | TCP | ANY | ANY |
| SUS_UDP | Notify, Log | 172.39.2.1 | 192.102.3.1 | UDP | ANY | ANY |
| SUS_UDP | Notify, Log | 192.102.3.1 | 172.39.2.1 | UDP | ANY | ANY |
Table 08: RealSecure connection events example: These events were added to log all activity from the source
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUS_TCP | Notify, Log | 172.39.2.1 | ANY | TCP | ANY | ANY |
| SUS_UDP | Notify, Log | 172.39.2.1 | ANY | UDP | ANY | ANY |
Table 09: RealSecure connection events example: This change was made last to gather packet contents, which makes the final decision
| Event Name | Action | Source IP | Destination IP | Protocol | Source Port | Destination Port |
|---|---|---|---|---|---|---|
| SUS_TCP | Notify, Log, Log Raw, View Session | 172.39.2.1 | 192.102.3.1 | TCP | ANY | 25 |
| SUS_TCP | Notify, Log, Log Raw, View Session | 192.102.3.1 | | TCP | 25 | ANY |
Step 4
In order to make the final decision as to whether this was an attempted break-in or just normal traffic, we began to gather the packet contents that were causing the Security Event to trigger. We added the Log Raw and View Session actions to the Qmail Buffer Overflow signature, and the suspicious activity continued. We were then able to gather several attack packets, and when we viewed the session, there were very long lines of data with a single repeating pattern, which was "&pmca".
We believed that this was a case of a very long message line at that point. However, to make the final determination, we made one last rule change that can be viewed in table 09 above.
Soon after making the rule change, we gathered several connections that also set off the Qmail Buffer Overflow Security Event. We inspected the sessions and determined that it was in fact an e-mail message, and not an attack. The messages were still suspicious as they were chain letters with BADLY formatted MIME encapsulation, but it was not an attempted break-in or intrusion.
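The context question behind both the WIZ signature in Step 2 and this example is whether the match sits in the SMTP command stream or inside a message body. The sketch below is an added example and not part of the original text or of RealSecure: it assumes the captured session has been reduced to the client's lines in order, treats everything after an accepted DATA command as body, and uses constructed sessions; the function names and verdict strings are hypothetical.

```python
"""Decide whether an SMTP signature match is a command or message content."""

# RFC 5321 limits include the trailing CRLF, which is stripped before measuring.
CMD_LIMIT = 512 - 2     # maximum command line
TEXT_LIMIT = 1000 - 2   # maximum message text line


def triage(client_lines, verb="WIZ"):
    """Return (line number, phase, finding) tuples for one client-side session.

    Assumption: the server accepted DATA, so lines after it are message text
    until a line holding only "." ends the message.
    """
    findings = []
    in_data = False
    for n, raw in enumerate(client_lines, 1):
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":
                in_data = False
                continue
            if verb.lower() in line.lower():
                findings.append((n, "body", "verb-text"))
            if len(line) > TEXT_LIMIT:
                findings.append((n, "body", "long-line"))
            continue
        word = line.split(" ", 1)[0].upper() if line else ""
        if word == verb.upper():
            findings.append((n, "command", "verb-issued"))
        if len(line) > CMD_LIMIT:
            findings.append((n, "command", "long-line"))
        if word == "DATA":
            in_data = True
    return findings


def verdict(findings):
    """Command-phase hits need investigation; body-only hits are mail content."""
    if any(phase == "command" for _, phase, _ in findings):
        return "command-stream"
    return "message-body" if findings else "clean"


# Constructed session 1: a chain letter with one over-long line in the body.
MAIL = ["HELO client.example", "MAIL FROM:<a@client.example>",
        "RCPT TO:<b@server.example>", "DATA", "Subject: pass it on", "",
        "&pmca" * 300, "Ask the setup wizard for help", ".", "QUIT"]

# Constructed session 2: the verb sent as a command.
PROBE = ["HELO client.example", "WIZ", "QUIT"]

# Constructed session 3: an over-long line before any DATA command.
LONG_CMD = ["HELO " + "A" * 600, "QUIT"]

if __name__ == "__main__":
    for name, session in (("mail", MAIL), ("probe", PROBE), ("long", LONG_CMD)):
        hits = triage(session)
        print(name, hits, verdict(hits))
```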
Conclusion
Intrusion Detection systems today provide many strong capabilities to detect suspicious activity and attempted break-ins. By following the four steps that I have provided, one should be able to determine the true nature of the activity and take the appropriate steps in response to what the attacker is doing.
Copyright Secure System Administrating Research, 1999 all rights reserved.
Article source : http://www.windowsecurity.com/whitepapers/Investigating_an_Attempted_Intrusion.html
Friday, April 27, 2007
Investigating an Attempted Intrusion
How to Set Up, Secure and Maintain a New Computer
When you get a new computer, there are some important things you should do to give it a good, safe start. Setting up and configuring your new PC correctly from the start will help ensure you get many years of satisfaction from it.
After unpacking it and cranking your new Windows computer up for the first time, you will likely be greeted with a “wizard” that will walk you through some basic configuration settings. You’ll be guided through setting up a user name and password, configuration of automatic updates, and some basic security settings like turning on Windows firewall. After doing these things, you’re up and running; but you’ll still want to take care of a few things on your own.
Below are the steps I take when setting up a new computer. Follow these tips and you’ll have a secure PC that’s ready to serve you well for years.
1. Configure your security software and install updates - Once Windows is up and running, the first thing you should do is open your computer security software and configure/install updates. New viruses and spyware are introduced onto the net every day, and you need to make sure you have the most recent protection possible. Set your security software to check for updates on a daily basis.
2. Install every available Windows update - Don't wait for "automatic updates" to take care of you. By downloading and installing all of the possible updates before jumping into surfing the web, you'll add a lot more protection to your PC, which will help you avoid problems caused by spyware and Trojans that are designed to take advantage of "unpatched" computers.
3. If using Microsoft Office, install all the Office updates. Go to the Microsoft Office Update site and click the button that says “Check for Microsoft Office Updates”, check “yes” to allow Microsoft to install applications and scan your system, and you’re on your way.
4. Uninstall any programs you don’t need - Go into Windows control panel and then to Add and Remove Programs. Look for any applications that came preinstalled on your computer that you don’t want, and click “uninstall” to safely remove them. Most new computers come with a lot of “trial” software and internet service software (like AOL or Earthlink) that you won’t ever use. Removing all the unwanted programs now will free up disk space and eliminate aggravation later, when these programs start bugging you to update them or switch to a full “paid” version.
5. Install any programs you have - Now is the time to install any software you presently own, and want to use on your new computer. After installing, it’s a good idea to check and see if any updates are needed. Just go to the vendor’s website and look for “downloads”. Find your product and see if there are any updates available. Download and install.
6. Download and install helpful utilities and applications - Some commonly used applications you might need are Adobe Acrobat Reader, Apple Quick Time, Macromedia Flash Player, and an unzipping utility such as WinZip. Go directly to the vendor’s website and download/install these applications. Be careful about allowing the installation of additional “toolbars” and “search utilities” though. Many of these application types are known as a source of spyware and irritating adware.
7. Avoid downloading any file sharing “P2P” applications - If at all possible, never download and install common file sharing applications like Kazaa, Limewire, BearShare, etc… Using these applications can get you in trouble for sharing illegal/pirated material and are also known to pose a huge personal security risk. P2P applications themselves are not infested with dangerous spyware, but the applications that must be installed in order to allow services like Kazaa and Morpheus to run are loaded with spyware that can steal your identity and personal information.
8. Clean up your hard drive - Now that your new PC is up to date and fully installed, and you’ve removed all the “junk” applications, you should clean up all the old and temporary files that are no longer needed. Click on Start, then Programs > Accessories > System Tools. Select “Clean up Drive C”, and your PC will rid itself of all its “bloat”.
9. Defragment your hard drive - Also located among the Windows System Tools is a disk defragmenter. This will reconcile all the files on your hard drive and rearrange them in order to make your hard drive run more efficiently. It may take a little while for Windows defragmenter to complete this task, depending on how large your hard drive is. Just let it run until complete, and your computer will run faster. Perform “Disk Cleanup” and “Defragmenter” activities every couple of months to keep your new computer performing at its best.
For more information on computer security and safety, see this Home Computer Security Checklist. Here is some useful information on computer security threats and what you can do to protect yourself online.
Article Source: http://EzineArticles.com/?expert=Debbie_Jacobsen
How to Make Free Internet Phone Calls From Your Computer
If you have a computer, a headset, and an internet connection, you can make free PC to PC phone calls to anyone in the world! The only catch is that the person you are calling must also have an active account with the same VoIP service provider, and must be online to get the call. With any VoIP service, "in-network" calling (all callers subscribing to the same carrier) is always free, but most providers require that you pay a small monthly fee which allows you to make "out-of-network" calls as well. Since this article is about making totally FREE internet phone calls, only the VoIP providers that offer 100% free calling will be mentioned.
There are several internet phone service providers that offer PC based phone calling, but only a few do not require a monthly service fee when you register. Because the PC to PC calling service is free, you may have to put up with ads on your dial pad or be limited to a certain call length, but for a free long distance call this is probably acceptable to most people. If you want to make calls to a landline phone, you can do so by paying a low cost per minute (much less than traditional long distance).
So here's how to make free PC to PC phone calls:
---------------------------------------------------
# Choose a provider, then download and install their free software (the software is a "dial pad" that you use to make calls).
# Register and get an account (you need to have a valid email address).
# Make sure the people you want to call install the software and register with the same VoIP provider.
# Enter your friends' usernames into your contact list, and ask that they do the same (this allows you to see that they are online and able to accept calls).
# Plug your headset (with microphone) into the appropriate in/out audio jacks on your computer (or USB port if applicable).
# Click on your contact and make a call - that's all there is to it!
Since PC to PC calling uses a technology similar to instant messaging, most VoIP providers' software allows you to text message the person you are talking to. Conference calling is also possible - just click on another active user and they can join in the call!
As of this writing, here are some VoIP providers I found that offer free PC to PC internet phone calls with no monthly fees. Because services can change from time to time, make sure you agree with the terms and conditions before creating an account. Skype is the largest and most well known provider with over 190 million downloads to date.
* www.skype.com
* www.google.com/talk
* www.earthlink.net/software/nmfree/onlinecalling
* www.voipbuster.com
* www.inphonex.com
* www.pc-telephone.com/free-phone.htm
As with any software, your computer must meet certain requirements in order for the installation to succeed. As a general rule, your computer should have at minimum a 400 MHz processor, 10 MB of free disk space and 128 MB of RAM. You also need a sound card, and either a headset with microphone or speakers and a microphone. Of course, you need an internet connection as well. Software is available for PC, Mac and Linux platforms. Skype has software for Pocket PC as well.
PC based VoIP will work fine over a dial up connection of at least 33.6 Kbps, but be sure to close all email applications and don't do any web surfing while talking because these processes will degrade performance. For the absolute best internet phone calling experience, broadband is the way to go.
Free software-based PC to PC internet phone service is a great way to "test the waters" if you are interested in trying VoIP before jumping into a paid service. It's also perfect if you're on a tight budget and want to make some free long distance calls. Anyone in the world can use VoIP as long as they have an internet connection; just make sure all your friends and relatives use the same carrier if you want to keep the calls free.
This type of VoIP service is not compatible with 911, so it should not be used as your one and only phone. If you want to save a lot of money on your phone bill and use VoIP as your primary phone, consider subscribing to a hardware-based VoIP carrier like Packet8, Vonage, Lingo or Voip.net.
© Copyright 2005, Debbie Jacobsen. All rights reserved.
This article may be used without special permission as long as it remains intact, including live links.
For more information on VoIP, visit my blog: Internet Phone Service - The Future is Here!.
Article Source: http://EzineArticles.com/?expert=Debbie_Jacobsen
Viruses, Worms and Trojans - What is the Difference and How to Protect Yourself From Them
Anyone who uses a computer has undoubtedly heard the terms "computer virus", "worm", and "Trojan". Most use these terms interchangeably to describe a virus. What you may not realize though, is that computer worms and Trojan horses are not computer viruses at all.
While each of these three computer security threats shares some common characteristics, there are some distinct differences between viruses, worms, and Trojans that cause them to stand on their own as a category of malicious software. The main similarity is that all are bad, and can potentially cause you, your computer, or your network a great deal of harm.
Common Characteristics of Viruses, Worms, and Trojans
All computer viruses, worms, and Trojan horses are considered to be "malware", also commonly referred to as malicious software. Spyware and adware also fall into the category of malware, as does any other type of software that is designed to perform malicious and/or unwanted activity.
Viruses, worms, and Trojans have been around for a while, and are often packaged together (i.e. a virus that launches a worm when executed, a worm that plants a Trojan, etc.). Because of their longstanding use as a means of performing disruptive and destructive tasks, anti virus software developers include protection against Trojans and worms in their antivirus applications.
Anti virus software (if updated regularly) will help protect you from all three dangers.
Differences Between Computer Viruses, Worms, and Trojan Horses
A Computer Virus is attached to a program or file, and is designed to spread from one computer to another. It infects the computer it is installed on, and usually spreads when the infected file (usually an .exe file) is shared with others via email, disk, USB drive, or CD. A virus has to have human action in order to launch and deliver its "payload".
The file that the virus is attached to cannot open itself; a user has to open it in order to execute the virus. Viruses have many symptoms, depending on the intent. Computer viruses can erase or corrupt files and applications, crash your system by making so many copies of files that the hard drive fills up, or make a computer inoperable by altering critical system files.
A Computer Worm is like a virus in that it is also attached to a file, and the file has to be opened before infection can take place. Unlike a virus, which is passed from computer to computer via user action, worms are designed to self-replicate and spread without any effort on the user's part. When you open a file that contains a worm, it starts spreading through networks and emails immediately. The main purpose of a worm attack is to bring down systems and networks by consuming great amounts of bandwidth and memory.
Worms are also used as a means for a remote attacker to tunnel into your system. Many worms will replicate themselves by sending "clones" to everyone in your email address book. These emails are sent out immediately upon opening the infected file.
A Trojan Horse is also included in a file, and like a virus, does not propagate itself. Trojans are tricky, in that they are often disguised as some type of useful or interesting software. When the software is installed (Trojans are normally embedded in .exe files), the Trojan is activated, and sometimes you don't even realize it's there.
Trojans can do many things, and while some are designed to be dangerous, others are just annoying. A Trojan might destroy files, change your desktop icons, or plant a "backdoor" on your system that can be used by a hacker or cyber criminal at a later date. Trojans are usually passed from PC to PC by email or disk file transfer, because the sender doesn't know that the file carries a harmful Trojan.
Protection from Viruses, Worms, and Trojans
The good news is that Antivirus software will provide a great deal of protection against known computer viruses as well as worms and Trojan horses. The bad news is that antivirus software won't necessarily provide total protection. You still need a good firewall to keep cyber criminals out, and you need anti spyware to protect against the other types of malware that antivirus software isn't so good at catching. For the absolute best protection, use a Computer Security Suite.
Be sure to get the most recent updates for your operating system and all applications installed on your PC. This is especially important for Windows users, as the majority of malware is designed to work on the world's most popular operating system. Updates will patch newly discovered "security holes" and will help prevent many viruses, worms and Trojans from completing their "mission".
Article Source: http://EzineArticles.com/?expert=Debbie_Jacobsen
How to Detect and Remove Spyware and Adware
Spyware and Adware Facts:
· Of the more than one billion computers on the internet today, 80% are not protected against spyware and adware.
· Spyware is the most common and most dangerous internet security threat today.
· Spyware is designed to steal our personal information so it can be used for illegal purposes.
· It is estimated that 60% of computers are infected with spyware and/or adware.
· Spyware is usually installed on our computers without our knowledge. We are usually "tricked" into installing adware by failing to read lengthy license agreements.
· Free software and cheap software usually contain spyware and/or adware.
· Free adware removers and free anti spyware software usually contain spyware.
· You can get spyware simply by browsing to an unscrupulous website.
· The amount of spyware on the internet has doubled within the past year, and will continue to grow significantly.
· Anti Spyware software is necessary to remove adware and spyware, and prevent you from getting it again. Antivirus software is not capable of removing all spyware and adware.
Spyware
Spyware is a small program or piece of code that is secretly installed on your computer and designed to "spy" on your online activity and/or personal information. Although not all spyware is used for illegal purposes, most of it can be very dangerous because of its ability to record keystrokes, take snapshots of our PC screen, and monitor everything we do online. Spyware that is used to commit crimes is called crime-ware.
Spyware gathers information and transmits it to the person who planted it. This person may use it himself or sell it to others. If the stolen data includes bank account or credit card information, you can be certain it will be used for a criminal's personal gain. Other stolen information such as social security numbers, drivers license numbers, addresses, etc., is often used in identity theft.
Symptoms of Spyware
Spyware is designed to run quietly in the background of our PC, and is normally not detectable unless you have a lot of it. The most common signs that your computer is infested with spyware are:
· Your computer is running much slower than usual.
· Your computer takes a lot longer to boot up than it used to.
· You see a lot of activity on your network connection.
Spyware's Close Cousin - Adware
A close relative of spyware is commonly known as adware. Adware intrudes on your privacy much like spyware does, but unlike spyware which is designed to steal confidential information, adware's purpose is usually related to marketing. In its most innocent form, adware tracks your browsing habits, the type of ads you click on, bookmarks you make and other similar online activities. A more dangerous and unsavory form of adware is designed to force you to look at certain advertisements or websites. This type of adware is often used to lure you to a place where spyware can be installed. Because adware's purpose is designed to get you to perform an action, it is much easier to recognize than spyware.
Some common symptoms of adware:
· A hijacked browser home page. When you open your browser you see a different website.
· Pop-up ads that won't quit.
· New icons or shortcuts on your desktop or new items in your favorites.
· New web pages keep opening by themselves.
· Search results that make no sense. Clicking on the links here will install spyware on your PC.
How to Detect and Remove Spyware and Adware:
Obviously, spyware and adware are NOT something you want to have on your computer. The only way to detect and remove all the spyware and adware on your PC is to use anti-spyware software. There are many good anti spyware products on the market, and many are available to try for free before you buy. Because free adware removers and free anti-spyware software are often designed to trick you into installing more adware and spyware on your computer, it is best to stay away from them. For the best protection and peace of mind, purchase good anti spyware software from a reputable internet security software company.
Debbie is a corporate IT Manager and author of the following sites covering computer security topics: Computer Security for Everyone, and Antivirus, Firewall and Spyware Resources.
For more information on adware removers and anti spyware software, visit her page on Spyware Removers and Anti Spyware.
Article Source: http://EzineArticles.com/?expert=Debbie_Jacobsen