Spyware and IE

Today, on one of the computers at home, Meenakshi accidentally installed one of the spy-wares (via a popup – which interestingly was not blocked). This changed the search engine used by IE, installed some toolsbars and opened a whole bunch of popup windows. Also disabled some of the other legit toolbars that were running (MSN, Yahoo, Google, etc.) Anyways, it took me a good 3+ hours to track the bugger down and clean up the whole machine. What a pain and waste of time. But it got me the opportunity to document what I did and hopefully you can benefit from it.

I would like to also point out that an 1+ hours was taken by the two anti-spy-ware software that I use (Adware and Spybot – if you have not heard of them, I highly recommend download and using both of them). Though neither of them cleaned this particular one. :'(

Well how do you find out what is installed? First of all try and find the name of the “thing” running. Right-click on the toolbar and since that toolbar would be checked, you can find out the name. The first and foremost you should do is run your anti-spywares (make sure you update them). If they do find anything I would recommend rebooting your machine ASAP, after cleaning it. If the problem is solved, you got lucky (and you can stop Reading now :)). If not then goto your Add/Remove and see if you find something there that you don’t recognise if you find something uninstall and check if the problem has done. When uninstalling try and find the location of where it was installed and delete that as most uninstall programs keep something lingering (hopefully you are a geek like me and are not required to be told how to this).

If you still have the spyware, then you got more trouble (like I had). Next steps would be to poke in the (dreaded) registry and see what you can find there. To start, run Regedit (Start => Run => regedit.exe). Next goto HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar where you would see a list of entries. Now I don’t presume you would know the GUIDs for the toolbars *grin*, so you would need to find everyone and see if they are legit or not. Here is the list of the ones I found in this computer (and what they meant):

  • {2318C2B1-4965-11d4-9B18-009027A5CD4F} – Google
  • {47833539-D0C5-4125-9FA8-0819E2EAAC93} – Acrobat (6)
  • {79FFEBC8-745B-AFDE-82E6-14ACEDC16E19} – This was the CLUPRIT!
  • {8E718888-423F-11D2-876E-00A0C9082467} – Mmedia Radioband
  • {EF99BD32-C1FB-11D2-892F-0090271D4F88} – Yahoo

Well the second one in the list above was the culprit called SLOW.Citydent, and was installed at “C:\Program Files\Settings Book”.

To find the right or wrong guid, you need to search the registry for each of the GUID and traverse it (i.e. that GUID (or CLSID) might point to another one – so keep following the rabbit trail and at the end of it you would see a COM entry (InProc32) that would point to the execuatable (dll/exe) and also a class name (e.g. SLOW.Citydent.1 in my example). Make sure you search for the GUID from the root in Regedit and delete all entries you find – as always be very careful when modifying anything related to the registry.

Also search using the ClassName in addition to the GUID, as you could potentially find entries realted to this also. Before deleteing the hives/keys make sure you find out the path in the InProc to find out where this is installed in the system. In my case this was at C:\Program Files\Settings Book (which would look like C:\progra~1\settin~1 – the 8 characters from the old DOS days). Make sure you go to this directory and inspect all files and folders – once you are found all other COM entries, you can delete all these files and folders.

Also search for the path in addition to the ClassName and GUID as that would ensure you caught all missed spywares.

You also should clear the similar entries from the following hives:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions

Lastly, also check for the programs you may not recognise in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Make sure you reload regedit after you delete some key as it still would show it in its cache, which is not flushed till its loaded.

So, after a long number of hours I was able to clean the machine. The moral of the story is, be careful, if you don’t trust something, don’t open it or run it, no matter how convincing it might seem no matter how trustworthy the person sending it is. As more applications move to .NET this would be eliminated because of the security features built in the framework (and CAS – code access security), but till then, we all need to use our common sense.

Published by

Amit Bahree

This blog is my personal blog and while it does reflect my experiences in my professional life, this is just my thoughts. Most of the entries are technical though sometimes they can vary from the wacky to even political – however that is quite rare. Quite often, I have been asked what’s up with the “gibberish” and the funny title of the blog? Some people even going the extra step to say that, this is a virus that infected their system (ahem) well. [:D] It actually is quite simple, and if you have still not figured out then check out this link – whats in a name?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.