Crossroad >> Science >> Article
Google
 
Web akhilesh.in
Home

 » Remove Spyware
 » Find Yahoo Status
 » Secondary Storage
 » PC Turns 25

 » Fibonacci Puzzle


Removing Malware, Spyware, Home Page Highjack
From Your IE When Nothing Else Works

Disclaimer
The method described here is not for novice user but for them who understand what’s going on. You are also advised to backup up every change you make so that if needed you can roll back. I take no responsibility of any damage by following the steps given here.


Is your system infected? You surf the Internet. After surfing close your browser. Next time you open it find that the home page is something that you never find. You try to change it by Internet Setting, but it stubbornly remains the same. At times you also find that when you exit a site, you land up on a unintended site instead of the one you wanted to go. You try all the methods (Spyware Removal/Anti Virus and so on) to correct this but the problem persists.

How does it get infected? Well, Microsoft has come up with a mammoth product that is widely used. But they have also left many bugs in their code that leads to various vulnerability. These malware authors exploit them to gain access to your PC.

While surfing certain sites it uploads a small program to your PC and executes them without any visual indication. This program installs itself on your Windows PC and start making your browser go crazy. It integrates itself with the IE and loads when IE loads and then does what its author wanted it to do.

Now the key to getting rid of this application is to find the installed thing on your PC. This will be generally a dll file, but exe can also used. It will be a small file, so that it gets uploaded easily to your PC. There will be generally no icons for the exe file. Also mostly the version property sheet will either be blank or missing. (File Property -> Version).

Since this file is to be hidden on your PC, it normally gets installed in Windows System32 directory.
And its date will be of the day your PC got infected.

Now you need to identify the dll/exe. The easiest way to do is use Process Explorer.

(You'll need Process Explorer from http://www.sysinternals.com/ This is a nifty utility that is a freeware and great a Task Manager replacement. I'll recommend using it as a general replacement also with the shortcut "Ctrl - Shift - ~".)

Run Process Explorer and start IE. Now open the list all the loaded dlls in the IE process. Note down the dlls locations, specifically if anyone of them looks suspicious. Now apply the criteria written above to them to see if it fits.
- Small Size
- Location
- Date
- Version Information




Now if you think that it is one of the culprit, rename it so that it cannot be located and loaded. Then restart the IE. See if your problem is gone. If it has gone and there's no adverse side effect then you can get rid of the dll.

Also either you can search for the name of the dll in the registry to see where it is used, and then delete it if you feel OK.

Or use RegClean from Microsoft to automatically clean your registry.

Also note, the malware might also employing some technique to start an exe at the start of the Windows, and at that time install its dll if not installed. In that case after reboot the problem will surface again. You will have to find that exe also that runs at the startup.

For this look at the list of processes running. Many times you'll find it running over there. Just confirm it is the malware and then get rid of it. If it is not running then you will have to check the startup.
1. See all the programs to run in Program Files --> Startup
2. See the listed programs in registry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Hope it helps.

And yes, if you are sick of these kinds of issues then checkout Firefox.



Any comments, suggestions, please mail me.

Akhilesh Singh
15 July 2004



Crossroad | About Me | Science | Life | Code | Contact | Site Map | Search
Copyright © 2006 - 2009 akhilesh.in