Friday, September 24, 2004

pesky adware/spyware

Don't you just hate those pesky little things? Hijacking your browser's homepage, or launching those darn ad pages at random times. I'm usually very careful about installing stuff on my machine. Plus, I use Firefox as my browser, so I have even more protection! But just recently, I slipped. I wasn't as careful as I should have been and got hit.

Using Firefox, I went to download.35mb.com to check it out. It said I needed to use IE to access the site. I didn't think and immediately right-clicked on the page and selected 'View The Page in IE' (a Firefox plugin that automatically opens the current page in IE). It then launched some ActiveX stuff, and even told me to please click Yes to install the app. This was when I realized my mistake. I immediately said No and closed the browser. Unfortunately, the damage had already been done. I don't know exactly what the site did, but after that visit I started to get random popup ads.

After banging my head on the wall for a few minutes, I decided to remedy the problem. I launched Ad-Aware and scanned my system. It found some of the usual stuff (tracking cookies), but it didn't find what I was looking for. Next, I tried Spybot, but still no luck. I decided it was time to get my hands dirty and go fiddling around in the registry.

I knew there were only a few places where it could hide:
  1. The most obvious one is of course the Startup folder in the Start Menu (there is one in each user's profile and one in the All Users profile).
  2. In the registry, it could be in one of the Run keys, e.g.
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     [HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run]
     (for the logged-on user that second key is the same thing as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; the RunOnce keys sitting next to each Run key are worth a look too).
  3. In the win.ini file: the run= and load= lines in the [windows] section.
  4. And of course in the Task Scheduler.
This is by no means an exhaustive list, but more often than not these are the areas exploited (except maybe the Task Scheduler; I've yet to encounter something that automatically attaches itself to the scheduler). One thing to keep in mind when going through these: the entry doesn't have to point at a shady executable. It can be a perfectly legitimate program, like the browser itself, started with a nasty argument, which is exactly why a scanner looking for known bad files can walk right past it.
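As an added example (not code from the original post), here is a PowerShell script that walks the locations listed above, plus the RunOnce and Wow6432Node keys and other loaded user hives, and flags any entry that starts a browser with a URL, which is how the popup launcher in this post hid in a Run key. It assumes Windows PowerShell 5.1 or later on an elevated prompt (so HKLM and other users' hives are readable); the key list, the flagging heuristic and the sample Run value at the end are my own assumptions and constructions, not anything the post specifies.

```powershell
# Added example, not the post's own code. Enumerates common Windows autostart
# locations and flags entries that launch a browser with a URL. Assumes
# Windows PowerShell 5.1+ running elevated. Heuristic and sample are mine.

$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# HKCU is HKEY_USERS\<SID> of the logged-on user; other users whose hive is
# currently loaded (logged on, or a service profile) appear under HKEY_USERS too.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' -and $_.PSChildName -ne $currentSid }
foreach ($hive in $userHives) {
    $runKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
}

function Test-SuspiciousAutorun {
    param([string]$Command)
    # A legitimate, signed browser binary handed a URL to open: nothing for a
    # file-signature scanner to match, but it is exactly a popup launcher.
    return [bool]($Command -match '\b(iexplore|firefox|chrome|msedge)\.exe' -and
                  $Command -match '\bhttps?://')
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Name, $Command) {
    $findings.Add([pscustomobject]@{
        Suspicious = Test-SuspiciousAutorun $Command
        Source     = $Source
        Name       = $Name
        Command    = $Command
    })
}

# 1. Registry Run / RunOnce values (skip the provider's own PS* metadata properties)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        Add-Finding $key $p.Name ([string]$p.Value)
    }
}

# 2. Startup folders, per-user and All Users; resolve .lnk shortcuts to their real target
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File -Force) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($f.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        Add-Finding $dir $f.Name $target
    }
}

# 3. win.ini: load= and run= lines, but only inside the [windows] section
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    $inWindowsSection = $false
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*\[(.+)\]') { $inWindowsSection = ($Matches[1] -eq 'windows'); continue }
        if ($inWindowsSection -and $line -match '^\s*(load|run)\s*=\s*(\S.*)$') {
            Add-Finding $winIni $Matches[1] $Matches[2]
        }
    }
}

# 4. Scheduled tasks (Get-ScheduledTask exists on Windows 8 / Server 2012 and later)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {   # Exec actions only; COM-handler actions have no Execute
                Add-Finding "Task $($task.TaskPath)$($task.TaskName)" $task.TaskName "$($action.Execute) $($action.Arguments)"
            }
        }
    }
}

# Constructed sample of the kind of Run value this post is about: the real IE
# path started with a made-up ad URL. It shows up at the top as Suspicious=True.
$sample = '"C:\Program Files\Internet Explorer\iexplore.exe" http://ads.example.invalid/popup'
Add-Finding 'constructed sample' 'Sample' $sample

$findings | Sort-Object Suspicious -Descending | Format-Table Suspicious, Source, Name, Command -AutoSize -Wrap
```

Once you have confirmed a flagged registry value is the culprit, `Remove-ItemProperty -Path <key> -Name <value name>` deletes it, which is the same thing as removing the line by hand in regedit. The script only covers the spots listed in this post; Winlogon keys, browser helper objects, services and drivers are further autostart points, and Sysinternals Autoruns enumerates all of them if the above comes up empty.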

After some digging, I found it in one of the Run entries in my registry. There was an entry that launched Internet Explorer. I just deleted the line and voila, goodbye popups =)

Lesson learned? Don't trust sites that require you to use a particular browser =) I already knew that, but I guess experience is still the best teacher =D
