Alistair Maclean's Web Site
Spyware & Pop-up program Removal
Back

Phlugg!!!

If there is one thing that leaves a nasty bad taste in my mouth it is Spyware and those pop-up advertising programs. We talk of trust in normal life, but for some reason all sense leaves our heads when it comes to allowing companies to infest our computers with scum that claims to give us advantage in some odd way. Normally, this software seems to be a vehicle for the least trust-worthy advertisers and porn merchants. Great!! Just what we wanted.

Heck, I didn't even get a chance to read the license agreement before this trash is loaded on my system!

What is it and what to do about it?

Most of this junk comes to us via an email. The email is formatted in HTML and has a built in link that causes a web site page to be hit and the download to commence. The download happens fast. I have noticed it once. You may not immediately see anything happen, often things happen only after a reboot. Then you might see several things occur: A new desktop icon with a simple name; Pop-up windows mysteriously appearing for all manner of products.

Removal

You would think this should be easy, but in fact the people that write this stuff have become quite canny at making it very difficult. They rely on the fact that they put stuff in so many places and not always with the expected names.

Structure

Let's look a moment at the structure these guys tend to use.

1. There is the desktop icon that points to a small program. This program is the item that kicks off the various advert pop-ups and monitoring. It uses the default browser and just starts the thing with a specified URL.

2. There is the main downloader. This is the program that initially caused the program to be loaded in the first place. If it doesn't find the pop-up or monitoring application, it causes it to be downloaded again, or to be unpacked from a local copy of the entire application system that was downloaded to a relatively secure location on your disk.

3. There is a chunk of code that is really some sort of cache of all the code that the system needs to run with, in this way the program can be auto repaired.

4. There are several sets of Registry entries. The first are related to the pop-up and monitoring program. These launch the main program when the system starts. There are settings for the pop-up and monitoring program itself, and for the loader to make sure it can check to make sure that all is present, and I have even seen some settings that would cause a program like MS-IE to go out to a website and load the mess again.

Squash this beast

There are several things you can do to manage the situation:

Determine where the initial desktop icon is pointing - write it down. Take the critical letters of this name (say STC) and go into Windows Explorer and do a complete system search for these letters (something like "*stc*.*".) Note all the files found. You should have something in C:\Program Files, and something in C:\windows\system32 (or whatever you main OS directory is called).

For each file found, check the date it was created on. Now using Windows Explorer, search for ALL files created on the same date (Search Options, followed by checking the Date checkbox, then select either "In last 1 Day" or "between this-date and that-date".) This leads to a LOT of files being listed, but you should also find any DLL's or JAR files that the system uses as auxiliary code or its recovery cache. You will also possibly find other directory names that look suspicious. Record all!

The Registry is not a place for the faint of heart, but with care you can wield a pretty nasty BFG here and not suffer any consequences. Launch Regedit by whatever means you find comfortable. Go into the HKEY_Local_Machine hive, then Software. You are looking for tree nodes with names similar to that we already recorded (STC in my case). Open them and check the content. If anything points back to our files then we have a culprit! Delete these nodes. I have also been know to delete nodes that are empty or don't seem to have any good reason for being there, but then I wander the corners of my registry frequently so strangers are easily spotted. The keys that we have deleted are used by the various parts of the pop-up system to allow it to work out what it is to do, and what parts it consists of. The bit that kicks it all off is tucked away in HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/run. You may find multiple items here. Typically, I have found one item to launch the Pop-up program and one to launch the pop-up downloader program (which checks to make sure the pop-up program is all present and correct.) Delete the individual keys in this case not the whole node (ie, DO NOT DELETE "run", just the xxxloader line.) Exit the registry editor.

In theory just deleting the Run keys will disable the program the next time round, but then you may just get stupid and click on that desktop icon again...

Back to the file system. In Windows Explorer, delete the files in C:\Program Files and in C:\Windows\System32. Make sure you get those DLL's or JAR files.

Reboot your computer.

If the Icon returns or the pop-ups persist, you missed something. You will have to go back and do the various searches again. One thing I find handy is that when you logon (in Win NT, Win2K and WinXP) you can quickly bring up the Task manager and display the list of Processes that are running. If you see another loader running and then disappearing, try to track it down. There are many reasons for programs to start and stop on initial logon (virus checkers do this a lot) but see if this helps in narrowing things down. Bear in mind that if the stuff returns, you will have to do all the searching again and then repeat all the deletes - as that loader makes sure the application is all present and accounted for, including the registry stuff.

A colleague recently had to clean up a system and found the following files, if you found the page useful and have examples of files you as a consequence found, send on their names (I would prefer you didn't send me the files!)

  Files in /Program Files/ dirs Files in Winnt/Windows dirs Items in Registry  
 1    stcloader.exe See above Moi
 2  rcprograms\rcsync.exe
rcprograms\v2\prizesurfer.exe
mfin32.exe
snfin32.exe
VBouncerOuter150103086.exe
See above Sandeep
 3  srng\srng.exe
srng\SNHelper.dll
None that I found search for "SNHelper.dll" in registry, delete all entries. (I found 3)

Also has a software\ microsoft\ windows\ currentversion\ run\ entry for srng.exe, delete it
Moi
 4  \Inet Delivery\intdel.exe, intdel_2.exe None that I found Uninstall "Inet Delivery" through Add/Remove Programs (!), then delete directory. Moi

 

So what of the future?

You have now spent a fair time reading this, mangling your computer, swearing loudly, and generally raising your blood pressure, all because you managed to open an email that caused this thing to be loaded. You probably don't want to do it too frequently. One option is just to be very careful with what you open. This is not always possible, and has a lot in common with the Rhythm method (if you need to ask, ask your parents!) Alternatively you can force all email to be read only as text. This trashs much of the message formatting, making those picture / story emails from Aunt Cecile look terrible, but once checked you can work out ways to view non-offensive emails as the author intended. Ways of doing this vary by email client. Not all email clients allow viewing messages in pure text, but those that do will protect the unwary.

In Outlook Express, right click the message, select properties, then details, then Message Source.

In Eudora, and Outlook, I don't think you have much choice.

In Mozilla Thunderbird (a new email client), go to the View menu and specify Message Body as Simple Text.

Other email clients may, or may not be able to help you.

Also, for Outlook Express is the NoHTML add-in, which converts all HTML to text and stops these messages.

AdWare Innoculation?

Faced with machines getting repeated infections from AdWare and SpyWare, primarily because the users didn't want to practice safe browsing, I have been trying another tack. It is not entirely successful, but it does seem to stop some of the AdWare programs installing - the user will however keep popping up those stupid dialog boxes that, irrespective of the button you press, will try to install the AdWare.

All this junk software writes stuff in the Program Files directory and into the registry. You need to destroy enough of the program code that it will attempt to re-install (delete all the DLL's and exe's in the Program Files Directories) then you need to edit the registry. Each of these things creates its own registry entry, typically in HKEY_CURRENT_MACHINE\Software. You need to delete everything under the key that the AdWare program created, but not it's root. So for instance SRNG might be the root node and have several sub-nodes for information the SRNG Adware program needs. Delete all the sub-nodes and any keys in the root node. (In XP) Right click on the SRNG node, select Permissions, and remove your own user permissions from the node. This should mean that if the AdWare runs as you it will be disallowed from creating the registry entry, and will always pop up the install dialog but not do anything.

Editing the Registry

In XP this modification of the permissions is simple, and goes as above, using RegEdit.exe as the registry editor program. In Windows 2000 you need to use RegEdt32.exe, go down to the node, highlight or select the node, then from the menu bar select permissions.

Prevention

There is nothing like prevention to save your neck. Adware and Spyware is pernicious stuff. Once you have it, it is hard to remove. There are several tools in the market place that partially help, though some are no better than doing it yourself. I have outlined ways to protect you from email that comes in and sends you to web pages and loads up AdWare, but you also have to consider your browser. Internet Explorer is an accident waiting to happen. It has no means of stopping the type of activities that cause AdWare to appear on your computer, particularly through JavaScript Pop-ups.

I have been using Mozilla FireFox for some time now, setting it to accept pop-ups from a very select few sites. This has really helped, and has reduced the incidence of infection by this type software on other peoples computers, where I have set them up to use it. FireFox can be downloaded from Mozilla by following this link :

Get Firefox!


© Copyright A. Maclean 2003 -
[Compute home]
[page index]