This bit of adware made itself just a touch obvious, as it announced its presence on my mother's machine by (1) sneezing links all over her desktop, (2) screaming about the absence of WinSock2 during startup, and (3) blinking up a new ad every two minutes. Dadmin took the workstation off the network, and hollered for help.
Bleah, what a mess. There were probably four or five different species of adware on the machine (not all from the recent infection), so my Dad and I went on a tour of all the places I knew to look, taking notes and removing things the hard way (because if you installed your software on my machine without my consent, I'm sure as hell not going to trust your code to be friendly during an uninstall).
Reboot, launch the browser... and we still have problems. Shit - maybe there is an IE plugin as well. Go back to the trojan reports, review the RegKey changes... AHA! HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects is filled with suspicious-looking junk, which is identified as spyware when I go a-Googling, and directs me to a few more files that we had missed on the first pass.
[BTW: while we did everything by hand, I don't recommend that. Especially since, everywhere I searched, HijackThis had gotten there first. The tool produces useful diagnostics (they matched mine) and seems to have a population of friendly translators willing to help.]
Come home, check my own machine - whew, all the entries there are deliberate.
So what did I accomplish this afternoon? I think I sold a Mac.
April 3, 2004 8:31 PM