sircles.net Computer Support The sircles.net IT support & solutions blog | Spyware/Adware Tricks....


The sircles.net IT support & solutions blog SEO, Copy Writing, Networking and Internet Safety & Security

Spyware/Adware Tricks....

10. January 2017 09:07 by sirclesadmin

Your PC is running Windows, which means that there are a number of processes running at any one time, loaded into RAM. It also means that the Operating System (XP, Vista or whatever) is customised to suit you and is not quite the same as any other installation of Windows. The information that these customisations are made up from is held in something called the 'registry', which is basically a map of all the software you have installed, what colour and background preferences you have, what hardware has been installed and so on. The registry is held on the disk of your computer and can be edited using 'regedit' much as you would edit a giant text document. Additionally you have the Hard Disk itself, which holds all of the system files and application files that Windows is made up of. Spyware/Adware plants itself in all three of these places (RAM, the registry and the disk) to make sure that it is extremely difficult to remove.

The latest incarnations of Antivirus 2017/VirusResponse 2017/Windows 10 Antivirus etc. are truly designed around Windows and around being a continual pain in the neck. One could liken them to a fungus that lives on trees, in the way that they have evolved as a pest to Windows. Once one of these pests is either in RAM as a process, in the registry or on the disk, it can repeatedly reload itself from the Internet and re-materialise in RAM and the registry. These latest versions attach themselves to Internet Explorer as an 'add-on' that always takes you back to the same page, where you are told you must buy yet more anti-spyware to clean your computer.

Most of these applications descend from Eastern Bloc countries and Russia. The example I was looking at the other day was from Russia. How do I know this? Well, when the pestware takes you to a site to download itself again, the domain name was http://startedwebsite.com/, which is registered to a gentleman (I think it's a he) in Russia. The website gives the impression that the user has already shut down, but if you go to the full FQDN the pestware is still downloaded, so they are simply pretending to have been shut down (they have literally thought of everything). They have also thought of everything when it comes to the design of the software. Let us talk about how to remove it in all of its forms.

1. Close the Scanner application and delete the c:\program files\vir* folder. The folder is not actually called vir* but virlib or virdub or something similar (it comes in a few varieties), so delete the folder that starts with vir and contains the scanner, and hold down the [SHIFT] key as you press Delete so that the pestware doesn't go into the Recycle Bin.

2. Start Task Manager [Ctrl+Alt+Del], right-click any processes that resemble iebt.exe (i.e. iedbt.exe and the like) and choose 'End Process Tree'. These are the processes that make the pop-up appear bottom right. Make sure they do not re-appear in the list, then delete the c:\programs\application folder.

3. Go to the Control Panel, double-click Internet Options and go along the top to the 'Programs' page. Click on the button that says Manage Add-ons. Highlight the add-on iebt.dll and then, at the bottom of the applet, move the blob into the Disabled position. Also find 'Internet Services' in the list and disable this too.

4. Go to Control Panel (Add/Remove Programs) and make a note of the names of the new programs that have appeared, such as IEBrowse and Internet Explore. Make a note of these names exactly as they appear. Open the registry editor (Start => Run, type regedit and click OK; or Start => All Programs => Accessories => Run, type regedit and click OK if you're on Vista.)

!BEWARE! Editing the registry is dangerous and can render your system un-bootable or even unrecoverable!! ReadAllAboutIT and sircles.net take no responsibility for what may happen, even if you follow these instructions correctly!

Browse to HKEY_LOCAL_MACHINE > Software > and find the entries with the names you noted (or just do a search for them). Delete these entries from the registry. (Any software that is installed makes an entry here in the registry so that it appears in Control Panel under the Add/Remove Programs list. It also adds a field that shows Windows where the executable .exe file that removes that software is, which is what is triggered when you choose to add or remove applications.)

5. Go to Start => Run and type msconfig. Go to 'Startup' at the top and remove anything to do with 'Virus Scanning' or 'Antivirus' that you have not purchased. (This software pretends to be an antivirus application, and so Windows will actually warn you that it is out-of-date. Microsoft need to address this problem immediately, as it is one of the most embarrassing things I have ever seen befall a software company!)

Now restart your PC.

If all goes well the scanner will not restart, you will not be taken to the infected website's page when you open Internet Explorer, and you will not receive a pop-up from the Notification Bar telling you that you have viruses.
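The five places the steps above walk through (the vir* folder, the iebt-style process, the IE add-on, the Add/Remove Programs entry and the startup entry) can be audited in one pass before and after a clean-up. The following PowerShell script is an added example, not part of the original post: it only reports, removing nothing, and assumes the standard Windows registry locations for Browser Helper Objects, Uninstall entries and Run keys; the names it searches for (vir*, iebt, IEBrowse, Internet Explore, Internet Services) are the ones given in the post.

```powershell
# Added example: read-only audit of the locations the post describes.
# Run from an elevated PowerShell prompt; nothing is deleted or changed.
[CmdletBinding()]
param(
    # Display names noted in Add/Remove Programs (step 4 of the post)
    [string[]]$SuspectNames = @('IEBrowse', 'Internet Explore', 'Internet Services')
)
$findings = @()
function Add-Finding([string]$Area, [string]$Item) {
    $script:findings += [pscustomobject]@{ Area = $Area; Item = $Item }
}

# Step 1: folders under Program Files whose name starts with 'vir'
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
    Get-ChildItem -Path $root -Directory -Filter 'vir*' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Folder' $_.FullName }
}

# Step 2: running processes resembling iebt.exe / iedbt.exe (name without .exe)
Get-Process | Where-Object { $_.ProcessName -match '^ie\w*bt$' } |
    ForEach-Object { Add-Finding 'Process' "$($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

# Step 3: IE add-ons registered as Browser Helper Objects whose DLL looks like iebt.dll
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv -and $srv.'(default)' -match 'ie\w*bt\.dll$') { Add-Finding 'IE add-on' "$clsid -> $($srv.'(default)')" }
}

# Step 4: Add/Remove Programs entries carrying the suspect display names
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstall -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($SuspectNames -contains $p.DisplayName) {
        Add-Finding 'Uninstall entry' "$($_.PSChildName): $($p.DisplayName) -> $($p.UninstallString)"
    }
}

# Step 5: startup (Run) values that claim to be antivirus or virus scanning
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $p = Get-ItemProperty $run -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    $p.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and ("$($_.Name) $($_.Value)" -match 'virus|scan') } |
        ForEach-Object { Add-Finding 'Startup' "$($_.Name) = $($_.Value)" }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from the post were found.' }
```

Running it again after the restart in the steps above gives a quick check that none of the five footholds has re-materialised; on 64-bit Windows the same BHO and Uninstall keys also exist under the Wow6432Node branch, which this example does not walk.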
