Jun 09 2004

Spyware Removal

Published by tim at 2:49 am under coding

There is apparently a variant of IEPlugin making its way around that Lavasoft Adaware doesn’t remove properly, and since I couldn’t find anything on the mass that was Google, I had to track it down.

The symptom was the following line being inserted into multiple locations in the registry (and always being flagged by Adaware, despite having it removed every time):

http://websearch.drsnsrch.com/sidesearch.cgi?id=

Obviously, some piece of spyware was changing the registry every time, so it was time for me to use Process Explorer from sysinternals.com, one of those utilities that are so ridiculously good that I chortle with delight whenever I start it up. Okay, maybe that’s a bit of hyperbole, but at any rate I do enjoy using it. A quick look at the process list revealed a suspect process:

That’s right, what was that process doing in the middle of there? Opening up the process in a hex editor revealed that it did in fact have the “websearch.drsnsrch” string. Since Process Explorer will tell you the original file for the .DLL, all I needed to do was delete the SYSTB.DLL file in the Windows directory, and the spyware was gone.
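The same hunt can be scripted. The PowerShell below is an added example and is not code from the original post or from Sysinternals: it takes the indicator string from the post, reports registry values that contain it, and then checks every DLL currently loaded into a process for the same string (in both ASCII and UTF-16, since a hex-editor hit can be either). The registry roots it scans are my assumption about where a browser hijacker writes; widen or narrow them as needed. It only reports; removal stays a manual decision.

```powershell
# Added example (not from the original post). Hunts for a known spyware
# indicator string in registry values and in DLLs loaded by running processes.
$Indicator = 'websearch.drsnsrch'   # string from the post

# Assumption: these are the keys an IE hijacker usually touches. Recursing a
# whole hive works too, just slower.
$RegistryRoots = @(
    'HKCU:\Software\Microsoft\Internet Explorer',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Find-RegistryIndicator {
    param([string[]]$Roots, [string]$Needle)
    foreach ($root in $Roots) {
        # Get-Item returns the root key itself; Get-ChildItem only its subkeys.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = "$($key.GetValue($name))"
                if ($data -like "*$Needle*") {
                    [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $data }
                }
            }
        }
    }
}

function Test-FileContainsString {
    # Reads the raw bytes so a match is found whether the string is stored
    # as ASCII or as UTF-16 (common for Windows binaries).
    param([string]$Path, [string]$Needle)
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
    } catch {
        return $false   # file locked or unreadable; note it rather than fail
    }
    return ([System.Text.Encoding]::ASCII.GetString($bytes).Contains($Needle) -or
            [System.Text.Encoding]::Unicode.GetString($bytes).Contains($Needle))
}

function Find-LoadedModuleIndicator {
    param([string]$Needle)
    # Map each loaded module path to the processes that loaded it. Accessing
    # .Modules on protected/system processes throws, so those are skipped.
    $owners = @{}
    foreach ($proc in Get-Process) {
        try {
            foreach ($mod in $proc.Modules) {
                if (-not $owners.ContainsKey($mod.FileName)) { $owners[$mod.FileName] = @() }
                $owners[$mod.FileName] += $proc.ProcessName
            }
        } catch { }
    }
    foreach ($file in $owners.Keys) {
        if (Test-FileContainsString -Path $file -Needle $Needle) {
            [pscustomobject]@{
                Module   = $file
                LoadedBy = ($owners[$file] | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Write-Host "Registry values containing '$Indicator':"
Find-RegistryIndicator -Roots $RegistryRoots -Needle $Indicator | Format-Table -AutoSize

Write-Host "Loaded modules containing '$Indicator':"
Find-LoadedModuleIndicator -Needle $Indicator | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and other users' processes are readable. A module hit tells you which file to inspect and which processes hold it open; a file that is in use will have to be unloaded (or the process ended) before it can be deleted, and the registry scan is worth re-running afterwards to confirm nothing re-adds the value.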
