There is apparently a variant of IEPlugin making its way around that Lavasoft Adaware doesn’t remove properly, and since I couldn’t find anything on the mass that was Google, I had to track it down.
The symptom were the following lines being inserted into multiple locations in the registry (and always being flagged by Adaware, despite having them removed every time):
Obviously, some piece of spyware was changing the registry every time, so it was time for me to use Process Explorer from sysinternals.com, one of those utilities that are so ridiculously good that I chortle with delight whenever I start it up. Okay, maybe that’s a bit of hyperbole, but at any rate I do enjoy using it. At any rate, a quick look at the process list revealed a suspect process:
That’s right, what was that process doing in the middle of there? Opening up the process in a hex editor revealed that it did in fact have the “websearch.drsnsrch” string. Since Process Explorer will tell you the original file for the .DLL, all I needed to do was delete the SYSTB.DLL file in the Windows directory, and the spyware was gone.
Comments are moderated whenever I remember that I have a blog.
There are no comments on this article.