Viruses, Spyware, Trojans… Oh My!
Several years back the industry went through what I can only call a "Spyware Explosion". All of the Spyware companies were exploiting the weak security present in the Internet browsing software of the time, resulting in massively compounded and ubiquitous Spyware infections. I felt like on every other PC I worked on, I was removing Spyware. As Microsoft and the security software companies wised up to this onslaught and improved their software, I began to notice such problems less and less. Any tech that has spent 4 – 5 hours removing Spyware will tell you that is not a fun task, so this evolution (so to speak) was a welcome one.
Nowadays I certainly don't spend nearly as much time on Spyware-related issues, but when I do, it seems like we have made a trade-off of sorts. What I mean is: sure, we see less Spyware, but when we do see it, it seems to be much more sophisticated. I can honestly say I enjoy the challenge of removing some of the trickier ones, because this can truly test the skills of any experienced technician.
Case in point, I thought I’d share a recent experience:
I received a call from a remote office of one of my customers complaining that when they started their computer, all they would get is a blank blue screen. They would get no icons, no Start menu, nothing. Luckily I was able to remote into this system using the Teklogic management software, and I was then able to start Task Manager and attempt to launch 'Explorer.exe', which is the "Shell" in Windows that gives you your desktop and Start menu (among other things). I found that Explorer.exe would not start, complaining that "Windows could not find the file". I then proceeded to open a Command Prompt and drill down to where the actual executable lives ('C:\Windows\Explorer.exe') and I noted that it was there and it had the appropriate permissions to launch. I checked that the environment path was correct and that the Shell value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell) did indeed contain the appropriate text for launching Explorer upon startup. At this point I went ahead and extracted another copy of the Explorer.exe executable from the original installation media, finding that this did not solve the problem either. I was quite perplexed.
After some digging around, I found some references to a "feature" of the NT family of Windows operating systems that was meant for developers to use when debugging applications. This feature is called "Image File Execution Options" and lives at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'. If you want to know more about this feature, read here. One of the things you can do with this is to essentially tell Windows that every time XYZ process is attempting to launch, it should launch ABC process instead (by creating a subkey named after the executable and setting its Debugger value to the program to run in its place). This is a perfect example of how a very useful feature can be turned against us (as the computer users) by ill-intentioned Spyware. The Spyware had used this feature of Windows to configure the machine so that every time the process Explorer.exe was launched, it instead launched something else altogether. This, I thought, was a very clever way to utilize a relatively unknown feature and turn it against the user. Once I removed the entry for Explorer.exe, we were then able to get to the Windows Shell and proceed with removing the Spyware entirely. A fun one indeed!!
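The check I would want on a box like this, as an added example and not code from the original post: enumerate every Image File Execution Options subkey (both the native hive and WOW6432Node, which is where 32-bit images are looked up on 64-bit Windows), pull out any Debugger value, and flag the ones that do not point at a known debugger or that target explorer.exe, which no developer workflow should redirect. It assumes an elevated PowerShell session on the affected machine; the list of "known" debuggers is my own illustrative allow-list, not an authoritative one. Note that a Debugger value pointing at a file that has since been deleted produces exactly the "could not find the file" symptom for the original image, which is also why replacing Explorer.exe itself changes nothing.

```powershell
# Added example, not code from the original post. Audits Image File Execution Options
# for Debugger redirections of the kind described above and removes the suspicious ones.
# Assumptions: elevated PowerShell 5+ session on the affected machine; the allow-list of
# known debuggers below is illustrative only and should be tuned for your environment.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit images on 64-bit Windows are resolved under WOW6432Node
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Debuggers a developer might legitimately register (assumed list, extend as needed)
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe', 'procdump.exe')

function Get-IfeoDebuggerEntry {
    [CmdletBinding()]
    param()
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # Each subkey is named after an image (e.g. explorer.exe); Debugger is the redirect
            $debugger = Get-ItemPropertyValue -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue
            if (-not $debugger) { continue }

            # The first token of the Debugger value is the program Windows actually starts
            $exe = ($debugger -replace '^"([^"]+)".*$', '$1') -split '\s+' | Select-Object -First 1
            $exeName = [System.IO.Path]::GetFileName($exe)

            [PSCustomObject]@{
                Image        = $key.PSChildName
                Debugger     = $debugger
                TargetExists = Test-Path -LiteralPath $exe
                # The shell should never be redirected; anything outside the allow-list gets a look
                Suspicious   = ($key.PSChildName -ieq 'explorer.exe') -or
                               ($KnownDebuggers -notcontains $exeName)
                KeyPath      = $key.PSPath
            }
        }
    }
}

function Remove-IfeoDebugger {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KeyPath)
    # Remove only the Debugger value; other settings under the subkey may be legitimate
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove Debugger value')) {
        Remove-ItemProperty -LiteralPath $KeyPath -Name Debugger
    }
}

# Usage: review everything first, then clear the flagged entries (drop -WhatIf to act)
$entries = Get-IfeoDebuggerEntry
$entries | Format-Table Image, Debugger, TargetExists, Suspicious -AutoSize
$entries | Where-Object Suspicious | ForEach-Object { Remove-IfeoDebugger -KeyPath $_.KeyPath -WhatIf }
```

Triage before deleting: a Debugger entry is a legitimate developer facility, so check what the target path is and whether it still exists rather than wiping every entry. On a machine too old for this cmdlet set, the same listing is available from a Command Prompt with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`.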