Mal/Adware Hiding...

Behind A Windows Process.

A bit much to fit into one line. I'm going through a tutorial on using Sysinternals to troubleshoot my WMC issue and discovered a very interesting way to detect mal/ad/junkware that can hide from anti-virus scans. This would explain why you've run an AV utility, yet still get infected.

It also explains how web browsers can get their search prefs hijacked. When downloading anything, including updates, more and more installers have boxes checked by default (when "easy install" is selected instead of "custom") that change your search prefs, install an AV you didn't ask for, or ad/malware you definitely didn't ask for.

You can also quickly figure out who/what is locking some folder you want to access.

Read up on how to do this using Process Explorer here.

Quote:
As we mentioned, the Conduit search hijacker is one of the most persistent, awful, and terrible things that nearly every one of your relatives probably has on their computer. They bundle their software in shady ways with any freeware they can, and in many instances, even if you select to opt-out, the hijacker will still be installed.

Conduit installs what they call “Search Protect”, which they claim prevents malware from making changes to your browser. What they don’t mention is that it also prevents you from making any changes to their browser unless you use their Search Protect panel to make those changes, which most people won’t know about since it’s buried in the system tray.

Not only will Conduit redirect all of your searches to their own custom Bing page, it will set that as your home page. One would have to assume that Microsoft is paying them for all this traffic to Bing, since they are also passing some ?pc=conduit type of arguments in the query string.

Fun fact: the company behind this piece of garbage is worth 1.5 Billion dollars and JP Morgan invested $100 million into them. Being evil is profitable.


Quote:
The problem is the Windows rundll32.exe utility, which can be used to arbitrarily run functions from DLL files. Since this utility is signed by Microsoft it shows up as a completely legit process in the list, but in reality what they are doing is just moving all of their malware / adware code into a .DLL file instead of a .EXE file, and then loading up the malware with rundll32.exe instead. In fact, if you see rundll32.exe running as an “own process” in the light blue color shown below, it’s nearly always something that shouldn’t be running.

In the example below, you can see that even though we used the Verified Signer feature to validate that item, when we hover over it and look at the full path, it is actually loading up a DLL that turns out to be part of an adware product.

Note: before you start screaming about running an anti-virus scan, we’ll note that we did, and it didn’t come back with anything. Much of this ^%$#@ adware, and spyware is ignored by anti-virus utilities.


As always, Caveat Emptor...
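The quoted article's point is that the Verified Signer column vouches for rundll32.exe itself, not for the DLL it was told to load, so the check has to be made on the command line. The following PowerShell is an added example (not from this thread or the linked article): it parses each rundll32.exe command line, recovers the DLL path, and flags a DLL that lives outside the Windows directory or fails Authenticode verification. The two sample command lines at the end are constructed, and the "Example Adware" path is a placeholder, not a real product.

```powershell
# Added example, not code from the thread or the linked article. Checks the DLL that
# each rundll32.exe instance loads, rather than the (signed, legitimate) host process.
function Get-RunDll32Target {
    param([string]$CommandLine)
    # rundll32 syntax: rundll32.exe <dll>,<EntryPoint> [args]; the DLL may be quoted.
    # Caveat: an unquoted path containing spaces cannot be parsed unambiguously.
    $rest = $CommandLine -replace '^\s*"?[^"]*?rundll32(\.exe)?"?\s*', ''
    if ($rest -match '^"([^"]+)"') { return $Matches[1] }
    if ($rest -match '^([^,\s]+)') { return $Matches[1] }
    return $null
}
function Test-RunDll32Target {
    param([string]$CommandLine, [int]$ProcessId = 0)
    $dll = Get-RunDll32Target -CommandLine $CommandLine
    $reason = @()
    if (-not $dll) {
        $reason += 'could not parse command line'   # e.g. access denied to the command line
    } else {
        # A bare DLL name is resolved from System32 first; treat it that way for the check.
        if (-not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }
        if ($dll -notlike "$env:SystemRoot\*") { $reason += 'DLL outside Windows directory' }
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $reason += "signature $($sig.Status)" }
        } else {
            $reason += 'DLL not found on disk'
        }
    }
    [pscustomobject]@{
        Pid        = $ProcessId
        Dll        = $dll
        Suspicious = ($reason.Count -gt 0)
        Reason     = ($reason -join '; ')
    }
}
# Live scan: every rundll32.exe currently running, with the command line it started with.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    ForEach-Object { Test-RunDll32Target -CommandLine $_.CommandLine -ProcessId $_.ProcessId } |
    Format-Table -AutoSize
# Constructed sample command lines (not real captures) to show what the check reports:
# the first resolves to a signed System32 DLL, the second to a placeholder path that
# is outside the Windows directory and absent from disk, so it is flagged.
@(
    'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    '"C:\Windows\System32\rundll32.exe" "C:\Users\Bob\AppData\Local\Example Adware\SearchHelper.dll",Start'
) | ForEach-Object { Test-RunDll32Target -CommandLine $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt, since the command line of processes belonging to other users is not readable otherwise and shows up as "could not parse command line".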
 
You live in Texas - are not a priest and speak Roman Latin?
My Latin came from a Catholic Church / School and taught more fluently by my 11th Grade Latin teacher.... the late John Bielat... RIP.

Your process seems fair! But it also appears complicated for my 9th Grade Computer skills...lol
 