Cleaning up those Random Popups.

 

You are working on your MS Word document. The deadline for submission is approaching fast; you have half an hour left. You are focused on your screen and pasting those graphs in. Suddenly, out of nowhere, a small Internet Explorer window comes up. Before you can say ‘What the F***’, the window expands and your entire screen is a portrait of some porn star’s boobs. Sounds familiar? You, my friend, have a few pesky programs on your computer. These smart programs won’t even go away with programs like Spybot Search & Destroy. I decided to get to the bottom of this, and here are the steps I took. All you need is access to your registry. Note: if you are not comfortable with this, don’t do it. If you are not careful, it can affect the workings of your normal programs. If you are OK, then fire up regedit and follow the instructions given below:

 

1) Most of these programs secretly launch themselves when your computer boots up.

 

To look at the programs starting up secretly, look for the key

HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

 

Look for names that sound cryptic or that you don’t recall installing. Check the EXE name and the folder it is installed in. If you don’t recall anything, then delete the key. Make sure you delete the keys of all these unfamiliar programs, as they usually spawn multiple processes: a sister process launches the other one if either one is killed.

 

2) Some of these programs also use the Active Desktop. Active Desktop can display websites. The punks who wrote these programs put an Active Desktop key in your registry and created an HTML file which resides in a normal folder like that of Windows Media Player or MSN Messenger (SMART!!). However, go into this area of the registry:

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\

 

For every component there will be a Source key. Check the HTML file this loads; the full path of the HTML file is given. Open the HTML in Notepad or something and you will know if it is a URL that should not be loaded. Double-click on the Source key in regedit and set it to About: Home. You can also delete the entire root inside Components.

 

3) If the programs still linger, you will have to check all the processes and kill those which don’t look familiar. Look for their EXEs and note them down. Then start Windows in Safe Mode and delete all those EXEs.

 

4) Sometimes the malicious EXEs are created by other programs which are difficult to find. To compensate for this, compile a dummy EXE file in C or VB, rename it to the filename of the malicious file, and copy it to the same location, overwriting the original file. The parent program will think the EXE is still there and won’t do anything.
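A read-only PowerShell pass over the two registry locations from steps 1 and 2, added here as an example and not part of the original write-up. The `Get-ExePath` helper and the report field names are hypothetical; the `Source` value name follows the description in step 2.

```powershell
# Read-only audit of the registry locations from steps 1 and 2.
# Nothing is changed; review the output before editing anything in regedit.
$runKey        = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$componentsKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'

function Get-ExePath([string]$Command) {
    # Run values are command lines: extract the executable, quoted or not.
    if ($Command -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

# Step 1: every program registered to start at boot.
$report = @()
$run = Get-Item -Path $runKey
foreach ($name in $run.GetValueNames()) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$run.GetValue($name))))
    if (-not $exe) { continue }
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    $report += [pscustomobject]@{
        Location = 'Run'
        Name     = $name
        Target   = $exe
        Exists   = $exists
        # An unsigned or missing file is a reason to look closer, not proof of anything.
        Detail   = if ($exists) { "signature: $((Get-AuthenticodeSignature -LiteralPath $exe).Status)" } else { 'file not found' }
    }
}

# Step 2: every Active Desktop component and the page it loads.
if (Test-Path -Path $componentsKey) {
    foreach ($component in Get-ChildItem -Path $componentsKey) {
        $source = [string]$component.GetValue('Source')
        if (-not $source) { continue }
        $isFile = Test-Path -LiteralPath $source -PathType Leaf
        # For a local HTML file, list the URLs it references instead of opening it.
        $urls = if ($isFile) {
            (Select-String -LiteralPath $source -Pattern 'https?://[^\s"''<>]+' -AllMatches).Matches.Value | Sort-Object -Unique
        }
        $report += [pscustomobject]@{
            Location = 'Desktop component'
            Name     = $component.PSChildName
            Target   = $source
            Exists   = $isFile
            Detail   = if ($urls) { "loads: $($urls -join ', ')" } elseif ($isFile) { 'local file, no URLs found' } else { 'not a local file' }
        }
    }
}
$report | Format-List
```

Saving the output before making changes gives you a record of each entry's original name and target in case a deleted entry turns out to belong to a legitimate program.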

 

 

Comments etc. mailto:cbelwal@yahoo.com