More Spyware Fun

Posted on December 23, 2004

I had to remove a few more spyware infections this week, and I actually learned a couple more tricks in the process. On one machine, something called “WINLOGON.EXE” was started from the little-known registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. This process seemed to be moving the focus from the currently selected application to itself periodically, perhaps as a method to gather passwords and account numbers. It seems that most spyware masks its invocation by adding a subkey to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or, when it’s really being tricky, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Recently, it appears that some spyware authors have discovered how to use this Explorer policy key, as well as registering their malware as a service and using the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices key, as ways to conceal it from the user.
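
As an added illustration (not part of the original post, and not one of the tools it mentions), the Python script below reads the text of a registry export (a .reg file, as produced by regedit’s File → Export) offline and lists every value under the autostart keys named above. It flags two things a technician cleaning a machine would want to see at a glance: anything at all under the Policies\Explorer\Run key, and an image whose file name borrows that of a Windows component (such as WINLOGON.EXE) but does not live in the system directory. The sample export, the list of borrowed names and the system-directory prefixes are constructed assumptions for the example.

```python
"""Triage autostart entries in a Windows registry export (.reg text).

Added example, not code from the post: parse the export offline and report
every value under the autostart keys the post names. The sample export, the
list of 'borrowed' system binary names and the system directory prefixes are
constructed for illustration.
"""
import ntpath
import re

# Autostart keys named in the post; matched case-insensitively.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

# Assumed: Windows component names that spyware borrows. The genuine binaries
# live in the system directory, so the same name elsewhere is worth a look.
BORROWED_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# "name"="data" or @="data"; data is captured raw and decoded below.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for REG_SZ values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        data = m.group("data")
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values cannot be image paths
        name = m.group("name") if m.group("name") is not None else "(Default)"
        # .reg escapes '"' and '\' with a backslash; undo that.
        decoded = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        yield key, name, decoded


def image_path(command):
    """Return the program path from a Run-value command line.

    A quoted path is taken up to its closing quote; otherwise the first
    whitespace-delimited token (an unquoted path containing spaces is ambiguous).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def triage_autostarts(reg_text):
    """Return one finding per autostart value: key, name, image and reasons to inspect it."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        if key.lower() not in wanted:
            continue
        path = image_path(command)
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        reasons = []
        if key.lower().endswith(r"\policies\explorer\run"):
            reasons.append("started from Policies\\Explorer\\Run, which legitimate software rarely uses")
        if base in BORROWED_NAMES and not folder.startswith(SYSTEM_DIRS):
            reasons.append(f"{base} outside the system directory ({folder or 'no path given'})")
        findings.append({"key": key, "name": name, "image": path, "reasons": reasons})
    return findings


# Constructed sample export: one benign entry, one masquerading svchost.exe in a
# user profile, and a WINLOGON.EXE under the Explorer policy key as in the post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMixer"="C:\\WINDOWS\\system32\\sndvol32.exe /tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Documents and Settings\\user\\Application Data\\svchost.exe\" -q"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\WINDOWS\\WINLOGON.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example Application"
'''

if __name__ == "__main__":
    for f in triage_autostarts(SAMPLE_EXPORT):
        flag = "CHECK" if f["reasons"] else "  ok "
        print(f"{flag} {f['key']}\\{f['name']} -> {f['image']}")
        for r in f["reasons"]:
            print(f"        {r}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file’s contents; exporting the keys before and after a cleanup and diffing the two reports is a quick way to confirm the Run entries really are gone. The name-borrowing check is a heuristic: it tells you where to look, not whether the file is malicious.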

Of course, in addition to the obligatory registry key deletions, I employed the usual cadre of tools to scan and delete various files and registry keys off the system. Typically, I use Ad-Aware, Spybot, and HijackThis before and after I go in and ensure that the Registry Run keys have been eliminated.

In addition, I use Sysinternals’ Process Explorer to profile the running process list. Sysinternals don’t seem to have updated the tool in a long time, but it’s still useful for seeing what’s known to be good versus what’s unknown. The only problem is that DLLs registered as services are run by svchost, which is a harmless Windows executable, but it can be running a malevolent DLL. So, Process Explorer’s assessment is slowly becoming useless as a way to profile your process list.

At any rate, by brute force or removal applications, I was able to fix two machines. I’ve been saying it for a long time: the best way to prevent these sorts of infections is to use Internet Explorer’s Security Zones, Proxomitron, and, when possible, Firefox.
