Understanding how Process Explorer’s dialogs and options work is all well and good, but how about using it to do some actual troubleshooting or to diagnose a problem? Today’s Geek School tutorial will help you learn how to do just that.
Not long ago, we started investigating all the kinds of malware and junk software that get installed whenever you don't pay attention during a software installation. Almost every free software product on the market, including "reputable" ones, bundles toolbars, terrible search hijackers or adware, and some of them are difficult to remove.
We've seen plenty of computers belonging to people we know that had so much spyware and adware installed that the PC barely booted. Loading a web browser in particular was next to impossible, because all of the adware and tracking software compete for resources while they steal your personal information and sell it to the highest bidder.
Naturally, we wanted to do some research into how some of them work, and there's no better place to start than the Conduit Search malware, which has claimed hundreds of millions of computers around the world. This nefarious horror hijacks the search engine in your browser, changes your home page, and, worst of all, takes over your New Tab page no matter which browser you use.
We'll start by looking at that, then show you how to use Process Explorer to troubleshoot "file in use" errors when a locked file or folder can't be deleted or moved.
Then we'll finish with another look at how some adware hides behind Microsoft processes these days so that it looks legitimate in Process Explorer or Task Manager when it actually isn't.
Investigating the Conduit Search Malware
As we mentioned, the Conduit Search hijacker is one of the most persistent, nasty and terrible things that almost every one of your relatives probably has on their computer. They bundle their software in obscure ways with whatever free software they can, and in many cases the hijacker gets installed even if you opt out during setup.
Conduit installs what they call "Search Protect", which they claim prevents malware from making changes to your browser. What they don't mention is that it also won't let you make any changes to your browser unless you use their Search Protect panel, which most people won't even know about since it lives in the system tray.
Conduit not only redirects all your searches to its own Bing-powered page, it also makes that page your home page. One can assume Microsoft is paying them for all this Bing traffic, since the redirected searches also carry query-string arguments after the ? that identify where the traffic came from.
Fun fact: the company behind this piece of junk is worth $1.5 billion, and JP Morgan has invested $100 million in them. It pays to be evil.
Conduit Takes Over the New Tab Page… But How?
Hijacking your search provider and home page is trivial for any malware. Where Conduit takes the evil a step further is that it somehow rewrites the New Tab page so that it shows Conduit even after you change every setting.
You can uninstall all of your browsers, or even install one you've never had before, such as Firefox or Chrome, and Conduit will still take over the New Tab page.
It doesn't take much geek skill to conclude that the culprit is the Search Protect application running in the system tray. Kill that process and suddenly your new tabs open exactly as the browser's developers intended.
But how exactly does it do that? There are no add-ons or extensions installed in any of the browsers. There are no plugins. The registry is clean. How do they do it?
That's where Process Explorer comes in. First we find the Search Protect process in the list, which is simple enough because its name gives it away, but if you're not sure, you can always drag the little crosshair (target) icon next to the binoculars onto the window in question, and Process Explorer will highlight the process that owns it.
Now you can select the process, which in this case was one of three started automatically by the Windows service that Conduit installs. How did I know the Windows service is what keeps restarting it? Because the row is pink, of course: Process Explorer colors rows pink for processes that host Windows services. Armed with that knowledge, I could always stop or uninstall the service (although in this particular case you can simply remove it from the Uninstall Programs section of the Control Panel).
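As an added example that is not part of the original article, here is the same pink-row question answered from PowerShell: which services, if any, live inside a given process, and whether its parent is a service process that would restart it. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt so the WMI queries see every process; the process name is whatever Process Explorer shows in its Process column, without the .exe.

```powershell
# Added example, not code from the original article: map a process to the services
# hosted in it (what a pink row in Process Explorer means) and to the services hosted
# by its parent (the thing that keeps restarting it). Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows, run elevated.
function Get-ProcessServiceInfo {
    param(
        # Image name as shown in Process Explorer, without the .exe
        [Parameter(Mandatory)][string]$Name
    )

    # One snapshot of services and processes; service rows carry the PID that hosts them.
    $services  = Get-CimInstance Win32_Service
    $processes = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $processes) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($p in $processes | Where-Object { $_.Name -eq "$Name.exe" }) {
        # ParentProcessId is only meaningful while the parent is still alive; PIDs get reused.
        $parent = $byPid[[uint32]$p.ParentProcessId]

        # Services running inside this very PID: this is what Process Explorer colors pink.
        $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }

        # Services running inside the parent PID: if present, that service spawned this process
        # and is the thing to stop or disable, not the child.
        $parentHosted = if ($parent) { $services | Where-Object { $_.ProcessId -eq $parent.ProcessId } } else { @() }

        [pscustomobject]@{
            PID             = $p.ProcessId
            Path            = $p.ExecutablePath
            CommandLine     = $p.CommandLine
            ParentPID       = $p.ParentProcessId
            Parent          = if ($parent) { $parent.Name } else { '<exited>' }
            HostsServices   = ($hosted.Name -join ', ')
            ParentServices  = ($parentHosted.Name -join ', ')
            ParentSvcStart  = (($parentHosted.StartMode | Select-Object -Unique) -join ', ')
            ParentSvcBinary = (($parentHosted.PathName  | Select-Object -Unique) -join ', ')
        }
    }
}

# Usage: Get-ProcessServiceInfo -Name '<name from Process Explorer>' | Format-List
#
# Once ParentServices names the service, stop it and keep it from coming back on reboot
# before killing its children, otherwise it just starts them again:
#   Stop-Service -Name '<ServiceName>' -Force
#   Set-Service  -Name '<ServiceName>' -StartupType Disabled
```

ParentSvcBinary is worth reading closely: a service whose PathName points into a user-writable folder rather than Program Files or System32 is already suspicious, and it is the path you want to hand to the uninstaller or to a file-quarantine step.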
Once you've selected a process, you can use the keyboard shortcuts CTRL+H or CTRL+D to open the Handles view or the DLL view, or use View -> Lower Pane View to do the same.
Note: in the Windows world, a "handle" is an integer value used to identify a resource such as a window, an open file, a process, or many other kinds of object. Every open application window on your computer, for example, has a unique "window handle" that code uses to refer to it. Handles to kernel objects (files, processes, registry keys and so on) are specific to the process that opened them, which is why Process Explorer shows them per process; window handles are the exception and are valid system-wide.
DLLs, or Dynamic Link Libraries, are shared pieces of compiled code stored in a single file so that multiple applications can use them. For example, instead of every application writing its own file open/save dialogs, they can all use the common dialog code Windows provides in comdlg32.dll.
Looking through the list of handles for a few minutes brought us closer to what was going on, because we found handles to the Internet Explorer and Chrome windows that were open on the test system. That confirmed that Search Protect does something with our open browser windows, but we needed to dig a little further to figure out exactly what.
The next thing to do is double-click a process in the list to open its Properties dialog, then go to the Image tab, which shows the full path to the executable, its command line, and even its current directory. We'll click the "Explore" button to open the installation folder and see what else is lurking there.
Interesting! We found several DLLs here, but for some odd reason none of them showed up in the DLL view for the Search Protect process when we looked at it earlier. This might be a problem.
Whenever you want to know whether a DLL is currently in use by any application on your system, open the search dialog from the Find menu, press CTRL+F, or simply click the binoculars icon on the toolbar. Then enter part of the DLL's name, or the full name if you like.
We decided to search only for the beginning, "SPVC", since that was the part the two names had in common, and sure enough, those DLLs are loaded directly into each of the browser processes running on our computer.
Clicking one of the items in the results and switching to the Threads tab confirmed what we suspected. Both Chrome and Internet Explorer were running threads that started in SPVC32.dll or SPVC64.dll from the Search Protect malware. That's how they hijacked our New Tab page: not by changing settings, but by hijacking the browser from within.
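The "Find Handle or DLL" search above can be scripted, which matters when you have a room full of relatives' PCs to check. As an added example that is not part of the original article, the PowerShell below does two things: it searches every process for a module whose name matches a pattern (as we did with "SPVC"), and it sweeps the browser processes for modules loaded from outside the browser's own folder and the Windows directory, for the case where you don't yet know what to search for. The browser name list is an assumption of the example, not from the article; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example, not code from the original article: Process Explorer's
# "Find Handle or DLL" search done from PowerShell, plus a sweep of browser processes
# that flags modules loaded from outside the browser's install folder and Windows.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Run it at the same bitness
# as the browsers you care about: a 32-bit PowerShell cannot read the module list of
# 64-bit processes, and protected processes deny access regardless.

# One row per (process, module) hit, including who signed the DLL, if anyone.
function New-ModuleReport($proc, $module) {
    $sig = Get-AuthenticodeSignature -FilePath $module.FileName
    [pscustomobject]@{
        Process   = $proc.ProcessName
        PID       = $proc.Id
        Module    = $module.ModuleName
        Path      = $module.FileName
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Find-LoadedModule {
    param(
        # Wildcard pattern for the module file name, e.g. 'SPVC*' or 'spvc32.dll'
        [Parameter(Mandatory)][string]$Pattern
    )
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # access denied or wrong bitness: skip
        foreach ($m in $modules) {
            if ($m.ModuleName -like $Pattern) { New-ModuleReport $proc $m }
        }
    }
}

function Get-ForeignBrowserModule {
    param(
        # Browser image names to inspect; assumed list, adjust to what you run
        [string[]]$BrowserName = @('chrome', 'iexplore', 'firefox', 'msedge')
    )
    $windir = $env:SystemRoot
    foreach ($proc in Get-Process -Name $BrowserName -ErrorAction SilentlyContinue) {
        try {
            $modules    = $proc.Modules
            $installDir = Split-Path -Parent $proc.Path
        } catch { continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            # Anything under the browser's own folder or under Windows is expected;
            # everything else was brought in by somebody other than the browser vendor.
            if ($path.StartsWith($installDir, [StringComparison]::OrdinalIgnoreCase) -or
                $path.StartsWith($windir,     [StringComparison]::OrdinalIgnoreCase)) { continue }
            New-ModuleReport $proc $m
        }
    }
}

# Usage:
#   Find-LoadedModule -Pattern 'SPVC*' | Format-Table -AutoSize
#   Get-ForeignBrowserModule | Sort-Object Path -Unique | Format-Table -AutoSize
```

Treat the sweep's output as a triage list, not a verdict: antivirus shims, input-method editors and shell-integration DLLs from Program Files will show up too. What you are looking for is the combination the article found, a module in a folder that no browser installed, unsigned or signed by a publisher you don't recognise, present in every browser at once.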
Note: in Windows, a thread is the unit to which the operating system allocates processor time. A process is what geeks and sysadmins usually think of as "the program", but technically only threads run in Windows, not processes. Some processes have a single thread of execution, while others have many threads that each run independently, usually coordinating through some kind of in-process communication mechanism.
You can also double-click any of the threads to see its full call stack, which is useful for seeing which functions are being called and working out what the problem is. For the stack to show function names rather than bare module offsets, point Process Explorer at the Microsoft symbol server under Options -> Configure Symbols.
You might be wondering how Search Protect got Google Chrome to load this DLL. The answer is that Windows provides APIs that let one process load a DLL into another, commonly called DLL injection, after which the injected code can intercept certain API functions. This is how some applications override Windows features or features of other applications. It's a very complex topic that we definitely can't get into in this tutorial, but if you really want to read more, you can check out this guide.
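What gives an injected DLL away on the Threads tab is that some thread's start address falls inside a module that has no business being in the browser. As an added example that is not part of the original article, the PowerShell below reproduces that check for one process: it queries each thread's Win32 start address and maps it onto the loaded-module list. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run at the same bitness as the target process (use the SysWOW64 powershell.exe for a 32-bit browser) and with rights to open its threads.

```powershell
# Added example, not code from the original article: list every thread in a process
# with its Win32 start address and the module that address falls in, which is what
# Process Explorer's Threads tab shows. Assumes Windows PowerShell 5.1 or PowerShell 7
# on Windows, run at the same bitness as the target and with rights to open its threads.
$nativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class ThreadNative
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(uint desiredAccess, bool inheritHandle, uint threadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // Information class 9 (ThreadQuerySetWin32StartAddress) returns the routine the thread
    // was created to run. .NET's ProcessThread.StartAddress instead reports the kernel-level
    // entry, which is the same ntdll stub for every thread and therefore useless here.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(IntPtr threadHandle, int infoClass,
        out IntPtr info, int infoLength, IntPtr returnLength);
}
'@
if (-not ('ThreadNative' -as [type])) { Add-Type -TypeDefinition $nativeSource }

function Get-ThreadStartModule {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # Snapshot the loaded modules once: [Base, End) for every image in the process.
    $modules = foreach ($m in $proc.Modules) {
        [pscustomobject]@{
            Name = $m.ModuleName
            Path = $m.FileName
            Base = $m.BaseAddress.ToInt64()
            End  = $m.BaseAddress.ToInt64() + $m.ModuleMemorySize
        }
    }

    foreach ($t in $proc.Threads) {
        $hThread = [ThreadNative]::OpenThread(0x0040, $false, [uint32]$t.Id)   # THREAD_QUERY_INFORMATION
        if ($hThread -eq [IntPtr]::Zero) { continue }                          # thread gone or access denied
        try {
            $start  = [IntPtr]::Zero
            $status = [ThreadNative]::NtQueryInformationThread($hThread, 9, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
            if ($status -ne 0) { continue }                                    # NTSTATUS failure: skip thread
            $addr  = $start.ToInt64()
            $owner = $modules | Where-Object { $addr -ge $_.Base -and $addr -lt $_.End } | Select-Object -First 1
            [pscustomobject]@{
                ThreadId     = $t.Id
                StartAddress = '0x{0:X}' -f $addr
                Module       = if ($owner) { $owner.Name } else { '<not inside any loaded module>' }
                ModulePath   = if ($owner) { $owner.Path } else { $null }
            }
        }
        finally {
            [void][ThreadNative]::CloseHandle($hThread)
        }
    }
}

# Usage: Get-ThreadStartModule -ProcessId (Get-Process chrome)[0].Id | Sort-Object Module | Format-Table -AutoSize
```

Read the Module column the way you would read the Threads tab: a thread starting in a DLL the browser vendor never shipped (SPVC32.dll in the article) is the injected one, and a thread that sits in no loaded module at all is running code that was written straight into memory, which is worth a much closer look than anything on this page.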