Ah, this explains what happened to my girlfriend who was using bittorrent to download bundles of academic papers.
I couldn't figure out why all of her search and homepage settings had changed, and how they were so resilient that they were re-applied.
I did find SearchProtect, and eventually managed to remove it (uninstalls, + registry hacking, + force deleting files, + nuking the browser installs and re-installing).
But I hadn't figured out where it had come from as my girlfriend didn't believe that she'd installed anything and although I saw uTorrent I thought nothing of that since I didn't believe it installed such `add-ons`.
For those who encounter this, SearchProtect is really nasty. Really hard to remove.
Currently have the same problem on one of my machines. Luckily, I knew already about the culprit.
Really nasty stuff -- never using uTorrent again. Was already getting annoyed by latest updates and ads anyway.
To save me (still have to remove SearchProtect) and others here some time... any pointers to website or other reference on how to really remove this thing?
I'm afraid I can't help a great deal as it was a one-off brute force effort.
Most Googling finds pages telling you to download this or that scan and remove tools. But I'm wary of doing that.
What I manually did was roughly:
1) Use SysInternals Process Explorer to check for and kill any monitoring process
2) Use SysInternals Autoruns to find and remove all autorun info that I didn't recognise and to identify which executables may be doing it
3) Uninstall component through control panel
4) Restart
5) Change home page settings in browsers (restart, and observed that it only worked until the browser restarted)
6) Removed all browser plugins and extensions on all browsers, where I didn't recognise the extension
7) Repeat #5
8) Viewed source of Firefox browser config and still couldn't find it, but found Chrome had some crappy values referring to this stuff
9) Downloaded Chrome and Firefox, then uninstalled Chrome and Firefox. Deleted all local profile folders from %APP_DATA% and other hidden locations.
10) Manually entered the registry and deleted anything I identified as Search Protect, conduit, Firefox, and Chrome.
11) Manually delete any files identified by anything in the registry or earlier steps
12) Reboot
13) Install Chrome and Firefox
Thankfully my girlfriend doesn't use IE, so aside from purging all extensions and resetting all defaults, I didn't have to concentrate on that.
Interestingly, Chrome proved more susceptible to this than Firefox. Firefox scrubbed clean fairly quickly, but it was Chrome that really seemed determined to change search provider and home page. We chose to nuke her sync'd profile and the local copy entirely, and then install everything from fresh.
This was a huge time-suck, and it's been years since I wandered through the registry... not fun.
PS: And yes, I've told my girlfriend to organise her backups, ensure she's got everything and in a week or two we'll do the full reinstall thing. Sucks that she has to use Windows, but that's academia in the UK for you.
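The removal procedure above, as an added read-only audit script in PowerShell (not the commenter's own, and not a tool from the thread): it lists Run keys, services, scheduled tasks and browser policy values matching the names this thread mentions, so you can see what is re-applying the settings before deleting anything. It assumes an elevated prompt on Windows 8 or later (for Get-ScheduledTask) and that SearchProtect and Conduit are the only names to search for; adjust the keyword list otherwise.

```powershell
# Added example (not from the thread): read-only audit, deletes nothing; run elevated.
param([string[]]$Keywords = @('SearchProtect', 'Conduit'))  # names taken from the thread
$pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
function Test-Hit([string]$Text) { return ($Text -match $pattern) }

# 1) Run/RunOnce keys (a subset of what Autoruns enumerates in step 2).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not an autorun entry
        if ((Test-Hit $p.Name) -or (Test-Hit "$($p.Value)")) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 2) Services and scheduled tasks: the process that re-applies the settings after
#    step 5 is normally started from one of these rather than from a Run key.
Get-CimInstance Win32_Service |
    Where-Object { (Test-Hit $_.Name) -or (Test-Hit $_.DisplayName) -or (Test-Hit "$($_.PathName)") } |
    ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Value = $_.PathName } }
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ((Test-Hit $task.TaskName) -or (Test-Hit $cmd)) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Value = $cmd }
        }
    }
}

# 3) Browser policy keys. A homepage or search provider forced here overrides the
#    browser UI, which is one way a change like step 5 keeps reverting. On a home
#    machine these keys are normally absent, so every value found is listed.
$policyKeys = @('HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome',
                'HKLM:\SOFTWARE\Policies\Mozilla\Firefox', 'HKCU:\SOFTWARE\Policies\Mozilla\Firefox')
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep a record of what was found before you start removing entries.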
> Once "they've" run malware on your machine it's no longer your machine and nothing can be trusted. Wipe and re-install, then very carefully restore backups of data.
That is a general rule for malware that you do not know anything about.
However, the SearchProtect install bundled with µTorrent is only malware to the extent that it prevents you from changing your browser defaults. It is not believed to exhibit the other characteristics of malware. It is annoying, scammy, scummy, evil, etc. -- but it does not appear to compromise your system badly enough to require a reformat and clean install.
It's just one step beyond accidentally installing the Ask Toolbar with a new Java install. Yes, it is theoretically possible that it could've taken over your machine. But most likely not.
P.S. Take a look at the Wikipedia page for SearchProtect. Specifically, History and Talk. There's one high-up editor who's been stonewalling any attempt to add a Criticism section, on the basis that Wikipedia cannot link to user posts.
When it comes to what you should use as a replacement, I highly recommend Deluge as a replacement. It's totally open source, really well architected, has tons of add-ons for power users, and has a slick interface.
It's super robust. I have a server that's currently seeding 200+ torrents (all Linux distros and other freely available material) at a constant 80mbps+ and it is still very snappy, even on the very underpowered machine that it's running on.