A pleasant walk through computing


How to remove Savernet (and similar) Chrome extension

My wife has had several incidents of extensions being installed in Google Chrome that serve up popup ads. One common installation is “savernet.” She’s a careful computer user not given to just answering “yes” to installing anything. We have a working hypothesis: at her school, she sometimes lets students log into their Chrome accounts to access documents. It’s possible those students have bad extensions, which then get installed on her computer in such a way that they load when she logs back in with her own account.
We’ve set her Chrome profile to not synchronize extensions (shown later). Here’s how I fully removed the bad extension from her home machine. There are three sections: Discovery, Removal, and Extra Info.

Discovery

Before removal, there are several places to check for the extension and its impact. But first, here’s an example of the lovely popups. My wife’s not, to my knowledge, interested in Asian beauties.

Opening the Extensions page via the URL chrome://extensions will not show any previous extensions. There’ll be an oddly named one, though. Enable Developer mode to see the extension’s unique identifier, which we might need later.
Checking About Google Chrome shows that the extension also prevents Chrome from auto-updating!
From the Windows Control Panel, open Add/Remove Programs and sort by date; you’ll see savernet installed.
I found the extension’s executable files in C:\ProgramData, which is hidden by default. To view hidden folders:

  1. Open Windows Explorer
  2. Choose View > Options > Change folder and search options
  3. In the View tab, select “Show hidden files, folders, and drives”

This is what I found.
In Windows Explorer, with the C: drive selected, Search for *.crx. This may take a few minutes. Be sure you’re showing hidden files/folders. These are extension installation files, and it’s normal to have some. We’re looking for something out of place. For example, I once found one in C:\ProgramData\Local\Google\Drive. Any matches to the extension’s unique identifier from above? (In my case, everything was fine.)
Advanced Users!: Open regedit. From the keyboard, you can do this using the WIN-R keyboard shortcut and typing “regedit”. You may be prompted for Administrator privileges.
In regedit, select “Computer” at the top of the tree, then Edit > Find, and search for “savernet”. You might elect to remove some keys later, but it’s not necessary since the executables will be gone.
Finally, in regedit, open the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies. You’ll find a Google policy. That’s what’s preventing the automatic updates.
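As an added example (my own script, not a tool the post uses), here is a read-only PowerShell audit that walks the same places the Discovery section checks: the extension folders of the Chrome profile (folder name = extension ID), every value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google, the Add/Remove Programs entries, hidden folders under ProgramData, and stray .crx files outside the profile. The parameter and variable names are my own, and the default profile path is an assumption for a standard per-user Chrome install.

```powershell
# Read-only audit of the places the Discovery section checks. Written for this
# post, not a tool the post uses; function and parameter names are my own.
param(
    [string]$Suspect = 'savernet',   # name fragment from the post; change as needed
    [string]$ChromeProfile = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"  # assumed default profile path
)

Write-Host "== Installed Chrome extensions (folder name is the extension ID) =="
$extRoot = Join-Path $ChromeProfile 'Extensions'
if (Test-Path $extRoot) {
    Get-ChildItem $extRoot -Directory | ForEach-Object {
        # Each version folder carries a manifest.json; localized names show as __MSG_...__
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { '?' }
        [pscustomobject]@{ Id = $_.Name; Name = $name }
    } | Format-Table -AutoSize
}

Write-Host "== Values under HKLM\SOFTWARE\Policies\Google (a home PC normally has none) =="
$policyRoot = 'HKLM:\SOFTWARE\Policies\Google'
if (Test-Path $policyRoot) {
    # Chrome's ExtensionInstallForcelist entries and Google Update policies both
    # live in this subtree, so dump every value recursively rather than guessing names.
    foreach ($key in @(Get-Item $policyRoot) + @(Get-ChildItem $policyRoot -Recurse)) {
        foreach ($valueName in $key.GetValueNames()) {
            '{0}  {1} = {2}' -f $key.Name, $valueName, ($key.GetValue($valueName) -join ', ')
        }
    }
}

Write-Host "== Add/Remove Programs entries matching '$Suspect' =="
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$uninstallRoots | Where-Object { Test-Path $_ } | ForEach-Object { Get-ItemProperty "$_\*" } |
    Where-Object { $_.DisplayName -like "*$Suspect*" -or $_.PSChildName -like "*$Suspect*" } |
    Select-Object DisplayName, InstallDate, UninstallString | Format-List

Write-Host "== Folders under ProgramData matching '$Suspect' (hidden ones included) =="
Get-ChildItem $env:ProgramData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Suspect*" } | Select-Object FullName

Write-Host "== .crx files outside the Chrome profile (slow on a large drive) =="
Get-ChildItem 'C:\' -Recurse -Force -File -Filter *.crx -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$ChromeProfile*" } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Nothing here writes to disk or the registry, so it is safe to run before deciding what to remove; compare the extension IDs it lists against the oddly named entry on chrome://extensions, and treat any value at all under Policies\Google on a home machine as something to explain.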

Removal

Uninstall the Savernet application.

Delete the C:\ProgramData\Savernet folder (and any other bad ones).

Uninstall the Chrome extension.

Close Chrome using CTRL-Q or from the menu. DON’T just click the window’s “x”.

Open Control Panel > Internet Options and, ideally, reset all. If you use IE a lot, this may be a problem. I don’t know how to just uninstall an IE add-in. If you use Firefox, you need to remove the extension in that browser, too.

Delete the Policies\Google registry key. Be careful! Only select the “Google” key, then press delete. Selecting/deleting the wrong thing can cause serious problems!

Advanced: I found an entry for “savernet” in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations, which I deleted.

Reopen Chrome and open the About Google Chrome page. If asked to update, go ahead.

Advanced: If desired, delete savernet-related registry keys.

Empty your Windows Recycle Bin, just to be on the safe side.
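For the registry and file-system parts of the removal, here is an added PowerShell script of my own (not something the post used) that does the same steps with a backup first: export the keys it will touch, delete only the Policies\Google key, delete the matching ProgramData folder, and filter the suspect out of PendingFileRenameOperations while keeping that value's source/destination pairs aligned. The parameter names and the backup folder are my own choices; the post's key under ControlSet001 is reached here through the CurrentControlSet alias.

```powershell
# Scripted form of the removal steps above. Written for this post, not a tool
# the post uses. Run from an elevated PowerShell with Chrome closed; with -WhatIf
# it only reports what it would change. Names are my own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Suspect   = 'savernet',
    [string]$BackupDir = "$env:USERPROFILE\Desktop\reg-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The post found the entry under ControlSet001; CurrentControlSet is the live alias.
$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Google'

# 1. Export the keys about to be touched so the change can be undone by importing the .reg file.
if (Test-Path $policyKey) {
    reg.exe export 'HKLM\SOFTWARE\Policies\Google' "$BackupDir\policies-google.reg" /y | Out-Null
}
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' "$BackupDir\session-manager.reg" /y | Out-Null

# 2. Delete only the Google policy key (the post's warning: select the right key).
if (Test-Path $policyKey) {
    Remove-Item $policyKey -Recurse      # honours -WhatIf through SupportsShouldProcess
}

# 3. Delete the dropped program folder(s) under ProgramData.
Get-ChildItem $env:ProgramData -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Suspect*" } |
    Remove-Item -Recurse -Force

# 4. Drop the suspect's entries from PendingFileRenameOperations. The value is a
#    REG_MULTI_SZ of source/destination pairs, so filter in pairs to keep it aligned.
$pending = (Get-ItemProperty $sessionKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    $kept = @()
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $pair = @($pending[$i])
        if ($i + 1 -lt $pending.Count) { $pair += $pending[$i + 1] }
        if (($pair -join ' ') -notlike "*$Suspect*") { $kept += $pair }
    }
    if ($kept.Count -lt $pending.Count -and $PSCmdlet.ShouldProcess($sessionKey, 'rewrite PendingFileRenameOperations')) {
        if ($kept.Count -gt 0) {
            Set-ItemProperty $sessionKey -Name PendingFileRenameOperations -Value ([string[]]$kept) -Type MultiString
        } else {
            Remove-ItemProperty $sessionKey -Name PendingFileRenameOperations
        }
        "Removed $($pending.Count - $kept.Count) PendingFileRenameOperations strings mentioning '$Suspect'"
    }
}

"Backups are in $BackupDir. Reopen Chrome and check About Google Chrome for updates."
```

Uninstalling the application and the Chrome extension are still done through Control Panel and chrome://extensions as described above; the script covers only the parts where a slip of the mouse in regedit would hurt, which is why every write is behind the backup and -WhatIf.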

Here’s the Extensions page after cleanup, showing the expected extensions.

Extra Info

Don’t Sync Extensions

You can prevent Chrome from synchronizing certain items. Open Chrome Settings > Advanced sync settings and uncheck as desired.

Incognito Mode

This might help my wife stay safe and yet allow her students to retrieve work in an emergency. To open Chrome in Incognito mode, which prevents loading extensions:
If pinned to the taskbar, right-click and choose Open New Incognito Window
Otherwise, press Win-R to open the Run dialog and enter:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --incognito
The little spy guy shows you’re incognito.

Prevent Word from Restoring Minimized Documents

This has been bugging me, and today I finally researched a solution. When using Word (and, possibly, other Office apps), if one or more documents are minimized and then a new document is opened, the minimized documents are restored. You can easily imagine how irritating this is. I’ve seen this behavior in SQL Management Studio as well.

There are two solutions (with attribution links) below, depending on your version of Word. As far as I can tell, these are independent of which Windows version is installed. Note that it’s important to update the registry keys for both docx and doc file types.

Word 2010 and later

http://answers.microsoft.com/en-us/office/forum/office_2007-word/how-do-i-prevent-word-from-redisplaying-multiple/3b7594f1-0c1e-4108-9d5f-ced532781812?page=12

(The encoded command value may differ depending on your installation.)

My registry had these settings under HKEY_CLASSES_ROOT\Word.Document.12\shell\Open\command:

Default: "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" /n "%1" /o "%u"

Command: yh1BV5!!!!!!!!!MKKSkWORDFiles>!2-1&m&8y@Nmo2r)^f-C /n "%1" /o "%u"

I changed them to this, removing the /o "%u" and adding /q before /n to suppress the splash screen:

Default: "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" /q /n "%1"

Command: yh1BV5!!!!!!!!!MKKSkWORDFiles>!2-1&m&8y@Nmo2r)^f-C /q /n "%1"

I did the same for HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\command, and am now able to open other files without restoring or maximizing other minimized Word .doc or .docx files.

Word 2007 and earlier

http://superuser.com/a/118967

You can fix this problem by blocking Word from using DDE to open files.

In the HKEY_CLASSES_ROOT\Word.Document.12\shell\Open key:

  • Delete or rename the ddeexec sub-key

In the HKEY_CLASSES_ROOT\Word.Document.12\shell\Open\command key:

  • Delete or rename the command value (not to be confused with the command key.)
  • Edit the (Default) value and add "%1" (including quotes) at the end

[clf note: some authors recommend changing /n /dde to /q /n “%1”. I think the /q might make a difference in Win7+.]

This solves the problem for .docx files. If you also want to solve it for .doc files, do the same thing for Word.Document.8.
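Since the Word 2010+ change has to be repeated by hand for both ProgIDs, here is an added PowerShell script of my own (not from either linked thread) that applies exactly that edit to Word.Document.12 and Word.Document.8: it exports each command key first, removes the /o "%u" switch and inserts /q before /n in both the (Default) value and the encoded command value, and preserves each value's registry type. The parameter name and the backup location in %TEMP% are my own choices; the encoded command string is read from your registry, not assumed.

```powershell
# Applies the Word 2010+ registry change from this post to both ProgIDs, backing
# each key up first. Written for this post, not from either linked thread.
# Run elevated. Only the values the post names ((Default) and command) are touched.
param([string[]]$ProgIds = @('Word.Document.12', 'Word.Document.8'))

foreach ($progId in $ProgIds) {
    $keyPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell\Open\command"
    if (-not (Test-Path $keyPath)) { Write-Warning "$keyPath not found, skipping"; continue }

    # Backup: double-click the .reg file to restore the original values
    reg.exe export "HKCR\$progId\shell\Open\command" "$env:TEMP\$progId-command.reg" /y | Out-Null
    $key = Get-Item $keyPath

    foreach ($valueName in @('', 'command')) {       # '' addresses the (Default) value
        if ($key.GetValueNames() -notcontains $valueName) { continue }
        $kind = $key.GetValueKind($valueName)
        $old  = @($key.GetValue($valueName))           # one string, or several for REG_MULTI_SZ
        $new  = $old | ForEach-Object {
            $s = $_ -replace '\s*/o\s+"%u"', ''        # drop the /o "%u" switch
            # Insert /q ahead of /n unless it is already present
            if ($s -notmatch '(^|\s)/q(\s|$)') { $s = $s -replace '(\s)/n(\s|$)', '$1/q /n$2' }
            $s
        }
        if (($new -join "`n") -eq ($old -join "`n")) { continue }   # nothing to change
        $value = if ($kind -eq 'MultiString') { [string[]]$new } else { [string]($new -join '') }
        $displayName = if ($valueName) { $valueName } else { '(Default)' }
        Set-ItemProperty -Path $keyPath -Name $(if ($valueName) { $valueName } else { '(default)' }) -Value $value -Type $kind
        '{0} [{1}]: {2}' -f $progId, $displayName, ($new -join ' | ')
    }
}
```

Given the post's original value `"...\WINWORD.EXE" /n "%1" /o "%u"`, the two replacements produce `"...\WINWORD.EXE" /q /n "%1"`, the same result the post arrived at by hand; a value that already has /q and no /o is left untouched, so the script is safe to run twice.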

Thanks to: Rafael's Within Windows which has detailed instructions.

Clever Phish

I received this email yesterday (links altered for safety).

From: info@gruppobertoli.it
Thanks for shopping with us today! Your purchase will be processed shortly.
BILLING DETAILS
Purchase Number: SGF578308436
Order Date: 7.46 Thu, Sep 18, 2014
Customer Email: charles@example.com
Outright Purchase: 4687 USD
Get details
Please click the link provided at the top to get more info about this issue.

Of course, I checked the domain and I'd never heard of it. But nothing came up immediately when searching "gruppo bertoli spam". I was pretty sure it was a phishing email, but it was possible someone stole my identity. Unlikely, though, given the weirdness of the email.

Next, I hovered over the link to see its target. It's a Dropbox location. I opened IE in InPrivate Browsing mode for some added safety. Then I copied the link and pasted it into the address bar. (I've obfuscated the link so it doesn't work anymore.)

https://www.dropbox.com/s/XXXXXzddrc2a4k/Order_AA9883.zip?dl=1

I removed the file part of the path, just to see if the Dropbox folder would open. Nope. So, I can see they want me to download a zip file. I'm OK with that, because I won't open it yet.

I downloaded the zip file, then opened—but didn’t extract!—it using 7-zip. Huh. At first glance it's a PDF—with a funny extension. Also, the packed size is the same as the file size. But this might be true for a PDF since they’re binary files, and besides most people won't open in 7-zip, they’ll use Windows Explorer.


OK. I extracted the file but, of course, didn’t double click it to open.

Now, I looked at the file in Windows Explorer and it really does look like a PDF. 


Why? Because the clever bastards have added a bunch of spaces to hide the real extension. Here's the real file name.

"PAYMENT DETAILS.PDF                                                                                _27102.scr"

Windows (and Mac) by default don't show extensions, anyway, so many will be fooled by a file that advertises itself as a PDF. What's worse, most people don't show their file listings in Detail view, so they wouldn't see the Type, which is the giveaway.

What is it really? It's a screen saver, which is just an executable with a different extension. If I'd launched it... well, who knows? A screen saver can install a trojan. Hopefully my Windows Defender would have kicked in, but there's no guarantee.
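The same inspection can be done without extracting anything. As an added example (my own code, not part of the original post), the PowerShell below opens a zip read-only with .NET's ZipFile class, lists each entry with its packed and unpacked sizes (the post noticed these were equal), and flags names that use the trick described above: a decoy document extension, a long run of spaces, then a real executable extension. The sample zip is constructed in %TEMP% with harmless text and a name modelled on the post's; the list of runnable extensions and the function names are my own.

```powershell
# Looks inside a zip attachment without extracting it and flags entry names that
# hide a runnable extension behind a decoy extension and padding spaces.
# Written for this post; the sample zip is constructed below in $env:TEMP and
# contains placeholder text, not the original attachment.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows runs on double-click (my own list, not exhaustive)
$script:RunnableExt = '.scr', '.exe', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js', '.jse', '.hta', '.lnk'

function Test-DisguisedName {
    param([string]$Name)
    $reasons = @()
    $ext = [System.IO.Path]::GetExtension($Name).ToLower()      # the extension Windows actually honours
    if ($script:RunnableExt -contains $ext) { $reasons += "real extension is $ext" }
    if ($Name -match '\.\w{2,4}\s{5,}')     { $reasons += 'decoy extension followed by a run of spaces' }
    if ($Name -match '\.(pdf|docx?|xlsx?|jpe?g|png|txt)\b.*\.\w+$') { $reasons += 'double extension' }
    $reasons
}

function Get-ZipFindings {
    param([string]$ZipPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            $why = @(Test-DisguisedName $entry.Name)
            [pscustomobject]@{
                Name       = $entry.FullName -replace ' {3,}', ' <spaces> '   # make the padding visible
                Size       = $entry.Length
                Compressed = $entry.CompressedLength     # the post noted packed size == file size
                Suspicious = ($why.Count -gt 0)
                Reason     = ($why -join '; ')
            }
        }
    } finally { $zip.Dispose() }
}

# --- constructed sample: one disguised name modelled on the post, one ordinary PDF name ---
$sample = Join-Path $env:TEMP 'Order_SAMPLE.zip'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    $names = @(('PAYMENT DETAILS.PDF' + (' ' * 80) + '_00000.scr'), 'invoice.pdf')
    foreach ($n in $names) {
        $writer = New-Object System.IO.StreamWriter($archive.CreateEntry($n).Open())
        $writer.Write('placeholder text, not a real file'); $writer.Dispose()
    }
} finally { $archive.Dispose() }

Get-ZipFindings $sample | Format-Table -AutoSize -Wrap
```

Pointing Get-ZipFindings at a real download gives the same view 7-zip gave the post's author, but with the three tells spelled out in the Reason column; the padded name shows up as "PAYMENT DETAILS.PDF <spaces> _00000.scr" with Suspicious set to True, while invoice.pdf passes. The check is on the name only, so a clean result says nothing about the content; it is a first filter, not a verdict.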

This was a good reminder lesson to me. These jerks used the psychology of stage magic: misdirection and plausibility. It looks real, until it's not.