Removing SearchProtect32.dll malware the hard way

The days when you could install some software by just clicking the Next button like a madman are long gone. Back in the days, software programs were simple, you would download their setup, install it, and happily use it afterwards. Today, installing a piece of software is the most attention demanding thing in the world, you have to carefully read every step, make sure you opt out of all the additional programs/malware/toolbars/atomic bombs they are trying to shovel on your throat (what, you don’t believe me? try downloading and installing java, you are in for an extra toolbar in your favorite browser).

In most of the cases, even if you accidentally install one of these extra goodies, you can uninstall them via the windows uninstaller, or from the browsers extension page. However, I stumbled upon a browser extension which actively refused my efforts to make it go away.

Initial symptoms:

  • My browser start page was always
  • Starting the browser in incognito mode was no longer possible
  • When trying to start the browser in incognito mode, it would always open a new tab pointing to
  • Some websites started displaying obtrusive ads, sometime overlaying the content of the page

Initial countermeasures:

  • Went through the browser extension page and removed the Quick Start extension (as it was the only one I didn’t knew)
  • Went through the windows uninstaller but couldn’t find any suspicious programs (some people were able to find a program called RSHP which when uninstalled fixes the issue)
  • Went to the browser settings and reset the start page and search provider

After this first round of countermeasures, I managed to get rid of the initial browser page, however opening an incognito window would still open a new tab pointed to The obtrusive ads were still showing up, thus I concluded my job was not done.

Second wave of countermeasures:

At this point I tried all the easy ways out of the problem, and it was time to dive a little bit deeper.

Started Process Monitor and pointed it to the chrome.exe processes. After scanning through the generated activity, I encountered something out of the ordinary:

Suspicious activity

Suspicious activity


 SearchProtect32.dll is being loaded into memory, and since I don’t use protection when I search, I figured this is a promising lead to follow. Going to the C:\Program Files (x86)\SupTab I could find a file called RSHP.exe, now I was convinced I found the criminal.

Why does it get loaded into memory?

Started looking around the LoadImage operation to get some context, and I found a registry query for AppInit_DLLs, opening the registry value I found it contains “C:\PROGRA~2\SupTab\SEARCH~1.DLL“. This is what causes the SearchProtect32.dll to be loaded,  but, why?

After doing some reading about AppInit_DLLs everything made sense. The official Microsoft description for AppInit_DLLs states: “All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session“, wait, what have I just read? cannot comprehend…

Why would you provide such a functionality, why call it AppInit_DLLs when you can more intuitively call it MalwareWithoutBorders or PleaseInsertPathToMalware?

Relax they said, “Typically, only the Administrators group and the LocalSystem account have write access to the key that contains the AppInit_DLLs value. “, BUT, what if I told you that most installer software requires administrator privileges to run??

Cleaning up

Searched for some more documentation and found this description of the whole process.

At this point, my mind is blown and I just want to get this over with, and this is what I’ve done:

  • Disabled dll loading by setting LoadAppInit_DLLs to 0 (zero)
  • Required the potentially future loaded dlls to be signed with a digital certificate, by creating a value of type DWORD, naming it RequireSignedAppInit_DLLs and set it to 1 (one)
  • Cleared the value of AppInit_DLLs
  • I did this with a bitter taste in my mouth, as I know that any program running under admin privileges (e.g.:  malware installer) can change them as they desire, rendering my efforts futile
  • Removed the C:\Program Files (x86)\SupTab directory
  • Of course I couldn’t remove the SupTab directory as the damn dll is contained in … … probably most of the processes I have running at the moment (thanks M$), therefore I had to schedule the deletion of the file on the next boot (I used this to schedule the deletion, you can read more about removing locked files here).
  • Reboot

Who is responsible for this great peace of software you might ask, as it turns out, all the files were digitally signed and here’s a print screen of the digital signature information

Digital signature information

Digital signature information


If you feel like writing an email to and thank the very author of this rubbish piece of software, I won’t judge…

2 comments on “Removing SearchProtect32.dll malware the hard way

  1. Christian Holm Maagaard August 7, 2014 07:28

    You for sure knows how to have fun! ;-)
    I don’t think it would be a good idea to write to Zhang with your everyday email .. just a tip :-)
    (Cosmin, your “read more” link need to be fixed)

  2. Cosmin Lazar August 7, 2014 08:33

    Several antiviruses weren’t detecting the malware, then I tried some malware removal tools, and eventually I had to take matters in my own hands. But, can’t really say I didn’t had fun while doing it :)
    (fixed the read more link)

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>