
Malicious Internet Explorer plugin

Paul C. Anagnostopoulos

I visited some site yesterday that dropped all sorts of crap onto my machine as plugins to Internet Explorer. Ad-Aware has eradicated everything, I think, except for some plugin that finds interesting words on pages (e.g., sex, popup) and puts links behind them to things like dating services. Has anyone seen this and can you help me get rid of it?

Why would people do stuff like this? Do they think I'll be happy with it and follow the links?

~~ Paul
 
I checked all recently installed DLLs and found all sorts of junk, but renaming them didn't solve the problem. Where can malware be ensconced besides .dll files?

~~ Paul
 
I agree with SpaceFluffer. Unless you plan to become a malware expert, then Ad-aware, SpyBot, and HijackThis! are the 3 tools to use when dealing with malware. (and I use them in the order I just listed them, too)


Luceiia
 
Paul C. Anagnostopoulos said:
I checked all recently installed DLLs and found all sorts of junk, but renaming them didn't solve the problem. Where can malware be ensconced besides .dll files?

~~ Paul

Well, Shockwave files (.swf) would be the next place to look. Allowing your browser to download and execute DLLs is nuts, you really should disable ActiveX and Java in IE.
 
Preventing this is easy without disabling ActiveX or Java.

1) Set your Advanced stuff properly. Disable install on demand. Disable third party browser extensions, unless you really want to use one.

2) Disable all third party cookies.

3) Download SpywareBlaster. It's free, it's not a background task. It killbits spyware in the registry. The spyware never gets near your system. The only thing is that you should check for updates regularly, and rerun it when it is updated.

4) Download SpywareGuard. This is also free. It provides real time protection against spyware, but doesn't hog a lot of resources to do so.

5) AdAware, Spybot S&D, and HijackThis are worthy programs. I recommend them highly. The problem is that they (well, the free versions) don't protect you from getting this crap in the first place. They are scanners. That's fine, every anti-spyware proggie occasionally misses some things. But it is a lot of work, especially if you aren't a geek, to go through those logs and figure out what is legit and what you should remove. AdAware is the most user friendly, but isn't the most robust.

Don't get me wrong, I run these programs occasionally, too. But SB and SG have kept my machine pretty clean, they hardly ever find anything when I do run them.
 
Luceiia said:
I agree with SpaceFluffer. Unless you plan to become a malware expert, then Ad-aware, SpyBot, and HijackThis! are the 3 tools to use when dealing with malware. (and I use them in the order I just listed them, too)

I agree. The Holy Trinity, so to speak... :)
 
Graculus,

Enable install on demand (IE) was disabled.

Enable install on demand (Other) was enabled; now disabled.

Enable third-party browser extensions was enabled; now disabled. Will this screw up the Google toolbar?

Why doesn't IE prompt whenever it installs an extension? Isn't that obvious?

I'll check out SpywareBlaster.

~~ Paul
 
Graculus, that fixed it. Unfortunately, so much for the Google toolbar. Now I'll get SpywareBlaster and see if it can find the plugin.

~~ Paul
 
Well, SpywareBlaster didn't turn it off, so I still have disable third-party extensions. That's really annoying, because I'm addicted to the Google extension.

I'll try Spybot.

Where could this thing be lurking except in a DLL?

~~ Paul
 
A *partial* list of extensions
http://antivirus.about.com/library/blext.htm

A .dll does not have to even have a .dll extension to be loaded. Many Windows file formats, including .AVI have well-known buffer underrun/overrun exploits in the Windows handlers. AVI and other Windows Media files can internally specify CODECs that end up executing payloads instead. Any MS office format document potentially contains script code that can install and run executable content as well.

My recommendation would be to use Mozilla/Firefox or Opera to do your web browsing.

The JAVA runtime from SUN is just fine. Javascript is a BIG TIME security nightmare.

For NT, Win2000, or XP:
NEVER browse the web with Administrator privileges. This is a little inconvenient when you want to do a virus scan or run many other tools, as you'll have to log off and log on as 'Administrator' and give it a password to do it. It also means that most kinds of security exploits that seek to install software will also fail.

For Win95/98/ME: You're screwed.
 
Paul, do you have a recent restore point? If nothing else you could compare the registry with what you have now. Might show something significant.

To the holy trinity of spyware scanners might I add "Pestpatrol?"
 
Now I think I've got it. It's a remnant of the damn Begin2Search toolbar that was installed on my system: winb2s32.dll. HijackThis helped me find it.

Thanks, folks!

~~ Paul
 
I have fun with them at work all the time. You can find a lot of them loading in the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

This is what loads when your computer starts. It's common to all Windows Operating Systems.

In addition to that there are also these locations:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

Some of this spyware must be removed manually. HiJack provides a nice user interface for it.
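
A read-only audit of the four Run and RunOnce keys listed in the post above, added here as an example and not part of the original thread. It reports which file each entry actually loads (including the DLL behind a rundll32 entry), whether that file exists, and its Authenticode status; the function names Get-AutorunTarget and Get-AutorunEntry are hypothetical helpers.

```powershell
# Added example: read-only audit of the four autorun keys named in the post above.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunTarget {
    # Hypothetical helper: pull the file that actually gets loaded out of a command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # rundll32 entries load a DLL; report the DLL, not rundll32.exe itself.
    if ($cmd -match 'rundll32(\.exe)?"?\s+"?([^",]+)') { return $Matches[2].Trim() }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }            # quoted path
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]                                    # fallback: first token
}

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }         # key may not exist
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $target  = Get-AutorunTarget $command
            # A bare file name carries no directory; try to resolve it through PATH.
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                $found = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                    Select-Object -First 1
                if ($found) { $target = $found.Path }
            }
            $exists = [bool]($target -and (Test-Path -LiteralPath $target -PathType Leaf))
            $sig = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $target).Status }
                   else { 'n/a' }
            [pscustomobject]@{
                Key = $key; Name = $name; Target = $target
                Exists = $exists; Signature = $sig; Command = $command
            }
        }
    }
}

# Entries that are not validly signed, or that point at a missing file, are the ones to review first.
Get-AutorunEntry | Sort-Object Signature, Key | Format-List
```

The script changes nothing in the registry; removal is still a manual decision per entry.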
 
Paul C. Anagnostopoulos said:
Graculus, that fixed it. Unfortunately, so much for the Google toolbar. Now I'll get SpywareBlaster and see if it can find the plugin.

~~ Paul

Sorry if I didn't make this clearer. SpywareBlaster and SpywareGuard *prevent* installation. They cannot remove something that is already there. I posted the links so that you could avoid this in future.

If you are really addicted to the Google toolbar, then turn extensions back on. Just remember to always have SpywareGuard on when you cruise the net. Spyware browser plugins, although sometimes annoying, aren't that bad a pest.

Now, let's try to deal with your problem.

First of all, what processes are running?

Second & thirdly, run Hijack This and/or S&D and post the logs here. I'll give them a once over.
 
The number one solution to stop dealing with this crap?

Download Firefox, install it, and use it.

After I did that: no more problems with ad/mal/spamware ever again.
 
bignickel said:
The number one solution to stop dealing with this crap?

Download Firefox, install it, and use it.

After I did that: no more problems with ad/mal/spamware ever again.

You can also install the latest version of Norton AntiVirus.
 
