[THIN] Re: Ad Ware
- From: "Trevor Fuson" <fuson@xxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Wed, 30 Jun 2004 09:39:48 -0700
It's an IE BHO (Browser Helper Object) exploit. Currently IE is vulnerable to
an unpatched exploit that many seedy websites are using to install
whatever code they want on your system without user knowledge.
This could cost you a great deal of money if you have a modem hooked to
a phone line. Many websites are installing an auto-dialer to connect
long distance to small countries with extremely high long distance
rates. These countries then send a portion of what they make from the
phone call to the virus writers.
Currently the exploits are too varied and unique for anti-virus
companies to deal with. Firewall software is generally ineffective
because this is the normal operation of IE installing 3rd party
components through standard ports.
Usually the trojan will hook into the TCP/IP stack, so you will need to
repair the stack after manually ripping out the trojan components.
To troubleshoot the problem go to: www.sysinternals.com and download the
following free utilities:
TCPView
This will allow you to see what programs are connecting to what ports
and services. This will allow you to see most common worm variants very
easily since they open a great many network connections.
Process Explorer
This will allow you to kill processes that Task Manager will not kill.
You can also pause processes to see if that has an effect on the problem
you are having. You can also search for handles to files and close these
handles and kill the process with these handles. This tool is useful in
combination with Filemon.
Filemon
This will allow you to see if your computer is a zombie, or a computer
under someone else's control and being used as an upload server for
illegal materials and content. Typically you will see a hidden
directory under System Volume Information directory which is hidden by
default. Under this directory you will probably have multiple
subdirectories with multiple subdirectories, in all you may have several
thousand directories. In order to clean this off you will need to use a
RD /s to kill the whole tree. There is a bug in explorer which will
probably prevent you from deleting the tree because of illegal
characters in the filename. You need to keep your command prompt open
and kill the explorer process to be able to delete all the
directories.
If you want to avoid this I would recommend using Mozilla or Mozilla
Firefox as your main browser. Launch IE when you need to use a site
that doesn't work with either.
Trevor.
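The triage Trevor describes (map open connections to processes, find what IE is loading, size up and remove the directory tree under System Volume Information) can be scripted. The following is an added example and is not code from Trevor's post or from the list; it assumes a current Windows with PowerShell 5.1 or later run from an elevated prompt (the thread's XP box would need the Sysinternals tools instead), and all function names are the editor's own. The BHO registry keys and the `InprocServer32` lookup are standard; `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added triage example (not from the original post). Run elevated.
# Assumptions: PowerShell 5.1+, Windows 8+/Server 2012+ for Get-NetTCPConnection.

function Get-BrowserHelperObject {
    # IE loads every CLSID registered under these keys into each browser process.
    # The DLL path is the default value of HKCR\CLSID\{clsid}\InprocServer32.
    # An unsigned DLL, or one living under %TEMP% or Program Files\<random>, is the
    # first thing to look at.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            $dll = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6632Node\CLSID'.Replace('6632', '6432')) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty $inproc).'(default)'
                    break
                }
            }
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'FileMissing' }
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $sig }
        }
    }
}

function Get-ConnectionOwner {
    # TCPView-style view: each listening/established TCP endpoint with the owning
    # process and its image path, so a dialer or upload server stands out.
    Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                PID     = $_.OwningProcess
                Process = $p.ProcessName
                Path    = $p.Path
            }
        }
}

function Measure-SviTree {
    param([string]$Root = 'C:\System Volume Information')
    # System Volume Information is ACL'd to SYSTEM; take ownership or grant yourself
    # access first. A handful of restore-point folders is normal; several thousand
    # nested directories is the warez-dump pattern from the post.
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    $deepest = $dirs | Sort-Object { $_.FullName.Length } -Descending | Select-Object -First 1
    [pscustomobject]@{
        Root           = $Root
        DirectoryCount = ($dirs | Measure-Object).Count
        Deepest        = $deepest.FullName
    }
}

function Remove-SviTree {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Path)
    # Equivalent of the post's "RD /s with Explorer killed": Explorer keeps handles
    # open inside the tree and trips over names with trailing dots or spaces.
    # -LiteralPath keeps brackets and wildcards in the name from being expanded.
    if ($PSCmdlet.ShouldProcess($Path, 'Remove directory tree')) {
        Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
        try {
            Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
        }
        finally {
            Start-Process explorer.exe
        }
    }
}

# Usage: review BHOs, then non-Windows binaries holding sockets, then the SVI tree.
Get-BrowserHelperObject | Format-Table -AutoSize
Get-ConnectionOwner | Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } | Format-Table -AutoSize
Measure-SviTree
# Remove-SviTree -Path 'C:\System Volume Information\<suspect directory>' -WhatIf
```

Run `Remove-SviTree` with `-WhatIf` first and only drop it once `Measure-SviTree` and a look at the deepest path confirm the tree is not a restore point. On a box that is still XP, Autoruns' "Internet Explorer" tab gives the same BHO list as `Get-BrowserHelperObject`, and TCPView gives the same view as `Get-ConnectionOwner`.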
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Turman, David C.
Sent: Wednesday, June 30, 2004 5:25 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Ad Ware
Got a weird one. A friend has a Windows XP non-SP1
computer and he is getting Pop-Ups even when Internet
Explorer is not open. I added Google pop-up stopper and
ran Spybot and AdAware. No Help. Any ideas which damn
spyware or virus he's got?