Re: js.seeker and browser 'screw up'
From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 04/30/03
- Next message: remove: "My Security and Hacking Book"
- Previous message: siljaline: "Re: js.seeker and browser 'screw up'"
- In reply to: Mat: "js.seeker and browser 'screw up'"
- Next in thread: Andrew Clover: "Re: js.seeker and browser 'screw up'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Apr 2003 16:15:10 +1200
"Mat" <buffaloesinc@hotmail.com> wrote:
> I'm running Win98, IE 6 (SP1), ZoneAlarm and Norton SystemWorks 2003
> (including Anti Virus)...
>
> The other day while using IE my AV told me it had repaired a JS.Seeker
> infection. ...
Unfortunately, that is a _VERY_ generic detection. _Almost anything_
can be done to your system by code exploiting the bug JS.Seeker uses.
However, IE 6.0 should be immune to that vulnerability (even without
SP1 installed).
> ... A new toolbar flashed up briefly and then disappeared. ...
You weren't asked for permission to initialize/run/script an ActiveX
control too?
> ... When I
> clicked on the View / Toolbars menu a blank entry was near the bottom of the
> list. ...
Yes -- there seems to be a bug in IE that sometimes (at least if IE is
running when the toolbar is installed) it does not properly display newly
added toolbars on the first run (restarting IE usually fixes this, but
occasionally a system restart seems necessary...).
> ... Clicking on this entry placed a tick next to it ...
Given its installer had already been run, potentially anything could already
have been done to your machine... Still, not exactly a clever idea.
> ... and I noticed in the
> status bar at the bottom of the screen was displayed 'applet initialized'
> and then a website was accessed 'ourlinkslist.com'. ...
FWIW, I suspect that was "ourlinklist.com"...
> ... This seems to have
> altered the registry somewhat to change the search engine in IE. ...
ourlinklist.com redirects to dafinder.com and on their pages is a link to
"your own DaFinder.com tool" which is actually a registry settings file
containing:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.dafinder.com/iesearch.html"
"Search Bar"="http://www.dafinder.com/iesearch.html"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.dafinder.com/iesearch.html%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.dafinder.com/iesearch.html"
Are they the changes you see?
If all the toolbar (or its installer) did was change those settings then
you will have to know the original ones to get them back. Some of these
things are "nice" and save your original settings which you may be able to
find by carefully poking round the registry... That is not possible simply
from a .REG file as per above though...
> ... I can
> untick the toolbar but I can't recover my original settings, and I'm sure my
> browser has slowed also.
Well, the toolbar is a program and it had to be initialized which would
have required an installation program to run also. Either you have your
IE security zone settings set way too liberally for the Internet Zone (i.e.
even more liberally than MS defaults) or you have neglected to tell us
something (such as you clicked on an ActiveX warning and allowed the
control to download and run...). If you can tell me where the toolbar's
installer came from I can probably make time to work out what you need to
do to get rid of it...
> Can anyone tell me why Norton AV + Zonealarm didn't stop this from happening
NAV -- because it is not a virus or Trojan.
ZoneAlarm -- probably because the toolbar "integrates into" IE and thus is
not seen by (most) PFW s/w as a separate process, and few people prevent IE
from accessing the Internet.
> and what I can do in the future to stop such invasions? Is it a Java problem
> and should I disable Java (if so how and what functionality will I lose)? Is
> it preventable by downloading a MS patch?
Check your security zone settings in IE very carefully. For the Internet
Zone consider disabling or setting to "prompt" all settings that relate to
downloading, scripting or initializing remotely sourced "programs" (scripts,
ActiveX Controls, etc.). Most people find setting scripting outright to
"prompt" too annoying, but certainly set all the "advanced" options such as
scripting ActiveX to prompt. Combined with preventing the download of
ActiveX it is then relatively "safe" to allow ActiveX actions as only those
controls already on your machine will be accessible. Of course, if this is
a family computer, training people to say "no" to the prompts will be very
difficult...
-- Nick FitzGerald
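An added audit helper, not part of the post or of any tool it mentions: it parses a REGEDIT4 file like the DaFinder one quoted above and flags the IE search settings (Search Page, Search Bar, the SearchURL default and SearchAssistant) whose URL host is outside an assumed trusted list. The sample .REG text is constructed from the post, and the trusted-host suffixes are an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the DaFinder .REG file quoted in the post.
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.dafinder.com/iesearch.html"
"Search Bar"="http://www.dafinder.com/iesearch.html"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.dafinder.com/iesearch.html%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.dafinder.com/iesearch.html"
"""

# IE registry locations (hive stripped, lower-cased) and the value names
# under them that a search hijacker rewrites, taken from the post.
SEARCH_KEYS = {
    r"software\microsoft\internet explorer\main": {"search page", "search bar"},
    r"software\microsoft\internet explorer\searchurl": {""},
    r"software\microsoft\internet explorer\search": {"searchassistant"},
}
# Assumption: hosts you consider legitimate for these settings.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com")

def parse_reg(text):
    """Parse a REGEDIT4 file into {key: {value_name: data}} (string values only)."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                       # [HKEY_...\Sub\Key] section header
            key = m.group(1)
            result.setdefault(key, {})
            continue
        # "Name"="data"; the default value is written @= (the post uses ""=)
        m = re.match(r'^(?:"(.*)"|@)="(.*)"$', line)
        if m and key is not None:
            result[key][m.group(1) or ""] = m.group(2)
    return result

def find_search_hijacks(text):
    """Return (key, value_name, host) for IE search settings pointing off-trust."""
    findings = []
    for key, values in parse_reg(text).items():
        subkey = key.split("\\", 1)[1].lower() if "\\" in key else ""
        names = SEARCH_KEYS.get(subkey)
        if not names:
            continue
        for name, data in values.items():
            host = urlsplit(data).hostname or ""
            if name.lower() in names and not host.endswith(TRUSTED_SUFFIXES):
                findings.append((key, name, host))
    return findings
```

Run it over a regedit export of the same keys from a suspect machine to see which search settings have been redirected and to where.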