timothyfryer

asked on

ActiveX Driveby Installs with ActiveX Permissions Disabled in Internet Zone Why?

Following is the last part of my Setupapi.log.  I caught an ActiveX drive-by download at a website and it appears to have installed, possibly due to (Policy=Ignore).  I intentionally set all my ActiveX permissions to Disabled in the Internet Security Zone in Internet Options.  Does anyone know why this was allowed to install?  I think my settings stuck, although it's hard to tell because the selector defaults to Medium and it becomes confusing sometimes as to whether it's set to Medium or wants to reset to Medium.  But I'm reasonably confident they were all Disabled.  Anybody want a new start page hijacker?  I have one I'll give you.



[2004/08/01 12:50:37 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" to "C:\WINDOWS\Downloaded Program Files\v2.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:38 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\OSD461.OSD" to "C:\WINDOWS\Downloaded Program Files\OSD461.OSD".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\OSD461.OSD" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:52 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.ocx" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 12:50:53 1748.2]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.INF" to "C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.INF".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\MediaTicketsInstaller.INF" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 13:46:13 456.118]
#-199 Executing "\??\C:\WINDOWS\system32\winlogon.exe" with command line: winlogon.exe
#-336 Copying file "D:\i386\ctfmon.ex_" to "c:\windows\system32\ctfmon.exe" via temporary file "c:\windows\system32\SET8.tmp".
No signature was present in the subject.
#W187 Install failed, attempting to restore original files.
[2004/08/01 17:49:34 1512.2]
#-199 Executing "C:\WINDOWS\System32\rundll32.exe" with command line: rundll32.exe sti_ci.dll,AddDevice
#-147 Loading class installer module for "Imaging devices".
#W239 The driver signing class list "C:\WINDOWS\INF\certclas.inf" was missing or invalid. Error 1168: Element not found. Assuming all device classes are subject to driver signing policy.
#E360 An unsigned or incorrectly signed file "C:\WINDOWS\System32\sti_ci.dll" for driver "Imaging devices" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
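A small parser for the Setupapi.log format shown above, added here as an example and not part of the original post. It walks the log section by section, records which process was driving each section (the #-198/#-199 lines), matches the #-024/#-336 copy lines so that a temp-folder source can be tied to its final destination, and flags every #E360/#E361 entry where an unsigned file was accepted under Policy=Ignore. Files that landed in "Downloaded Program Files" (the folder Internet Explorer uses for downloaded ActiveX components) are singled out as web-delivered, and #W187 rollbacks are counted separately so a failed install is not mistaken for a successful one. The sample log embedded below is copied from the entries above; the regular expressions are written against those lines only and are an assumption about the rest of the format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: sections copied from the Setupapi.log excerpt in the question above.
SAMPLE_LOG = r"""[2004/08/01 12:50:37 1748.1]
#-198 Command line processed: "C:\msinfo.exe"
#-024 Copying file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" to "C:\WINDOWS\Downloaded Program Files\v2.dll".
#E361 An unsigned or incorrectly signed file "C:\DOCUME~1\no\LOCALS~1\Temp\ICD1.tmp\v2.dll" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/08/01 13:46:13 456.118]
#-199 Executing "\??\C:\WINDOWS\system32\winlogon.exe" with command line: winlogon.exe
#-336 Copying file "D:\i386\ctfmon.ex_" to "c:\windows\system32\ctfmon.exe" via temporary file "c:\windows\system32\SET8.tmp".
No signature was present in the subject.
#W187 Install failed, attempting to restore original files.
[2004/08/01 17:49:34 1512.2]
#-199 Executing "C:\WINDOWS\System32\rundll32.exe" with command line: rundll32.exe sti_ci.dll,AddDevice
#E360 An unsigned or incorrectly signed file "C:\WINDOWS\System32\sti_ci.dll" for driver "Imaging devices" will be installed (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
"""

# Patterns are an assumption based on the lines in the excerpt, not a full Setupapi.log grammar.
HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+)\.(\d+)\]$')
PROCESS_RE = re.compile(r'^#-19[89] (?:Command line processed:|Executing) "([^"]+)"')
COPY_RE = re.compile(r'^#-(?:024|336) Copying file "([^"]+)" to "([^"]+)"')
UNSIGNED_RE = re.compile(
    r'^#E36[01] An unsigned or incorrectly signed file "([^"]+)"'
    r'(?: for driver "([^"]+)")? will be installed \(Policy=(\w+)\)\. Error (0x[0-9A-Fa-f]+):'
)
ROLLBACK_RE = re.compile(r'^#W187 ')


@dataclass
class UnsignedInstall:
    timestamp: str
    pid: int
    process: Optional[str]      # program that drove this log section, if logged
    path: str                   # file named in the #E360/#E361 line
    destination: Optional[str]  # where the matching copy line put it, if known
    driver: Optional[str]       # device class for driver installs (#E360)
    policy: str                 # Ignore / Warn / Block as logged
    error: str                  # signature-check error code


def analyze_setupapi_log(text: str) -> Dict[str, list]:
    """Return unsigned installs accepted by policy and the sections that rolled back."""
    findings: List[UnsignedInstall] = []
    rollbacks: List[Tuple[str, Optional[str]]] = []
    timestamp, pid, process = "", 0, None
    copies: Dict[str, str] = {}  # source path -> destination path within the current section

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:  # a new section: reset per-section state
            timestamp, pid, process, copies = m.group(1), int(m.group(2)), None, {}
            continue
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(1)
            continue
        m = COPY_RE.match(line)
        if m:
            copies[m.group(1)] = m.group(2)
            continue
        m = UNSIGNED_RE.match(line)
        if m:
            path, driver, policy, error = m.groups()
            findings.append(UnsignedInstall(timestamp, pid, process, path,
                                            copies.get(path), driver, policy, error))
            continue
        if ROLLBACK_RE.match(line):
            rollbacks.append((timestamp, process))

    return {"unsigned_installs": findings, "rollbacks": rollbacks}


def web_delivered(findings: List[UnsignedInstall]) -> List[UnsignedInstall]:
    """Unsigned files that ended up in IE's Downloaded Program Files folder."""
    return [f for f in findings
            if f.destination and "downloaded program files" in f.destination.lower()]


if __name__ == "__main__":
    report = analyze_setupapi_log(SAMPLE_LOG)
    for f in report["unsigned_installs"]:
        kind = "driver" if f.driver else "component"
        print(f"{f.timestamp} pid={f.pid} {kind} accepted unsigned (Policy={f.policy}, {f.error}) "
              f"by {f.process}: {f.destination or f.path}")
    for ts, proc in report["rollbacks"]:
        print(f"{ts} install by {proc} failed and was rolled back")
    print(f"{len(web_delivered(report['unsigned_installs']))} unsigned web-delivered component(s)")
```

Run against the full log rather than the excerpt, the "unsigned web-delivered component" count is the number worth reviewing first, since those are the files that arrived through the browser regardless of what the Internet Zone settings were meant to allow; the driver-class entries (#E360) come from the separate driver-signing policy and are reported as a distinct kind.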
SOLUTION
Bart van der Wee

ASKER CERTIFIED SOLUTION
timothyfryer

ASKER

Yeah, I'm sitting here running regmon and filemon and hijackthis and watching this thing recreate the files within a few seconds of hijackthis fixing them.  I think it's running from a service but haven't figured out which one.   Thanks Fatal.
Some of the virii were running under the browser process.  No idea how they managed to do that but a good idea.  Hijacker only runs when browser is running.  Also found that unchecking hijacker entries in msconfig doesn't remove the corresponding entry in the run keys or possibly it does and then they are immediately rewritten without changing the checkbox in msconfig.  Smart virii.  
The virus writers are the ones getting smart, eh?
Did you have any luck with your friend Fatal?  I went to vanderwee's link and while I didn't find anything specifically addressing this issue, I may have missed it.  It's still a good resource though.  If you had time to email your buddy, let me know and I'll hold off on awarding points.
Have not heard back yet, so....  He might be out on a MS Technet tour, as he speaks at many of these events...  
BTW:  I have found that file to be curiously the same in all my XP Pro boxes, so this may be a default behavior...
If you're talking about the Policy=Ignore then I'm not sure that's good.  One thought I had was that it might be related to the same policy you set when installing non-WHQL-certified devices, though it doesn't make sense that it would.  The other thing I noticed was that when I check my Advanced tab in Internet Options, both Install on Demand settings were checked, which I don't think I checked.  Either I overlooked it, or possibly I invoked Reset Web Settings under Programs and that's the default position.  What I don't know is which takes precedence over the other.  Would having Install on Demand active in the Advanced tab override any restrictions in the Internet Zone?  Kind of like power options, too many places to set the same thing.
Hmm.   I would think the opposite to be true, that your security zones would take precedence..  a good question though...
Well, SP2 is supposed to hit this week so maybe all my ms paranoia will be proven wrong, I hope.  I probably won't upgrade right away though, I'm not running sp1 right now but if sp2 turns out to be something, I might go for it.  Every time I put on sp1, the comp runs terrible and while there are patches down the road that fix it, it seems comp runs best right from the install disk.  I know I don't have all the security patches but I kind of doubt any would cover something like this anyway.  Most of the patches seem to address buffer overflows in various programs.  Funny, every time I run regmon, I see buffer overflows.  Comforting thought.
ha...  I have a quick tour of what SP2 will break and what it contains..  not lengthy, but you are welcome to read it:

http://65.24.134.81/KipSolutions/SP2/SP2.htm
Oh Goody, WHQL for applications with buffer overflows.  I'm sure it will include my favorite apps.  Well, maybe I won't put it on.  Is KipSolutions your outfit?  I checked the web page, looks good.
I am one of the principals in KIP, and acting CIO.  It is primarily an educational company, but we also offer support services too.  

The website is mine along with all the content, and as you can tell, it is running out of my house on a W2K3 server, using only my IP address.  (Too cheap to go with a static address, even though I do have several domain names registered with my various companies.)  I am putting up the content to help our KIP end users, although my counterparts at KIP think that I am writing over our customers' heads..  lol, eh?  How can you dumb it down any further, I ask?    Sometimes I wonder...  :)

FE
Looks good.  Maybe you should do a daily editorial to get a reader following.  Might help expand business.
haha...  Maybe I should hire you to do it for me, eh?  Do any of us really have the time?  :)
Thanks Tim..  If I ever get that email response, I will post back here with it..  In fact, I will just email it to you also..  Going to send it off again, in the hopes that they get a chance to read and respond.

FE