Archive for 2004

Malware for my trophy case: 2_0_1browserhelper2.dll

The short form:
2_0_1browserhelper2.dll is a nasty adware toolbar with no UI. See my 3-19-04 journal article at http://lee.org/journal. It took me 2 friggin hours to figure this one out. It mangles Google search results in IE and sticks ads for the “websearch toolbar” in the results.

Kill it by removing the BHO 2_0_1browserhelper2.dll

——————
I was at a client’s house cleaning off spyware and I came across some particularly insidious malware. I’d do a Google search and the results would take a long time to come back. But more importantly, half of the search results were crap. They were ads for some “websearch toolbar”, directing me to www.websearch.com and such. The worst thing was that the Google results page looked almost normal. It almost looked like Google had sold out to these Websearch people, allowing them to flop 1/2 of their content toward Websearch.com.

So I downloaded Netscape and made sure that Google hadn’t sold out. A search for “Prussian medals” in Internet Explorer returned about 50% junk while the same search in Netscape looked just fine. IE was being hijacked.

Now I just had to find what was doing it…. 2 hours later, bull’s-eye. Here’s the low-down:

The www.websearch.com toolbar is bad news.

Here’s an excerpt from their Terms of Use:

By installing the Service you understand and agree that the following changes may be made to your Internet Explorer browser and that the following functions may be performed by the Service: install a Search Toolbar in your browser which may (i) block certain pop-up ads and pages; (ii) display links to related websites and keywords based on the information you view and the websites you visit; (iii) store non-personally identifiable statistics of the websites you have visited; (iv) redirect certain URL’s including your browser default address bar search, DNS error page and Search Button page to or through the Service and; (v) automatically update the Service and install added features or functionality conveniently without your input or interaction unless you have chose to be notified of such update in advance.

The Terms of Use also says how to uninstall the software. (“When the Add/Remove Programs Properties window opens, locate the listing for ‘Search Toolbar’ that you would like to uninstall from the list of installed programs.”) But, like any good malware, the uninstallation instructions didn’t work.

Spybot Search and Destroy shows this software as a BHO

Spybot-S&D Browser helper object report, 3/18/2004 9:26:07 PM

{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
Class file: 2_0_1browserhelper2.dll
Path: C:\WINDOWS\

One reason it took so long to figure this out was that this BHO, which normally would show up as an IE toolbar, has no visible user interface… Jerks.

All you have to do is disable that BHO in Spybot and you’re good to go. Another way is to rename c:\windows\2_0_1browserhelper2.dll. You might have to reboot into Safe mode to rename the file.
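If you would rather see every BHO IE is going to load than trust one tool’s report, the following PowerShell is an added example (mine, not Spybot’s or Microsoft’s code, and not from the original post). It walks the Browser Helper Objects registry key, resolves each CLSID to the DLL named in its InprocServer32 value, reports the Authenticode status, and offers a removal function that supports -WhatIf. It assumes Windows PowerShell 3 or later on the affected machine and an elevated prompt for the removal step; the function names are my own.

```powershell
# Added example (not from the original post). Lists the Browser Helper Objects
# Internet Explorer will load, resolves each CLSID to its DLL, and reports the
# Authenticode status so an unsigned DLL sitting in C:\WINDOWS stands out.
# Assumes Windows PowerShell 3+ on the affected machine; removal needs an
# elevated prompt. Function names are my own, not Spybot's or Microsoft's.
function Get-IEBrowserHelperObject {
    # 64-bit IE reads the first key, 32-bit IE the Wow6432Node one.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # The subkey name is the CLSID, e.g. {83DE62E0-5805-11D8-9B25-00E04C60FAF2}
            # from the Spybot report above.
            $clsid = $sub.PSChildName
            # The CLSID's InprocServer32 default value is the DLL loaded into iexplore.exe.
            $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = $null
            if ($inproc -and $inproc.'(default)') {
                $dll = [Environment]::ExpandEnvironmentVariables($inproc.'(default)')
            }
            $status = 'NoInprocServer32'
            if ($dll) {
                $status = if (Test-Path -LiteralPath $dll) {
                    (Get-AuthenticodeSignature -FilePath $dll).Status
                } else {
                    'FileMissing'
                }
            }
            [pscustomobject]@{
                Clsid     = $clsid
                Dll       = $dll
                Signature = $status
                RegKey    = $sub.PSPath
            }
        }
    }
}

# Disabling a BHO means deleting its CLSID entry under the Browser Helper Objects
# key; the DLL itself stays on disk, so you can still rename it or keep a copy.
function Disable-IEBrowserHelperObject {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$RegKey)
    process {
        if ($PSCmdlet.ShouldProcess($RegKey, 'Remove BHO registration')) {
            Remove-Item -Path $RegKey -Recurse
        }
    }
}

# Review everything first, then preview removal of anything unsigned that lives
# directly in the Windows directory, as 2_0_1browserhelper2.dll did. Drop -WhatIf to act.
Get-IEBrowserHelperObject | Format-Table -AutoSize
Get-IEBrowserHelperObject |
    Where-Object { $_.Dll -and $_.Signature -ne 'Valid' -and (Split-Path -Path $_.Dll -Parent) -ieq $env:WINDIR } |
    Disable-IEBrowserHelperObject -WhatIf
```

Deleting the registry entry is what “disable” amounts to; renaming the DLL afterward, in Safe Mode if the file is locked, keeps IE from loading it even if something re-registers the CLSID.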

I’ve got another client with the same malware. It’ll take 5 minutes to get rid of her Websearch malbar (to coin a term).

The bubble game

I found this at http://www.chratnox.de/swf/bubble.swf Thanks to http://keithdevens.com/weblog/archive/2004/Mar/14/bubbles for the reference.

And now on to the game!

Play me!

I got a Suspension

This happened last month, on 2-13-04 but I thought it was funny enough to mention….

You remember that last month, I flooded the boys room… Well, this month, I got suspension at the middle school. I had to sit in the library with my desk facing the wall all day long. There was nothing to do but some stupid homework and a test that was really easy. And you know why I got suspension? Because I didn’t go to detention. Stupid. And I didn’t go to detention because my mom couldn’t pick me up after school. (Of course, in retrospect, I should have tried to work this detention thing out with school and my mom but hey…) And I got a detention because I wrote “Suck” on some kid’s notebook. I guess I shouldn’t have done that.

Well, actually you should replace “I” in that last paragraph with “my student”. But it was almost as awful for me. I had to sit there and watch him all day, making sure he wasn’t going to get in any trouble and that he didn’t talk to anyone and stuff. Bleck.

So, I got suspension.

Outlook 2002 Was Built for Thieves


Outlook 2000 had a tiny little feature whereby when your mouse hovered over a web link, the target would appear in the status bar down at the bottom of the window. Outlook 2002 eliminated this feature, making forged emails like this (at right; click to enlarge) possible.

The link on that email takes you to this web page (at left). Everything appears to be all on the up and up, right? Wrong. Look closely at that web page… at the top of the email. The address is “http://63.203.30.222/registration/Verify.htm” That isn’t a Paypal address. It’s a thief’s address.

If Outlook hadn’t gotten rid of that little feature, it would have been harder to pull the wool over people’s eyes on this kind of scam. Hmmm…. I’ve been hearing how Microsoft is pushing for an email postage/verification/something system lately. Am I just a wacky conspiracy theorist by suggesting that Microsoft is crippling their own program in order to make their new email verification system more necessary? No, that’s crazy.
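The trick in that forged mail is an anchor whose visible text reads like a PayPal URL while its href goes to a bare IP address. The following PowerShell is an added example (mine, not from the original post) that scans an HTML mail body for exactly that mismatch. The sample mail is constructed for this example (the IP and path are the ones quoted above; the PayPal-looking link text is made up), and the anchor regex is deliberately simple rather than a full HTML parser.

```powershell
# Added example (not from the original post). Scans the HTML body of a mail for
# anchors whose visible text points the reader at one host while the href goes
# somewhere else, or whose href host is a bare IP address, as in the forged
# PayPal mail above. The sample mail is constructed for this example; the
# regex is deliberately simple and not a substitute for a real HTML parser.
function Get-SuspiciousLink {
    param([Parameter(Mandatory)][string]$Html)

    $anchor = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase -bor
            [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Html, $anchor, $opts)) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # visible text only

        $hrefUri = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$hrefUri)) { continue }

        $reasons = @()
        # 1. A numeric host is the tell in the post's screenshot (http://63.203.30.222/...).
        if ($hrefUri.HostNameType -in 'IPv4', 'IPv6') {
            $reasons += "href host is a bare IP address ($($hrefUri.Host))"
        }
        # 2. Text that looks like a URL or hostname must agree with the href's host.
        if ($text -match '^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:].*)?$') {
            $shownHost = $Matches[1]
            if ($shownHost -ine $hrefUri.Host) {
                $reasons += "text shows $shownHost but href goes to $($hrefUri.Host)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Text = $text; Href = $href; Reason = ($reasons -join '; ') }
        }
    }
}

# Constructed sample: the first anchor mimics the forged mail, the second is benign.
$sampleMail = @'
<p>Dear PayPal member, please visit
<a href="http://63.203.30.222/registration/Verify.htm">https://www.paypal.com/cgi-bin/webscr</a>
to verify your account.</p>
<p>Questions? See <a href="https://www.paypal.com/help">our help center</a>.</p>
'@
Get-SuspiciousLink -Html $sampleMail | Format-List
```

Only the first anchor is reported, with both reasons: the href host is an IP address, and the text names www.paypal.com while the link goes to 63.203.30.222. A mail client that still showed the real target on hover would have given the reader the same information for free.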

Rant about CSS standards

TJIC told me “the timestamps in your blog kinda freak me out. They look like small hovering clues, as if I’d moused over something…and am being given supplementary info…”

That didn’t jibe with any of my style sheets so I looked into it. Apparently, Netscape and IE treat the Float: tag differently. Here are examples:

[Screenshots: Internet Explorer 6.0 and Netscape 7.1, before the tweak]

(note: the date is an <H2> tag, the text that begins "Outloo.."  is an <H3> tag)

I’ve since tweaked it a bit so it doesn’t look so terribly noticeable. The problem seems to lie in how the two browsers let CSS margins affect floated text. They do it just a little bit differently. They still don’t look perfectly the same, but they’re good enough.

[Screenshots: Internet Explorer 6.0 and Netscape 7.1, after the tweak]

The ASCII Matrix

Ok, this is cool. From here and here.

SpamAssassin, CRM114, Brightmail


I’m chasing my tail spamwise. SpamAssassin kinda works but at a conservative setting (I have it at ‘8’) it doesn’t block enough spam to make it worth me having to scan two spam folders, one for Cloudmark and one for SpamAssassin. I’d love to try CRM114 but even if I got it going well, it has to live on a Unix box, which makes it a slight pain for me (having succumbed to the succor of Windows). But if any friend of mine wants to set up CRM114 and let me filter my mail through them, I’d shower them with gifts and Jean Nate after-bath splash. Do you remember those commercials? I do. Oh yeah…

So, I’m going to try and push all my mail through my optonline.net account. It occurs to me that they run Brightmail. We’ll see how that goes. But just to be pesky, optonline just put up notices saying that their spam-buckets won’t be available for some unspecified amount of time. That means that mail counted as spam gets immediately deleted. Harrumph. That’s no way for me to do a test! I’ll wait.

Oh and it’s cool to note that CRM114 is built by a friend of mine. Hi Crash!

RSync

I haven’t used Perl in a long while. But it can be fun! I scripted up a tiny little RSync script to backup the important parts of my hard drive to another drive. Trouble is… my script sucks. But that’s ok. A rudimentary BASH script works better. RIBS is supposed to be this snazzy backup helper but it’s just a no-UI front end for a command line… I suppose it could save me some keystrokes but I’ll play with my own command-line scripts for a while.

DDNS, Dyndns.org, and the D-Link DI-624

I tried in vain for weeks to get the Dynamic DNS system on my D-Link DI-624 router to work with Dyndns.org. I gave up and decided to use DynSite instead. It does the job nicely.

More About Cloudmark Spamnet

Spamnet isn’t perfect. It correctly blocks about 40 spams a day of mine. But it also incorrectly blocks about 1 non-spam per day. That’s a big pain because it means I have to sift through my spam list every week or so looking for mistakes.

I’m going to try using dual filtering. I’ll set my ISP’s SpamAssassin to a conservative setting and keep Spamnet. The idea being that SpamAssassin won’t have any accidental hits. That will reduce the number of emails I’ll have to sift through.

As a side note, I just found out that Spamnet uses the same spam identification network that SpamAssassin does. SpamAssassin uses Vipul’s Razor for fingerprinting spams.