Sunday, January 28, 2007

Google Ads Have Nudity?

For a while now I have noticed a growing trend of pornography advertisements. I will be surfing along, visiting web sites that I have been on and off of for several years and then *boom* - you've got bare chested ladies down the side of your screen.

It wasn't until a month or so ago that I realized something was wrong. I was downloading chipset drivers for a friend of mine from VIA's website, www.viatech.com. There in the right margin were a couple of sets of naked breasts. This really bothered me. Would a reputable company like this really stoop to that level for revenue? Looking at the page source it appeared that what I should have been seeing was Google Ads, but they had been replaced somehow. Was this some sort of cookie hijacking? I got busy working on the project at hand and never investigated it further.

Today my browser crashed. The error message indicated that some awkwardly named DLL had gone south, and the browser had to shut down. I have seen this before in earlier weeks and I just wrote it off to a bad component in Internet Explorer 7. But this was the second time today and I intended to get to the bottom of it. The object was called ~DP1C9.dll and when I performed a search on my hard drive for it, I turned up nothing. Next I went into the browser settings, starting with "Manage Add-ons".



Oh, this was not good. Here I had somehow installed a "browser helper object" without a name. Surely if this was legitimate it would have been branded by the publisher. I disabled it immediately, and restarted Internet Explorer.



I was sure that I had somehow installed something nasty. What bothered me is that I have had this for probably a few months and nothing stopped it from installing. For that matter nothing ever caught it and told me about it! I checked my Symantec Antivirus definitions. They were up to date. But this seemed more like spyware, and Symantec has never been really good with detecting and removing that. More likely, this is something that Windows Defender should have stopped. For the sake of finding a cure, I went out and downloaded the latest and greatest copy of Windows Defender from Microsoft. I let it update to its latest definitions and then performed a full scan.



Right now I am wondering why I waste the system resources on this product when it obviously doesn't work. I would have to take the law into my own hands.

First I would have to figure out where this little devil was hiding on my system. That ugly and awkward "Manage Add-ons" window was of no help to me. I ran regedit and searched for this object by its object name.



Here it is, so that you won't have to retype it like I did. By the way, I would like to thank the engineers of Internet Explorer 7, for not allowing me to copy and paste anything from that window.

{598F4775-6FB6-477B-9842-E0426824E077}

Incidentally, if you came to this posting because you found the above object ID on your system, you are infected. Read the rest of this for removal instructions.

I found a couple of keys right away. This one told me exactly where the bad DLL file was hiding out. Notice that this is in a location that normal users like you and me are not supposed to tread. Therefore to find it with a "Search" I would have had to perform an advanced search and look for "hidden files", "system files", etc.

Heading out to that location on my drive I found the dll file(s). Even with the browser shut down, and the objects disabled I was not allowed to remove these. I'm betting I would have to boot into safe mode. They are welcome to stay I suppose since they will no longer have any attachments to the browser when I get done.



Next I got to work on removing all of the registry keys that involved this string. That was actually pretty easy. I just ran "regedit" and did a "Find". For every key I found with the above mentioned object ID, I deleted it. Then, I reopened Internet Explorer and made sure that the "browser helper" object no longer appeared in my "Manage Add-ons" list.
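The registry hunt described above can be done in one pass. This PowerShell sketch is an added example, not part of the original post: it walks the standard Browser Helper Object registration keys, resolves each object ID to its display name and DLL path, and flags entries with no name or no valid signature. The function name `Get-BhoInventory` and the `Suspicious` column are made up for this example.

```powershell
# Added example. Lists every Browser Helper Object registered machine-wide,
# resolves its CLSID to a display name and DLL, and checks the DLL's signature.
function Get-BhoInventory {
    # Native and 32-bit-on-64-bit registration points, each paired with the
    # CLSID tree that holds the matching class registration.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid = $key.PSChildName
            $classKey = Join-Path $view.Clsid $clsid
            $name = $null; $dll = $null; $status = 'NoFile'
            if (Test-Path -LiteralPath $classKey) {
                # The key's default value is the name shown in Manage Add-ons.
                $name = (Get-Item -LiteralPath $classKey).GetValue('')
                $server = Join-Path $classKey 'InprocServer32'
                if (Test-Path -LiteralPath $server) {
                    $raw = [string](Get-Item -LiteralPath $server).GetValue('')
                    $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                }
            }
            # Test-Path also sees hidden and system files.
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                $status = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            }
            [pscustomobject]@{
                Clsid      = $clsid
                Name       = $name
                Dll        = $dll
                Signature  = $status
                Suspicious = (-not $name) -or ($status -ne 'Valid')
            }
        }
    }
}

$all = Get-BhoInventory
$all | Sort-Object Suspicious -Descending | Format-Table -AutoSize
# The object ID from this post:
$all | Where-Object { $_.Clsid -eq '{598F4775-6FB6-477B-9842-E0426824E077}' }
```

A `Suspicious` flag is a triage hint only: some legitimate add-ons ship unsigned DLLs, so check the publisher and file location before deleting anything.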

Now I just needed to prove my theory. Was this little DLL file what was actually turning all my Google Ads into pornography? It wouldn't take much to find out. I went out and visited the site that I last remember seeing this problem with. You might try this too. Below is the URL to a VIA Forum. Scroll over to the right corner, and check the ad in the top right. You *should* see Google Ad text (not bare chested ladies).

http://www.viaarena.com/default.aspx?PageID=5&ArticleID=497&P=6

To really make my point, I hopped onto my wife's computer. She has had this problem too. First we brought up the VIA Forum with the object enabled. She saw the pornography. Next we disabled the object, restarted the browser, and reloaded the page. Now she was seeing the Google Ads as they were meant to be.

I have no idea how this object got installed, but I have heard from other folks that they had this same problem. If you have a story to tell, drop me a comment.

-Steve Ballantyne