Understanding how websites infect your system.


  1. Posts : 3
    Win 7 Pro SP1 (64bit)
       #1

    Hi.

    First off, I apologize if this is in the wrong place; it's been a while since I've been on sevenforums, and the site layout has changed a bit.

    I should start by explaining why I'm asking this question, and a bit about me, I guess. I would describe myself as maybe a novice who wants to understand more. And like most people, I have at some time or another had the occasional bothersome nasty stuff manage to get on my system. In each of the cases I was lucky enough to be able to deal with the nasties by using the rudimentary knowledge I've picked up over time, and a few simple tools like HijackThis, Process Explorer, Malwarebytes, HitmanPro, CCleaner etc., and Task Manager/Registry Editor and the System Configuration utility in Windows. But I'm only a novice still, and whilst I can usually muddle my way through problems, and know enough to kind of fix them, I don't know enough about what the underlying series of events are that happen in the background that allow infections to get onto your system in the first place.

    Let me give an example of one recent instance, and what I did. OK, so I always have Task Manager open, at all times, so I can just keep an eye on everything that's running. This probably sounds odd to most of you, but it was a habit I was taught very early on, and it's just something I do without even thinking now.

    So I noticed in Task Manager that a "RUNDLL32.exe" process was active. I've seen an entry name similar to this before, and my understanding is that most of the time it's a legitimate process. But it caught my eye because it wasn't going away. So I did a bit of digging and saw that it pointed to this path: "C:\...\AppData\Local\Electronic Arts\mbrovemr.dll, InjectDll". So I checked on the "RUNDLL32.exe" process in Process Explorer, looked at all the DLLs in the process, and sure enough I saw the mbrovemr.dll in amongst a load of Microsoft entries. The mbrovemr.dll didn't have a version or company name by it, so I got concerned. However, I didn't know what to do. But I knew something was wrong because the file description for the mbrovemr.dll was that it was an "ESET application extension for Outlook Express and Windows Live Mail" (or something along those lines, I can't recall the exact wording of it). It sounded like part of a piece of security software, but since I didn't have any such programs installed by that security vendor, and the fact that this file was in an Electronic Arts folder, it didn't make sense.

    So I did a quick scan with HitmanPro, and it found a suspected trojan called "1jfuweif.exe" in my C:\...\AppData\Local\Temp folder, which over the years I've noticed is a place that a lot of nasty stuff likes to put malicious files/applications. Also VirusTotal flagged it as a trojan as well. So I compared the "date created" entries in Windows for both files, and sure enough both the "1jfuweif.exe" file and the mbrovemr.dll had been created at exactly the same moment. This linked the already suspicious mbrovemr.dll to the known trojan file "1jfuweif.exe". Then I checked my startup entries in Windows, and there was a new one called "Electronic Arts", and its path led to the mbrovemr.dll. So at this point what I knew was that I had a startup entry that would initiate a process with a suspicious DLL, a DLL file that was connected to a known trojan. Since this "1jfuweif" trojan file was an application, I made the assumption that the purpose of the startup entry was to run/execute the "1jfuweif" application silently at logon.

    So I made the decision to just delete all the files, including another application file called "2jfuweif", and all other temp files that were created at the same moment as the "1jfuweif" & "mbrovemr.dll". Then I also disabled the "Electronic Arts" startup entry and killed the "RUNDLL32.exe" process in Task Manager so I could then delete the "mbrovemr.dll" in the Electronic Arts folder. I then checked the Run, RunOnce, RunServices etc. etc. in the registry under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, as well as checking that Task Manager hadn't been disabled in the registry and that it was still accessible by Ctrl+Alt+Del, by checking that its policy hadn't been changed in the Windows Group Policy Editor. Then I scanned the system again with HitmanPro and Malwarebytes, which came back clean. Then I opened up Process Explorer and proceeded to work my way down the list of all processes listed, checking all the DLLs associated with each of them to see if they had version numbers and company names, because I was worried that a malicious DLL might have been injected into one of the legitimate Windows processes, although I don't know if such a thing is possible (that's something I'd like to know). But I checked anyway, just to be on the safe side. Then, just to be extra safe, I added Process Explorer as a program to run at user logon in the Windows Group Policy Editor, just in case Task Manager was made inaccessible by some other means upon reboot. Then I did a quick check of all the entries in services.msc to make sure there was no backup means by which anything malicious could be initiated at logon. Then I crossed my fingers, and rebooted...

    All seemed well. No signs of anything suspicious. Did some more scans with HitmanPro, HijackThis, and Malwarebytes; they came back clean. The reason I explained all that was because in the course of all that I found out the time that all the malicious files were created on my system. So I just opened up Firefox history and checked if I had visited any websites at that time and date. And there were a few sites listed as visited within that time frame. And as I recall they were just normal sites, like a blog site or a forum etc. My theory is that it must have been one of the sites I accessed that was the cause of the trojan, since I don't recall installing any programs at the time or opening any suspicious emails or anything.

    My question is, how do websites, even seemingly innocuous ones, manage to 1) add startup entries to Windows, 2) initiate processes silently without your consent, as well as 3) download malicious applications onto your system? How does one website do all that? I would really like to understand the mechanics of how it's all done, because it's something I've always wondered about.

    Thank you.

    OS : Windows 7
    Last edited by Prenum; 19 Jul 2012 at 01:31.
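The hand triage described in the post above (rundll32 command line, Run/RunOnce keys, services, loaded DLLs, then pivoting on "date created"), automated as an added example that is not part of the original thread. It is PowerShell 3.0 or later (Windows 7 needs the Windows Management Framework 3.0 update for that). The list of "user-writable" roots and the 5-second correlation window are this example's own assumptions, and the "Electronic Arts" path in the post is only what such a sweep would surface; nothing from the post is hard-coded here.

```powershell
# Added example, not from the thread. Assumption: these roots are where dropped files land
# and where no legitimate autostart target, service binary or loaded DLL should live.
$UserWritableRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads")

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($root in $UserWritableRoots) {
        if ($root -and $Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CommandTarget {
    # The file that really runs: for "rundll32.exe <dll>,<Entry>" the DLL, else the (quoted) executable.
    param([string]$CommandLine)
    if     ($CommandLine -match '(?i)rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)') { $target = $Matches[1] }
    elseif ($CommandLine -match '^\s*"([^"]+)"')                               { $target = $Matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')                                   { $target = $Matches[1] }
    else   { return $null }
    $target = [Environment]::ExpandEnvironmentVariables($target.Trim())
    # Bare names such as shell32.dll resolve from System32, as the loader would.
    if (-not [IO.Path]::IsPathRooted($target)) { $target = Join-Path "$env:SystemRoot\System32" $target }
    return $target
}

function New-Entry {
    param([string]$Source, [string]$CommandLine)
    $target = Get-CommandTarget $CommandLine
    $exists = [bool]($target -and (Test-Path -LiteralPath $target))
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $target -ErrorAction SilentlyContinue } else { $null }
    [pscustomobject]@{
        Source       = $Source
        Target       = $target
        Exists       = $exists
        UserWritable = Test-UserWritablePath $target
        Signed       = [bool]($sig -and $sig.Status -eq 'Valid')
        CommandLine  = $CommandLine
    }
}

function Get-Rundll32Entries {
    # WMI gives the full command line, which Task Manager hides unless that column is enabled.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
        ForEach-Object { New-Entry -Source "Process PID $($_.ProcessId)" -CommandLine $_.CommandLine }
}

function Get-RunKeyEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            New-Entry -Source "$key\$name" -CommandLine ([string]$regKey.GetValue($name))
        }
    }
}

function Get-ServiceEntries {
    Get-CimInstance Win32_Service | ForEach-Object { New-Entry -Source "Service $($_.Name)" -CommandLine $_.PathName }
}

function Get-UserWritableModules {
    # The Process Explorer "DLL view" sweep: every loaded module, in every process we can read,
    # that lives under a user-writable root. Protected or other-bitness processes throw and are skipped.
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            if (Test-UserWritablePath $m.FileName) {
                New-Entry -Source "Module in $($proc.Name) PID $($proc.Id)" -CommandLine ('"{0}"' -f $m.FileName)
            }
        }
    }
}

function Get-FilesCreatedNear {
    # The "same date created" correlation from the post: files created within $WindowSeconds of $Anchor.
    param([datetime]$Anchor, [int]$WindowSeconds = 5, [string[]]$Roots = $UserWritableRoots)
    foreach ($root in $Roots) {
        if (-not ($root -and (Test-Path $root))) { continue }
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { [math]::Abs(($_.CreationTime - $Anchor).TotalSeconds) -le $WindowSeconds } |
            Select-Object FullName, CreationTime, Length
    }
}

# Usage: collect everything, then show only targets that live in user-writable locations.
$all      = @(Get-Rundll32Entries) + @(Get-RunKeyEntries) + @(Get-ServiceEntries) + @(Get-UserWritableModules)
$suspects = @($all | Where-Object { $_.UserWritable })
$suspects | Format-Table Source, Target, Exists, Signed -AutoSize
if ($suspects.Count -gt 0 -and $suspects[0].Exists) {
    $anchor = (Get-Item -LiteralPath $suspects[0].Target).CreationTime
    "Files created within 5 seconds of ${anchor}:"
    Get-FilesCreatedNear -Anchor $anchor | Format-Table -AutoSize
}
```

Run it in an elevated session so service binaries and other users' processes are readable. It flags on location rather than on signature because on Windows 7 Get-AuthenticodeSignature generally reports catalog-signed system files as NotSigned, so the Signed column is supporting evidence only. Get-UserWritableModules covers the concern the poster raised about DLLs injected into legitimate processes: a module loaded from AppData or Temp inside a process that should only load from System32 or Program Files is exactly that, and it is possible. A 64-bit PowerShell cannot read the module list of 32-bit processes (and vice versa), so on x64 run both the 64-bit and the 32-bit (x86) PowerShell.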


  2. Posts : 1,800
    Windows 7 Pro x64 SP1
       #2

    Welcome to the windows 7 forums Prenum

    FWIW: your message was very difficult to read as you did not paragraph most of it.

    "My question is, how do websites, even seemingly innocuous ones, manage to 1) add startup entries to Windows, 2) initiate processes silently without your consent, as well as 3) download malicious applications onto your system? How does one website do all that? I would really like to understand the mechanics of how it's all done, because it's something I've always wondered about."

    From my experience, malicious sites have either a JavaScript icon or a single pixel that runs a script and then downloads the bad guys to your computer. I have a paid version of Malwarebytes and it catches any strange behavior from web pages.

    Rich


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #3

    Make sure Java is always updated, and delete the oldest version. Also, make sure Adobe is updated.


  4. Posts : 472
    Windows 7 x64 SP1
       #4

    Jacee said:
    Make sure Java is always updated, and delete the oldest version. Also, make sure Adobe is updated.
    Or don't use either of them unless you really have to.
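The two replies above say to keep Java and Adobe updated and to delete the oldest version; the first step is knowing what is actually installed, since side-by-side Java and Flash/Reader installs are easy to miss. The following is an added example, not from the thread, for PowerShell 3.0 or later: it reads the Uninstall keys in both registry views and lists each matching product newest first. The product name patterns are an assumption about how these installers label themselves; adjust them for other plug-ins.

```powershell
# Added example, not from the thread. The name patterns are an assumption about installer labels.
function Get-PluginInstalls {
    param([string[]]$NamePatterns = @('Java*', 'Adobe Reader*', 'Adobe Flash Player*', 'Adobe Acrobat*', 'Adobe Shockwave*'))
    $roots = @{
        'native' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
        '32-bit' = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # WOW64 view on x64
        'user'   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs
    }
    foreach ($view in $roots.Keys) {
        if (-not (Test-Path $roots[$view])) { continue }
        foreach ($sub in Get-ChildItem -Path $roots[$view]) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.DisplayName) { continue }
            $product = $null
            foreach ($pat in $NamePatterns) { if ($p.DisplayName -like $pat) { $product = $pat.TrimEnd('*'); break } }
            if (-not $product) { continue }
            # DisplayVersion is free text; parse it so "7.0.90" sorts before "7.0.100" instead of as strings.
            $ver = $null
            if (-not [version]::TryParse(($p.DisplayVersion -replace '[^\d.]', ''), [ref]$ver)) { $ver = [version]'0.0' }
            [pscustomobject]@{
                Product   = $product
                Name      = $p.DisplayName
                Version   = $ver
                View      = $view
                Installed = $p.InstallDate
                Uninstall = $p.UninstallString
            }
        }
    }
}

# Usage: newest version of each product first; every later row for the same product
# is a stale side-by-side install and a candidate for removal via its Uninstall string.
Get-PluginInstalls |
    Sort-Object Product, @{ Expression = 'Version'; Descending = $true } |
    Format-Table Product, Name, Version, View, Installed -AutoSize
```

The 32-bit view matters even on a 64-bit machine: browser plug-ins of that era were mostly 32-bit and live under Wow6432Node, so a sweep of only the native hive misses them.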


  5. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #5

    If you run Firefox, there is a plug-in available called NoScript. This does a good job of stopping most drive-by malware/viruses.


  6. Posts : 23
    Windows 7 Ultimate x64
       #6

    Hello,
    I stand by what Jacee says. Your AV will locate what your system is set to allow in; if it is not updated, this can cause auto-runs of (.exe) files or auto-scripting without your permission and/or knowledge on your system, hence redirecting, toolbars, fake AV scanners, lower-volume malware and spyware, which could have followers with rootkits and Trojans.

    sixwheeler


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd