HELP! DLL's being replaced and added without permission

Every time I connect to the Internet, new and/or replacement Dynamic Link Libraries (DLL's) are uploaded and installed onto my computer.

I am aware of this because I have put a check mark at "Enable DLL Authentication" in Sygate Personal Firewall security options.

I have disabled Automatic upgrades in windows and other programs on my computer. Nevertheless, this is still happening and I want to stop it.

DLL's can get uploaded anytime, it does not matter which browser, mail reader or news reader I am using, or even if any of these programs are running. As long as I am connected to the Internet.

The only thing Sygate does about it, is to inform me that "A new DLL has been loaded" and asks me "Do you want to allow it to access the network?" If I click No, usually then the computer does not work properly and I have to reboot, which then starts to use the new or replaced DLL anyways.

I get DLL's uploaded from everywhere, even from known sites like Yahoo, Google, Tucows, not only from unknown sites.

I'm very concerned about this. I don't want anyone making changes to my system without my permission.

I am using XP with SP1a on this machine, but even with a fresh installation of XP and SP2 on another computer, DLL's are being replaced or added to.

Until I turned on "Enable DLL Authentication" in Sygate Personal Firewall, I had no idea that this was happening. I would be very grateful if anyone could tell me how to stop this.

Hal

Do you have Windows Update running in the background?

Does your Antivirus software auto-update?

Do you have any applications that "Check for Updates" when connected?

Leythos

On Thu, 09 Dec 2004 08:58:59 -0500, Hal spoketh

I think you have misunderstood what "DLL Authentication" is... It has nothing to do with downloading DLLs, it has to do with which DLLs are used when your applications are connected to the internet.

Various features in a browser may be tucked away in a DLL rather than in the executable itself. Whenever such a feature is used, it'll show up in your firewall as this DLL attempting to connect to the internet. These are merely sub-programs to the actual program in use. So, that's what your firewall is freaking out over. There are no DLLs being transmitted to or from your computer, and no DLLs are being replaced.

Unless you have reason to believe that you have obtained some spyware or other malware that's hiding as a DLL, then turn it off or you'll go nuts worrying over all those files...

Lars M. Hansen


A new dll can be uploaded because it is not yet in use, and the others are probably treated like upgrades. Nevertheless, I'm not trying to figure out how they are doing it, I'm just trying to find a way to stop it.

Below are examples of what is happening.

I just downloaded my email, and Sygate displayed the warning "A new DLL has been loaded by McAfee VirusScan Scan E-mail Module"

The DLL uploaded is called: mcscan32.dll

I do not have McAfee set for upgrades!

At the bottom of the warning was a "Binary dump of the packet" which contained detailed information of the messages I just received. For each message the binary information in this DLL contains:

My account address, Sender address, Message ID, Date, and other code for which I have no idea what it is.

As another example: When I go to web sites, Sygate gives me warnings of "A new DLL has been loaded by Internet Explorer" And this does not only happen with Internet Explorer, but also Netscape and Firefox.

I'll give you two examples:

1st, The following DLL's have been uploaded by Name: track.pointroll.com Port: 80 (HTTP - World Wide Web)

cfgmgr32.dll GdiPlus.dll wiashext.dll winsta.dll msgina.dll drprov.dll

2nd. My Discount broker web site uploaded the following dll. ccmsghk.dll

And this is only two examples of many. As you can see. The uploading can come from anywhere.

This is very troubling to me. The DLL's appear to be uploaded as tracking cookies or might be called on later by a program. Web sites used to use tracking cookies but I seldom receive cookies any more. What I am receiving is DLL's that according to the Binary dumps of the uploaded, contain similar information to cookies.

I have been saving the Binary dumps and if the same dll is uploaded more than once, I make a comparison of the dumps and I have found that in each case the upload is different. And it is not an upgrade because some dll's are being replaced more than once a day.

I believe that DLL's are now being used to track computer use and information we receive over the internet. This can be a serious security threat to our privacy, and I can not find any way to stop it.

Hal

Windows update is turned off

I am using McAfee, but the auto-update is also turned off

I don't believe so, but it is possible that something is on my computer causing this, but I don't know what. I've checked using Ad-Aware, Spybot and McAfee.

Maybe something that I have already cleaned off my system had changed some setting that allows this to happen.

Any ideas, please.

Hal

On Thu, 09 Dec 2004 20:47:37 -0500, Hal spoketh

mcscan32.dll is a dll used by your McAfee software to scan your e-mail. It is loaded into memory from _your_ computer. It is not downloaded from the internet and installed on your computer. Nothing sinister is going on here. Please re-read my previous post.

Lars M. Hansen


First of all, I want to thank you for assistance, I did read your previous post, but I want to make a couple points clear.

I download my email using Eudora Mail Reader, I do not use a browser for email. McAfee VirusScan E-mail Module scans all incoming mail. As soon as Eudora finished uploading my email I then got the Sygate warning.

Can you explain why the Binary dump in that warning contained all the header information from the emails I just received and stated the dll that was uploaded is mcscan32.dll?

I know that this dll is used by McAfee, what Sygate is saying in its warning, is that the information displayed in the Binary dump is associated with that dll.

The question is for what purpose, and how do I stop it. I do not like any program to gather information on my emails or computer use!

Secondly, I mentioned web sites that are also sending dll's. I have not recently upgraded any program on my computer but my computer now contains over 3000 dll's and growing every day.

Can you also explain why the number of dll's on my computer are increasing each day? I have turned off Auto-upgrades for windows and in any program that has a check box for that purpose.

If you can come up with an acceptable reason why I keep getting more and more dll's each day, other than they are being used for spying, I would be grateful.

But my main reason for my original post is to stop anything from automatically installing onto my computer, be it dll's or anything else.

Hal

Hal wrote in news:ihjgr0dtan1j6ahr1ifqubohnbms7gljs4@4ax.com:

No, this cannot happen while the dll is in use. If a dll is in use by an application/program that is running, then some kind of an *access denied* situation would occur if something was trying to replace the dll while it's in use. At least that be my experience with trying to replace a dll that was in use.

You know this for a fact and how do you know it?

I don't fully know your situation, but I kind of doubt that this is really happening at the alarming rate you say it is happening.

What dll(s) are you talking about and what O/S is this?

And it could be the fact that you have enabled that option that is causing you grief. It could be that you may have to approve every dll that a host program is calling until you have approved them all.

It's the same kind of thing with BlackIce and its authentication process for exe(s), dll(s), etc., etc. If BlackIce has never had the authentication process enabled and it was enabled, then it would *bark* at everything that started up and ran until I approved everything one by one.

That's what I think is happening to you and I don't know that much about Sygate. The out for me with BlackIce is that I can tell BI to do a Baseline scan *authentication* process of all executables on the machine and it will stop barking. Maybe, Sygate has something like what BI has for a baseline authentication process. It could be that you don't fully understand Sygate's Application Control.

Duane :)

Duane Arnold

This sounds like you may have a unique problem in Windows (or the Sygate install).

However, this is also interesting to me because I recently became aware of a possible variant of Domwis having a similar behaviour.

On an outside chance, could you post the contents of the startup registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

and (depending on which flavour of Windows you have) the "Ex" versions of these keys.

Mungo

On Thu, 09 Dec 2004 23:04:18 -0500, Hal spoketh

Doesn't matter if you use a browser or not. Most larger applications today use DLLs and many use the same DLLs. That's where a huge number of system functions are stored, and there's little point in re-inventing the wheel, so they use what's already there. My browser reference earlier was merely meant as an example.

Because the DLL in question is the "program" that scanned the e-mail for viruses.

It isn't. It's scanning your e-mail for viruses.

Welcome to the club. I have 7561 DLLs on this workstation.

DLLs should only be added to your system when you install something, intentional or unintentional. Where does it all come from? Video codecs, toolbars for your browser, audio decoders, video drivers, audio drivers, nic drivers, USB device drivers; virtually any new or enhanced feature added to your browser, e-mail software, banking software, firewall, anti-virus software or any other software or hardware that you may have updated may come in the form of a DLL. Even if you have turned off some updates (which is a BAD idea), there may still be other programs that are updating in the background.

If you are noticing a significant increase in the number of DLLs on your system on a daily basis, then I would be worried about you perhaps having a trojan that lets other people put more crapware on your computer. Check your system thoroughly with Spybot S&D and HiJackThis, and

If you want to stop anything from being installed on your computer, then disable these features in the programs. The biggest sinner in this respect would be Internet Explorer, but that can be stopped by, first, updating the browser, then configuring it in such a way that it won't download any and all ActiveX component it finds...

Lars M. Hansen


I think Lars has pretty much covered it -- ditto.

Duane :)

Duane Arnold
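
An added example, not part of any post in this thread: a before/after inventory of DLL files on disk, written in Python, that shows whether any DLL was actually added or replaced between two points in time, which is a different event from an existing DLL being loaded by a program. The function names and the sample files in the temporary folder are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each .dll under root (relative path, lower-cased) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            full = os.path.join(dirpath, name)
            key = os.path.relpath(full, root).lower()
            try:
                with open(full, "rb") as handle:
                    result[key] = hashlib.sha256(handle.read()).hexdigest()
            except OSError:
                result[key] = "unreadable"  # locked file: record it, do not skip
    return result


def compare(baseline, current):
    """Return DLL files added, removed or changed on disk since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed data: a temp folder stands in for a Windows system folder."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        write("mcscan32.dll", b"scanner v1")
        write("GdiPlus.dll", b"graphics v1")
        write("notes.txt", b"not a DLL, ignored")
        baseline = snapshot(root)
        write("GdiPlus.dll", b"graphics v2")   # replaced on disk
        write("extra.dll", b"new file")        # newly installed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run `snapshot` on the real system folder, save the result, and compare a later snapshot against it: a DLL that only triggered a firewall prompt will not appear in any of the three lists.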
