
Spy-Malware Opens 2nd Internet Browser Window


This topic is locked.
46 replies to this topic

#1 Mickey Sabbath

  • Members
  • 43 posts

Posted 13 August 2009 - 04:43 PM

Recently, I discovered that when connected to the internet via Microsoft Internet Explorer or Firefox, the following phenomenon plagues my computer.

Upon visiting an internet site, as you know, a window pane on the task bar encapsulates or describes the site. (For example, as I write this, the task bar's window pane below reads "BleepingComput".)

Each time I connect to a site-- any site-- and linger there, a second pane sporadically and spontaneously appears and then quickly disappears. It's difficult to detect because no new window accompanies the window pane and because it disappears so quickly. Furthermore, this phantom second pane doesn't contain any text. Although it's approximately the same size as the ordinary window pane, only a small white square, approximately a third of the pane's size, identifies it.

The secondary pane suggests some trojan's partially thwarted effort to establish a full, complete connection to a site and to open the accompanying window. Alternatively, it suggests some spyware recording my internet history.

I attach the requisite logs below. Any help you can offer would be greatly appreciated.

Attached Files





#2 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 20 August 2009 - 04:18 PM

By the way, I neglected to add to my first post, I cannot run RootRepeal.exe on my computer. Each time I run it I receive a "Intializing, please wait" message in a gray box and the program remains frozen at that stage indefinitely. I've let it run for hours and it never proceeds beyond that stage.

Moreover, it consumes the entirety of my computer's available memory and precludes me from using it for any other purpose.

Can I add any additional information-- perhaps, a combofix log-- to clarify my problem or to assist a tech person in addressing my problem?

If I just need to wait for someone to get around to it, I apologize for the impatience.

===========

Hello

Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 21 August 2009 - 11:12 PM.


#3 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 24 August 2009 - 08:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 25 August 2009 - 11:43 AM

I enclose below the two new DDS attachments, as you've requested. I have not been able to run rootrepeal however. The latter freezes my machine once I start it. The program opens a gray box titled "initializing your computer. Please wait" and never advances beyond that point.


I would describe my problem as follows:

Every 5-10 minutes or so, a window pane containing a small white square (devoid otherwise of identifying text) spontaneously opens on the task bar and immediately disappears. (I believe it's called a window pane. It's the area, for example, at the bottom of this window that reads "BleepingComputer" describing or encapsulating the site.) If other window panes are open because I'm browsing the web, the phantom window pane opens to the right of them. If no windows are open, the phantom window pane opens to the right of the start menu.

The interval between the opening and closing of the window pane lasts no more than 2-3 seconds. The intervals between one phantom window pane opening and closing and its successor range anywhere from 5 to 10 minutes.

I would guess that the secondary pane suggests some trojan's partially thwarted effort to establish a full, complete connection to a site and to open the accompanying window.

I'd appreciate any help you can offer in eradicating it.

Attached Files



#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 31 August 2009 - 05:31 PM

Hi Mickey Sabbath,

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Please post the log though as it may shed some light on what has happened to your PC.


If RootRepeal won't run then try Gmer.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop, please rename it as gamer.exe.
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see a window at this point. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Thanks :thumbup2:
m0le is a proud member of UNITE

#6 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 01 September 2009 - 01:16 PM

Thanks m0le for attending to my problem. As you requested, I attach a log, copy and pasted into Notepad, from GMER below.

I'd appreciate any help you can offer because the affliction, described above, that has contaminated my computer persists.

Incidentally, to amend my earlier post, the phantom window pane with the white square no longer seems to require me to be connected to the internet, via Internet Explorer or Mozilla, in order to open. My computer can lie dormant, without a single program running for example, and the phantom pane will materialize nonetheless.

Thanks again.

Attached Files

  • Attached File  GMR.txt   9.23KB   10 downloads
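The symptom described in posts #4 and #6 (a taskbar button that appears for 2-3 seconds every 5-10 minutes, even with the machine idle) can be tied to a specific process before any removal tool is run, which is the check a responder would want given that the scan logs in this thread come back clean. The script below is an added diagnostic example; it is not from this thread, from BleepingComputer, or from any of the tools mentioned here. It assumes Windows PowerShell 3.0 or later and a writable log location (the log path shown is a placeholder); it polls the process list for top-level windows and records which process owns each window that appears or disappears.

```powershell
# Added example (not from the thread): log which process owns each top-level
# window that appears or vanishes, so a short-lived "phantom" window can be
# attributed to its executable. Assumes Windows PowerShell 3.0+.
$LogPath = "$env:USERPROFILE\Desktop\phantom-windows.log"   # placeholder path
$PollMs  = 250   # well under the 2-3 s the window stays visible

function Get-WindowSnapshot {
    # One record per process that currently owns a visible main window.
    Get-Process | Where-Object { $_.MainWindowHandle -ne 0 } | ForEach-Object {
        $exePath = $null
        # Path can be unreadable for protected or higher-privilege processes.
        try { $exePath = $_.Path } catch { $exePath = $null }
        [PSCustomObject]@{
            Key   = "$($_.Id):$($_.MainWindowHandle)"
            Id    = $_.Id
            Name  = $_.ProcessName
            Path  = $exePath
            Title = $_.MainWindowTitle
        }
    }
}

function Write-Event {
    param([string]$Kind, $Window)
    $line = '{0} {1,-4} pid={2} name={3} path={4} title="{5}"' -f `
        (Get-Date -Format o), $Kind, $Window.Id, $Window.Name, $Window.Path, $Window.Title
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

# Seed the baseline with whatever windows are open right now.
$known = @{}
Get-WindowSnapshot | ForEach-Object { $known[$_.Key] = $_ }
Write-Host "Watching for new top-level windows; leave the machine idle. Ctrl+C stops."

while ($true) {
    Start-Sleep -Milliseconds $PollMs
    $current = @{}
    Get-WindowSnapshot | ForEach-Object { $current[$_.Key] = $_ }

    # Windows present now but not in the previous poll: something just opened.
    foreach ($k in $current.Keys) {
        if (-not $known.ContainsKey($k)) { Write-Event -Kind 'NEW' -Window $current[$k] }
    }
    # Windows present before but gone now: the short-lived window closed.
    foreach ($k in $known.Keys) {
        if (-not $current.ContainsKey($k)) { Write-Event -Kind 'GONE' -Window $known[$k] }
    }
    $known = $current
}
```

Run it from a PowerShell console, leave the machine alone for a few cycles of the 5-10 minute interval, and then read the NEW/GONE pairs in the log: the `path` field names the executable to look up in the DDS or ComboFix logs already posted. Two limits worth knowing: a window that lives shorter than the poll interval can be missed, and windows that a process does not report as its main window (tray balloons, tool windows) do not appear in `Get-Process` output, so an empty log does not by itself rule out a background process.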


#7 m0le

  • Malware Response Team
  • 34,527 posts

Posted 01 September 2009 - 01:20 PM

Nothing showing on Gmer.

Can you post the Combofix log for the run that you have already done. :thumbup2:

#8 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 01 September 2009 - 04:00 PM

Here you go, as you requested, I attach the combofix log.

Please let me know if there's any additional information I can provide that will help you.

Attached Files

  • Attached File  log.txt   12.71KB   2 downloads


#9 m0le

  • Malware Response Team
  • 34,527 posts

Posted 01 September 2009 - 04:25 PM

According to the log you posted you have run Combofix a number of times.

I'm starting to suspect that these windows that are opening are not malware-related so I need to see what else Combofix removed on the first run.

Please post the first Combofix log that was run.


Then we need to make sure that your version is up to date.

Could you please do the following.

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.


Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks. :thumbup2:

#10 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 02 September 2009 - 08:08 AM

I apologize for running Combofix without a Bleeping Computer IT person's recommendation. I didn't read the advisory against doing so until very recently.

Nonetheless, I followed your recent instructions, and below, I attach the two logs you requested.

The first log, titled "1stComblog.txt", was archived on my computer as "Combofix.txt," so I assumed that it corresponds to what you mean by 'first'.

The log from the new ComboFix I downloaded and saved as Combo-Fix.exe is the second file annexed below, titled "NewComboFix_log.txt".

Thanks again.

Attached Files



#11 m0le

  • Malware Response Team
  • 34,527 posts

Posted 02 September 2009 - 01:17 PM

No malware is showing on your initial run or on the new log so this is not a malware issue.

I would like to just run two more scans to see if there are any remnants of malware left over. It is possible that there was activity previously and I want to rule it out before I give the all clear and send you over to another forum for advice.


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Thanks :thumbup2:

#12 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 05 September 2009 - 09:31 AM

Sorry for the delay, but I had to run BitDefender multiple times before I could complete a scan without the program causing my computer to freeze.

After protracted trial and error, I selected the option that confines the scan to identifying and reporting malware without quarantining or deleting it. Accordingly, the seven corrupted files it identified, provided below in the attached document, still infect my computer. I don't know whether any of them are responsible for the problem that precipitated my post, but as always, I would appreciate your assistance in removing them.

The Malwarebytes Anti-Malware program didn't detect any problems, but I annex its log as well.

(For your convenience, I attach the Bit Defender program's results as both an .html file and a Wordpad .rtf file.)

Thanks again.

Attached Files



#13 m0le

  • Malware Response Team
  • 34,527 posts

Posted 05 September 2009 - 02:32 PM

The BitDefender scan isn't all that bad, Mickey Sabbath. All of the entries except one are either quarantined or removable when I give my last instructions to you. :)


Use Windows Explorer to find and delete this file (if it is still present):

C:\WINDOWS\system32\ActiveScan\PSKAVS.0LL

As an example:
To delete C:\WINDOWS\badfile.dll
Double click the My Computer icon on your Desktop. Or click on the Windows KEY + E.
Double click on Local Disc (C:\)
Double click on the Windows folder,
Right click on badfile.dll and then from the menu that appears, click on Delete



Next please run ATF

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.

Let's also have a new DDS log and if there are still any problems then let me know what they are.

Thanks :thumbup2:

#14 m0le

  • Malware Response Team
  • 34,527 posts

Posted 08 September 2009 - 05:52 PM

Are you still there Mickey Sabbath?

There are still important steps to carry out.

#15 Mickey Sabbath

  • Topic Starter
  • Members
  • 43 posts

Posted 09 September 2009 - 10:05 AM

Sorry for the delay, but I was out of town for the Labor Day weekend.

Alas, I'm still having the same problem with the computer. As you requested, I attach the DDS logs.

Once again, I'm grateful for whatever assistance you can offer.

Attached Files





