Author Topic: In search of ... assistance with a tenacious BHO ... (Read 13382 times)

barney · « **on:** December 16, 2013, 03:01 PM »

... which may not even be a true BHO.

At some point in the last month or two (2), a sneaky little bit of ware installed itself on my system. It likely came, unheralded, with some installation package. Part - evidently not all - of the package was ScorpionSaver, which I [thought I] managed to eradicate. However, something is still here and I'm unable to find it. It slows things terribly, almost to the point of making a browser useless.

Symptoms:

5-6 line banner ad at top of page
~3"x3" ad block, usually lower left corner, sometimes titled Ad not from this page
Small banner, usually below a site graphic, usually with left-right scroll arrows and clickable graphics, usually hardware
Transparent graphic covering the entire page such that any click on that page will load a new Web page (sometimes even on my Gmail page)

Not all symptoms are displayed on every page, but I can tell when something is coming because of the slow loading of the page. Each of the ads is more-or-less relevant to the page being loaded. I've tried several cleaners, but all that accomplished was to completely wipe my Firefox configuration(s). Search (Google, DuckDuckGo) has yielded naught but the ScorpionSaver removal process - which may have been somewhat less than completely effective.

Primary browser is Firefox. IE doesn't seem to show the ads, but has the same slowdown problem, as does Chrome.

This little beastie also seems to slow the whole system, but I cannot find it in memory with any of the tools available - might not be able to recognize if if I did $:-\$ .

40hz · « **Reply #1 on:** December 16, 2013, 04:42 PM »

If it is being caused by Scorpion Saver (boy do I hate that thing!) try the steps here if you haven't already. Possibly you missed a step or only got an incomplete uninstall?

Worked for the two clients I have that got bit by it. YMMV.

Luck!

tomos · « **Reply #2 on:** December 16, 2013, 04:51 PM »

I got rid of that for a relative - but with the help of a german language forum, but this post may help:
https://www.donation....msg341593#msg341593

Took a long time, but it worked...

barney · « **Reply #3 on:** January 04, 2014, 12:07 AM »

Just to close this, nothing worked. Wasn't really optimistic, but there's always a chance. Yes, I did pay attention to detail, did not skip any [known] steps, got response(s) indicating success, all to no avail. So I restored a backup that wasn't, lost a pregnancy worth of data, but did get rid of the problem. 'Course, I still don't know the cause, so still subject to reinfection. Pretty much a worse end to a bad situation

$:-\$ .

Innuendo · « **Reply #4 on:** January 04, 2014, 12:11 PM »

barney, if I may ask, what security software are you using that let this thing slip through?

Might be time to start looking for a replacement.

TaoPhoenix · « **Reply #5 on:** January 04, 2014, 01:55 PM »

Just to close this, nothing worked. Wasn't really optimistic, but there's always a chance. Yes, I did pay attention to detail, did not skip any [known] steps, got response(s) indicating success, all to no avail. So I restored a backup that wasn't, lost a pregnancy worth of data, but did get rid of the problem. 'Course, I still don't know the cause, so still subject to reinfection. Pretty much a worse end to a bad situation $:-\$ .
-barney (January 04, 2014, 12:07 AM)

Yikes Barney!

I've grown lazy in my old age, but this is the type of thing I used to have a special "radioactive" machine to test low level stuff on. Did you ever figure out the source so that "for next time" we can apply (as someone said) "the hive mind" at it?

tomos · « **Reply #6 on:** January 04, 2014, 02:26 PM »

barney, if I may ask, what security software are you using that let this thing slip through?

Might be time to start looking for a replacement.
-Innuendo (January 04, 2014, 12:11 PM)

It would be interesting to hear which anti-virus programmes *are* good against this type of thing -- I wonder if any are?
The laptop I cleaned was using avira pro which has a very good reputation - used use it myself but gave up on it cause it got too many false positives and didnt make it particularly easy to report.

TaoPhoenix · « **Reply #7 on:** January 04, 2014, 03:33 PM »

barney, if I may ask, what security software are you using that let this thing slip through?

Might be time to start looking for a replacement.
-Innuendo (January 04, 2014, 12:11 PM)

It would be interesting to hear which anti-virus programmes *are* good against this type of thing -- I wonder if any are?
The laptop I cleaned was using avira pro which has a very good reputation - used use it myself but gave up on it cause it got too many false positives and didnt make it particularly easy to report.
-tomos (January 04, 2014, 02:26 PM)

I'm finding the "Anti-Virus" programs are terrible at this kind of thing. The toolbars/BHO/etc get there as "authorized installs" because the AV programs see them as "agreed to by that byzantine EULA" and therefore OK.

The types of approaches that work for me the few times I've had to deal with this stuff are much more low level and/or left-field.

barney · « **Reply #8 on:** January 04, 2014, 03:33 PM »

Well, since this wasn't technically a virus, not certain any AV solution would have caught it. Using Comodo firewall and Malwarebytes (paid version). However, I suspect this was crapware attached to another install that did not mention it was to be installed. I watch that pretty closely, but not all install systems announce themselves. And there is a possibility that I didn't install it, a neighbor did. I'm doing some Web work for her and her family, but some of what they want is on Facebook, so she has logged in several times to grab some photos she wants. I suspect she may have installed a Firefox extension to assist her

.

The thing that aroused my curiosity initially was the discovery of a recent temp directory on the root of C:\ with only two (2) files in it. When I searched on the files, I discovered - and eradicated - part of the problem. Just couldn't get rid of the whole famned damily, as it were.

As to the recovery aspect, one (1) of the onsite drives I was using for recovery purposes failed physically. So the inability to recover was due, in part, to mechanical failure. Appears that I'll have to - again! - rethink my storage/recovery scenario. Lost my off-site storage - she got married and moved away

- and don't have anything to replace that as yet.

So, a significant part of this was happenstance and timing, you might say Chance - with a capital SEE?.

Been trying out Sterjo NetStalker lately. It provides alerts for every outbound communication attempt, but only on the first try unless you deny permission. And it doesn't seem to work for subcommunications, e.g., once ya give Firefox outbound permission, anything under Firefox inherits that permission. So, even it it were a standalone program, since it was communicating via browser, it was using that browser's permissions and was not detected.

IainB · « **Reply #9 on:** January 05, 2014, 05:50 AM »

Benjamin Franklin once said that "an ounce of prevention is better than a pound of cure", but this can prevent and cure stuff as well - I've used it to clean malware (e.g., hijack trojans) off clients' hard drives: Malwarebytes FREE and PRO - Mini-Review.
It certainly works to prevent things as well, especially malware trying to sneak in down Internet links.

So, I'd love to know how it got past MBAM. Did you have it running with Realtime Protection ON?
I read that there is one malware that turns MBAM off, and there is a fix for that.

Shades · « **Reply #10 on:** January 05, 2014, 09:20 AM »

I couldn't agree more with the quote above "an ounce of prevention is better than a pound of cure" and apply this wherever I can, including my computing.

Sometimes it can be useful to take a look with the SysInternal tools Process Explorer and Process Monitor to take a look at what is actually happening when an application such as a BHO/virus/malware runs. One can even create and apply specific security rules in Windows itself that essentially block the execution of software. As you are already infected once, there is a good chance you will not be infected twice (with the same virus/malware).

Ok, remaining infected isn't a great strategy, but it does give you the resources of your PC back in almost all cases. I have successfully applied this on several occasions on different computers. Unfortunately, it is a lot of work and there is virus/malware code that can circumvent this. Although you are infected, you do disable the functionality of this code, rendering it (almost) useless.

However, in all cases this made the owner of the computer think they were "invincible" on the web as the method does allow for even more "adventurous" behavior.

Be warned though: this kind of thing does require that you have to know what you are doing, as you can seriously limit the functionality of your PC or even make it completely unusable.

Innuendo · « **Reply #11 on:** January 05, 2014, 10:40 PM »

Yes, AV programs are horrible at this kind of thing. That's why when I asked my question I specifically asked what *security* software you are running.

Barney, regarding software that can detect outbound communications & the like, I suggest you take a look at Agnitum's offerings. Their security suite offers granular controls that you can enable so that you are alerted any time a component is changed/added to a trusted program (like an extension for Firefox) and other things. The 'leak' tests you hear about on the internet are designed to catch this 'piggy-backing' onto trusted programs and Agnitum's products always score highly.

I'd also be curious what version of Windows was infected and what level to which you had UAC set.

barney · « **Reply #12 on:** January 06, 2014, 12:00 AM »

I'd also be curious what version of Windows was infected and what level to which you had UAC set.
-Innuendo (January 05, 2014, 10:40 PM)

Sorry, thought (erroneously) that was known. Win7 Ultimate, UAC maxed - inconvenient, but seems to be worth the inconvenience.

Agnitum is not something I've tried (that I recall, anyway) - way too many offerings - but I'll check it out.

Actually, I'm pretty miffed at most of the security software I've experienced. Most are all past tense, in that they work against known malware, but don't provide much protection against anything new. MalwareBytes seems to obviate that condition, at least so far, and a properly configured firewall helps. Right now I'm working with Comodo's product, but I'll change in a heartbeat if something better comes along.

Used to use Norton's products - actually had a few conversations with him on CompuServe - but stopped that when Symantec stepped in and bloated it. Also knew/conversed with Ron McAfee at the same time, but eschewed his product because of his attitude. I'd love to find some equivalent to the old Norton Utilities toolkit, but that seems unlikely.

All told, I'm pretty much a belt-and-suspenders type when it comes to security. My basic security mantra is that you never know how good your security is until it fails and you know that it failed!

tomos · « **Reply #13 on:** January 06, 2014, 04:48 AM »

RE security - removing Java makes PC a lot more secure - but not everyone can do that (I've missed it once or twice in six months since I uninstalled, but it wasnt anything important).
Also a couple of good tips in this thread: CryptoLocker and CryptoPrevent.
May be other tips here Does anyone know how I may remove Trojan Dropper:MSIL/Livate.A ?.
Both those are more to do with trojans though, I've no idea about BHO's.

joiwind · « **Reply #14 on:** January 06, 2014, 05:31 AM »

There is this, but I know nothing about it !!!

BHO Remover

Innuendo · « **Reply #15 on:** January 07, 2014, 08:48 PM »

RE security - removing Java makes PC a lot more secure - but not everyone can do that (I've missed it once or twice in six months since I uninstalled, but it wasnt anything important).
-tomos (January 06, 2014, 04:48 AM)

You can eliminate nearly all of the attack vectors that affect Java by just disabling Java in the web browsers you use. You can then use it for desktop applications while nothing 'evil' from the net can slip in through a Java vulnerability.

tomos · « **Reply #16 on:** January 08, 2014, 04:37 AM »

RE security - removing Java makes PC a lot more secure - but not everyone can do that (I've missed it once or twice in six months since I uninstalled, but it wasnt anything important).
-tomos (January 06, 2014, 04:48 AM)

You can eliminate nearly all of the attack vectors that affect Java by just disabling Java in the web browsers you use. You can then use it for desktop applications while nothing 'evil' from the net can slip in through a Java vulnerability.
-Innuendo (January 07, 2014, 08:48 PM)

good to know, thanks Innuendo

kilele · « **Reply #17 on:** January 08, 2014, 04:58 AM »

kaspersky rescue disk saved me a few times, I have a cd to reboot the pc with this software to check the system regularly

Innuendo · « **Reply #18 on:** January 10, 2014, 07:24 AM »

Gone are the days when you could just run an AV scan once a month and you'd be good. The savvy internet user uses a multi-layer defense to protect their computer.

Of course, there are some people who'll click the 'Yes/OK' button on any darn dialog box that pops up on their screen. There's no helping those people.

TaoPhoenix · « **Reply #19 on:** January 10, 2014, 07:56 AM »

You can eliminate nearly all of the attack vectors that affect Java by just disabling Java in the web browsers you use. You can then use it for desktop applications while nothing 'evil' from the net can slip in through a Java vulnerability.
-Innuendo (January 07, 2014, 08:48 PM)

good to know, thanks Innuendo
-tomos (January 08, 2014, 04:37 AM)

Just find a way to remember you did this. For all of these security reasons, I did this once last year. Then months later, some random website mysteriously wasn't working. Came to find out, it had a Java component call. But that didn't exactly throw a specific error. All we saw was "website cannot log in."

That's basically why I like a lot of low tech tricks. I used to keep trying about every two years to install NoScript. But I like to roam the web rather far and wide, and I just got more upset than benefit out of every single site not behaving right. Instead, I have a simple 1-click toggle that nukes all Javascript upon a re-load of a page. So I click that, then I load the *next* page (sometimes on the same site domain!), where I *want* the Javascript on, and toggle it back on. So sure, a few things slip by.

In contrast, Adblock seems to have a much better middle ground of nuking the worst ads, and leaving a lot of everything else alone.