Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

The case of the mysterious colour changing, bouncing box

February 26th 2007 in Uncategorized

The PC on which the mysterious bouncing box appears is a brand new Compaq.


The bouncing box, which is translucent, is not clickable. It seems to have no purpose other than to exasperate and confuse and encourage victims to “look here”.


A short video of the mysterious bouncing box is here:
http://msmvps.com/files/folders/spywaresucks/entry619001.aspx


Here is a PDF copy of a comparison between two HJT logs – one taken when there was no bouncing window, one when the window was active. You will see there are only a few new processes:
http://msmvps.com/files/folders/spywaresucks/entry623616.aspx


The existence of the additional entries is not conclusive proof that the processes are causing the bouncing window.


There is a picture of the box at the end of this article:


Here is the story of the mysterious box in the words of the PC’s owner – note that despite the steps taken the bouncing box reappeared.


“History:
My Wife’s machine had suddenly got a “java coffee cup in a colored box” floating horizontally across her screen continually after some time online.  No scans for virii or spyware showed anything, no processes that looked unusual, etc. and it persisted for a few years. It finally disappeared some months ago. I had blamed it on her opening some website with some graphic/media/joke sent by a computer-illiterate friend. Last night I had to eat crow and apologize to my Wife! ;-)


Current Events:
I bought a “Black Friday” special (day after US Thanksgiving dealers sell stuff for ridiculous prices), a Compaq Presario SR2039X Media Center 2005 machine for $389.00 (with LCD, printer and free Vista upgrade)! Yesterday I took it out of the box and spent part of the day running Windows and other updates. NOTHING personal on the machine and only AIDA32 added for a baseline inventory, ZoneAlarm and AVG AV added. I did NOT enable Symantec’s integrated protection junk! I just DL’d and installed Adobe Reader 8, walked away and came back to that infamous “java coffee cup in a colored box” floating across the screen! [I don't know if I had installed ZA and AVG before or after this happened.]


I did look thru Msconfig and Add/Remove Programs and found lots of junk I’d never let near a machine (WeatherBug, Wild Tangent, AOHell, Symantec, RealPlayer, etc.). Late in the day I did go about disabling and then uninstalling this junkware (as well as Java, just in case).”


So, gentle reader, do you have any idea what the mysterious bouncing box may be? Have you seen it before?



8 comments to...
“The case of the mysterious colour changing, bouncing box”

Andy

An Autoruns/HijackThis output would be nice to see what is installed and running on the machine.



Sandi

Hi Andy,

The guy who owns the charming little PC is watching this thread and has provided some HJT logs. I’m also planning to remote in and have a look for myself.

Here is a PDF copy of a comparison between two HJT logs – one taken when there was no bouncing window, one when the window was active. You will see there are only a few new processes:
http://msmvps.com/files/folders/spywaresucks/entry623616.aspx

The existence of the additional entries is not conclusive proof that the processes are causing the bouncing window.

The next step is to wait for the bouncing window to appear and then immediately kill discstreamhub.exe. If the window then disappears we have found our culprit. If it doesn’t then we’re going to have to dig deeper using a program such as Trend Micro’s System Information Collector, which is far superior to HJT for gathering information about what is running on a system.



sandi

test



Rob Nicholls

Based in Long Beach, CA, DISCover is a premier provider of on-demand video content and technology products that enable consumers to centralize their PC games, easily load games with their proprietary Drop ‘n’ Play technology, purchase new games via the internet, and limit access for younger players. Companies leveraging DISCover’s technologies and services include: HP, Sony, Intel Viiv, Microsoft, Alienware, GameTap and EB Games. http://www.discoverconsole.com/

So those processes could be legitimate.

Just because you can’t always see the malware on screen, it doesn’t mean it isn’t running. I suspect that’s why there are few differences between the logs.

There appear to be a few references to Norton (comHost is running as a service, some Norton stuff is running as a BHO). It could simply be legacy stuff left behind after uninstalling “Symantec’s integrated protection junk”, but it might be worth a look/manual deletion. Especially if they’re vulnerable versions that aren’t being updated properly, but are still sitting in the browser waiting to be exploited. Does the PC catch viruses properly? i.e. can AVG detect the EICAR test string okay?

Otherwise it’s quite possibly one of those svchost.exe entries (or perhaps rundll32). Process Explorer might be more helpful to diagnose what’s going on there, as it should list the associated service(s) for each svchost.exe process and any child processes (and allow you to kill process trees). The rest of the items listed in the PDF look – at first glance – quite legitimate to me though, which is a bit annoying.
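The two-snapshot comparison Sandi describes (one list with no box, one while it bounces) and Rob's suggestion of looking at which services sit inside each svchost.exe can be scripted in PowerShell. This is an added example, not code from the blog or any commenter; the function and file names are its own choices, and it assumes an elevated session so that executable paths are readable.

```powershell
# Added example: snapshot the process list while the box is absent, snapshot again
# while it is visible, and report only the new processes, with executable path and
# company name so legitimate vendor processes (e.g. DISCover's) can be recognised.
# svchost.exe instances are expanded to the services they host.

function Save-ProcessSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Company comes from the executable's version resource; Path needs elevation for some processes
    Get-Process | Select-Object Id, ProcessName, Path, Company | Export-Clixml -Path $Path
}

function Get-HostedServices {
    # Map one svchost.exe PID to the service names running inside it
    param([Parameter(Mandatory)][int]$ProcessId)
    (Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId").Name -join ', '
}

function Compare-ProcessSnapshot {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,   # taken when no box was visible
        [Parameter(Mandatory)][string]$ActivePath      # taken while the box was bouncing
    )
    $baseline = Import-Clixml $BaselinePath
    $active   = Import-Clixml $ActivePath
    # Compare by name, as HJT logs do; '=>' marks names present only in the active snapshot
    $newNames = Compare-Object $baseline $active -Property ProcessName |
        Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty ProcessName
    $active | Where-Object { $newNames -contains $_.ProcessName } | ForEach-Object {
        [pscustomobject]@{
            ProcessName = $_.ProcessName
            Id          = $_.Id
            Path        = $_.Path
            Company     = $_.Company
            Services    = if ($_.ProcessName -eq 'svchost') { Get-HostedServices $_.Id } else { '' }
        }
    }
}

# Usage: take the baseline first, the second snapshot once the box has appeared.
# Save-ProcessSnapshot -Path "$env:TEMP\baseline.xml"
# Save-ProcessSnapshot -Path "$env:TEMP\active.xml"
# Compare-ProcessSnapshot "$env:TEMP\baseline.xml" "$env:TEMP\active.xml" | Format-Table -AutoSize
# To test a suspect the way Sandi proposes: Stop-Process -Name discstreamhub -Confirm
```

A process that appears in the comparison is only a candidate; stopping it while the box is visible and watching whether the box vanishes is the confirmation step.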



Frank Zaber- elcon10342@gmail.com

Try a Yahoo search for Computer Pranks. One of these sites pranked me, but explained the Delete button is a 4 pixel square at the top left corner of the screen (hidden by frame). Worth a shot?

FrankZ



T Man

I don’t see too much going wrong here, except I see a lot of conflicts between various software apps. I see AVG on it, but I also still see some Norton stuff, and see ZoneAlarm, SiteAdvisor, and Windows Defender. Seems a little overkill, and there may be some overlap. I know Norton is notorious for not deleting stuff, so I can see that happening. I’d clean all of this up just from a speed perspective.

I’d really like to see what is running with Autoruns from Sysinternals (now MS of course). I’d also keep a copy of Process Explorer ready to run when it appears again.

Something that hasn’t been mentioned is the monitor itself. Is this some sort of OSD control going haywire? If you go in to the OSD, do the fonts and style look the same as the bouncing box? I looked up info on that monitor, and it is an off brand with a high failure rate.



SlickRick

I agree with T-Man, that was what I was thinking. It does look a lot like a screen settings overlay. Maybe it is some sort of self starting diagnostics, or a failure of the monitor?

I think Process Explorer is your friend on this one. That and Process Monitor. I couldn’t live without them!



Hunter

I think it is legit.. might even be from these guys

http://weblogs.java.net/blog/campbell/archive/2007/02/orange_box_new.html

Or, since it is a Compaq.. they claimed to have Extreme Java technology.
Might even be part of their package installed.

maintenance and support for Compaq products
http://www1.itrc.hp.com/service/home/compaqMain.do?admit=-682735245+1173111793650+28353475

