Thursday, December 13, 2012

Had this malware infection recently. The user gets an ad in the lower left corner of Internet Explorer. Funny thing is, when installing Firefox instead, the issue was the same!


  • Ad shows in the lower left corner, can be using Flash or not.
  • Sometimes clicking a link redirects to a completely different page.


  • Malwarebytes found malware, cleaned out. Kept coming back. Ran it and rebooted 3 times. Quick and Full. No fix seemed to do any good.
  • Ran RogueKiller, did nothing for the problem.
  • Checked unknown processes with Process Explorer
  • Checked all Internet Explorer add-ins using Sysinternals Autoruns

I finally found that the hosts file had been tampered with. Those sneaky bastards had put the extra lines at the bottom of the hosts file. No edits could be done. Took ownership, removed write-protection with attrib, but still I couldn’t edit the file.

The Fix

I ran Microsoft FixIt50267, which is supposed to reset the hosts file, but this didn’t work either. Finally created a new hosts file with the standard content and copied it over the original location. This solved the problem. No more malware ads while surfing.

Final thoughts

The following lines were added to the hosts file

What they probably do is redirect “real ads” to malware ad servers instead. The tricky part is that this isn’t something the malware scanners, Autoruns or Process Explorer will pick up, since it isn’t malware causing it. Just a few extra lines in the hosts file.
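
A check for the situation described above, as an added example that is not part of the original post: it lists every active hosts-file mapping other than localhost, with its line number, so entries hidden at the bottom stand out. The sample content, addresses and domain names are constructed, and the default path assumes a standard Windows install.

```python
import ipaddress
import os
import sys

# Default location on Windows; pass another path as argv[1] to audit a copy.
DEFAULT_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")

def audit_hosts(text):
    """Return (line_no, address, name, verdict) for each active mapping
    that is not a plain localhost-to-loopback entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "unparseable address"))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue                        # the only mapping a stock file needs
            verdict = "blocked locally" if local else "redirected to another server"
            findings.append((line_no, address, name, verdict))
    return findings

# Constructed sample: comment header, a long run of blank lines, then injected
# entries at the very bottom (documentation addresses and example domains).
SAMPLE = ("# Sample hosts file\n"
          "#\t127.0.0.1       localhost\n"
          "#\t::1             localhost\n"
          + "\n" * 40 +
          "203.0.113.10 ads.example.com\n"
          "203.0.113.10 ad.example.net tracker.example.net\n"
          "0.0.0.0 telemetry.example.org\n")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    text = SAMPLE
    if os.path.exists(path):
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
        # On Windows, W_OK only reflects the read-only attribute, not ACLs.
        print(f"{path} (writable flag: {os.access(path, os.W_OK)})")
    for line_no, address, name, verdict in audit_hosts(text):
        print(f"  line {line_no}: {name} -> {address} [{verdict}]")
```

Entries marked "redirected to another server" match the behaviour described in the post; "blocked locally" entries are often deliberate blocklists and need a human decision.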



