Thursday, December 13, 2012

Recommended for you popup

Had this malware infection recently. The user gets an ad in the lower left corner of Internet Explorer. Funny thing is, when installing Firefox instead, the issue was the same!

Symptoms:

  • Ad shows in the lower left corner; it may or may not be using Flash.
  • Sometimes clicking a link redirects to a completely different page.

Actions:

  • Malwarebytes found malware and cleaned it out. It kept coming back. Ran it and rebooted 3 times, Quick and Full scans. No fix seemed to do any good.
  • Ran RogueKiller, which did nothing for the problem.
  • Checked for unknown processes with Process Explorer.
  • Checked all Internet Explorer add-ins using Sysinternals Autoruns.

I finally found that the hosts file had been tampered with. Those sneaky bastards had put the extra lines at the bottom end of the hosts file. No edits could be done. I took ownership and removed write-protection with attrib, but I still couldn’t edit the file.

The Fix

I ran Microsoft FixIt50267, which is supposed to reset the hosts file, but this didn’t work either. Finally I created a new hosts file with the standard content and copied it over the original location. This solved the problem. No more malware ads while surfing.

Final thoughts

The following lines were added to the hosts file:

87.236.195.128 www.google-analytics.com.

87.236.195.128 ad-emea.doubleclick.net.

87.236.195.128 www.statcounter.com.

87.236.195.128 connect.facebook.net.

93.115.241.27 www.google-analytics.com.

93.115.241.27 ad-emea.doubleclick.net.

93.115.241.27 www.statcounter.com.

93.115.241.27 connect.facebook.net.

What they probably do is redirect “real ads” to malware ad servers instead. The tricky part is that this isn’t something the malware scanners, Autoruns or Process Explorer will pick up, since it isn’t malware causing it, just a few extra lines in the hosts file.
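As an added example (not part of the original post): a small Python check that parses hosts-file content and lists every entry pointing a name at a non-loopback address, with line numbers so entries placed at the bottom of the file are not missed. The function names and the constructed sample lines are assumptions for illustration; the four routable entries in the sample are taken from the lines quoted above.

```python
import ipaddress
import os

# Sample input. The four routable entries are quoted from the post; the
# comment, localhost and 0.0.0.0 lines are constructed for illustration.
SAMPLE_HOSTS = """\
# constructed header comment
127.0.0.1       localhost
0.0.0.0         ads.example.test   # constructed sinkhole entry

87.236.195.128 www.google-analytics.com.
87.236.195.128 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.
"""


def parse_hosts(text):
    """Yield (line_no, ip, name) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:  # one line may carry several aliases
            # "host.example." and "host.example" are the same name
            yield line_no, ip, name.rstrip(".").lower()


def audit_hosts(text):
    """Return (line_no, ip, name) for entries that override DNS.

    Loopback and unspecified targets only block a name locally, so they are
    skipped; every other address sends traffic for that name elsewhere.
    """
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text)
            if not (ip.is_loopback or ip.is_unspecified)]


if __name__ == "__main__":
    # Standard Windows hosts location; falls back to the sample elsewhere.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    text = SAMPLE_HOSTS
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for line_no, ip, name in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip}")
```

Any finding still needs a human decision: entries for internal servers on private addresses are legitimate on some machines, while well-known public names mapped to unfamiliar routable addresses are not.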


References:

http://forums.malwarebytes.org/index.php?showtopic=116126

http://support.microsoft.com/kb/972034
