Had this malware infection recently. The user gets an ad in the lower left corner of Internet Explorer. Funny thing is, when installing Firefox instead, the issue was the same!
Symptoms:
- Ad shows in the lower left corner, can be using Flash or not.
- Sometimes clicking a link redirects to a completely different page.
Actions:
- Malwarebytes found malware, cleaned out. Kept coming back. Ran it and rebooted 3 times. Quick and Full. No fix seemed to do any good.
- Ran RogueKiller, did nothing for the problem.
- Checked unknown processes with Process Explorer
- Checked all Internet Explorer add-ins using Sysinternals Autoruns
I finally found that the hosts file had been tampered with. Those sneaky bastards had put the extra lines at the bottom end of the hosts file. No edits could be done. Took ownership, removed write-protection with attrib but still I couldn’t edit the file.
The Fix
I ran Microsoft FixIt50267, which is supposed to reset the hosts file, but this didn’t work either. Finally created a new hosts file with the standard content and copied it over the original location. This solved the problem. No more malware ads while surfing.
Final thoughts
The following lines were added to the hosts-file
87.236.195.128 www.google-analytics.com.
87.236.195.128 ad-emea.doubleclick.net.
87.236.195.128 www.statcounter.com.
87.236.195.128 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.
What they probably do is redirect “real ads” to malware ad servers instead. The tricky part is that this isn’t something the malware scanners, Autoruns or Process Explorer will pick up, since it isn’t malware causing it. Just a few extra lines in the hosts file.
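The hosts-file check that finally found the problem can be scripted. The following is an added example, not part of the original post: it lists every hosts entry that maps a name to a non-loopback address, including entries pushed far down the file. The sample input is constructed from default-style localhost lines plus four of the entries quoted above, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: default-style header and localhost lines, a run of
# blank lines, then four of the entries quoted in the post.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 40 +
    "87.236.195.128 www.google-analytics.com.\n"
    "87.236.195.128 ad-emea.doubleclick.net.\n"
    "93.115.241.27 www.statcounter.com.\n"
    "93.115.241.27 connect.facebook.net.\n"
)

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address line
        for name in fields[1:]:
            # A trailing dot (as in the post's entries) is the same name.
            yield lineno, ip, name.rstrip(".").lower()

def audit_hosts(text):
    """Return (line, ip, name) for names mapped to a non-loopback address."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        # 127.0.0.1, ::1 and 0.0.0.0 are normal or blocklist-style entries.
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((lineno, str(ip), name))
    return findings

if __name__ == "__main__":
    import os, sys
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, ip, name in audit_hosts(fh.read()):
            print(f"line {lineno}: {name} -> {ip}")
```

Any line it prints overrides DNS for that name and needs a manual look; legitimate intranet mappings will show up too.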