2 years, 12 months ago
Steps to eliminate browser hijacking adware?
My wife recently encountered what appears to be a new piece of adware.
She got a message via her Facebook account from someone among her friends saying she needed to update her Adobe Flash player to view certain content, and not expecting anything bad she clicked. Thing is, the update wasn't Flash but turned out to be related to a family of malware dubbed "Adware-Memwatcher".
This appears to hang out in memory (both IE 8 and the latest Firefox are affected), and when you query a search engine (Google, Ask, etc), clicking any of the returned links will cause it to hijack the session and divert you first to the domain "wa-search.com", and then to various advertising links which may also include popups.
The latest Trend Micro appeared to recognize parts of it but wasn't able to remove it, and the "fix" clobbered winsock, requiring me to run a fix from Microsoft to be able to browse again (that fix described at this link: http://support.microsoft.com/kb/811259). I scanned using Malwarebytes and SpyBot with the latest available definitions, but no traces were found. Also tried a product SUPERAntiSpyware and a product Browser Hijack Recover, to no avail.
Assuming this is a brand new variant which these scanners can't recognize, I'm hoping someone can help me determine how to remove this adware's hooks into the system, so that I can track it down manually and remove it. Running Windows XP with service pack 2 installed, IE8 and Firefox 3.0.9 browsers.
She got a message via her Facebook account from someone among her friends saying she needed to update her Adobe Flash player to view certain content, and not expecting anything bad she clicked. Thing is, the update wasn't Flash but turned out to be related to a family of malware dubbed "Adware-Memwatcher".
This appears to hang out in memory (both IE 8 and the latest Firefox are affected), and when you query a search engine (Google, Ask, etc), clicking any of the returned links will cause it to hijack the session and divert you first to the domain "wa-search.com", and then to various advertising links which may also include popups.
The latest Trend Micro appeared to recognize parts of it but wasn't able to remove it, and the "fix" clobbered winsock, requiring me to run a fix from Microsoft to be able to browse again (that fix described at this link: http://support.microsoft.com/kb/811259). I scanned using Malwarebytes and SpyBot with the latest available definitions, but no traces were found. Also tried a product SUPERAntiSpyware and a product Browser Hijack Recover, to no avail.
Assuming this is a brand new variant which these scanners can't recognize, I'm hoping someone can help me determine how to remove this adware's hooks into the system, so that I can track it down manually and remove it. Running Windows XP with service pack 2 installed, IE8 and Firefox 3.0.9 browsers.
Separate topics with commas, or by pressing return. Use the delete or backspace key to edit or remove existing topics.
You can leave an optional "tip" with Mahalo's virtual currency, Mahalo Dollars. If you are asking a difficult question that might require some research, or if you'd like a wide variety of feedback, a higher tip often leads to more answers to your question.
M$
I'm not sure I like the looks of that scanner. There are a couple of well-known free products that might be better like AVG or Avast Home Edition. Also, once you have malware on your system these days, its hard to ever trust it again. If your malware installed what is known as a rootkit (http://en.wikipedia.org/wiki/Rootkit) it might be able to effectively hide itself even from virus scanners. The only way I would really trust this computer again is to do this:
1. Boot from a cd like an OS install cd, export all the important files to another location.
2. Scan them with a well-known tool to make sure they're clean.
3. Reformat the hard drive of the infected machine and reinstall the operating system.
I know this sounds over-the-top. However, if this machine has additional spyware or a keylogger on it that you still don't know about, it could become a serious inconvenience by sending important personal information to a third party.