BleepingComputer.com: Unknown Malware ... random links inserted in web page

Web pages show up on my computer with random text turned into links (bright green with double underline). These links are advertisements for products that are related to the word - the word "sports" may may be converted to a link that searches for sporting goods.

Sometimes the links "pop up" when moused over, sometimes not.

I don't know what this is. Whether it is a virus or is merely irritating, I would like to be rid of it.

Neither ESET NOD32 antivirus or the free version of Ad-aware found anything on full system scans.

See attached DDS and Ark files.

Thanks in advance for any help you can provide.

Petal

Hi,

What you are talking about is IntelliTxt.
http://en.wikipedia.org/wiki/IntelliTXT
It's on the webpages itself, not because you are infected. Many sites have IntelliTxt implemented. If I would go to the same sites where you get those advertisements, I would get them as well.
If it annoys you, just don't visit those sites which have these ads implemented.
There are ways to block them on pages though. See here:
http://www.spamchronicles.com/2007/04/01/block-intellitxt-ads/ <== for firefox
http://www.ie7pro.com/ad-blocker-intellitxt.html <== For IE (with the use of IE7 pro).
There are also some other ways/methods, just google "Block IntelliTxt" - but above 2 are the most common methods being used.
But in general, I wouldn't really bother to block them as they are harmless and only appear on the sites who have them implemented.

On another note, I see you have the Facetheme toolbar installed - or had it installed as I can't really see in your log here if the browser addon is an orphaned registry leftover or not. The FaceTheme toolbar is not recomended, so I suggest you uninstall it in case you have not uninstalled it already.
Windows Defender should have deleted it already as well though, since I know it detects it and you have Windows Defender installed.
Or you can download and install Malwarebytes since Malwarebytes also deals with this + its leftovers.

This post has been edited by miekiemoes: 17 October 2011 - 01:18 AM

Thanks a bunch for your quick response!

This thing shows up on websites where I would not expect to find it, such as Wikipedia and Bleepingcomputer.com. i.e. it shows up in my original email copied below. Does Bleepingcomputer allow IntelliTxt?

I went to Wikipedia.com and Bleepingcomputer.com on my wife's computer and neither had the links I see on my computer.

The description on Wikipedia does fit what I see on my computer, so maybe it is merely irritating. Are there other keyword advertisers that are malware? Today I am seeing pop-ups that have a picture of a man with no advertisement and a note at the top that says "text Enhance"

By the way, none of the ads are by companies I have ever heard of, which makes me think it may not be legit.

Thanks
Petal

Hi,

Yes, Bleeping computers has Ads too - you mainly see them when you're noty logged in. Once you log in, they are not there anymore.

Have you run Malwarebytes to delete the leftover related with the FaceTheme toolbar? Because some of these toolbars are responsible for implementing extra ads (Text Enhance) as well.

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  
• Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Can you also create a HijackThis log instead of a DDS log? As this is easier to delete orphaned entries if needed.

This post has been edited by miekiemoes: 18 October 2011 - 12:33 AM

See attached mbam log.

Malware bytes found some things to remove, but did not eliminate keyword ads. I don't know if it got rid of facetheme or not so I'm also running windows defender full scan right now.

I looked on bleeping computer for hijack this and could not locate it. I've had it in the past but not on this computer. Could you link a place to download, plus instructions?

Thanks again for your help
Petal

Hi,

I assume you have rebooted already?

For HijackThis,

* Download HijackThis from here:
http://www.trendmicro.com/ftp/products/hijackthis/HijackThis.exe
Place it on your desktop.
RIGHTCLICK HijackThis and select to run as administrator.
Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Also, in what browser are you mainly having this problem. Internet Explorer? Firefox, Google Chrome?

Edited to add, please update Malwarebytes (via Update, check for updates). Make sure you have at least database version 7979, because I added additional detection for this FaceTheme Plugin which will be available since database version 7979. It will also be detected as PUP.FCTPlugin.
Then post the updated Malwarebytes log in your next reply as well.

This post has been edited by miekiemoes: 18 October 2011 - 11:50 PM

Thanks for the link ....

See attached HijackThis and Malwarebytes logs. I ran HijackThis before Malwarebytes. The latter identified a bunch of files as malicious. One was Facetheme, which I thought I had checked to be removed. But when I looked at the attached log it shows I did not remove it. There is one it shows as removed - I don't know if I inadvertently picked it instead of Facetheme, or if the software automatically removed it. Should I remove them all?

Your question about which browser I was using prompted me to try a different one. I use Google Chrome which still exhibits the problem (sampled two websites). Then I tried Internet Explorer (same two websites) which does not exhibit the problem!!

Several of the files Malwarebytes identified as malicious are Chrome extensions - maybe they are infected?

See attached HijackThis and Malwarebytes logs.

Thanks a lot for your help

Petal

Hi,

Yes, looks like Malwarebytes found the responsible files. Please run Malwarebytes again and this time, select/check the entries in Malwarebytes it has found - then click to remove.
That should solve your problem with Chrome. Let me know afterwards

Looks like I'm clear .... no more random links!!!!

THANK YOU so much for your help

Petal

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.