AddeYaw Malware - how to remove


7 replies to this topic

#1 kevincol

  • Members
  • 6 posts

Posted 16 April 2012 - 10:43 AM

My computer has an irritating virus that causes a "recommended for you" icon to appear on all my searches. There is no info about where this "recommendation" is coming from, but I am able to copy the source code which includes a reference to Google Analytics.

I'm on Windows 7 64bit with the latest updates.

<div id="0.8347876411422958" style="cursor: pointer; position: fixed; right: 0pt; width: 200px; border: 2px solid black; background-color: white; text-align: center; padding: 5px; bottom: 2px; display: none;"><div onclick="kdfjunfldi_minimizeBanner();" style="background: url("http://www.google-analytics.com/img/close-btn.png") no-repeat scroll 1px 1px transparent; position: absolute; top: -17px; right: 0pt; height: 13px; width: 13px; margin: 0pt; padding: 0pt;"></div><div onclick="kdfjunfldi_goByBanner();" style="margin: 0pt; padding: 0pt;"><h5 style="font-size: 10px; font-weight: normal; margin: -5px 0pt; padding-bottom: 5px; text-align: right;">Sponsored ads</h5><h1 style="font-size: 24px; border-bottom: 2px dotted blue;"><a style="font-size: 24px; line-height: 24px; color: black; text-decoration: underline;" onclick="return false;" class="addeyaw" href="#">Find Apartments for Rent Today</a></h1><br><p style="font-size: 16px;">Browse 1000's of Apartments for Rent and Find the Perfect Apartment Today!</p></div></div>


It modified the HOSTS file on your computer and then added the following malicious entries:

149.5.18.172 www.google-analytics.com.
149.5.18.172 ad-emea.doubleclick.net.
149.5.18.172 www.statcounter.com.
108.163.215.51 www.google-analytics.com.
108.163.215.51 ad-emea.doubleclick.net.
108.163.215.51 www.statcounter.com.

Here's the deal: It's using the HOSTS file to have legitimate sites (which make use of Analytics, as well as other services) to attack the computer. These sites request legitimate files from Google (or elsewhere). However, these requests are redirected by the bogus HOSTS file. Evil files are served in their place.

In my case, the original malware also had changed permissions. I can't delete it as it has some special ownership privilege on the file.
Below is some of the HTML from the "ad" that this pops up in all my browsers.

<div style="z-index: 9999; cursor: pointer; position: fixed ! important; right: 0pt; width: 200px; border: 2px solid black; text-align: center; padding: 5px; margin: 0pt; background: url("http://www.google-analytics.com/img/girls/14.jpg") no-repeat scroll 1px 1px white; bottom: 0px;" id="0.44588109107389806"><div style="background: url(http://www.google-analytics.com/img/close-btn.png) no-repeat 1px 1px transparent; position: absolute;top:-17px;right: 0;height: 13px;width: 13px;margin:0;padding:0;" onclick="kdfjunfldi_minimizeBanner();"></div><div style="margin:0;padding: 0;" onclick="kdfjunfldi_goByBanner();"><h2 style="color: black;width:150px;height:50px;overflow: hidden;margin-left: 50px;margin-top:0;margin-bottom: 2px;"><a href="#" class="addeyaw" onclick="return false;" style="color: black;font-size: 14px;text-decoration: underline;line-height: 1;">Dvd Information</a></h2><p style="font-size: 12px;margin:0; padding:0;max-height: 50px;width:200px;overflow: hidden;color:black;line-height: 1;">Same Day DVD Insert Printing. Order by 10AM PST, Ships Today!</p></div></div></div>

Does anyone have any idea how to get rid of this? I can't figure out how to get rid of the HOSTS file to have a clean one on my machine.

Edited by kevincol, 16 April 2012 - 10:45 AM.
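The hijack quoted above works by pointing hosts that nearly every web page embeds (analytics and ad-network servers) at addresses the attacker controls, so the browser fetches the attacker's script in place of the legitimate one. The PowerShell below is an added example, not code from this thread: it parses a constructed hosts-file sample modelled on the quoted entries, flags every hostname mapped to anything other than a loopback or unspecified address, and reports the attributes and owner of the live file, which is what showed the poster the file had been locked down. It also reads the DataBasePath registry value, since the resolver loads the hosts file from the directory that value names. The function names are mine.

```powershell
# Added example, not code from the thread: audit a Windows hosts file for
# hijacked entries. It runs against the constructed sample below so it works
# offline; the commented lines at the end show how to run it on the live file.

# Constructed sample modelled on the entries quoted in the post.
$SampleHosts = @"
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
149.5.18.172 www.google-analytics.com.
149.5.18.172 ad-emea.doubleclick.net.
108.163.215.51 www.statcounter.com.
"@

function Get-SuspiciousHostsEntries {
    param([Parameter(Mandatory)][string[]]$Lines)

    # A clean hosts file maps names only to loopback or the unspecified address
    # (the latter is how ad-blocking hosts lists work). Anything else is suspect.
    $benignTargets = @('127.0.0.1', '::1', '0.0.0.0')

    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()      # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        if ($benignTargets -contains $address) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # The quoted entries carry a trailing dot ("www.google-analytics.com.");
            # normalise it so the name compares equal to the form a page requests.
            [pscustomobject]@{
                Hostname = $name.TrimEnd('.').ToLowerInvariant()
                Address  = $address
                Reason   = 'mapped to a non-loopback address'
            }
        }
    }
}

function Get-HostsFileState {
    # The resolver reads the hosts file from the directory named in DataBasePath,
    # so report that location too in case it has been pointed somewhere else.
    $dbPath = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DataBasePath
    $path = Join-Path ([Environment]::ExpandEnvironmentVariables($dbPath)) 'hosts'
    $item = Get-Item -LiteralPath $path -Force      # -Force shows hidden/system files
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes.ToString()    # look for Hidden, System, ReadOnly
        Owner      = (Get-Acl -LiteralPath $path).Owner
        Modified   = $item.LastWriteTime
    }
}

# Audit the constructed sample; expect three hits.
Get-SuspiciousHostsEntries -Lines ($SampleHosts -split "`r?`n") | Format-Table -AutoSize

# On a live machine (reading the file needs no elevation):
# Get-HostsFileState
# Get-SuspiciousHostsEntries -Lines (Get-Content -LiteralPath (Get-HostsFileState).Path -Force)
```

An owner other than Administrators or TrustedInstaller, or the Hidden and System attributes on this file, is itself a finding even when no entries are flagged, because a clean Windows install never sets them on the hosts file.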




#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 16 April 2012 - 10:51 AM

Before cleaning your hosts file, let's make sure the PC is clean.

Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).


Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

#3 kevincol
  • Topic Starter

  • Members
  • 6 posts

Posted 16 April 2012 - 01:25 PM

<<
Please download GMER from here(doesnot work on 64 bit OS)
>>

I have 64bit OS. Just do the other steps?

#4 kevincol
  • Topic Starter

  • Members
  • 6 posts

Posted 16 April 2012 - 01:30 PM

<<
Launch it.Click on change parameters-Select TDLFS file system

Click on "Scan".Please post the LOG report(log file should be in your C drive)
>>

I did this and it says there are no rootkits.

I have System Center 2012 AV SW installed and have done a full scan on the HDD and nothing is reported.

I also downloaded Norton's AV SW and it said nothing is on the system.

So, the only thing I can detect is that my HOSTS file is mucked with and I can't get the rights on the file to delete it.

#5 Reegun Richard J

  • Members
  • 7 posts
  • Gender:Male

Posted 16 April 2012 - 03:37 PM

* Run a decent MBAM scan: Malwarebytes download
* Replace the Hosts file from this link: Hosts reset
* Reset IE: Resetting IE help
* Clear temp files: cmd -> %temp%, delete all
* Reboot and check

#6 kevincol
  • Topic Starter

  • Members
  • 6 posts

Posted 16 April 2012 - 07:08 PM

<<*Replace Hosts file from this link Hosts reset>>

That doesn't work as the malware has put -h -s -r attributes on the file and even as administrator I cannot remove/change those rights. Thus the program that resets the hosts file doesn't work either as it doesn't have access.

#7 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 16 April 2012 - 08:52 PM

Ignore GMER and run aswMBR; I still need your logs.

good luck

#8 kevincol
  • Topic Starter

  • Members
  • 6 posts

Posted 18 April 2012 - 11:24 AM

Finally got rid of the modified and locked down HOSTS file.

http://wangpidong.blogspot.com/2010/06/how-to-delete-files-without-permission.html

I had to do it in SAFE mode.

Stinking thing is gone now!
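The poster's fix was the Safe Mode procedure in the linked article. As an added example, and not the thread's own method, here is the same job done from an elevated PowerShell prompt on Windows 7 and later: take ownership of the file (the poster could not delete it even as administrator because ownership had been changed), grant Administrators full control, clear the -h -s -r attributes described in post #6, keep a copy of the hijacked file for analysis, write a clean one, and flush the resolver cache. The function name, the backup location and the default content are mine; the Administrators group is addressed by its well-known SID so the script does not depend on the display language.

```powershell
# Added example, not the thread's method: reclaim a hosts file that malware has
# re-owned and marked hidden/system/read-only, then restore a clean copy.
# Run from an elevated prompt. Safe Mode helps if something is still
# re-locking the file between steps.

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$BackupPath = "$env:TEMP\hosts.hijacked.$(Get-Date -Format yyyyMMddHHmmss).bak"

# Comment-only default; Windows 7 and later resolve localhost without an entry.
$DefaultHosts = @"
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# Restored after a hosts-file hijack.
"@

function Restore-HostsFile {
    param(
        [string]$Path = $HostsPath,
        [string]$Backup = $BackupPath,
        [string]$Content = $DefaultHosts
    )

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    # 1. Take ownership for the Administrators group (/A) and grant it full
    #    control by SID (S-1-5-32-544 is BUILTIN\Administrators on every locale).
    #    Both tools ship with Windows and work even when the current ACL denies access.
    & takeown.exe /F $Path /A | Out-Null
    & icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null

    # 2. Clear the hidden, system and read-only attributes the malware set.
    & attrib.exe -H -S -R $Path

    # 3. Keep the hijacked file for analysis, then write the clean content.
    Copy-Item -LiteralPath $Path -Destination $Backup -Force
    Set-Content -LiteralPath $Path -Value $Content -Encoding ASCII

    # 4. Make the new file read-only again (a casual re-edit now fails loudly)
    #    and flush the resolver cache so the stale mappings stop immediately.
    & attrib.exe +R $Path
    & ipconfig.exe /flushdns | Out-Null

    [pscustomobject]@{
        Restored = $Path
        Backup   = $Backup
        Owner    = (Get-Acl -LiteralPath $Path).Owner
    }
}

Restore-HostsFile
```

Replacing the file removes the symptom only. If the dropper that wrote it is still on the machine the entries will come back, which is why the advisor earlier in the thread asked for the TDSSKiller and aswMBR logs before touching the hosts file.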



