Just solved a v. stubborn malware infestation case. Some might find it of interest.
The situation: when the user went to websites selling stuff, such as SportsAuthority.com, popup ads appeared relentlessly, with links to similar items at other websites.
The computer had been scoured with my usual array of best-of-breed malware cleanup tools. The browsers had been cleansed of extensions and add-ons. The registry and temp file locations had been bleached clean. And that process was repeated many times.
And yet the popups wouldn't go away. Hmmmm ......
Happily, the malware author[s] proudly put a little note at the bottom of some of the popups: "provided by offers4u". Ego, the living planet, oh how you are my unwitting ally in these battles !!
Okay. Google that sucker: "offers4u malware removal". Lots of pages showed up, purporting to show how to easily remove the threat. But they all just repeated the steps I'd already taken.
Except for one. It mentioned setting the computer's network adapter DNS settings back to a known safe spot, the Google public DNS servers at 18.104.22.168 and 22.214.171.124.
I examined the network connection for the computer. Aha !! The DNS settings had indeed been changed, to 126.96.36.199 and 188.8.131.52. I set them back to those safe and speedy Google DNS settings, and the popups disappeared.
Fascinating, as Spock might opine. I'd not encountered this attack strategy previously. And neither had the authors of my array of best-of-breed cleanup tools, by demonstration, as they'd failed to find and fix it.
Coda: I went and googled those malicious DNS settings. And it turned out that indeed they are used to inject all sorts of nastiness into browsers. One more item to add to my standard cleanup protocol.
Happy to share this. The things one sees and learns fighting the good fight !!
Edited by Stanley_Krute, 07 June 2015 - 05:26 AM.
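One way to build the DNS check described in the post into a cleanup routine, as an added example that is not part of the original post: it lists every adapter's IPv4 DNS servers and flags any that are not on an approved list. The function name `Find-UnexpectedDns` and the addresses in `$Approved` are assumptions (constructed placeholders from the documentation ranges); substitute the resolvers you actually trust, including the router address if DHCP hands that out.

```powershell
# Added example: audit per-adapter DNS resolvers against an approved list.
# $Approved holds CONSTRUCTED placeholder addresses, not real resolvers.
$Approved = @('192.0.2.53', '192.0.2.54')

function Find-UnexpectedDns {
    param(
        # Objects exposing InterfaceAlias and ServerAddresses properties.
        [Parameter(Mandatory)] [object[]] $Adapters,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    foreach ($a in $Adapters) {
        foreach ($s in @($a.ServerAddresses)) {
            # Skip empty entries; report anything not explicitly approved.
            if ($s -and ($Approved -notcontains $s)) {
                [pscustomobject]@{
                    InterfaceAlias = $a.InterfaceAlias
                    DnsServer      = $s
                }
            }
        }
    }
}

if (Get-Command Get-DnsClientServerAddress -ErrorAction SilentlyContinue) {
    # Live data (cmdlet ships with Windows 8 / Server 2012 and later).
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4
} else {
    # Constructed sample so the comparison logic can be exercised anywhere.
    $adapters = @(
        [pscustomobject]@{ InterfaceAlias = 'Ethernet'; ServerAddresses = @('192.0.2.53', '192.0.2.54') }
        [pscustomobject]@{ InterfaceAlias = 'Wi-Fi';    ServerAddresses = @('198.51.100.7', '192.0.2.53') }
    )
}

$findings = @(Find-UnexpectedDns -Adapters $adapters -Approved $Approved)
if ($findings.Count -eq 0) {
    'All adapters use approved DNS resolvers.'
} else {
    # With the constructed sample this lists Wi-Fi / 198.51.100.7.
    $findings | Format-Table -AutoSize
}
```

A flagged adapter can be returned to its DHCP-assigned resolvers with `Set-DnsClientServerAddress -InterfaceAlias <name> -ResetServerAddresses`, or pointed at specific servers with `-ServerAddresses`.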