[PROBLEM]
- Browser displays ad-popups no matter which site opened.
- notepad.exe closes automatically after a few seconds.
- AdAware finds MalWare entries, but symptoms reappear after removal.
[SOLUTION]
This adware produces 3 different kinds of files in the subfolders
of the windows directory, all of them marked "hidden":
- *.exe, or *32.exe with size 26.624 kBytes
- ?????.dll with size 71.168 kBytes
- *.exe, or *32.exe with size 9.216 kBytes
There will be multiple copies of those 3 kinds, but they cannot be deleted, because they're running processes which cannot be killed.
The system needs to be restarted in Safe Mode ("Abgesicherter Modus" on a German Windows) to be able to delete all those files. After deleting ALL the files, try to run AdAware AGAIN to remove all possible leftovers.
Good Luck!
(filenames found on our system:
ipib32.exe, d3up32.exe, ipnr.exe, javamx32.exe, mfcgo.exe, mfcnh32.exe, d3wk32.exe, javaef32.exe, netao32.exe, netky32.exe)
Browser Hijack 1
not that easy...
Sorry, but it seems that this bastard is not THAT easy to remove:
- look for *.dat files in your windows directory with the following sizes:
2.814 kBytes
11.388 kBytes
~89 kBytes (size varies)
...even after deleting ALL those files, this pain in the ass still re-appears after reboot!
familiar?
http://www3.ca.com/securityadvisor/viru ... x?id=39520
Looks pretty familiar to me, although they're listing far more files than I've found - but maybe this helps (finally)?
got rid of it
Seems like I got rid of this evil little menace, but I took some valuable information with me:
1) it seems to be a variant of "Win32.Winshow.N"
2) some files have different filesizes (e.g. 9786, 9788,...)
3) all executables are compressed, so only parts of strings can be identified.
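
An added example, not part of the original posts: a read-only triage script that walks a directory tree and lists files fitting the patterns reported in this thread. It assumes the dotted sizes are byte counts (26.624 = 26,624 bytes) and that the 9786/9788-byte files are variants of the 9,216-byte executable; the 1 KiB tolerance and the 85-93 KiB window for the "~89 kBytes" file are assumptions as well.

```python
import os

HIDDEN = 0x2  # Windows FILE_ATTRIBUTE_HIDDEN bit in st_file_attributes

# Sizes from the thread, read as byte counts (assumption: "26.624" = 26,624 bytes).
EXE_SIZES = (26624, 9216)
DLL_SIZES = (71168,)
DAT_SIZES = (2814, 11388)
DAT_RANGE = (85 * 1024, 93 * 1024)  # "~89 kBytes (size varies)"; window is assumed
SLACK = 1024  # assumed tolerance, wide enough for the 9786/9788-byte variants


def near(size, wanted):
    return any(abs(size - w) <= SLACK for w in wanted)


def classify(name, size, hidden):
    """Return why a file fits a pattern from the thread, or None if it does not."""
    stem, ext = os.path.splitext(name.lower())
    if ext == ".exe" and hidden and near(size, EXE_SIZES):
        return "hidden .exe near 26,624 or 9,216 bytes"
    if ext == ".dll" and hidden and len(stem) == 5 and near(size, DLL_SIZES):
        return "hidden five-character .dll near 71,168 bytes"
    if ext == ".dat" and (size in DAT_SIZES or DAT_RANGE[0] <= size <= DAT_RANGE[1]):
        return ".dat with a listed size"
    return None


def scan(root, require_hidden=True):
    """Walk root and return (path, size, reason) candidates; nothing is deleted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip it
            # st_file_attributes exists only on Windows; elsewhere treat as not hidden
            hidden = bool(getattr(st, "st_file_attributes", 0) & HIDDEN)
            reason = classify(name, st.st_size, hidden or not require_hidden)
            if reason:
                hits.append((path, st.st_size, reason))
    return hits


if __name__ == "__main__":
    for path, size, reason in scan(os.environ.get("WINDIR", r"C:\Windows")):
        print(f"{size:>8}  {path}  ({reason})")
```

Hits are candidates for manual review only, since legitimate files can share these sizes.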