Symptoms
Unexplained popups even after all steps in the following FAQ come up "clean": »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
No apparent signs in a HijackThis log.
No entries visible under "Device Manager" or "Network Places".
This pest is adware that is hidden by a rootkit. It produces various popups from a number of advertisers, all originating from adchannel.contextplus.net
The best way to tell if you've got it is to run this diagnostic tool: Rootkit Revealer (free tool).
1) Download Rootkit Revealer: »technet.microsoft.com/en-us/sysi···445.aspx
2) Unzip it to your desktop.
3) Open the rootkitrevealer folder and double-click rootkitrevealer.exe
4) Click the Scan button (bottom right). It may take a while to scan (don't do anything while it's running).
5) When it's done, go up to File > Save. Choose to save it to your desktop. We may need to request a copy of it later.
If you see 200-300 or so entries that are similar to the following, you can try running the AproposFix posted further down.
Sample entries from a RootkitRevealer log showing an Apropos infection: there is a randomly named folder in the Program Files folder, containing file names like those in the example below. The ace.dll file is frequently seen as well.
quote:
C:\Program Files\Holt_old    13/11/2005 17:37    0 bytes    Hidden from Windows API.
(Note: Random Named Folder in Program Files)
C:\Program Files\Holt_old\ace.dll    26/10/2005 15:46    568.00 KB    Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log    07/11/2005 00:00    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log    08/11/2005 00:00    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\AI_09-11-2005.log    09/11/2005 00:00    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\AI_10-11-2005.log    10/11/2005 00:00    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\AI_11-11-2005.log    11/11/2005 00:05    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\AI_12-11-2005.log    12/11/2005 00:00    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\AI_13-11-2005.log    13/11/2005 00:00    3 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\Cache    13/11/2005 17:58    0 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b    07/11/2005 00:20    3.81 KB    Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436fd078_000ec82e    07/11/2005 17:08    5.38 KB    Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435febb3_0007270e    26/10/2005 15:48    2 bytes    Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435fed33_0002dc6c    13/11/2005 19:07    3.54 KB    Hidden from Windows API.
(etc. The log itself will be very long, with lots of entries similar to the above.)
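The check described above as a script (an added example, not part of the original FAQ or of any tool it mentions): it reads a saved RootkitRevealer log and reports Program Files folders whose hidden entries include ace.dll or AI_DD-MM-YYYY.log files. The one-entry-per-line layout with DD/MM/YYYY HH:MM timestamps, the sample lines, the ExampleApp folder and the two-log threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the entries quoted above:
# path, date and time, size, description (one entry per line).
SAMPLE_LOG = r"""
C:\Program Files\Holt_old  13/11/2005 17:37  0 bytes  Hidden from Windows API.
C:\Program Files\Holt_old\ace.dll  26/10/2005 15:46  568.00 KB  Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log  07/11/2005 00:00  3 bytes  Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log  08/11/2005 00:00  3 bytes  Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b  07/11/2005 00:20  3.81 KB  Hidden from Windows API.
C:\Program Files\ExampleApp\tmp001.dat  12/11/2005 09:15  1.20 KB  Hidden from Windows API.
HKLM\SECURITY\Policy\Secrets\SAC*  01/01/2005 10:00  0 bytes  Key name contains embedded nulls (*)
"""

ENTRY = re.compile(r"^(?P<path>.+?)\s+\d{2}/\d{2}/\d{4} \d{2}:\d{2}\s+"
                   r"[\d.]+ (?:bytes|KB|MB|GB)\s+(?P<desc>.+)$")
FOLDER = re.compile(r"^[A-Z]:\\Program Files\\([^\\]+)(?:\\(.*))?$", re.I)
DAILY_LOG = re.compile(r"^AI_\d{2}-\d{2}-\d{4}\.log$", re.I)

def suspect_folders(log_text):
    """Return {folder: counts} for Program Files folders matching the Apropos pattern."""
    stats = defaultdict(lambda: {"hidden": 0, "ace_dll": False, "daily_logs": 0, "cache": 0})
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry or "hidden from windows api" not in entry["desc"].lower():
            continue  # malformed line, or a different kind of discrepancy
        where = FOLDER.match(entry["path"])
        if not where:
            continue  # hidden, but not under Program Files
        s, rest = stats[where.group(1)], where.group(2) or ""
        s["hidden"] += 1
        parts = rest.split("\\")
        if rest.lower() == "ace.dll":
            s["ace_dll"] = True
        elif DAILY_LOG.match(rest):
            s["daily_logs"] += 1
        elif parts[0].lower() == "cache" and len(parts) > 1:
            s["cache"] += 1
    # Assumed threshold: flag folders hiding ace.dll or at least two daily AI_*.log files.
    return {f: s for f, s in stats.items() if s["ace_dll"] or s["daily_logs"] >= 2}

if __name__ == "__main__":
    for folder, counts in suspect_folders(SAMPLE_LOG).items():
        print(f"{folder}: {counts}")
```

A folder that is reported here still needs the full log reviewed by a helper; hidden entries alone, as in the ExampleApp line, are not reported.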
The Fix
Please download AproposFix from here:
»Security Cleanup FAQ »Security Clean-Up Approved White List
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder into a New Topic.
Thanks to Swandog46 for developing this fix tool :)
1/6/07 --- fixed broken link to RootkitRevealer ~lil~
by CalamityJane, edited by lilhurricane; last modified: 2008-01-06 11:18:38