Wolfreak
2006-03-26, 19:16
I'm not going to post the name of the software, since I don't want it showing up in a search if it turns out to be clean, or a glitch, as it didn't show up in any searches I did as being adware. If someone would like to verify my results (and hopefully add them to a definitions release) please email me.
I downloaded video repair software from several places and noticed a little while afterward that the current window I was working in would lose focus. If I hit alt-tab without clicking back on a window, there would be an IE window with an .ru address. Switching to that window, or hitting alt-tab again would make the entry disappear. My default browser is Firefox. If I typed the addresses shown in alt-tab, they usually redirected me to some other .ru site, or gave an error, though if I looked in the browser's cache, I'd find that the site had been accessed, and it existed in my IE history. One in particular pointed to a text file, which just contained a link to one of the packages of video repair software I had tried using. I remember specifically only downloading one package from an .ru site, as I was concerned about where it was coming from (Russia), but a search with Google didn't turn up any suggestion of it being adware.
At this point I tried Hijack This, Ad Aware, Spybot SD, Rootkit Revealer, and sfc to remove it, but to no avail. A new account on my system didn't have the same behaviour, so I searched as thoroughly as I could through my account's directories, but except for a few suspicious JavaScript files couldn't find anything blatantly obvious.
Finally I downloaded Total Uninstall 3 to track changes, reinstalled the offending video repair software package (which on inspection of the log contained a file named iexplorer.exe, but that didn't match the one my system was using...), then used Total Uninstall to remove it, and since then, no more entries in the IE history, and no more losing window focus. I've removed a lot of adware from people's systems, but this one really had me stumped! Usually I don't bother to report the stuff I find on other people's machines, however this one really seems worthy of reporting and investigation as a lot of people could be infecting themselves with no warnings posted whatsoever.