Oct 3, 2007

My Laptop Was Attacked by AdsandAds.com Malware

Left: My MS-Paint recreation of the attack

I had a strange experience with a malware program that caused dozens of Internet Explorer browsers to simultaneously open. Because of the sudden explosion of browsers mushrooming on my display, I could not get all of the URL information beyond "AdsandAds.com", but there were additional components of the URL before and after this piece.

The browsers did not produce any actual ads, but posted a bunch of DNS errors. To get out of this malicious hijacking, I right-clicked on the taskbar icon for Internet Explorer, highlighted "Close Groups," and waited for my laptop to start shutting down IE.

I then opened Task Manager, looked at the current processes, and manually shut off a process I did not recognize. This had a lengthy numeric name that began with "198." I also ran msconfig and turned off all but the most essential Startup functions that I recognized, to prevent the malware from automatically restarting.

After reclaiming control of my machine, I ran my favorite malware/adware programs: SpyBot Search and Destroy and AdAware. Since that time I have not had a return of the browser-spasms, but I cannot find out anything about Adsandads.com beyond a few help-related posts from people frustrated with this hijacker. I would like to manually scan my registry and programs for any suspicious files, but I have yet to discover anything technical on the Web related to AdsandAds.com beyond some information about a monster cable.

The worst part about this piece of evil programming is that the browser-mania forced MS-PowerPoint to close on me, eating about two hours' worth of lecture prep for a class I am teaching tonight. So thanks, you conniving bastards and your malicious code featuring AdsandAds.com, for stealing two hours' worth of my unrecoverable hard work.

9 comments:

David Stewart said...

It hit me too. Running spybot now.

Mr. Schwartz said...

I wouldn't be too quick to blame adsandads.com, they could be an innocent victim of the malware.

Send an email to McAfee, Norton, and AVG and see if they are aware of this.

Incognito said...

It just hit me today too (along with a few other annoyances incl. my Symantec going wacko) and I have no idea why. I've had to uninstall Symantec and have wasted the past 2 plus hours running Trend Micro's HouseCall... I wonder if it's some kind of virus/malware.

The way it has manifested itself on my laptop is ... every time I hit the tab or a website URL, I get a search popup that says:
The following Website was not found: cpv.adsandads.com

Bloody idiots. They should be all drawn and quartered, in my humble opinion.

I doubt they are innocent victims... but I'm certainly not going to check out their website.

Lisa Renee said...

I've had that happen before, first time I thought one of the kids did something to my computer...

pjpeter said...

I had the same thing happen to me as well. It pops up every few minutes, I'm on XPSP2. It made copies of many different exe files including one of the Norton files and moved them to /bak folders and replaced the original .exes with virus copies of itself. Almost all the exe files were in my startup through msconfig, though a couple extra were replaced while others were untouched so it may have been targeting commonly used startup files rather than my files themselves - just to try to get you to run it on each Startup.

None of the tools, anti-spyware, antivirus or anything else seem able to detect it though...

pjpeter said...

C:\Program files\WinBudget was added, not something I ever installed. The /bin/matrix.dll file is adware, dealing with it now...

http://research.sunbelt-software.com/threatdisplay.aspx?name=WinBudget&threatid=123920

Hopefully this will stop all this stuff...
Peter
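
The behaviour pjpeter describes above (original .exe files moved into bak folders and replaced by copies of one program) can be checked for with a short script. This is an added example, not part of the original post or its comments; it assumes the backup sits in a folder named `bak` next to the replaced file, and the function names and the sample tree are made up for illustration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_swapped_executables(root):
    """Find .exe files that differ from a same-named copy in a sibling 'bak' folder.

    Returns (findings, clusters): findings is a list of (live, backup) paths;
    clusters maps a replacement hash to the live paths sharing it when that
    one binary sits under two or more different file names.
    """
    findings, by_hash = [], defaultdict(list)
    for bak in Path(root).rglob("*"):
        if not (bak.is_dir() and bak.name.lower() == "bak"):  # assumed folder name
            continue
        for backup in bak.iterdir():
            live = bak.parent / backup.name
            if backup.suffix.lower() != ".exe" or not (backup.is_file() and live.is_file()):
                continue
            live_hash = sha256(live)
            if live_hash != sha256(backup):  # same name, different content
                findings.append((live, backup))
                by_hash[live_hash].append(live)
    clusters = {h: paths for h, paths in by_hash.items()
                if len({p.name.lower() for p in paths}) > 1}
    return findings, clusters

def demo():
    """Run the check on a constructed tree (all names and bytes are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {  # relative path: (live bytes, backup bytes)
            "AppA/updater.exe": (b"same-stub", b"original updater"),
            "AppB/tray.exe": (b"same-stub", b"original tray"),
            "AppC/tool.exe": (b"tool v1", b"tool v1"),  # benign identical backup
        }
        for rel, (live_bytes, bak_bytes) in layout.items():
            live = root / rel
            (live.parent / "bak").mkdir(parents=True)
            live.write_bytes(live_bytes)
            (live.parent / "bak" / live.name).write_bytes(bak_bytes)
        findings, clusters = find_swapped_executables(root)
        return sorted(l.name for l, _ in findings), [len(v) for v in clusters.values()]

if __name__ == "__main__":
    print(demo())
```

A differing backup on its own can also come from an ordinary software update, so the cluster result (one hash under several unrelated file names) is the stronger signal.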

Anonymous said...

This just started happening to my computer as well...I ran SpyBot and AdWare, but still have a problem with it. Any other suggestions?
Jeff

historymike said...

A couple of additional pieces of information in the adsandads.com problem:

1. Both times when I was infected with this the malware programs yanked a file called Zonebac.d, which is a backdoor Trojan horse. I think this is the means by which the virus gets into your computer.

2. When I was hit again yesterday, it was after I had visited Napster.com. Maybe coincidence, maybe not.

3. Quantcast shows that adsandads.com started getting massive traffic in August, so this is a relatively new phenomenon.

eagre said...

This malware has hit me too in the last couple of days, first when I was accessing TVGuide. I do not use file sharing sites. It seems to be soliciting ads.

eagre