-
July 18th, 2010, 08:57 AM
#1
Asklots.com and Bing
I'm rusty and looking for answers - not links. Our family-room computer got infected with SecurityTools and after getting rid of it (or so I thought) my wife gets unprompted popups for Asklots.com. Odd thing is, when she now does Google searches and clicks on a link she gets redirected to this Asklots.com, but when she clicks back or double-clicks back on the browser to back out of the suspect site she's redirected to Bing.
I thought I'd looked in all the possible places for this little stinker. Anyone else run into this? Any solutions from the VDr faithful?
-
July 18th, 2010, 11:10 AM
#2
-
July 18th, 2010, 12:28 PM
#3
-
July 18th, 2010, 03:41 PM
#4
Where did you look? If I knew where all you looked I might be able to suggest some place else.
-
July 18th, 2010, 07:04 PM
#5
All Local Settings and Application Data folders in all users; NetHood and PrintHood hiding places; Program Files (any folder/program I don't know well); Favorites and Bookmark folders; Documents and subfolders.
-
July 18th, 2010, 08:25 PM
#6
Did you search the registry? Or the computer for Asklots? Did you dump system restore points?
I would also do a Hijackthis log, that should show where this thing is hiding, too.
-
July 19th, 2010, 12:16 AM
#7
Done, done and done and it eludes HJT. Its effects show up, but they change on each boot so it's not readily evident that the same source is responsible for everything.
I did follow a tip from the MajorGeeks forum, which said this thing hides inside routers and to reset the router. I went one step better and reinstalled the router firmware and the thing was disabled enough for me to get a handle on cleaning it out. More details as I find it all.
-
July 19th, 2010, 10:51 AM
#8
Worth noting is that our malware experts have lately started changing the recommended scanners to troubleshoot infections.
DDS is preferred over hijackthis and superantispyware is not as popular. There are also some new scanners that I'm not that familiar with.
In any case you might want to start a new thread in the intensive care forum if the infection doesn't want to go away.
-
July 19th, 2010, 11:02 AM
#9
As some of you may already have seen, it infected our email address book and sent out "love notes" to all and sundry. Anyone know offhand the file extension for a Hotmail address book?
-
July 19th, 2010, 11:33 AM
#10
I didn't think the Hotmail address book was resident on the PC. I assumed it only loaded within the browser and would only be present in the TIF.
You could open the Hotmail address book and then have a look at the source page to see more details of it though.
Having said that it probably didn't infect the address book so much as use its contents.
-
July 19th, 2010, 11:54 AM
#11
Further investigation shows you're right, amigo. Even the attachments weren't resident, but URL download links from 65dot55dot39dot119. Tracked that down to Bellevue, WA (kinda funny, right around the corner from Redmond) and couldn't go further. It seems to have been isolated.
-
July 19th, 2010, 02:52 PM
#12
 Originally Posted by fink
DDS is preferred over hijackthis and superantispyware is not as popular. There are also some new scanners that I'm not that familiar with.
I've been watching this with interest. What's DDS?
Win7 Ult/ 3.40 GHZ Intel Core i5-3570K /ASRock mobo Z77 Pro4 /SSD/ EUFI MS 3400 MHZ/8 GB RAM; Win 7 Ult/Verizon FIOS wired network
Waterfox Classic/Chrome / Firefox 115esr
--------------------------------------------------------------------------------
"The medium is the message." - Marshall McLuhan
-
July 19th, 2010, 03:13 PM
#13
It's one of a handful of pseudo-HJT analyzers out there being used to diagnose and disinfect computers. OTL is another one, which I just used. (Had nothing to lose, since I was prepared to reinstall XP over itself if I had to.) HJT seems to have reached the point of arrested development, and I was pleasantly surprised at how much more comprehensive OTL is.
As with HJT, unless you're familiar with reading the results - or extremely adventurous and don't mind bricking your OS with a wrong move! - it's advised you follow instructions from an experienced user at a reputable forum.
-
July 19th, 2010, 03:13 PM
#14
It's a program very similar to Hijackthis but comes from a different source.
http://download.bleepingcomputer.com/sUBs/dds.scr
Hijackthis, like many scanners, especially those that have been taken over from their original developers, hasn't quite kept up with the malware that's constantly being written faster than its upgrades.