4 Replies Latest reply on Oct 18, 2012 11:43 AM by Hayton

    Doublee click.net

      I don't know if it's a bad cookie or virus but I'm occasionally having an issue being re-routed when I click on a web site by something called "Doubleeclick.net" ( not double - "doublee"). I've run several virus scans and nothing. I've down loaded stinger and root and it still happens occasionally. I've cleared my cookies routinely. In my opinion it's some sort of virus or malware. I find it annoying that it's the second time in 6 or 7 months I've gotten a virus and McAfee hasn't caught it. The first time I paid for them to clean it out. This time I'm not looking to... Does anyone have a tip? I did a search ( nothing found on this site) and it did come up. Any help would be appreciated.

        • 1. Re: Doublee click.net
          Peter M

          Moved to Malware Discussions.

           

          1st thing to try is to use System Restore to go back to before it happened but if successful don't forget to update everything right afterwards.

           

          If that doesn't work, try rebooting to "Safe Mode with Networking" by tapping F8 repeatedly while booting up.

           

          It's usually the second choice on the menu after Safe Mode.

           

          In that mode download Malwarebytes Free, linked in my signature's last link, update it and run it, all in that mode.  That should get rid of it.

           

          Repeat the scan in regular mode just to be sure.

          • 2. Re: Doublee click.net

            Thanks Peter. One of the things I noticed in doing that and running the malwarebytes is that I kept getting red warnings Mcafee scan was being shut and my computer was at risk. I ended up doing the "restore" thing I noticed on helpful hints and took the date back a couple of weeks before the problem was noticed so the computer was restored/restarted back before the problem. I'm hoping that helps.

            • 3. Re: Doublee click.net
              Peter M

              Well you'd have to run McAfee updater and any Windows  and other updates as necessary to 'carch up'.   Hope that worked for you.

              • 4. Re: Doublee click.net
                Hayton

                System Restore may not work completely - it all depends whether this search results hijacking is part of a more serious infection. Microsoft note the "doubleeclick.net" redirection as more or less an afterthought in their description of Win32/Medfos - see

                http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win 32/Medfos

                 

                 

                Win32/Medfos is a family of trojans that may download additional malware, install malicious extensions for Internet browsers and redirect search engine results.

                 

                In the wild, we have observed variants of Win32/Medfos being distributed by the Blacole exploit kit, bundled with Win32/Sirefef variants and downloaded by TrojanDownloader:Win32/Beebone variants.

                 

                 

                The malware may download and run a DLL file with a random name to the %TEMP% folder, for example:

                %TEMP%\bdylut.dll

                 

                Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Temporary files folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".

                 

                This file is detected as Trojan:Win32/Medfos.B, which is a search-engine redirection component of the Win32/Medfos family.

                 

                 

                Win32/Medfos  may install a search-engine hijack extension for Mozilla Firefox. This extension is also part of Trojan:Win32/Medfos.B, and may be detected as Trojan:JS/Medfos.A.

                 

                The extension is installed as %LOCALAPPDATA%\{<random unique identifier>}\chrome\content\browser.xul, for example %LOCALAPPDATA%\{535C840F-E52A-11E1-8270-B8AC6F996F26}\chrome\content\browser.xu l

                 

                In the wild we have observed the Firefox extension with the following names:

                - Mozilla Safe Browsing 2.0.14

                - Translate This! 2.0

                 

                 

                If you use Firefox check for the presence of add-ons with those names.

                 

                And right at the end :

                You could be redirected to advertisements or to the actual search result. In the wild, we observed that search results were redirected to "googleads.l.doubleeclick.net".

                 

                Even after a System Restore you should probably run a full McAfee scan, just in case. If McAfee finds nothing your system may be clean, but in cases of (potentially multiple) infection, especially with Sirefef - otherwise known as ZeroAccess - a second scan with another product is a good idea. Microsoft's Safety Scanner should deal with his and so will MSRT, the Malicious Software Removal Tool.