Windows Down Left Corner ad popup

A friend has been complaining about annoying advert pop-ups on most web-sites. She also noticed they were popping up on alog.ipduh and not popping up on a few large sites and ipduh.com ;).

After looking at her windows system I found a few pieces of malware and deleted them and then I noticed that the popups were still popping up in ~9/10 web-sites showing adverts from many ad networks and google adsense. Nothing weird (that I could see ) was running so I thought of looking at the hosts file before start looking at the system for rootkits and put it in a network that I can look all the traffic from it. The hosts file was --of course-- hidden and had all kinds of annoying attributes.

See and Edit the hosts file
cd C:\WINDOWS\system32\drivers\etc\
cacls.exe hosts /g builtin\users:R
cacls.exe hosts /e /g builtin\administrators:F
cacls.exe hosts /e /g "nt authority\system:F"
attrib.exe -s -h -a -r hosts


This is what I Found at the very bottom of a 20 pages long hosts file
66.185.21.82 www.google-analytics.com.
66.185.21.82 ad-emea.doubleclick.net.
66.185.21.82 www.statcounter.com.
66.185.21.82 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.
funny!

If you are like my friend,
you made it here and you are wondering what to do now ...
delete the lines above and save the hosts file at
C:\WINDOWS\system32\drivers\etc\hosts


66.185.21.82 www.google-analytics.com.
66.185.21.82 ad-emea.doubleclick.net.
66.185.21.82 www.statcounter.com.
66.185.21.82 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.



Windows Down Left Cornet Popup -- malware hosts anonoyance