Windows 7: Bluekai Hijack


23 Mar 2013   #1
Dixon Butz

Win7 x64 X2, Win 8.0 x64, Win8.1 x64, Quad Boot
 
 
Bluekai Hijack

Anyone heard of the bluekai.com hijack? Seems like it's a spyware company that tracks your browser habits or something.
I was on Win8 x64 and restarted. After restart a browser opened and went to this url:



Admuncher blocked it. Even with Admuncher disabled, nothing loaded. And somehow this hijack/spyware/exploit is deleting an exe from a program called Realtime Cookie Cleaner. How is that even possible?

So I boot to Win 7 x64 (multiboot). Same behavior. WTF? That url opens on startup. RTCC.exe gets deleted when I try to run it. (I have copies of it).
And the thing is, nothing detects this malware. Avast, Malwarebytes, Super Anti Spyware, MSE, WinPatrol, Malwarebytes Anti Rootkit, online virus scans etc.
Went to and you can "Opt Out". That didn't work.
I have googled this to death. A few fake sites that try to get you to download stuff like spyhunter etc. I have seen a few that have had something similar. Still have no solution.
So I go try my laptop since that should be clean. Nope. Same crap! I don't know how this bluekai is making my browser open on startup and deleting my cookie cleaner. They have my IP or something.
I booted to a partition that has a most clean Win7 install. Have not got it there yet. The windows firewall was on. Maybe that helped.
Oh and I restored an image of Win7 from Feb 27. Booted with the net disconnected, all good. Turn on the net and browser opens on boot. Cookie cleaner deleted. Restore image again. Boot with no net. Turn on firewall. Make 3 entries for bluekai. Do all windows updates. So far no browser on start. Cookie cleaner still gets deleted.

Any ideas?


23 Mar 2013   #2
Golden

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64
 
 

Hi,

It sounds as if you are experiencing a poisoned DNS cache problem. Try this:

Copy and paste the text below into a new instance of Notepad:

Code:
@Echo on
REM Restore the stock HOSTS file and flush the DNS / network stack state
pushd %SystemRoot%\System32\drivers\etc
REM clear hidden/system/read-only attributes so the file can be overwritten
attrib -h -s -r hosts
REM the single > redirect replaces the whole file with the default loopback entry
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM drop the DHCP lease, obtain a fresh one and clear the resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM reset the Winsock catalog and TCP/IP stack (needs an elevated prompt)
netsh winsock reset all
netsh int ip reset all
REM reboot after 1 second; the batch file then deletes itself
shutdown -r -t 1
del %0
Save the file as flush.bat to your Desktop. Right-click on the file and choose to 'Run as administrator'. This will flush your DNS cache and restore the Microsoft HOSTS file. Your computer will automatically reboot.

Please report back if this helps.

Regards,
Golden
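An added example, not Golden's script or anything else from this thread, for reviewing the HOSTS file before flush.bat overwrites it: it lists entries that redirect names to a non-loopback address or pin extra names to loopback, keeps a copy of the file as evidence, and greps the resolver cache. It assumes Windows PowerShell run as Administrator; the evidence file name and the bluekai search pattern are my choices.

```powershell
# Added example (not from the thread): audit HOSTS for non-stock entries
# before resetting it. Assumes Windows PowerShell 2.0+ run as Administrator.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-SuspiciousHostsEntry {
    param([string[]]$Lines)
    $loopback = @('127.0.0.1', '::1')
    $stock    = @('localhost', 'localhost.localdomain', 'broadcasthost')
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }            # address with no names
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $reason = if ($loopback -notcontains $ip) {
                'REDIRECT: name resolves to a non-loopback address'
            } elseif ($stock -notcontains $name.ToLower()) {
                'BLOCK: extra name pinned to loopback (ad-blocker style entry)'
            } else { $null }
            if ($reason) {
                New-Object PSObject -Property @{ Address = $ip; Name = $name; Reason = $reason }
            }
        }
    }
}

# Get-Content reads the file even while it carries the +h +s attributes
$entries = @(Get-SuspiciousHostsEntry -Lines (Get-Content -Path $HostsPath))
if ($entries.Count -gt 0) {
    $entries | Format-Table Address, Name, Reason -AutoSize
    # keep the poisoned file for later review before flush.bat replaces it
    Copy-Item -Path $HostsPath -Destination "$env:USERPROFILE\Desktop\hosts.before-reset.txt"
} else {
    Write-Host 'HOSTS holds only stock entries; the redirect is not coming from this file.'
}

# Resolver cache check: ipconfig works on Windows 7 (Get-DnsClientCache needs Windows 8+)
ipconfig /displaydns | Select-String -Pattern 'bluekai'
```

If neither the file nor the cache mentions the domain, the browser is being sent there by something that starts with the desktop rather than by name resolution, which is what the thread eventually found.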
23 Mar 2013   #3
Dixon Butz

Win7 x64 X2, Win 8.0 x64, Win8.1 x64, Quad Boot
 
 

Didn't help. Still had that popup on start. Still deleting the RTCC.exe upon execution.
23 Mar 2013   #4
Dixon Butz

Win7 x64 X2, Win 8.0 x64, Win8.1 x64, Quad Boot
 
 

How can something like this spread to another PC on the lan?
23 Mar 2013   #5
Golden

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64
 
 

Mmm. OK, please ignore the cookie cleaner exe you are referring to for now.

Have you run a scan from outside the Windows boot environment yet? If not, please follow this:

Windows Defender Offline

Regards,
Golden
23 Mar 2013   #6
Dixon Butz

Win7 x64 X2, Win 8.0 x64, Win8.1 x64, Quad Boot
 
 

Keeps crashing. I can select the drive to scan and it starts but crashes after about 15 seconds.
23 Mar 2013   #7
Dixon Butz

Win7 x64 X2, Win 8.0 x64, Win8.1 x64, Quad Boot
 
 

Hmm. I may be on to something.
I noticed that I only get the browser going to that url when the desktop gadgets start. I killed sidebar and started gadgets and the browser popped up to that url. One of the gadgets is active desktop gadget. It connects to a Maryland traffic cam. One of the cams on this site CHART On The Web
So if I start gadgets without that AD gadget, I don't get a popup.
Turns out that even if that gadget opens the default MS page, still get a popup.

And when I disable Avast, RTCC.exe is no longer deleted. I only used the file shield.

I just don't understand why this just started happening. I have been using that active desktop gadget a long time. Same with Avast.
This seems like it is not a hijack or malware now.
Getting rid of Avast. Going to try to figure out why that AD gadget causes popup.
I have gadgets on Win 8 too. There is a way to install them.
23 Mar 2013   #8
cottonball

Windows 7 Home Premium
 
 

Dixon Butz,

In regard to Windows 7 (Windows 8 has its own forum)...

Can you start the computer in Safe Mode with Networking?

As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
Select: Safe Mode with Networking

Is the issue present in SMwN?

also,

Do you have the Repair your computer option in the Advanced Boot Options menu?
23 Mar 2013   #9
Dixon Butz

Win7 x64 X2, Win 8.0 x64, Win8.1 x64, Quad Boot
 
 

See my reply. Post #7 above. I think I solved it.
23 Mar 2013   #10
cottonball

Windows 7 Home Premium
 
 

Good!!

If, for some reason, the issue shows up again, post back.

We'll bring in a guided missile!