Solved Bluekai Hijack

[Dixon Butz]

Anyone heard of the bluekai.com hijack? Seems like it a spyware company that tracks your browser habbits or something.
I was on Win8 x64 and restarted. After restart a browser opened and went to this url:



Admuncher blocked it. Even with Admuncher disabled, nothing loaded. And somehow this hijack/spyware/exploit is deleting a exe from a program called Realtime Cookie Cleaner. How is that even possible?

So I boot to Win 7 x64(multiboot). Same behavior. WTF? That url opens on startup. RTCC.exe gets deleted when I try to run it. (I have copies of it).
And the thing is, nothing detects this malware. Avast, Malwarebytes, Super Anti Spyware. MSE, WinPatrol, Malwarebytes Anti Rootkit, online virus scans ect.
Went to and you can "Opt Out". That didn't work.
I have googled this to death. A few fake sites that try to get you to download stuff like spyhunter ect. I have see a few that have had something similiar. Still have no solution.
So I go try my laptop since that should be clean. Nope. Same crap! I don't know how this bluekai is making my browser open on startup and deleting my cookie cleaner. They have my IP or something.
I booted to a partion that has a most clean Win7 install. Have not got it there yet. The windows firewall was on. Maybe that helped.
Oh and I restored an image of Win7 from Feb 27. Booted with the net disconnected, all good. Turn on the net and browser opens on boot. Coookie cleaner deleted. Restore image again. Boot with no net. Turn on firewall. Make 3 entries for bluekai. Do all windows updtates So far no browser on start. Cookie cleaner still gets deleted.

Any ideas?

 

[Golden]

Hi,

It sounds as if you are experiencing a poisoned DNS cache problem. Try this:

Copy and paste the text below into a new instance of Notepad:

[B]@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0[/B]

Save the file as flush.bat to your Desktop. Right-click on the file and choose to 'Run as administrator'. This will flush your DNS cache and restore the Microsoft HOSTS file. Your computer will automatically reboot.

Please report back if this helps.

Regards,
Golden

 

[Dixon Butz]

Didn't help. Still had that popup on start. Still deleting the RTCC.exe upon execution.

 

[Dixon Butz]

How can something like this spread to another PC on the lan?

 

[Golden]

Mmm. OK, please ignore the cookie cleaner exe you are referring to for now.

Have you run a scan from outside the Windows boot environment yet? If not, please follow this:

http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html

Regards,
Golden

 

[Dixon Butz]

Keeps crashing. I can select the drive to scan and it start but crashes after about 15 seconds.

 

[Dixon Butz]

Hmm. I may be on to something.
I noticed that I only get the browser going to that url when the desktop gadgets start. I killed sidebar and started gadgets and the browser poped up to that url. One of the gadgets is active desktop gadget. It connects to a Maryland traffic cam. One of the cams on this site CHART On The Web
So if I start gadgets without that AD gadget, I don't get a popup.
Turns out that even if that gadget opens the default MS page, still get a popup.

And when I disable Aavast, RTCC.exe is no longer deleted. I only used the file sheild.

I just don't understand why this just started happening. I have been using that active desktop gadget a long time. Same with Avast.
This seems like it is not a hijack or malware now.
Getting rid of Avast. Going to try to figure out why that AD gadget causes popup.
I have gadgets on Win 8 too. There is a way to install them.

 

[cottonball]

Dixon Butz,

In regard to Windows 7 (Windows 8 has its own forum)...

Can you start the computer in Safe Mode with Networking?

As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
Select: Safe Mode with Networking

Is the issue present in SMwN?

also,

Do you have the Repair your computer option in the Advanced Boot Options menu?

 

[Dixon Butz]

See my reply. Post #7 above. I think I solved it.

 

[cottonball]

Good!!

If, for some reason, the issue shows up again, post back.

We'll bring in a guided missile!

 

[Dixon Butz]

The reason Avast was deleting that exe was that I had "Gaming" mode turned on in Avast options. You won't get any popups with that on.
Tested it today with gaming off and got a warning about a suspicious program. I was able to add an exclusion rule and send a false positive report within that popup.