Note that many websites have their own advertising, unrelated to adware.
Appears to use (some) code recycled from a publicly available trojan program. Installs itself in the Windows LSP (Layered Service Provider) stack, where it can monitor traffic not just in IE, but in any browser. Depending on configuration, it will send the traffic details to a controlling server. Pop-ups always happen in IE. Many versions also install other adware products (although the payload appears to differ randomly/geographically).
We have had reports of this being installed via the WMF exploit.
- First make sure your machine has all the latest service packs and hotfixes to prevent reinstallation.
- Make sure all browser windows are closed.
- From the registry, remove:
- Do a Windows file find for "phage.vxd". Delete any instances found.
- In some cases, an "LSPFix" is needed when network connectivity is broken.