Popups coming through Internet Explorer when it is not running...?

Discussion in 'Malware Help (A Specialist Will Reply)' started by the new tech guy, Oct 12, 2005.

  1. Hi guys
    I have a weird problem with popups on my PC. It seems that sometimes while searching the web and I get my usual bombarding of popups, somehow the blocker stops it, and then a hidden IE process starts up and the same popup that got blocked comes through Internet Explorer when it was completely turned off before. (I use the Verizon Yahoo browser to surf the web.) How does this happen and how can I stop it, because it is really getting on my nerves. I have Ad-Aware SE and before that I had Spybot S&D. Plus I currently have MS AntiSpyware as an active guard running. Both are up to date completely. But I can't figure out why I keep getting these popups through IE. Could someone help?
    thanks,
    the new tech guy
     
  2. Oh, I forgot to mention that I have Windows 2K SP4.
     
  3. UPDATE: I found out the name of the server that keeps giving me these ads. It's ad.yeildmanger.com. It seems that whenever I get this, this is the server that I get it from. If anyone out there can help me I would greatly appreciate it.
    thanks
    -the new tech guy.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

     
  5. Well, strangely enough, when I came on to get to work on this today, I noticed some Windows updates that had just come up on the computer for install. I installed them, restarted the computer to finish up the install, and the problem stopped. I guess those updates must've had something in them to remove it. Tomorrow the computer will be checked again for updates, then after updating Ad-Aware, cleaning cookies, and running an MS AntiSpyware scan, it will be scanned with Ad-Aware for its weekly checkup. Then I will run Registry Mechanic, ScanDisk, and a boot defrag from Diskeeper to finish the job.
    thanks
    -the new tech guy
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
  7. Hey chas, just out of curiosity, would there be any reason for how I was getting that problem in the first place? I know during updating it downloaded and installed something for the MS Malicious Software Removal Tool. Could that be an autoexec.bat file that runs during update and found the problem?
    -the new tech guy
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Any number of things could have happened! It could have been fixed even by dumb luck! Suppose you had a file that Windows uses and it was infected. Now also suppose the upgrades replace that file with a new version. Boom! No more infection.
     
  9. Good point. Good chance it was an infected overwritten file if I had to restart the system.
    -the new tech guy
     
  10. Don't look now chas, but it started again. I'm gonna go ahead and start the run me first sticky and see what comes up, then I will post an HJT log.
    -the new tech guy
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Just a couple questions too.

    Do you have Windows Messenger running (this is not MSN Messenger)? If so, do you use it (most people do not)? Do you ever get popups in safe mode?
     
  12. Well, I just ran stm on the computer and it says that the messenger is turned off. I use AIM for instant messaging. And I don't think I can surf the web in safe mode because the drivers for my wireless PCI card are not running in safe mode.
    -the new tech guy
     
  13. Also, should I install Spybot to C:/program files or its own folder?
    -the new tech guy
     
  14. Also, another problem with Spybot S&D. I ran the immunization and it said that everything is blocked, then when I click to check again, it would always say that six additional items can be immunized and to do it. I noticed it doing this when I had it previously installed on the system a short time ago as well. I am now going to continue with the read me first sticky.
    -the new tech guy
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Its own folder in C:\Program Files is the default location and it should be used.

    Immunizing can be a little strange sometimes. I have found that after getting updates, it is sometimes necessary to exit Spybot and then run it again and then Immunize. Otherwise the correct counts may not be seen.
     
  16. OK, just finished the BitDefender online scan and nothing found. I am going to continue and do my second online check with RAV antivirus. (All in normal because I do not think, as far as I know, that the drivers for my wireless internet card work in safe mode with networking.) Also, since I am using a wireless connection, should I boot in safe mode to do the offline read me first stuff so I know the system is not connected to the internet?
    -the new tech guy
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Complete the online scans in normal mode and run the rest of the READ ME in safe mode as specified. If the online scanners find things they cannot remove and the rest of the READ ME does not get them, you could use the below link. You download it, install it, and update it in normal mode. But you run it in safe mode and it does not need a connection.

    Running Ewido Security Suite
     
  18. OK, just finished RAV and it found one thing marked as "suspicious". Not sure if it's important since it was in Nero anyway. :rolleyes: But that was the only thing I saw in the online scans. Well, attached a logfile for the online RAV scan anyway so you can check the file out to be sure. Now I will continue with the read me first sticky.
    -the new tech guy
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a problem! It is part of Nero!
     
  20. OK, finished the read me first with nothing found but the one thing that I showed you. Just some MRU stuff was cleaned in Ad-Aware. I will go see if the problem still persists. If so, I will post a HijackThis! log and we will go from there.
    -the new tech guy
     
  21. No luck and the problem still persists. Here's an HJT log for ya to review and I guess we can go from there. Thanks for the help so far.
    -the new tech guy
     


    Last edited by a moderator: Oct 15, 2005
  22. I think I am noticing a pattern in what the malware does. It seems that it causes a popup in IE, then it moves to the Verizon Yahoo browser and comes as a regular popup in there, and then another day it won't do anything. And it will start the process over again. Could this be the program trying to hide from the anti-spy programs running on the computer? Also, for the past couple of days, I have received alerts about Internet Explorer security levels, and things like that, in MS AntiSpyware that I have allowed. Could these new changes be related to it in any way?
    -the new tech guy
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I do not see any apparent problems in your HJT log. However, you should check to make sure your Yahoo Parental Controls are not broken (if you use them). HJT indicates a possible internet connection problem because a file for Yahoo is missing.
    O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing

    You may need to either reinstall Yahoo or you will need to fix this broken LSP chain using LSP-fix.

    Some people take the approach of removing all the below lines from Yahoo. Why do they have to go thru redclients first?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

    If you are sure you are still getting malware popups (not just advertising on the sites you go to), try the below:

    Panda ActiveScan - Save the log and attach later.

    Running Ewido Security Suite - attach this log too.

    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
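
As an added example (not part of the original thread and not a HijackThis feature), this Python sketch parses the kind of HijackThis lines quoted in the post above, separating each R1 search setting's intermediate host from its final destination and collecting missing LSP providers reported on O10 lines. It assumes the `*` in a value separates the intermediate URL from the final one; the function names and the last sample line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines quoted in the post above, plus one made-up
# R1 line without an intermediate host for contrast.
SAMPLE_LOG = r"""
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/
"""

# "R1 - <hive>\<key path>,<value name> = <url>"
R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\([^,]+),(.+?) = (\S+)$")
# "O10 - Broken Internet access because of LSP provider '<dll>' missing"
O10_MISSING = re.compile(
    r"^O10 - Broken Internet access because of LSP provider '([^']+)' missing$"
)


def parse_hjt(log):
    """Return one dict per recognised R-section or O10 'missing' line."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            _section, hive, _key, name, url = m.groups()
            # Assumption: "<intermediate URL>*<final URL>".
            via, star, final = url.partition("*")
            findings.append({
                "type": "search_setting",
                "hive": hive,
                "value": name,
                "redirector": urlsplit(via).hostname if star else None,
                "destination": urlsplit(final if star else via).hostname,
            })
            continue
        m = O10_MISSING.match(line)
        if m:
            findings.append({"type": "missing_lsp", "dll": m.group(1)})
    return findings


def summarize(findings):
    """Return (sorted intermediate hosts, missing LSP DLL names)."""
    hosts = sorted({f["redirector"] for f in findings
                    if f["type"] == "search_setting" and f["redirector"]})
    missing = [f["dll"] for f in findings if f["type"] == "missing_lsp"]
    return hosts, missing


if __name__ == "__main__":
    hosts, missing = summarize(parse_hjt(SAMPLE_LOG))
    print("Search settings routed via:", hosts)
    print("Missing LSP providers:", missing)
```
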
     
  24. Well, these are the sites that I have the problem on:
    www.flashplayer.com
    www.videocodezone.com
    I have tried accessing the site through Verizon Yahoo on another PC and the problem happened there too. I think maybe you should go and try to access these sites, since more than one PC has been there and may have the same problem. And regarding your questions, I think the redzone thing is part of the parental controls, which are used on this system. Now those HJT lines you show, should I fix those lines or just leave them alone? Because I think they are part of the parental controls. And with the broken Yahoo parental control, I do not think anything is broken, because even when the system is OK Yahoo bugs out for no reason at all. So I was wondering if you can go to those sites for me and let me know if you get the problem as well. Just use a third-party browser. Do not use Internet Explorer. I would recommend you try videocodezone first since you get it right at the home page, where on flashplayer it will happen at times and other times it will come through your current browser or it will not happen at all. But those two are the ones that give the problem. Could you just visit the videocodezone site on another browser like Firefox or something and let me know if it happens?
    thanks
    -the new tech guy
     
  25. So what would you recommend I do based on my previous post?
    -the new tech guy
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why do you say do not use Internet Explorer? I thought that is what you had problems with. If you are using Firefox, perhaps that is the reason you are seeing the popups as it is not blocking them.

    I get no popups when using IE. But I have proper protection in place and also have added things those sites are trying to put on your PC into my Restricted Zone. Didn't you use Spybot and Immunize? Did you also install SpywareBlaster and enable all of its protections?

    I saw one popup (only once) using Firefox and it was from mediafastclick, which Spybot adds to your Restricted Zone of IE.

    If you are only getting popups on those sites, then the problem is due to those sites. Why do you go to those sites?
     
    Last edited: Oct 16, 2005
  27. Yes, Internet Explorer is where I have the problem. The reason I said not to use that was because if you have a popup blocker installed, it may not let you see the problem. And I do not use IE when surfing those sites. I use the Verizon Yahoo! internet browser (which I think is based off of IE because of very similar menus that are on it). But the problem kinda occurs in both: when I look at the site in the Verizon Yahoo browser I will get a popup ad, which instead of coming through the Verizon Yahoo browser, will come up in an Internet Explorer window, which also has a popup blocker which is part of the Verizon Yahoo suite. Now, to your notion on using proper security software, I have proper security software. I have avast! antivirus for antivirus, ZoneAlarm free edition firewall, MS AntiSpyware, and I have Ad-Aware for anti-spy as well. And I run a boot scan with avast once a month, and I scan with MS AntiSpyware and Ad-Aware in safe mode once a week to control spyware. Plus, I use CCleaner once a week on all accounts that are on the computer to clean cookies and other junk out of the computer. So the system is well protected. Also, before I run anything at all, while connected to the internet in normal mode, I check all of the programs for updates and install any if found, then I run Windows Update to make sure the computer is up to date. And to answer the question on why I visit the sites, I use videocodezone to put music videos on MySpace, and I go to flashplayer just for enjoyment to watch flash videos. So I would guess I just have a false positive in the computer?
    -the new tech guy
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I used IE and I do not use a popup blocker (don't need it)! And I received no popups! Perhaps you should try not using Yahoo Browser and just try IE directly. Also try FireFox which has built-in popup blocking.

    You did not answer my question about using SpywareBlaster and Spybot.

    What privacy settings do you have in ZoneAlarm for cookies and for AdBlocking?

    What exactly do the popups say in them? Do you see anything related to mediafastclick? Do you get Privacy Reports in the bottom of your IE window (not Yahoo) if you go to those sites?
     
  29. Well, I did not see SpywareBlaster in the read me first sticky. But I did run Spybot S&D and ran the immunize function. Should I ditch Ad-Aware and use Spybot instead? I just ran IE and I did see a privacy report appear in Internet Explorer. The reason I use Verizon Yahoo is because I also have all my Verizon Yahoo features come through it and, well, it's my default browser. Plus, after my first hit on the website using IE, it added the sites to the restricted zone and I clicked refresh and saw no more popups. And with the ZoneAlarm internet security settings, I'm not quite sure what you are talking about, so could you please tell me how to get to them? I also received mediafastclick. And they are just like normal stupid popup ads that are different every time.
    hope this information is useful,
    -the new tech guy
     
  30. Hang on, I think I know what you are talking about. If you're talking about my internet security settings in ZoneAlarm (correct me and tell me how to get what you need if I'm wrong), it is set to stealth mode on the internet zone, and I am on a LAN with two other PCs and a print server for a printer. And they are set on sharing mode, which is in trusted zone security. Again, if this is not what you're looking for, tell me what you are looking for again and how to get to it.
    hope this is right and thanks for the help
    -the new tech guy
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Both Ad-Aware and Spybot are useful to keep. Don't forget Ad-Aware (the free version) is only a scanner/remover. It provides no blocking and does not use any system resources until you run it to do a scan. Spybot's Immunize helps protect you (and uses no resources). Spybot's SDhelper protects you and uses a little resources. Do not use Spybot's Teatimer. Too many people have had problems with it.

    Your statements seem to be contradicting:

    First you say you get no more popups after the first time.
    Then you say you are getting popups and they are always different.
    Please clarify.

    SpywareBlaster is not in the READ ME anymore (I may put it back). I was merely asking if you had used it. If not, I would recommend you do. It's in here: How to Protect yourself from malware!


    You have never tried the last part of message # 23. (The other scanners and Hoster.)
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! See the Privacy Settings tab. Hmmm! I have to check if this is available in the free version. I use the Pro version.
     
  33. I'm sorry for the confusion, chaslang. I just looked through ZoneAlarm and I see no privacy settings tab. I am using the free version of ZoneAlarm. Regarding the confusing posts, I meant that I get one every time I go to videocodezone and it is like a normal popup ad. It is the server you mentioned: mediafastclick. And flashplayer.com will give you the ad in a strange manner. Sometimes I get it in Internet Explorer, then I will get it in Verizon Yahoo!, then I will not get it at all. I will now run Hoster, Ewido, and Panda ActiveScan for you and post log files from all three. And I will run Spyware Nuker and give you a log from that as well.
    -the new tech guy
     
  34. Umm, chaslang, while downloading Panda ActiveScan I got an alert from avast about a virus detection in it. I dunno if this is bad or if this is just a false positive.
    -the new tech guy
     
  35. I just checked to see if the problem is still occurring. It has stopped and I do not get it using either browser. Just the usual stuff that comes through as regular advertising on the site. I did not run Ewido, and I ran part of Panda, which then I accidentally disconnected Verizon Yahoo, which messed up the scanner, but the part that did run did not pick anything up, so I think I am in good shape now.
    thanks for all the help
    -the new tech guy
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a false positive!
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
  38. Thanks for being patient too, because I have pretty much taught myself with computers and, well, still in school and don't have the professional experience you have, and, well, know some stuff with spyware but I'm no pro. So thanks for being patient, because some of that stuff I never heard of before.
    -the new tech guy
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! It does get difficult in here sometimes and we can lose our cool! So hopefully everyone is patient with us too! ;)
     
  40. Hey, I just tried that suggestion on LSP-Fix to fix the Verizon Yahoo chain and I think it fixed a small problem that I was having where, when I would click something, the browser would just hang and not do anything for a few seconds, then it would go, because now when I click something the browser responds almost immediately. Thanks for the LSP idea.
    -the new tech guy
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    That is why I mentioned it in message # 23. Anytime something is missing in the LSP chain there can be problems. With certain items missing or corrupted in the chain, you will have no internet access at all.
     
  42. Go me, I'm a sergeant :cool:
     
