Strange popups problem

Discussion in 'malware problems & news' started by emperordarius, Nov 10, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Very very often, on websites and blogs, I get popups that redirect to

    hxxp://mtn5.goole.ws/ac.php?bannerid=x&zoneid=x&target=_blank&withtext=&source=&timeout=0&ct0=

    hxxp://popup.adv.net/popup2.php?r=xxxx

    I tried many malware scanners but nothing seems to work. HijackThis log is also clean.. :doubt:
     
    Last edited: Nov 10, 2008
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
  3. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Are these just pop-up ads? If so, do you use some type of ad blocker?


    Many malware scanners? Which ones exactly have you tried?
     
  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I am going to assume it's popups with the browser being redirected, then there is concern. If you're using Fox, does this happen with IE as well? Have you run SuperAntiSpyware, Spybot, Dr.Web CureIt? I see Malwarebytes in your sig, so I assume you ran that.
     
    Last edited: Nov 11, 2008
  6. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Thank you all.

    I have firefox's popup blocker active, it does notify about the popup being blocked but the popup still appears.

    I have run MBAM, SAS, A2 Free, Spybot, Combofix, SDFix and some other scanners.

    I did a Google search and those popups seem not to be detected by any antispyware; other people who had the problem didn't solve it.

    BTW: I updated MBAM again and it detected 2 Trojan.DNSChanger, I removed them and rebooted, but as soon as I went to remove-malware.com, for example, I got the popups.

    Now I just went on Av-comparatives and...

    [screenshot attachment: popu.PNG]

    Strangely the page didn't load now.
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    emperordarius, I disabled both NoScript and AdBlock Plus add-ons in my Firefox; no pop-ups when visiting remove-malware.com and av-comparatives.org with Firefox pop-up blocker disabled. Just FYI.
     
  8. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I think I have some kind of unknown spyware that displays popups on those and other sites...
     
  9. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    emperordarius, did you post an HJT log at a malware removal forum? I suggest you do so.

    Before going to a malware removal forum, try this,

    Start > Run
    Type "services.msc". Click ok.
    Look for "Windows Tribute Service". Click properties. Get the file and submit to your AV or Malwarebytes. In the meantime, stop the service and set its startup type to disabled, reboot.

    thanatos
     
  10. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I got no Windows Tribute Service. :doubt:
     
  11. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello neighbor emperordarius :)

    I find this a crucial question. Please answer it.

    Also, you never listed your Firefox plugins. Some of them may be doing this, so - which are they?
     
  13. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    It happens with IE too apparently...
    My FF addons are:
    [screenshot attachment: untitled.PNG]
    Yes, popups is set to BLOCK popups.
    Plugins:
    [screenshot attachment: 1.PNG]
    [screenshot attachment: 2.PNG]
     
  14. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    167
    @ thanatos_theos
    Do you mean the service called Messenger?
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    OK emperordarius, I know you're a fairly advanced user, so I won't recommend anything basic as I suppose you already did your homework.

    Seems this is not related to Firefox at all.

    o_O (Puzzled) o_O

    Actually, the last thing I like to resort to is a possible malware/spyware, but this one here... makes me pretty much clueless.

    More thinking needed. I'll get back to you if I come up with anything.

    Cheers,

    EDIT: OUCH, Silverlight plugin? Hmm....
     
  16. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    @swami
    No, it's not the Messenger service.

    @emperordarius
    It's probably a DNSChanger. Malwarebytes detects the registry changes but not the binary.
    Do you have a router? Check your DNS settings.

    thanatos
     
  17. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Disabled it, but it didn't help.
    I guess I have to try some more malware scanners..
     
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Well, I was mostly interested in your first link, as this one looked especially suspicious to me. So, at least, here are ping and WHOIS data for any subsequent readers of this thread -

    Ping:

    [screenshot attachment: Untitled-1.jpg]

    WhoIs:


    This does not say much, but doesn't hurt either...

    Cheers,
     
  19. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Interesting, so it's from Israel... Wait a minute, I'm using a wireless connection which is not mine. Is it possible that the wireless provider is compromised and that the problem resides there? o_O
     
  20. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I manually changed my DNS settings. There were some Ukrainian IP addresses there, supposedly changed by some DNS changer. Still, I do get those popups...
     
  21. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Unfortunately, I am not familiar enough with these things to give any valid comment. But, yes, it is possible that the ISP DNS servers are compromised.

    FWIW, the .ws domain goes to Western Samoa.

    How about that?

    o_O (still puzzled) o_O

    Cheers,

    EDIT: We really miss Stem right now. Stem, where are you?
     
  22. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    :blink:
    No idea what Western Samoa has to do with this.

    The popups "seem" gone in firefox...
     
  23. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    What do you mean? Gone when you changed DNS servers? But still not gone in IE?
     
  24. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    No way. It looked like it was gone, but there's something that is changing those dns server settings again and again.
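Posts 16 and 24 point at the same symptom: the configured DNS resolvers are being silently rewritten. As an added example (not code from anyone in this thread), the Python below audits each network interface's configured resolvers against an allowlist; the allowlist and the sample registry values are assumptions, and the live registry read only works on Windows.

```python
# Added example for this thread (not any poster's code): flag per-interface DNS
# resolvers that are not on an allowlist. Sample values are constructed to mirror the
# REG_SZ strings under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}.
import re
# Assumed allowlist: the resolvers the machine's owner actually expects.
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}
# Constructed sample: a DHCP-only interface, plus one whose static NameServer was rewritten.
SAMPLE_INTERFACES = {
    "{AAAA-1111}": {"NameServer": "", "DhcpNameServer": "192.168.1.1"},
    "{BBBB-2222}": {"NameServer": "203.0.113.10,203.0.113.11", "DhcpNameServer": "192.168.1.1"},
}
def split_servers(value):
    """NameServer/DhcpNameServer strings are comma- or space-separated."""
    return [s for s in re.split(r"[,\s]+", value) if s]
def effective_resolvers(iface):
    """A non-empty static NameServer overrides the DHCP-supplied servers."""
    static = split_servers(iface.get("NameServer", ""))
    return static or split_servers(iface.get("DhcpNameServer", ""))

def audit(interfaces, trusted=TRUSTED_RESOLVERS):
    """Return {guid: [untrusted resolvers]} for every interface that drifted."""
    findings = {}
    for guid, iface in interfaces.items():
        bad = [s for s in effective_resolvers(iface) if s not in trusted]
        if bad:
            findings[guid] = bad
    return findings

def read_windows_interfaces():
    """Live registry read on Windows; returns {} elsewhere so the sample is used."""
    try:
        import winreg
    except ImportError:
        return {}
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            guid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, guid) as key:
                result[guid] = {}
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        result[guid][name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        result[guid][name] = ""
    return result

if __name__ == "__main__":
    print(audit(read_windows_interfaces() or SAMPLE_INTERFACES))
```

Run it periodically (a scheduled task is enough); a non-empty result appearing after you have reset the resolvers is exactly the "changed again and again" behaviour described above, and the GUID tells you which interface to inspect.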
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    How are your DNS lookups being made? Do you have Windows' DNS Client service enabled, or do your net-facing apps do their lookups by themselves?

    EDIT: Please note that I don't have a bright idea here, I am just questioning you so someone more knowledgeable can hopefully tie up any loose ends.
     