How to Block popup.adv.net and wtn5.goole.ws

Hello everyone. I have finally found a way to stop this adware/malware without using any third-party browser add-on. You can find the article I wrote here -> The Final Solution. Please be sure to read it so you can finally rid yourself of this problem. Read also the comments on this post, where others have generously shared their solutions. - Temujin

There is something terrible happening on the web today and it has gotten more rampant this week. Unfortunately Microsoft, Mozilla, Google, Opera, Apple, and Adobe have no permanent solution for it at the moment.

If you visited several legitimate websites and an ad from popup.adv.net and wtn5.goole.ws keeps popping up when you click on a link or image, then you have been a victim of "Clickjacking".

No anti-adware or malware program can remove this strain because it appears that it isn't actually on your computer. In fact, I have tried using a newly formatted computer and still these illegal advertisements keep popping up. Somehow this strain exploits DHTML and CSS. What it does is inject an illegal website into a perfectly legitimate website you are visiting. It then renders this illegal website invisible, so that when you click a link in the legitimate website, you are actually clicking a link in the illegal website.

Severity

This is a very serious threat because it could make you click a link that executes code that can steal important information from your computer, or install software without your permission, or worse yet, a virus. Here is an article that may explain it better.

How to Block

The only way to block this exploit right now is to use the NoScript add-on in Firefox 3. But the process could appear tedious to casual computer users.
On my next post, I will explain how to install and use this add-on.

Related Links:

How to Remove popup.adv.net and mtn5.goole.ws - Final Solution
How to Block Adwares using Firefox NoScript extension

Comments

Seth said…
Please post again, I want to get rid of this crap for real. Thanks.
brokenGear said…
Try malwarebytes software. It seems it worked for me. It actually removed lots of entries from registry with DNS redirecting.
brokenGear said…
Use the software from malwarebytes to remove it. h**p://www.malwarebytes.org/roguenet.php?id=90
BudOlly said…
I was having same problem. All scans done; everything cleaned. Still getting popups from popup.adv.net. Did some reading and this particular exploit is apparently NOT on the computer. That sort of makes sense as spybot and sophos cannot find anything. Still, how can this be? I was stumped, and frankly, pissed that I could not find any answers. Until I decided to see if there was actually something at "popup.adv.net". Browser does not pull up a page. 'nslookup', however, shed the light. I noticed 'nslookup' was not using the correct DNS (something like 86.255.84.216). DNS server, in fact, is not even part of a valid domain. This sent off a giant flare. Web site requests are being hijacked by some kind of bot on the "DNS" server. I'm guessing, the original infection came from a cookie, or other malware that changed the DNS. Even though that was removed with spybot, the bad DNS entry remained. My fix: after all scans are done and any findings cleaned, open a command prompt and run the following command:

netsh int ip reset log

Be sure to reboot afterwards.

This will work on Windows XP and Vista for sure, but not sure about older Windows.
Temujin said…
I suspected as much after I cleaned my PC.

Anyway, take a look at these articles.

http://www.securityfocus.com/brief/772

http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html
Patroklos said…
Hello all,

I also got this ware on my WinXP. Unfortunately, I got a barrage of attacks from a file I inadvertently downloaded and executed. There were several attacks bundled into one file:
- virus-1
- virus-2 (trojan)
- keylogger (I think)
- this DNS hijack

A large part of the attack was repelled by real-time virus protection, SpybotS&D (in the log, there was an exe file which tried to put itself into startup for about an hour every second - was denied by SpyBot) and the firewall. However, a smaller part of the attack was successful. The following happened:

1. Virus on each partition's root (some sort of autorun.inf which calls a .com file in a hidden "resycled" (not misspelled!) folder in root).

2. An exe file attempting to be put into one of the startup locations.

3. A legitimate csrss.exe file attempting to access the internet (?)

4. The pop-ups mentioned in this blog.

5. Google ads on various pages being redirected.


I did the following:

1. Ran Norton antivirus - removed virus-1 (on each partition's root)

2. Ran Ad-Aware - removed (tried?) various malware Registry entries and the startup-attempting file (did not do, see next)

3. Ran SpyBot - removed one suspicious registry entry and indeed removed the startup-attempting file

Up until here, the pop-ups still remained.

4. Opened up the internet network connection's properties and looked at the TCP/IP protocol properties - lo and behold, the DNS server was hijacked. Deleted the address and put back the original.

The pop-ups disappeared at this point. However, my firewall still notified me that various standard programs (like MSN Messenger) are trying to access an unknown DNS server (recognized the hijacking address)

5. Finally, followed the instruction in BudOlly's post to execute the command
netsh int ip reset log

(thank you)

1-5 cleaned the computer.

Cheers:

PB
Patroklos said…
I'm afraid I spoke too soon. Two different things:

1. The command suggested:

netsh int ip reset log

creates the new log file on the DESKTOP (or wherever the command prompt was opened) named "log". Obviously, you don't want it there. Can the original author tell us where this log is supposed to be in the WinXP/Vista environment?

2. Still, my firewall indicates that, for example, Yahoo messenger is trying to access this DNS server. If I deny it, it comes back 2 more times and then it goes to my normal DNS server.
What the heck is this?

PB.
PB said…
Ok, I figured it out: you still need to clean the registry of an "adapter" which contains this DNS server.
Search for the first 3 parts of the hijacking server (85.255.112.) and delete the adapter instance.

PB
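
The registry check described in the comment above (finding the adapter entry that still holds a rogue DNS server) can be scripted. This is an added example, not part of the original post or its comments: it parses saved `reg query` output for the per-adapter TCP/IP keys and lists every DNS server that is not on an expected list. The function name `unexpected_dns`, the sample output, the GUIDs and the addresses are constructed for illustration.

```python
r"""List per-adapter DNS servers that are not on an expected list.

Input: text saved from cmd.exe with
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /s
"""
import re
import sys

# Registry values holding one adapter's DNS servers (static and DHCP-assigned).
DNS_VALUES = {"nameserver", "dhcpnameserver"}

# Constructed sample in the layout `reg query ... /s` prints. The GUIDs and the
# addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    EnableDHCP    REG_DWORD    0x1
    DhcpNameServer    REG_SZ    192.0.2.1
    NameServer    REG_SZ    203.0.113.53,203.0.113.54

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}
    DhcpNameServer    REG_SZ    192.0.2.1 192.0.2.2
    NameServer    REG_SZ
"""


def unexpected_dns(reg_text, expected):
    """Return [(adapter_guid, value_name, address)] for servers not in `expected`."""
    findings, adapter = [], None
    for line in reg_text.splitlines():
        if line.upper().startswith("HKEY_"):
            adapter = line.rstrip("\\").rsplit("\\", 1)[-1]  # last key component
            continue
        parts = line.split(None, 2)  # name, type, data (data may be absent)
        if len(parts) < 2 or parts[0].lower() not in DNS_VALUES:
            continue
        data = parts[2] if len(parts) == 3 else ""
        for addr in re.split(r"[,\s]+", data.strip()):  # comma- or space-separated
            if addr and addr not in expected:
                findings.append((adapter, parts[0], addr))
    return findings


if __name__ == "__main__":
    # Usage: python check_dns.py saved_output.txt 192.0.2.1 192.0.2.2
    args = sys.argv[1:]
    text = open(args[0], errors="replace").read() if args else SAMPLE
    expected = set(args[1:]) or {"192.0.2.1", "192.0.2.2"}
    for guid, name, addr in unexpected_dns(text, expected):
        print(f"{guid}: {name} lists unexpected DNS server {addr}")
```

Pass the DNS servers your router or ISP actually assigns as the expected list; anything else reported under `NameServer` or `DhcpNameServer` is an adapter entry worth inspecting.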
jdbounce said…
It took me three days to find a solution for popup.adv.net and dnschanger trojan. Here's the URL for the only solution that worked: http://forums.whatthetech.com/MY_DNS_Server_overwritten_someone_t97782.html

Combofix did the trick!
Linderry said…
Just try with Trojan Remover (30 days free trial). It did remove the hidden service from my PC and the problem is gone.

You can download it at http://www.simplysup.com/
