Sunday, November 9, 2008

How to Block popup.adv.net and wtn5.goole.ws

Hello everyone. I have finally found a way to stop this adware/malware without using any third-party browser add-on. You can find the article I wrote here -> The Final Solution. Please be sure to read it so you can finally rid yourself of this problem. Also read the comments on this post, where others have generously shared their solutions. - Temujin

There is something terrible happening on the web today, and it has become more rampant this week. Unfortunately, Microsoft, Mozilla, Google, Opera, Apple, and Adobe have no permanent solution for it at the moment.

If you have visited several legitimate websites and an ad from popup.adv.net or wtn5.goole.ws keeps popping up when you click on a link or image, then you have been a victim of "Clickjacking".

No anti-adware or anti-malware program can remove this strain because it appears that it isn't actually in your computer. In fact, I have tried using a newly formatted computer and these illegal advertisements still keep popping up. Somehow this strain exploits DHTML and CSS. What it does is inject an illegal website into a perfectly legitimate website you are visiting. It then renders this illegal website invisible, so that when you click a link in the legitimate website, you are actually clicking a link in the illegal website.

Severity

This is a very serious threat because it could make you click a link that executes code that can steal important information from your computer, or installs software without your permission, or, worse yet, a virus. Here is an article that may explain it better.

How to Block

The only way to block this exploit right now is to use the NoScript add-on in Firefox 3, but the process could appear tedious to casual computer users. In my next post, I will explain how to install and use this add-on.

Related Links:

How to Remove popup.adv.net and mtn5.goole.ws - Final Solution
How to Block Adwares using Firefox NoScript extension

10 comments:

Seth said...

Please post again, I want to get rid of this crap for real. Thanks.

brokenGear said...

Try Malwarebytes software. It seems it worked for me. It actually removed lots of entries from the registry with DNS redirecting.

brokenGear said...

Use the software from Malwarebytes to remove it. h**p://www.malwarebytes.org/roguenet.php?id=90

BudOlly said...

I was having the same problem. All scans done; everything cleaned. Still getting popups from popup.adv.net. Did some reading and this particular exploit is apparently NOT on the computer. That sort of makes sense as spybot and sophos cannot find anything. Still, how can this be? I was stumped, and frankly, pissed that I could not find any answers.

Until I decided to see if there was actually something at "popup.adv.net". Browser does not pull up a page. 'nslookup', however, shed the light. I noticed 'nslookup' was not using the correct DNS (something like 86.255.84.216). DNS server, in fact, is not even part of a valid domain. This sent off a giant flare. Web site requests are being hijacked by some kind of bot on the "DNS" server. I'm guessing the original infection came from a cookie, or other malware that changed the DNS. Even though that was removed with spybot, the bad DNS entry remained.

My fix: after all scans are done and any findings cleaned, open a command prompt and run the following command:

netsh int ip reset log

Be sure to reboot afterwards.

This will work on Windows XP and Vista for sure, but not sure about older Windows.

Temujin said...

I suspected as much after I cleaned my PC.

Anyway, take a look at these articles.

http://www.securityfocus.com/brief/772

http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html

Patroklos said...

Hello all,

I also got this ware on my WinXP. Unfortunately, I got a barrage of attacks from a file I inadvertently downloaded and executed. There were several attacks bundled into one file:
- virus-1
- virus-2 (trojan)
- keylogger (I think)
- this DNS hijack

A large part of the attack was repelled by real-time virus protection, SpybotS&D (in the log, there was an exe file which tried to put itself into startup for about an hour every second - was denied by SpyBot) and the firewall. However, a smaller part of the attack was successful. The following happened:

1. Virus on each partition's root (some sort of autorun.inf which calls a .com file in a hidden "resycled" (not misspelled!) folder in root).

2. An exe file attempting to be put into one of the startup locations.

3. A legitimate csrss.exe file attempting to access the internet (?)

4. The pop-ups mentioned in this blog.

5. Google ads on various pages being redirected.


I did the following:

1. Ran Norton antivirus - removed virus-1 (on each partition's root)

2. Ran Ad-Aware - removed (tried?) various malware Registry entries and the startup-attempting file (did not do, see next)

3. Ran SpyBot - removed one suspicious registry entry and indeed removed the startup-attempting file

Up until here, the pop-ups still remained.

4. Opened up the internet network connection's properties and looked at the TCP/IP protocol properties - lo and behold, the DNS server was hijacked. Deleted the address and put back the original.

The pop-ups disappeared at this point. However, my firewall still notified me that various standard programs (like MSN Messenger) are trying to access an unknown DNS server (recognized the hijacking address).

5. Finally, followed the instruction in BudOlly's post to execute the command
netsh int ip reset log

(thank you)

1-5 cleaned the computer.

Cheers:

PB

Patroklos said...

I'm afraid I spoke too soon. Two different things:

1. The command suggested:

netsh int ip reset log

creates the new log file on the DESKTOP (or wherever the command prompt was opened) named "log". Obviously, you don't want it there. Can the original author tell us where this log is supposed to be in the WinXP/Vista environment?

2. Still, my firewall indicates that, for example, Yahoo messenger is trying to access this DNS server. If I deny it, it comes back 2 more times and then it goes to my normal DNS server.
What the heck is this?

PB.

PB said...

Ok, I figured it out: you still need to clean the registry of an "adapter" which contains this DNS server.
Search for the first 3 parts of the hijacking server (85.255.112.) and delete the adapter instance.

PB
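The check described in the comments above (finding the adapter whose DNS server setting no longer matches your own resolvers), as an added example that is not part of the original post or its comments. It parses constructed `reg query` output for the Tcpip interface keys and lists every resolver outside the set you expect; the sample GUIDs and addresses are made up, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s`
# output; the GUIDs and addresses are made up (private and documentation ranges).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}
    DhcpNameServer    REG_SZ    192.168.1.1
    NameServer    REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}
    DhcpNameServer    REG_SZ    203.0.113.53 203.0.113.54
    NameServer    REG_SZ    203.0.113.53,203.0.113.54
"""
VALUE_RE = re.compile(r"^\s+(DhcpNameServer|NameServer)\s+REG_\w+\s*(.*)$")


def parse_interfaces(reg_text):
    """Map each interface GUID to {value name: [addresses]}; data is comma- or space-separated."""
    interfaces, current = {}, None
    for line in reg_text.splitlines():
        match = VALUE_RE.match(line)
        if line.startswith("HKEY_"):
            current = line.rsplit("\\", 1)[-1].strip()
            interfaces[current] = {}
        elif current and match:
            data = re.split(r"[,\s]+", match.group(2).strip())
            interfaces[current][match.group(1)] = [a for a in data if a]
    return interfaces


def unexpected_resolvers(reg_text, expected):
    """Return sorted (guid, value, address) for resolvers outside `expected`."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for guid, values in parse_interfaces(reg_text).items():
        for name, addresses in values.items():
            for addr in addresses:
                try:
                    ok = ipaddress.ip_address(addr) in allowed
                except ValueError:
                    ok = False  # unparsable data is reported too
                if not ok:
                    findings.append((guid, name, addr))
    return sorted(findings)


if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_REG_OUTPUT, ["192.168.1.1"]))
```

On a real machine, feed it the saved output of the `reg query` command and pass the resolver addresses your router or ISP actually assigns as `expected`.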

jdbounce said...

It took me three days to find a solution for popup.adv.net and dnschanger trojan. Here's the URL for the only solution that worked: http://forums.whatthetech.com/MY_DNS_Server_overwritten_someone_t97782.html

Combofix did the trick!

Linderry said...

Just try with Trojan Remover (30 days free trial). It did remove the hidden service from my PC and the problem is gone.

You can download it at http://www.simplysup.com/