Skip to main content

How to Block popup.adv.net and wtn5.goole.ws

Hello everyone. I have finally found a way to stop this adware/malware without using any third party browser add on. You can find the article I wrote here -> The Final Solution. Please be sure to read it so you can finally rid yourself of this problem. Read also the comments on this post where others have generously shared their solutions. - Temujin

There is something terrible happening on the web today and it has gotten more rampant this week. Unfortunately Microsoft, Mozilla, Google, Opera, Apple, and Adobe has no permanent solution for it at the moment.

If you visited several legitimate website and an ad from popup.adv.net and wtn5.goole.ws keeps popping up when you click on a link or image, then you have been a victim of "Clickjacking".

No anti-adware or malware program can remove this strain because it appears that it isn't actually in your computer. In fact, I have tried using a newly formatted computer and still this illegal advertisements keep popping up. Somehow this strain exploits DHTML and CSS. What It does is inject an illegal website into a perfectly legitimate website you are visiting. And then it renders this illegal website invisible so that when you click a link in the legitimate website, you are actually clicking a link in the illegal website.  

Severity This is a very serious threat because it could make you click a link that executes a code that can steal important information from your computer or install a software without your permission or worse yet a virus. Here is an article that may explain it better.

How to Block The only way to block this exploit right now is to use the NoScript add on in Firefox 3. But the process could appear tedious to casual computer users.
On my next post, I will explain how to install and use this add on.

Related Links:

How to Remove popup.adv.net and mtn5.goole.ws - Final Solution
How to Block Adwares using Firefox NoScript extension
Labels:

Comments

seth said…
Please post again, I want to get rid of this crap for real. Thanks.
November 18, 2008 at 5:44 PM
brokenGear said…
try malwarebytes software. It seems it worked for me. It actually removed lots of entries from registry with DNS redirecting.
November 18, 2008 at 9:09 PM
brokenGear said…
use the software from malwarebytes to remove it. h**p://www.malwarebytes.org/roguenet.php?id=90
November 19, 2008 at 10:43 AM
BudOlly said…
I was having same problem. All scans done; everything cleaned. Still getting popups from popup.adv.net. Did some reading and this particular exploit is apparently NOT on the computer. That sort of makes sense as spybot and sophos cannot find anything. Still, how can this be? I was stumped, and frankly, pissed that I could not find any answers. Until I decided to see if there was actually something at "popup.adv.net" Browser does not pull up a page. 'nslookup', however, shed the light. I noticed 'nslookup' was not using the correct DNS (something like 86.255.84.216). DNS server, in fact, is not even part of a valid domain. This sent off a giant flare. Web site requests are being hijacked by some kind of bot on the "DNS" server. I'm guessing, the original infection came from a cookie, or other malware that changed the DNS. Even though that was removed with spybot, the bad DNS entry remained. My fix: after all scans are done and any findings cleaned, open a command prompt and run the following command: netsh int ip reset log

Be sure to reboot afterwards.

This will work on Windows XP and Vista for sure, but not sure about older Windows.
November 20, 2008 at 12:33 PM
Temujin said…
I suspected as much after I cleaned my PC.

Anyway take a look a these articles.

http://www.securityfocus.com/brief/772

http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html
November 20, 2008 at 5:04 PM
PB said…
Hello all,

I also got this ware on my WinXP. Unfortunately, I got a barage of attacts from a file I inadvertedly downloaded and executed. There were several attacks bundled into one file:
- virus-1
- virus-2 (tojan)
- keylogger (I think)
- this DNS hijack

A large part of the attack was repelled by real-time virus protection, SpybotS&D (in the log, there was an exe file which tried to put itself into startup for about an hour every second - was denied by SpyBot) and the firewall. However, a smaller part of the attck was successful. The following happened:

1. Virus on each partiton's root (some sort of autorun.inf whic calls a .com file in a hidden "resycled" (not misspelled!) folder in root.

2. An exe file attempting to be put into one of the startup locations.

3. A legitimate csrss.exe file attemting to access the internet (?)

4. The pop-ups mentioned in this blog.

5. Google ads on various pages being redirectred.


I did the following:

1. Ran Norton antivirus - removed virus-1 (on each partition's root)

2. Ran Ad-Aware - removed (tried?) various malware Registry entries and the startup-attemting file (did not do, see next)

3. Ran SpyBot - removed one suspicious registry entry and indeed removed the startup-attempting file

Uptil here, the pop-ups still remained.

4. Opened up the internet network connection's properties and looked at the TCP/IP protocol properties - lo and behold, the DNS server was hijacked. Deleted the address and put back the original.

The pop-ups disapeared at this point. However, my firewall still notifed me that various standard programs (like MSN Messenger) are trying to access an unknown DNS server (recognizet the hijacking address)

5. Finally, followed the instruction in BudOlly's post to execute the command
netsh int ip reset log

(thank you)

1-5 cleaned the computer.

Cheers:

PB
November 21, 2008 at 6:56 PM
PB said…
I'm afraid I spoke too soon. Two different things:

1. The command suggested:

netsh int ip reset log

creates the new log file on the DESKTOP (or wehreever the command prompt was opened) named "log". Obviously, you don't want it there. Can the original author tell us where this log is supposed to be in the WinXP/Vista environment?

2. Still, my firewall indicates that, for example, Yahoo messenger is trying to access this DNS server. If I deny it, it comes back 2 more times and then it goes to my normal DNS server.
What the heck is this?

PB.
November 22, 2008 at 3:24 PM
PB said…
Ok, I figured it out: you still need to clean the registry of and "adapter" which contains this DNS server.
SEarch for the first 3 part of the hujacking server (85.255.112.) and delete the adapter instance.

PB
November 22, 2008 at 4:02 PM
surfer196 said…
It took me three days to find a solution for popup.adv.net and dnschanger trojan. Here's the URL for the only solution that worked: http://forums.whatthetech.com/MY_DNS_Server_overwritten_someone_t97782.html

Combofix did the trick!
December 19, 2008 at 3:09 PM
Linderry said…
Just try with Trojan Remover (30 days free trial). It did remove the hidden service from my PC and the problem is gone.

You can download it at http://www.simplysup.com/
February 2, 2009 at 7:49 PM
Post a Comment

Popular posts from this blog

LED Monitor Review: LG FLATRON E2041

My Old AOC CRT Monitor began to show signs of dying. It would occasionally black out for a few seconds. Sometimes lightning streaks  would run across the screen. I bought that monitor way back in 2006. It served me well for 5 years. It was very durable and AOC is a good brand. And so I had no choice but to buy myself a new monitor. I would have preferred another CRT Monitor but they were no longer available. Even the more recent LCD screens are being phased out in favor a the newer LED monitors. LG FLATRON E2041 (This was not my first choice but it was the next best thing available in the computer store I visited). 1600 X 900 Resolution (16:9 Aspect Ratio) Contrast Ratio: 5,000,000:1 Brightness: 250 Cd/m2 Dimensions W/Stand (WHD): 17.44" X 13.78" X 6.54" My Feedback This monitor comes with two connectors VGA and DVI. It comes with a CD that is supposed to contain the manual and monitor drivers. However, when you install the monitor driver contain...
3 comments
Read more

GIMP: How to Enable Wacom Pen Tablet

If you are doing digital graphics in Gimp, whether painting or simply drawing, it is best to use a pen tablet. Wacom is a recognized brand when it comes to pen tablets. Gimp does support it but it is not enabled by default. How to Enable Pen Tablet Support 1. Launch Gimp using your pen tablet. Don't use the mouse to launch Gimp. If you do, Gimp won't detect it. 2. In the menu click Edit>Preference. 3. On the list click "Input Devices". 4. Click "Configure Extended Input Decives". Here is where Gimp gets weird. If you started Gimp for the first time using a mouse, it will say there are no available input device. But if you launched it using the pen tablet, you will see "Wacom Tablet Pressure Stylus" and "Wacom Tablet Eraser" . 5. Click the Close Button 6. Click "Save Input Device Settings Now" so that the pen tablet will still be supported when you launch Gimp next time.
6 comments
Read more

The World is Yours

If you were ever a fan of Scarface, the 1983 film starring Al Pacino, you would remember the last scene. Tony was shot on the back by an assassin. He falls down from the balcony into a small pool in the lobby below. He floated face down in the water. Beside him a statue was shown carrying the inscription "The World is Yours". I'm sure most of you find that humorous inspite of the tragic ending. But why did I mention it? Today I was thinking about eCommerce and I can't help but be amazed at the possibilities available to us today. The world is truly ours but only if we got the imagination to seize it. I'm talking about how any individual can be in their pajamas in the comfort of their bedroom and yet be able to sell a product or a service to practically anyone anywhere in the world. All you need really is just a computer and an internet connection and then you are good to go. It is simply amazing especially if you can remember back in the early 1990...
4 comments
Read more