Adware Help Needed

4 replies to this topic

#1 durian123


  • Members
  • 5 posts
  • Local time:07:24 AM

Posted 10 June 2008 - 06:58 PM

Hi, I am a newbie, and so Hi, to everyone, especially those who are hopefully going to help resolve my problem!
My wife has a blog and when she accesses it lately, it has a popunder window from adserving.cpxinteractive.com
Some other people have mentioned this to her as well.
I have tried removing all javascript links from her blog, and it is no good. So, I have guessed that it must be in the PC here using XP.
I have found some older forum posts on this site regarding this, but the removal information links are out of date, or the particular issue is slightly different, although the pesky site is the same.
If I use a spare never really used XP operating system on another partition, all is well, no popunder.
If I use IE instead of Firefox, no prob, even on this main XP partition.
If I disable Javascript in firefox, again, no prob, except that I need it enabled for other websites.
I should explain that I have no idea what a hijackthis log is, so please keep it simple, - thanks.
I have tried running spybot, adaware, SUPERantispyware, Nolop, and have done a Trendmicro scan in both regular and safe mode. I have tried running chkdsk r from the cmd window. My installed antivirus is NOD.
The situation has occurred also on a Sony laptop the wife just bought that unfortunately runs Vista. Also on the spare PC running XP that my son has. All these PCs have been used for blogging, which would presumably mean visiting the same websites. I prefer not to just block it, as I understand that I can do this using something called a hosts file, but I have not followed this up as I prefer to get rid of the issue.
So, does anyone have any ideas where to start? I am thinking a good slug of booze might be a good idea for me, and I do not even drink.
Any suggestions appreciated.
John Nova Scotia


#2 durian123

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:24 AM

Posted 13 June 2008 - 07:33 PM

I have views but no responses, so I guess there are no previous experiences with this one.
Perhaps I can get more basic - how can I be sure, if a popunder happens on a specific webpage and the page has no malicious code (unless I missed something!) that it is a PC infection?
I have to admit, this is a single page situation - it reeks of bad code (javascript?) on the webpage.
But it only happens when I use firefox as a browser.
Anyone got comments or ideas on how to check?
Maybe I can save the favorites in firefox somehow, and then delete and re-install it then reload the faves? Would that help?
I am clutching at straws here, so any ideas welcome.
This is the first time that I have failed to fix issues just by visiting BC. You guys normally have everything already sorted out!

Mod Edit: Topic "No Responses So Maybe Some Info?" merged. ~TMacK

Edited by TMacK, 13 June 2008 - 07:47 PM.

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,556 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:06:24 AM

Posted 13 June 2008 - 08:05 PM

Please run this scan and see what it says.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#4 durian123

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:24 AM

Posted 14 June 2008 - 01:34 PM

Thanks for the response, it is appreciated.
My apologies for the double posting, and thanks to TMacK for amalgamating it - I won't do that again!
I ran the scan as you said.
It ended with a message window appearing:
' The scan completed successfully. No malicious items were detected, click 'Main Menu' '

I clicked OK to clear the message window, the following notepad opened automatically:

Database version: 855

3:05:48 PM 14/06/2008
mbam-log-6-14-2008 (15-05-48).txt

Scan type: Quick Scan
Objects scanned: 56684
Time elapsed: 15 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

There is no 'Show Results' Button.
Clicking on the logs tab gives the same notepad info.

I did the 'quick scan' as instructed. I do have multiple partitions. At the time of the issue initially appearing, the operating systems on the other partitions had not been opened for a few weeks.
I have just checked using Internet Explorer, on this same main partition where the Firefox is, and the fault now occurs in that as well.
I believe, but cannot be sure, that when the issue first started in Firefox, it was random, appearing some times but not every time the site was visited.
When I initially tested for it using IE, it did not appear, and I did not try multiple times.
I will run some more tests as now it occurs in both browsers, I cannot be sure it is not code on the webpage.
Might be an idea to wait until I have got together some more info before proceeding with the troubleshooting.
I will post as soon as I have more facts after using other OS's and trying multiple webpage loadings, and maybe a new browser type.


#5 durian123

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:24 AM

Posted 14 June 2008 - 04:13 PM

Ok, I have run some tests.
I really haven't got a firm idea on if it is in my PC, or on the page, so I guess that fits in with the title 'Am I infected? What do I do?'.
I downloaded and set up a fresh Netscape browser, and selected not to import add-ons or faves.
It came up with a message that a popup that didn't have permission had been stopped.
So, to recap the browsers and results:

Main partition (this one) running XP home edition SP2 - Firefox allows the popunder.
Internet Explorer allows the popunder.
Netscape stops the popunder and says so.

Partition number two, using XP Pro SP2.
Firefox behaves exactly the same as in main partition.
Internet Explorer shows message window as page loads, saying - Do you want to allow software such as ActiveX controls and plugins to run?
There are two choice buttons, yes and no.
If no is chosen page loads no popunders.
If yes is chosen, another message window opens saying - A script is accessing some software (An ActiveX control) on this page that has been marked safe for scripting. Do you wish to allow this? - When yes is chosen, it loads ok, no popunders.

Partition number 3 XP pro or similar - no service pack as far as I can remember.
Internet explorer loads page ok no popunders and gives small message at bottom saying - page loaded but with errors on page.

The popunder seems also to be connected with a site ad.yieldmanager.com as well as the one previously mentioned.
The previous one is in the title bar of the window, but the popunder occurs directly after/consecutive with ad.yieldmanager loading.
Am I infected, or is it the page? Or maybe both?
If I formatted and reinstalled the XP on partition 3 and it still occurred, would this confirm a webpage script, or can these things cross partitions?
I also get a flash on the desktop the same size as the popunder window as I boot up on the main partition. It can only be seen occasionally.
PC seems a bit slower recently loading all webpages, but I could be imagining it. I seem to be getting slower video when not on internet, but playing some old games.
I guess the main/first thing is, am I wasting time chasing this thing, or is it residing in the PC?

Thanks for any ideas,
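
The question raised in posts #2 and #5 (is the popunder coming from the page or from the PC?) can be checked against a saved copy of the page's source. The sketch below is an added example, not part of any post in this thread: it lists every other host the page loads scripts, frames or plugins from and flags the two ad hosts named in the thread. The sample HTML and the hosts blog.example.org and widgets.example.net are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two ad hosts named in this thread.
THREAD_AD_HOSTS = ("adserving.cpxinteractive.com", "ad.yieldmanager.com")
LOADING_TAGS = ("script", "iframe", "embed", "object", "img")

class ExternalLoads(HTMLParser):
    """Record (where, host) for everything the page pulls from another host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.in_script = False
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        if tag not in LOADING_TAGS:
            return
        for name, value in attrs:
            if name in ("src", "data") and value:
                # Relative URLs have no hostname and belong to the page itself.
                host = (urlparse(value.strip()).hostname or "").lower()
                if host and host != self.page_host:
                    self.found.add((tag, host))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline JavaScript can write an ad tag into the page at load time.
        if self.in_script:
            for host in THREAD_AD_HOSTS:
                if host in data.lower():
                    self.found.add(("inline-script", host))

def audit(html, page_host):
    """Return (all third-party loads, thread ad hosts the page itself references)."""
    parser = ExternalLoads(page_host)
    parser.feed(html)
    parser.close()
    loads = sorted(parser.found)
    return loads, sorted({h for _, h in loads if h in THREAD_AD_HOSTS})

# Constructed sample standing in for the blog page saved from the browser.
SAMPLE = """<html><body><script src="js/theme.js"></script>
<script src="http://widgets.example.net/counter.js"></script>
<script>var adUrl = "http://ad.yieldmanager.com/st?ad_type=pop";</script>
<iframe src="//adserving.cpxinteractive.com/rw?title=x"></iframe></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "blog.example.org"))
```

A host in the second list means the page's own markup references the ad server, which points at the page (often a widget or counter) rather than the PC. An empty second list alongside unfamiliar third-party script hosts in the first means one of those scripts may be fetching the ad at load time.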

