A tip on your not allowing other members to post help on others' threads: why don't you make it an option for the author? Also, let's say when one of you gets around to checking their thread, if you notice someone being mean or rude to the OP, they'd be cut off from posting on that thread and temp banned from posting on the site for a period of time. Problems would get solved much quicker and your knowledge base would grow substantially. The OP of the last thread didn't know much of the info I listed below, which does nothing but add to finding a solution.
All in all this is a very restrictive site with some good info that can usually be found elsewhere. Just not this issue, due to it being something new. By new I mean a new way to avoid detection, which none of the sources and fixes you have listed so far work against. So as long as it remains restrictive I doubt I will be adding much to it or directing people toward it.
Again, what is listed below was going to be my response to the other OP's thread. There is little to no reason why info like that couldn't be shared between people on the same thread. I am rarely for editing people's replies or deleting them, but I could understand doing so in this type of forum to make it easier for people to find solutions. Like if someone replied "lol" or whatever, then they could be punished in whatever way. If they actually tried to contribute and actually did so, I see nothing wrong with it, and if whoever is in charge actually sat down and thought about it they would come to the same conclusion. That is, if they want to help people in a timely, productive manner.
I have what you have. I have tried several methods listed above, including ComboFix, and nothing has worked yet. I did however find the source, or it looks like the source anyway. A program called TCPView helped me find it. I waited until the popups would come; well, I had TCPView open while I did other things, and when the popups came I went to TCPView to see the iexplore.exe and what address it was going to. The address it goes to is mediaplex.com. I added all the addresses I could find linked to them to the hosts file, so hopefully that will stop or slow it down some. I also copied the URLs from the last few times. The thing with these is the popups don't stay open. They open IE for about 10 seconds, then load whatever site they want, wait about 10 or so seconds, then close IE. Then they open another one. The rates I have seen are anywhere from 3 to 6 times, probably more. The rate at which this happens is around every 30-60 mins. When this first started happening I would just keep clicking the X and the pages would never even begin to load. Anyway, here is what I added to hosts:
127.0.0.1 NS1.MEDIAPLEX.COM # 220.127.116.11
127.0.0.1 NS2.MEDIAPLEX.COM # 18.104.22.168
They also go by ValueClick and FastClick.
The links below are from the popups I let load, when I could be fast enough to copy them to a txt file. I don't intend or want anyone to go to the sites below; I am providing them for diagnostic purposes only.
I have yet to do a system restore because I find some issues challenging, and when I have time I like to try to solve them before I break down and do a system restore or just reinstall the operating system. Others tend to have traces; this doesn't appear to. Be it a simple exe or dll or even a "rootkit", all scanning methods so far have not fixed and/or solved the problem. The scanning methods listed in the OP's thread found some things, but nothing that is involved with this issue.
So far it appears adding those to the hosts file worked. It hasn't popped up in an hour or so. If it does pop up, I will either edit this thread if I can or reply to the thread saying it didn't work.
-- Edit/addition --
Ok, below here is some log info from TCPView. I edited my IP for obvious reasons; the addresses that it goes to are not edited. The changes from resolved to not resolved are from me changing the settings in TCPView. You will notice 2 separate iexplore.exe:3668 entries. All of the separate ones are from separate saves from TCPView. It gets kinda hectic trying to save them while the info is still there; I didn't get all of them this time. The addresses I added to hosts didn't work. I am going to try adding some of these, primarily media.fastclick.net; if that works I will post back here. It didn't pop up for nearly 2 hours this time. Oh, and if any of you know anything about TCPView or can make a program like it: a good feature would be that every time you click save it saves a separate copy of the file. Like if it says save as, save it as, say, log. The next time you hit save it's log0001, log0002, log0003, etc. I would have been able to get much more detailed info if I didn't have to use the save as feature every single time. media.fastclick.net is added to hosts and I will work on the others some time tomorrow if that doesn't work.
Edited by lxlqlxl, 16 March 2010 - 04:49 AM.
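The manual workflow in the post above (watching TCPView for short-lived iexplore.exe instances and hand-copying their remote hosts into the hosts file) can be turned into a small parser. This is an added example, not code from the thread or from TCPView: it reads saved TCPView text lines, groups remote hosts per iexplore.exe PID, and emits hosts-file entries for names that recur across separate popup processes; the sample log is constructed, using the ad hostnames named in the post and documentation-range addresses in place of the author's redacted IP.

```python
import re
from collections import defaultdict

# Constructed sample in TCPView's saved-text layout ("process:pid proto local remote [state]"); hostnames are those named in the post, addresses are documentation ranges.
SAMPLE_LOG = """\
iexplore.exe:4612 UDP 127.0.0.1:4983 *:*
iexplore.exe:4612 TCP 192.0.2.10:4984 media.fastclick.net:http ESTABLISHED
iexplore.exe:4612 TCP 192.0.2.10:4985 rd.apmebf.com:http ESTABLISHED
iexplore.exe:4612 TCP 192.0.2.10:4987 203.0.113.5:http ESTABLISHED
iexplore.exe:3668 TCP 192.0.2.10:1039 media.fastclick.net:http ESTABLISHED
iexplore.exe:3668 TCP 192.0.2.10:1045 203.0.113.5:http ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_tcpview(text):
    """Return one dict per parsable TCPView line; anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        # Split on the last colon so "host:port" and "*:*" both yield a host part.
        row["remote_host"] = row["remote"].rpartition(":")[0]
        rows.append(row)
    return rows

def destinations_by_pid(rows, process="iexplore.exe"):
    """Map each PID of `process` to the remote hosts it reached over TCP."""
    out = defaultdict(set)
    for r in rows:
        if (r["proc"].lower() == process.lower() and r["proto"] == "TCP"
                and r["remote_host"] != "*"):
            out[r["pid"]].add(r["remote_host"])
    return dict(out)

def hosts_entries(rows, process="iexplore.exe", min_pids=1):
    """Hosts-file lines (as the post built by hand) for names reached by at least
    `min_pids` PIDs. Bare IPs are skipped: a hosts entry only redirects names."""
    pids_by_host = defaultdict(set)
    for pid, hosts in destinations_by_pid(rows, process).items():
        for h in (h for h in hosts if not IPV4_RE.match(h)):
            pids_by_host[h].add(pid)
    return [f"127.0.0.1 {h}" for h in sorted(pids_by_host) if len(pids_by_host[h]) >= min_pids]
```

Raising `min_pids` to 2 keeps only names that every fresh popup process contacts, which is the signal the post was chasing; destinations that show up only as bare IPs cannot be blocked via hosts and need a firewall rule instead.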