Ad-Aware SE, Spybot S&D, and MS Defender all say my system is fine, yet this continues.
Interesting. After that post (above), I could not get A2K to respond, but I sure got lots of popunders while I waited. Then I cleared my cache and deleted all of my cookies and it started working again.
Timber, I already saw those.
I've run every anti-spy thing I can think of. I have active Symantec AV software with current updates. A full scan shows nothing.
I have two popup blockers enabled (IE and Google).
Still this continues.
I guess my point is that while I can understand Craven's perspective, there is also something enabling about A2K as far as these popunders are concerned. I've done a fairly extensive scan of my PC and nothing is showing up. So, how do I proceed?
How do you proceed? Go to the Computers forum, post a new topic with a copy of your hjt log and we'll proceed from there. There is some sort of spyware going on, and we'll do our best to help you get rid of it.
A couple of days ago I got an automatic Windows Update notice that was a security patch for Adobe Flash (Macromedia) because a flaw allowed the takeover of the computer to display the popunders you describe. The notes on the Windows patch also point to a security update on Adobe's site for a version 9.0 of Adobe Flash that is supposed to also take care of the problem.
I installed both and also disabled ActiveX and the running of unsigned scripts and have not had any more problems with popunders or the numerous McAfee virus warnings for a JS/noclose virus that appeared every time I opened multiple A2K screens to read several threads at the same time.
I too have gone through all the exercises of Hijack This, three or four different anti-spyware scans and online virus scans without success. Oh, I also manually blocked cookies from all the various advertising websites used on A2K that even Spyblaster allowed. That didn't solve the problem until the patch was installed.
Applying those patches and turning off the various scripting is the only thing that has been successful so far. For the first time in months, I've been able to read A2K without having my computer freeze and need rebooting from all the popunders.
Windows Security Update for Flash Player (KB913433)
Security Bulletin from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS06-020.mspx
Security Bulletin from Adobe:
http://www.adobe.com/devnet/security/security_zone/apsb06-03.html
Now this is weird. Today I'm not seeing any popunders.
I haven't done anything new, other than run a full virus scan that found nothing.
WTH?
I'm guessing the "greenies" got turned off. Am I right?
I've been on A2K all day and suddenly it started happening again after several hours of nothing. GRRRRRRRRRRRR!!!
You're describing what I've experienced for a few months almost exactly as it happened. My PC would be fine for a few days and suddenly the virus alert window would pop up and a bunch of file downloads would be attempted, then a persistent and relentless bunch of popunders would appear along with a window insisting I download that version of Flash Player. If I said No, a window would pop up saying I must install that version. Eventually, it would lock up my PC or I'd have to reboot to get rid of the continuous loop of window pop-ups. This only occurred while I was on the A2K website, nowhere else, and only occurred if I happened to open multiple windows of A2K.
If you haven't already done it, take a look at those security updates at Windows Update and Adobe Flash and install them. Also, under Internet Options->Security disable or change to "prompt" the settings for allowing unsigned scripts and ActiveX to run.
Also, under Internet Options->Privacy->Edit make sure tribalfusion.com, burstnet.com and fastclick.com are listed as being blocked. If they aren't there, add them to block their cookies. Those are the ad servers that I had to manually block on my computer.
Done. I also changed the IE popup blocker settings to "High" and guess what? With that setting, Able2Know wouldn't refresh!!!
I had to set it back to "Medium" to get it working again. Argh.
Could this have anything to do with it? I have never used Myspace on my work machine though:
More than 1 million users of MySpace.com and other Web sites may have been infected with adware spread by a banner advertisement, according to iDefense, a computer security group.
The advertisement, for a site called deckoutyourdeck.com, appeared in user profiles on MySpace, an online community with at least 70 million users, said Ken Dunham, director of the rapid response team at iDefense, which is owned by VeriSign Inc.
The ad exploits a problem in the way Microsoft Corp.'s Internet Explorer browser handles Windows Metafile (WMF) image files.
The browser vulnerability raised alarms in December after hackers distributed a specially crafted WMF image through e-mail, instant messaging links and Web sites. If the image was opened, it could allow a hacker to gain control over a victim's computer.
There are at least 600 Web sites that take advantage of the WMF vulnerability, Dunham said. Microsoft issued a patch for the problem in January, but many consumer computers may not have applied the patch, leaving them unprotected.
Unpatched machines are particularly vulnerable. Merely visiting a page with the deckoutyourdeck.com banner ad causes a download of a Trojan horse program. Those who have installed the patch see a prompt asking to download a file called "exp.wmf" when visiting a page with the advertisement, Dunham said.
Once it starts to run, the Trojan in the banner ad causes infected machines to contact multiple Web sites and download, among other unwanted programs, advertising software from PurityScan. The PurityScan software can cause unwanted pop-up windows to appear, and also tracks a user's online activity.
Adware can be very difficult to remove, even for technically savvy users.
"The problem is hackers are using a variety of exploits -- especially WMF -- to illegally and silently install this [adware] on users' computers," Dunham said.
MySpace has increasingly been targeted by hackers because of its popularity. MySpace officials contacted in London Thursday afternoon had no immediate comment. iDefense's Dunham was not sure whether the banner advertisement has been taken down yet, but said that it could have been active for weeks.
Web sites that distribute adware are paid based on the number of machines that get infected with the software, and hackers have created ways to spread the adware without user consent, increasing their payments.
iDefense estimated the number of infections caused by the deckoutyourdeck.com ad through a server in Turkey hosting the adware. The server appears to track the number of machines infected with the adware, and indicated that 1.07 million computers had downloaded the program, Dunham said.
A Whois search for deckoutyourdeck.com leads to a winding trail of registrants. Dunham said hackers frequently use false credentials when registering a domain name to cloud inquiries.
If you were not current with updates for your Operating System, Browser(s), eMail and Chat/Messaging clients, Security/Privacy software, and any other apps which can access the 'net, that or something like it very well could have something to do with it.
cj- I upgraded my virus software and firewall. Turns out the version of Norton I had (2003) was no longer supported. That helped a great deal. I also re-downloaded Google toolbar. It didn't get rid of all the pop-unders, but they are rare now.
I've never had a problem yet.
I use the 2006 Norton Personal Firewall (along with the antivirus software), which seems to have a superior ad blocker.