Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

22nd August 2007   #1
cghost
Member
Join Date: Jun 2004
Posts: 16
Computer Experience: beginner


Juno and drivecleaner popups

Just curious,

Any Juno users having recurring trouble with drivecleaner popups?

cghost is offline   Reply With Quote
22nd August 2007   #2
mailman
SuperGeek
Join Date: Jan 2004
Posts: 1,751
Computer Experience: Intermediate Tinkering


Hi, cghost.

DriveCleaner is considered a security risk.
If one has DriveCleaner 2006 installed, then one should click the following link.

mailman is offline   Reply With Quote
22nd August 2007   #3
cghost
Member
Join Date: Jun 2004
Posts: 16
Computer Experience: beginner


It's not installed.

I'm just wondering if other folks are having trouble with popups for it when logging onto Juno.

cghost is offline   Reply With Quote
23rd August 2007   #4
cghost
Member
Join Date: Jun 2004
Posts: 16
Computer Experience: beginner


And also errorsafe popups

Well, today it was errorsafe popups - on a different computer.
I'm having trouble believing Juno would allow that to happen, but I don't know what other conclusions to make.

cghost is offline   Reply With Quote
23rd August 2007   #5
mailman
SuperGeek
Join Date: Jan 2004
Posts: 1,751
Computer Experience: Intermediate Tinkering


ErrorSafe is also considered a security risk. Have you verified your computer is clean?

I suggest you carefully follow the instructions in Post #2 and Post #3 of this link to help verify the culprit is not lurking in your computer.

I would also scan your computer with several other reputable anti-spyware and anti-virus applications (after installing the applications and then downloading all definitions updates). There are several listed in the "Trustworthy Anti-Spyware Products" section of Spyware Warrior's "List of Rogue/Suspect Anti-Spyware Products & Web Sites" page. (Be sure you do not download any rogue/suspect applications that are listed above the "Trustworthy Anti-Spyware Products" section.)

I would scan with several anti-spyware and anti-virus scanners because probably NO single anti-malware application is capable of detecting all malware.

Please keep in mind you should have only one anti-spyware application resident in memory (as a "guard" performing real-time monitoring/protection) at any one time because running two or more memory-resident anti-spyware applications at the same time may result in the applications "fighting" each other for control of detected malware (and potentially decrease your computer's defenses). Likewise for anti-virus applications. Use your additional anti-spyware and anti-virus applications as "on-demand scanners" only.


After taking these steps to help confirm the culprit is not in your computer, then I would have more reason to suspect Juno's web server and/or Juno's web browser is serving the undesirable ads/pop-ups in your browser window.

If you decide to contact Juno about the undesirable pop-ups, then I suggest you give them details about what you have already done to confirm you do not have malware in your computer. (It would also be a bonus if you could provide them with screen-shots of your browser window too.) Your detailed information should help convince Juno they need to investigate their web server and/or web browser configuration and fix the problem.

Good luck!


Last edited by mailman; 23rd August 2007 at 16:34. Reason: Fixed typos and clarified.
mailman is offline   Reply With Quote
23rd August 2007   #6
TeMerc
SuperGeek
Join Date: May 2006
Location: PHX. AZ
Posts: 3,312
Computer Experience: Intermediate


This could be a situation where Juno has let in an affiliate for Drive Cleaner or one of its sisters such as you mentioned. I would contact Juno and tell them about it.

For a reference you can send them the following links, all reference this situation I have described above:
http://feeds.feedburner.com/~r/Spywa...3/1129296.aspx
http://feeds.feedburner.com/~r/Spywa...0/1130831.aspx
http://feeds.feedburner.com/~r/Spywa...1/1132271.aspx

http://msmvps.com/blogs/hostsnews/ar...xer-group.aspx
http://msmvps.com/blogs/spywaresucks...26/711000.aspx
http://msmvps.com/blogs/spywaresucks...27/715954.aspx

So you may want to email Juno support with those links.

TeMerc is offline   Reply With Quote
23rd August 2007   #7
mailman
SuperGeek
Join Date: Jan 2004
Posts: 1,751
Computer Experience: Intermediate Tinkering


Thanks, Tom!


cghost,

Since you have identified yourself as a "beginner" and the forum software does not normally display the complete addresses that TeMerc linked, I have displayed the complete addresses below for easy copying and pasting into an email message to Juno support.

==========
http://feeds.feedburner.com/~r/SpywareSucks/~3/146759963/1129296.aspx
http://feeds.feedburner.com/~r/SpywareSucks/~3/146924110/1130831.aspx
http://feeds.feedburner.com/~r/SpywareSucks/~3/147185491/1132271.aspx

http://msmvps.com/blogs/hostsnews/archive/2007/05/25/valueclick-cuts-ties-with-the-winfixer-group.aspx
http://msmvps.com/blogs/spywaresucks/archive/2007/03/26/711000.aspx
http://msmvps.com/blogs/spywaresucks/archive/2007/03/27/715954.aspx
==========


(The following instructions are written for a right-handed mouse user.)

How to Copy Information to Your "Clipboard":
  1. Place your mouse cursor at the beginning of the addresses I have displayed above.
  2. Hold down your left mouse button while you "drag" your mouse cursor over all the addresses until they are all completely highlighted.
  3. Release your left mouse button.
  4. Move your mouse cursor somewhere over the highlighted text.
  5. Then click your right mouse button and select (left-click) "Copy".
    (This will place the highlighted text into your "clipboard".)

How to Paste Clipboard Information Into an Email Message:
  1. Open your email program and prepare to type a message.
  2. Place the text entry cursor at the location where you want to paste your clipboard text.
  3. Click your right mouse button and select "Paste".
    (Alternatively, you can hold down your Ctrl key and then press your V key.)
    (Another possible alternative is to click on "Edit" near the top of your email window and select "Paste".)

I suggest you also include details from the other posts above in your e-mail message to Juno support.

==========
Symantec Information About DriveCleaner:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-062217-0726-99

Symantec Information About ErrorSafe:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-012017-0346-99

==========

Please let us know about any response you may get from Juno support.


Last edited by mailman; 23rd August 2007 at 17:37.
mailman is offline   Reply With Quote
24th August 2007   #8
cghost
Member
Join Date: Jun 2004
Posts: 16
Computer Experience: beginner


Adding insult to injury, Spysweeper did not detect the errorsafe cookie deposited on my system. I'm thinking that irritates me even more than the popups on Juno in the first place!

I'll see if I continue to have issues next week, if I do I will probably contact Juno about it then.

cghost is offline   Reply With Quote
24th August 2007   #9
mailman
SuperGeek
Join Date: Jan 2004
Posts: 1,751
Computer Experience: Intermediate Tinkering


Quote:
Originally Posted by cghost
Spysweeper did not detect the errorsafe cookie deposited on my system.

One cannot expect any single anti-spyware application to detect everything. I'd suggest using at least one other anti-spyware app as an on-demand scanner at least once a week.

Two apps I use that are handy are Grisoft's AVG Anti-Spyware (formerly "ewido") and SUPERAntiSpyware. AVG Anti-Spyware often catches a PayPal tracking cookie on my computer that another app (Spy Sweeper?) misses. Both of these apps can be found via the link I provided earlier.

Quote:
Originally Posted by cghost
I'll see if I continue to have issues next week, if I do I will probably contact Juno about it then.

OK. If you do contact Juno with details about this, you might be helping to prevent unsuspecting people from downloading the rogue applications, spending money needlessly, and most of all giving up credit card information to unscrupulous people.

You'd be a good netizen.

mailman is offline   Reply With Quote
24th August 2007   #10
TeMerc
SuperGeek
Join Date: May 2006
Location: PHX. AZ
Posts: 3,312
Computer Experience: Intermediate


More info from Sandi here and here
TeMerc is offline   Reply With Quote
24th August 2007   #11
mailman
SuperGeek
Join Date: Jan 2004
Posts: 1,751
Computer Experience: Intermediate Tinkering


Thanks for those additional links, Tom.

Glad I uninstalled my Shockwave Flash Player a couple months ago. It's NOT going to be installed for a long time either.


From your first link in your post above (http://msmvps.com/blogs/spywaresucks/archive/2007/08/24/1134527.aspx):
Quote:
I am sure you can understand what sort of problems the trickery I describe can cause. Far too often I have people write to me after getting the brush-off from whatever web site's technical support - invariably the reaction of the technical staff has been "we are unable to reproduce the problem, therefore it is not us - your computer is infected".

Without proof such as an Ethereal (aka Wireshark) or Microsoft Network Monitor capture, or Fiddler data, it can be very difficult for a website to put pressure on its advertising network (assuming you can get the site to believe that the problem is coming from the ads on their site in the first place), but at the same time, such programmes (except for Fiddler) can expose extremely sensitive information such as email user names and passwords (if you have an email programme running), and other sensitive information. Even Fiddler exposes what can be considered to be sensitive information - server names if you're on a network for example, and your geographical location and the like, so even Fiddler is not something that I would recommend to the untrained home user. Far better, I think, to refer incidents to people such as myself, or Mike of www.mikeonads.com or Mike Burgess of MVP Hosts file fame so that we can gather the needed data and try to get malicious advertisements shut down.

So do you think cghost would have better luck giving details to Sandi, Mike of www.mikeonads.com, and/or Mike Burgess instead of Juno?

(If I was in cghost's shoes, I would at least contact Juno support with a CC of my email message to one of those experts anyway.)


cghost, for your copy/paste convenience, here are the URLs for the last two links TeMerc provided.

==========
http://feeds.feedburner.com/~r/SpywareSucks/~3/147593228/1134527.aspx
http://feeds.feedburner.com/~r/SpywareSucks/~3/147599316/1134561.aspx
==========

mailman is offline   Reply With Quote
24th August 2007   #12
TeMerc
SuperGeek
Join Date: May 2006
Location: PHX. AZ
Posts: 3,312
Computer Experience: Intermediate


Passing the info over to Sandi would be a good idea, but not sure how she'll be able to investigate.

The big problem I see with this is that I'm guessing one would need a Juno ISP account and I don't know if she has a way to circumvent this or not.

But you can submit it tho and see what happens.

TeMerc is offline   Reply With Quote
25th August 2007   #13
Geri
Staff
Join Date: Mar 2003
Location: Washington State
Posts: 4,496
Computer Experience: Somedays it's like Taz

Hi All
My sister uses Juno.

I'll contact her and ask if she has seen these pop-ups.

Geri

Geri is offline   Reply With Quote
27th August 2007   #14
cghost
Member
Join Date: Jun 2004
Posts: 16
Computer Experience: beginner


My understanding of web pages and their construction and flash and all of that is non existent.

Comments about timed "attacks" fit my situation perfectly.

Computer which got errorsafe has no macromedia folders.

I don't know exactly what I have just done here, but:
System attacked by drive cleaner has macromedia folders.
Set up icons on desktop for two macromedia folder locations. Set up icon for atf cleaner. Get and install fiddler.
(Know nothing about it, just set it up however it runs by default.)

Open fiddler. Clean macromedia locations. Run ATF cleaner, clean everything.
Open juno, go to email. Fiddle around a bit.

BINGO!!!!!

Here is a little bit of stuff from right before the error message popped up:

(Does it tell anything or is it still too general?)

Host: ad.yieldmanager.com
Host: servedby.advertising.com
Host: spe.atdmt.com
Host: ad.yieldmanager.com
Host: content.yieldmanager.edgesuite.net
GET /bannerfarm/98157/UPC_10767a_STDY_120x60.swf?AceClick=http://servedby.advertising.com/click/site=0000716616/mnum=0000440143&siteValue=0000716616 HTTP/1.1
Host: bannerfarm.ace.advertising.com
GET /statsa.php?campaign=little50&u=1188225032200 HTTP/1.1
Host: traveltray.com
GET /statsa.php?campaign=little50&u=1188225032200 HTTP/1.1
Host: traveltray.com
GET /statsg.php?campaign=little50&u=1188225032200 HTTP/1.1
Host: traveltray.com
GET /statsg.php?campaign=little50&u=1188225032200 HTTP/1.1
Host: traveltray.com
GET /swf/gnida.swf?campaign=little50&u=1188225032200 HTTP/1.1
Host: traveltray.com
GET /statss.php?campaign=little50&u=1188225032200 HTTP/1.1
Host: traveltray.com
GET /pages/scanner/index.php?aid=little50&lid=intl&ax=1&ex=1&ed=2 HTTP/1.1
Host:www errorsafe com (edited)
GET /ad/ck/53521?mpt=[CACHEBUSTER]&aid=little50_rdt&lid=intl HTTP/1.1
Host: adfarm.mediaplex.com
GET /.freeware/?p=44&ax=0&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=little50_rdt&lid=intl HTTP/1.1
Host:www drivecleaner com (edited)
GET /.freeware/?p=44&ax=0&ex=1&ed=2&mpt=[CACHEBUSTER]&aid=little50_rdt&lid=intl&z=-5 HTTP/1.1
Host: www drivecleaner com (edited)

I guess I need some education on how to use this tool and how to get information out of it knowing I am not revealing private stuff Sandi was talking about like passwords, network addresses and so on.

cghost is offline   Reply With Quote
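
Added example (not part of any post in this thread): one way to turn a pasted capture like the one in post #14 into something safe to forward, keeping the ordered chain of hosts and the request paths while omitting cookie and authorization headers and masking private-looking query values. The sample capture, the `.example` hostnames and the list of sensitive parameter names are constructed assumptions.

```python
import re

# Headers that carry credentials or session identifiers; never shared.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}
# Query parameter names treated as private (assumed list, extend as needed).
SENSITIVE_PARAMS = re.compile(r"user|email|pass|token|session|sid", re.I)
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")

# Constructed sample in the pasted format; .example hosts are placeholders.
SAMPLE = """\
GET /banner/120x60.swf?click=http://ads.example/click HTTP/1.1
Host: ads.example
Cookie: uid=constructed-value
GET /stats.php?campaign=demo50&u=1000000000000 HTTP/1.1
Host: redirector.example
GET /stats.php?campaign=demo50&session=f00d HTTP/1.1
Host: redirector.example
GET /scanner/index.php?aid=demo50&email=me%40isp.example HTTP/1.1
Host: www.rogue-scanner.example
"""

def redact_target(target):
    """Mask values of private-looking query parameters; keep the rest as evidence."""
    path, sep, query = target.partition("?")
    pairs = [p.partition("=") for p in query.split("&")] if sep else []
    return path + sep + "&".join(
        n + eq + ("REDACTED" if eq and SENSITIVE_PARAMS.search(n) else v)
        for n, eq, v in pairs)

def sanitize_capture(raw):
    """Return (shareable requests, ordered host chain, dropped header count)."""
    requests, chain, dropped = [], [], 0
    for line in (ln.strip() for ln in raw.splitlines()):
        m = REQUEST_LINE.match(line)
        if m:
            requests.append([m.group(1), None, redact_target(m.group(2))])
            continue
        name, colon, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if colon and name == "host":
            if requests and requests[-1][1] is None:
                requests[-1][1] = value.lower()
            if not chain or chain[-1] != value.lower():
                chain.append(value.lower())  # collapse repeats, keep hop order
        elif colon and name in SENSITIVE_HEADERS:
            dropped += 1
    return requests, chain, dropped

if __name__ == "__main__":
    reqs, chain, dropped = sanitize_capture(SAMPLE)
    print(" -> ".join(chain), f"({dropped} sensitive header line(s) omitted)")
    for method, host, target in reqs:
        print(method, f"{host}{target}")
```

Only the request line and `Host` header of each request survive; every other header is left out of the output, and the count of credential-bearing lines is reported so the sender knows they were present in the raw capture.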
27th August 2007   #15
mailman
SuperGeek
Join Date: Jan 2004
Posts: 1,751
Computer Experience: Intermediate Tinkering


Quote:
Originally Posted by cghost
I don't know exactly what I have just done here, but:
System attacked by drive cleaner has macromedia folders.
Set up icons on desktop for two macromedia folder locations. Set up icon for atf cleaner. Get and install fiddler.
(Know nothing about it, just set it up however it runs by default.)

Wow! You're brave!

I like the way you think though. I might DL Fiddler myself just to see what it does.

Good luck!


BTW, when you want to avoid many of the nasty sites (perhaps after resolving this issue), you might want to place the MVPS HOSTS file in the appropriate folder of your computer.

If you do this, I suggest you first rename your current HOSTS (no file extension) file to HOSTS.OLD (and even copy your current HOSTS to another folder for back-up). Then you can swap HOSTS files at will depending on when you want to use Fiddler to capture HTTP packet data.

If you want to see what the HOSTS file contains, you can open it via Notepad.


Last edited by mailman; 27th August 2007 at 16:57.
mailman is offline   Reply With Quote
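
Added example (not part of any post in this thread): a check of which hostnames seen in a capture a blocking HOSTS file would actually cover. It assumes blocking entries map names to a loopback or unspecified address; the file contents and `.example` names are constructed, not taken from the MVPS file.

```python
import ipaddress

# Constructed hosts-file text; names are .example placeholders, not MVPS entries.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# ad and rogue-scanner hosts (constructed)
0.0.0.0     ads.example   redirector.example   # two names on one line
127.0.0.1   WWW.Rogue-Scanner.example
192.0.2.10  intranet.example
"""

def parse_sinkholed(hosts_text):
    """Return the set of names mapped to a loopback or unspecified address."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: ignore it
        if addr.is_loopback or addr.is_unspecified:
            blocked.update(n.lower() for n in fields[1:] if n.lower() != "localhost")
    return blocked

def coverage(hosts_text, seen_hosts):
    """Map each observed hostname to True if the hosts file sinkholes it."""
    blocked = parse_sinkholed(hosts_text)
    # Lookup is by exact name (case-insensitive); there is no wildcard or
    # parent-domain matching, so "cdn.ads.example" is not covered by "ads.example".
    return {h: h.lower() in blocked for h in seen_hosts}

if __name__ == "__main__":
    seen = ["ads.example", "cdn.ads.example",
            "www.rogue-scanner.example", "rogue-scanner.example"]
    for host, is_blocked in coverage(SAMPLE_HOSTS, seen).items():
        print(f"{host:30} {'sinkholed' if is_blocked else 'NOT covered'}")
```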
All times are GMT +1.