Sunday, September 30, 2012

How to remove ad.yieldmanager, ad.doubleclick.net, ad.xtendmedia adware/spyware


This annoying adware somehow seeped into my personal laptop. While I am positive that it was not a virus, it was certainly showing popup ads in the bottom left corner of almost ALL websites that I browsed.

I tried numerous things, including checking my startup applications and services to see if there was anything suspicious that I could stop myself. Nothing helped. Next I tried deleting cookies and clearing my temporary internet files. Still… nothing.

I then Googled for hours to find a way to remove it and went ahead and tried every single suggestion, including installing a slew of spyware removal tools. Most of the tools were not even able to detect this adware as a threat, and the few that did wanted you to pay for them to “clean” your PC.

I was not inclined to pay, nor was I willing to put up with the annoying popups. As a matter of fact, since I knew these were adware popups, I became paranoid every time I saw those stupid ads come up. They were eating up my internet bandwidth and I could do nothing about it.

FINALLY, this is what I did which worked!

On a hunch, I checked the HOSTS file (usually in the C:\Windows\System32\drivers\etc folder). The first time I saw the file, it looked clean. I originally wanted to map ad.yieldmanager to 127.0.0.1, but then I noticed something: the thumb on the scrollbar was too small, indicating that there was something I had to scroll down to. When I scrolled down, and further down, it was all empty lines, and at the extreme bottom of the file the dirty rascals who had infected my PC had made their secret entries. Each of the websites that the popup links pointed to had a specific IP address mapped. I removed them all (after granting the necessary permissions on the hosts file, because of Windows 7) and, as an extra safety measure, I went ahead and subscribed to a few Tracking Protection Lists (TPLs) in my Internet Explorer 9.

I then tested a few browsing sessions and found them to be clean. It is really exhilarating to fix an issue, completely clean, by yourself!!!
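As an added example (not part of the original post), here is a small Python auditor for the kind of tampering described above: it parses a hosts file, reports mapping lines that sit below a long run of blank lines, and reports names that are redirected to an address outside loopback or the local LAN. The sample hosts content, the 203.0.113.10 address and the 50-line blank-run threshold are constructed for the demonstration.

```python
import ipaddress
# Constructed sample (not a real capture): stock Windows header, one legitimate
# LAN entry, a long run of blank lines, then hidden ad-network redirections.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# 127.0.0.1       localhost\n"
    "# ::1             localhost\n"
    "192.168.1.17 SERVER #Windows Home Server#\n"
    + "\n" * 300
    + "203.0.113.10 ad.yieldmanager.com\n"
    + "203.0.113.10 ad.doubleclick.net\n"
)
# Addresses a hosts entry may legitimately point at: sinkholes and RFC 1918 LANs.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLANK_RUN_THRESHOLD = 50  # a longer blank run than this pushes content off-screen

def parse_hosts(text):
    """Yield (line_no, ip, hostnames, blank_lines_before) for each mapping line."""
    blank_run = 0
    for no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            blank_run += 1
            continue
        body = stripped.split("#", 1)[0].split()
        if body:  # a mapping: address followed by one or more names
            yield no, body[0], body[1:], blank_run
        blank_run = 0  # any visible line, mapping or comment, ends the blank run

def audit_hosts(text):
    """Return [(line_no, ip, hostnames, reason)] for entries hidden below a long
    blank run or redirecting names to a non-local address."""
    findings = []
    for no, ip, names, blank_run in parse_hosts(text):
        reasons = []
        if blank_run >= BLANK_RUN_THRESHOLD:
            reasons.append(f"hidden below {blank_run} blank lines")
        if ip not in SINKHOLES:
            try:
                addr = ipaddress.ip_address(ip)
                if not any(addr in net for net in LAN_NETS):
                    reasons.append("redirects to non-local address")
            except ValueError:
                reasons.append("unparseable address")
        if reasons:
            findings.append((no, ip, names, "; ".join(reasons)))
    return findings
```

To check your own machine, read the hosts file into a string and pass it to audit_hosts(); a home-server entry on a LAN address, like the one in the sample, is not flagged.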

28 comments:

Gerry said...

Thank you, I searched for an hour before I found this.

Debbie said...

I also looked everywhere - ran Malwarebytes etc. This is working so far - thanks so much for posting it!

Rob said...

Thank you, thank you, thank you. But we need to get this to come up higher in Google. :)

The pop ups are gone, but Chrome takes forever to load still.

Thanks!!

Karthik Padmanabhan said...

@ Gerry, Debbie and Rob - Thank you. Glad this post helped you.

Kristi said...

This is exactly what I'm looking for! I'm not quite as advanced as you though. When I get to the host file, I'm asked what program I want to open it with. What do I do with that? I assume that when I'm able to open the file I'll just delete the offending files?

Karthik Padmanabhan said...

@ Kristi,

To open it is simple - you can open the file using Notepad or any text editor to first inspect whether it contains any offending lines (basically the adware's IP addresses mapped).

I found them at the very bottom of the file (after a whole bunch of empty lines).

To edit the hosts file, it may be a bit trickier IF you are running Windows 7 or higher.

Anyway, I will list what you should do, just in case you do find some lines to be deleted.

1. You must open Notepad as administrator - wherever you have your shortcut to open Notepad, right-click it and select "Run as Administrator", then click Yes on any subsequent confirmation window.

2. You will also need to grant permissions on the actual hosts file. Right-click the file and choose Properties. Go to the Security tab. You may need to click Edit to temporarily change permissions. It should be in read-only mode. Probably you can grant your ID Full Control. Remember - you need to restore it to how it was after the edit.

3. Go back to your Notepad instance. Click File --> Open and navigate to the location of your hosts file. Ensure that you have selected All Files at the bottom of the Open dialog so that it will list the hosts file. Select the hosts file.

4. Make the necessary edits as explained in the post and save the file.

5. Again right-click the hosts file and set the security settings back to how they were earlier (it must be just read access).

Just note that you should not delete the hosts file; the system would either not permit that, or it will get regenerated anyway. Still, just do not delete the file.

Hope this helps.

Anonymous said...

Thank you Kaarthik, for a great find! I was also searching for it for two days, scanning with different useless tools. Of course I also checked the hosts file, but I failed to notice the scrollbar...
Grateful,
Marcel

Anonymous said...

Thanks for the fix. Did you find any other code (JavaScript or such)?

Patric said...

Crap, I hoped this would solve my issue... The hosts file is clean, no scrollbars, no hidden lines at the end of the file. Those annoying ad.xtendmedia popups just keep popping up.

Hime said...

Hi Kaarthik,
Thank you so much. I've been looking for a solution to these annoying pop-ups.
I edited my hosts file before, but I didn't notice the scrollbar.
You helped me.

Jesse said...

Very useful advice! I followed the instructions and found the malicious code, removed it as per the directions, and all is well!!!!!!

Jesse said...

I found two hosts files? One had malicious code attached at the bottom! I removed it and I have not had a pop-up yet from ad.yieldmanager...

Anonymous said...

What does the malicious code say or look like??

Anonymous said...

Excellent - THANKS!

Anonymous said...

EXCELLENT, thanks!

Anonymous said...

Don't remove all the lines after the standard
# 127.0.0.1 localhost
# ::1 localhost

My hosts file has this entry added to run Windows Home Server:
192.168.1.17 SERVER #Windows Home Server#

In W7 I used a restore point for the hosts file from before the 'infection'.

Clearest method to fix problem on the web - well done.

Philip
PS: you may need to change folder options to see hidden and system files before you start.

Anonymous said...

Thank you so much for this. I was about to rebuild my laptop when I came across this.
I have now blogged about this too and included a link to your page, so more people can find the solution! Once again, thank you!

RachMcCloud said...

Mine is completely clean and the permissions are set the way you said, to see everything. What more should I look for?

Anonymous said...

There is a variant to this as well. Although the virus might have edited the hosts file and added a bunch of crap at the end ... it also might have renamed the hosts file to hosts.txt and created a hidden hosts file that has all the bad stuff in it.

Someone else saw this, renamed the etc directory to etc2 and copied all the valid visible files back to etc ... including the hosts file ... but renamed it back to hosts (from hosts.txt).

Anyway ... start by checking to see if the hosts file is named hosts.txt. It should not be.

Anonymous said...

Check to see if the file is named hosts.txt. It should not be. It should be named hosts. If it is named hosts.txt, then a hidden hosts file is being used and needs to be erased.

Anonymous said...

Brilliant - thanks for this fix. Been suffering with this for over a year. I had fixed it in browsers by installing 'donottrackme' - highly recommended, but that does not work for the Steam store browser. This fix works fully, and no other fiddling necessary unless you have associated infections. Incredible that no AV or AdWare protection picks this up.

Anonymous said...

Thank You Kaarthik! You saved my PC from a reformat. Mike G

Mike G. said...

Please specify in better detail “Windows\System32\Drivers\etc folder”. I'm running Windows 8, and when I check those folders I get to “\drivers” and am unsure where to go next. If “etc.” is meant as a literal folder name, I don't see one. What I do see is a boatload of files, alphabetized. Maybe the fact that I'm on Windows 8 is causing my confusion. If anybody can help, I'd be much obliged to give you an internet pat on the back. Please and thank you in advance.

Mike G. said...

Addition to my last comment, after further review. My etc folder contains nothing suspicious as discussed above. The hosts file is the same. There is nothing below the normal lines, as you described in your experience with the malware. I just updated to Windows 8 2 days ago... I'm considering just doing a system restore to 6 weeks ago (the infection happened around 3 weeks ago).

Do you have any advice on that process? I simply cannot, even with the help of your comments and replies section, get the pop ups in the lower left corner to disappear. I'm curious if Windows 8 may have stopped the other malicious activity, but the popups remain as residual. Can I do a system restore from Windows 8? If so, to a time when Windows 7 was installed? Or do I need to reinstall Windows 7 and then do a system restore from there? I'm also wondering whether, because I updated the OS to 8, system restore is impossible. All stuff I will Google... but if anybody has any advice summed up, I would appreciate it. Mike G.

Karthik Padmanabhan said...

Mike,

Did you try setting your Tracking Protection Lists on your Internet Explorer?

That should at least weed out the ad sites before they get displayed...

Mike G. said...

Kaarthik,

I had not done that yet, no. I will try though. Thanks for the advice.

I'm still mainly concerned about whether I'm being remotely accessed though. If the installation of Windows 8 (and the subsequent appearance of the clean files mentioned in this article) has fixed that problem, then I'm home free and just left to deal with the pop-ups in the manner you advised. But if I cure the popups, yet am still in danger of being tracked by some other file within the malware, then I wish to know. I guess time will tell. Thanks for the help!

Karthik Padmanabhan said...

Please do let us know if that works.

Since you mentioned Windows 8, check if the information on this link helps you...

http://www.howtogeek.com/122404/how-to-block-websites-in-windows-8s-hosts-file/