Thread: Security Warning with shdoclc.dll

  1. #11
    Member
    Join Date
    Jun 2007
    Posts
    35

    Note: My analysis/response in message #10 was based on the original wording in your message #1:

    "The current Web page is trying to open a site on the Internet. Do you want
    to allow this?

    Current site: ad.yieldmanager.com

    Internet site: C:\Windows\system32\shdoclc.dll
    "

    However, I note that in message #3, you referred to the .dll as being a "Trusted site" ---
    which is in fact confirmed by the .gif image you included in message #6:

    "The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this?

    Current site: view.atdmt.com

    Trusted site: C:\Windows\system32\shdoclc.dll
    "

    This raises the question (as you already did): why is this .dll in your Trusted zone? I would venture that's a mistake, which should be removed from the Trusted Zone. But if, for whatever reason, it belongs there, you might have to adjust the security PROMPT setting under Trusted Zone (rather than under Internet Zone).

  2. #12
    Junior Member
    Join Date
    Jul 2008
    Posts
    8

    Dear ky331,

    Hello, and thank you for offering me some of your thoughts about this.

    Please let me clarify a couple of points, though:

    * shdoclc.dll is noted in the "pop-ups" as being a "Trusted Site" but does NOT appear explicitly in the list of Trusted Sites in my IE browser. Also, with these pop-ups, it's been, as far as I can recall, the ONLY "Trusted Site" involved in this whole escapade.

    * It's not only yieldmanager.com but a number of ad-sites (including, as I recall, doubleclick.com and, yes, espn.com, too, for the videos on their espnsoccernet.com -- US version -- Home Page) that have been triggering these pop-ups. If they were placed into the Restricted Sites area, then it was Spybot or something similar that did it as I don't remember ever manually placing them there.

    As I think(?) I noted previously, I used to get Status bar messages that Spybot, say, was blocking a "bad" site, such as something related to Avenue A or maybe even to one of these ad-sites, and that was just fine. What's "new" is that this has somehow migrated into full-blown "pop-ups" that, as I wrote, also draw "focus" away from whichever other window I'm looking at when they're launched.

    May I please ask if this information changes your advice at all?

    ...and I apologize if I mis-typed the message in post #1. I don't honestly know if I did or not (for all I know now, the messages appeared both ways), but, if so, I surely didn't want to mislead you or anyone else reading it.

    I hope this is helpful, and thank you again.

    Bram

    PS I don't use SpywareBlaster. I DO have Spybot and SuperAntiSpyware installed, however.

  3. #13
    Senior Member
    Join Date
    Oct 2005
    Location
    Los Angeles
    Posts
    219

    after this gets resolved do use spywareblaster
    what does SAS say?
    update and run a scan
    also your AV- full scan
    something which may have placed itself and possibly other things in your trusted zone needs a full investigation

    BTW
    one of the features of spybot is a method to prevent getting to internet explorer features (internet options) FROM WITHIN INTERNET EXPLORER

    first go to Control Panel and right-click on Internet Options and create a shortcut on your desktop
    then go to Spybot MODE>advanced mode >tools>IE tweaks and click the misc locks
    now if you are in IE and click on IE OPTIONS NO WAY
    use your new shortcut to get to IE OPTIONS
    (and the baddies can't get there either!)
    now remember what you did and how you did it

    now back to finding out what is going on

    you may be looking at posting a HJT in the Malware removal forum but I'll let one of the other posters make that suggestion
    for now keep a list of what you do and what you find

  4. #14
    Member
    Join Date
    Jun 2007
    Posts
    35

    I never assumed that your (mis??)type in message 1 was to mislead anyone. I only pointed out the difference between the post in message 1 vs. message 3, as I was unsure which one was actually the case.

    Before proceeding, let me point out that I am "just" an individual user of SpyBot (and SpywareBlaster), who has no affiliation whatsoever with SpyBot. So any advice/opinion I offer is purely my own. And anyone reading this has the right to reject (or accept) my "advice". I sincerely don't believe anything bad will happen, but as a formality, I guess I have to state that each person who chooses to proceed based on my suggestion is doing so at his/her own risk.

    I too recently experienced the Security warning that I believe you did. It first started when SpywareBlaster placed doubleclick.net into my restricted zone, and I was unable to access my Yahoo.com home page without getting the warnings. I "solved" that problem by "instructing" SpywareBlaster NOT to include doubleclick.NET in its restricted immunizations.

    A couple of weeks later, I started to receive the warnings about ads.yieldmanager.com . Like you, it seemed to have occurred after a SpyBot update. So I thought SpyBot might have been "involved".

    But various tests I ran --- removing both the SpyBot and SpywareBlaster immunizations --- convinced me that neither was [currently] responsible. There were a few remaining sites in my restricted zone. But none that were obviously ads.yieldmanager.com ... several were simply in the form of numeric IP addresses, and perhaps one of these might have corresponded to yieldmanager --- but I just didn't know for sure.

    By running the DelDomains program, ALL entries in both the restricted zone, as well as trusted zone, are cleared away. By doing so, I knew I'd be starting things completely fresh. You can consider trying this, but I admit this is the more "daring" approach (as you can't "UNDO" it 100%).

    In contrast, the first approach that I mentioned... of changing the setting on
    Websites in less privileged web content zone can navigate into this zone
    from PROMPT to DISABLE --- for the INTERNET Zone and/or the TRUSTED Zone --- should be both SAFE, and REVERSIBLE (if it doesn't work, and/or if you change your mind). On that basis, I'd say it's worth a shot on your part. Change it in the INTERNET Zone. Be sure to close IE and then re-open it. Surf some, and see if it makes a difference. If not, change it in the TRUSTED Zone. Again, close and reopen IE, and test things.

    Let me know how it goes. If it doesn't "fix" your situation, you can always change the DISABLE setting[s] back to PROMPT --- you'll be no worse off than you are now --- and you can then continue to look for another potential solution.

    P.S. I have taken for granted you'll find your setting at PROMPT... if it was already set to DISABLE (or ENABLE) for BOTH the INTERNET as well as TRUSTED Zones, there's really nothing for you to try here.
    Last edited by ky331; 2008-07-14 at 23:49.

  5. #15
    Junior Member
    Join Date
    Jul 2008
    Posts
    8

    Dear ky331,

    Thanks, and, yes, I have my grains of salt at the ready.

    At present (because of advice I actually got before you posted yours), that entry in both Internet and Trusted is now set to ENABLE (I recall changing at least one from PROMPT), though Restricted is set to DISABLE.

    Since that other person gave me that advice (not too long ago -- maybe several days or so), I don't recall seeing the pop-up. Still, I wonder what caused it in the first place, and, I must admit, the idea of it being from a new release of Spybot seems quite intriguing and appealing.

    Also, for the record, the only truly Trusted Sites in my IE are two that relate to mcafee.com (probably because I had its Anti-Virus software on my machine sometime ago) and "about:internet". There is NO entry for shdoclc.dll, which made its appearance in those "pop-ups" curiouser and curiouser.

    Thanks for your advice (same to wyrmrider -- to whom I note that, as I wrote before, I don't have SpywareBlaster and I DO recall publishing a HijackThis log at another Forum, which is where that afore-mentioned advice came from...also, I must admit, I'm not quite clear on some of your steps -- the tweaking IE from within Spybot part -- wyrmrider).

    If I need more from either of you beyond what I've written here, and previously, then I'll be back.

    Thanks again.

    Bram

  6. #16
    Junior Member
    Join Date
    Nov 2005
    Location
    Fort Wayne, IN USA
    Posts
    1

    IE7 Back Button shows Yieldmanager entries

    When using IE7, especially with Yahoo and sometimes eBay, and clicking the back button, nothing would happen. Looking at the dropdown history, there would be 1, 2 or 3 "ad.yieldmanager.com" entries. Finally found that there were 2 "yieldmanager" entries in the HOSTS, apparently put there by Spybot at some time in the past. I edited the HOSTS file (notepad %WINDIR%\system32\drivers\etc\HOSTS) and removed all of the entries added by Spybot. I then re-immunized with the latest Spybot and checked the HOSTS file again. There were no "yieldmanager" entries. Tried IE7 again and there were no more "back button" problems. Problem solved! Hope this helps someone else.

    PS: Don't know if this belongs in this thread. Hope the moderator will put it where it belongs.

  7. #17
    Junior Member
    Join Date
    Mar 2009
    Location
    Virginia
    Posts
    1

    Thank you! security warning: ad.yieldmanager.com

    cadilllinc, thank you for your response. I searched all over the internet for an answer to the annoying security warning popup "ad.yieldmanager.com." Voila! Edit the Hosts file, duh! I deleted the two ad.yieldmanager.com entries and breathed a sigh of relief.

    I don't think Spybot added the entries as it only occurred on my laptop, not my desktop, and both have the same Spybot updates. Anyway, thanks to your simple solution I can put away the aspirin bottle.

    tameraj
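
The checks discussed across this thread (HOSTS entries, zone assignments, and the "Websites in less privileged web content zone can navigate into this zone" setting) can be collected in one read-only pass. This is an added example, not part of any post above; it assumes the standard per-user and per-machine Internet Settings registry locations, that URL action 2101 is the value behind that setting (0 = Enable, 1 = Prompt, 3 = Disable), and the default domain is just the one named in the thread.

```powershell
# Added diagnostic sketch: reads only, changes nothing.
# $Domain is an example value taken from the thread; pass another to check it.
param([string]$Domain = 'yieldmanager.com')

$zoneNames   = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ieKey       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pattern     = [regex]::Escape($Domain)

# 1. HOSTS entries that mention the domain (comment lines skipped).
$hostsPath = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern } |
    ForEach-Object { "HOSTS:   $($_.Trim())" }

# 2. Zone assignments for the domain (immunization tools write Restricted = 4 here).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $domainsKey = "$hive\$ieKey\ZoneMap\Domains"
    if (-not (Test-Path $domainsKey)) { continue }
    Get-ChildItem $domainsKey -Recurse |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $key = $_
            foreach ($proto in $key.GetValueNames()) {
                # Value name is the protocol ("http", "*"); data is the zone number.
                $zone = [int]$key.GetValue($proto)
                "ZONEMAP: $($key.Name) [$proto] -> $($zoneNames[$zone])"
            }
        }
}

# 3. Per-user zone-elevation setting (URL action 2101) for Trusted, Internet, Restricted.
#    Group Policy hives can override these values and are not read here.
foreach ($z in 2, 3, 4) {
    $v = (Get-ItemProperty "HKCU:\$ieKey\Zones\$z" -Name '2101' -ErrorAction SilentlyContinue).'2101'
    $setting = if ($null -eq $v) { 'not set' } else { $actionNames[[int]$v] }
    "ZONE:    $($zoneNames[$z]) 2101 = $setting"
}
```

A domain that shows up under both HOSTS and ZONEMAP was blocked by two different mechanisms, so removing only one of them, as posts #16 and #17 did with HOSTS, leaves the other in place.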
