View Full Version : Security Warning with shdoclc.dll
bramweiser
2008-07-03, 05:07
Hi, Everyone,
The following was posted to Microsoft's Newsgroups for Windows XP. As I'm now experiencing something very similar to this (my release is 1.5.2.20), and this author (who isn't me) thinks that Spybot may be at issue, I'm posting it here in the hopes that you might have insights into this as well.
Could he be right? Might Spybot be causing this? (I looked at the program's settings and couldn't find a way to turn these messages on/off.)
Please respond with any on-topic thoughts, please.
Thanks,
Bram
**********
It may be coincidental, but about the time I downloaded an upgraded Spybot
program, I began to get a Security Warning that oftens reads something like
this:
"The current Web page is trying to open a site on the Internet. Do you want
to allow this?
Current site: ad.yieldmanager.com
Internet site: C:\Windows\system32\shdoclc.dll
Warning: allowing this can expose your computer to security risks. If you
don't trust the current Web page, choose no."
spybotsandra
2008-07-03, 12:34
Hello,
This message is created by the bad download blocker, a tool of Spybot - Search & Destroy.
Yieldmanager, Doubleclick (and others like Advertising.com, Avenue A, Inc, CasaleMedia, Fastclick, Hitbox, Mediaplex etc.) are so-called tracking cookies. It is quite common for popular websites to employ such tracking cookies from third parties. They use them in order to track the users' surfing habits on their websites. As I said, these cookies are from third parties but they are employed by the site. There is a tool in Spybot-S&D: BrowserHelper, i.e. a bad download blocker for Internet Explorer. With this tool enabled such tracking cookies will be blocked. In order to activate this tool, please run Spybot-S&D and go to the "Tools"->"Resident" page. Checking the checkbox in front of SDHelper will enable the BrowserHelper.
Now open the Tools menu in your Internet Explorer and choose 'Spybot - Search Destroy Configuration'.
There you will find a drop down menu which will appear giving you some options.
(3rd picture) (http://www.safer-networking.org/en/spybotsd15/index.html)
You should select "Block all bad pages silently".
With that option set the notifications will no longer come up, but you will still have the protection.
Best regards
Sandra
Team Spybot
bramweiser
2008-07-03, 18:08
Dear spybotsandra,
Hello, and thank you for responding to my thread.
I'm not home right now but will try your advice later tonight when I return.
If I may, though, because I'm presuming that the "Team Spybot" as part of your signature means that you work with/for SaferNetworking and/or the makers of Spybot-S&D...
To NOT have these blocked silently, as happens now, is a feature that needs some work.
Right now, every(!) time one of those sites' tracking cookies is encountered, not only does a "pop-up" message appear which requires my attention, but it also automatically grabs the "focus" from whichever other window I'm currently looking at (not nice).
In addition, nowhere(!) in this window does it indicate that it's Spybot-S&D that's triggering it (I, as would others, have several anti-spyware apps on my PC, and, for all I knew, this was also possibly a result from a Microsoft Windows Update item I'd downloaded), nor is there a link to...something...that'd indicate how to adjust it if one wants to (and I clearly do).
Also, it's peculiar to read that a particular DLL on my hard drive(!) is a "Trusted Site". Go figure about that.
Please encourage your developers to make this feature more user-friendly in future (incremental) releases of Spybot-S&D.
Thanks, and, while I do appreciate your help with this, if, after I try your advice, the issue still happens for some reason, I'll be back to follow up.
Thanks again,
Bram
bramweiser
2008-07-04, 02:22
Dear spybotsandra,
As promised, I did as you asked.
Curiously, I really didn't need to DO anything as:
* The SDHelper was already checked in my Spybot-S&D, and...
* The Configuration in my IE already (and curiously) said "Block all bad pages silently"
...yet, the "pop-ups" are STILL happening, regardless.
Please, what more could you suggest?
Thanks,
Bram
spybotsandra
2008-07-04, 13:03
Hello,
Are you sure that this message comes from Spybot and not from your browser?
Do you have a screenshot of it?
Best regards
Sandra
Team Spybot
bramweiser
2008-07-04, 18:33
Dear spybotsandra,
I don't THINK it's from my browser as I've NEVER seen "pop-ups" like that before (Spybot 1.4 always placed those messages into my Status Bar) and because, when I went to try and configure Spybot via my browser as you asked, it said it found "0" sites, files and cookies...none...so maybe something was amiss with this release of Spybot (or so I was thinking).
Also, those "pop-ups" seemed to act a bit funny as hitting "spacebar", when the "pop-up" was active, would be like pressing its buttons, but hitting "enter" wouldn't...so maybe (dare I say) this could also be something Java-related, as I've seen those applets sometimes act in similar ways?
Attached, hopefully ;), is a GIF of what it looks like. (Thank you, MS Paint :). )
Thanks, again, spybotsandra, and please let me know your thoughts.
Bram
bramweiser
2008-07-04, 20:44
Check that...
Hitting "Enter" WILL work, at least sometimes, but I can't, say, hit "Y" to mean "Yes", or "N" to mean "No" with one of those "pop-ups".
I just wanted to clear that up. :)
Hope this is helpful.
Thanks,
Bram
P.S. FYI -- Since I last wrote to you, the Configuration in IE says Spybot's found & blocked 79 "blacklisted sites & files", yet the "pop-ups" are still showing up at times, and, when I intentionally go to a site where the pop-up's been showing up, it does, without adding to that "79" count.
spybotsandra
2008-07-07, 14:10
Hello,
That message is not from Spybot.
Perhaps it is a security setting from your Internet Explorer.
By the way i do not run this browser as it is too unsafe for me.
There are alternatives to Internet Explorer, which should be considered, as - for example - Firefox (http://www.mozilla.org/) or Opera (http://www.opera.com).
Both of these are supposed to provide faster, safer and more efficient browsing than other browsers.
What is more: they come with an integrated pop-up blocking function, which means they stop annoying pop-up ads automatically. And, of course, Firefox as well as Opera are freeware.
Best regards
Sandra
Team Spybot
bramweiser
2008-07-07, 17:51
Dear spybotsandra,
Hello again, and thank you for writing back to me.
I'm perplexed, then, as IE 6 SP 2 (the version I use, and which also has a pop-up blocker, BTW, as does the Google Toolbar that I use) has never shown me these messages until recently, and only does so on my home computer (where Spybot is installed) but not at work (where it isn't).
(True, that's not definitive causality, but it's at least circumstantial.)
Also, I only get them, and only get this kind of behavior (i.e., annoyingly redirecting "focus" to the window where the "Warning" appears, etc.) when shdoclc.dll and, usually but not always, adsites are involved and cited, which is what led me to Spybot as a possible "culprit".
I'd looked in IE's security settings but didn't see what would be applicable. Do you have any ideas, please, about a specific one to examine?
Also, since I don't ever remember seeing this with 1.4 (again, messages there often appeared unobtrusively in my Status bar), what if I totally uninstalled 1.5.2.20 and either (a) installed 1.4 (if I can), or (b) reinstalled 1.5.2.20 fresh? Could this all be a sign of a bad installation/upgrade to 1.5.2.20? (I'm brainstorming here.)
What other thoughts might you have, please?
Thanks again.
Sincerely,
Bram Weiser
the message is being generated by an IE setting:
under tools / internet options / security
for the INTERNET zone, click on CUSTOM level,
scroll down, under Miscellaneous settings, to
Websites in less priviledged web content zone can navigate into this zone
I believe you'll find this set to PROMPT.
If you change it to DISABLE, you will no longer get the security message, and the advertisments from ad.yieldmanager.com will be suppressed --- you might see some red X's on the page, as a "placeholder" for the missing picture[s].
--------------------------------------------
As best as I can tell, the reason WHY this is happening is that "something" placed [I]yieldmanager.com into your restricted zone. So when this "restricted" item tried to display an advertisement in your "internet" zone, you received the security warning.
As for WHAT placed it in your restricted zone, that's less clear... because the CURRENT databases for both SPYBOT, as well as for SPYWAREBLASTER, do not. (Perhaps an earlier version placed them there???)
If you wish to clean-up your restricted zones, you might consider downloading DelDomains.inf from
http://www.mvps.org/winhelp2002/restricted.htm
This will completely clear your restricted zones (as well as your trusted zones). You can then re-immunize with SpyBot [and with SpywareBlaster, if you use that program] to bring your restricted zone "up to date"... and by doing so, you should fix the "ad.yieldmanager.com" security popup [i.e., even if you leave the above security setting on PROMPT]
Note: My analysis/response in message #10 was based on the original wording in your message #1:
"The current Web page is trying to open a site on the Internet. Do you want
to allow this?
Current site: ad.yieldmanager.com
Internet site: C:\Windows\system32\shdoclc.dll"
However, I note that in message #3, you referred to the .dll as being a "Trusted site" ---
which is in fact confirmed by the .gif image you included in message #6:
"The current Web page is trying to open a site in your Trusted sites list. Do you want to allow this?
Current site: view.atdmt.com
Trusted site: C:\Windows\system32\shdoclc.dll"
This raises the question (as you already did) why this .dll is in your Trusted zone? I would venture that's a mistake, which should be removed from the Trusted Zone. but if, for whatever reason it belongs there, you might have to adjust the security PROMPT setting under Trusted Zone (rather than under Internet Zone).
bramweiser
2008-07-14, 23:52
Dear ky331,
Hello, and thank you for offering me some of your thoughts about this.
Please let me clarify a couple of points, though:
* shdoclc.dll is noted in the "pop-ups" as being a "Trusted Site" but does NOT appear explicitly in the list of Trusted Sites in my IE browser. Also, with these pop-ups, it's been, as far as I can recall, the ONLY "Trusted Site" involved in this whole escapade.
* It's not only yieldmanager.com but a number of ad-sites (including, as I recall, doubleclick.com and, yes, espn.com, too, for the videos on their espnsoccernet.com -- US version -- Home Page) that have been triggering these pop-ups. If they were placed into the Restricted Sites area, then it was Spybot or something similar that did it as I don't remember ever manually placing them there.
As I think(?) I noted previously, I used to get Status bar messages that Spybot, say, was blocking a "bad" site, such as something related to Avenue A or maybe even to one of these ad-sites, and that was just fine. What's "new" is that this has somehow migrated into full-blown "pop-ups" that, as I wrote, also draw "focus" away from whichever other window I'm looking at when they're launched.
May I please ask if this information changes your advice at all?
...and I apologize if I mis-typed the message in post #1. I don't honestly know if I did or not (for all I know now, the messages appeared both ways), but, if so, I surely didn't want to mislead you or anyone else reading it.
I hope this is helpful, and thank you again.
Bram
PS I don't use SpywareBlaster. I DO have Spybot and SuperAntiSpyware installed, however.
wyrmrider
2008-07-15, 00:32
after this gets resolved do use spywareblaster
what does SAS say?
update and run a scan
also your AV- full scan
something which may have placed itself and possibly other things in your trusted zone needs a full investigation
BTW
one of the features of spybot is a method to prevent getting to internet explorer features (internet options) FROM WITHIN INTERNET EXPLORER
first go to Control Panel and rt click on Internet Options and create a shortcut on your desktop
then go to Spybot MODE>advanced mode >tools>ie tweeks and click the misc locks
now if you are in IE and click on IE OPTIONS NO WAY
use your new shortcut to get to IE OPTIONS
(and the baddies can't get there either!)
now remember what you did and how you did it
now back to finding out what is going on
you may be looking at posting a HJT in the MAlware removal forum but I'll let one of the other posters make that suggestion
for now keep a list of what you do and what you find
I never assumed that your (mis??)type in message 1 was to mislead anyone. I only pointed out the difference between the post in message 1 vs. message 3, as i was unsure which one was actually the case.
before proceeding, let me point out that I am "just" an individual user of SpyBot (and SpywareBlaster), who has no affiliation whatsoever with SpyBot. So any advice/opinion I offer is purely my own. And anyone reading this has the right to reject (or accept) my "advice". I sincerely don't believe anything bad will happen, but as a formalilty, I guess I have to state that each person who chooses to proceed based on my suggestion is doing so at his/her own risk.
I too recently experienced the Security warning that I believe you did. It first started when SpywareBlaster placed doubleclick.net into my restricted zone, and I was unable to access my Yahoo.com home page without getting the warnings. I "solved" that problem by "instructing" SpywareBlaster NOT to include doubleclick.NET in its restricted immunizations.
A couple of weeks later, I started to recieve the warnings about ads.yieldmanager.com . Like you, it seemed to have ocurred after a SpyBot update. So I thought SpyBot might have been "involved".
But various tests I ran --- removing both the SpyBot and SpywareBlaster immunizations --- convinced me that neither was [currently] responsible. There were a few remaining sites in my restricted zone. But none that were obiously ads.yieldmanager.com ... several were simply in the form of numeric IP addresses, and perhaps one of these might have corresponded to yieldmanager --- but I just didn't know for sure.
By running the DelDomains program, ALL entries in both the restricted zone, as well as trusted zone, are cleared away. By doing so, I knew I'd be starting things completely fresh. You can consider trying this, but I admit this is the more "daring" approach (as you can't "UNDO" it 100%).
In contrast, the first approach that I mentioned... of changing the setting on
Websites in less priviledged web content zone can navigate into this zone
from PROMPT to DISABLE --- for the INTERNET Zone and/or the TRUSTED Zone --- should be both SAFE, and REVERSABLE (if it doesn't work, and/or if you change your mind). On that basis, I'd say it's worth a shot on your part. Change it in the INTERNET Zone. Be sure to close IE and then re-open it. Surf some, and see if it makes a difference. If not, change it in the TRUSTED Zone. again, close and reopen IE, and test things.
Let me know how it goes. If it doesn't "fix" your situation, you can always change the DISABLE setting[s] back to PROMPT --- you'll be no worse off than you are now --- and you can then continue to look for another potential solution.
P.S. I have taken for granted you'll find your setting at PROMPT... if it was already set to DISABLE (or ENABLE) for BOTH the INTERNET as well as TRUSTED Zones, there's really nothing for you to try here.
bramweiser
2008-07-15, 06:48
Dear ky331,
Thanks, and, yes, I have my grains of salt at the ready. :)
At present (because of advice I actually got before you posted yours), that entry in both Internet and Trusted is now set to ENABLE (I recall changing at least one from PROMPT), though Restricted is set to DISABLE.
Since that other person gave me that advice (not too long ago -- maybe several days or so), I don't recall seeing the pop-up. Still, I wonder what caused it in the first place, and, I must admit, the idea of it being from a new release of Spybot seems quite intriguing and appealing.
Also, for the record, the only truly Trusted Sites in my IE are two that relate to mcafee.com (probably because I had its Anti-Virus software on my machine sometime ago) and "about:internet". There is NO entry for shdoclc.dll, which made its appearance in those "pop-ups" curioser and curioser. ;)
Thanks for your advice (same to wyrmrider -- to whom I note that, as I wrote before, I don't have SpywareBlaster and I DO recall publishing a HijackThis log at another Forum, which is where that afore-mentioned advice came from...also, I must admit, I'm not quite clear on some of your steps -- the tweaking IE from within Spybot part -- wyrmrider).
If I need more from either of you beyond what I've written here, and previously, then I'll be back.
Thanks again.
Bram
cadilllinc
2008-12-28, 21:38
When using IE7, especially with Yahoo and sometimes eBay, and clicking the back button, nothing would happen. Looking at the dropdown history, there would be 1, 2 or 3 "ad.yieldmanager.com" entries. Finally found that there were 2 "yieldmanager" entries in the HOSTS, apparently put there by Spybot at some time in the past. I edited the HOSTS file (notepad %WINDIR%\system32\drivers\etc\HOSTS) and removed all of the entries added by Spybot. I then re-immunized with with the latest Spybot and checked the HOSTS file again. There were no "yieldmanager" entries. Tried IE7 again and there were no more "back button" problems. Problem solved! Hope this helps someone else.
PS: Don't know if this belongs in this thread. Hope the moderator will put it where it belongs.
cadilllinc, thank you for your response. I searched all over the internet for an answer to the annoying security warning popup "ad.yieldmanager.com." Voila! Edit the Hosts file, duh! I deleted the two ad.yieldmanager.com entries and breathed a sigh of relief.
I don't think Spybot added the entries as it only occurred on my laptop, not my desktop, and both have the same Spybot updates. Any way, thanks to your simple solution I can put away the aspirin bottle.
tameraj