Security Warning with shdoclc.dll

[bramweiser]

Hi, Everyone,

The following was posted to Microsoft's Newsgroups for Windows XP. As I'm now experiencing something very similar to this (my release is 1.5.2.20), and this author (who isn't me) thinks that Spybot may be at issue, I'm posting it here in the hopes that you might have insights into this as well.

Could he be right? Might Spybot be causing this? (I looked at the program's settings and couldn't find a way to turn these messages on/off.)

Please respond with any on-topic thoughts, please.

Thanks,
Bram

**********

It may be coincidental, but about the time I downloaded an upgraded Spybot
program, I began to get a Security Warning that oftens reads something like
this:

"The current Web page is trying to open a site on the Internet. Do you want
to allow this?

Current site: ad.yieldmanager.com

Internet site: C:\Windows\system32\shdoclc.dll



Warning: allowing this can expose your computer to security risks. If you
don't trust the current Web page, choose no."

[spybotsandra]

Hello,

This message is created by the bad download blocker, a tool of Spybot - Search & Destroy.
Yieldmanager, Doubleclick (and others like Advertising.com, Avenue A, Inc, CasaleMedia, Fastclick, Hitbox, Mediaplex etc.) are so-called tracking cookies. It is quite common for popular websites to employ such tracking cookies from third parties. They use them in order to track the users' surfing habits on their websites. As I said, these cookies are from third parties but they are employed by the site. There is a tool in Spybot-S&D: BrowserHelper, i.e. a bad download blocker for Internet Explorer. With this tool enabled such tracking cookies will be blocked. In order to activate this tool, please run Spybot-S&D and go to the "Tools"->"Resident" page. Checking the checkbox in front of SDHelper will enable the BrowserHelper.

Now open the Tools menu in your Internet Explorer and choose 'Spybot - Search Destroy Configuration'.
There you will find a drop down menu which will appear giving you some options.
(3rd picture)
You should select "Block all bad pages silently".
With that option set the notifications will no longer come up, but you will still have the protection.

Best regards
Sandra
Team Spybot

[bramweiser]

Dear spybotsandra,

Hello, and thank you for responding to my thread.

I'm not home right now but will try your advice later tonight when I return.

If I may, though, because I'm presuming that the "Team Spybot" as part of your signature means that you work with/for SaferNetworking and/or the makers of Spybot-S&D...

To NOT have these blocked silently, as happens now, is a feature that needs some work.

Right now, every(!) time one of those sites' tracking cookies is encountered, not only does a "pop-up" message appear which requires my attention, but it also automatically grabs the "focus" from whichever other window I'm currently looking at (not nice).

In addition, nowhere(!) in this window does it indicate that it's Spybot-S&D that's triggering it (I, as would others, have several anti-spyware apps on my PC, and, for all I knew, this was also possibly a result from a Microsoft Windows Update item I'd downloaded), nor is there a link to...something...that'd indicate how to adjust it if one wants to (and I clearly do).

Also, it's peculiar to read that a particular DLL on my hard drive(!) is a "Trusted Site". Go figure about that.

Please encourage your developers to make this feature more user-friendly in future (incremental) releases of Spybot-S&D.

Thanks, and, while I do appreciate your help with this, if, after I try your advice, the issue still happens for some reason, I'll be back to follow up.

Thanks again,
Bram

[bramweiser]

Dear spybotsandra,

As promised, I did as you asked.

Curiously, I really didn't need to DO anything as:

* The SDHelper was already checked in my Spybot-S&D, and...

* The Configuration in my IE already (and curiously) said "Block all bad pages silently"

...yet, the "pop-ups" are STILL happening, regardless.

Please, what more could you suggest?

Thanks,
Bram

[spybotsandra]

Hello,

Are you sure that this message comes from Spybot and not from your browser?
Do you have a screenshot of it?

Best regards
Sandra
Team Spybot

[bramweiser]

Dear spybotsandra,

I don't THINK it's from my browser as I've NEVER seen "pop-ups" like that before (Spybot 1.4 always placed those messages into my Status Bar) and because, when I went to try and configure Spybot via my browser as you asked, it said it found "0" sites, files and cookies...none...so maybe something was amiss with this release of Spybot (or so I was thinking).

Also, those "pop-ups" seemed to act a bit funny as hitting "spacebar", when the "pop-up" was active, would be like pressing its buttons, but hitting "enter" wouldn't...so maybe (dare I say) this could also be something Java-related, as I've seen those applets sometimes act in similar ways?

Attached, hopefully , is a GIF of what it looks like. (Thank you, MS Paint . )

Thanks, again, spybotsandra, and please let me know your thoughts.

Bram

[bramweiser]

Check that...

Hitting "Enter" WILL work, at least sometimes, but I can't, say, hit "Y" to mean "Yes", or "N" to mean "No" with one of those "pop-ups".

I just wanted to clear that up.

Hope this is helpful.

Thanks,
Bram

P.S. FYI -- Since I last wrote to you, the Configuration in IE says Spybot's found & blocked 79 "blacklisted sites & files", yet the "pop-ups" are still showing up at times, and, when I intentionally go to a site where the pop-up's been showing up, it does, without adding to that "79" count.

[spybotsandra]

Hello,

That message is not from Spybot.
Perhaps it is a security setting from your Internet Explorer.
By the way i do not run this browser as it is too unsafe for me.
There are alternatives to Internet Explorer, which should be considered, as - for example - Firefox (http://www.mozilla.org/) or Opera (http://www.opera.com).
Both of these are supposed to provide faster, safer and more efficient browsing than other browsers.
What is more: they come with an integrated pop-up blocking function, which means they stop annoying pop-up ads automatically. And, of course, Firefox as well as Opera are freeware.

Best regards
Sandra
Team Spybot

[bramweiser]

Dear spybotsandra,

Hello again, and thank you for writing back to me.

I'm perplexed, then, as IE 6 SP 2 (the version I use, and which also has a pop-up blocker, BTW, as does the Google Toolbar that I use) has never shown me these messages until recently, and only does so on my home computer (where Spybot is installed) but not at work (where it isn't).

(True, that's not definitive causality, but it's at least circumstantial.)

Also, I only get them, and only get this kind of behavior (i.e., annoyingly redirecting "focus" to the window where the "Warning" appears, etc.) when shdoclc.dll and, usually but not always, adsites are involved and cited, which is what led me to Spybot as a possible "culprit".

I'd looked in IE's security settings but didn't see what would be applicable. Do you have any ideas, please, about a specific one to examine?

Also, since I don't ever remember seeing this with 1.4 (again, messages there often appeared unobtrusively in my Status bar), what if I totally uninstalled 1.5.2.20 and either (a) installed 1.4 (if I can), or (b) reinstalled 1.5.2.20 fresh? Could this all be a sign of a bad installation/upgrade to 1.5.2.20? (I'm brainstorming here.)

What other thoughts might you have, please?

Thanks again.

Sincerely,
Bram Weiser

[ky331]

the message is being generated by an IE setting:

under tools / internet options / security
for the INTERNET zone, click on CUSTOM level,
scroll down, under Miscellaneous settings, to
Websites in less priviledged web content zone can navigate into this zone
I believe you'll find this set to PROMPT.

If you change it to DISABLE, you will no longer get the security message, and the advertisments from ad.yieldmanager.com will be suppressed --- you might see some red X's on the page, as a "placeholder" for the missing picture[s].
[If you change it to ENABLE, you will no longer get the security message, but the advertisements will be displayed]

--------------------------------------------

As best as I can tell, the reason WHY this is happening is that "something" placed yieldmanager.com into your restricted zone. So when this "restricted" item tried to display an advertisement in your "internet" zone, you received the security warning.

As for WHAT placed it in your restricted zone, that's less clear... because the CURRENT databases for both SPYBOT, as well as for SPYWAREBLASTER, do not. (Perhaps an earlier version placed them there???)

If you wish to clean-up your restricted zones, you might consider downloading DelDomains.inf from
http://www.mvps.org/winhelp2002/restricted.htm
This will completely clear your restricted zones (as well as your trusted zones). You can then re-immunize with SpyBot [and with SpywareBlaster, if you use that program] to bring your restricted zone "up to date"... and by doing so, you should fix the "ad.yieldmanager.com" security popup [i.e., even if you leave the above security setting on PROMPT]