
[Resolved] Unwanted Porn

Discussion in 'Virus & Other Malware Removal' started by primed47, Feb 13, 2003.

Thread Status:
Not open for further replies.
  1. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    Please bear with me as I'm not very computer savvy. I have an Intel Celeron 700, 20.5 GB and 384 megs of RAM. I'm currently using Windows XP Professional. My husband and 3 granddaughters have their own separate accounts with their own user IDs and passwords. I started noticing a problem shortly after downloading Kazaa. I forgot about Gator, which I don't want on here. I deleted it from Add/Delete, or so I thought. Not sure if that has anything to do with this problem, but now whenever I click on any of my granddaughters' Documents folders the screen goes totally white for a few seconds and then this darn sex site takes over, and the only way to get rid of it is Ctrl+Alt+Del; then when you click on End Task that one disappears but approximately 5 or 6 more show up, and then I finally get rid of it for the time being, but they always reappear. I've tried getting rid of them by typing in the name in the search bar for files and folders, but each time the following error appears when I do: C:\WINDOWS\system32\URTTemp\config\machine config, then it says parser returned error 0X80070003. I have downloaded Norton AntiVirus 2003, Quick Heal, AVG, Panda, eSafe, Spybot and a few other programs trying to pinpoint and delete what's causing all this havoc, but to no avail. Spybot found the following:
    C:\hiberfil.sys cannot open, not checked
    C:\WINDOWS\System32\Config\System.LOG cannot open, not checked
    C:\Documents and Settings\Network Service\ntuser.dat.LOG cannot open, not checked
    C:\Documents and Settings\Network Service\Local Settings\Applications cannot open, not checked
    C:\Documents and Settings\Network Service\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT

    but as you can see it says cannot open, not checked. I'm ready to pull my hair out; this is driving me crazy. I also have Tweak and Ad-Aware. I'm not sure, but I think MSN has something to do with this also, because I've been getting pop-ups with MSN Messenger at the top, and when I've tried to exit out from Messenger an error comes up and says it's in use, and there have been 2 icons on my desktop where there should have been only one. Any help or suggestions you could give would be greatly appreciated. I hope this isn't anything major. Thanks for listening, Cheryl
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Welcome to TSG, primed47.

    Use the instructions and the application available on this page to give us a post of BOTH your HijackThis scan log and the StartupList itself:

    http://www.tomcoyote.org/hjt/

    Sometimes it is necessary to run Spybot twice to ensure complete removals but it doesn't sound like those files are any issue.
     
  3. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    Logfile of HijackThis v1.91.2
    Scan saved at 12:11:33 AM, on 2/14/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\Program Files\STOPzilla!\SZMsgSvc.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
    O16 - DPF: {18B01F09-2965-11D3-9461-00A0C9B1E042} (FunnyVoiceCtl Class) - http://www.kiddonet.com//kiddonet/luvclicks2/FunnyVoice.ocx
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.solitaire.com/download/solitaire.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37653.1858564815
    O16 - DPF: {A2A62F90-6106-11D3-96F3-00105A771372} (KaraokeComCtl Class) - http://www.kiddonet.com/lapware/actmenu/KaraokeKidd/karaokeCom.ocx
    O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.ichat.com/custom/nativeclient/msichat.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/sportsgames/ssxtricky/ea/wtinst.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
    O16 - DPF: {E9B2DC2F-3659-11D5-811E-00C0F003066B} (Cleaner Class) - http://www.panicware.net/activex/pwiclean.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://www.paltalk.com/prod/RegDload.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    I will wait for the next step. Thanks, Cheryl
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The only real oddity I am seeing there is:

    O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)

    I can't find any info on the ID listed. I would use HijackThis to remove it and:

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/...y/ea/wtinst.cab

    I don't think either of these could be involved in the problem you describe.

    >>> The HijackThis program also provides a StartupList which is created by clicking Config > Misc Tool > Generate Startup List.

    We need to see that too.


    As I understand your description of the problem, trying to open any of your granddaughters' Documents folders causes a porn site to appear? What happens if you are not connected to the net?

    When you ran HijackThis, were you logged on under your granddaughter's name? It might make a difference.

    For the "messenger" problem, I think this is not MSN messenger but a built in service of XP that needs to be disabled. It is a common problem that allows pop-ups to be displayed using the modem directly.

    Here's what you need to do: Open your Administrative Tools folder and then click the "Services" icon.

    Under the Services Profile, look for "Messenger" and right click on that and select "Properties". Set it to "disabled". You shouldn't see those messenger pop-ups any more.

    Finally, your description of the problem sounds suspiciously like the Js/Noclose virus. I don't know why Norton isn't finding it, it should.

    Try deleting all your Temporary Internet Files.

    http://www.uwm.edu/IMT/purchase/itpsfaqs/jsnoclose.html
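The scan log two posts up, run through a short triage script. This is an added example, not HijackThis's own logic and not anything posted in the thread: it applies by script the three checks a helper makes by eye (a toolbar CLSID with no file behind it, ActiveX controls downloaded from hosts not on a short allow-list, Run entries that are empty or run from a user-writable path). The allow-list of hosts is an assumption made for illustration; the log lines are copied from the post above, and anything the script reports is "look at this", not "this is malware".

```powershell
# Added example (not part of HijackThis or of the original post): a first-pass
# triage of a HijackThis scan log, doing by script what a helper does by eye.
# The allow-list of download hosts below is an assumption for illustration;
# anything this reports is "look at this", not "this is malware".

# Hosts whose O16 (Downloaded Program Files) controls we treat as expected.
$KnownDpfHosts = @(
    'active.macromedia.com', 'download.yahoo.com', 'chat.yahoo.com', 'us.chat1.yimg.com',
    'v4.windowsupdate.microsoft.com', 'fdl.msn.com', 'runonce.msn.com'
)

function Get-HjtFindings {
    param([Parameter(Mandatory = $true)][string[]]$LogLines)

    foreach ($raw in $LogLines) {
        $line = $raw.Trim()

        # O3: IE toolbars. A CLSID registered with no file behind it is either a
        # leftover from a bad uninstall or a component hiding its real path.
        if ($line -match '^O3 - Toolbar: (?<name>.*?) - \{(?<clsid>[0-9A-Fa-f-]+)\} - (?<path>.*)$') {
            if ($Matches.path -eq '(no file)') {
                New-Object PSObject -Property @{
                    Type = 'O3'; Reason = 'toolbar CLSID with no file on disk'; Detail = $Matches.clsid
                }
            }
            continue
        }

        # O16: Downloaded Program Files, i.e. ActiveX controls IE fetched from the
        # web. Report every control whose source host is not on the allow-list.
        if ($line -match '^O16 - DPF: (?<desc>.*) - (?<url>https?://\S+)$') {
            $desc = $Matches.desc
            $uri  = [uri]$Matches.url
            if ($KnownDpfHosts -notcontains $uri.Host) {
                New-Object PSObject -Property @{
                    Type = 'O16'; Reason = 'ActiveX control from unlisted host'; Detail = "$($uri.Host) ($desc)"
                }
            }
            continue
        }

        # O4: Run keys. An empty value, or a path under a user profile or Temp
        # folder, is unusual for legitimate software and worth a look.
        if ($line -match '^O4 - (?<hive>HK\w+)\\\.\.\\Run: \[(?<name>[^\]]+)\]\s*(?<cmd>.*)$') {
            $name = $Matches.name
            $cmd  = $Matches.cmd
            if ($cmd.Trim() -eq '' -or $cmd -match '\\Temp\\|\\Documents and Settings\\') {
                New-Object PSObject -Property @{
                    Type = 'O4'; Reason = 'Run entry that is empty or runs from a user-writable path'; Detail = "$name = $cmd"
                }
            }
            continue
        }
    }
}

# Lines copied from the scan log posted above.
$log = @'
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37653.1858564815
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/sportsgames/ssxtricky/ea/wtinst.cab
'@ -split "`r?`n"

Get-HjtFindings -LogLines $log | Format-Table Type, Reason, Detail -AutoSize
```

With this allow-list the script returns the same two entries Rollin' Rog picked out by hand: the O3 toolbar with no file and the WildTangent O16 control. Widening or narrowing the allow-list is how you tune the noise; the script never decides what is malicious, it only shortens the list a person has to read.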
     
  5. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    The only real oddity I am seeing there is:

    O3 - Toolbar: (no name) - {8E4C16F3-45C8-4B24-99E6-F55082B7C4F1} - (no file)

    I can't find any info on the ID listed. I would use HijackThis to remove it and:

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/...y/ea/wtinst.cab

    I don't think either of these could be involved in the problem you describe.

    In answer to your question, I was under my own name, not my granddaughter's, when I ran the HijackThis scan. Do you want me to try under her name? I want to be sure I understand you correctly: should I go ahead and REMOVE the 2 above? You have been such a big help, I couldn't have done this without you. I'm impressed, to say the least. Thanks, Cheryl
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes I'd go ahead and remove the two above. But keep in mind the StartupList is different from the ScanLog. We want to see the StartupList. Note my instructions for running it.

    Also I edited my post to include some info about the JS/Noclose 'virus' ... which I now see from reading the Symantec link it includes, that they do not detect it because they do not consider it 'malicious'. Harrumph!

    Try the HouseCall scan as well:

    http://housecall.antivirus.com/
     
  7. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    Just wanted you to know I'm running the StartupList now as per your instructions. I haven't tried going into my granddaughters' documents offline. I will also do what you said regarding MSN Messenger. It may take me a little time as I don't want to screw anything up here. I don't have any antivirus programs on my computer at this moment. I just uninstalled AVG earlier on. I need some help on where to go to download a good program that will protect us. If you have any links I'd appreciate it. I've been all over, but I'm really not sure whether I'm doing more harm than good. Not sure if it matters, but I have Sympatico high speed and I'm sure I should be going much faster than I am. Thanks again for your time and patience; you don't know how much this means to me to be able to talk to someone who knows what they are doing, present company excluded, lol. Cheryl
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    OK, but this is not MSN Messenger you will be disabling. It's really a modem service that is independent of it.

    Do follow up on doing another full scan using HouseCall, and delete all Temporary Internet Files. You will need to do this under the user name of each user who is having the problem. Check the Temp folders as well under your granddaughters' user names and empty those.

    It's a good bet that the multiple windows that are appearing are some variation of JS/NoClose.

    AVG is an adequate freebie, but it won't find everything. NAV would normally be the best, but it doesn't detect what you have either.

    Trend's antivirus, PC-cillin, evidently does, according to their site.
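The "Messenger" service that Rollin' Rog has primed47 disable through the Services console, done from PowerShell instead. This is an added example, not from the thread. The service in question is the Windows Messenger service that delivers net send and Alerter messages over NetBIOS/RPC; it is separate from MSN Messenger (msmsgs.exe), and because the messages arrive over the network, an inbound firewall rule for those ports is a second line of defence. The script assumes an elevated Windows PowerShell session on a system that still ships the service (Windows XP/2003; it was removed in later versions) and uses WMI for the start mode so it works on PowerShell 2.0.

```powershell
# Added example, not from the original post: disable the Windows "Messenger"
# service from PowerShell instead of the Services console. Assumes an elevated
# Windows PowerShell session on a system that still has the service (XP/2003).

function Disable-MessengerService {
    param([string]$Name = 'Messenger')

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$Name' is not installed on this system; nothing to do."
        return
    }

    # Stop it so no further pop-ups arrive in this session, then set the start
    # type to Disabled so it does not come back after a reboot (Manual would let
    # another program start it again on demand).
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force
    }
    Set-Service -Name $Name -StartupType Disabled

    # Re-read the state instead of assuming the calls succeeded. Get-Service in
    # PowerShell 2.0 does not expose the start mode, so ask WMI for it.
    $after = Get-Service -Name $Name
    $wmi   = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    New-Object PSObject -Property @{
        Name      = $after.Name
        Status    = $after.Status.ToString()
        StartMode = $wmi.StartMode
    }
}

Disable-MessengerService | Format-List
```

A Status of Stopped with a StartMode of Disabled is the state to look for; anything else means one of the two calls was refused, usually for lack of administrator rights.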
     
  9. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    StartupList report, 2/14/2003, 1:32:19 AM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\Cheryl H\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Cheryl H\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    PrinTray = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
    SZMsgSvc.exe = C:\Program Files\STOPzilla!\SZMsgSvc.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    WebCamRT.exe =
    TransparentIcons =
    BlockAds =
    Tweak-XP =

    --------------------------------------------------


    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\System32\macromed\Shockwave 8\Download.dll
    CODEBASE = http://active.macromedia.com/director/cabs/sw.cab

    [EABootStrap Class]
    InProcServer32 = C:\WINDOWS\System32\eabtstrp.dll
    CODEBASE = http://www.ea.com/downloads/games/common/boot_strap/iegils.cab

    [FunnyVoiceCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\FUNNYV~1.OCX
    CODEBASE = http://www.kiddonet.com//kiddonet/luvclicks2/FunnyVoice.ocx

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [ColoringCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\Coloring.ocx
    CODEBASE = http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

    [SnoopyCtrl Class]
    InProcServer32 = C:\Program Files\EACOM\Update\NPSnpy.dll
    CODEBASE = http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab

    [Yahoo! Audio UI1]
    InProcServer32 = C:\Program Files\Yahoo!\Messenger\yacsui.dll
    CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

    [Sol2axctl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\sol2ax.dll
    CODEBASE = http://download.solitaire.com/download/solitaire.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37653.1858564815

    [KaraokeComCtl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\karaokeCom.ocx
    CODEBASE = http://www.kiddonet.com/lapware/actmenu/KaraokeKidd/karaokeCom.ocx

    [msichat50 Client Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MSICHA~1.OCX
    CODEBASE = http://www.ichat.com/custom/nativeclient/msichat.cab

    [WTHoster Class]
    InProcServer32 = C:\WINDOWS\wt\webdriver\wthostctl.dll
    CODEBASE = http://www.wildtangent.com/install/wdriver/sportsgames/ssxtricky/ea/wtinst.cab

    [AcceptLang Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\setacceptlang.dll
    CODEBASE = http://runonce.msn.com/setacceptlang.cab

    [Cleaner Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWIClean.dll
    CODEBASE = http://www.panicware.net/activex/pwiclean.cab

    [CRegistryDownload Class]
    InProcServer32 = C:\WINDOWS\System32\RegDload.dll
    CODEBASE = http://www.paltalk.com/prod/RegDload.CAB

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    --------------------------------------------------
    End of report, 5,416 bytes
    Report generated in 0.070 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    *NOTE: This was done from my login. Do I need to do this from all the others also? I know you want me to do another full scan under all the other user names using HouseCall. Where do I find that program? Cheryl
     
  10. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    I put a checkmark beside O3 Toolbar and O16 DPF, but there's no delete or remove; the only choices available are Save, Fix checked, Info on selected item, Info, Config or Add checked to ignore list. My guess is to add to ignore list, but is that really eliminating it? Just wanted to be sure before I went ahead and did so. Cheryl
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    No don't add to the ignore list. Click "fix"

    This is the link for HouseCall:

    http://housecall.antivirus.com/


    I don't see anything there to account for the problem, and I doubt whether it will show with a list under anyone else's User Name, but it wouldn't hurt to look.

    Do follow instructions for deleting Temporary Internet and Temp folder files under each User Name. I think that is where the problem is going to be found. You should do this both within Internet Options > Temporary Internet Files with IE closed by going to the Control Panel > Internet Options applet. You should also manually navigate to the folders and delete the remaining contents. For example:

    C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files
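The manual step above (empty Temporary Internet Files and Temp under each User Name) as one pass over every local profile. This is an added example, not from the thread. It assumes the Windows XP profile layout under C:\Documents and Settings (pass -ProfileRoot for another layout), an elevated session so other users' profiles are readable, and that Internet Explorer is closed; Internet Options > Delete Files should still be run per user, since that also clears the cache index, which this script cannot remove while it is in use.

```powershell
# Added example, not from the original post: empty the Temporary Internet Files
# and Temp folders for every local profile in one pass. Assumes the Windows XP
# profile layout, an elevated session, and that Internet Explorer is closed.
# Run with -WhatIf first to see what would be removed.

function Clear-ProfileTempFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ProfileRoot = 'C:\Documents and Settings')

    $subFolders = @('Local Settings\Temporary Internet Files', 'Local Settings\Temp')

    # Every directory under the profile root is a profile, including accounts
    # nobody logs into interactively, which is why a per-user clean-up misses them.
    $profiles = Get-ChildItem -Path $ProfileRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }

    foreach ($profile in $profiles) {
        foreach ($sub in $subFolders) {
            $target = Join-Path $profile.FullName $sub
            if (-not (Test-Path -LiteralPath $target)) { continue }

            $removed = 0
            $locked  = 0
            # -Force lists hidden/system entries (Content.IE5, index.dat, desktop.ini).
            foreach ($item in (Get-ChildItem -LiteralPath $target -Force -ErrorAction SilentlyContinue)) {
                if (-not $PSCmdlet.ShouldProcess($item.FullName, 'Remove')) { continue }
                try {
                    Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
                    $removed++
                } catch {
                    # index.dat is held open while that profile is logged on. It is
                    # only the cache index; the cached page content is what matters.
                    $locked++
                }
            }
            New-Object PSObject -Property @{
                User = $profile.Name; Folder = $sub; Removed = $removed; Locked = $locked
            }
        }
    }
}

Clear-ProfileTempFiles -WhatIf                                        # preview only
Clear-ProfileTempFiles | Format-Table User, Folder, Removed, Locked -AutoSize
```

A non-zero Locked count for a profile usually means that user is still logged on (Fast User Switching keeps the session alive); log them off and re-run rather than rebooting into the same state.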
     
  12. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    I couldn't wait to give you the good news. I did everything you told me to and you hit the nail right on the head. I did indeed have the JS NOCLOSE.E virus. I just finished scanning with HouseCall and it found it. It was non-cleanable, so therefore I was instructed to delete it, which I did. It was in C:\Documents and Settings\Gue, whatever that means. I am going to run the same scan in each of my granddaughters', hubby's and my other daughter's accounts. I am also going to download PC-cillin 2003. You're the greatest, Rollin'. Thanks a million, Cheryl
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Definitely a nice Valentine's day greeting :)

    Yes, your description of the multiple windows popping up, once that sank in, was the best clue.

    Great that HouseCall found it. And it's a shame that Symantec does not consider it malicious, otherwise I would recommend NAV for you. But PC-cillin is a very well rated program. I think it's what the Department of Defense uses here these days. :)

    I'll tentatively mark this "resolved", but let us know if there are any further virus or security related issues. For others, a separate topic in the XP forum would be indicated.
     
  14. primed47

    primed47 Thread Starter

    Joined:
    Feb 12, 2003
    Messages:
    22
    When I click on Update Now in the trial version of PC-cillin I downloaded, it won't let me update as I have no license key. Is there a way around this? Even with other trial versions you can still get updates, and will this still catch what viruses are out there if it is not able to update? Looking forward to hearing from you on this. Cheryl
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I haven't seen the question asked or answered before, so I don't really know the answer; but I would suspect that is the nature of the beast.

    This link indicates that you should be able to update the trial version's pattern file once. I don't know what to suggest if it isn't letting you do that.

    http://www.sofsol.co.nz/p0001261.htm
     
Short URL to this thread: https://techguy.org/118723
