Text based porn pop ups

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ming-1

Thread Starter
Joined
Apr 2, 2004
Messages
38
When web browsing on my home PC I get regular text pop ups announcing that some enterprising young lady has set up a home web cam and is about to....well you can guess. These are VERY irritating and I have never clicked OK on any of them. I don't get these (thankfully!) when browsing the web at work on my work computer.
How do they get there? How do they know I am on the web? And can I get rid of whatever doohicky it is that lets them know I am there?
I tried loading a pop up buster programme but this was no use as I do all my banking online and this seems to operate via pop ups and I could no longer use my banking web site. So I would rather get rid of the aforementioned doohicky.
I am running a Norton Anti-virus programme and this has never picked up anything.
Help!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

ming-1

Thread Starter
Joined
Apr 2, 2004
Messages
38
dvk01 suggested I post my hijack this log....I hope someone can decipher it for me!
Logfile of HijackThis v1.97.7
Scan saved at 8:27:53 PM, on 4/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/personal7/rusgirl/s/search.htm
F2 - REG:system.ini: UserInit=
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {17598C5F-F014-4D4B-9AD7-E4F8C952FBCB} - c:\program files\pop-up breaker v1.51\bspb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win486] d:winlcs.HTA
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37891.132037037
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{9520DE11-98EC-4EE1-8A95-E9BC54B2B018}: NameServer = 178.18.32.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4F89661-A7F8-4416-9775-4040FAC7DE4C}: NameServer = 80.225.251.50 80.225.252.58



Thanks
 
Joined
Mar 15, 2004
Messages
389
Have only HJT running & fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/personal7/rusgirl/s/search.htm
O2 - BHO: (no name) - {17598C5F-F014-4D4B-9AD7-E4F8C952FBCB} - c:\program files\pop-up breaker v1.51\bspb.dll (file missing)
 
Joined
Jun 26, 2002
Messages
176
In HijackThis, check off all the entries listed below and click Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/personal7/rusgirl/s/search.htm

There is something else here that looks bad:

C:\WINNT\system32\wuauclt.exe

I am 95% sure that is a Trojan/Virus

http://www.sophos.com/virusinfo/analyses/trojcultb.html

http://www.symantec.com/avcenter/venc/data/backdoor.clt.html

jameso321
 
Joined
Mar 15, 2004
Messages
389
WinTasks Process Library


wuauclt - wuauclt.exe - Process Information

Process File: wuauclt or wuauclt.exe
Process Name: AutoUpdate for WindowsME
Description: Background process responsible for updates to Windows ME. Whenever you connect to the Internet, Wuauclt checks the Microsoft web site for updates to Windows ME.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
 
Joined
Jun 26, 2002
Messages
176
That is not Win ME he is using ---- Read the links I have about it.

http://www.symantec.com/avcenter/venc/data/backdoor.clt.html



When Backdoor.Clt is executed, it performs the following actions:


Copies itself as %System%\WUAUCLT.EXE.


Adds the value:

"Microsoft auto update"="%System%\wuauclt.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.


Connects to an IRC server to receive commands. By default, the Trojan will connect to irc.icq.com on port 6667 and join a specific channel.
 
Joined
Jun 26, 2002
Messages
176
stillearning said:
yep, just noticed that myself.


This looks suspicious

O4 - HKLM\..\Run: [win486] d:winlcs.HTA

I would Check this in HJT and Fix it also.

Any Idea what that is? I found some info. These are HTML apps that are commonly associated with adware crap. They are also a good way to deliver Virus and worms etc.

*.HTA Hyper Text Applications


jameso321
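
An added example, not part of any post in this thread and not HijackThis's own logic: a small Python triage pass over lines taken from the log above. It flags the items the replies single out (a BHO whose file is missing, an O4 Run entry that launches an .HTA file, and the Run value that the quoted Backdoor.Clt description says the Trojan adds). The finding labels and the "same host set in more than one IE setting" rule are assumptions made for this example.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O2 - BHO: (no name) - {17598C5F-F014-4D4B-9AD7-E4F8C952FBCB} - c:\program files\pop-up breaker v1.51\bspb.dll (file missing)
O4 - HKLM\..\Run: [win486] d:winlcs.HTA
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
IE_URL = re.compile(r"^(?P<key>HK[^=]+?) = https?://(?P<host>[^/\s]+)\S*$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def triage(log):
    """Return (label, detail) findings; the labels are this example's own."""
    findings, hosts = [], {}
    for line in log.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        code, body = entry["code"], entry["body"]
        if code in ("R0", "R1"):
            ie = IE_URL.match(body)
            if ie:
                hosts.setdefault(ie["host"].lower(), []).append(ie["key"])
        elif code == "O2" and body.endswith("(file missing)"):
            findings.append(("orphaned-bho", body))
        elif code == "O4":
            run = RUN.match(body)
            if not run:
                continue
            name, cmd = run["name"], run["cmd"].lower()
            if re.search(r"\.hta\b", cmd):
                findings.append(("hta-autorun", name))
            # Run value quoted in the thread from the Backdoor.Clt write-up.
            if name.lower() == "microsoft auto update" and "wuauclt.exe" in cmd:
                findings.append(("clt-run-value", name))
    # Assumed heuristic: one host set in more than one IE setting is suspect.
    for host, keys in hosts.items():
        if len(keys) > 1:
            findings.append(("shared-search-host", host))
    return findings

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(label, "-", detail)
```

A running-process path alone cannot tell the Windows Update client from a copy placed in the same folder, which is why the check keys on the Run value name rather than on the file name.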
 
Joined
Oct 9, 2001
Messages
9,396
Ming......you have a CWS hijack.

Download and run CWshredder from http://www.thespykiller.co.uk/
And remember to click "Fix" (Not "Scan only")
In particular pay attention to the patches for the operating system regarding the ByteVerify vulnerability............re-boot after.

Post back with an updated HijackThis log.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Hi Ming, and welcome. I've merged both of your threads. Please always reply back to your original thread, otherwise the person helping you won't be notified that you have posted a new thread.
 