
Text based porn pop ups

Discussion in 'Virus & Other Malware Removal' started by ming-1, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. ming-1

    ming-1 Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    38
    When web browsing on my home PC I get regular text pop ups announcing that some enterprising young lady has set up a home web cam and is about to... well, you can guess. These are VERY irritating and I have never clicked OK on any of them. I don't get these (thankfully!) when browsing the web at work on my work computer.
    How do they get there? How do they know I am on the web? And can I get rid of whatever doohickey it is that lets them know I am there?
    I tried loading a pop up buster programme but this was no use as I do all my banking online and this seems to operate via pop ups and I could no longer use my banking web site. So I would rather get rid of the aforementioned doohickey.
    I am running a Norton Anti-virus programme and this has never picked up anything.
    Help!
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,354
    First Name:
    Derek
    Go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
    Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. ming-1

    ming-1 Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    38
    dvk01 suggested I post my hijack this log... I hope someone can decipher it for me!
    Logfile of HijackThis v1.97.7
    Scan saved at 8:27:53 PM, on 4/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
    C:\WINNT\MWW32\MANAGER\MWSSW32.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\tp4mon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\IOMEGA~1\directcd.exe
    C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/personal7/rusgirl/s/search.htm
    F2 - REG:system.ini: UserInit=
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
    O2 - BHO: (no name) - {17598C5F-F014-4D4B-9AD7-E4F8C952FBCB} - c:\program files\pop-up breaker v1.51\bspb.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_5_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Modem Update Reminder] C:\WINNT\MWW32\manager\mwremind.exe autorun
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [win486] d:winlcs.HTA
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: ThinkPad Modem Copyright.lnk = C:\WINNT\MWW32\manager\mwcpyrt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37891.132037037
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9520DE11-98EC-4EE1-8A95-E9BC54B2B018}: NameServer = 178.18.32.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E4F89661-A7F8-4416-9775-4040FAC7DE4C}: NameServer = 80.225.251.50 80.225.252.58



    Thanks
     
  4. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Have only HJT running & fix these entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/personal7/rusgirl/s/search.htm
    O2 - BHO: (no name) - {17598C5F-F014-4D4B-9AD7-E4F8C952FBCB} - c:\program files\pop-up breaker v1.51\bspb.dll (file missing)
     
  5. jameso321

    jameso321

    Joined:
    Jun 26, 2002
    Messages:
    176
    In Hijack This, check off all the entries listed below and click Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/personal7/rusgirl/s/search.htm

    There is something else here that looks bad:

    C:\WINNT\system32\wuauclt.exe

    I am 95% sure that is a Trojan/Virus

    http://www.sophos.com/virusinfo/analyses/trojcultb.html
    http://www.symantec.com/avcenter/venc/data/backdoor.clt.html

    jameso321
     
  6. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    WinTasks Process Library


    wuauclt - wuauclt.exe - Process Information

    Process File: wuauclt or wuauclt.exe
    Process Name: AutoUpdate for WindowsME
    Description: Background process responsible for updates to Windows ME. Whenever you connect to the Internet, Wuauclt checks the Microsoft web site for updates to Windows ME.
    Company: Microsoft Corp.
    System Process: Yes
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A
     
  7. jameso321

    jameso321

    Joined:
    Jun 26, 2002
    Messages:
    176
    That is not Win ME he is using ---- Read the links I have about it.

    http://www.symantec.com/avcenter/venc/data/backdoor.clt.html



     
  8. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    yep, just noticed that myself.
     
  9. jameso321

    jameso321

    Joined:
    Jun 26, 2002
    Messages:
    176
    This looks suspicious:

    O4 - HKLM\..\Run: [win486] d:winlcs.HTA

    I would check this in HJT and fix it also.

    Any idea what that is? I found some info. These are HTML apps that are commonly associated with adware crap. They are also a good way to deliver viruses and worms etc.

    *.HTA Hyper Text Applications

    jameso321
     
  10. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Never seen it in any other logs. Nothing on google.
     
  11. ming-1

    ming-1 Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    38
    Thanks folks... that's a real help.
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ming... you have a CWS hijack.

    Download and run CWShredder from http://www.thespykiller.co.uk/
    And remember to click "Fix" (not "Scan only").
    In particular, pay attention to the patches for the operating system regarding the ByteVerify vulnerability... reboot after.

    Post back with an updated HijackThis log.
     
  13. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi Ming, and welcome. I've merged both of your threads. Please always reply back to your original thread; otherwise the person helping you won't be notified that you have posted a new thread.
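
Added example, not part of the thread or any poster's words: a small triage pass over a HijackThis log that surfaces the three kinds of entries the helpers above singled out (several IE start/search settings pointing at one host, a BHO whose file is missing, and an .HTA in a Run key). The function names and the repeat threshold are assumptions made for this sketch; the sample lines are copied from the log posted in this thread, and a flagged line is a prompt for review, not a verdict.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Sample input: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://maebashi.cool.ne.jp/rifare/pucchi2/gol.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.terra.es/personal7/rusgirl/s/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.terra.es/personal7/rusgirl/s/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: (no name) - {17598C5F-F014-4D4B-9AD7-E4F8C952FBCB} - c:\program files\pop-up breaker v1.51\bspb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [win486] d:winlcs.HTA
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
"""

# An entry line is "<section code> - <body>", e.g. "R1 - ..." or "O16 - ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")

def ie_host(code, body):
    """Host of the URL stored in an R0/R1 (IE start/search setting) entry, else None."""
    if code not in ("R0", "R1") or " = " not in body:
        return None
    return urlparse(body.split(" = ", 1)[1].strip()).hostname

def triage(log, min_repeat=2):
    """Return (code, body, reason) for the entries worth reviewing first."""
    entries = [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]
    # Assumed heuristic: one host appearing in several IE settings suggests a hijack.
    per_host = Counter(h for h in (ie_host(c, b) for c, b in entries) if h)
    findings = []
    for code, body in entries:
        host = ie_host(code, body)
        if host and per_host[host] >= min_repeat:
            findings.append((code, body, f"{per_host[host]} IE settings point at {host}"))
        elif code == "O2" and body.rstrip().endswith("(file missing)"):
            findings.append((code, body, "BHO registered but its DLL is missing"))
        elif code == "O4" and re.search(r"\.hta\b", body, re.IGNORECASE):
            findings.append((code, body, "HTML Application (.hta) in a Run key"))
    return findings

if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

Settings that hold no URL (the Window Title line) and hosts that appear only once (the Start Page line) are not flagged by this heuristic, so they still need a human read.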
     
Short URL to this thread: https://techguy.org/216767
