PDA

View Full Version : Win32.pornpopup: Am I still infected?



Mariah
2010-07-13, 22:06
Hello, a couple weeks ago I had an issue with something called Win32.pornpopup. My Spybot found 20 cases of it one day, during one of my daily scans. It said they were removed, but I still experienced some performance problems with my computer, and I believe I had seen a popup appear for a split second, with the figure of a woman on it. I was told by someone to do a System Restore, which I now see from some of the Spybot forums I probably shouldn't have done. However, after the System Restore, my computer is better than it was when I knew I had the virus, but still not quite what it was (when it comes to speed and freezing) before we got the virus.
I was worried that maybe the virus is still in my computer. If I could receive some help, I'd be very grateful.

Here's my DDS:




DDS (Ver_10-03-17.01) - NTFSx86
Run by Mariah at 14:36:40.82 on Tue 07/13/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.97 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WTouch\WTouchService.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Mariah\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\mariah\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mariah\applic~1\mozilla\firefox\profiles\368y39oc.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\mariah\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-3 310320]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2009-12-22 4064]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-3 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-3 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100712.001\IDSXpx86.sys [2010-7-12 331640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-3 117640]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-12-22 4497704]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-12-22 113448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100712.051\NAVENG.SYS [2010-7-13 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100712.051\NAVEX15.SYS [2010-7-13 1347504]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-22 16168]

=============== Created Last 30 ================

2010-06-28 21:24:04 0 d-----r- c:\program files\Norton Support
2010-06-28 21:02:54 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-07-13 15:19:29 23048 ----a-w- c:\windows\system32\nvModes.dat
2010-05-28 23:33:11 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 15:20:24 668672 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:20:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-03-07 18:57:20 251 ----a-w- c:\program files\wt3d.ini

============= FINISH: 14:38:22.81 ===============

ken545
2010-07-17, 23:10
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



Run SpyBot check for problems, fix all red items, when its finished right click and choose copy results (not full report) to clipboard and paste that back here please.

Mariah
2010-07-18, 06:11
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



Run SpyBot check for problems, fix all red items, when its finished right click and choose copy results (not full report) to clipboard and paste that back here please.

It only found a DoubleClick this time around, but here's those copied results for you:



DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-01-21 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-07-13 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2010-07-13 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-07-13 Includes\HijackersC.sbi (*)
2010-07-13 Includes\KeyloggersC.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-07-13 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-13 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2010-07-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-13 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-07-13 Includes\Trojans.sbi (*)
2010-07-13 Includes\TrojansC-02.sbi (*)
2010-07-13 Includes\TrojansC-03.sbi (*)
2010-07-13 Includes\TrojansC-04.sbi (*)
2010-07-13 Includes\TrojansC-05.sbi (*)
2010-07-13 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

ken545
2010-07-18, 13:32
Hello Mariah,

What you should do is empty out all the cookie folders for Internet Explorer, Firefox and Chrome. Before you do make sure you write down all your user names and passwords for sites you frequent as they will be lost when you remove cookies.

Open IE and go to Tools > Internet Options > General Tab and under Browsing History click on Delete.

Open Firefox and go to Tools > Options > Privacy Tab > Remove Individual Cookies and delete all cookies


Do the same for Chrome, here are instructions as I do not use chrome myself.
http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95626




Empty your Spybot Recovery (quarantine) folder


* Open Spybot and click on the "Recovery" button.
* The items that Spybot has quarantined will be listed.
* Place a check mark in the box next to each item listed and that click on "Purge Selected Items".
* Empty your recycle bin.





Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
Win32.pornpopup
:folderfind
Win32.pornpopup
:regfind
Win32.pornpopup


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Mariah
2010-07-19, 00:44
Hello Mariah,

What you should do is empty out all the cookie folders for Internet Explorer, Firefox and Chrome. Before you do make sure you write down all your user names and passwords for sites you frequent as they will be lost when you remove cookies.

Open IE and go to Tools > Internet Options > General Tab and under Browsing History click on Delete.

Open Firefox and go to Tools > Options > Privacy Tab > Remove Individual Cookies and delete all cookies


Do the same for Chrome, here are instructions as I do not use chrome myself.
http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95626




Empty your Spybot Recovery (quarantine) folder


* Open Spybot and click on the "Recovery" button.
* The items that Spybot has quarantined will be listed.
* Place a check mark in the box next to each item listed and that click on "Purge Selected Items".
* Empty your recycle bin.





Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
Win32.pornpopup
:folderfind
Win32.pornpopup
:regfind
Win32.pornpopup


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Thank you very much.
This was the result of the scan:


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:41 on 18/07/2010 by Mariah (Administrator - Elevation successful)

========== filefind ==========

Searching for "Win32.pornpopup"
No files found.

========== folderfind ==========

Searching for "Win32.pornpopup"
No folders found.

========== regfind ==========

Searching for "Win32.pornpopup"
No data found.

-=End Of File=-



I assume this is good, since it found nothing, correct?

ken545
2010-07-19, 02:07
Hello Mariah,

Yes thats a positive sign but this is something that is new and has been popping up on users threads lately, funny thing is one user says its gone and on another system it still shows up.

Why dont you run this free online virus scanner and see what it finds if anything


Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Mariah
2010-07-19, 23:52
Hello Mariah,

Yes thats a positive sign but this is something that is new and has been popping up on users threads lately, funny thing is one user says its gone and on another system it still shows up.

Why dont you run this free online virus scanner and see what it finds if anything


Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic



I did the scan, and it found 2 Trojan Downloaders and removed them, but I was unable to find where the ".txt" file you asked me to copy and paste was. Should I scan and try again?
Every few months or so my computer picks up a couple downloaders, and they're normally taken care of by my Norton security system after a scan. Those two it found probably got on my computer since the last scan, though I'm glad ESET was able to get rid of them. If another scan is not needed, is it alright to uninstall ESET?

ken545
2010-07-20, 00:27
Before you uninstall ESET, you can find the report here, post it please

C:\Program Files\EsetOnlineScanner\log.txt

Mariah
2010-07-20, 03:11
Ah ok, I found it, sorry.
Here it is:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=e132c5009d64f84a8f205b84283006e5
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-19 08:43:40
# local_time=2010-07-19 04:43:40 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3589 16777173 100 100 781247 15456451 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=42289
# found=2
# cleaned=2
# scan_time=7064
C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\6.0\16\4c3fce10-1035f6fe Java/TrojanDownloader.Agent.NAQ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Mike\Application Data\Sun\Java\Deployment\cache\6.0\23\2c3b3a57-6831bbbb Java/TrojanDownloader.Agent.NAP trojan (deleted - quarantined) 00000000000000000000000000000000 C

ken545
2010-07-20, 03:56
Thats good it found and removed those. You can open the Quarantine folder and delete it all and then remove ESET if you wish, or keep it and run a scan now and then

Just to be on the safe side, run this program, its free and yours to keep and one of the better malware programs


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

Mariah
2010-07-20, 06:08
I own Malwarebytes, so I did a quite update and scan. As usual, it found nothing, but here's those results for you:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4328

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/19/2010 11:05:41 PM
mbam-log-2010-07-19 (23-05-41).txt

Scan type: Quick scan
Objects scanned: 142142
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2010-07-20, 13:31
Good Morning,

I go to a conference each year relating to malware and met the fine folk who own Malwarebytes, great bunch of people. Keeping it updated is the key, thats the key for all your security programs with new threats appearing almost daily.

It looks like your Java is out dated , very easy to fix, new updates block holes that malware can enter your system

Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 21 <--The wording is confusing but this is what you need


Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version

You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.




What I will do is leave this thread open for you for about a week, post back if you still have issues and we can dig deeper if need be.





How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.



Safe Surfn
Ken

Mariah
2010-07-21, 00:53
Thank you for all your help.

I have one more quick question, though. I was looking through my Norton Security History, and it said that earlier today it blocked an "unauthorized access".
It was called c:\windows\system32\rundll32.exe
Is this something that could be causing problems? Though perhaps I'm just being paranoid since it's in System 32.

ken545
2010-07-21, 02:01
That file is a legit windows files and is responsible for placing DLL files in memory when needed, sometimes its blocked by your firewall related to a program, I dont think there is anything to worry about

c:\windows\system32\rundll32.exe <--This is the correct folder for that file, if it was in a different folder it could be a virus but it is not

Hope this helped

Ken

Mariah
2010-07-21, 15:14
Alright, thank you again for all your help!
I'll be sure to post again if I have any questions.

ken545
2010-07-21, 19:18
Your very welcome,

Take Care,
Ken :)

Mariah
2010-07-25, 00:35
Hey, it's me again.
It seems that we have picked up another case of Win32.pornpopup. I believe it is a new case, since Spybot said we had 4 instances of it this time, while last time it was 20. I told Spybot to remove it, then did all the scans you told me to do before, and all of them said I was clear.
I've spoken to my younger brother, who also uses this computer, about what sites he's going on, to keep this from happening again. But if my computer shows signs that I may still have Win32.pornpopup, should I do another system restore, since it seemed to work last time?
Thanks once again for your help, this thing has been a real headache.

ken545
2010-07-25, 01:29
Sorry your still having problems, this little bugger is hard to get rid of.

Please go to start >> run and type

ipconfig /flushdns

and hit enter. Reboot.





Then run this program

http://www.systenance.com/indexdat.php

How to use Index.dat analyzer?

Choose one of three categories from the pull down menu: History, Cookies or Cache. Mark the checkboxes for the entries you want to delete and press “ Delete Cheched ” button. You can check and uncheck all entries at once and you have nice filter that can help you shorten the list to find what you are looking for.



Let me know if this helped

Mariah
2010-07-25, 02:28
Alright, thanks again.

For now, my computer seems to be running alright. I'm going to give it a few days to see if it acts up at all, though. Perhaps Spybot was able to remove it this time.

ken545
2010-07-25, 03:59
With Index Dat analyzer you can remove it all and it wont harm your system, let me know how it went

Mariah
2010-07-30, 00:59
Sorry for the late reply.
Everything worked fine. My computer still occasionally gets slower than normal, but it's no worse than it was when I first made a thread, so I assume Spybot was able to get rid of it this time.
Thanks again!

ken545
2010-07-30, 03:03
Your welcome.

You can post here if you wish and they may be able to help you sort out programs and start up programs that could be slowing you down. There are many causes for slow systems, not enough memory, a hard drive thats pretty well maxed out , conflicting programs. They can look it over for you and help you sort them out

http://forums.whatthetech.com/index.php?showforum=119

We work hand and hand with WhattheTech, like SaferNetworking its free but you will need to register.

Good luck
Ken :)