  #1  
Old November 2nd, 2003, 05:41 PM
mike_bigley mike_bigley is offline
New Member
 
Join Date: Sep 2003
Age: 52
Posts: 6
Random Porn Sites coming up in IE

Hi,

I wrote in earlier with this problem, and did the hijack and spy-bot things that you recommended. I'm still getting random porn sites that just seem to appear from nowhere. It just happened again about an hour ago. I made a new hijack log, and am enclosing it below. By the way, I just checked for Windows and IE updates, and it looks like I'm all up-to-date. Any help is much appreciated.

Mike

Logfile of HijackThis v1.97.2
Scan saved at 12:32:03 PM, on 11/02/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MEDIASCAPE\HP ONE-TOUCH KEYBOARD\KEYBDMGR.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TASKMON.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MEDIASCAPE\HP ONE-TOUCH KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

F1 - win.ini: load=C:\HP\REGISTER\remind.exe
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\PROGRA~1\MEDIAS~1\HPONE-~1\KEYBDMGR.EXE
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [NomdCheck] C:\RealTime\Setup\naudiort\None\nomdchek.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\McAfee\VirusScan\VSHWIN32.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...885.5494791667
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = harcourtbrace.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.53.130.2,216.53.130.3
  #2  
Old November 2nd, 2003, 09:24 PM
renegade600 renegade600 is offline
Certifiable Bum
 
Join Date: Sep 2003
O/S: Linux
Location: Jonesboro, Ar
Posts: 21,909
Sounds more like Windows Messenger. If this is the case you cannot disable it. See http://www.itc.virginia.edu/desktop/docs/messagepopup/

However, I have read somewheres if you rename the folder Windows Messenger resides in, it will stop the popups, but after every MS update you will have to rename it again. I will not swear on this fix.
__________________
Dan
Registered Linux User #382181 - Don't be irreplaceable; if you can't be replaced, you can't be promoted.

posting tips - cth tos - how to post hijackthis log
  #3  
Old November 2nd, 2003, 09:45 PM
mike_bigley mike_bigley is offline
New Member
 
Join Date: Sep 2003
Age: 52
Posts: 6
Quote:
Originally Posted by renegade600
Sounds more like Windows Messenger. If this is the case you cannot disable it. See http://www.itc.virginia.edu/desktop/docs/messagepopup/

However, I have read somewheres if you rename the folder Windows Messenger resides in, it will stop the popups, but after every MS update you will have to rename it again. I will not swear on this fix.
Dan,

Thanks for your response, but these are not messenger windows, but a whole new browser window will appear, pointing to some porn site. Not only that, but sometimes about 6 new browser windows come up, each pointing to a different porn site. I'm dreading the day when my little blue-haired mother comes over and wants a computer lesson.

Mike
  #4  
Old November 2nd, 2003, 09:56 PM
renegade600 renegade600 is offline
Certifiable Bum
 
Join Date: Sep 2003
O/S: Linux
Location: Jonesboro, Ar
Posts: 21,909
Quote:
Originally Posted by mike_bigley
Dan,

Thanks for your response, but these are not messenger windows, but a whole new browser window will appear, pointing to some porn site. Not only that, but sometimes about 6 new browser windows come up, each pointing to a different porn site. I'm dreading the day when my little blue-haired mother comes over and wants a computer lesson.

Mike
Wish you said that before. In your original message you just said it came out of nowheres but it actually comes up in a browser window. Then I suggest getting a popup stopper. You can get a free one from panicware.com. I use the pro version of the same.

As far as your log I do not see anything that pops out (no pun intended) but I am not an expert when it comes to log reading.
  #5  
Old November 2nd, 2003, 11:32 PM
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
 
Join Date: Oct 2001
Location: New Zealand
Posts: 47,217
Hi Mike - I have had a look at your log but I cannot see anything out of the ordinary running on your PC. Who is your ISP? The two below entries should point to your ISP and their DNS Server. The IP address 216.53.130.3 below resolves to mpinet.com.

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = harcourtbrace.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.53.130.2,216.53.130.3
__________________
Moderator: Vista Forum

Microsoft MVP - Windows Desktop Experience 2004-2008

If we have helped you, please consider supporting Cyber Tech Help with a subscription

Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you.

How to help prevent re-infection
  #6  
Old November 4th, 2003, 12:51 AM
mike_bigley mike_bigley is offline
New Member
 
Join Date: Sep 2003
Age: 52
Posts: 6
Quote:
Originally Posted by AnnMarie
Hi Mike - I have had a look at your log but I cannot see anything out of the ordinary running on your PC. Who is your ISP? The two below entries should point to your ISP and their DNS Server. The IP address 216.53.130.3 below resolves to mpinet.com.

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = harcourtbrace.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.53.130.2,216.53.130.3
AnnMarie,

Thanks for your help. My current ISP is RoadRunner. The MPINet was my previous ISP. The Harcourtbrace entry is from a previous job I had. Do you also think the popup-stopper would help here? It's really strange. It happens randomly, and it doesn't matter what site I happen to be in when these porn sites come up. I hate it.

Mike
  #7  
Old November 4th, 2003, 06:14 AM
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
 
Join Date: Oct 2001
Location: New Zealand
Posts: 47,217
OK, it would be a good idea then to use Hijack This to remove those entries and reboot.

I can understand your concern, Mike. It wouldn't hurt to install a popup-stopper and see if it helps. I use the latest Google Toolbar and I think it works well, but if you run a search on our site, you'll find other options if the Google Toolbar doesn't appeal to you.
  #8  
Old November 4th, 2003, 08:37 AM
tb525 tb525 is offline
Hijack Advisor
 
Join Date: Sep 2002
O/S: Windows Vista
Posts: 3,132
Hi Mike,
I wonder if this isn't the 'Hun.net' hijack...Click Start > Run > type regedit and click OK.
Click the + next to the following keys:

HKEY_CURRENT_USER
Software
Microsoft
Internet Explorer


Scroll down and click on the Main folder. In the right-hand window, look and see if something like the following is present:

"YAHOOSubst"="a|http://www.thehun.net|http://www.xxxxxxxx.com/
b|http://www.thehun.net|http://www.xxxxxxxx.com/
c|http://www.thehun.net|http://www.xxxxxxxx.com/
d|http://www.thehun.net|http://www.xxxxxxxx.com/
e|http://www.thehun.net|http://www.xxxxxxxx.com/
f|http://www.thehun.net|http://www.xxxxxxxx.com/


*The xxxxxxx's could be any (porn) site.

If present, right click on the "YAHOOSubst" value and choose delete.
Also delete all the http://www.thehun.net|http://www.xxxxxxxx.com/ entries.

Then do the above steps for this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
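The manual check in the post above, written as a script (an added example, not part of the original thread). It assumes the two `Internet Explorer\Main` keys were exported to text with regedit and that the value looks like the one shown in the post; `find_yahoosubst` and the sample export are constructed for illustration. It matches on the value name rather than on any particular URL.

```python
import re

# Both keys tb525's post says to inspect (compared case-insensitively).
IE_MAIN_KEYS = {
    r"hkey_current_user\software\microsoft\internet explorer\main",
    r"hkey_local_machine\software\microsoft\internet explorer\main",
}
VALUE_START = re.compile(r'"YAHOOSubst"\s*=', re.IGNORECASE)
# One entry as shown in the post: letter|url|url
ENTRY_RE = re.compile(r'\b(\w)\|(https?://[^|\s"]+)\|(https?://[^|\s"]+)')

def find_yahoosubst(reg_text):
    """Return (key, letter, first_url, second_url) for each YAHOOSubst entry
    under an Internet Explorer\\Main key in exported registry text."""
    hits, key, in_value = [], None, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):           # key header: closes any open value
            key, in_value = line.strip("[]"), False
            continue
        if key is None or key.lower() not in IE_MAIN_KEYS:
            continue
        if VALUE_START.match(line):
            in_value = True
        elif not line or line.startswith(('"', "@")):
            in_value = False               # blank line or a different value
        if in_value:
            hits += [(key, *e) for e in ENTRY_RE.findall(line)]
    return hits

# Constructed sample export (not taken from the thread's machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
"YAHOOSubst"="a|http://www.thehun.net|http://www.xxxxxxxx.com/
b|http://www.thehun.net|http://www.xxxxxxxx.com/"
"Search Page"="http://www.example.com/search"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
'''

if __name__ == "__main__":
    for key, letter, first, second in find_yahoosubst(SAMPLE_REG):
        print(f"{key}: {letter} | {first} | {second}")
```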
  #9  
Old November 8th, 2003, 04:10 PM
mike_bigley mike_bigley is offline
New Member
 
Join Date: Sep 2003
Age: 52
Posts: 6
Quote:
Originally Posted by tb525
Hi Mike,
I wonder if this isn't the 'Hun.net' hijack...Click Start > Run > type regedit and click OK.
Click the + next to the following keys:

HKEY_CURRENT_USER
Software
Microsoft
Internet Explorer


Scroll down and click on the Main folder. In the right-hand window, look and see if something like the following is present:

"YAHOOSubst"="a|http://www.thehun.net|http://www.xxxxxxxx.com/
b|http://www.thehun.net|http://www.xxxxxxxx.com/
c|http://www.thehun.net|http://www.xxxxxxxx.com/
d|http://www.thehun.net|http://www.xxxxxxxx.com/
e|http://www.thehun.net|http://www.xxxxxxxx.com/
f|http://www.thehun.net|http://www.xxxxxxxx.com/


*The xxxxxxx's could be any (porn) site.

If present, right click on the "YAHOOSubst" value and choose delete.
Also delete all the http://www.thehun.net|http://www.xxxxxxxx.com/ entries.

Then do the above steps for this key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
WOW! You guys rule!

The YAHOO value was there in my registry. It did not point to thehun.net, but it did point to sshosting.com or something like that. And I do remember that the first porn site was always that particular URL. I removed the entries as you instructed, and re-booted. I don't expect to see the porn sites again. Thanks for all your wonderful help, folks!!!

Mike
  #10  
Old November 9th, 2003, 08:38 PM
AnnMarie AnnMarie is offline
Cyber Tech Help Moderator
 
Join Date: Oct 2001
Location: New Zealand
Posts: 47,217
WTG tb525!
All times are GMT +1. The time now is 05:23 PM.
