Pop ups
Porn storms keep attacking my browser. After a few clicks into an Internet session, Porno popups keep creating more browser session. The only way to stop them is to switch to off-line mode then shutdown each browser one by one untill their all gone.
After switching to on-line mode, a few minutes later they come back. What gives?
I want to know how this is done and how do I stop it! I wish to edit the registry or find the offending cause and manually eliminate it. I do not want to install anti-poppup software.
Any ideas?
After switching to on-line mode, a few minutes later they come back. What gives?
I want to know how this is done and how do I stop it! I wish to edit the registry or find the offending cause and manually eliminate it. I do not want to install anti-poppup software.
Any ideas?
ASKER
Already did that.
Removed all programs installed just before this started. Deleted cookies, casche, temp files using explorer and Nortons clean sweep. Also ran AdAware with updated references. Nothing found.
Checked the site you suggested, good site....=)
Still have same problem.
This is the link that keeps popping up first.
http://in.cybererotica.com/cgi-bin/show.cgi/FMF_CE/1/2125480:A
Then the rest follow, I looked through the code to see if I can determine anything, no such luck.
Any more ideas.
Removed all programs installed just before this started. Deleted cookies, casche, temp files using explorer and Nortons clean sweep. Also ran AdAware with updated references. Nothing found.
Checked the site you suggested, good site....=)
Still have same problem.
This is the link that keeps popping up first.
http://in.cybererotica.com/cgi-bin/show.cgi/FMF_CE/1/2125480:A
Then the rest follow, I looked through the code to see if I can determine anything, no such luck.
Any more ideas.
Do you have a firewall? If it's a program within your PC you can block it with the firewall. Here is a free easy to use firewall that helps me. I found programs when I installed it because it was trying to access the internet and zone alarm alerted me to it. When Zone alarm alerts you of it you can say no do not allow acces and remember this response plus you can take note of the program and unistall it. If it is a program it should be in the start up so you can also look there for suspicious programs. For Zone Alarm go to:
http://zonealarm.com/
http://zonealarm.com/
ASKER
Already have ZoneAlarm Pro installed. The culprit is the IE browser (it could be any browser, so don't ask me to switch) and it has to have Internet access.
Somehow I think a plugin or a service was installed without my knowledge. Or perhaps I approved accidently when I was trying to shut down all those popups.
I really want to disect this thing so I can understand how it happens.
Need more input....
Somehow I think a plugin or a service was installed without my knowledge. Or perhaps I approved accidently when I was trying to shut down all those popups.
I really want to disect this thing so I can understand how it happens.
Need more input....
What is your default home page when you open your browser?
ASKER
Homepage is Google.com
I doubt if it's coming from there. (But if you want to verify change it to something else close the browser open it again and see if it continues).
Did you check your start up to see if it there is anything there that may be starting on start up?
If you already did that then try in the registry:
Go to in your windows directory double click regedit
select HKEY_LOCAL_MACHINE -> software -> microsoft -> internet explorer
Then check each folder and see if that URL displays somewhere in the right window.
Hope I can help you with it. If I get this crap I want to know have to get rid of it.
Did you check your start up to see if it there is anything there that may be starting on start up?
If you already did that then try in the registry:
Go to in your windows directory double click regedit
select HKEY_LOCAL_MACHINE -> software -> microsoft -> internet explorer
Then check each folder and see if that URL displays somewhere in the right window.
Hope I can help you with it. If I get this crap I want to know have to get rid of it.
To Check your plugins go to c:\program files\internet explorer\plugins.
In here you will see all the plugins for you browser if it's not real player or any other plugin that you use move the file to your delete bin and try again. If it persist then restore the plugin and try another.
In here you will see all the plugins for you browser if it's not real player or any other plugin that you use move the file to your delete bin and try again. If it persist then restore the plugin and try another.
Check out this virus, it may and may not be your situation:
http://securityresponse.symantec.com/avcenter/venc/data/w32.pops.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.pops.html
I was reading some of the virus that attack Internet explorer and they all have a lot in common. It creates a frame page that will load your selected home page on it to disguise itself and adds stuff to the home page url to force it to open the frame.
You can go to norton and look at all the various types but most of them says to fix the problem, on IE go to:
tools -> internet options -> then instead of changing the home page click on 'USE CURRENT'.
You can go to norton and look at all the various types but most of them says to fix the problem, on IE go to:
tools -> internet options -> then instead of changing the home page click on 'USE CURRENT'.
ASKER
Tried everything you suggested. Did complete search through the registry using registry search tool. Did not find any offending urls.
You brought up a good point though. It is possible that the offending url could be disguised as a harmless url which then loads a frame page which in turn loads the porn storm. Clever? I will have to check into this further.
Thanks for helping out with this!
Paul
You brought up a good point though. It is possible that the offending url could be disguised as a harmless url which then loads a frame page which in turn loads the porn storm. Clever? I will have to check into this further.
Thanks for helping out with this!
Paul
ASKER
Tried everything you suggested. Did complete search through the registry using registry search tool. Did not find any offending urls.
You brought up a good point though. It is possible that the offending url could be disguised as a harmless url which then loads a frame page which in turn loads the porn storm. Clever? I will have to check into this further.
Thanks for helping out with this!
Paul
You brought up a good point though. It is possible that the offending url could be disguised as a harmless url which then loads a frame page which in turn loads the porn storm. Clever? I will have to check into this further.
Thanks for helping out with this!
Paul
I'll keep looking and let you know if I find anything else. You may want to search norton.com they had a lot of different types of results for the keywords: Internet Explorer and Porn.
Intriguing, and believe that andriv has given you excellent guidance. Very baffled that you've deleted all cookies, cleared browser's temp int files/history files, autocomplete (if you haven't clear those entries as well) and the problem persists. I second andriv's recommendation to get updated virus definition files downloaded and run full scan on all (heuristic included).
It wouldn't surprise me if you checked cookies again you'd have many back you had or thought you had deleted. Many "free" things drag these types of problems along. I'd recommend Firewall settings as tight security, would also modify all my browser settings (security/privacy) to optimum security as well, and modify as needed.
Are you the only user? Perhaps others have access and modify your settings for you without your knowledge, it happens.
Good luck,
":0)
Asta
It wouldn't surprise me if you checked cookies again you'd have many back you had or thought you had deleted. Many "free" things drag these types of problems along. I'd recommend Firewall settings as tight security, would also modify all my browser settings (security/privacy) to optimum security as well, and modify as needed.
Are you the only user? Perhaps others have access and modify your settings for you without your knowledge, it happens.
Good luck,
":0)
Asta
Re. PORN Worms ... Aliases: Crayon of Doom, LIST.VBS, PORNLIST.DOC, VBS/Cod.A
http://vil.mcafee.com/dispVirus.asp?virus_k=98726
Windows ME? Trojan .... http://vil.mcafee.com/dispVirus.asp?virus_k=99071
http://vil.mcafee.com/dispVirus.asp?virus_k=98726
Windows ME? Trojan .... http://vil.mcafee.com/dispVirus.asp?virus_k=99071
The viruses shown below can infect a system 365 days a year. But on the payload dates designated on this calendar, the viruses may do more than just infect you. While these payloads may just be a nuisance, some may severely damage your system //// March 2002
http://www.mcafee.com/anti-virus/calendar/default.asp?
http://www.mcafee.com/anti-virus/calendar/default.asp?
ASKER
Did all the above, ran Norton's Virus Scan, runs auto update through "Live Update" (Nortons System Works). ZoneAlarm Pro, Ad Aware, Not free. I have all full registered versions of all software.
My machine: Dual 600 SGI/256M, Win2K. I am only user.
So far I have:
Deleted all cookies, deleted all temp files, deleted all files in Casche, removed all plugins and codecs(dated this year), Deleted all demo software installed this year. Ran full system scan on all drives. Searched through registry using search function for offending urls.
Still same page keeps coming back.
Interesting findings:
Occasionally an about:blank page sits in the start bar (bottom of screen) unable to expand it, sometimes it's an Inbox-Outlook Express page but unable to expand (interesting since I don't use Outlook Express and their is no email in it.
I can delete all Porn pages and still I am unable to expand either of those two pages which mysteriously appear in start bar.
The original porn page is a frame page written mostly in javascript which causes the rest to pop up, and others as you close the pages.
Here is the code to this page:
<begin code>
<!-- code by Shai Shprung 2/25/02 -->
<script>
var freeOut=0;
var n=self.location.href;
var i=n.indexOf('.cgi');
var freeOut=0; var j=0;
var s=new Array('','http://tour.cybererotica.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.xxxpassword.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A|-500;175;http://67.bz/eraser/ce.html','http://tour.clubpix.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.scoopy.net/logurl/loadURL/fmp-free:indexsticky.html/2125480:A|700;500;http://www.cematch.com/','http://67.bz/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.asianfrenzy.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.blowmelive.com/logurl/loadURL/consoles:9sticky.html/2125480:A','http://www.67.bz/logurl/loadURL/888casino:indexsticky.html/2125480:A','http://tour.riskymail4free.com/cgi-bin/mailFreeSignup.cgi/R/2125480:A');
function unload(){
if (freeOut==1) return;
window.open(n.substring(0,
}
</script>
<noscript><frameset rows='100%,*' scrolling=no border=0 frameborder=no framespacing=0>
<frame src='http://tour.cybererotica.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A' scrolling=auto border=0 frameborder=0>
</frameset></noscript>
<script>
document.write("<FRAMESET ROWS='100%,*' SCROLLING=no BORDER=0 frameborder=no "+
"framespacing=0 onunload='unload()'>");
document.write("<FRAME src='/show.html' SCROLLING=auto BORDER=0 frameborder=0></frameset>"
</script>
<end code>
The page it loads is called:
http://in.cybererotica.com/cgi-bin/show.cgi/FMF_CE/1/2125480:A
I am still at a loss to find what causes the orignal page to popin.
Thoughts......=(
My machine: Dual 600 SGI/256M, Win2K. I am only user.
So far I have:
Deleted all cookies, deleted all temp files, deleted all files in Casche, removed all plugins and codecs(dated this year), Deleted all demo software installed this year. Ran full system scan on all drives. Searched through registry using search function for offending urls.
Still same page keeps coming back.
Interesting findings:
Occasionally an about:blank page sits in the start bar (bottom of screen) unable to expand it, sometimes it's an Inbox-Outlook Express page but unable to expand (interesting since I don't use Outlook Express and their is no email in it.
I can delete all Porn pages and still I am unable to expand either of those two pages which mysteriously appear in start bar.
The original porn page is a frame page written mostly in javascript which causes the rest to pop up, and others as you close the pages.
Here is the code to this page:
<begin code>
<!-- code by Shai Shprung 2/25/02 -->
<script>
var freeOut=0;
var n=self.location.href;
var i=n.indexOf('.cgi');
var freeOut=0; var j=0;
var s=new Array('','http://tour.cybererotica.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.xxxpassword.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A|-500;175;http://67.bz/eraser/ce.html','http://tour.clubpix.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.scoopy.net/logurl/loadURL/fmp-free:indexsticky.html/2125480:A|700;500;http://www.cematch.com/','http://67.bz/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.asianfrenzy.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.blowmelive.com/logurl/loadURL/consoles:9sticky.html/2125480:A','http://www.67.bz/logurl/loadURL/888casino:indexsticky.html/2125480:A','http://tour.riskymail4free.com/cgi-bin/mailFreeSignup.cgi/R/2125480:A');
function unload(){
if (freeOut==1) return;
window.open(n.substring(0,
}
</script>
<noscript><frameset rows='100%,*' scrolling=no border=0 frameborder=no framespacing=0>
<frame src='http://tour.cybererotica.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A' scrolling=auto border=0 frameborder=0>
</frameset></noscript>
<script>
document.write("<FRAMESET ROWS='100%,*' SCROLLING=no BORDER=0 frameborder=no "+
"framespacing=0 onunload='unload()'>");
document.write("<FRAME src='/show.html' SCROLLING=auto BORDER=0 frameborder=0></frameset>"
</script>
<end code>
The page it loads is called:
http://in.cybererotica.com/cgi-bin/show.cgi/FMF_CE/1/2125480:A
I am still at a loss to find what causes the orignal page to popin.
Thoughts......=(
ASKER
Silver Lining?
I've gotten real quick at finding that little X at the top right of browsers to shut them down before total Porn Storms set in.
PL
I've gotten real quick at finding that little X at the top right of browsers to shut them down before total Porn Storms set in.
PL
ASKER
Silver Lining?
I've gotten real quick at finding that little X at the top right of browsers to shut them down before total Porn Storms set in.
PL
I've gotten real quick at finding that little X at the top right of browsers to shut them down before total Porn Storms set in.
PL
Interesting that you mention aboutblank.htm, take a look at this virus:
http://securityresponse.symantec.com/avcenter/venc/data/vbs.seeker.f.html
Also take a look in your windows directory and see if you have the file aboutblank.htm. If you do rename it to see what happens.
http://securityresponse.symantec.com/avcenter/venc/data/vbs.seeker.f.html
Also take a look in your windows directory and see if you have the file aboutblank.htm. If you do rename it to see what happens.
ASKER
Good try...=)
Ran a complete scan of all drives; no aboutblank.htm present.
It may be a trojan but definately not a virus since I run auto virus scans once a week. Norton checks everything as it comes in.
Thanks andriv
PL
Ran a complete scan of all drives; no aboutblank.htm present.
It may be a trojan but definately not a virus since I run auto virus scans once a week. Norton checks everything as it comes in.
Thanks andriv
PL
ASKER
Found this interesting article. Did not solve my issue but it may help someone later.
http://www.radsoft.net/news/20011101,00.html
PL
http://www.radsoft.net/news/20011101,00.html
PL
Do a search for the aboutblank.htm, about:blank.htm and see if it on your system anywhere.
What I would do at this point is to do a FIND for *.* and containing text field of cybererotica to find all files/items calling for this and then clean house.
I'd also force a home page change away from blank, both standard home page access as well as any ISP login process that includes home page options.
Asta
I'd also force a home page change away from blank, both standard home page access as well as any ISP login process that includes home page options.
Asta
ASKER
Nothing, Nada.
I am running the whole system completely secure. Prompt for scripts, cookies, still these things popup (but they request permission now). I think somehow I have a Trojan. Unfortunately, I have had one before. The only cure was to reformat.
Don't want to do that. I would rather find the antidote.
PL
I am running the whole system completely secure. Prompt for scripts, cookies, still these things popup (but they request permission now). I think somehow I have a Trojan. Unfortunately, I have had one before. The only cure was to reformat.
Don't want to do that. I would rather find the antidote.
PL
When you deleted your temporary internet files, did you check the item to also delete all offline content? If not, do that as well.
Curious if when you are in IE - General - Temporary Internet files - Settings - View Objects, any components there are listed as damaged. IF so, delete them, the next time they are needed based on your net activities, the needed component(s) will be updated/reinstalled.
There also appears to be some relationship with "winning money", etc. with that site when doing a google search, so that "may" be another clue.
When Internet Explorer is automated from an application that replaces the HTML document using the document.write method, and the HTML code contains an IFrame element, the IFrame may not display the intended page. Also, the URL in the address bar may change to about:blank.
RESOLUTION
The problem does not occur when the script within the page rewrites the document. You can insert the script function that rewrites the page into the document, and then call the script function. See the "More Information" section for an example.
STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. More here.
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q272760
That's it from me.
Asta
Curious if when you are in IE - General - Temporary Internet files - Settings - View Objects, any components there are listed as damaged. IF so, delete them, the next time they are needed based on your net activities, the needed component(s) will be updated/reinstalled.
There also appears to be some relationship with "winning money", etc. with that site when doing a google search, so that "may" be another clue.
When Internet Explorer is automated from an application that replaces the HTML document using the document.write method, and the HTML code contains an IFrame element, the IFrame may not display the intended page. Also, the URL in the address bar may change to about:blank.
RESOLUTION
The problem does not occur when the script within the page rewrites the document. You can insert the script function that rewrites the page into the document, and then call the script function. See the "More Information" section for an example.
STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. More here.
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q272760
That's it from me.
Asta
Wow, that was a fast find *.* text containing query. I've got a lightening fast system with large HDs, I'd still be running this query in another 30 minutes or so to get hits and all files containing. You'd have to find a result, given your circumstances, perhaps you misunderstood me. This could not happen, if something within your setup weren't calling for it to invoke. Much detail was provided here, and your responses very quick... hmmm off to ponder.
Asta
Asta
Are you synchronizing offline content? Assuming so, you should delete all offline content pages as well.
The indexsticky.html you note above is another whole realm of concern. See this.
http://www.google.com/search?hl=en&q=indexsticky.html&spell=1
http://www.google.com/search?hl=en&q=indexsticky.html&spell=1
Also look for stylehseets you may be using (css)
Remove anything to do with doubleclick, also a way to get these popup invasions, as well as fastclick items. They appear to be removed and reappear constantly from what I've read in researching your problems the past couple of days.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Between this patch and the article regarding indexsticky.html; I was sure I had it licked.
The popups are still happening. I'm still working on it though. I think it may be a Trojan at work (no real cure other than reformat and reinstall) so I will keep looking.
DM
The popups are still happening. I'm still working on it though. I think it may be a Trojan at work (no real cure other than reformat and reinstall) so I will keep looking.
DM
curious if you check your entire system and just search for
about
what you find.
I just scanned my system and found some about results as cookies that were NOT displayed within IE6 under settings/cookies.
about
what you find.
I just scanned my system and found some about results as cookies that were NOT displayed within IE6 under settings/cookies.
Please update/finalize this question. It is always to your benefit to remain active and respond to the experts who help you with results. If more specifics are needed, include URLs, etc.
Moondancer - EE Moderator
Moondancer - EE Moderator
ASKER
I still have the issue. I have just about given up. I will have to reformat and reinstall. I figure it must be a trojan.
Thanks astaec for all your help. Please submit another comment so I can give you the points. You deserve them for not giving up.
PL
Thanks astaec for all your help. Please submit another comment so I can give you the points. You deserve them for not giving up.
PL
Thank you, paulluke for your response here. astaec asked me to respond here to let you know that since we have reprogrammed some of our functions, you may now accept any comment posted by an expert to convert it to the accepted answer to then grade and close the question. If you need my help, just comment and I will assist you further.
Moondancer - EE Moderator
Moondancer - EE Moderator
ASKER
Thanks astaec for all your help. I figure I will just have to reformat and reinstall. It's the only way I know of to get rid of a hidden trojan.
Thanks again for all your leads.
Thanks again for all your leads.
Thanks, Paul. Sure wish we could have avoided your need to do a reinstall. I remain baffled that these efforts didn't zero in on the culprit and resolve it for you. After you reinstall, make sure you have needed patches and updates (security and upgrades) and current drivers.
This one is very important.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-015.asp
Good luck,
":0) Asta
This one is very important.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-015.asp
Good luck,
":0) Asta
Try deleting all cookies and temp files. If this does not work you will have to download a spyware to find and remove it. Visit the link below for more details.
http://www.spychecker.com/