Solved

Pop ups

Posted on 2002-03-23
Last Modified: 2013-11-28
Porn storms keep attacking my browser. After a few clicks into an Internet session, porno popups keep creating more browser sessions. The only way to stop them is to switch to off-line mode then shut down each browser one by one until they're all gone.
After switching to on-line mode, a few minutes later they come back. What gives?
I want to know how this is done and how do I stop it! I wish to edit the registry or find the offending cause and manually eliminate it. I do not want to install anti-popup software.
Any ideas?
Question by:paulluke
41 Comments
 
LVL 5

Expert Comment

by:andriv
ID: 6891852
You probably have some type of program downloaded into your computer from an email or a site you have visited that is causing it.

Try deleting all cookies and temp files.  If this does not work you will have to download a spyware to find and remove it.  Visit the link below for more details.

http://www.spychecker.com/
0
 

Author Comment

by:paulluke
ID: 6894369
Already did that.
Removed all programs installed just before this started. Deleted cookies, cache, temp files using Explorer and Norton's CleanSweep. Also ran AdAware with updated references. Nothing found.
Checked the site you suggested, good site....=)
Still have same problem.
This is the link that keeps popping up first.

http://in.cybererotica.com/cgi-bin/show.cgi/FMF_CE/1/2125480:A

Then the rest follow, I looked through the code to see if I can determine anything, no such luck.

Any more ideas.



0
 
LVL 5

Expert Comment

by:andriv
ID: 6894396
Do you have a firewall? If it's a program within your PC you can block it with the firewall. Here is a free, easy-to-use firewall that helps me. I found programs when I installed it because they were trying to access the internet and ZoneAlarm alerted me to it.  When ZoneAlarm alerts you of it you can say no, do not allow access, and remember this response, plus you can take note of the program and uninstall it.  If it is a program it should be in the start up so you can also look there for suspicious programs. For ZoneAlarm go to:

http://zonealarm.com/
0
 

Author Comment

by:paulluke
ID: 6894570
Already have ZoneAlarm Pro installed. The culprit is the IE browser (it could be any browser, so don't ask me to switch) and it has to have Internet access.

Somehow I think a plugin or a service was installed without my knowledge. Or perhaps I approved accidentally when I was trying to shut down all those popups.

I really want to dissect this thing so I can understand how it happens.

Need more input....
0
 
LVL 5

Expert Comment

by:andriv
ID: 6894638
What is your default home page when you open your browser?

0
 

Author Comment

by:paulluke
ID: 6894667
Homepage is Google.com
0
 
LVL 5

Expert Comment

by:andriv
ID: 6894750
I doubt if it's coming from there. (But if you want to verify change it to something else close the browser open it again and see if it continues).

Did you check your start up to see if there is anything there that may be starting on start up?

If you already did that then try in the registry:

Go to your Windows directory and double-click regedit

select HKEY_LOCAL_MACHINE -> software -> microsoft -> internet explorer

Then check each folder and see if that URL displays somewhere in the right window.

Hope I can help you with it. If I get this crap I want to know how to get rid of it.
0
 
LVL 5

Expert Comment

by:andriv
ID: 6895289
To check your plugins go to c:\program files\internet explorer\plugins.

In here you will see all the plugins for your browser. If it's not RealPlayer or any other plugin that you use, move the file to your delete bin and try again.  If it persists then restore the plugin and try another.
0
 
LVL 5

Expert Comment

by:andriv
ID: 6895319
Check out this virus, it may or may not be your situation:

http://securityresponse.symantec.com/avcenter/venc/data/w32.pops.html

0
 
LVL 5

Expert Comment

by:andriv
ID: 6895405
I was reading about some of the viruses that attack Internet Explorer and they all have a lot in common.  They create a frame page that will load your selected home page in it to disguise itself, and add stuff to the home page URL to force it to open the frame.

You can go to Norton and look at all the various types, but most of them say that to fix the problem, in IE go to:

tools -> internet options -> then instead of changing the home page click on 'USE CURRENT'.
0
 

Author Comment

by:paulluke
ID: 6895642
Tried everything you suggested. Did complete search through the registry using registry search tool. Did not find any offending urls.
You brought up a good point though. It is possible that the offending url could be disguised as a harmless url which then loads a frame page which in turn loads the porn storm. Clever? I will have to check into this further.

Thanks for helping out with this!

Paul
0
 

LVL 5

Expert Comment

by:andriv
ID: 6895742
I'll keep looking and let you know if I find anything else. You may want to search norton.com they had a lot of different types of results for the keywords: Internet Explorer and Porn.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6898155
Intriguing, and believe that andriv has given you excellent guidance.  Very baffled that you've deleted all cookies, cleared browser's temp int files/history files, autocomplete (if you haven't, clear those entries as well) and the problem persists.  I second andriv's recommendation to get updated virus definition files downloaded and run full scan on all (heuristic included).

It wouldn't surprise me if you checked cookies again you'd have many back you had or thought you had deleted.  Many "free" things drag these types of problems along.  I'd recommend Firewall settings as tight security, would also modify all my browser settings (security/privacy) to optimum security as well, and modify as needed.

Are you the only user?  Perhaps others have access and modify your settings for you without your knowledge, it happens.  

Good luck,
":0)
Asta



0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6898171
Re. PORN Worms ... Aliases:   Crayon of Doom, LIST.VBS, PORNLIST.DOC, VBS/Cod.A
http://vil.mcafee.com/dispVirus.asp?virus_k=98726

Windows ME? Trojan .... http://vil.mcafee.com/dispVirus.asp?virus_k=99071
 
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6898172
The viruses shown below can infect a system 365 days a year. But on the payload dates designated on this calendar, the viruses may do more than just infect you. While these payloads may just be a nuisance, some may severely damage your system //// March 2002
http://www.mcafee.com/anti-virus/calendar/default.asp?
0
 

Author Comment

by:paulluke
ID: 6898390
Did all the above, ran Norton's Virus Scan, runs auto update through "Live Update" (Nortons System Works). ZoneAlarm Pro, Ad Aware, Not free. I have all full registered versions of all software.
My machine: Dual 600 SGI/256M, Win2K. I am only user.
So far I have:
Deleted all cookies, deleted all temp files, deleted all files in cache, removed all plugins and codecs (dated this year), deleted all demo software installed this year. Ran full system scan on all drives. Searched through registry using search function for offending URLs.

Still same page keeps coming back.

Interesting findings:
Occasionally an about:blank page sits in the start bar (bottom of screen), unable to expand it; sometimes it's an Inbox-Outlook Express page but unable to expand (interesting since I don't use Outlook Express and there is no email in it).
I can delete all Porn pages and still I am unable to expand either of those two pages which mysteriously appear in start bar.
The original porn page is a frame page written mostly in javascript which causes the rest to pop up, and others as you close the pages.
Here is the code to this page:

<begin code>
<!-- code by Shai Shprung 2/25/02 -->

<script>
var freeOut=0;
var n=self.location.href;
var i=n.indexOf('.cgi');
var freeOut=0; var j=0;
var s=new Array('','http://tour.cybererotica.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.xxxpassword.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A|-500;175;http://67.bz/eraser/ce.html','http://tour.clubpix.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.scoopy.net/logurl/loadURL/fmp-free:indexsticky.html/2125480:A|700;500;http://www.cematch.com/','http://67.bz/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.asianfrenzy.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A','http://tour.blowmelive.com/logurl/loadURL/consoles:9sticky.html/2125480:A','http://www.67.bz/logurl/loadURL/888casino:indexsticky.html/2125480:A','http://tour.riskymail4free.com/cgi-bin/mailFreeSignup.cgi/R/2125480:A');

function unload(){
 if (freeOut==1) return;
 window.open(n.substring(0,i+4)+'/FMF_CE/2.2/2125480:A');
}
</script>
<noscript><frameset rows='100%,*' scrolling=no border=0 frameborder=no framespacing=0>          
<frame src='http://tour.cybererotica.com/logurl/loadURL/fmp-free:indexsticky.html/2125480:A' scrolling=auto border=0 frameborder=0>
</frameset></noscript>
<script>
 document.write("<FRAMESET ROWS='100%,*' SCROLLING=no BORDER=0 frameborder=no "+          
  "framespacing=0 onunload='unload()'>");
 document.write("<FRAME src='/show.html' SCROLLING=auto BORDER=0 frameborder=0></frameset>");
</script>
<end code>

The page it loads is called:
http://in.cybererotica.com/cgi-bin/show.cgi/FMF_CE/1/2125480:A

I am still at a loss to find what causes the original page to pop in.

Thoughts......=(


 
0
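
The page source posted above chains its popups through a frameset whose onunload handler calls window.open, and that pattern can be recognised statically in a saved copy of a page. The following is an added example, not part of the original thread: the sample page is constructed, `example.test` is a placeholder host, and the function names are hypothetical.

```javascript
// Added example: static check for the exit-popup pattern in a saved HTML page.
// SAMPLE_PAGE is constructed for this example; example.test is a placeholder host.
const SAMPLE_PAGE = `
<script>
var freeOut = 0;
var n = self.location.href;
var i = n.indexOf('.cgi');
function unload() {
  if (freeOut == 1) return;
  window.open(n.substring(0, i + 4) + '/next');
}
</script>
<noscript><frameset rows='100%,*'><frame src='http://example.test/a'></frameset></noscript>
<script>
 document.write("<FRAMESET ROWS='100%,*' onunload='unload()'>");
 document.write("<FRAME src='/show.html'></frameset>");
</script>`;

// window.open(...) or a bare open(...), but not someObject.open(...).
const OPEN_CALL = /(?:\bwindow\s*\.\s*|(?<![\w$.]))open\s*\(/;

// Names of declared functions whose body calls window.open().
// Heuristic: braces are counted without parsing strings or comments.
function popupFunctions(html) {
  const names = new Set();
  const decl = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  let m;
  while ((m = decl.exec(html)) !== null) {
    let depth = 1, p = decl.lastIndex;
    while (p < html.length && depth > 0) {
      if (html[p] === '{') depth++;
      else if (html[p] === '}') depth--;
      p++;
    }
    if (OPEN_CALL.test(html.slice(decl.lastIndex, p))) names.add(m[1]);
  }
  return names;
}

// Exit-time handlers: HTML attributes (including ones inside document.write
// strings) and assignments such as window.onunload = handler.
function exitHandlers(html) {
  const attr = /\bon(before)?unload\s*=\s*(?:\\?["']([^"'\\]*)\\?["']|([^\s>;]+))/gi;
  const found = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const event = 'on' + (m[1] || '').toLowerCase() + 'unload';
    found.push({ event, code: (m[2] ?? m[3]).trim() });
  }
  return found;
}

// Exit handlers that open a window directly or through a popup function.
function findExitPopups(html) {
  const fns = popupFunctions(html);
  return exitHandlers(html).filter(h =>
    OPEN_CALL.test(h.code) ||
    (h.code.match(/[A-Za-z_$][\w$]*/g) || []).some(name => fns.has(name)));
}

console.log(findExitPopups(SAMPLE_PAGE));
```

Run it with Node.js against the text of a page saved from the browser cache; an exit handler that only saves state and never opens a window is not reported.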
 

Author Comment

by:paulluke
ID: 6898398
Silver Lining?

I've gotten real quick at finding that little X at the top right of browsers to shut them down before total Porn Storms set in.

PL
0
 
LVL 5

Expert Comment

by:andriv
ID: 6898454
Interesting that you mention aboutblank.htm, take a look at this virus:

http://securityresponse.symantec.com/avcenter/venc/data/vbs.seeker.f.html

Also take a look in your windows directory and see if you have the file aboutblank.htm. If you do rename it to see what happens.
0
 

Author Comment

by:paulluke
ID: 6898473
Good try...=)

Ran a complete scan of all drives; no aboutblank.htm present.

It may be a trojan but definitely not a virus since I run auto virus scans once a week. Norton checks everything as it comes in.

Thanks andriv

PL
0
 

Author Comment

by:paulluke
ID: 6898506
Found this interesting article. Did not solve my issue but it may help someone later.

http://www.radsoft.net/news/20011101,00.html

PL
0
 
LVL 5

Expert Comment

by:andriv
ID: 6898526
Do a search for aboutblank.htm and about:blank.htm and see if it is on your system anywhere.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899062
What I would do at this point is to do a FIND for *.* and containing text field of cybererotica to find all files/items calling for this and then clean house.

I'd also force a home page change away from blank, both standard home page access as well as any ISP login process that includes home page options.

Asta
0
 

Author Comment

by:paulluke
ID: 6899066
Nothing, Nada.

I am running the whole system completely secure. Prompt for scripts, cookies, still these things popup (but they request permission now). I think somehow I have a Trojan. Unfortunately, I have had one before. The only cure was to reformat.
Don't want to do that. I would rather find the antidote.

PL
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899079
When you deleted your temporary internet files, did you check the item to also delete all offline content?  If not, do that as well.

Curious if when you are in IE - General - Temporary Internet files - Settings - View Objects, any components there are listed as damaged.  IF so, delete them, the next time they are needed based on your net activities, the needed component(s) will be updated/reinstalled.

There also appears to be some relationship with "winning money", etc. with that site when doing a google search, so that "may" be another clue.

When Internet Explorer is automated from an application that replaces the HTML document using the document.write method, and the HTML code contains an IFrame element, the IFrame may not display the intended page. Also, the URL in the address bar may change to about:blank.
RESOLUTION
The problem does not occur when the script within the page rewrites the document. You can insert the script function that rewrites the page into the document, and then call the script function. See the "More Information" section for an example.
STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. More here.
http://support.microsoft.com/search/preview.aspx?scid=kb;en-us;Q272760

That's it from me.
Asta


0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899160
Wow, that was a fast find *.* text containing query.  I've got a lightning fast system with large HDs, I'd still be running this query in another 30 minutes or so to get hits and all files containing.  You'd have to find a result, given your circumstances, perhaps you misunderstood me.  This could not happen, if something within your setup weren't calling for it to invoke.  Much detail was provided here, and your responses very quick... hmmm off to ponder.
Asta

0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899166
Are you synchronizing offline content?  Assuming so, you should delete all offline content pages as well.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899169
The indexsticky.html you note above is another whole realm of concern.  See this.
http://www.google.com/search?hl=en&q=indexsticky.html&spell=1
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899172
Also look for stylesheets you may be using (css)
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6899176
Remove anything to do with doubleclick, also a way to get these popup invasions, as well as fastclick items.  They appear to be removed and reappear constantly from what I've read in researching your problems the past couple of days.
0
 
LVL 27

Accepted Solution

by:
Asta Cu earned 300 total points
ID: 6906863
Somewhat off-topic, but important.

****************************** ALERT********************************
WindowsUpdate - Critical Update alert March 28, 2002 from Microsoft
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-015.asp
Synopsis:
Microsoft Security Bulletin MS02-015  
28 March 2002 Cumulative Patch for Internet Explorer
Originally posted: March 28, 2002
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Two vulnerabilities, the most serious of which would allow script to run in the Local Computer Zone.
Maximum Severity Rating: Critical
Recommendation: Consumers using the affected version of IE should install the patch immediately.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0

Thought you'd appreciate knowing this.
":0)
Asta
0
 

Author Comment

by:paulluke
ID: 6910463
Between this patch and the article regarding indexsticky.html; I was sure I had it licked.
The popups are still happening. I'm still working on it though. I think it may be a Trojan at work (no real cure other than reformat and reinstall) so I will keep looking.

DM
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6935427
curious if you check your entire system and just search for
about
what you find.
I just scanned my system and found some about results as cookies that were NOT displayed within IE6 under settings/cookies.
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6943261
Please update/finalize this question.  It is always to your benefit to remain active and respond to the experts who help you with results.  If more specifics are needed, include URLs, etc.
Moondancer - EE Moderator
0
 

Author Comment

by:paulluke
ID: 6943848
I still have the issue. I have just about given up. I will have to reformat and reinstall. I figure it must be a trojan.
Thanks astaec for all your help. Please submit another comment so I can give you the points. You deserve them for not giving up.

PL

0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6944859
Thank you, paulluke for your response here.  astaec asked me to respond here to let you know that since we have reprogrammed some of our functions, you may now accept any comment posted by an expert to convert it to the accepted answer to then grade and close the question.  If you need my help, just comment and I will assist you further.

Moondancer - EE Moderator
0
 

Author Comment

by:paulluke
ID: 6946809
Thanks astaec for all your help. I figure I will just have to reformat and reinstall. It's the only way I know of to get rid of a hidden trojan.

Thanks again for all your leads.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 6949348
Thanks, Paul.  Sure wish we could have avoided your need to do a reinstall.  I remain baffled that these efforts didn't zero in on the culprit and resolve it for you.  After you reinstall, make sure you have needed patches and updates (security and upgrades) and current drivers.

This one is very important.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-015.asp

Good luck,
":0) Asta
0
