win32:pornpopup

win32:pornpopup continues to reappear even though I’ve removed it using both Spybot Search and Destroy and a boot scan using Avast 5.0, numerous times. Other solutions to permanently remove this virus have not worked as well. I can find no file that appears to cause this and suspect that it has an innocuous name. So, any ideas of how to kill this permanently? Thanks…

So, any ideas of how to kill this permanently?

stop visiting porn sites ;D

okay, if Avast cannot remove it, try with mbam (free version)
http://www.malwarebytes.org/mbam.php
(do a quick scan, no need to scan the whole computer)

Now I’m on the defense! As far as I know this computer never has visited a porn site so I am mystified as to how this virus got on my computer. And, more disappointingly, why haven’t I received some juicy pop up ads? You’d think that the least that this virus could do is to give me some entertainment!

I’ll give your suggestion a try…

why haven't I received some juicy pop up ads ?

may be next time ??? (just kidding :wink: )

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Have you tried Hitman Pro?
It’s the solution to almost everything.

Check your registry under HKLM > Software > Microsoft > Windows > CurrentVersion > Run and RunOnce to see if anything references the “popup”.

If it does, delete the entry.

Be extremely careful with the registry, and if you don’t feel comfortable going through it, I suggest not listening to what I just said…
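A read-only way to do the Run/RunOnce check suggested above, as an added example that is not part of the original thread. It goes beyond the post by also covering the per-user (HKCU) keys and the 32-bit view on 64-bit Windows, and the search term `popup` is an assumption taken from the post:

```powershell
# Added example: list every Run/RunOnce autostart value for review.
# Nothing is modified; deleting an entry remains a manual decision.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$term = 'popup'   # assumption: the keyword from the post

$entries = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent (e.g. 32-bit OS)
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        # Pull the program path out of the command line: a quoted path first,
        # then an unquoted path ending in a known extension, else the first token.
        if ($command -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($command -match '^\s*(.+?\.(exe|dll|bat|cmd|vbs|js|scr))(\s|,|$)') {
            $exe = $Matches[1]
        } else {
            $exe = ($command -split '\s+')[0]
        }
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $command
            # False also appears for bare names resolved via PATH (e.g. rundll32.exe)
            TargetExists = ([bool]$exe -and (Test-Path -LiteralPath $exe))
            MatchesTerm  = ($name -match $term) -or ($command -match $term)
        }
    }
}

# Keyword hits first, then everything else, so unfamiliar entries are still seen.
$entries | Sort-Object MatchesTerm -Descending | Format-List
```

An empty `MatchesTerm` column does not clear the machine: an entry with an innocuous name still has to be judged by its `Command` and whether its target exists.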

No problems found with: Avast 5.0, Malwarebytes, Dr Web. Registry has no occurrence of pornpopup, popup. Hijack This reports no problems. I’ll try the Hitman Pro. Thanks…

The win32:pornpopup problem persists. SpyBot will find this but nothing else does: HiJack This, Malwarebytes, Dr. Web, Hitman Pro 3.5, Avast 5.0, Avast Antiroot kit, all do not find. The process is not running and I’ve validated all running processes as ok. Searching the hard drive returns no occurrence of "pornpopup". The problem is deleted using Spybot but it will return after a reboot. It is difficult to nail down exactly what causes this to return.

I don’t receive unwanted popups and this computer has never visited a porn site. I suspect that this virus came in through an email attachment but how it got by Avast is beyond me.

Any other thoughts on how to kill this thing?

There are some special blogs dedicated to complete removal of this Spybot detection - and provide manual instructions

here is one -
http://blog.teesupport.com/how-to-guide-remove-win32-pornpopup/

although I have no personal experience of the virus (trojan on Windows platform - gets worse, apparently) you seem halfway to removal
if you now search the Windows directories using keyword like Win32.Pornpopup, you might find that it is on yr desktop

also clean out yr browser caches with ccleaner http://www.piriform.com/ccleaner
or one of the forum members may have a better cleaner tool built especially for this task

still a bit of an oddball detection this one, and seems always to draw a nasty rating - but still in ‘don’t know’ basket
one alt. recommendation is to use firefox and you won’t get it

I have followed the Tee Support suggestions and have found no occurrence of pornpopup in either the registry or on the hard drive. I will run ccleaner and give it a try. Thanks…

Time for essexboy. I have sent him a pm. He will be here shortly.

nmb

Let's see what you have

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Check the box that says Scan All Users
- Under the Custom Scan box paste this in


netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.dat
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs

Hi essexboy, I had the same scenario where only Spybot showed the pornpopup. I have attached the OTLs.

Please help…
Thanks.

I’m using Win7 64-bit.

Is it only spybot showing it ? As I can see nothing there

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Attached are the two files generated by OTL.EXE. The mystery continues. win32:pornpopup continues to resurface and can be found by Spybot Search and Destroy, only. I’ve run Malwarebytes, as suggested, along with six other programs that have been recommended. Thanks for your support…

Does spybot give a location for the intruder ?

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Dave\LOCALS~1\Temp\aswArKrn.sys -- (aswArKrn)
[2010/07/02 07:31:42 | 000,000,192 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\{268EB95C-7C1C-4826-B79E-0E50B1A64C5A}.dss

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Essexboy,

I reran OTL run fix option with the new code that you sent and here is the log:
All processes killed
========== OTL ==========
Service aswArKrn stopped successfully!
Service aswArKrn deleted successfully!
File C:\DOCUME~1\Dave\LOCALS~1\Temp\aswArKrn.sys not found.
C:\Documents and Settings\All Users\Application Data\{268EB95C-7C1C-4826-B79E-0E50B1A64C5A}.dss moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Dave
->Temp folder emptied: 5557316 bytes
->Temporary Internet Files folder emptied: 212384757 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 4892 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 83 bytes

User: LocalService
->Temp folder emptied: 131520 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 922814 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1146814 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3010250 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 9946046 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 3107302629 bytes

Total Files Cleaned = 3,186.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Dave
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Could you re-run Spybot and let me know the location of the file/registry key that is infected

Essexboy Fighting~!@!~@