How do I find the file/registry key?
Run Spybot and take a screenshot of the page where it shows the malware that it has detected - as at the moment I cannot see any sign of this. Are you getting any symptoms apart from this report?
I cannot say for certain, however, the past month or so printing over the local network has been slower than it used to be. I suspected a network problem but have found nothing wrong. I hadn’t run Spybot in maybe a couple of months. It was only last week when I ran Spybot that I found the pornpopup. Spybot is the only program to identify this. I’ve checked the registry and local drives and can find no occurrence of “pornpopup.”
Right, let's do a search - this may take 10 minutes or so
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
    :regfind
    pornpopup
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Here is the log generated by SystemLook. I’ve checked the registry several times for an occurrence of pornpopup and it never has been found. Also, I never see a pornpopup process running. A big mystery…
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:55 on 20/07/2010 by Dave (Administrator - Elevation successful)
========== regfind ==========
Searching for “pornpopup”
No data found.
-=End Of File=-
I reran the SystemLook program and checked for “porn” only rather than “pornpopup.” See below what was found (this is only the first few of about 1,200 registry entries pointing to a porn site). Regedit|find shows the same. I am the sole user of this computer and it has never visited a porn site. Spybot found the win32:pornpopup again, it keeps coming back. Somewhere there is a kernel generating these registry entries.
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:52 on 21/07/2010 by Dave (Administrator - Elevation successful)
========== regfind ==========
Searching for “porn”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\babespornmag.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\dailypornmag.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\gayspornmag.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\hardcorepornmag.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\maturespornmag.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\pornmagpass.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\pornohome.net]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\porntrack.com]
Go here and run the fixit - this will reset the p3p settings to default http://support.microsoft.com/kb/923737
The registry was clear of any occurrence of “porn”. I reset Internet Explorer as suggested. The registry was still clean. I waited an hour or so and checked the registry. There are about 1,200 occurrences of “porn” - it’s back. I ran Spybot and six problems were identified (see attached).
Somewhere there is a file that executes in the first hour or so after startup. What is that file called? How do we kill it for good?
Thanks…
could you click the plus next to that entry and then post that screen shot
There are no unrecognised files from the last 30 days that I can see. Prior to getting this alert did you visit any web site?
Essexboy, I already deleted the problems with Spybot. Let me complete business as usual and then re-run Spybot. I’ll generate the requested report and send to you.
Thanks for all your help…
No problem, unfortunately I will be offline for the next five days or so
Here is the Spybot report with expanded detail. I go to two sites prior to running Spybot: Forbes.com and Excite.com. I’ll check back to see if you have responded. Meanwhile, I will pursue a fix for the nuisance of a virus…
They are just cookies as a redirect from adbright and are not related to anything else on your system
I’ve found that the pornpopup is not found if I stay away from the Excite.com page. So, when Spybot does find pornpopup, that is nothing to worry about?
That is correct, they are cookies, and they are being saved in the history portion of the registry
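An added example, not part of the thread and not any tool's own code: one way to triage a SystemLook regfind log like the one posted above, separating hits under P3P\History (which the helper identifies as cookie history) from hits under common Windows autostart keys that would deserve a closer look. The sample log, its .test domains and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the regfind log posted in the thread.
SAMPLE_LOG = r"""
========== regfind ==========
Searching for "example"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\example-one.test]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\example-two.test]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
-=End Of File=-
"""

KEY_LINE = re.compile(r"^\[(HKEY_[A-Z_]+\\[^\]]+)\]$")

# Internet Explorer's per-site cookie privacy history (data, not executable).
COOKIE_HISTORY = r"\software\microsoft\windows\currentversion\internet settings\p3p\history"
# Common locations that start programs at boot or logon (not exhaustive).
AUTOSTART = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows nt\currentversion\winlogon",
    r"\system\currentcontrolset\services",
)

def classify(key):
    """Bucket a registry key path, ignoring the hive and letter case."""
    _, _, rest = key.partition("\\")
    path = "\\" + rest.lower()
    def under(prefix):
        # Match the key itself or a subkey, so "Run" never matches "Running".
        return path == prefix or path.startswith(prefix + "\\")
    if under(COOKIE_HISTORY):
        return "p3p-history"
    if any(under(p) for p in AUTOSTART):
        return "autostart"
    return "other"

def triage(log_text):
    """Return (counts per bucket, keys outside the cookie history to review)."""
    counts, review = Counter(), []
    for line in log_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            bucket = classify(m.group(1))
            counts[bucket] += 1
            if bucket != "p3p-history":
                review.append((bucket, m.group(1)))
    return counts, review

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A log in which every hit lands in the p3p-history bucket, as in the excerpt posted in this thread, contains no autostart entries among its matches.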
Essexboy, thank you for your assistance. Bottom line, system is running fine and I don’t have a virus. Thanks again…
My pleasure
Looking at that I am a happy bunny
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
- Click the “Download” button to the right.
- Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586-p.exe and select “Run as an Administrator.”)
SPRING CLEAN
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
- SpywareBlaster to help prevent spyware from installing in the first place.
Malwarebytes. Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
- Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe
is it bad?
1. To stop all Win32.Pornpopup processes, press CTRL+ALT+DELETE to open the Windows Task Manager.
2. Click on the “Processes” tab, search for Win32.Pornpopup, then right-click it and select “End Process”.
3. Click the “Start” button and select “Run.” Type “regedit” into the box and click “OK.”
4. Once the Registry Editor is open, search for the registry key “HKEY_LOCAL_MACHINE\Software\Win32.Pornpopup.” Right-click this registry key and select “Delete.”
5. Navigate to directory %PROGRAM_FILES%\Win32.Pornpopup\Win32.Pornpopup.exe and delete Win32.Pornpopup.exe manually.