Adult Friend Finder Ads Everywhere?


pvwojciak

Just starting today, most of the websites that my wife and I visit on a daily basis (including this one) have graphic ads for Adult Friend Finder, all of which are showing nude women. These are common websites (People.com, this site, google, prosportsdaily.com, etc.) so I'm thinking that it's something on this computer that's leading to it. None of these occurrences are "pop-up" windows, they're just showing the ad right in the space on the website (which usually just shows advertisements at random).

My 4 year old uses this laptop for her Sesame Street website games and stuff, and I don't want to chance her being exposed to any of this stuff.

Has anyone heard of anything like this? I'm attaching 3 logs - not sure if I need to, but last time I had a problem, I did so, so I'm going for it again.

Thanks!
Paul
 
There is a Tracking cookie for this site:
C:\Documents and Settings\Karen\Cookies\karen@adultfriendfinder[1].txt

Let's get rid of the Tracking Cookies, block them in the future and restrict the site:
1. Did you check the line in SAS to remove what it found?
2. Reset Cookies:
Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
3. Put the site in the Restricted Zone:
Open Internet Options> Security tab> Restricted Zone> Sites> type this in:
*.adultfriendfinder
Add

IF you get a message that it is already in another zone, go to the Trusted Zone> Sites> remove it from there, then put it in restricted Zone.

Might be a good time to do a disc cleanup to get rid of the temporary internet files, including History and cookies.

EDIT: Forgot to check HijackThis log: you have been Hijacked!
Remove bad HijackThis entries
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B21B80-CE62-4284-8CC5-03DAB223C694}: NameServer = 218.93.202.110,218.93.202.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{B38D9EAD-A45E-45AB-B593-58F7736A7E6F}: NameServer = 218.93.202.110,218.93.202.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4EF44B-4F57-4807-8210-F415FF304E89}: NameServer = 218.93.202.110,218.93.202.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0974E5D-A99A-45F4-A664-B43DC859028E}: NameServer = 218.93.202.110,218.93.202.111
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

This IP 218.93.202.110 is in the Asian Pacific Network, Chinanet to be specific.
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

You also need to update both of the following:
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 13 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 13
Update Adobe: Most current version: Adobe Reader 9.1
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

Please rescan with HijackThis when finished all of above and attach new log.
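As an added example (editor's code, not from this thread or from HijackThis), a small Python check that parses O17 lines like the ones quoted above and flags any NameServer address that is neither in RFC 1918 private space nor on an explicit allow-list of resolvers; the sample log is constructed from two of the thread's entries plus one benign entry for contrast.

```python
import ipaddress
import re

# Constructed sample: two O17 lines as quoted in this thread, one benign O17
# line (constructed GUID, router at 192.168.1.1), and an unrelated O4 line
# to show that non-O17 entries are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B21B80-CE62-4284-8CC5-03DAB223C694}: NameServer = 218.93.202.110,218.93.202.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{B38D9EAD-A45E-45AB-B593-58F7736A7E6F}: NameServer = 218.93.202.110,218.93.202.111
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# HijackThis O17 format: "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")

# RFC 1918 ranges: a home router or corporate resolver normally lives here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_o17(log_text):
    """Return [(registry key, [nameserver IPs]), ...] for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append((m.group("key"), servers))
    return entries


def is_trusted(ip_text, trusted):
    """True if the address is on the allow-list or inside a private range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed value: treat as suspicious
    return ip_text in trusted or any(ip in net for net in PRIVATE_NETS)


def find_rogue_nameservers(log_text, trusted=frozenset()):
    """Map each O17 registry key to the resolver IPs that fail the allow-list.
    Interfaces whose resolvers are all trusted are omitted."""
    findings = {}
    for key, servers in parse_o17(log_text):
        bad = [s for s in servers if not is_trusted(s, trusted)]
        if bad:
            findings[key] = bad
    return findings


if __name__ == "__main__":
    for key, bad in find_rogue_nameservers(SAMPLE_LOG).items():
        print(f"ROGUE DNS on {key}: {', '.join(bad)}")
```

Pass your ISP's or a public resolver's addresses in `trusted` so they are not reported; anything left over is a resolver the machine has no reason to use.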
 
THANKS for the response. I'm going to look into all of this now, and will let you know once I'm done.

Ok, did all the stuff - Adobe wouldn't let me download 9.1 - said I had Error 1402 and that it couldn't open a key (I have the error note if you need it), so I did the FoxIt instead.

I'm attaching the HJT log.

Let me know how it looks.

THANKS!
 
Okay, looks good. Has the adultfinder problem been resolved? Were you able to put it in the Restricted Sites?

You still have Adobe Reader v7 installed. Just so you know how bloated it was, all of these processes were running for it. All can be checked for HijackThis to remove and Adobe Reader v7 can be uninstalled.
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed above
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
This single entry isn't complete and should be checked:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
The WebexUCFObject ActiveX control, which comes with Cisco WebEx Meeting Manager, contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
http://www.kb.cert.org/vuls/id/661827
Also check the following processes for removal:
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe>> Live! Cam Console Auto Launcher.
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe">> Big resource user!
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe">> Java updater
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

When you have checked all of the noted entries:
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Boot into Safe Mode:
Stop entries from starting on boot:
Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK the following:
ALL Adobe entries
ALL Java entries
Dell entries for processes you're not going to use- or ALL if you want to remove their trash.****
Live Cam entries
iTunes Helper
QuickTime task
Then Apply> OK
For the Services:
Start> Run> services.msc> double click on the Service to open> set Startup type as follows:
Dell Wireless WLAN Tray Service (wltrysvc)> Manual
Java Quick Starter (jqs)> Disable
sprtsvc_dellsupportcenter> Manual if using, Disable if not
For the WebEx O16 entry:
Open Internet Explorer> Tools> Manage Add-ons> Find the webex entry> there are two sections here: 1. Add-ons currently being used and 2. Add-ons previously used> click to highlight> Disable> OK
While still in Safe Mode:
QUICK TIME:
1. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK(Done)
2. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
3. Rename the qttask.exe file:
Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.

ITUNES: Big resource user!
iTunesHelper.exe
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory (Done).

Reboot the computer into Normal Mode> NOTE: ignore the nag message and close after checking 'don't show this message again.' Stay in Selective Startup.

NOTE: Having HijackThis remove an entry doesn't mean you're removing the program itself. you can still start the program manually when you need it.
****Dell pre-loads a lot of trash on a system. Most people don't know it's there, most don't know it can be removed and most don't use them. I have a list of the Dell Processes if you are interested in stopping them from starting up and/or uninstalling them. (I have Dell systems- these were the first to go!) There are 12 entries.
 