-
HotPorn476
Hey guys. Recently I got this virus on my machine. It creates a file in my Windows/system folder, a .exe file called HotPorn476, and a shortcut on my desktop called Sweet Girls Having Sex or something like it. I do not know how I got it, probably from some pop-up or sex website :D The weird thing is I looked it up in Google and it doesn't show up, so I went to Properties of Hotporn476.exe and saw the original filename. It's called Rampage.exe, so I looked it up on Google but came up with nothing. So I went to symantec.com and searched there and found it. Removal instructions say that I update my Norton AV and do a full system scan, so I installed NAV 2004 and did a full system scan and it came up with no viruses found. :Big fat smile on my face: But now whenever a website redirects me to some "Search Website", like the ones with many categories to browse when a link you clicked on doesn't work, I get the file again in my system folder. The best part comes. Whenever the file Hotporn.exe runs it kicks me offline and starts dialing a number, a (900) number. And Symantec says that your phone company will charge you 40$ extra if it dials it. Lucky I pulled my modem out of the wall before it finished dialing. So my question is: has anyone had this "virus", and if yes, how can I remove it completely, because it only runs whenever I get the Search site, and yes, I did a search for any other "Hotporn.exe" or "Rampage.exe" file on my computer but didn't come up with anything. I also checked the registry and the Startup options. Any advice?
-
Hum... One sec
Ok I am looking through "Try to steal this Book2"
I am trying to see if I can find something, I remember seeing something about this.
But here is a link that I found
http://www.doxdesk.com/parasite/AccessPlugin.html
I also recommend that you get Registry prot
It will help to keep it from touching your Registry
-
hahahahaha yea my advice is stay away from the internet porn and scan your files before you first open them
-
This is probably one of those sites that install software on your system when you visit them. They most probably asked if you wanted to install and you clicked yes, either intentionally or not. Some of them install without asking, depending on your security settings.
Yes, they will dial a number and you're gonna get charged a ridiculous amt for it. It's mentioned in the 'Steal this computer' book. Check if the program can be uninstalled. Run AV scan. Run Adaware & Spybot.
See if that helps.
-
r8devil look up.
I already said all that, and he said that his Scanner wasn't picking it up.
Ok...
Now, I can't remember where I saw this at, I saw it somewhere else also.
-
Try renaming it from a DOS prompt. If that doesn't work, go to Task Manager and see if it is there and the process can be ended, then rename the file. If that doesn't work, boot to safe mode and try the same. Once you get the exe stopped you need to investigate iexplore.exe too IMO, try to get a good clean copy.... Better yet, see if M$ has an IE upgrade or service pack that you haven't applied yet and apply it.... that should zap anything that got changed to do with IE.
-
OK, here are the replies to all your suggestions.
Whizkid: I already tried that but it says cannot load file. Check the location.
Computernerd: if I knew there was a file on my computer I wouldn't even open it without knowing what it is, I always scan first.
Tigershark: I go to processes of course and kill the process tree of HotPorn476 and then I delete it from the folder and search for any rampage or hotporn registry entries and delete them, but whenever I get redirected to that search site the file comes up again. I'm gonna try your suggestion and download upgrades for IE and also play a bit in the Internet option and download a pop-blocker because the search site pops up only :)
-
Hi MemorY,
Try:
http://www.spywareinfo.com/~merijn/index.html
and get Hijack This. It is specialist software to detect hijackers. Look for references to the scumware you have detected and delete them. Be careful!.......it will show you everything, not just the bad guys.
Also:
http://www.swatit.org
get SwatIT, update and run. This one takes a long time, but it digs pretty deep and can find things that AdAware and SpyBot Search & Destroy do not.
Then:
http://www.winpatrol.com
You want WinPatrol from BillP Studios. Look at cookies and kill what you don't like or understand (your problem could be from third party cookies). This app also shows you startup and run once info, so check them also :)
Another possibility is that this has gotten into your "hosts" file, which you will find somewhere in your Windows folder. Edit this with Notepad and delete any references to the scumware. I am not sure why, but it seems that stuff buried in the "hosts" file does not get found by standard detection software. :(
Good Luck
BTW http://www.diamondcs.com.au is where you will find RegistryProt. the site is worth a visit anyways.
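
The hosts-file check suggested in the post above, as an added example that is not part of the original thread: a small Python audit that lists every mapping other than the default localhost lines so each one can be reviewed by hand. The sample file content and every host name in it are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts content (not from the thread); every name is a placeholder.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # sinkhole-style block entry
203.0.113.7     search.example.com www.search.example.com
198.51.100.9    update.example.org         # name pointed at a foreign address
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            address, *names = line.split()
            yield line_no, address, names

def audit_hosts(text):
    """Return (line_no, kind, address, hostnames) for entries worth reviewing."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, names))
            continue
        if ip.is_loopback or ip.is_unspecified:
            # Default localhost lines are expected; any other name mapped here
            # is being blocked (harmless for ad hosts, not for update servers).
            if any(n.lower() != "localhost" for n in names):
                findings.append((line_no, "sinkhole", address, names))
        else:
            # A name forced to a routable address overrides DNS for that name.
            findings.append((line_no, "redirect", address, names))
    return findings

if __name__ == "__main__":
    # On NT-based Windows the real file is %SystemRoot%\System32\drivers\etc\hosts;
    # read it with open(path, encoding="utf-8", errors="replace").read().
    for line_no, kind, address, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {address} -> {', '.join(names)}")
```

Anything reported as a redirect that you did not add yourself is a candidate for removal; sinkhole entries need a look at which names they block.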
-
IE is a good place to look. Spyware it may or may not be. Try killing it from a DOS boot disk. Basically what everybody has suggested is good advice. One thing I may suggest that I didn't see mentioned herein. If you are using a firewall, set up a general rule blocking rampage.exe from using any ports, be sure that you block usage of both udp and tcp, and block access to it both to and from connections. I know with Norton, it will alert me as to what ip it is trying to access, what port it is using, and it also sometimes reveals another name for the executable. Sometimes revealing a *.dll, or another *.exe file. One that looks for the files you are deleting, and replaces them if they are found missing.
Also check your file integrity from
c:\>sfc /scannow
oh one more thing, don't forget to look at your prefetch files
Other than that, good luck
/edit added info
-
try the program porn cleaner, I brought a computer of a friend and it was filled with porn. I used porn cleaner and it cleaned every ounce of porn off the hard drive.
I think you can still get it from
www.phazeddl.com
And yes it is one of those warez sites, but hey the program worked, i did go and buy the full copy from a computer shop.
And i give it 10\10 potatoes.
Anyhow cheers
-
There is a way to block this, don't remember the specifics though....but Spybot S&D removes it and blocks it.
-
looks like HijackThis took care of it ..tx everyone
-
Yeah def. use either Adaware or Spybot, and www.pandasoftware.com/activescan is a good free online viri scanner. If you still can't get rid of it I'd try safe mode and search for it in the registry...Good luck
-
hey oofki ... just a friendly advice :).. what you said in your post has been already suggested in this thread ... if I were you I wouldn't do that (repeating what others said) to avoid negative antipoints...I see it is your first post so if somebody negs you he is an ******* and doesn't know to appreciate newbies and help them out ...tx
-
I also had problems with sites like that. Not only porn, a whole bunch of obnoxious search engines and other sites tend to smack junk like that on your comp.
Through trial and error, I found PopupCop to be a great solution. It appears that it blocks most software like that, so I haven't had to run Spybot in a looong time. :D
-
Hi Fenka,
Naughty naughty!...............you are becoming complacent, and that is dangerous. :(
I have AdAware, SpyBot and SwatIT, and run them all at least once a week. At any point in time one of them can find something that the others do not.
The point I would like to make is that scumware is different from malware.............people are making money out of scumware, so it is funded and motivated? I believe that it is much more likely to rapidly change and develop over time because of this.
Keep scanning regularly is all I can say :)
Cheers
-
Hijack This was the best piece of software I ever downloaded a while back - it tells you everything when ppl hijack ur pages. I did have a page/start page/etc hijack protector but it doesn't seem to work!
-
Hello Extreme, and welcome to AO.
We are not alone in our enthusiasm for HijackThis, I have seen it mentioned on other forums too. I would recommend it to everyone as a good tool to have around.
Regarding "blocker software". It goes back to my previous post when I mentioned that scumware was funded. It is actually legal in most places as well :mad:
The authors will have all the blocking software we have and then some, and will be looking for ways around it (still legal I am afraid). The blockers get updated, the scumware gets updated and so on. It is really no different from malware writers versus AV providers.
The one big difference is that as soon as scumware interferes with something else you put on your machine, it breaks the law in a lot of countries. This is why HijackThis is so useful, the scumware cannot avoid it easily, and cannot interfere with it?
Malware, on the other hand, can and does attack your defences and try to disable them.
Cheers
-
Good point nihil.
And everyone has given me a whole new perspective on different programs.
My personal favourites are as follows.
*McAfee anti virus 7.0
*McAfee personal firewall
*Adaware
*Power Scan 9.0
Anyhow I think that others here might prefer other programs, but these are my current favourites.
I did purchase Norton Anti Virus 2004
But for some weird reason it kept on deleting everything, and no matter what I tried it still said everything was a virus.
Even when I installed a game (Age Of Empires 2).
It said that it contained the Jeefo virus....
In the end I bought McAfee and no problems since.
Anyhow cheers
-
Quote:
Originally posted here by creative_32X_mx
try the program porn cleaner, I brought a computer of a friend and it was filled with porn. I used porn cleaner and it cleaned every ounce of porn off the hard drive.
OH MY GOD!!!!!!!!!!!! OH MY GOD!!!!!!!!!!! HOW COULD YOU??!?!!?!?!?!?!?!?!?!?!?!?!?!?!?!!
*Whimpers*
All the pron all gone :( Man, if I bought a PC fulla porn I'd think of it as more of a time saver than a downside.
-
UPDATE: I just got my phone bill, and guess what, it succeeded in dialing out twice so it charged me 39.99$ for each call. I called my phone company and they said that I downloaded some sport stuff (gamez) I guess and cuz of that they charged me. But in the end they told me I don't have to pay anything so it's all good, but if you do get this virus, disconnect your computer from the phone line and follow the instructions in this thread :)
-
Ok, so stupid question time..... since you can get programs that allow you to make long distance phone calls from your computer, where would the charge go if you used your computer to dial one of these numbers (assuming you are on something other than dial-up)
:D
-
I would think that if you were on broadband, you would be all right. I think, but I might be wrong.
The reason I say this is because there's no way for it to actually dial out when you only have an ethernet cable plugged in.
-
Hmmm...there used to be a program called net2phone, or something like that....I guess I don't know why it wouldn't work..I'm gonna have to go and try it out now. Anybody have any good 1-900 numbers :)
-
Quote:
Originally posted here by cheyenne1212
I would think that if you were on broadband, you would be all right. I think, but I might be wrong.
The reason I say this is because there's no way for it to actually dial out when you only have an ethernet cable plugged in.
Yeah, you're wrong. I got this virus or something like it before on cable. But I still leave my modem plugged in to send faxes and stuff, and it's good for testing webpages for dialup speed when I'm designing them. Anyway, you're safe if you've got broadband and do not have a modem plugged in. But if you keep one for backup or convenience, it could still happen. I heard that modem relay go a couple of times and having heard of things like this, I pulled it out of the wall right away. It can still dial out if you have an ethernet cable plugged in. I didn't know you get charged 40 bucks for it though.
-
I sent you a tool that might help if it is a trojan type file. Something is talking to something. Keep it simple stupid is the best method. The KISS method. I tend to go above and beyond myself. Clean your cookies, Delete temp files. Watch your ports. That is one way of communication. Remember to check the created dates of files.
Try this web site
http://www.antiy.net
There is more info to be learned under program binding. This is one way bugs get in. At Antionline. A good example of binary binding can be found at,
http://www.commodon.com/threat/threat-wam.htm
And it all seems so innocent.
Let me know how you make out. I can get a bug or two of my own. And I have a few friends that love a challenge.
-
Try DrWeb antivirus, it usually can find viruses that McAfee and Norton cannot.
But use it just for scanning, it is not good to use for realtime protection.
A few times I got viruses that McAfee, which I use, could not find and DrWeb could. I run it as a secondary antivirus or if I have some trouble with the PC. It is enough to use it in just report or delete mode.
Free for download, but just evaluation version.
http://www.sald.com/
-
Try adaware 6.0 ,it is really great & stay away from dialers
-
well good news for those in the UK - I don't think we can dial premium rate numbers in the US for a start, and the PRS (Premium Rate Services) offered in the UK all have to adhere to the ICTIS guidelines so they can't charge like £50 per min or anything like that - think max is like £2.50 or so - but I advise people to keep an eye out to ensure that they do not infect themselves with anything like this cause you will prolly be made to pay it anyways......well I know for a fact if you are with BT you will have to pay it (used to work for them)
BT will not waive the fees as they are simply relaying the from the PRS provider - if you feel you got any charges from something like this you need to contact ICTIS not BT am afraid as they deal with it :)
v_Ln
-
sounds like a prefetch issue. Clear that folder, manually delete temp internet files, cookies and porn favorites, and check for a web browser self-installed toolbar + change the browser search engine since it has set itself as the default.
...must be XP...
I drink, drive and I will never get caught!
-
:D
Thumbs up on Ad-Aware. It does a nice job on little buggers that hide in the registry and then lets you pick them out. That's user friendly. It is only really a start to find tool. I found a nice Trojan tool called Antiy Ports