Browsers, E-mail, & Web Apps forum

General discussion

Porn Favorites are appearing in my clients favorites

by hdware / August 27, 2008 12:12 AM PDT

Hi All,

Forgive me if Jane Nolan gets to this first but it is kind of urgent. I have a client (Honestly!) who has a large number of porn related favorites that have appeared on his browser. He has no AV (or he has never ran it) and spybot is out of date. I scanned it and found 600 threats using NOD32!!

Jane described the exact same situation and I wondered if anyone else knew what this may be. I have found many trojans and things such as openstream and favealert. I was alerted to this as his control panel was also missing.

Any help would be great as I dont know if Jane is still online.

Thanks

Jonathan

Post a reply
Discussion is locked
You are posting a reply to: Porn Favorites are appearing in my clients favorites
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Porn Favorites are appearing in my clients favorites
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Be sure to not cross post.
by R. Proffitt Forum moderator / August 27, 2008 12:51 AM PDT
Collapse -
Porn Favorites in IE
by hdware / August 27, 2008 12:56 AM PDT

Thanks for the reply.

This has only been posted on Cnet and the first was simply a reply to Jane Nolan who may no longer be a member. I am confident in removing this but need to be able to explain to others which particular malware has caused this.

Thanks

Jonathan

Collapse -
Re: what particular malware
by Kees Bakker / August 27, 2008 1:08 AM PDT
In reply to: Porn Favorites in IE

Any site your client visited (need not to be a porn site, any dubious site will do) can have caused this.

Clean it (or do a clean install of XP, depending on if cleaning is feasible), sell your client a decent antivirus (or point him to the free ones) and forget about the history. That's impossible to tell.

Kees

Collapse -
Need the culprit
by hdware / August 27, 2008 1:14 AM PDT

Do you think it could have been CWS Shredder? It is important to identify and replicate (via a VM) the cause for reasons I cannot divulge on this forum.

Thanks

Jonathan

Collapse -
The FORENSICS of such
by R. Proffitt Forum moderator / August 27, 2008 2:37 AM PDT
In reply to: Need the culprit

Are often too costly in terms of time and money. No one has paid me to find the exact cause in years. So the issue is usually dealt with by scanning with the usual FREE tools we note in the Spyware Forum then cleaning it up.

For FORENSICS this is not something you usually learn in one post in a forum but something of a life's endeavor. Here's some starting material -> http://www.google.com/search?hl=en&q=computer+forensics+training&btnG=Google+Search&aq=f&oq=

Bob

Collapse -
Why do you think it is CWShredder?
by MarkFlax Forum moderator / August 27, 2008 8:38 AM PDT
In reply to: Need the culprit

Or are you thinking of some malware named CWS Shredder?

CWShredder is a well known and often used tool to find and remove any traces of Cool Web Search browser hijackers. Whilst it may be that Cool Web Search has placed such favorites in the favorites folder, it is not the only cause.

The users surfing habits will contribute as well, "Click here to bookmark this site" in web pages will do the same. Ony the user can stop that.

But without any up to date anti-virus and anti-spyware scanners, and an effective firewall, the user leaves his computer open to threat any time he surfs. The other malware the computer has installed can come from a variety of sources, such as sharing files through P2P, opening infected emails, sharing infected CDs/DVDs, and drive-by surfing attacks.

Trying to backtrack a system with so many infections to find how they got there is going to be nigh on impossible. It will be difficult to justify the time and expense.

Mark

Collapse -
CWS
by hdware / August 27, 2008 5:54 PM PDT

Hi Mark,

Do you think that "hijack this" will indicate what favorites were added other than the defaults or perhaps there would be an ini file. I will search the drive (low level) and see if i can find the url titles anywhere else other than the defaults.

Jonathan

Collapse -
Not sure what you are getting at.
by MarkFlax Forum moderator / August 27, 2008 7:54 PM PDT
In reply to: CWS

Favorites are just added. They won't be picked up by HJT or anything else because in themselves they are not malicious.

You are trying to analyze this too deeply and it is time to move on. If you need to educate others there is no specific answer you can give.

For example, if you drive a car, how do you drive it carefully? Keep your speed down? From what to what? Use the proper signals? What signals, and where/when?

With malware we don't try to find out where they came from or how they work, we set up defenses against them and are vigilant in what we do. That's all we can do.

Mark

Collapse -
Perhaps I need to go to a malware forum.
by hdware / August 27, 2008 8:10 PM PDT

Wow this is really quite a patronising site!

Let?s say someone finds pornographic icons on their desktop and in their favorites that they have not requested or set up. Someone else sees these and assumed that the content was placed there deliberately. The implications of this could be very damaging and the defense of ?it was a virus or it was spyware? has never worked well in a court of law with 12 of your peers assuming you are guilty by the very virtue of the crime you are accused of.

The only way to be able to definitively answer the situation is to identify a piece of Malware that shows symptoms of putting favorites in the favorite?s folder. As per:-

http://www.symantec.com/security_response/writeup.jsp?docid=2003-111717-3802-99&tabid=2

http://www.symantec.com/security_response/writeup.jsp?docid=2008-042907-4420-99&tabid=2

and then find evidence of that Malware. If you were to Google the symptoms you will also see many examples. I was simply looking to get an answer from an expert in Malware instead I get childish replies ignoring the question.

No reply needed I have wasted enough time on this forum

Collapse -
Luckily, we have a malware forum also.
by Kees Bakker / August 28, 2008 6:20 AM PDT

That's http://forums.cnet.com/5204-6132_102-0.html?forumID=32

Of course, it's not unlikely that it was malware. After all, it would be rather stupid of that supposed person to add all those favorites himself on a machine that other people (with administrative capabilities) have access to, be it at work, at school or at home.

But saying it's unlikely is not the same as proving it. And I'm afraid that proving it will be difficult, if not impossible. And it's rather sure that it won't happen by only visiting respectable sites like Microsoft and Cnet and only opening trusted mails.

I can't find anything patronizing in the discussion. All we said (several posters) is that it such forensic activities are uncommon, have an unsure outcome, and might need specialist knowledge or tools. What's wrong with that?

Kees

Collapse -
If it came from the outside ...
by Kees Bakker / August 27, 2008 4:56 PM PDT
In reply to: Need the culprit

it might be impossible to recreate, because there's not a single guarantee exactly the same thing will be done again byt that outside actore even if YOU manage to do the utterly unknown thing that triggered it the last time.

Kees

Popular Forums
icon
Computer Help 49,613 discussions
icon
Computer Newbies 10,349 discussions
icon
Laptops 19,436 discussions
icon
Security 30,426 discussions
icon
TVs & Home Theaters 20,308 discussions
icon
Windows 10 360 discussions
icon
Phones 15,802 discussions
icon
Windows 7 7,351 discussions
icon
Networking & Wireless 14,641 discussions

Tech Tip

Stuck without Internet and want to watch movies?

CNET shows you how to download movies and TV shows onto your device using Amazon Prime so you'll always be entertained.