Pornographic Adware/Joke Programs

21-11-2005, 07:16 PM
Hello everyone,

I've recently been having some problems with popups...but they don't "pop up." You see, I have Firefox set up so that any link I click will open in a new tab. A porn site has been opening in a new tab, and it's the same site every time. When I leave my computer and come back later, I have several of the pages open in several tabs. It's something like [edit: URL removed] or something...that's not the exact URL, but it's somewhere around that. I ran Spybot - Search & Destroy and Ad-Aware SE Personal, deleted several threats, but it hasn't seemed to work. Please help! I don't want my parents to be in the room and a porn site to pop up when it really wasn't me who went to it in the first place!

[Edit: I have removed your URL as it loaded an X-rated website which is not appropriate viewing for this forum - Jen (Moderator)]

21-11-2005, 07:21 PM
Try HijackThis.


21-11-2005, 07:24 PM
Put the log file here and it will tell you what to remove

21-11-2005, 07:47 PM
Thanks, Jen...I was typing through that fast and I didn't realize...sorry. :\

And thanks, johnboy. Here's the link to the log file analysis if you guys wanna see: http://www.hijackthis.de/logfiles/78965992f5d878799c3559f9cc455571.html

I know what I should get rid of, but I'm curious about the unknown ones...if you guys know anything about them, or if I should just google them...Thanks!


21-11-2005, 07:58 PM
Googled up wfwall1.exe and got this (http://help2go.com/postp77890.html&sid=93e0db0a39012bdebab1f251934f4d5a#77890)

Speedy Gonzales
21-11-2005, 08:03 PM
Tick these, and close browsers. Tick fix checked. Turn system restore off for now, and boot into safe mode.

C:\WINDOWS\system32\clusapi1.exe - Don't know what this is. Once this is ticked, find this file and delete it in safe mode.

C:\WINDOWS\System32\wfwall1.exe. As above

C:\WINDOWS\System32\wfwall1.exe As above

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [fc1934c3ed0e] C:\WINDOWS\system32\clusapi1.exe

Once this is ticked and fix checked is selected, delete this file in safe mode.

O4 - HKLM\..\Run: [wfwall1.exe] C:\WINDOWS\System32\wfwall1.exe

As above.

O4 - HKLM\..\Run: [SkyAffiliate.exe] C:\WINDOWS\System32\SkyAffiliate.exe

As above.

This entry, I think, is what's giving you the porn.

O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\wfwall1.exe

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

If you didn't lock this entry, tick this

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

See if weather something appears in add/remove programs. If there's something here, uninstall it.

Speedy Gonzales
21-11-2005, 08:20 PM
Forgot to add this bit.

Those wfwall1.exe and SkyAffiliate.exe files may be hard to remove.

Post another log after you've done the above. Post another log here, not a link to another site.

21-11-2005, 09:01 PM
Post another log after you've done the above. Post another log here, not a link to another site.


Speedy Gonzales
21-11-2005, 09:06 PM
Well if he's gonna post it there, why post it here? And tell us about it?

22-11-2005, 09:08 AM
But Speedy, the site linked was the hijack analysis site; it's a very useful way to post the link. It offers reasonable diagnosis suggestions as well, which is a bonus in many cases.

I think it's a good way of saving server storage space (it's auto-deleted after a few days from that site).
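
The kind of automated first-pass triage the log analysis site is credited with above can be sketched as follows. This is an added example, not part of the thread and not the logic of HijackThis or hijackthis.de; the three heuristics and all function names are assumptions, and the sample lines are copied from the entries quoted earlier in the thread.

```python
import re
from collections import defaultdict

# Sample lines copied from the log entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [fc1934c3ed0e] C:\WINDOWS\system32\clusapi1.exe
O4 - HKLM\..\Run: [wfwall1.exe] C:\WINDOWS\System32\wfwall1.exe
O4 - HKLM\..\Run: [SkyAffiliate.exe] C:\WINDOWS\System32\SkyAffiliate.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\wfwall1.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
"""

# Heuristics below are assumptions of this example, not HijackThis rules.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HEXNAME = re.compile(r"^[0-9a-f]{8,}$", re.I)


def parse(log):
    """Yield (code, body) for each HijackThis entry line; skip anything else."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]


def triage(log):
    """Return a list of (reason, detail) findings for a human to review."""
    findings, run_targets = [], defaultdict(list)
    for code, body in parse(log):
        if code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(("orphaned entry, backing file missing", body))
        run = RUN.match(body) if code == "O4" else None
        if run:
            # Compare paths case-insensitively: system32 vs System32 is one folder.
            run_targets[run["cmd"].lower()].append(run["name"])
            if HEXNAME.match(run["name"]):
                findings.append(("autorun value name looks machine-generated", body))
    for cmd, names in run_targets.items():
        if len(names) > 1:
            findings.append(("same binary started by several Run values", f"{cmd} <- {names}"))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```

The findings are review prompts only; an entry such as the SkyAffiliate.exe Run value matches none of these heuristics and still needs a human or a reputation lookup to judge.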