
Porno Pop ups on TS - HELP!!!

Status
Not open for further replies.

Rinnt

MIS
Feb 11, 2002
181
US
Hi all,

Recently there has been an odd problem occurring on our W2K TS MF 1.8 server: Select people have been getting a Pornographic pop up when they open Internet Explorer. I do not know how this started happening nor do I know how to fix it. I have considered running AdAware on the TS but do not know if this is a good idea. The porno site they are pushed to is:


Can any of you help me out here? I would like to:

a) Fix the problem
b) Find out how this started
c) Prevent it from occurring in the future

I look forward to your advice

TIA
 
Should I put the TS in "Install Mode" when I place this program on it?
 
If I could suggest SysTrack 3.1 to help you with the "b" part of your question; for future occurrences of a problem like this. SysTrack would provide you with a historical log of websites AND webpages that all of your TS/MF users visited. You could then find all of the people who had gone to that site, when they went there and how many times they went there. SysTrack is used for many other things in addition to web tracking. You can download a free trial copy of SysTrack 3.1 from their ftp site. Good luck with your problem.

Mike
kapski@yahoo.com
 
If any of you run into the same problem here's how I fixed it:

1). Went into install mode
2). Installed Adaware
3). Removed all detected files/reg/cookies
4). Back into execute mode
5). Removed Adware from user's start menu

This removed it great but left a problem where 4 Citrix users could not use the Internet. They would start IE only to have it crash on them - every time.

Thanks to carrr for the IE repair fix on that one! After hours, I simply went into install mode, ran the following command from the run box, went to execute mode and restarted:

rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"

works great now =)
 
You're welcome! That solved objective a) for me... Tracking the source down b) seems impossible. Now to address c) How to prevent this in the future.

I'm thinking maybe disable ActiveX and Cookies in our TSE Policy. How many of you guys do that or recommend this as a security precaution? I'm aware that cookies also play an important role for legitimate activities such as checking web mail. This could be a problem...
 
Again, SysTrack will provide the exact details of who is initiating this. I had similar issues with porn sites and adult chat activity. Using SysTrack I got the user name, # of times they visited, how long they stayed, dates, etc. I blocked these sites, removed cookies and re-distributed our Corporate Internet Policy Document. We did not do anything to the culprits, but now that they know our "Big Brother" capabilities, these activities have ceased.
 
Just curious, why do you let your users out on to the web thru metaframe? Seems like a waste of bandwidth, connection licenses, hardware, etc.
We do have some in house apps that are web apps., but we only allow specific sites to be accessed.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
You might want to scan your servers and mailboxes for this virus:


This sucker attaches itself to the Auto signature in Outlook Express and spreads via e-mail. It puts shortcuts to porno sites in the user's favorites folder, and pops up with the sites when they open IE.

I have Symantec Anti Virus running on all of my servers, and Trend ScanMail for my exchange server. A few weeks ago, we got this virus, and it was not being detected by the Trend, but Symantec was catching it. Unfortunately, it did slip under the radar and affect one of my MetaFrame users. I never did find the registry entries mentioned in the Trend article, but I was able to kill it by deleting the shortcuts, history folder and all cookies in the Client's MetaFrame session. The website it was directing him to was also not listed in the article, so the URL in your original post could have been caused by this type of virus.

I think the latest virus updates are catching it now, but this particular one was detected on July 4th. If you got it before then, chances are you still have it...

Good luck!
Kristine
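
Added example, not part of any post in this thread: a Python sketch that audits every user's Favorites folder on the server for Internet Explorer `.url` shortcuts pointing outside an approved host list, which is the symptom described in the post above. The `<profiles root>/<user>/Favorites` layout, the allowlist and the sample shortcuts (all on the reserved `.example` TLD) are assumptions constructed for illustration.

```python
import os, tempfile
from urllib.parse import urlparse

def shortcut_url(text):
    """Return the URL= value from the [InternetShortcut] section of a .url file."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None  # no usable target; the caller still reports the shortcut

def audit_favorites(profiles_root, allowed_hosts):
    """List (user, shortcut path, url) for favorites pointing outside allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for user in sorted(os.listdir(profiles_root)):
        fav_dir = os.path.join(profiles_root, user, "Favorites")
        # os.walk yields nothing if the profile has no Favorites folder
        for folder, _dirs, files in os.walk(fav_dir):
            for name in sorted(f for f in files if f.lower().endswith(".url")):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as fh:
                    url = shortcut_url(fh.read())
                host = (urlparse(url or "").hostname or "").lower()
                if host not in allowed:
                    findings.append((user, os.path.relpath(path, fav_dir), url))
    return findings

def build_sample(root):
    """Constructed sample profiles (assumed layout, hypothetical users and hosts)."""
    samples = {
        ("alice", "Intranet.url"): "[InternetShortcut]\nURL=http://intranet.corp.example/\n",
        ("bob", "Intranet.url"): "[DEFAULT]\nBASEURL=http://x.example/\n[InternetShortcut]\nURL=http://intranet.corp.example/hr\n",
        ("bob", os.path.join("Links", "Free Pics.url")): "[InternetShortcut]\r\nURL=http://unwanted-site.example/index.htm\r\n",
    }
    for (user, rel), body in samples.items():
        path = os.path.join(root, user, "Favorites", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", newline="") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for user, rel, url in audit_favorites(root, ["intranet.corp.example"]):
            print(f"{user}: {rel} -> {url}")
```

The file modification time of each flagged shortcut gives a rough date for when it was written, which helps with the "how did this start" question.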
 
This happened to us when we were MF1.8. All our problem was that the user's home page in IE had been changed... I had even locked it down with a GPO!! Had to unlock it and change it back to our Intranet/Desired home page...

Maybe this helps??
Brandon
 