Porno Virus ... help

RubberDuckie
Posts: 2854
Joined: Thu Nov 23, 2000 3:38 am
Location: Texas
Contact:

Post by RubberDuckie »

Long story but I will try to be short:
A friend of mine at work is accused of surfing porno at work.
Looking at the internet log on the server there are about 3 porno sites hit every 3 minutes from his computer. Happened all day long. I believe it to be a virus. His computer is highly visible all day long and there is no way that this could have happened. I believe it to be a trojan virus making his computer hit port 80 to make it look like he was surfing porn all day long. I know he wasn't...cause someone would have seen him hit one of 50,000 sites in one day.
Anyone know of a virus that could do this? If I can find one I can look for it on his computer to help clear his name. ... Our IT department is clueless and is trying to pin him with surfing porn at work and get him fired. I don't know where to start looking ... his computer has been taken away by IT and is in holding....I am trying to inform our IT department what to look for on his computer, but they are clueless.
Any suggestions would be appreciated...
I can provide additional information if needed on what went on.
Oh yeah...his homepage was changed also.
JSTMF
PreDatoR
Life Member
Posts: 5554
Joined: Wed Nov 22, 2000 8:01 pm

Post by PreDatoR »

Well to me it sounds like he has gone to a porn site at least once to get some of the BS those sites do... It could have been spam in an email that when clicked on opens up the site and changes the homepage addy. Don't know what to tell ya but it don't sound good for your friend :(
Sean
Posts: 2360
Joined: Wed Jul 25, 2001 7:33 pm
Location: Rapid City, SD
Contact:

Post by Sean »

I know this may be stupid, but have you tried running Norton or something? Just a personal edition would probably do, if it was a trojan..

I don't know.. Good luck.
- Sean
RubberDuckie
Posts: 2854
Joined: Thu Nov 23, 2000 3:38 am
Location: Texas
Contact:

Post by RubberDuckie »

This happened just before we upgraded computers...now we have PIV Xeons with the latest McAfee...
This computer was a PII200 with a seriously outdated McAfee and it was an NT box.
Of course now our newer computers have protection against changing the Homepage and such with newer antiVirus.
I know this had to be a virus cause no one can hit 50,000 sites in a work day at a reception desk without someone seeing something.
JSTMF
FlyingPenguin
Flightless Bird
Posts: 33162
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida
Contact:

Post by FlyingPenguin »

I would recommend a full Virus scan. If you don't have access to an up to date scanner, use the free online one here: http://housecall.antivirus.com/

Then install the free version of ZoneAlarm, and refuse permission to anything that wants internet access except his Internet browser, email clients, and anything else he legitimately uses.
tunis5000
Almighty Member
Posts: 2296
Joined: Wed Nov 22, 2000 5:40 pm
Location: Ontario, Canada

Post by tunis5000 »

Might wanna try Ad-Aware as well to look for known spyware...
Executioner
Life Member
Posts: 10354
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Post by Executioner »

We have a large company with a huge IS department. I'm pretty good with one of the guys in the tech support, and he told me what they look for regarding porn. They first will look at cookies and graphic images left in the temporary internet folder for proof. Once they have this info, they will begin to monitor his pc very closely until they can catch him in the act. Once caught, they are fired on the spot. They also know that sometimes, you might visit one by accident, and they will ignore that. They are looking for repeated visits, and they target certain words when scanning pc's.

You won't believe how stupid people can be. The company's policy is very clear when it comes to porn, yet we've had idiots that will visit a porn site, and begin to print pages and pages of images to a color printer LOL. How dumb can you be!

I'm waiting for them to tell me that I can't download files using the company's pc. Lots of times, I use my pc at work to download patches and updates, plus some MP3's on FTP sites that I know and have permission to log into.
LoneWolfX1X
Senior Member
Posts: 426
Joined: Thu Nov 01, 2001 10:33 pm
Location: NH
Contact:

Post by LoneWolfX1X »

Originally posted by tunis5000
Might wanna try Ad-Aware as well to look for known spyware...
Definitely tell IT about the spyware angle

Divx, Sandra, and innumerable other proggies install spyware that create porn popups...


Just tell IT to run MSCONFIG and check the startup tab

Hit Google and try and get some linkage to back your theory (sorry it's late and I'm tired...) specifically divx+spyware, sandra+spyware, gator+spyware, comet+spyware
TruckStuff
Golden Member
Posts: 1056
Joined: Thu Feb 07, 2002 5:17 pm
Location: Dallas, TX

Post by TruckStuff »

That would be the weirdest damned virus I have ever seen. I would tell them to check their firewall logs before they go firing this guy to make sure they weren't hacked. It would be pretty easy once you are inside a firewall to bounce requests off of a particular computer and send them back to someplace else. So I would play the hacked network angle before I worry about the virus angle.
Mike89
Senior Member
Posts: 457
Joined: Sat Nov 25, 2000 3:04 am
Location: California
Contact:

Post by Mike89 »

50,000 porn hits a day? Are you kiddin me?

Either something is really amiss or this is the horniest dude on the planet!
Slugbait
Golden Member
Posts: 1109
Joined: Thu Nov 23, 2000 11:48 am
Contact:

Post by Slugbait »

My vote is spyware, too. Perhaps it has a referral ID, so someone is making cash at this guy's expense. Hell, that's what I would do if I were greedy...it's no fun writing a virus or whatever unless I get something out of it.
wpublic
Senior Member
Posts: 350
Joined: Sun Jan 06, 2002 6:07 am
Location: nashville, tn

Post by wpublic »

He could have had some software unknowingly installed onto his system (probably while he was installing some other software, and this thing just gets "slid" in underneath..."Spyware, Scamware, Scumware, or whatever, same ballpark") that will replace legitimate ad banners on legitimate sites he was viewing with someone else's ads. And this person probably has no idea. Like he could be at a Disney site or something, and all the ad banners could be coming from a porn site, because the program has messed with this person's browser. The ads could have been served from a porn server. Look in the server logs for gif files requested and see if the majority of the larger gif files are coming primarily from a small handful of IPs.

Unfortunately this happens a lot out there. And as per previous posters' suggestions, Ad-Aware should be able to detect and remove these programs. The Ad-Aware site also has a helper app now that you can use to automatically check for updates to the signature file (list of files it scans for), if you don't want to update manually.

Or if they are finding porn URLs in his history folder, could be like some popunders or something that keep refreshing, or if he closes the window, it is set to reload after 3 minutes. If you boot up the PC and run for a few minutes, and then disconnect from the internet, wait for a while, the little popunder should be like a 404 error or something. Or view the source on the popunder to see what kind of JavaScript it has on the page. Most likely an external .js file, though. Make sure they check the cache for .js files and see what turns up.
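
Editor's added example (not written by any poster in this thread): a Python sketch of the log check suggested above, measuring how regular each client's request timing is and how concentrated its destination hosts are. The log format, IP addresses and hostnames are constructed for illustration; a timer-like result points to automated traffic but does not by itself say which program generated it.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlsplit

def parse(line):
    """Constructed format: 'YYYY-MM-DD HH:MM:SS client_ip url'."""
    date, time, client, url = line.split()
    return datetime.fromisoformat(f"{date} {time}"), client, urlsplit(url).hostname

def bursts(times, gap=30):
    """Collapse requests that follow the previous one within `gap` seconds."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > gap:
            starts.append(t)
        last = t
    return starts

def profile(lines, min_bursts=10, max_cv=0.1):
    """Per client: burst count, mean gap, interval regularity, host concentration."""
    by_client = defaultdict(list)
    for ts, client, host in map(parse, lines):
        by_client[client].append((ts, host))
    report = {}
    for client, events in by_client.items():
        starts = bursts(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        # Coefficient of variation near 0 means a timer, not a person, sets the pace.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None
        hosts = Counter(host for _, host in events)
        top3 = sum(n for _, n in hosts.most_common(3)) / len(events)
        report[client] = {"bursts": len(starts),
                          "mean_gap_s": round(mean(gaps)) if gaps else None,
                          "timer_like": cv is not None and len(starts) >= min_bursts and cv <= max_cv,
                          "top3_host_share": round(top3, 2)}
    return report

def sample_log():
    """Constructed data: 10.0.0.23 makes 3 requests every 180 s; 10.0.0.40 browses by hand."""
    day, fmt, lines = datetime(2002, 10, 14, 8), "%Y-%m-%d %H:%M:%S", []
    for i in range(40):
        for n in range(3):
            t = day + timedelta(seconds=180 * i + n)
            lines.append(f"{t.strftime(fmt)} 10.0.0.23 http://ads{n}.example.net/b.gif")
    for off in (0, 95, 130, 900, 2400, 2460, 5000, 5055, 9000, 9700, 14000, 14100):
        t = day + timedelta(seconds=off)
        lines.append(f"{t.strftime(fmt)} 10.0.0.40 http://site{off % 7}.example.org/")
    return lines
```

Calling `profile(sample_log())` returns one entry per client; on real logs, adapt `parse` to the proxy's actual line format.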
RubberDuckie
Posts: 2854
Joined: Thu Nov 23, 2000 3:38 am
Location: Texas
Contact:

Post by RubberDuckie »

OK here is the rest of the story:

After the police got involved....(there was child pornographic material viewed from the history. This is a government computer located at city hall where I work, therefore it became a big deal quickly. Our IT department must be idiots not to catch this one) they discovered it to be this TROJAN VIRUS.

Duh is all I have to say. We use Novell and Groupwise for email. Outlook has been shut down on our computers for some time now. Therefore I'm not sure how someone on the outside got in to this computer thru the firewall only to get back out and surf. Let alone be able to do this without our IT department catching it or having a clue how TROJANS work. It took the involvement of the local police department to find its origin. I am still a bit confused how this could happen at my location but I do not know how IT has the network set up.

The guy never lost his job and got a formal apology and was refunded his loss of income during his layoff.

I think this shows the stupidity of our IT department.

Oh well, all is good now.
JSTMF
PreDatoR
Life Member
Posts: 5554
Joined: Wed Nov 22, 2000 8:01 pm

Post by PreDatoR »

That's good to hear he didn't lose his job... That IT department must not be the swiftest there is... Most should have picked that up right away and had it taken care of immediately. Damn trojans...