This is a question for something that I ran into a couple days ago. It is not a virus in the true sense of the word, but it behaves like one so I thought this would be the best place to post this question.

I have a client that who's machine I worked on for the first time this week. His desktop was literally covered with icons, but nestled in amongst all of them was a shortcut that was labeled "Liveshows". The icon was crude, showing a naked lady from the waist, up.

Each time the PC is booted, a small dialog box pops up asking for the user to read an agreement and click either the "accept" or "cancel" button. In reading this so-called agreement, I found that this is actually a dialer that connects to a porn site, but it does it through a proprietary phone number that costs $7.99 per minute.

I tried several times, using different methods, to remove this thing from the machine. No matter what I did, it would come back on the next boot up.

It resides at c:\liveshows\dialer.exe

I deleted these files and checked to be sure there was nothing in the "Startup" Group. I deleted these files and even did a regisrty search to find anything like "liveshows", etc.

No matter what I did, it would come right back on the next boot.

Anybody else run into this and have a successful way to clean it up??

Thanks

[quote]Originally posted by Curt:
<strong>This is a question for something that I ran into a couple days ago. It is not a virus in the true sense of the word, but it behaves like one so I thought this would be the best place to post this question.

I have a client that who's machine I worked on for the first time this week. His desktop was literally covered with icons, but nestled in amongst all of them was a shortcut that was labeled "Liveshows". The icon was crude, showing a naked lady from the waist, up.

Each time the PC is booted, a small dialog box pops up asking for the user to read an agreement and click either the "accept" or "cancel" button. In reading this so-called agreement, I found that this is actually a dialer that connects to a porn site, but it does it through a proprietary phone number that costs $7.99 per minute.

I tried several times, using different methods, to remove this thing from the machine. No matter what I did, it would come back on the next boot up.

It resides at c:\liveshows\dialer.exe

I deleted these files and checked to be sure there was nothing in the "Startup" Group. I deleted these files and even did a regisrty search to find anything like "liveshows", etc.

No matter what I did, it would come right back on the next boot.

Anybody else run into this and have a successful way to clean it up??

Thanks</strong><hr></blockquote>

press ctrl, alt, del when the pc is running (am I assuming this is a 9x/me box), it should show you the prog that's actually running.. and it may not be in the reg, but in the system or win.ini files and getting started from there.

Noo noo is right on depending on your OS it could be in system and win. I just thought i'd ask also did you go into the registry and look to see what was being launched at start up.
Win9x would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\run even runservices

I have seen this before (one of my former bosses) and there was an entry for it under Add/Remove Programs.

Another way (if the Add/Remove is not listed) is to follow the below:

[quote]Liveshows is a dialler program, a common scam among less-reputable adult Web sites. A dialer changes your ISP dial-out number to a high-charge per-minute phone number, often in another country (the US equivalent would be a 1-900 number). Dialers may also silently disconnect and reconnect your modem even as you are surfing the Web, as soon as the program is executed.

A Liveshows installer reportly comes as an attachment in a piece of unsolicited email. It may also be installed from some adult Web sites. If executed, a window will appear every time the computer is started, hounding the user to accept a set of Terms and install the dialer. The installer will also add install links to your Start menu and desktop.


Delete the Liveshows folder (normally C:\Liveshows). It typically contains three files; dialer.exe, dialer.ini, and terms.txt.
Delete the file C:\FINDFAST.EXE . This is the program that runs at startup. (It appears to be trying to look legitimate to fool the user - findfast.exe is also the name of a legitimate, albeit useless, Microsoft utility installed with MS Office.) <hr></blockquote>

A system I dealt with recently suffered from numerous porn-spyware-adware infections, including the DIALER.EXE one installed at least three different ways. It manifested as a supposedly asian sourced version titled "GO IN". There was also a persistent Russian flavoured pair of red lips in amongst the junk. As the system basically had Windows & this stuff on a 2G FAT16 partition on a 60G hard drive, I wiped it & re-installed.

Thanks for the input, Guys. I appreciate it :D

[quote]Originally posted by Curt:
<strong>Thanks for the input, Guys. I appreciate it :D </strong><hr></blockquote>

Did the suggestions work?

</font><blockquote><font size="1" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">quote:</font><hr /><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">Originally posted by Wyckyd1:
<strong>Noo noo is right on depending on your OS it could be in system and win. I just thought i'd ask also did you go into the registry and look to see what was being launched at start up.
Win9x would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\run even runservices</strong></font><hr /></blockquote><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">Might even be in HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

</font><blockquote><font size="1" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">quote:</font><hr /><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">Originally posted by dead:
<strong> </font><blockquote><font size="1" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">quote:</font><hr /><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">Originally posted by Wyckyd1:
<strong>Noo noo is right on depending on your OS it could be in system and win. I just thought i'd ask also did you go into the registry and look to see what was being launched at start up.
Win9x would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entversion\run even runservices</strong></font><hr /></blockquote><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">Might even be in HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run</strong></font><hr /></blockquote><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">That was what was already said though????? :confused: