Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 324
  • Last Modified:

Intermittant Nudie Pop-Up window

Hello experts. I am troubleshooting a PC for a co-worker of mine. There's an intermittant nudie pop-up occurring when she browses the web. It doesn't happen frequently, but it does happen. What do you recommend I do to cleanse her machine of this. I kind of need to do it quickly. Thanks.
0
jaerob
Asked:
jaerob
  • 4
  • 4
  • 4
2 Solutions
 
war1Commented:
Greetings, jaerob !

1. If you have Windows Messenger Service, disable it.  The Messenger is the source of popups and virus.

http://www.itc.virginia.edu/desktop/docs/messagepopup/

2. Use Ewido to remove hard to remove spyware
http://www.ewido.net/en/
or
Spy Sweeper
http://mysite.webroot.com/forms/Infoworld

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/, click Analyze, Save, and post a link to the save analysis here.

Best wishes!
0
 
jaerobAuthor Commented:
Here's the link to the analysis file: http://www.hijackthis.de/logfiles/a6007b01e869bd51599c2a2ac855727a.html
I'll be standing by.
0
 
war1Commented:
1. C:\Program Files\IntCodec\pmsngr.exe is a dangerous trojan. Go to Add/Remove Programs and uninstall IntCodec or anything similar to that.

Did you run Ewido?  It would have remove the trojan.

2. Put a check mark by the following items in HijackThis log and click "Fix Checked".

C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
jaerobAuthor Commented:
Hi war1. Here's the scoop. The Messenger service was already disabled and I did not see a listing in Add Remove Programs for IntCodec. I was able to delete the O2 listing above with HijackThis, but I could not find the listings for IntCodec\pmsngr and IntCodec\pmmon.exe. I ran Exido and it found about 191 spyware entries. I had it delete them all and rebooted the machine. I then ran another scan and it came back with 6 entries. Here they are: Trojan.Agent.qg (high risk), Downloader.zlob.abw (high risk), Adware.IntCodec (Medium Risk), Adware.Search Assistant (Medium Risk), Adware.Spysheriff (Medium Risk), Adware.WeirWeb (Medium Risk). What should I do from here?
0
 
war1Commented:
In Add/Remove Programs, do you recognize any program that you did not install?

Delete those files with with Ewido.  Sometimes you need to run a few passes to remove all the trojans.

You have Spysherrif, a variation of SmitFraud. Use SmitFraudFix to remove it
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip 
0
 
war1Commented:
Use Prevx1 to remove IntCodec
http://free.prevx.com/

Then go into the Program Files and remove the IntCodec folder.
0
 
rpggamergirlCommented:
Hi,

Do this:

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0
 
rpggamergirlCommented:
After you run smitfraudfix option 2,
also run option 3(NOT in safe mode) just in normal mode, to clear your trusted zone so the infection won't have a chance to come back.
0
 
jaerobAuthor Commented:
Ok, After a second run of Ewido and running prevx, everything seemed to be gone. However I went ahead with rpggamergirls recommendations as well. Here's the rapport file:
SmitFraudFix v2.115

Scan done at 19:39:28.48, Sat 10/28/2006
Run from C:\Documents and Settings\BestBuy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Any further thoughts?
0
 
rpggamergirlCommented:
smitfraudfix deleted a smitfraud entry which is this one --> "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


Please run option 3 in normal mode to clear your trusted zone as well.

If you still have other malware problem we can run other diagnostic tool.
0
 
jaerobAuthor Commented:
I ran the "clear trusted zone" option in normal mode as well. The machine appears to be running fine now. I'm going to declare, "Mission Accomplished!" Thanks so much for your timely and expert advice. To be fair, I will split the points between you evenly. By the way... Nice working with you again, rpggamergirl. This is the second time you've come to my rescue. My co-worker will no doubt be very pleased with her machine. God bless you both.
0
 
rpggamergirlCommented:
Well done jaerob!
Glad to know you've got it sorted out.

Thanks for the points, glad to work with you again, anytime you have pc problems malware/viruses etc, we'll all be here ready to assist if we could.

God bless you too!
Thank you.

0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 4
  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now