Solved

Intermittent Nudie Pop-Up window

Posted on 2006-10-28
Last Modified: 2013-11-28
Hello experts. I am troubleshooting a PC for a co-worker of mine. There's an intermittent nudie pop-up occurring when she browses the web. It doesn't happen frequently, but it does happen. What do you recommend I do to cleanse her machine of this? I kind of need to do it quickly. Thanks.
Question by:jaerob
 
LVL 97

Expert Comment

by:war1
ID: 17826650
Greetings, jaerob!

1. If you have Windows Messenger Service, disable it. The Messenger is the source of popups and viruses.

http://www.itc.virginia.edu/desktop/docs/messagepopup/

2. Use Ewido to remove hard-to-remove spyware
http://www.ewido.net/en/
or
Spy Sweeper
http://mysite.webroot.com/forms/Infoworld

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/, click Analyze, Save, and post a link to the saved analysis here.

Best wishes!
0
 

Author Comment

by:jaerob
ID: 17826683
Here's the link to the analysis file: http://www.hijackthis.de/logfiles/a6007b01e869bd51599c2a2ac855727a.html
I'll be standing by.
0
 
LVL 97

Expert Comment

by:war1
ID: 17826741
1. C:\Program Files\IntCodec\pmsngr.exe is a dangerous trojan. Go to Add/Remove Programs and uninstall IntCodec or anything similar to that.

Did you run Ewido? It would have removed the trojan.

2. Put a check mark by the following items in HijackThis log and click "Fix Checked".

C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program
0
 

Author Comment

by:jaerob
ID: 17826901
Hi war1. Here's the scoop. The Messenger service was already disabled and I did not see a listing in Add/Remove Programs for IntCodec. I was able to delete the O2 listing above with HijackThis, but I could not find the listings for IntCodec\pmsngr and IntCodec\pmmon.exe. I ran Ewido and it found about 191 spyware entries. I had it delete them all and rebooted the machine. I then ran another scan and it came back with 6 entries. Here they are: Trojan.Agent.qg (high risk), Downloader.zlob.abw (high risk), Adware.IntCodec (Medium Risk), Adware.Search Assistant (Medium Risk), Adware.Spysheriff (Medium Risk), Adware.WeirWeb (Medium Risk). What should I do from here?
0
 
LVL 97

Expert Comment

by:war1
ID: 17826915
In Add/Remove Programs, do you recognize any program that you did not install?

Delete those files with Ewido. Sometimes you need to run a few passes to remove all the trojans.

You have SpySheriff, a variation of SmitFraud. Use SmitFraudFix to remove it
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip  
0
 
LVL 97

Assisted Solution

by:war1
war1 earned 250 total points
ID: 17826937
Use Prevx1 to remove IntCodec
http://free.prevx.com/

Then go into the Program Files and remove the IntCodec folder.
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 250 total points
ID: 17826984
Hi,

Do this:

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17826991
After you run smitfraudfix option 2,
also run option 3 (NOT in safe mode), just in normal mode, to clear your trusted zone so the infection won't have a chance to come back.
0
 

Author Comment

by:jaerob
ID: 17827274
OK, after a second run of Ewido and running Prevx, everything seemed to be gone. However, I went ahead with rpggamergirl's recommendations as well. Here's the rapport file:
SmitFraudFix v2.115

Scan done at 19:39:28.48, Sat 10/28/2006
Run from C:\Documents and Settings\BestBuy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Any further thoughts?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17827320
smitfraudfix deleted a smitfraud entry which is this one --> "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


Please run option 3 in normal mode to clear your trusted zone as well.

If you still have other malware problems, we can run other diagnostic tools.
0
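
The before/after comparison made in the comment above can be automated. This is an added example, not part of the original thread or of SmitFraudFix: it parses a rapport.txt in the layout posted above and reports which SharedTaskScheduler entries listed under "Before SmitFraudFix" are gone from "After SmitFraudFix". The function names and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: abridged from the rapport.txt layout posted in this thread.
SAMPLE_REPORT = r'''»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
'''

SECTION = re.compile(r'^»+\s*(.+?)\s*$')   # "»»»» Section title"
KEY = re.compile(r'^\[(HK[^\]]+)\]\s*$')    # "[HKEY_...\Key]"
VALUE = re.compile(r'^"([^"]*)"="(\{[0-9A-Fa-f-]{36}\})"\s*$')  # "name"="{CLSID}"

def parse_report(text):
    """Return {section title: set of (registry key, value name, CLSID)}."""
    sections, current, key = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            current, key = m.group(1), None      # new section resets the key
            sections.setdefault(current, set())
        elif m := KEY.match(line):
            key = m.group(1)
        elif (m := VALUE.match(line)) and current and key:
            # CLSIDs are lowercased so the comparison is case-insensitive
            sections[current].add((key, m.group(1), m.group(2).lower()))
    return sections

def diff_before_after(text):
    """Split 'Before' entries into (removed by the fix, still present after it)."""
    s = parse_report(text)
    before = s.get("Before SmitFraudFix", set())
    after = s.get("After SmitFraudFix", set())
    return sorted(before - after), sorted(before & after)

if __name__ == "__main__":
    removed, remaining = diff_before_after(SAMPLE_REPORT)
    print("removed:", removed, "\nstill present:", remaining)
```

As the report itself says, listed keys are not inevitably infected, so an entry that is still present after the fix needs to be checked rather than assumed malicious.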
 

Author Comment

by:jaerob
ID: 17827335
I ran the "clear trusted zone" option in normal mode as well. The machine appears to be running fine now. I'm going to declare, "Mission Accomplished!" Thanks so much for your timely and expert advice. To be fair, I will split the points between you evenly. By the way... Nice working with you again, rpggamergirl. This is the second time you've come to my rescue. My co-worker will no doubt be very pleased with her machine. God bless you both.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17827380
Well done jaerob!
Glad to know you've got it sorted out.

Thanks for the points, glad to work with you again. Anytime you have PC problems, malware/viruses etc., we'll all be here ready to assist if we can.

God bless you too!
Thank you.

0
