jaerob
asked on
Intermittent Nudie Pop-Up window
Hello experts. I am troubleshooting a PC for a co-worker of mine. There's an intermittent nudie pop-up occurring when she browses the web. It doesn't happen frequently, but it does happen. What do you recommend I do to cleanse her machine of this? I kind of need to do it quickly. Thanks.
ASKER
Here's the link to the analysis file: http://www.hijackthis.de/logfiles/a6007b01e869bd51599c2a2ac855727a.html
I'll be standing by.
1. C:\Program Files\IntCodec\pmsngr.exe is a dangerous trojan. Go to Add/Remove Programs and uninstall IntCodec or anything similar to that.
Did you run Ewido? It would have removed the trojan.
2. Put a check mark by the following items in HijackThis log and click "Fix Checked".
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program
ASKER
Hi war1. Here's the scoop. The Messenger service was already disabled and I did not see a listing in Add/Remove Programs for IntCodec. I was able to delete the O2 listing above with HijackThis, but I could not find the listings for IntCodec\pmsngr.exe and IntCodec\pmmon.exe. I ran Ewido and it found about 191 spyware entries. I had it delete them all and rebooted the machine. I then ran another scan and it came back with 6 entries. Here they are: Trojan.Agent.qg (high risk), Downloader.zlob.abw (high risk), Adware.IntCodec (Medium Risk), Adware.Search Assistant (Medium Risk), Adware.Spysheriff (Medium Risk), Adware.WeirWeb (Medium Risk). What should I do from here?
In Add/Remove Programs, do you recognize any program that you did not install?
Delete those files with Ewido. Sometimes you need to run a few passes to remove all the trojans.
You have SpySheriff, a variation of SmitFraud. Use SmitFraudFix to remove it:
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip
After you run SmitFraudFix option 2, also run option 3 (NOT in safe mode, just in normal mode) to clear your trusted zone so the infection won't have a chance to come back.
ASKER
OK, after a second run of Ewido and running Prevx, everything seemed to be gone. However, I went ahead with rpggamergirl's recommendations as well. Here's the rapport file:
SmitFraudFix v2.115
Scan done at 19:39:28.48, Sat 10/28/2006
Run from C:\Documents and Settings\BestBuy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Any further thoughts?
SmitFraudFix deleted a SmitFraud entry, which is this one --> "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"
Please run option 3 in normal mode to clear your trusted zone as well.
If you still have other malware problems, we can run another diagnostic tool.
ASKER
I ran the "clear trusted zone" option in normal mode as well. The machine appears to be running fine now. I'm going to declare, "Mission Accomplished!" Thanks so much for your timely and expert advice. To be fair, I will split the points between you evenly. By the way... Nice working with you again, rpggamergirl. This is the second time you've come to my rescue. My co-worker will no doubt be very pleased with her machine. God bless you both.
Well done jaerob!
Glad to know you've got it sorted out.
Thanks for the points. Glad to work with you again; anytime you have PC problems (malware, viruses, etc.), we'll all be here ready to assist if we can.
God bless you too!
Thank you.
1. If you have Windows Messenger Service, disable it. The Messenger is the source of popups and viruses.
http://www.itc.virginia.edu/desktop/docs/messagepopup/
2. Use Ewido to remove hard-to-remove spyware
http://www.ewido.net/en/
or
Spy Sweeper
http://mysite.webroot.com/forms/Infoworld
3. If still no joy, download HijackThis
http://www.majorgeeks.com/download3155.html
Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/, click Analyze, Save, and post a link to the saved analysis here.
Best wishes!