Solved

Intermittent Nudie Pop-Up window

Posted on 2006-10-28
Last Modified: 2013-11-28
Hello experts. I am troubleshooting a PC for a co-worker of mine. There's an intermittent nudie pop-up occurring when she browses the web. It doesn't happen frequently, but it does happen. What do you recommend I do to cleanse her machine of this? I kind of need to do it quickly. Thanks.
0
Question by:jaerob
12 Comments
 
LVL 97

Expert Comment

by:war1
ID: 17826650
Greetings, jaerob !

1. If you have Windows Messenger Service, disable it. The Messenger is the source of popups and viruses.

http://www.itc.virginia.edu/desktop/docs/messagepopup/

2. Use Ewido to remove hard-to-remove spyware
http://www.ewido.net/en/
or
Spy Sweeper
http://mysite.webroot.com/forms/Infoworld

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/, click Analyze, Save, and post a link to the saved analysis here.

Best wishes!
0
 

Author Comment

by:jaerob
ID: 17826683
Here's the link to the analysis file: http://www.hijackthis.de/logfiles/a6007b01e869bd51599c2a2ac855727a.html
I'll be standing by.
0
 
LVL 97

Expert Comment

by:war1
ID: 17826741
1. C:\Program Files\IntCodec\pmsngr.exe is a dangerous trojan. Go to Add/Remove Programs and uninstall IntCodec or anything similar to that.

Did you run Ewido? It would have removed the trojan.

2. Put a check mark by the following items in HijackThis log and click "Fix Checked".

C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program
0

 

Author Comment

by:jaerob
ID: 17826901
Hi war1. Here's the scoop. The Messenger service was already disabled and I did not see a listing in Add Remove Programs for IntCodec. I was able to delete the O2 listing above with HijackThis, but I could not find the listings for IntCodec\pmsngr and IntCodec\pmmon.exe. I ran Ewido and it found about 191 spyware entries. I had it delete them all and rebooted the machine. I then ran another scan and it came back with 6 entries. Here they are: Trojan.Agent.qg (high risk), Downloader.zlob.abw (high risk), Adware.IntCodec (Medium Risk), Adware.Search Assistant (Medium Risk), Adware.Spysheriff (Medium Risk), Adware.WeirWeb (Medium Risk). What should I do from here?
0
 
LVL 97

Expert Comment

by:war1
ID: 17826915
In Add/Remove Programs, do you recognize any program that you did not install?

Delete those files with Ewido. Sometimes you need to run a few passes to remove all the trojans.

You have SpySheriff, a variation of SmitFraud. Use SmitFraudFix to remove it
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip 
0
 
LVL 97

Assisted Solution

by:war1
war1 earned 250 total points
ID: 17826937
Use Prevx1 to remove IntCodec
http://free.prevx.com/

Then go into the Program Files and remove the IntCodec folder.
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 250 total points
ID: 17826984
Hi,

Do this:

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17826991
After you run smitfraudfix option 2,
also run option 3 (NOT in safe mode), just in normal mode, to clear your trusted zone so the infection won't have a chance to come back.
0
 

Author Comment

by:jaerob
ID: 17827274
OK, after a second run of Ewido and running Prevx, everything seemed to be gone. However, I went ahead with rpggamergirl's recommendations as well. Here's the rapport file:
SmitFraudFix v2.115

Scan done at 19:39:28.48, Sat 10/28/2006
Run from C:\Documents and Settings\BestBuy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Any further thoughts?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17827320
smitfraudfix deleted a smitfraud entry which is this one --> "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


Please run option 3 in normal mode to clear your trusted zone as well.

If you still have other malware problems, we can run other diagnostic tools.
0
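The before/after comparison read off the report in the comment above can be scripted when several machines need checking. This is an added example, not part of the original thread or of SmitFraudFix itself; it assumes only the report layout quoted here (banner lines of », bracketed registry keys, "name"="data" values), and the function names are hypothetical.

```python
import re

# Constructed sample: abridged copy of the report layout quoted in the thread.
SAMPLE_REPORT = r"""SmitFraudFix v2.115

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

»»»»»»»»»»»»»»»»»»»»»»»» End
"""

SECTION = re.compile(r"^»+\s*(.+?)\s*$")       # section banner line
KEY = re.compile(r"^\[(HK[^\]]+)\]$")           # [HKEY_...\Key]
VALUE = re.compile(r'^"([^"]*)"="([^"]*)"$')    # "name"="data"

def parse_sections(report):
    """Map each section title to the set of (key, value name, data) it lists."""
    sections, title, key = {}, None, None
    for raw in report.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            title, key = m.group(1), None       # new section resets the current key
            sections.setdefault(title, set())
        elif title is not None and (m := KEY.match(line)):
            key = m.group(1)
        elif title is not None and key and (m := VALUE.match(line)):
            sections[title].add((key, m.group(1), m.group(2).lower()))
    return sections

def compare(report):
    """Diff the 'Before' and 'After' sections of one report."""
    s = parse_sections(report)
    before, after = s.get("Before SmitFraudFix"), s.get("After SmitFraudFix")
    if before is None or after is None:
        raise ValueError("report has no Before/After pair")
    return {"removed": before - after,      # listed before, gone after
            "remaining": before & after,    # still registered, needs follow-up
            "new": after - before}          # only listed after the run

if __name__ == "__main__":
    for kind, entries in compare(SAMPLE_REPORT).items():
        print(kind, sorted(entries))
```

A non-empty `remaining` set means the entry survived the clean pass and the machine needs another look.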
 

Author Comment

by:jaerob
ID: 17827335
I ran the "clear trusted zone" option in normal mode as well. The machine appears to be running fine now. I'm going to declare, "Mission Accomplished!" Thanks so much for your timely and expert advice. To be fair, I will split the points between you evenly. By the way... Nice working with you again, rpggamergirl. This is the second time you've come to my rescue. My co-worker will no doubt be very pleased with her machine. God bless you both.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17827380
Well done jaerob!
Glad to know you've got it sorted out.

Thanks for the points, glad to work with you again. Anytime you have PC problems, malware/viruses etc., we'll all be here ready to assist if we can.

God bless you too!
Thank you.

0
