Intermittent Nudie Pop-Up window

jaerob asked
Last Modified: 2013-11-28
Hello experts. I am troubleshooting a PC for a co-worker of mine. There's an intermittent nudie pop-up occurring when she browses the web. It doesn't happen frequently, but it does happen. What do you recommend I do to cleanse her machine of this? I kind of need to do it quickly. Thanks.

CERTIFIED EXPERT
Top Expert 2008

Commented:
Greetings, jaerob !

1. If you have Windows Messenger Service, disable it. The Messenger is the source of popups and viruses.

http://www.itc.virginia.edu/desktop/docs/messagepopup/

2. Use Ewido to remove hard to remove spyware
http://www.ewido.net/en/
or
Spy Sweeper
http://mysite.webroot.com/forms/Infoworld

3. If still no joy, download HijackThis

http://www.majorgeeks.com/download3155.html

Run the program and you will find many entries. Most are OK. Post the log at http://www.hijackthis.de/, click Analyze, Save, and post a link to the saved analysis here.

Best wishes!

Author

Commented:
Here's the link to the analysis file: http://www.hijackthis.de/logfiles/a6007b01e869bd51599c2a2ac855727a.html
I'll be standing by.
CERTIFIED EXPERT
Top Expert 2008

Commented:
1. C:\Program Files\IntCodec\pmsngr.exe is a dangerous trojan. Go to Add/Remove Programs and uninstall IntCodec or anything similar to that.

Did you run Ewido? It would have removed the trojan.

2. Put a check mark by the following items in HijackThis log and click "Fix Checked".

C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program

Author

Commented:
Hi war1. Here's the scoop. The Messenger service was already disabled and I did not see a listing in Add Remove Programs for IntCodec. I was able to delete the O2 listing above with HijackThis, but I could not find the listings for IntCodec\pmsngr and IntCodec\pmmon.exe. I ran Ewido and it found about 191 spyware entries. I had it delete them all and rebooted the machine. I then ran another scan and it came back with 6 entries. Here they are: Trojan.Agent.qg (high risk), Downloader.zlob.abw (high risk), Adware.IntCodec (Medium Risk), Adware.Search Assistant (Medium Risk), Adware.Spysheriff (Medium Risk), Adware.WeirWeb (Medium Risk). What should I do from here?
CERTIFIED EXPERT
Top Expert 2008

Commented:
In Add/Remove Programs, do you recognize any program that you did not install?

Delete those files with Ewido. Sometimes you need to run a few passes to remove all the trojans.

You have SpySheriff, a variation of SmitFraud. Use SmitFraudFix to remove it
http://www.geekstogo.com/forum/index.php?showtopic=109268
OR
http://siri.geekstogo.com/SmitfraudFix.zip 
CERTIFIED EXPERT
Top Expert 2008
Commented:
Use Prevx1 to remove IntCodec
http://free.prevx.com/

Then go into the Program Files and remove the IntCodec folder.

CERTIFIED EXPERT
Top Expert 2007
Commented:
Hi,

Do this:

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
CERTIFIED EXPERT
Top Expert 2007

Commented:
After you run smitfraudfix option 2,
also run option 3 (NOT in safe mode), just in normal mode, to clear your trusted zone so the infection won't have a chance to come back.

Author

Commented:
OK, after a second run of Ewido and running Prevx, everything seemed to be gone. However, I went ahead with rpggamergirl's recommendations as well. Here's the rapport file:
SmitFraudFix v2.115

Scan done at 19:39:28.48, Sat 10/28/2006
Run from C:\Documents and Settings\BestBuy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Any further thoughts?
CERTIFIED EXPERT
Top Expert 2007

Commented:
smitfraudfix deleted a smitfraud entry which is this one --> "cholecyst"="{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"


Please run option 3 in normal mode to clear your trusted zone as well.

If you still have other malware problems, we can run other diagnostic tools.

Author

Commented:
I ran the "clear trusted zone" option in normal mode as well. The machine appears to be running fine now. I'm going to declare, "Mission Accomplished!" Thanks so much for your timely and expert advice. To be fair, I will split the points between you evenly. By the way... Nice working with you again, rpggamergirl. This is the second time you've come to my rescue. My co-worker will no doubt be very pleased with her machine. God bless you both.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Well done jaerob!
Glad to know you've got it sorted out.

Thanks for the points, glad to work with you again, anytime you have pc problems malware/viruses etc, we'll all be here ready to assist if we could.

God bless you too!
Thank you.
