
Non killable Pop Ups

Old 25th Feb 2004, 18:00

Please help. I have suddenly picked up something which is bombarding my PC with pop-ups. They often come in flurries, and it means I can't use Word too well, as when they appear the input focus moves to the pop-up window.

There seems to be no requirement to have IE running, nor to be connected to the internet. Using Win XP Pro, am on NTL broadband.

I have run Ad-Aware several times, both when the PC is running and set for when it boots up.

Similarly SpyBot and PestControl.

They detect and delete registry entries etc. for PurityScan. I have done a www search for that and my symptoms match exactly. Have followed all the advice on how to delete and manually delete that I found online.

Have done a Symantec Virus search and the TrendMicro, both come up clean.

I have the firewall in place and messenger disabled, System Restore off.

Have done everything I can think of to rid myself of this bug but it has proven very persistent and I'm approaching my wits' end.

Any thoughts anyone? Please!?
BDiONU is offline  
Old 25th Feb 2004, 18:30
I presume you've done something like This?
Hamrah is offline  
Old 25th Feb 2004, 18:42
Hamrah

Yes 'fraid so, one of the first places I looked. Mutter mutter mutter.
BDiONU is offline  
Old 25th Feb 2004, 19:42
Hi BDiONU,

Please download 'Hijack This!' from here, unzip, and place it in its own folder (not in the temp folder), double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give me a rundown of what’s going on in your PC. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Although I didn't intend to do these here, I'll use it as an instructional thread, and explain what I'm doing throughout, so everyone gets to learn a bit more about this scum that keeps attacking PCs. I'll also put in the links to the various databases/sites that I use for reference etc. and then that will give the forum members a chance to carry out their own scumware audit.

To the PPruner.. I won't make a habit of this.. but I will make it easy to follow and informative..

Cheers

Liam
E-Liam is offline  
Old 25th Feb 2004, 19:53
E-Liam

Can't tell you how much I appreciate the help! Tried to paste the log but PPrune wouldn't allow it, too many images!! Have sent you a PM in the hope that's OK?

BDi
BDiONU is offline  
Old 25th Feb 2004, 21:37
Hi,

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe


Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\Windows\Temp folder, but not the folder itself. Next please find and delete the following bolded file...

C:\WINDOWS\System32\wnsintcc.exe

Then please boot back into normal mode and post a new log, just to make sure. That should be you sorted out regards popups. This seems to be a new strain of executables causing multiple popups, and although the filename is ultimately random, they usually look like this..

wnxxxxxx.exe (random string length)

..to make them look as though they are genuine Windows files at first glance.

I do however urge anyone who wants to suddenly delete any files that look like this to proceed with caution..!!!!!!!!!

Cheers

Liam

Last edited by E-Liam; 25th Feb 2004 at 21:52.
E-Liam is offline  
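
The triage described in post #6, as an added example that is not part of the original thread: a small Python parser that reads a saved HijackThis log and lists the two kinds of entry flagged there, a search hook marked "(no file)" and an O4 autorun pointing at a wn*.exe in System32. The sample log is constructed (only the R3 line and the WNSC line come from the post), and the character set assumed for the random filename is a guess.

```python
import re
from ntpath import basename

# Constructed sample log: the two entries quoted in the post plus two
# made-up benign lines for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\avtray.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintcc.exe
O4 - HKCU\..\Run: [ExampleTool] C:\WINDOWS\System32\extool.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
AUTORUN = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Naming habit described in the post: "wn" + random characters + ".exe",
# dropped in System32. The exact character set is an assumption.
WN_NAME = re.compile(r"^wn[a-z0-9]+\.exe$", re.I)


def parse(log):
    """Yield (code, body) for each HijackThis entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]


def review_candidates(log):
    """Return (code, detail, reason) tuples worth a manual look."""
    hits = []
    for code, body in parse(log):
        if code.startswith("R") and body.endswith("(no file)"):
            hits.append((code, body, "hook points at a missing file"))
        elif code == "O4":
            m = AUTORUN.match(body)
            if not m:
                continue
            cmd = m["cmd"].strip('"')
            in_sys32 = "\\system32\\" in cmd.lower()
            # Drop any trailing " /switch" arguments before taking the name.
            if in_sys32 and WN_NAME.match(basename(cmd.split(" /")[0])):
                hits.append((code, cmd, "wn*.exe autorun in System32"))
    return hits


if __name__ == "__main__":
    for code, detail, reason in review_candidates(SAMPLE_LOG):
        print(f"{code}: {reason}: {detail}")
```

A hit is only a candidate for review: genuine Windows files can match the same name pattern, so each one needs checking before anything is fixed or deleted.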
Old 25th Feb 2004, 23:45
E-Liam I now consider you something of an internet Guru! It seems to be fixed! Thank you very much indeed! I wonder where the H*ll it came from? I did find this morning a file in my documents & setting folder which the www informed was summat to do with Buddylink and a saddam message. Deleted that and the registry entry (kids whilst I was on holiday). I'd never have found this other and none of the programs out there seem able to detect it!

I owe you several beers! Thank you very much!

BDi
BDiONU is offline  
Old 26th Feb 2004, 01:27
You're welcome BDi..

I do this security stuff several hours a day, so apart from being able to fix people up, I also see the latest threats before a lot of the security program writers do. I'm sure the guys at Lavasoft and Kolla are working to get this particular nasty into the next update, so hopefully it shouldn't be a problem in a week or so... but it's nice to get in there first.

It probably got in by driveby download. In order to protect yourself against a similar occurrence, go to Start | Settings | Control Panel | Internet Options | Advanced(tab) and uncheck both the Install on demand choices in the Browsing section. It's not perfect, but it will help.

Cheers

Liam
E-Liam is offline  
Old 26th Feb 2004, 03:00
Ahah! I had the Install on Demand (Internet Explorer) disabled but was unaware of the Other option! DOH!
So an early virus/bug/nasty, I'd feel almost privileged but it was a real nightmare and seemed to come out of left field!

Thanks again for your inestimable help!

BDi
BDiONU is offline  
