Removing pop-ups (pancolp.com; precata.com)


9 replies to this topic

#1 1sgolfer

Posted 06 December 2008 - 02:20 PM

I have McAfee Total Protection and I am still getting pop-ups from these websites (pnacolp.com, pantomi.com, etc.). Any suggestions how I can get this removed from my computer? Will Combo fix take care of the problem? If so, how do I go about using that process to fix my computer?

Help would be much appreciated


#2 buddy215

Posted 06 December 2008 - 09:06 PM

http://www.superantispyware.com/ Works best at finding and removing the malware when scan is run in SAFE MODE AFTER INSTALLING.

Download and install SUPERAntiSpyware Free from the link above.

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
* Under the "Configuration and Preferences", click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  o Close browsers before scanning.
  o Scan for tracking cookies.
  o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen and exit the program.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

* Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes" and reboot normally.
* To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  o Click Preferences, then click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 1sgolfer

Posted 07 December 2008 - 12:27 AM

I ran everything as you said and it appears that my computer is working fine again. Thanks for the information and advice.

#4 buddy215

Posted 07 December 2008 - 07:16 AM

The adware/malware you reported is often associated with Vundo.
Please post the SAS log.

You should check all of your programs for security updates. Especially Java, Adobe Flash and Windows. Use the Secunia online scanner to check all of your programs for missing security updates. Vundo is known to hide in old Java programs so after updating Java go to Add/Remove and remove all old Java programs.
http://secunia.com/vulnerability_scanning/online/

Use Ccleaner to remove temporary files, logs, cookies, etc. During install you will be offered the Yahoo Toolbar. UNcheck if not wanted. http://www.ccleaner.com/

SAS will likely update late Monday. You should get the new update and run another full scan in safe mode.

Edited by buddy215, 07 December 2008 - 07:17 AM.


#5 gigthis

Posted 09 December 2008 - 12:49 AM

Buddy215...I stumbled across your fix when researching how to get rid of the same issue. I'm getting popups from the same sites and warnings to install AntiVirus 2009. I completed all the steps below and I am still getting the popups. Attached is my SAS log. Any help is much appreciated.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2008 at 11:00 PM

Application Version : 4.23.1006

Core Rules Database Version : 3668
Trace Rules Database Version: 1647

Scan type : Complete Scan
Total Scan Time : 00:24:17

Memory items scanned : 209
Memory threats detected : 0
Registry items scanned : 5708
Registry threats detected : 27
File items scanned : 54417
File threats detected : 35

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\NANULOTE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
C:\WINDOWS\SYSTEM32\BIYEDEPU.DLL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Adware.MyWebSearch
HKU\S-1-5-21-583907252-1417001333-839522115-3769\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKU\S-1-5-21-583907252-1417001333-839522115-3769\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-583907252-1417001333-839522115-3769\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

Adware.Tracking Cookie

Adware.MyWebSearch/FunWebProducts
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Trojan.Fake-Alert/Trace
HKU\S-1-5-21-583907252-1417001333-839522115-3769\SOFTWARE\Microsoft\fias4013

Adware.Vundo Variant/HAL
C:\WINDOWS\SYSTEM32\GAYUSOMI.DLL

Trace.Known Threat Sources
C:\Documents and Settings\agough\Local Settings\Temporary Internet Files\Content.IE5\E8N7GYGK\indexsg[1].htm
C:\Documents and Settings\agough\Local Settings\Temporary Internet Files\Content.IE5\ET6C8BJG\l.s.bg1z[1].gif
C:\Documents and Settings\agough\Local Settings\Temporary Internet Files\Content.IE5\E8N7GYGK\l.s.bg2z[1].gif
C:\Documents and Settings\agough\Local Settings\Temporary Internet Files\Content.IE5\MPQHZB6N\favicon[4].ico
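
Added example, not part of the post above and not SUPERAntiSpyware's own code: a Python triage of a scan log in the format shown, separating registry entries that load a DLL and dropped binaries from cookie noise. The load-point list and the function names are assumptions made for this example; the sample is an abridged excerpt of the log above.

```python
import re
from collections import defaultdict

# Abridged excerpt of the scan log posted above (item lines copied as-is).
SAMPLE_LOG = r"""
Adware.Vundo Variant
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
C:\WINDOWS\SYSTEM32\NANULOTE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
C:\WINDOWS\SYSTEM32\BIYEDEPU.DLL

Adware.Tracking Cookie
C:\Documents and Settings\agough\Cookies\agough@doubleclick[1].txt

Adware.Vundo Variant/HAL
C:\WINDOWS\SYSTEM32\GAYUSOMI.DLL
"""

# Keys under which Windows loads a registered DLL (assumed triage list, not exhaustive).
LOAD_POINTS = ("\\sharedtaskscheduler", "\\shellserviceobjectdelayload", "\\inprocserver32")
# An item line is a registry key (group 1 = hive) or a drive-letter path.
ITEM = re.compile(r"^(?:(HKLM|HKCR|HKU|HKCU)\\|[A-Za-z]:\\)", re.I)

def classify(item):
    """Return 'load-point', 'registry', 'binary' or 'file' for one log item."""
    low = item.lower()
    if ITEM.match(item).group(1):
        key = low.split("#", 1)[0]  # the log writes values as key#value
        return "load-point" if key.endswith(LOAD_POINTS) else "registry"
    return "binary" if low.endswith((".dll", ".exe", ".sys")) else "file"

def triage(log_text):
    """Group items by detection name; sections are separated by blank lines."""
    report = defaultdict(lambda: defaultdict(list))
    for block in re.split(r"\n\s*\n", log_text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if not lines or ITEM.match(lines[0]):
            continue  # empty block, or items with no detection heading
        for item in (l for l in lines[1:] if ITEM.match(l)):  # skips header/statistics
            report[lines[0]][classify(item)].append(item)
    return report

def needs_followup(report):
    """Detections that left a load point or a binary, i.e. more than cookies."""
    return sorted(n for n, kinds in report.items()
                  if kinds.get("load-point") or kinds.get("binary"))

if __name__ == "__main__":
    print("\n".join(needs_followup(triage(SAMPLE_LOG))))
```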

#6 buddy215

Posted 09 December 2008 - 10:00 AM

gigthis----It is best to start your own topic. Suggest you do that after following the instructions for using MBAM in the link below. The malware you have, Vundo, is constantly changing and the security programs are always playing catch-up. Give MBAM a go at it and post the results in a new topic.
http://www.bleepingcomputer.com/forums/ind...st&p=944365


#7 gigthis

Posted 09 December 2008 - 08:12 PM

Thanks buddy215. I'll try that tonight and start a new topic with my log.

#8 gigthis

Posted 09 December 2008 - 11:52 PM

buddy215...update...I went to the link for the MBAM topic you provided and followed the instructions for running MBAM. Problem solved. Up to this point I could not go online for the last 2 days for more than 10 seconds without the pop-ups starting (and continuing non-stop almost every other page request until I got off the web). I have been online now for an hour and not a single pop-up. And more noticeably my pages are FLYING now. Web pages on my laptop always seemed to have had a slight delay when they loaded...I guess I had gotten used to it. But now they come up very quickly. I'm about to travel for work and was going to have to do a web based demo from my laptop...that would not have been an option with my laptop in the state it was in. Thanks for your help. Ya really saved me.

Should I still open a new topic to post my results? Not sure of the protocol on the message board and I want to make sure I follow it.

Thanks again!

Edited by gigthis, 09 December 2008 - 11:54 PM.


#9 buddy215

Posted 10 December 2008 - 07:47 AM

You likely had some adware/malware before getting your latest infection. Good that your computer is working better.

Use Ccleaner to remove temporary files, logs, etc. During install you will be offered the Yahoo Toolbar. UNcheck if not wanted.
http://www.ccleaner.com/

Allow Secunia to scan your computer for programs that need security updates to prevent their being exploited.
http://secunia.com/vulnerability_scanning/online/

To be sure (as one can be with commercial programs) that no other malware is presently on your computer, do a scan using Kaspersky online scanner. http://www.kaspersky.com/virusscanner
Post back if it finds malware other than cookies.

Some of your restore points are infected and the way to remove them is by deleting ALL restore points. Here are links to BC's tutorials for doing that if needed.
Vista---http://www.bleepingcomputer.com/tutorials/windows-vista-system-restore-guide/
XP------http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/


#10 Dani1476

Posted 12 December 2008 - 08:10 AM

Wanted to say thanks to buddy215! Ran both the Super Anti Spyware and MBAM (from new thread posted by gigthis) - problem with pancolp gone.

1sgolfer - I also have McAfee total protection and it didn't help. The advice I got from their techs was useless. Run SuperAntiSpyware and MBAM - worked for me.



