Author Topic: ***VIRUS WARNING***  (Read 249 times)

Offline roosh

  • Fanatical Supporter!
  • Explorer
  • ***
  • Posts: 46
  • Gender: Male
***VIRUS WARNING***
« on: November 24, 2011, 03:15:06 pm »
Apologies if the title of the thread is somewhat misleading, because it isn't a warning about a "virus" per se, but it is a warning about a "root kit", which is a potentially problematic program - and I wasn't sure if everyone would know what a root kit is, because I certainly didn't.

I started a thread in general discussion about an activeX issue I am encountering at the moment. I keep getting a recurring activeX issue, which is very annoying and prevents me from viewing websites sometimes - it seems to be very erratic.

To cut a long story short. If you are greeted with a pop-up that asks you if you want to install something from a company called: Inca Internet, don't install it.

Offline guy_ratus

  • Lesson-Plan Worthy
  • *
  • Posts: 21
  • Gender: Male
Re: ***VIRUS WARNING***
« Reply #1 on: November 24, 2011, 03:33:42 pm »
Just read your other post. I had the same problem starting about 2 months ago. And yes it is very random. For example, sometimes waygook.org would open with no problems and then sometimes the activeX pop up would stop it from opening. Same went for most websites, to the point that using the internet became a huge hassle.

The popup is to download some useless antivirus programs. They aren't viruses (I hope). I found that by clicking it from Chrome wouldn't do anything, but clicking it from IE would install Ahnlab's V3 Security program and another by nprotect. These are those pesky, constantly interrupting programs on all the school computers. Installing them has stopped all the activeX popups and I can surf the net without problems, but now I have these two programs that seem impossible to get off my computer......

Offline roosh

  • Fanatical Supporter!
  • Explorer
  • ***
  • Posts: 46
  • Gender: Male
Re: ***VIRUS WARNING***
« Reply #2 on: November 25, 2011, 08:16:16 am »
Just read your other post. I had the same problem starting about 2 months ago. And yes it is very random. For example, sometimes waygook.org would open with no problems and then sometimes the activeX pop up would stop it from opening. Same went for most websites, to the point that using the internet became a huge hassle.

The popup is to download some useless antivirus programs. They aren't viruses (I hope). I found that by clicking it from Chrome wouldn't do anything, but clicking it from IE would install Ahnlab's V3 Security program and another by nprotect. These are those pesky, constantly interrupting programs on all the school computers. Installing them has stopped all the activeX popups and I can surf the net without problems, but now I have these two programs that seem impossible to get off my computer......

That's the issue alright. I installed the nprotect one, because that was the only option I was getting. Did you get that little window that opens by itself and cannot be closed? Has it affected the performance of your computer by any chance?

I've heard that it is supposed to be a root-kit, which is supposed to be a pretty nasty piece of software, and that it drains the machine's resources. I had to delete a few things from the registry to get rid of it. I accidentally ended up deleting a couple of things I shouldn't and then when I restarted my computer it wouldn't reboot. Luckily there is a way to restore it to "the last known working configuration", so I did that and just deleted the correct registry items.

Offline Paul

  • Featured Contributor
  • Hero of Waygookistan
  • ***
  • Posts: 1140
  • Gender: Male
Re: ***VIRUS WARNING***
« Reply #3 on: November 25, 2011, 08:47:06 am »
The popup is to download some useless antivirus programs. They aren't viruses (I hope).

The common terminology is "rogueware", and the distinction between rogueware and a virus can sometimes be tenuous at best. V3 is the most clear example of rogueware I can think of.

I've had the same problem as you essentially at the very beginning of the year. I cannot recall whether anything by Inca popped up, so I cannot confirm nor deny that your problem is the same as Roosh's. See, I thought I managed to luck out with a machine at one school without those two nuisances (former student machine that some savvy student had purged of V3 in the past to view inappropriate web content judging by what I had to remove to sanitise the machine) but eventually had to break down and install V3 at least. I do anything requiring nProtect on the classroom machine. nProtect is legit, just very poorly constructed. You need it to get the digital certificates the board of education needs every time you take a business trip or leave. V3 is then needed for that to operate, and also to prevent that Active X web blocking script* you've run into.

Personally, the first thing I do in the morning is turn V3 off to cut it off from sapping all the machine's resources, and then again when it boots up again automatically over lunch. When you shut it off manually like that, it basically leaves you alone but maintains one process that presumably cuts the Active X interferences. Be sure to cut the automatic afternoon scan before closing it after lunch or it'll leave more than one process running. All the machines here are protected by a legit antivirus program (MSE) anyway.

* Which is kinda useless when you think about it as anyone attempting to view truly objectionable content would have the tenacity to interrupt the desired page load before it took control. I find it reminiscent of Homer Simpson's website when he hides his identity by having an overly large paper bag image load over his head a few seconds after his photo loads.
More primary school colours and shapes activity ideas and resources than you'd ever need - here
Holy free educational fonts Batman!

Offline Paul

  • Featured Contributor
  • Hero of Waygookistan
  • ***
  • Posts: 1140
  • Gender: Male
Re: ***VIRUS WARNING***
« Reply #4 on: November 25, 2011, 08:50:20 am »


For the same subjective definition of "legit" that'd include stuff like SecuROM mind (legit in intent, nefarious in behaviour).

Offline guy_ratus

  • Lesson-Plan Worthy
  • *
  • Posts: 21
  • Gender: Male
Re: ***VIRUS WARNING***
« Reply #5 on: November 25, 2011, 09:52:09 am »
Did you get that little window that opens by itself and cannot be closed? Has it affected the performance of your computer by any chance?

Yes, that window! I haven't noticed any change in performance, though.
I'd love any advice on how to completely remove these programs, and if possible, without having to run in safe mode and delete specific files because I'd have no idea what to look for.

Offline roosh

  • Fanatical Supporter!
  • Explorer
  • ***
  • Posts: 46
  • Gender: Male
Re: ***VIRUS WARNING***
« Reply #6 on: November 25, 2011, 12:36:14 pm »
Did you get that little window that opens by itself and cannot be closed? Has it affected the performance of your computer by any chance?

Yes, that window! I haven't noticed any change in performance, though.
I'd love any advice on how to completely remove these programs, and if possible, without having to run in safe mode and delete specific files because I'd have no idea what to look for.

Paul might be able to give some better advice on how to work with the program, but if you still want to remove it I found this article to be a helpful starting point. Following the steps in it wasn't sufficient, because not all of it was relevant, but that may be different on your machine.

The following was what I did to get rid of it:
Quote
The next part is the tricky part as it involves editing the registry. Go wrong here and you could render your operating system unusable, so be careful. It might be a good idea to create a system restore point before going further.

    To run the registry editor: Click Start > Run > then type 'Regedit' without the quotes.

    Browse to the following branch:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPPTNT2

Remove the entire branch. Close Regedit and reboot your PC.

Be careful doing this though, because if you delete the wrong thing, it can cause a serious issue - in my case it was easily reversible though.

What I did was check the nprotect folder (or whatever it was called) for the various file names and then looked in the registry for files with those names. Most of them, from what I can remember, had the stem "npentac". So I deleted any file in the registry with "npentac".

To be safe, google the name of the file first; I googled "what is npentac" and one of the results told me it was a file associated with Inca Internet, so I duly deleted it. I googled "what is [file name]" for other files too.


Be careful though, I didn't google the name of every file I deleted and ended up deleting things I shouldn't have. When I restarted my computer Windows XP wouldn't load - the screen with Windows XP appeared, with the loading progress indicator, but then a dialogue box would pop up saying "enpoint not valid" (or something to that effect).

Luckily that was reversible. I just needed to restart the computer, and before the XP loading screen appeared I had to hit the "F8" key; this brought me into a screen which allowed me to select "use the last known working configuration", which worked but nprotect was back on the machine. So I had to go back into the registry and delete the correct files again. I was doubly sure to google every file before deleting it and only deleted the ones associated with Inca Internet.
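
An added example, not part of the thread or of the quoted article: a PowerShell script that lists the service keys matching the names mentioned in the posts (NPPTNT2, npentac) and exports each one to a .reg file before anything is removed by hand. The backup folder `reg-backup` is an assumption, and the script itself deletes nothing.

```powershell
# Added example: inventory and back up matching service keys before manual removal.
# Name patterns come from the thread (NPPTNT2, npentac); $BackupDir is an assumed path.
# Run from an elevated PowerShell prompt. Nothing is deleted by this script.
$Patterns   = 'NPPTNT2', 'npentac'
$BackupDir  = Join-Path $env:USERPROFILE 'reg-backup'
$ServicesPs = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # PowerShell provider path
$ServicesRg = 'HKLM\SYSTEM\CurrentControlSet\Services'    # same key, reg.exe syntax

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
# Timestamped file names so an earlier backup is never overwritten.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

$found = foreach ($key in Get-ChildItem $ServicesPs) {
    $name  = $key.PSChildName
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath      # driver or executable the service loads
    foreach ($p in $Patterns) {
        # Match on the key name or on the binary path it points to.
        if ($name -like "*$p*" -or $image -like "*$p*") {
            $file = Join-Path $BackupDir "$name-$stamp.reg"
            & reg.exe export "$ServicesRg\$name" $file | Out-Null
            New-Object PSObject -Property @{
                Service   = $name
                ImagePath = $image
                # Start: 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
                # Keys with Start 0 or 1 load during boot, so review them most carefully.
                Start     = $props.Start
                Backup    = $file
                BackedUp  = ($LASTEXITCODE -eq 0)
            }
            break   # one record per key, even if several patterns match
        }
    }
}

if ($found) {
    $found | Format-List Service, ImagePath, Start, Backup, BackedUp
} else {
    Write-Output "No service keys matched: $($Patterns -join ', ')"
}
```

A key exported this way can be put back with `reg import` followed by the backup file's path, which covers the case where the wrong entry was removed but Windows still boots.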