Solved

Pop Up Problem possibly trojan or spyware

Posted on 2003-10-25
21
14,141 Views
Last Modified: 2010-04-11
I have had an ever increasing popup ad problem for a few weeks and have installed Ad Aware 6.0 and Spybot S&D and neither gets rid of it. I am at the point where something is launching each time I start Internet Explorer. I have managed to get rid of most of the rest of the ads that just pop up in a small box.  This web page that remains used to have advertising, but now comes up as "page not found" and there is no close or exit box.  

I did check to see what programs start at startup by using Autostart Explorer and found that the most suspicious and unknown to me are webassist.exe and belt.exe  The problem is  so bad that I can barely type anything and had to switch to my son's PC to ask this question. Every 10 seconds I get a popup window and I have to control-alt-delete to close it up.  This morning after some Internet research I downloaded and ran Trojan Hunter.  That gave me one possible file to delete and I have done so but the problem still exists.  

I think that the original culprit was dw.exe which I tried to remove with Add-Install in Control Panel and was unsuccessful so I tried to delete it to no avail and so I re-named it.  I did try to delete webassist.exe and it won't let me - says it's in use or else a critical file.

Any help would be greatly appreciated.  I assume my last resort is to reformat my hard drive and I'd obviously prefer not to do that.  
0
Comment
Question by:barbtrd
21 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 9620769
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9620820
Sunray already gave you this link:
HijackThis : http://www.webattack.com/download/dlhijackthis.shtml

can you try and run it and post the log here, we should be able to find out what's wrong.

Also, you should have some kind of firewall to stop at least some of those pop-ups and trace the source. Try ZoneAlarm => www.zonealarm.com, it's a free firewall.

LucF
0
 

Author Comment

by:barbtrd
ID: 9620879
Here's the log from the webattack hijack program.  Thanks

Logfile of HijackThis v1.97.3
Scan saved at 6:40:36 PM, on 10/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\webassist.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Barbara Toth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6CDDAD19-4DE5-4F84-9FA3-2E6139DC0837} - C:\WINDOWS\System32\blackdbox.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Common Files\Microsoft Shared\Perl.exe /LASTSCAN
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [webassist] C:\WINDOWS\webassist.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60910.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/download/advertisingdotcom/pcpowerscan.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab

0
 
LVL 7

Expert Comment

by:philby11
ID: 9621713
Have you tried to delete these apps in safe mode?
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 125 total points
ID: 9621988
webassist.exe has to go, it's a popup generator
O4 - HKLM\..\Run: [webassist] C:\WINDOWS\webassist.exe
C:\WINDOWS\webassist.exe


FastSeeker toolbar also has to go, it's spyware. It also records the domain name of any sites you have viewed or are viewing, as well as page titles and keywords, to its controlling servers, even if the toolbar is turned off.
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab



Qagent : The Quicken program is controlled by a separate utility program called the Quicken Download Manager (also known as Qagent). When the Quicken Download Manager option is enabled, background downloading takes advantage of unused bandwidth to download current financial information anytime your computer is connected to the Internet. So if you don't use it, get rid of it. http://www.pacs-portal.co.uk/startup_pages/startup_q.php
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE

And this line also has to go:
Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)

I hope I didn't miss any.

LucF




0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9622731
Missed at least one:

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe <= Abetterinternet adware related

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9622779
> I think that the original culprit was dw.exe

http://www.pacs-portal.co.uk/startup_pages/startup_d.php
--------------------------------------------------------------------------------------------
DownloadWare - executes arbitrary code from advertisers and not considered to be adware but is a security risk (see here ). If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. Installed along with programs such as MovieNetworks , Medialoads and PAgent
--------------------------------------------------------------------------------------------

You said you had renamed the file, can you delete it now?

LucF
0
 

Author Comment

by:barbtrd
ID: 9623193
I think I have already deleted the renamed dw.exe file since I now can't find it. One more dumb question - how do I delete these files - when you say this line "has to go", do I use regedit or the msconfig command from Run? Or use the hijack log file and delete the lines there? Thanks very much for your help, it's a lifesaver.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623262
You can let HijackThis delete them safely. It gives you the option to select them and delete them.

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623302
FYI there's a checkbox in front of everything, just check the box and choose "Fix checked". It'll remove it from the startup list or from the registry. After you've done this, you'll have to reboot your computer and run HijackThis again to see if they're really gone. If they come back, you should try running HijackThis from safe mode.

LucF
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623311
> One more dumb question
The only dumb questions are the ones never being asked! ;-)
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623525
Barbara,
Have you checked your e-mail yet?
Have you tried any of my suggestions?

LucF
0
 

Author Comment

by:barbtrd
ID: 9623551
Yes - I just did the removal with hijack.  Yeah!  You're the best!  Thanks a million.  You made my day, my week, my month. It's been a long battle. Sigh.  
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623568
So now everything is working fine?
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623628
Barbara Toth,
If it now works fine, please take a look at: http://www.experts-exchange.com/help/closing.jsp#2
Since you're new here, please take a look at the help pages. Experts here are always here to help you solve your questions, but they like to be awarded for their work using the points system. The points system makes this site as valuable as it is at the moment.
You should really read:
> http:help
> http:memberAgreement.jsp

LucF

p.s. welcome to Experts-Exchange, you'll learn a lot more if you stay!!
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623632
hmmz, I also make mistakes

http:help should be http://www.experts-exchange.com/help/

still welcome aboard!!
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9623810
Anyway, I'm glad you found my comments helpful.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 9625063
thanQ
0
 

Expert Comment

by:lominy
ID: 10156351
Hi barbtrd

You know, if you don't have a problem with it, I can send you an application to block your popups.
It's very good. If you want it, just write and I'll send the application (143 kb).
Lominy

<edited by CS>
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10162039
lominy, please take a look here: http:/help.jsp#hi99 Posting your e-mail address is a violation of the Member Agreement.

Also, there is a list of popup blockers already in this thread.
0
 

Expert Comment

by:mgbyrne2004
ID: 11497491
*** advertising removed by Netminder, Site Admin ***
0
