Pop Up Problem possibly trojan or spyware

I have had an ever increasing popup ad problem for a few weeks and have installed Ad Aware 6.0 and Spybot S&D and neither gets rid of it. I am at the point where something is launching each time I start Internet Explorer. I have managed to get rid of most of the rest of the ads that just pop up in a small box.  This web page that remains used to have advertising, but now comes up as "page not found" and there is no close or exit box.  

I did check to see what programs start at startup by using Autostart Explorer and found that the most suspicious and unknown to me are webassist.exe and belt.exe  The problem is  so bad that I can barely type anything and had to switch to my son's PC to ask this question. Every 10 seconds I get a popup window and I have to control-alt-delete to close it up.  This morning after some Internet research I downloaded and ran Trojan Hunter.  That gave me one possible file to delete and I have done so but the problem still exists.  

I think that the original culprit was dw.exe which I tried to remove with Add-Install in Control Panel and was unsuccessful so I tried to delete it to no avail and so I re-named it.  I did try to delete webassist.exe and it won't let me - says it's in use or else a critical file.

Any help would be greatly appreciated.  I assume my last resort is to reformat my hard drive and I'd obviously prefer not to do that.  
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Luc FrankenEMEA Server EngineerCommented:
Sunray already gave you this link:
HijackThis : http://www.webattack.com/download/dlhijackthis.shtml 

can you try and run it and post the log here, we should be able to find out what's wrong.

also, You should have some kind of firewall to stop at least some of those pop-ups and trace the source. Try Zonealarm => www.zonealarm.com it's a free firewall.

barbtrdAuthor Commented:
Here's the log from the webattack hijack program.  Thanks

Logfile of HijackThis v1.97.3
Scan saved at 6:40:36 PM, on 10/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Barbara Toth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6CDDAD19-4DE5-4F84-9FA3-2E6139DC0837} - C:\WINDOWS\System32\blackdbox.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Common Files\Microsoft Shared\Perl.exe /LASTSCAN
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [webassist] C:\WINDOWS\webassist.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60910.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50039/QDow.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/download/advertisingdotcom/pcpowerscan.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab

Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

Have you tried to delete these apps in safe mode?
Luc FrankenEMEA Server EngineerCommented:
webassist.exe has to go, it's a popup generator
O4 - HKLM\..\Run: [webassist] C:\WINDOWS\webassist.exe

FastSeeker toolbar also has to go, it's spyware. It also records the domain name of any sites you have viewed or are viewing, as well as page titles and keywords, to its controlling servers, even if the toolbar is turned off.
O16 - DPF: {F1A51F21-59DF-4486-BA31-5B816DA481EB} (FastSeekerToolbar Control) - http://www.fastseeker.com/toolbar/download/FastSeekerSetup.cab

Qagent : Quicken program is controlled by a separate utility program called the Quicken Download Manager (also known as Qagent). When Quicken Download Manager option is enabled, background downloading takes advantage of unused bandwidth to download current financial information anytime your computer is connected to the Internet. So if you don't use it get rid of it. http://www.pacs-portal.co.uk/startup_pages/startup_q.php
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE

And this line also has to go:
Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll (file missing)

I hope I didn't miss any.



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Luc FrankenEMEA Server EngineerCommented:
missed at least one

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe <= Abetterinternet adware related

Luc FrankenEMEA Server EngineerCommented:
> I think that the original culprit was dw.exe

DownloadWare - executes arbitrary code from advertisers and not considered to be adware but is a security risk (see here ). If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. Installed along with programs such as MovieNetworks , Medialoads and PAgent

You said you had renamed the file, can you delete it now?

barbtrdAuthor Commented:
I think I have already deleted the renamed dw.exe file since I now can't find it.  One more dumb question - how do I delete these files - when you say this line "has to go"- do I use regedit or msconfig command from run? or use the hijack log file and delete the lines there?  Thanks very much for your help, its a lifesaver.
Luc FrankenEMEA Server EngineerCommented:
You can let HijackThis delete them safely. It gives you the option to select them and delete them.

Luc FrankenEMEA Server EngineerCommented:
FYI there's a checkbox in front of every thing, just check the box and choose "Fix checked" It'll remove it from the startup list or from the registry. After you've done this, you'll have to reboot your computer and run HijachThis again to see if they're really gone. If they come back, you should try running HijackThis from safe-mode.

Luc FrankenEMEA Server EngineerCommented:
> One more dumb question
The only dumb questions are the ones never being asked! ;-)
Luc FrankenEMEA Server EngineerCommented:
Have you checked your e-mail yet?
Have you tried any of my suggestions?

barbtrdAuthor Commented:
Yes - I just did the removal with hijack.  Yeah!  You're the best!  Thanks a million.  You made my day, my week, my month. It's been a long battle. Sigh.  
Luc FrankenEMEA Server EngineerCommented:
So now everything is working fine?
Luc FrankenEMEA Server EngineerCommented:
Barbara Toth,
If it now works fine, please take a look at: http://www.experts-exchange.com/help/closing.jsp#2
Sinds you're new here, please take a look at the help pages, Experts here are always here to help you solve your questions, but they like to be awarded for their work using the points system. The points system makes this site as valuable as it is at the moment.
You should really read:


p.s. welcome to Experts-Exchange, you'll learn a lot more if you stay!!
Luc FrankenEMEA Server EngineerCommented:
hmmz, I also make mistakes

http:help should be http://www.experts-exchange.com/help/

still welcome aboard!!
Luc FrankenEMEA Server EngineerCommented:
Anyway, I'm glad you found my comments helpfull.
Luc FrankenEMEA Server EngineerCommented:
Hi barbtrd

You know if you don't have a probem i can to send you a application to blocked your popup
verry good if you wand just write and i send the application 143 kb

<edited by CS>
Luc FrankenEMEA Server EngineerCommented:
lominy, please take a look here: http:/help.jsp#hi99 Posting your e-mailaddress is a violation of the Member Agreement.

also, there is a list of popupblockers allready in this tread.
*** advertising removed by Netminder, Site Admin ***
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.