Jump to content


Photo

Pop-up help


  • Please log in to reply
3 replies to this topic

#1 sights0d

sights0d

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 02 June 2004 - 11:55 AM

:grrr: I've been getting these weird pop-ups at work. I allowed my TA to use my classroom computer for all of 10 minutes and now I'm getting pop-ups. I don't know what to do. I DLed a pop-up blocker and it didn't do much. So... now what? I ran HJT and there are a couple weird items in it... which ones should I remove?

Logfile of HijackThis v1.97.7
Scan saved at 9:53:48 AM, on 6/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\GNET98\GMNET.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
F0 - system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NetMouse] C:\GNET98\gmnet.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [HP Port Resolver] c:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] c:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qcp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7869.5224537037
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...mail/ac4sbc.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab



#2 Starwaves

Starwaves

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 02 June 2004 - 10:25 PM

Hi,
Here's the spyware you need to remove. But first you have to uninstall NewDotNet. It is a winsock LSP and can interfere with your internet connections if not removed properly.

Click on start / settings / control panel / add remove programs
In that list look for NewDotNet and - or - New.Net, highlight them and click remove, it's entries also appear in your Hijack log, but you need to successfully uninstall it before you can remove it's entries in Hijack,

While your in 'add remove programs' also look for IncrediFind and remove it too,

------>

Run the scan for Hijack again, put a check next to all of the following and click 'Fix' ...


C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE

C:\WINDOWS\SYSUPD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch


O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE

O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s


010 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

------->

Reboot into 'safe mode' - start pc, tap F8 key till you see the black windows startup screen, select 'safe mode' using your up and down arrow keys and hit enter,

Click - start / find / all files .....
search for and delete the following files:
WCMDMGR.EXE
TWAINTEC.DLL
SYSUPD.EXE
INCFIN~1.DLL


Now search for and delete these folders:
"WT"

"IncrediFind"


Use the quotations in your search, that will eliminate everything except these exact folders, if they don't come up, don't worry,

:)

#3 Starwaves

Starwaves

    Member

  • Full Member
  • Pip
  • 34 posts

Posted 02 June 2004 - 10:26 PM

Hi,
Here's the spyware you need to remove. But first you have to uninstall NewDotNet. It is a winsock LSP and can interfere with your internet connections if not removed properly.

Click on start / settings / control panel / add remove programs
In that list look for NewDotNet and - or - New.Net, highlight them and click remove, it's entries also appear in your Hijack log, but you need to successfully uninstall it before you can remove it's entries in Hijack,

While your in 'add remove programs' also look for IncrediFind and remove it too,

------>

Run the scan for Hijack again, put a check next to all of the following and click 'Fix' ...


C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE

C:\WINDOWS\SYSUPD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\ATPART~1.DLL

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch


O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE

O4 - HKLM\..\Run: [New.net Startup] rundll32
C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s


010 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

------->

Reboot into 'safe mode' - start pc, tap F8 key till you see the black windows startup screen, select 'safe mode' using your up and down arrow keys and hit enter,

Click - start / find / all files .....
search for and delete the following files:
WCMDMGR.EXE
TWAINTEC.DLL
SYSUPD.EXE
INCFIN~1.DLL


Now search for and delete these folders:
"WT"

"IncrediFind"


Use the quotations in your search, that will eliminate everything except these exact folders, if they don't come up, don't worry,

:)

#4 sights0d

sights0d

    Member

  • Full Member
  • Pip
  • 57 posts

Posted 02 June 2004 - 11:46 PM

You're awesome! I'll do it when I get back to work tomorrow. Thanks!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button