
pop ups


Original Message
Name: mike2159
Date: March 6, 2004 at 10:53:13 Pacific
Subject: pop ups
OS: xp
CPU/Ram: 3/256
Comment:

I am constantly receiving pop ups. I have AOL as internet provider. Pop ups coming in internet explorer window. Used spybot & ad-aware after updating them. Still having problem. Here is log file of hijack this:

Logfile of HijackThis v1.97.7
Scan saved at 1:38:20 PM, on 3/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Valued Sony Customer\Application Data\bmuu.exe
C:\WINDOWS\System32\wnscpcc.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Valued Sony Customer\Desktop\spyware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Pilot Group LLC\Save Flash 2.4\SaveFlash.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
O4 - HKCU\..\Run: [Tcsm] C:\Documents and Settings\Valued Sony Customer\Application Data\bmuu.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpcc.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Flash Catcher (HKLM)
O9 - Extra 'Tools' menuitem: Flash Catcher (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37933.5064467593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8997ACC8-0EEE-4A6E-ABA4-0C95327DB93C}: NameServer = 205.188.146.146




Response Number 1
Name: mike2159
Date: March 6, 2004 at 11:01:09 Pacific
Subject: pop ups
Reply:

I also ran my virus scan.

Finished scanning: 10:33:48 AM, 3/6/2004
Number of files scanned: 47794.
Number of files that could not be scanned: 44
Number of archives containing infected files: 1
Number of infections: 5
Number of infected files deleted: 2
Number of infected files not cleaned/deleted/renamed: 3
C:\Documents and Settings\Valued Sony Customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a603-43a4fd1b.zip>Counter.class (Java.ByteVerify.exploit trojan)
C:\Documents and Settings\Valued Sony Customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a603-43a4fd1b.zip>Dummy.class (Java.ByteVerify.exploit trojan)
C:\Documents and Settings\Valued Sony Customer\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a603-43a4fd1b.zip>Parser.class (Java.ByteVerify.exploit trojan)



Response Number 2
Name: mike2159
Date: March 6, 2004 at 11:03:01 Pacific
Subject: pop ups
Reply:

Still getting pop ups after doing scans



Response Number 3
Name: Wombat
Date: March 6, 2004 at 12:55:46 Pacific
Subject: pop ups
Reply:

Go and post your hjt log here...

www.netrn.net/phpBB2/

Iligitimi non carborundum est



Response Number 4
Name: Stinkweed
Date: March 8, 2004 at 00:06:14 Pacific
Subject: pop ups
Reply:

I just downloaded a few screensavers.. installed 2 of them... and after getting the same problem as you did.. I hunted it down... you may have what I just got.. open your Task Manager and organize the list by CPU Usage. then sit there with your mouse at the ready on the 2nd item. (first will be System Idle Process) you will see a routine of things that windows runs. (explorer, rtvscan etc...) but then one will pop up for a sec when your pop-ups appear. click that and highlight it. write it down and then end that process. for me it was

wnscpcc.exe

(your process list says you have the same)

I then hunted it down on my computer
\\winnt\system32
is where I found it. then I blasted it and went into regedit and searched for all keys linked to it and blasted them too.. job done.

Hope I helped
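
The cross-check described in the reply above (one executable name, the running process behind it, and the autostart entries that launch it) can also be read straight out of a HijackThis log. This is an added example, not part of any post in the thread; the function names are hypothetical and the sample is an excerpt of the log in the original message.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Excerpt of the HijackThis log posted in the original message.
LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wnscpcc.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpcc.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
"""

# O4 lines come in two shapes: registry Run keys and Startup-folder shortcuts.
O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - (.*Startup): (.+?) = (.+)$")
EXE = re.compile(r'"?([^"]+?\.exe)\b', re.I)  # strip quotes and arguments

def parse(log):
    """Return (running process paths, autostart entries) from a HijackThis log."""
    procs, autostarts, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process section
        elif in_procs:
            procs.append(line)
        else:
            m = O4_RUN.match(line) or O4_STARTUP.match(line)
            if m:
                exe = EXE.match(m.group(3))
                target = exe.group(1) if exe else m.group(3)
                autostarts.append({"where": m.group(1), "name": m.group(2), "target": target})
    return procs, autostarts

def trace(log, image_name):
    """Everything in the log that references one executable name."""
    procs, autostarts = parse(log)
    want = image_name.lower()
    return {
        "running": [p for p in procs if basename(p).lower() == want],
        "autostart": [a for a in autostarts if basename(a["target"]).lower() == want],
    }

if __name__ == "__main__":
    print(trace(LOG, "wnscpcc.exe"))
```

Ending the process without removing the matching autostart entry leaves it to start again at the next logon, which is why the log's O4 lines matter as much as the process list.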

