Spyware? WindowsME

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

KathyRR

Thread Starter
Joined
Sep 24, 2003
Messages
10
I am new to this site so I hope you will bear with me. I am fairly sure my teenager has visited sites that have put something on the computer. I am running WinME with a cable modem and Roadrunner. The computer has slowed down a lot in the last couple of weeks. The performance tab shows a maximum of 42% on start up. I also notice that the cable modem light blinks constantly (even when not on Internet Explorer) and sometimes it doesn't blink, just stays on. The internet locks up very frequently. I just ran SpyBot and Adaware and took care of the things they found. I also have AdSubtract on here hoping to find the sites that are accessing without being asked. Norton Internet Security's log shows activity every 5 minutes always and often every 1-2 minutes. The log lists websites that I know I haven't been to. Am I right? Is this Spyware? After reading through this site I have the registry log which I am pasting if this helps.
Thank you for any help. I have to go pick up the teenager from school now, but I don't think she will be on the computer today.

Logfile of HijackThis v1.97.2
Scan saved at 1:53:58 PM, on 9/24/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\FONTS\SYSTEM\EXPLORER\MRU\MSNI.EXE
C:\PROGRAM FILES\ROAD RUNNER\MEDIC\RRMEDIC.EXE
C:\PROGRAM FILES\EPSON\EPSON SMART PANEL FOR SCANNER\ESPMAIN.EXE
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\SYSTEM\tpabnwin.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Startup: WebPatch Check.lnk = C:\Program Files\WebPatchWizard\WebPatch Autostart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab
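A first-pass triage of a HijackThis log like the one above, as an added example that is not part of the original post or of HijackThis itself. The three checks are heuristics assumed here for illustration (a BHO whose file is missing, a BHO CLSID that also appears as an O16 downloaded component, an autostart path under a fonts directory); they mark entries for manual review and are not verdicts. The sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")  # section code, then the entry text
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Group HijackThis entries by section code (R0, O2, O4, O16, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def triage(log):
    """Return (code, reason, entry) tuples that deserve a manual look."""
    s = parse(log)
    findings = []
    # CLSIDs of components installed from a web download (O16 - DPF lines).
    dpf_ids = {c.upper() for e in s["O16"] for c in CLSID.findall(e)}
    for e in s["O2"]:
        ids = {c.upper() for c in CLSID.findall(e)}
        if e.endswith("(no file)"):  # assumed heuristic: leftover registration
            findings.append(("O2", "BHO registered but file missing", e))
        if ids & dpf_ids:  # assumed heuristic: BHO arrived via a web download
            findings.append(("O2", "BHO CLSID also listed under O16", e))
    for e in s["O4"]:
        if "\\fonts\\" in e.lower():  # assumed heuristic: unusual program path
            findings.append(("O4", "autostart executable under a fonts directory", e))
    return findings

if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {entry}")
```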
 
Joined
Sep 11, 2000
Messages
10,673
Spyware is everywhere on the net these days so you would have picked some up sooner or later ;)

Did you update spybot and AdAware before you ran them? If not update them and run them again (let us know how many it found). Then I would post the hijackthis list again (unless you already updated) so we can weed through it and make sure that everything is squeaky clean ;)
 
Joined
Jun 19, 2003
Messages
303
Originally posted by Wet Chicken:
I would download and update spybot and or AdAware. Run them and they will automatically remove all of the spyware for you (let us know how many it found).
Hey Wet Chicken, How's it going? Please read KathyRR's post again. ;)

Added on edit: O.K. I see you edited your post. (y)
 
Joined
Sep 11, 2000
Messages
10,673
Originally posted by Alaska:
Hey Wet Chicken, How's it going? Please read KathyRR's post again. ;)
Ha ha I beat you to it :p I'm rushing around and spreading myself too thin today :D Probably wouldn't hurt to remove the sand from my eyes :eek: All's well that ends well ;)
 

flavallee

Trusted Advisor
Joined
May 12, 2002
Messages
81,320
First Name
Frank
Kathy:

You need to reduce your startup load in the MSCONFIG startup tab. Read here.

I'm also using Roadrunner cable on my 98SE computer. Your advertised connection speeds should be 384/2000(upload/download).

Unplug the power from your cable modem, wait 1 - 2 minutes, then plug it back in. This allows your cable modem to refresh itself. It's good to do this about once a week, especially if your computer stays on 24/7.

By the way, there are several things that you can do to increase and optimize your cable connection.

The first thing to do is go here and download and install Cablenut 4.08.

Once you finish doing that, open the Cablenut adjuster window and enter the following values:

BcastNameQueryCount - 1
BcastQueryTimeout - 100
BSDUrgent - 1
CacheTimeout - 600000
DefaultRecvWindow - 128480
DefaultTTL - 64
EnableDNS - 0
GlobalMaxTcpWindoSize - 128480
KeepAliveInterval - 500
KeepAliveTime - 14400000
Lanabase - 0
LocalCopyMade - 1
MaxConnections - 64
MaxConnectRetries - 5
MaxDataRetries - 99
NameTableSize - 255
NameSrvQueryTimeout - 100
PMTUBlackHoleDetect - 0
PMTUDiscovery - 1
RoutingBufSize - 146432
RoutingPackets - 100
SackOpts - 1
SessionKeepAlive - 7200
SessionTableSize - 255
Size/Small/Medium/Large - 3
Tcp1323Opts - 1
TcpTimedWaitDelay - 30
MaxDupAcks - 3
DefaultTOS - 92
IGMPLevel - 2
MaxConnectionsPer1_0Server - 20
MaxConnectionsPerServer - 10

Save the settings to the registry, then reboot.

For additional tweaks and settings for your cable connection, go here.


Frank's Windows 95/98 Tips
 

KathyRR

Thread Starter
Joined
Sep 24, 2003
Messages
10
Concerning the original log I sent, this was run after running Adaware and Spybot, both updated. I ran them both today, Adaware updated 2 days ago and Spybot today. Is there something on there that is trying to contact the internet even when I haven't opened IE?

As to the Start up list. I have tried to pare it down but it doesn't seem to help. Here is the MSCONFIG list along with the items that I have unchecked.

ScanRegistry
TaskMonitor
System Tray
LoadPowerProfile
EnsoniqMixer
tgcmd
HPDJ Taskbar Utility
ccApp
ccRegVfy
Windows System Tray
LoadPowerProfile
SchedulingAgent
SSDPSRV
*StateMgr
ccEvtMgr
Nisum
CCPxySvc
ScriptBlocking
Medic
WebPatch Check
Microsoft Office StartUp
EPSON SMART PANEL for Scanner
AdSubtract

Unchecked:
PC Health
StillImage Monitor
Microsoft Office StartUp
WebPatch Check
EPSON SMART PANEL for Scanner
Quicken StartUp
Billminder
QuickBooks Delivery Agent
CreataCard Gold 2 Forget Me Not Reminders
Cal Reminder Shortcut
HotSync Manager
America Online 6.0 Tray Icon
Scheduler
Medic
Office StartUp


I checked the sites you recommended, tgcmd and ensoniqmixer are probably not needed. Does anyone agree?
I have tried to uncheck Microsoft Office startup but it seems to keep reappearing.

Thanks for your time, I am going crazy with this.
 
Joined
Sep 11, 2000
Messages
10,673
Originally posted by KathyRR:
I have tried to uncheck Microsoft Office startup but it seems to keep reappearing
Right click on your start button.

Choose Explore.

Look for a folder called Start Up.

Is Office hiding in there? If so, then delete :D
 

KathyRR

Thread Starter
Joined
Sep 24, 2003
Messages
10
Microsoft Office Tools is under Start Menu. Is that the same as StartUp?
 

KathyRR

Thread Starter
Joined
Sep 24, 2003
Messages
10
Another note to the above: There is a very long list of programs under the Start Menu. Should they all be there? Does that mean they are loading every time on start?
 
Joined
Sep 11, 2000
Messages
10,673
Yep and they are robbing you of resources :eek:

Those are shortcuts to start the programs. If you remove the shortcut, the program won't start when the computer boots startup :D
 

KathyRR

Thread Starter
Joined
Sep 24, 2003
Messages
10
Thanks for that info, I thought that what showed when I typed MSCONFIG was all that was starting every time. No wonder it has slowed down, a quick glance seems to tell me that almost every program is starting. I will start deleting the shortcuts tomorrow.
Can anyone look over the HJT log file for me?

Thanks again.
 
Joined
Sep 11, 2000
Messages
10,673
If it's possible I would post a picture of what's in that folder before you start deleting everything. Just make sure that they are only shortcuts that you are deleting. Go ahead and post your HJT log and I'm sure someone will be able to look through it for you ;)
 

flavallee

Trusted Advisor
Joined
May 12, 2002
Messages
81,320
First Name
Frank
KathyRR:

You can still trim down more from your startup list.

ScanRegistry, SystemTray, StateMgr, and your antivirus program should remain checked and enabled. Many of the others can be unchecked and disabled.

If you check out the 4 links in my article, "MSCONFIG - Reduce Your Startup Load", you'll be able to read about most all these items and decide which ones to disable.


Frank's Windows 95/98 Tips
 