
Spyware? WindowsME

Discussion in 'Earlier Versions of Windows' started by KathyRR, Sep 24, 2003.

  1. KathyRR

    KathyRR Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    10
    I am new to this site so I hope you will bear with me. I am fairly sure my teenager has visited sites that have put something on the computer. I am running WinME with a cable modem and Roadrunner. The computer has slowed down a lot in the last couple of weeks. The performance tab shows a maximum of 42% on start up. I also notice that the cable modem light blinks constantly (even when not on Internet Explorer) and sometimes it doesn't blink, just stays on. The internet locks up very frequently. I just ran SpyBot and Adaware and took care of the things they found. I also have AdSubtract on here hoping to find the sites that are accessing without being asked. Norton Internet Security's log shows activity every 5 minutes always and often every 1-2 minutes. The log lists websites that I know I haven't been to. Am I right? Is this Spyware? After reading through this site I have the registry log which I am pasting if this helps.
    Thank you for any help. I have to go pick up the teenager from school now, but I don't think she will be on the computer today.

    Logfile of HijackThis v1.97.2
    Scan saved at 1:53:58 PM, on 9/24/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\HPZTSB04.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\FONTS\SYSTEM\EXPLORER\MRU\MSNI.EXE
    C:\PROGRAM FILES\ROAD RUNNER\MEDIC\RRMEDIC.EXE
    C:\PROGRAM FILES\EPSON\EPSON SMART PANEL FOR SCANNER\ESPMAIN.EXE
    C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
    C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\SYSTEM\tpabnwin.dll
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
    O4 - Startup: WebPatch Check.lnk = C:\Program Files\WebPatchWizard\WebPatch Autostart.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
    O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab
     
  2. Wet Chicken

    Wet Chicken

    Joined:
    Sep 11, 2000
    Messages:
    10,674
    Spyware is everywhere on the net these days so you would have picked some up sooner or later ;)

    Did you update spybot and AdAware before you ran them? If not update them and run them again (let us know how many it found). Then I would post the hijackthis list again (unless you already updated) so we can weed through it and make sure that everything is squeaky clean ;)
     
  3. Alaska

    Alaska

    Joined:
    Jun 19, 2003
    Messages:
    303
    Hey Wet Chicken, How's it going? Please read KathyRR's post again. ;)

    Added on edit: O.K. I see you edited your post. (y)
     
  4. Wet Chicken

    Wet Chicken

    Joined:
    Sep 11, 2000
    Messages:
    10,674
    Oh and welcome to the forum :D
     
  5. Wet Chicken

    Wet Chicken

    Joined:
    Sep 11, 2000
    Messages:
    10,674
    Ha ha I beat you to it :p I'm rushing around and spreading myself too thin today :D Probably wouldn't hurt to remove the sand from my eyes :eek: All's well that ends well ;)
     
  6. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,403
    First Name:
    Frank
    Kathy:

    You need to reduce your startup load in the MSCONFIG startup tab. Read here.

    I'm also using Roadrunner cable on my 98SE computer. Your advertised connection speeds should be 384/2000(upload/download).

    Unplug the power from your cable modem, wait 1 - 2 minutes, then plug it back in. This allows your cable modem to refresh itself. It's good to do this about once a week, especially if your computer stays on 24/7.

    By the way, there are several things that you can do to increase and optimize your cable connection.

    The first thing to do is go here and download and install Cablenut 4.08.

    Once you finish doing that, open the Cablenut adjuster window and enter the following values:

    BcastNameQueryCount - 1
    BcastQueryTimeout - 100
    BSDUrgent - 1
    CacheTimeout - 600000
    DefaultRecvWindow - 128480
    DefaultTTL - 64
    EnableDNS - 0
    GlobalMaxTcpWindoSize - 128480
    KeepAliveInterval - 500
    KeepAliveTime - 14400000
    Lanabase - 0
    LocalCopyMade - 1
    MaxConnections - 64
    MaxConnectRetries - 5
    MaxDataRetries - 99
    NameTableSize - 255
    NameSrvQueryTimeout - 100
    PMTUBlackHoleDetect - 0
    PMTUDiscovery - 1
    RoutingBufSize - 146432
    RoutingPackets - 100
    SackOpts - 1
    SessionKeepAlive - 7200
    SessionTableSize - 255
    Size/Small/Medium/Large - 3
    Tcp1323Opts - 1
    TcpTimedWaitDelay - 30
    MaxDupAcks - 3
    DefaultTOS - 92
    IGMPLevel - 2
    MaxConnectionsPer1_0Server - 20
    MaxConnectionsPerServer - 10

    Save the settings to the registry, then reboot.

    For additional tweaks and settings for your cable connection, go here.


    Frank's Windows 95/98 Tips
     
  7. KathyRR

    KathyRR Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    10
    Concerning the original log I sent, this was run after running Adaware and Spybot, both updated. I ran them both today, Adaware updated 2 days ago and Spybot today. Is there something on there that is trying to contact the internet even when I haven't opened IE?

    As to the Start up list. I have tried to pare it down but it doesn't seem to help. Here is the MSCONFIG list along with the items that I have unchecked.

    ScanRegistry
    TaskMonitor
    System Tray
    LoadPowerProfile
    EnsoniqMixer
    tgcmd
    HPDJ Taskbar Utility
    ccApp
    ccRegVfy
    Windows System Tray
    LoadPowerProfile
    SchedulingAgent
    SSDPSRV
    *StateMgr
    ccEvtMgr
    Nisum
    CCPxySvc
    ScriptBlocking
    Medic
    WebPatch Check
    Microsoft Office StartUp
    EPSON SMART PANEL for Scanner
    AdSubtract

    Unchecked:
    PC Health
    StillImage Monitor
    Microsoft Office StartUp
    WebPatch Check
    EPSON SMART PANEL for Scanner
    Quicken StartUp
    Billminder
    QuickBooks Delivery Agent
    CreataCard Gold 2 Forget Me Not Reminders
    Cal Reminder Shortcut
    HotSync Manager
    America Online 6.0 Tray Icon
    Scheduler
    Medic
    Office StartUp


    I checked the sites you recommended, tgcmd and ensoniqmixer are probably not needed. Does anyone agree?
    I have tried to uncheck Microsoft Office startup but it seems to keep reappearing.

    Thanks for your time, I am going crazy with this.
     
  8. Wet Chicken

    Wet Chicken

    Joined:
    Sep 11, 2000
    Messages:
    10,674
    Right click on your start button.

    Choose Explore.

    Look for a folder called Start Up.

    Is Office hiding in there? If so, then delete :D
     
  9. KathyRR

    KathyRR Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    10
    Microsoft Office Tools is under Start Menu. Is that the same as StartUp?
     
  10. KathyRR

    KathyRR Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    10
    Another note to the above: There is a very long list of programs under the Start Menu. Should they all be there? Does that mean they are loading every time on start?
     
  11. Wet Chicken

    Wet Chicken

    Joined:
    Sep 11, 2000
    Messages:
    10,674
    Yep and they are robbing you of resources :eek:

    Those are shortcuts to start the programs. If you remove the shortcut, the program won't start when the computer boots startup :D
     
  12. KathyRR

    KathyRR Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    10
    Thanks for that info, I thought that what showed when I typed MSCONFIG was all that was starting every time. No wonder it has slowed down, a quick glance seems to tell me that almost every program is starting. I will start deleting the shortcuts tomorrow.
    Can anyone look over the HJT log file for me?

    Thanks again.
     
  13. Wet Chicken

    Wet Chicken

    Joined:
    Sep 11, 2000
    Messages:
    10,674
    If it's possible I would post a picture of what's in that folder before you start deleting everything. Just make sure that they are only shortcuts that you are deleting. Go ahead and post your HJT log and I'm sure someone will be able to look through it for you ;)
     
  14. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,403
    First Name:
    Frank
    KathyRR:

    You can still trim down more from your startup list.

    ScanRegistry, SystemTray, StateMgr, and your antivirus program should remain checked and enabled. Many of the others can be unchecked and disabled.

    If you check out the 4 links in my article, "MSCONFIG - Reduce Your Startup Load", you'll be able to read about most all these items and decide which ones to disable.


    Frank's Windows 95/98 Tips
     
  15. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    Hi KathyRR,

    You can have Hijack This fix these 3 entries, then reboot your computer

    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)


    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab

    Good luck
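
The check behind the three entries listed above, as an added example that is not part of any post in this thread: it parses O2 (BHO) and O16 (DPF) lines, reports BHO registrations whose file is gone, and links them to download entries with the same CLSID. The sample lines are an excerpt of the log posted earlier in the thread; the regexes assume the HijackThis v1.97.2 line layout seen there, and `review` is a name chosen for this example.

```python
import re

# Excerpt of the HijackThis log posted in this thread (O2 and O16 lines only).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Assumed layout: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.*)$")
# Assumed layout: "O16 - DPF: {CLSID} [(<name>)] - <download URL>"
DPF_RE = re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*)\))? - (?P<url>\S+)$")


def review(log_text):
    """Return (orphaned BHO entries, DPF entries sharing a CLSID with them)."""
    bhos, dpfs = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := DPF_RE.match(line):
            dpfs.append(m.groupdict())
    # "(no file)" means the registry still registers the BHO but its DLL is gone.
    orphans = [b for b in bhos if b["target"] == "(no file)"]
    orphan_ids = {b["clsid"].upper() for b in orphans}
    # A download entry with the same CLSID shows where that component was fetched from.
    related = [d for d in dpfs if d["clsid"].upper() in orphan_ids]
    return orphans, related


if __name__ == "__main__":
    orphans, related = review(SAMPLE_LOG)
    for b in orphans:
        print("orphaned BHO:", b["clsid"])
    for d in related:
        print("same CLSID in DPF:", d["clsid"], "->", d["url"])
```
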
     
Short URL to this thread: https://techguy.org/167133
