# Spyware? WindowsME



## KathyRR (Sep 24, 2003)

I am new to this site so I hope you will bear with me. I am fairly sure my teenager has visited sites that have put something on the computer. I am running WinME with a cable modem and Roadrunner. The computer has slowed down a lot in the last couple of weeks. The performance tab shows a maximum of 42% on start up. I also notice that the cable modem light blinks constantly (even when not on Internet Explorer) and sometimes it doesn't blink, just stays on. The internet locks up very frequently. I just ran SpyBot and Adaware and took care of the things they found. I also have AdSubtract on here hoping to find the sites that are accessing without being asked. Norton Internet Security's log shows activity every 5 minutes always and often every 1-2 minutes. The log lists websites that I know I haven't been to. Am I right? Is this Spyware? After reading through this site I have the registry log which I am pasting if this helps.
Thank you for any help. I have to go pick up the teenager from school now, but I don't think she will be on the computer today.

Logfile of HijackThis v1.97.2
Scan saved at 1:53:58 PM, on 9/24/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\FONTS\SYSTEM\EXPLORER\MRU\MSNI.EXE
C:\PROGRAM FILES\ROAD RUNNER\MEDIC\RRMEDIC.EXE
C:\PROGRAM FILES\EPSON\EPSON SMART PANEL FOR SCANNER\ESPMAIN.EXE
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\SYSTEM\tpabnwin.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Startup: WebPatch Check.lnk = C:\Program Files\WebPatchWizard\WebPatch Autostart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab


----------



## Wet Chicken (Sep 11, 2000)

Spyware is everywhere on the net these days so you would have picked some up sooner or later 

Did you update Spybot and AdAware before you ran them? If not, update them and run them again (let us know how many it found). Then I would post the HijackThis list again (unless you already updated) so we can weed through it and make sure that everything is _squeaky_ clean.


----------



## Alaska (Jun 20, 2003)

> _Originally posted by Wet Chicken:_
> *I would download and update spybot and or AdAware. Run them and they will automatically remove all of the spyware for you (let us know how many it found).*


Hey Wet Chicken, How's it going? Please read KathyRR's post again. 

Added on edit: O.K. I see you edited your post. :up:


----------



## Wet Chicken (Sep 11, 2000)

Oh and welcome to the forum


----------



## Wet Chicken (Sep 11, 2000)

> _Originally posted by Alaska:_
> *Hey Wet Chicken, How's it going? Please read KathyRR's post again.  *


Ha ha, I beat you to it. I'm rushing around and spreading myself too thin today. Probably wouldn't hurt to remove the sand from my eyes. All's well that ends well.


----------



## flavallee (May 12, 2002)

Kathy:

You need to reduce your startup load in the MSCONFIG startup tab. Read here.

I'm also using Roadrunner cable on my 98SE computer. Your advertised connection speeds should be 384/2000(upload/download).

Unplug the power from your cable modem, wait 1 - 2 minutes, then plug it back in. This allows your cable modem to refresh itself. It's good to do this about once a week, especially if your computer stays on 24/7.

By the way, there are several things that you can do to increase and optimize your cable connection.

The first thing to do is go here and download and install Cablenut 4.08.

Once you finish doing that, open the Cablenut adjuster window and enter the following values:

BcastNameQueryCount - 1
BcastQueryTimeout - 100
BSDUrgent - 1
CacheTimeout - 600000
DefaultRecvWindow - 128480 
DefaultTTL - 64
EnableDNS - 0
GlobalMaxTcpWindowSize - 128480
KeepAliveInterval - 500
KeepAliveTime - 14400000 
Lanabase - 0
LocalCopyMade - 1
MaxConnections - 64
MaxConnectRetries - 5
MaxDataRetries - 99
NameTableSize - 255
NameSrvQueryTimeout - 100
PMTUBlackHoleDetect - 0
PMTUDiscovery - 1
RoutingBufSize - 146432
RoutingPackets - 100
SackOpts - 1
SessionKeepAlive - 7200
SessionTableSize - 255
Size/Small/Medium/Large - 3
Tcp1323Opts - 1
TcpTimedWaitDelay - 30
MaxDupAcks - 3
DefaultTOS - 92
IGMPLevel - 2
MaxConnectionsPer1_0Server - 20
MaxConnectionsPerServer - 10

Save the settings to the registry, then reboot.

For additional tweaks and settings for your cable connection, go here.

Frank's Windows 95/98 Tips


----------



## KathyRR (Sep 24, 2003)

Concerning the original log I sent, this was run after running Adaware and Spybot, both updated. I ran them both today, Adaware updated 2 days ago and Spybot today. Is there something on there that is trying to contact the internet even when I haven't opened IE?

As to the Start up list. I have tried to pare it down but it doesn't seem to help. Here is the MSCONFIG list along with the items that I have unchecked.

ScanRegistry 
TaskMonitor 
System Tray 
LoadPowerProfile 
EnsoniqMixer 
tgcmd 
HPDJ Taskbar Utility 
ccApp 
ccRegVfy 
Windows System Tray 
LoadPowerProfile 
SchedulingAgent 
SSDPSRV 
*StateMgr 
ccEvtMgr 
Nisum 
CCPxySvc 
ScriptBlocking 
Medic 
WebPatch Check 
Microsoft Office StartUp 
EPSON SMART PANEL for Scanner 
AdSubtract 

Unchecked: 
PC Health 
StillImage Monitor 
Microsoft Office StartUp 
WebPatch Check 
EPSON SMART PANEL for Scanner 
Quicken StartUp 
Billminder 
QuickBooks Delivery Agent 
CreataCard Gold 2 Forget Me Not Reminders 
Cal Reminder Shortcut 
HotSync Manager 
America Online 6.0 Tray Icon 
Scheduler 
Medic 
Office StartUp 


I checked the sites you recommended, tgcmd and ensoniqmixer are probably not needed. Does anyone agree?
I have tried to uncheck Microsoft Office startup but it seems to keep reappearing.

Thanks for your time, I am going crazy with this.


----------



## Wet Chicken (Sep 11, 2000)

> _Originally posted by KathyRR:_
> *I have tried to uncheck Microsoft Office startup but it seems to keep reappearing*


*Right* click on your start button.

Choose *Explore.*

Look for a folder called *Start Up.*

Is Office hiding in there? If so, then delete


----------



## KathyRR (Sep 24, 2003)

Microsoft Office Tools is under Start Menu. Is that the same as StartUp?


----------



## KathyRR (Sep 24, 2003)

Another note to the above: There is a very long list of programs under the Start Menu. Should they all be there? Does that mean they are loading every time on start?


----------



## Wet Chicken (Sep 11, 2000)

Yep and they are robbing you of resources  

Those are shortcuts to start the programs. If you remove the shortcut, the program won't start when the computer boots up.


----------



## KathyRR (Sep 24, 2003)

Thanks for that info, I thought that what showed when I typed MSCONFIG was all that was starting every time. No wonder it has slowed down, a quick glance seems to tell me that almost every program is starting. I will start deleting the shortcuts tomorrow.
Can anyone look over the HJT log file for me?

Thanks again.


----------



## Wet Chicken (Sep 11, 2000)

If it's possible I would post a picture of what's in that folder before you start deleting everything. Just make sure that they are only shortcuts that you are deleting. Go ahead and post your HJT log and I'm sure someone will be able to look through it for you


----------



## flavallee (May 12, 2002)

KathyRR:

You can still trim down more from your startup list.

ScanRegistry, SystemTray, StateMgr, and your antivirus program should remain checked and enabled. Many of the others can be unchecked and disabled.

If you check out the 4 links in my article, "MSCONFIG - Reduce Your Startup Load", you'll be able to read about most all these items and decide which ones to disable.

Frank's Windows 95/98 Tips


----------



## BlueSpruce (Jul 24, 2003)

Hi KathyRR,

You can have HijackThis fix these 3 entries, then reboot your computer:

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab

Good luck


----------



## KathyRR (Sep 24, 2003)

Sorry it took so long to get back here.
I fixed the 3 items you suggested, could you please look at this again and tell me what you see? I don't really know a lot but I was wondering if part of the slow down could be caused by Norton Internet Security having to work so much. This morning I started IE, which opened the Roadrunner homepage and let it sit for 30 minutes. When I checked the Connections Log and Privacy Log in Norton, the Connections log printed out at 11 pages and the Privacy Log at 29 pages. The only part of the logs I printed was the activity over that 30 minutes. The Privacy log has times on it, all the activity occurred in the first 30 seconds so maybe that isn't a problem. But one of the things I notice is that there seem to be items repeatedly blocked, then finally permitted. Maybe this is common with cable connections or with RoadRunner?

Thanks for your time

Logfile of HijackThis v1.97.2
Scan saved at 12:42:10 PM, on 9/26/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\FONTS\SYSTEM\EXPLORER\MRU\MSNI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ROAD RUNNER\MEDIC\RRMEDIC.EXE
C:\PROGRAM FILES\EPSON\EPSON SMART PANEL FOR SCANNER\ESPMAIN.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\SYSTEM\tpabnwin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunOnce: [AdSubtract] C:\Program Files\AdSubtract\Cleaner.exe wipedat
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Startup: WebPatch Check.lnk = C:\Program Files\WebPatchWizard\WebPatch Autostart.exe
O4 - Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab


----------



## Wet Chicken (Sep 11, 2000)

> _Originally posted by KathyRR:_
> * I was wondering if part of the slow down could be caused by Norton Internet Security having to work so much.
> *


Well that's possible. When I used to use Norton Internet Security it made my computer _sooooooooo_ slow and then I discovered Zone Alarm and I've never looked back! Norton makes a lot of good products, but I don't think Internet Security is one of them


----------



## bayanbaru (Jun 9, 2003)

Recently my Ad-Aware keeps shutting down due to an illegal operation after performing the scan. I am using Windows 95 and IE 5.0.


----------



## bayanbaru (Jun 9, 2003)

Need help. It's driving me crazy!!!!!


----------



## $teve (Oct 9, 2001)

Hi Kathy......you have quite a bit more to "fix"

Run HijackThis again and put a checkmark against these entries... double check in case you miss anything... then close all browser and Outlook windows and "fix checked":

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O2 - BHO: (no name) - {89044184-F260-4FDD-8FAB-2662814846E5} - C:\WINDOWS\SYSTEM\tpabnwin.dll

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf

O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab

Re-boot into and delete the following:
C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe 
C:\PROGRAM FILES\MYWAY [ENTIRE FOLDER]
C:\WINDOWS\SYSTEM\tpabnwin.dll

For the blue item:
Check the folders leading to it and make sure there is nothing you recognise or have placed there yourself. The genuine fonts folder is in C:\Windows..... I suspect the whole file path is bad but you need to make sure there's nothing there of importance.
If not, delete the whole: C:\WINDOWS\SYSTEM\fonts [ENTIRE FOLDER]

Before deleting the item in RED 
could you send me a zipped copy of the file for analysis please?
[email protected]


----------
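An added example, not part of any poster's message and not HijackThis's own logic: a small Python triage over an excerpt of the first log posted above, applying three checks the reviewers in this thread relied on (a BHO whose file is "(no file)", an autorun executable nested under a `fonts` directory, and an O16 ActiveX entry that shares a CLSID with a no-file BHO or carries no name). The function names `parse_entries` and `triage` and the wording of the reasons are assumptions of this sketch.

```python
import re

# Excerpt of the first HijackThis log posted in this thread (lines copied from the page).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\FONTS\SYSTEM\EXPLORER\MRU\MSNI.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Windows System Tray] C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\msni.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/dmb/dm1.cab
"""

# "R1 - ...", "O2 - ...", "O16 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# {8-4-4-4-12} hex GUID, 36 characters between the braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A named O16 entry looks like "{CLSID} (Some Name) - url".
NAMED_DPF_RE = re.compile(r"\}\s+\(.+\)\s+-")


def parse_entries(text):
    """Return (code, body) for every registry-style entry; process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return (code, reason, body) for entries worth a closer look."""
    entries = parse_entries(text)
    findings = []
    orphan_clsids = set()

    # Pass 1: BHOs whose backing file no longer exists.
    for code, body in entries:
        if code == "O2" and body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            if m:
                orphan_clsids.add(m.group(0).upper())
            findings.append((code, "BHO registered with no file on disk", body))

    # Pass 2: autoruns in odd locations, and ActiveX entries tied to pass 1.
    for code, body in entries:
        if code == "O4":
            # Heuristic from the thread: the genuine fonts folder holds no autorun programs.
            if re.search(r"\\fonts\\", body, re.IGNORECASE) and ".exe" in body.lower():
                findings.append((code, "autorun executable under a fonts directory", body))
        elif code == "O16":
            m = CLSID_RE.search(body)
            clsid = m.group(0).upper() if m else None
            if clsid in orphan_clsids:
                findings.append((code, "ActiveX entry shares a CLSID with a no-file BHO", body))
            elif not NAMED_DPF_RE.search(body):
                findings.append((code, "ActiveX entry has no descriptive name", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {body}")
```

A flagged line is a prompt for manual review, as in the thread: legitimate software can also leave orphaned or unnamed entries.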



## $teve (Oct 9, 2001)

bayanbaru 
If you have a security problem or question could you please post your Hijackthis log in the SECURITY forum.

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## TonyKlein (Aug 26, 2001)

Kathy,

Could I ask you to please send a copy of that C:\WINDOWS\SYSTEM\fonts\system\explorer\mru\*msni.exe*
file to this e-mail address for analysis, please?
It would seem to be an all new baddie, and in that case we'd certainly like to forward copies to the developers ASAP!

We'd appreciate it!


----------



## $teve (Oct 9, 2001)

Thanx for the info Tony.:up:


----------



## TonyKlein (Aug 26, 2001)

My pleasure.

I hope Kathy will think of sending me a copy of the file before deleting it...


----------



## $teve (Oct 9, 2001)

Tony
I emailed Kathy just to let her know her log has been re-reviewed.


----------



## TonyKlein (Aug 26, 2001)

Thanks! :up:


----------



## KathyRR (Sep 24, 2003)

Steve and Tony,
I can't begin to thank all of you enough. I did take off broadjump after confirming with RoadRunner that it isn't necessary and I was wondering about tpabnwin since I couldn't find anything on it. I can't get back to the computer until tomorrow. Since I am not extremely computer savvy, how do I send you a zipped copy of the files in question? I'm sure that I should have mentioned that I do have Spectorsoft on this computer for monitoring my teenager.

Kathy


----------



## $teve (Oct 9, 2001)

YAWN!!..............Good morning Kathy

You will need a program like Winzip (if you don't have one already): http://www.winzip.com/
This will enable you to "zip" the file.... it's kind of like putting it in a bag or envelope before you send it.
Install Winzip (it's free and it's very handy to have around), then right click the file and choose the zip and e-mail option.

thanx


----------



## TonyKlein (Aug 26, 2001)

Or just send the files as they are. I'll be careful!


----------



## $teve (Oct 9, 2001)

And I will try to be


----------



## KathyRR (Sep 24, 2003)

Tony & Steve,
I just sent the files you requested by email. I was having trouble with the computer so if you don't get them let me know.

Thanks,
KathyRR


----------



## TonyKlein (Aug 26, 2001)

Thanks Kathy,

They haven't arrived yet, but I'll keep an eye out for them.


----------



## KathyRR (Sep 24, 2003)

Tony,
Obviously you didn't receive the email. I just sent another one.

Kathy


----------



## $teve (Oct 9, 2001)

And I haven't received it either......Kathy........you can actually forward it to Tony.

thanx


----------



## KathyRR (Sep 24, 2003)

Steve,
I sent both files to Tony and I haven't received anything that they were not able to send so I assume that they have been received. However, I didn't receive anything about yours not being able to be sent so I'm not sure. I did delete the msni files and have done the registry fixes you suggested (except for the tpabnwin) as well as some other cleaning up and the computer just started up with 73% resources. Much better than the 36% I had. I will see how it works today, but I think you guys have saved me from doing a total reinstallation. I can't thank you enough.
KathyRR


----------



## $teve (Oct 9, 2001)

Kathy...............


----------

