Pop-ups, Spyware, system slowdowns - Grrrr...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Notageekyet, Jun 28, 2004.

  1. Notageekyet

    Notageekyet Private E-2

    New here and just venturing into the wonderful twisted world of eliminating this junk without killing our computer in the process. We have a Dell Dimension Pentium 4 CPU, 768 MB RAM, running Windows ME. I'm on a dial-up connection to the internet. IE version = 6.0. I use Norton SystemWorks, Ad-Aware (free version) and Panicware Pop-Up Stopper.

    Lately we've been getting pop-ups that break through the pop-up stopper and occasionally pop up even when no dial-up connection is present. The system has become slower and slower to respond and we occasionally have our start page hijacked (lately by C5.zedo.com, flashlightsearch.com and slotch.com).

    I've run the Ad-Aware and it spots them but I want to know what I need to block them before they get in. I've been looking at the Ad-Aware Pro for $26.95 and am wondering if it will be the tool I need. Reading over the posts here, it looks like many are using multiple tools and still having troubles.

    I have two kids (9 & 14) who also use the computer and we've talked about sticking to known safe sites, but lately it seems that no site is completely safe and I'm spending hours each night doing clean up after they have been on during the daytime. I'm hoping to put on a Hardware firewall but haven't gotten into researching what is best there yet. Until then, how can I protect our system without having to spend hours each day or at each reboot doing clean up and protect?

    Any help would be appreciated...

    ~Heather~
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    SpywareBlaster, at last check, blocks 3,022 known spyware, ActiveX and other nuisances that can cause these problems. It's free. Ad-Aware is good, but a new version is supposed to be out by now, so I would hold off for a bit.

    http://www.majorgeeks.com/download2859.html

    Also a review by me:

    http://www.majorgeeks.com/review.php?id=19



    Food for thought for later... If you check their cookies or temporary images, you can usually see where they have been going; if there are sites you want to block, you can do so via the HOSTS file:
    http://www.majorgeeks.com/vb/showthread.php?t=25959
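Added example, not part of the thread and not MajorGeeks' own code: a small Python script that audits a HOSTS file the way the post above suggests, reports which of the hijacker domains named in the first post are not yet blocked, and appends sinkhole entries for them. The sample HOSTS text is constructed for the demo; the choice of 0.0.0.0 as the sinkhole address (127.0.0.1 works too) and the file location C:\WINDOWS\HOSTS on Windows ME are assumptions stated in the code.

```python
"""Audit a Windows HOSTS file and add sinkhole entries for unwanted domains.

Added example for this thread; not code from MajorGeeks or from the thread.
Assumptions: 0.0.0.0 as the sinkhole address (127.0.0.1 also works), and
the SAMPLE_HOSTS text below, which is constructed for the demo.  On
Windows ME the live file is assumed to be C:\\WINDOWS\\HOSTS (no extension).
"""

SINKHOLES = ("0.0.0.0", "127.0.0.1")
BLOCK_TARGET = "0.0.0.0"


def parse_hosts(text):
    """Return {hostname: ip} for every active mapping in HOSTS text.

    Strips comments and blank lines, accepts several names on one line,
    lower-cases names, and keeps the first mapping seen for a name.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def blocked_domains(text):
    """Names the file sends to a sinkhole address (localhost excluded)."""
    return {
        name for name, ip in parse_hosts(text).items()
        if ip in SINKHOLES and name != "localhost"
    }


def unexpected_mappings(text):
    """Names mapped to a real address.  Worth reviewing, because the HOSTS
    file is itself a target: a hijacker can add redirects to it."""
    return {
        name: ip for name, ip in parse_hosts(text).items()
        if ip not in SINKHOLES
    }


def missing_blocks(text, domains):
    """Domains from `domains` not yet sinkholed, in order, de-duplicated."""
    have = blocked_domains(text)
    wanted = []
    for d in domains:
        d = d.strip().lower()
        if d and d not in have and d not in wanted:
            wanted.append(d)
    return wanted


def add_blocks(text, domains):
    """Return HOSTS text with one sinkhole line per still-unblocked domain."""
    new = missing_blocks(text, domains)
    if not new:
        return text
    out = text if text.endswith("\n") or not text else text + "\n"
    out += "# added blocks\n"
    out += "".join(f"{BLOCK_TARGET} {d}\n" for d in new)
    return out


# Constructed sample HOSTS file.
SAMPLE_HOSTS = """\
# HOSTS file (constructed sample)
127.0.0.1       localhost
0.0.0.0         flashlightsearch.com www.flashlightsearch.com   # already blocked
192.0.2.10      intranet.example        # a real mapping, not a block
"""

# The start-page hijackers named in the first post.
HIJACKERS = ["c5.zedo.com", "flashlightsearch.com", "slotch.com", "SLOTCH.COM"]


if __name__ == "__main__":
    print("still unblocked:", missing_blocks(SAMPLE_HOSTS, HIJACKERS))
    print("real mappings to review:", unexpected_mappings(SAMPLE_HOSTS))
    print(add_blocks(SAMPLE_HOSTS, HIJACKERS))
```

Two caveats a practitioner would add: HOSTS entries only stop connections that go through name resolution, so a dialer or a downloader that uses a hard-coded IP address walks straight past them; and because the file is plain text, anything that already runs on the machine can edit it, which is why the script also lists the non-sinkhole mappings for review.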
     
  3. Boccemon

    Boccemon First Sergeant

    Welcome to MG !! I also run WinME and here's what I run to keep my computer as safe as possible:
    AdAware, SpyBot S&D, Spyware Blaster, and Crap Cleaner. It sounds as if you may already be infected with some malware and I am no expert at its removal. I do know a few things.
    WinME has System Restore, which is a great program, except that if you get infected and remove the infection, the next time you boot up you will be reinfected all over again out of System Restore.
    All of the programs above are available, free, right here on MG. Download them, then UPDATE them, then disable system restore, run all of the programs, clean up whatever it shows (you can really trust these programs), re-enable system restore, and re-boot. I am sure you will see some improvement.
    You may have to disable Panicware pop-up stopper prior to your download. Do not be surprised to see these programs want to remove a LOT of stuff. Do this and if you continue to have problems please post back.
    EDIT: Sorry MA...didn't see you there.
     
  4. Notageekyet

    Notageekyet Private E-2

    Thanks Boccemon and Major Attitude - well, tonight starts the beginning of my quest to knock out these pests. I'll start with the SpyBlaster since you both recommended it and am looking into the Ad-Aware Pro update. We use it at work and it seems to keep things under control pretty well there - but then, we also are running other software to keep things safe and we don't tend to do that much surfing there.

    Last night our Norton Anti Virus Auto-Protect came up with the Downloader.Trojan Virus and my husband spent the next 2 hours cleaning that up at 2:00 am. Grrrr...

    At work, we have McAfee but at home I have Norton - any preferences, advantages, disadvantages of these two? I use the Norton SystemWorks 2001 (Version 4.0) for most of my system maintenance and repairs. I don't know that much about McAfee's capabilities though...

    MA - you are right about the cookies and temp files. I do keep an eye on them (though the older daughter knows how to clean them out herself) and our computers are in our living room where we can peek over their shoulders any time our kids are on.

    What gets me about the malware is that it doesn't seem to come in from any particular site. They can go to the same site multiple times and sometimes the popups hit - other times nothing... I've disabled the auto dial-out on our system so it can't dial up as soon as it boots but was pretty freaked when I saw popups occurring with no dial-up connection. So it appears that the problem is already on our system and is attempting to go out to the internet as soon as the PC is booted.

    Time to go do some clean up... What a way to spend our 30th anniversary... :rolleyes:

    ~Heather~
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    SpywareBlaster will prevent a lot, not all of this. Mainly known cookies, ActiveX objects, etc. I have seen a lot of homes where the kids run around and surf and chat on AIM and infect these PCs. I have heard the new generation is computer savvy, but to me looks like my job is safe ;)
     
  6. Boccemon

    Boccemon First Sergeant

    I had Norton SystemWorks on my box for a while and found that it and WinME did not get along at all. It conflicted with many programs and used a lot of resources. I finally got rid of it, downloaded programs (free) that did as well or better, and was frankly amazed at the performance difference. It was my experience that SystemWorks is a chore to get rid of though. If it is working for you that's great, but I think there are many better options out there. I, for one, was glad to see it gone.

    It sounds as though you have some cooties already and I hope that you can get rid of them. I guess there are worse ways to spend your anniversary, I hope you have a great one!!

    Let us know how you come out??
     
  7. Just Playin

    Just Playin MajorGeek

    The only thing I have to add is get SpywareGuard. It's in the spyware section, too. It gets some of the stuff that SpywareBlaster doesn't.
     
  8. Notageekyet

    Notageekyet Private E-2

    Well, we are getting better here, but still having issues... I spent a few more hours last night combing through every file and folder looking for anything that was installed or updated in the last few weeks. The night we got hit the hardest was June 23rd around 10 pm and I'm finding numerous folders and files with that date and approximate time that I don't recognise.

    Do we have a place here where we can post symptoms in order to determine what hit us?

    I'm still getting a mix of problems:

    1. Very slow response time when opening applications like Word.
    2. Occasional inability to connect to internet. I'm on a dial up and it appears to verify and connect, but IE can't find any sites and Netscape can't download email. Running Adaware and Norton Antivirus finds nothing, but seems to reset something because after that, it connects.
    3. Occasional and unpredictable reboots. No errors or anything, it just flat out reboots itself. I was posting this post here last night when it hit and was so mad because I was within minutes of submitting and lost the entire post... :mad:
    4. Still getting popups attempting to get to the internet (this is before I open anything or attempt to dial out) so I know there is still a cootie inside here somewhere and need to find and stomp it.
    5. When opening the Windows Media Player a few days ago, we got a series of beeps and the PC powered itself off. Since then, we've gotten a notice from Norton about a Downloader.Trojan Virus. This error has also come up in various locations at other times but the address is different and each time Norton was able to quarantine it... Where is this thing and how do I find/kill/prevent it?
    Now for the long part of this post... I went through and the following list shows files and folders that I don't recognise or think might be suspicious. Can anyone identify these and help me determine whether they need to be removed or are part of a valid application?

    Spyware and other nasties questions:

    • Folder on C drive called WUTemp. Properties say it was created on Friday, April 11, 2003, 9:04:05 PM but it appears to be empty.
    • Folder on D drive called C_DILLA. Properties say it was created on Sunday, March 30, 2003, 11:22:25 PM. Its attributes show it as “Hidden” and its General tab name is SafeCast Product Licences (Interesting note: misspelling of Licenses). It contains a DAT file called BD6FD000.DAT that is both Hidden and Read Only. Application is unknown.
    • Folder on C:\Windows\Application Data called Lycos (create date = 6/23/04 10:04 pm). Contains another folder called Sidesearch. Sidesearch appears to be empty but is dated 6/25/04 10:53 am. Could this be related to a spyware Lycos toolbar that was installed on 6/23/04 at about that time of night? I was able to uninstall the toolbar but am not sure if this is a remnant or not.
    • I have another folder called Lycos that is located in the C:\Program Files and is dated 6/25/04 10:53 am. It contains a file called IEagent that appears to be empty and is dated 6/29/04 2:40 am. When I’d tried to delete this one, I got errors from Internet Explorer so I restored it. After that, I was afraid to mess with the one in the Application Data.
    • Folder in C:\Windows\System called FLEOK created 3/19/04 7:43 pm that contains two text files called log.bak.txt from 3/25/04 6:24 am and log0.txt from 3/25/04 6:24 am. The txt files seem to be logs that show information about system activities and actions taken to correct them. They aren’t long, but I’m concerned about their content. Any idea what these are?
    Log.bak.txt =
    ; nCase Log File
    ; 5.4
    ; New log session started. 03/25/2004, 12:22:49 (Process: fff8b22f)
    03/25/04 12:22:49 fff8b22f fffaf137 0 4 1061 00000000 180SA started - version : 5.4.1 .\source\nCASE.cpp 119 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:22:49 fff8b22f fffaf137 0 2 1101 00000000 found existing search assistant process - shutting it down .\source\CUtil.cpp 69 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:23:19 fff8b22f fffaf137 0 2 1102 00000000 process not dying - attempting to kill it .\source\CUtil.cpp 78 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:23:19 fff8b22f fffaf137 0 2 1104 00000000 process shutdown successful .\source\CUtil.cpp 104 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:24:05 fff8b22f fffaf137 0 2 1094 00000000 copied up new version from FLEOK directory .\source\nCASE.cpp 229 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:24:05 fff8b22f fffaf137 0 2 1068 00000000 killing debug window .\source\CDebugWin.cpp 42 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:24:05 fff8b22f fffaf137 0 4 1062 00000000 180SA exiting c:\dev\ncase\source\CVerifyExitCleanup.h 26 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt

    log0.txt =
    ; nCase Log File
    ; 5.4
    ; New log session started. 03/25/2004, 12:22:49 (Process Id: fff8b22f)
    03/25/04 12:22:49 fff8b22f fffaf137 0 4 1061 00000000 180SA started - version : 5.4.1 .\source\nCASE.cpp 119 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:22:49 fff8b22f fffaf137 0 2 1101 00000000 found existing search assistant process - shutting it down .\source\CUtil.cpp 69 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:23:19 fff8b22f fffaf137 0 2 1102 00000000 process not dying - attempting to kill it .\source\CUtil.cpp 78 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:23:19 fff8b22f fffaf137 0 2 1104 00000000 process shutdown successful .\source\CUtil.cpp 104 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:24:05 fff8b22f fffaf137 0 2 1094 00000000 copied up new version from FLEOK directory .\source\nCASE.cpp 229 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:24:05 fff8b22f fffaf137 0 2 1068 00000000 killing debug window .\source\CDebugWin.cpp 42 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    03/25/04 12:24:05 fff8b22f fffaf137 0 4 1062 00000000 180SA exiting c:\dev\ncase\source\CVerifyExitCleanup.h 26 5.4 322 324tccgnnvkjxsxdnbvehudzsuypbt
    ; Log session ending. 03/25/2004, 12:24:05



    • Folder on C:\Windows\Program Files called MaxSpeed 6/23/04 10:04. This folder has three Internet Shortcuts in it called Privacy Info, Terms and Conditions and Uninstall Instructions. These all point to a site called www.consumersoftwarelabs.com.
    • Folder on C:\Windows\Program Files called Motive 5/21/01 1:42 am. The properties on this one say it is a Motive Monitor Service Application but what surprised me were the log files with it. They seem to list all the applications on my system. Has anyone heard of this application or is it something that was loaded and is mining information to send out somewhere?
    • Folder on C:\Windows\Program Files called SEP 6/23/04 10:07 pm. There is a sep.dll and an Uninst.exe in the folder but nothing else. Again, this file being dated at the same time as we got hit with a bunch of things makes it suspect in my mind but I don’t have a list of what was on the system before that date/time.

    General cleanup questions:

    • I generally do a clean up daily on all the internet cache files and a weekly cleanup of all tmp and temp files. While looking through this system, I found the C:\Windows\Recent folder to contain over 900 entries. I know these are shortcuts to recently viewed items, but can’t imagine any reason that the folder should be kept that large. Do you delete any of these or is there a setting somewhere to auto delete after a certain number of days?
    • How do I know what in the C:\Windows\TEMP folder should be deleted? I know the tmp and temp files are okay to delete, but what about other files that I see there. My 14-year-old has gotten into the habit of downloading WMV, WAV, TMF, Adobe Acrobat & Adobe Webbuy Plugins, GIF, BMP, one called bundletracking.asp, ini files, dat, dcr, dmp, fdr, QTPluginTemp files, HTML Documents, Log files, MPEGs, MP3, MTX, ICM ICC Profiles, log files, inf files, Shockwave swf files, WinZip cab files and several exe files. There are currently 229 files in the TEMP folder that I don’t know whether to delete or leave alone. Some of these files are very large so if they aren’t needed, it would sure clean things up to delete them, but I don’t want to kill anything that my system needs either.
    • One in particular is dated 6/23/04 10:06 pm (at about the same time we got nailed by a whole bunch of popups and the Lycos search bar) and is called THI4428.TMP. It has a WinZip file, an Application extension file, Setup Information in an inf file and the exe file called preinsMt.exe. These are all named mxTarget. Does anyone know what that is and why it would be in my TEMP folder?
    And a prevention question...

    I see many types of software to clean up and remove problems after the fact and multiple programs to block it in the first place. How do these programs play with each other? I put on the SpyBlaster the other night and since, have had only a few cookies get in that AdAware spotted. If I install other blocking programs, what goes well with SpyBlaster? Do any of these work against each other?


    ~Heather~
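Added example, not part of the thread and not MajorGeeks' own code: the post above describes a manual sweep for files dated 6/23/04 around 10 pm. The Python script below does that sweep automatically: it walks a directory tree, keeps files whose modification time falls inside a window around the known event, sorts them into a timeline and flags extensions that deserve a second look. It uses modification time (st_mtime) because that is portable; Windows exposes creation time as st_ctime but Linux does not. The extension list and the sample tree (built in a temporary directory and modelled on the folder names in the post) are constructed for the demo.

```python
"""Timeline triage: list files modified in a window around a known event.

Added example for this thread; not code from MajorGeeks or the thread.
Assumptions: modification time (st_mtime) is used because it is portable
(Windows exposes creation time as st_ctime, Linux does not); SUSPECT_EXT
and the sample tree are made up for the demo.
"""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Extensions that deserve a second look when they land at event time (assumption).
SUSPECT_EXT = {".exe", ".dll", ".inf", ".tmp", ".cab", ".scr"}


def files_in_window(root, event, before=timedelta(minutes=5),
                    after=timedelta(hours=2)):
    """Walk `root`; return [(Path, mtime datetime, suspect)] for files
    whose mtime is within [event - before, event + after], oldest first.
    Unreadable entries are skipped rather than aborting the sweep."""
    lo = (event - before).timestamp()
    hi = (event + after).timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = Path(dirpath) / n
            try:
                m = p.stat().st_mtime
            except OSError:
                continue
            if lo <= m <= hi:
                hits.append((p, datetime.fromtimestamp(m),
                             p.suffix.lower() in SUSPECT_EXT))
    # Sort by time, then path, so files with identical timestamps are stable.
    hits.sort(key=lambda h: (h[1], str(h[0])))
    return hits


def build_sample_tree(root, event):
    """Constructed sample tree modelled on the folders listed in the post."""
    def touch(rel, when):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
        ts = when.timestamp()
        os.utime(p, (ts, ts))

    touch("Windows/TEMP/THI4428.TMP/preinsMt.exe", event + timedelta(minutes=2))
    touch("Program Files/SEP/sep.dll", event + timedelta(minutes=3))
    touch("Program Files/SEP/Uninst.exe", event + timedelta(minutes=3))
    touch("My Documents/letter.doc", event + timedelta(minutes=30))        # in window, benign type
    touch("Windows/Application Data/Lycos/Sidesearch/cache.dat",
          event + timedelta(days=1, hours=12))                               # outside window
    touch("Program Files/Motive/readme.txt", event - timedelta(days=1000))  # old, outside window


def triage_demo():
    """Run the sweep on the sample tree; return (relative path, suspect) pairs."""
    event = datetime(2004, 6, 23, 22, 4)   # 6/23/04 10:04 pm, the time given in the post
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, event)
        return [(p.relative_to(root).as_posix(), suspect)
                for p, _t, suspect in files_in_window(root, event)]


if __name__ == "__main__":
    for rel, suspect in triage_demo():
        print(("SUSPECT " if suspect else "        ") + rel)
```

To use it on a real machine, point files_in_window at the drive root and the event time, then review the SUSPECT hits first: an .exe or .dll that appeared in TEMP or Program Files within minutes of the pop-up burst is far more interesting than a document saved half an hour later. Timestamps can be altered by an installer, so treat this as a way to shortlist, not as proof.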
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going about this all wrong. You could spend forever cleaning up that way.

    First download and run CrapCleaner: http://www.majorgeeks.com/download4191.html
    On the Windows Tab of CrapCleaner leave the default settings and then click the Run Cleaner button on the bottom right.


    Please download HijackThis from here: http://www.majorgeeks.com/download3155.html but do not run yet.

    Make sure your copies of Ad-aware and SpyBot are up to date (Ad-aware just updated today).
    And boot in safe mode and run a full scan with Ad-aware.
    Here is how to boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    Here is how to set up Ad-aware for a full scan: http://www.lavahelp.com/howto/fullscan/index.html
    Clean what it finds. Now run SpyBot and clean what it finds.

    Now reboot in normal mode and run HijackThis, save its log, then copy and paste it into your next message.

    Some items you mentioned like sep.dll and Uninst.exe are items that will need to be cleaned up and they normally show in a HijackThis log.
     
