@#$%ing spyware problems........AGAIN!

Ad-Aware does a good job of taking spyware off my computer. But by the middle of the day it’s full of the stuff again, and I’m under attack by zillions of ads and sub-par computer performance.
Is there anything out there that will keep that shit off my hard drive in the first place?

And, secondly, is there any legislation in the works to ban this stuff?
What is the difference between these companies tapping into my computer use, and, say, bugging my phone? Why isn’t it a very serious crime to screw up someone’s computer like this, AND spy on their activity within their own home?
Damn I’m sick of this! It’s really making surfing the web miserable!:mad:

Yeah, there are popup blockers. I don’t use them, but from what my friend who does use them says, he can’t even watch music videos on Launch because it blocks those too. That’s the price he pays to be completely popup free. This is why I choose not to use the blockers, but I do use Adaware and Spybot. Sorry I couldn’t name programs for you. I’m sure there will be someone along soon to do so though. Hope you solve your problem soon.

You probably have stuff “stuck” in your startup.

Run AdAware, doing a deep system scan. You’ll have to customize the scan by going to “Configure” (the gear icon) and click ‘scanning’ then check the ‘Scan within archives’ button as well as everything under “memory & Registry”.

Also make sure AdAware is updated before you run it. Check for Updates and install them before starting the scan.

Then run Spybot Search & Destroy (found on www.download.com) THEN get HijackThis (also on download.com). If you are not really good with computers, post your Hijack This log either here or at the TechGuy Forums and someone will help you get rid of the right entries.

Some sites put pop ups on your computer every time you visit them. One I go to for EverQuest quest research does this. The only way to prevent them completely would be a blocker, but I don’t want one of those so I scan right after visiting the site. Still would be worth checking to make sure you’ve eradicated all signs of the evil things too. :wink:

Hitting the “Ctrl” key overrides the popup blocker on the Google toolbar.

I use a pop-up blocker. The satanwa…uh, I mean spyware overrides it!:mad::eek:

Also, might I suggest switching to a Mozilla browser, either Mozilla 1.7 or Firefox? Internet Explorer is the reason most of this stuff exists, sadly, because of the way it’s structured.

Definitely keep Ad-aware and Spybot updated and running.

I switched to Firefox for this very reason. Between not using IE and running Ad-Aware every day or so I haven’t had any more problems on my PC.

SpywareBlaster keeps spyware off your system in the first place; Spybot actually recommends it after immunization.

I completely agree with the others who said to stop using Internet Explorer, but also make sure your new browser isn’t using the Internet Explorer engine. Mozilla, (Mozilla) Firefox, and Opera are great browsers that use their own engines. They also use their own pop up blockers. When you come across a webpage that needs Internet Explorer, use MyIE2.

Alright. I just completed doing everything you said here, especially the customize of Ad-Aware, and I used spyblaster. It’s Sunday, May 16, 2004, at 7:50 p.m. CST. Let’s see how long it takes for spyware to attack me again. It usually takes 6 hours or less.
I’ll report back.

I’ve been trying to do all this. I did OK with AdAware; it found 15 somethings. Spyware found no threats. But when I try to download HijackThis I get a window that says “The documents format is invalid or not supported”; oddly enough, it comes up over something called imaging.

I’ve been running virus scans for a couple of days without finding anything. The computer seems to be running really slow. I’m not sure if a teenager downloaded something or if the monitor is just crashing, but on the right of the monitor there is an inch lost to black; everything is there, it’s just smaller because of the black space. Also the whole screen color has gone pink and blue. It’s rather painful on the eyes.

I suspect there are a lot of things running on startup that I don’t want. Someone showed me quite a while back what to do about this, and I’ve poked around, but I cannot remember and frankly, I’m afraid to mess up the computer further.

And now it’s Thursday, June 3rd, 2004. Not a single bit of spyware on my 'puter.
Thanks ZipperJJ:slight_smile:

Not to hijack the thread, but----for the last month or so, whenever I run SpyBot I get a message that says “Congratulations—no threats found” or words to that effect. I immediately afterward run Adaware and invariably it comes up with some number of “data miner” type things. Do the two programs look for different things? Is what I am seeing normal?

Absolutely normal. In fact, that’s why everyone always says to get both AdAware and Spybot - each is good at detecting different types of scumware. AdAware is well-known for being more alert to the “data miners” than Spybot.

Thanks for the reply. I feel better, now.

Data miners and tracking cookies are the most benign type of spyware, anyway. They do keep track of how you browse and can send personal information, and that is a concern, but they do not affect the operation of your computer. Usually, they can be removed merely by clearing your cookies.

There are also differing definitions of what is bad. Most antispyware targets Bluemountain.com, which is a perfectly legitimate site. It does use cookies, and I suppose they’re banned because they may not have a good policy about them, but I subscribe to them and use them and find it a pain that I have to keep telling the computer that I do want them.

I’ve been following this thread with interest.

I run Spybot and AdAware fairly regularly, i use the Google popup blocker on IE, and use Opera the rest of the time. I also use the Sygate Personal Firewall.

I haven’t had any real trouble recently, but i’ve also never run Hijack This before, so i thought i’d give it a go. I’ve posted the log below, and if anyone has any advice, i’d be happy to hear it. I think i’ve spotted at least one thing that needs to go–ptsnoop.exe. The question is, should i just select this in Hijack This, and hit the “Fix Checked” button, or is there more i need to do?


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.library.jhu.edu/home/index3.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.library.jhu.edu/home/index3.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Download using &Mass Downloader - C:\PROGRAM FILES\MASS DOWNLOADER\Add_Url.htm
O8 - Extra context menu item: Download &All using Mass Downloader - C:\PROGRAM FILES\MASS DOWNLOADER\Add_All.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Mass Downloader (HKLM)
O9 - Extra 'Tools' menuitem: &Mass Downloader (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38018.6471412037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe

Don’t go by name: ptsnoop.exe is used by PCTEL modems and is needed to make them run. Don’t delete it, especially if you’re using that type of modem (if you removed the modem, then you can remove the entry, but it doesn’t do any harm to keep it).

Otherwise, the log looks clean.

Along with SpywareBlaster, you might want to add SpywareGuard. I use them together and they work real well.

Thanks, RC.

Before i posted the log, i Googled ptsnoop, and a couple of sites gave the same explanation that you did. A couple of others, however, described it as a “backdoor trojan,” and recommended removal.

If you think it does no harm, however, i’ll leave it there.

(BTW: I’m currently running Verizon DSL through a Westell Wirespeed modem and a Linksys router. Not sure if any of that qualifies as a PCTEL modem.)
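
Added example (not part of any post in this thread, and not HijackThis's own code): a Python parser for a log in the format posted above that pulls out the autostart entries (sections F1 and O4) and checks each one against the "Running processes" list, so an entry is reviewed by where it loads from and whether it is active rather than by its name. The sample input is a subset of lines copied from the log above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# F1 = win.ini load=/run= lines; O4 = Run/RunServices keys and Startup folder,
# as seen in the log posted in this thread.
AUTOSTART_CODES = {"F1", "O4"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Sample input: a few lines copied from the log above (subset chosen here).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
"""

def parse_log(text):
    """Return (set of running image names, {section code: [entry, ...]})."""
    running, sections, in_procs = set(), defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            sections[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, sections

def image_name(entry):
    """Lower-cased file name of the first .exe an entry launches, or None."""
    m = re.search(r"\.exe\b", entry, re.IGNORECASE)
    if not m:
        return None
    return re.split(r'[\\="]|\]\s', entry[:m.end()])[-1].strip().lower()

def autostart_report(text):
    """(code, image, is_running) per autostart entry, grouped by section code."""
    running, sections = parse_log(text)
    return [(code, image_name(e), image_name(e) in running)
            for code in sorted(c for c in sections if c in AUTOSTART_CODES)
            for e in sections[code]]

if __name__ == "__main__":
    for code, image, is_running in autostart_report(SAMPLE_LOG):
        print(f"{code:3} {image or '?':14} running={is_running}")
```

On the sample, `ptsnoop.exe` and `pctptt.exe` are configured to start but do not appear in the running-process list, while `cmmpu.exe`, `taskmon.exe` and `navapw32.exe` do.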