Problems with slow OE6 load

Discussion in 'Security and Privacy' started by cafeslave, 2004/04/11.

Thread Status:
Not open for further replies.
  1. 2004/04/11
    cafeslave

    cafeslave Inactive Thread Starter

    Joined:
    2003/04/05
    Messages:
    47
    Likes Received:
    0
    This afternoon, my Windows Media Player was hijacked and tossed off of my computer, then replaced with something else. I cleaned everything and downloaded a fresh version of the Media Player. But now OE6 is slow to load--just the main page, not any of the folders.

    I had this happen once before, and it was because Windows Messenger had been disabled. I tweaked my registry (I no longer remember what I did), and the problem went away.

    I enabled Windows Messenger, and sure enough, everything works fine. Does anyone know the registry tweak so that I can disable it and still have OE6 open quickly? I've looked and looked and cannot find it anywhere.
     
    Last edited: 2004/04/11
  2. 2004/04/12
    cafeslave

    cafeslave Inactive Thread Starter

    Joined:
    2003/04/05
    Messages:
    47
    Likes Received:
    0
    I finally found the registry values to get rid of. I got rid of them and OE opens just fine now.

    Unfortunately, I now have popups that cannot be disabled by my popup stopper and SpyBot is not catching everything. I have been bombarded since I downloaded the fresh Windows Media Player. I also had to download an updated Windows Messenger because it would not let me manipulate it without upgrading it. So...any suggestions on that?
     

  4. 2004/04/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Update and run spybot once again. Then the same with ad-aware.

    After that, get Hijackthis and CWShredder from Here. Follow the directions on the page for generating a log with Hijackthis but post it here rather than at the URL they give. Mainly, pay attention to the "Don't fix anything yet" part.

    Moving this thread to the security section.
     
    Newt,
    #3
  5. 2004/04/12
    cafeslave

    cafeslave Inactive Thread Starter

    Joined:
    2003/04/05
    Messages:
    47
    Likes Received:
    0
    Newt,

    Thanks for replying. I have since found a critical Spybot update I must have missed before. I also disabled the Windows messenger service, did another cleanup, and ran Spybot again. So far, everything is just fine.

    The link above does not work. I tried going to just the main page, but it, too, is disabled.
     
  6. 2004/04/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Must be a new server issue for them. I tested the link before I posted it and all was well. Not now. Hmmmmm.

    You can get Hijackthis from http://download.com.com/3000-2144-10227352.html and it's a good app to have around.

    CWshredder is only good for getting rid of coolweb search if you happen to get it so no need for that right now. But since we are this far, a Hijackthis log posted for the experts to look over will probably allow for more cleanup of your system. It nearly always shows some trash you didn't know you had, don't need, and will run better without.
     
    Newt,
    #5
  7. 2004/04/12
    cafeslave

    cafeslave Inactive Thread Starter

    Joined:
    2003/04/05
    Messages:
    47
    Likes Received:
    0
    Thanks much, and here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:21:21 PM, on 4/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\SK9910DM.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\netcpli.exe
    C:\WinZip\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe "
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [netcpli] C:\WINNT\System32\netcpli.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.charter.com/sdccommon/download/tgctlar.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://www.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
     
  8. 2004/04/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks for posting the log file. I see a couple things I wonder about but am strictly an amateur with these so want to wait for the expert opinions.

    GWMDMMSG.exe - not much info on it but appears to be some sort of Gateway modem messaging thing. I wonder if you really need it running as a task?
     
    Newt,
    #7
  9. 2004/04/13
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Have all IE windows and Windows Explorer closed, and remove these items in HijackThis.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.searchalot.com/

    O4 - HKLM\..\Run: [netcpli] C:\WINNT\System32\netcpli.exe
    I could find no information on this file at all; I hold it suspect. I would rename it for now after removing the entry. Some of these spy/adware programs add some unknown or sound-alike named file to keep themselves there.
     
  10. 2004/04/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Fix these also.

    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=


    Info on the O3 entry.
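
The by-eye review done in the replies above (R0/R1 page values, an entry reporting "(no file)", an unrecognised O4 autorun) can be expressed as a small log filter. This is an added example, not part of any post in the thread and not HijackThis code; the `REVIEWED` list and the function name `triage` are assumptions made for illustration.

```python
import re
from ntpath import basename  # parses backslash paths on any OS

# Sample input: a few lines taken from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netcpli] C:\WINNT\System32\netcpli.exe
"""

# Assumption: executables the analyst has already looked up and accepted.
REVIEWED = {"qttask.exe"}

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")   # "O4 - <body>"
RUN = re.compile(r"^\S+\\Run: \[[^\]]*\] (.+)$")         # "HKLM\..\Run: [name] <command>"
EXE = re.compile(r'"?(.+?\.exe)', re.I)                  # command up to the first .exe


def triage(log, reviewed=REVIEWED):
    """Return (section, reason, detail) tuples for entries a reviewer should look at."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        if section in ("R0", "R1"):
            # Every IE start/search value is listed so the owner can confirm it.
            findings.append((section, "IE start/search value to confirm", body.partition(" = ")[2]))
        elif body.endswith("(no file)"):
            findings.append((section, "entry reports (no file)", body))
        elif section == "O4":
            run = RUN.match(body)
            exe = EXE.match(run.group(1)) if run else None
            name = basename(exe.group(1)).lower() if exe else body
            if name not in reviewed:
                findings.append((section, "autorun not on reviewed list", name))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

The output is a list of entries to look up, in the same spirit as the "Don't fix anything yet" advice: nothing is removed automatically.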
     
  11. 2004/04/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    What are all the R1 entries that end in about:blank?
     
  12. 2004/04/13
    cafeslave

    cafeslave Inactive Thread Starter

    Joined:
    2003/04/05
    Messages:
    47
    Likes Received:
    0
    Done.

    Somehow, in the midst of the cleaning out, I wound up missing a Word dll spelling file, but it doesn't seem to be messing anything up. The spellcheck function still works.

    Thanks much to both of you.
     
  13. 2004/04/13
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Some of these hijackers set the home and search pages to about:blank, and it seems to be difficult to remove this. While about:blank [the legitimate one] is itself harmless as the start page, having it as the search page keeps them from using their preferred search page.
    Cafeslave, glad to hear you got the hijack thing straightened out.
     
  14. 2004/04/14
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks for the blank info. Interesting.
     