Can't start SpywareGuard

Discussion in 'SpywareBlaster & Other Forum' started by Guy, Feb 2, 2004.

Thread Status:
Not open for further replies.
  1. Guy

    Guy Guest

    Have just run the install setup for SpywareGuard, and the live update (both ran ok). However, if I try to invoke SpywareGuard, absolutely nothing happens o_O
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Guy,

    Could you elaborate a bit on what you are trying to do?
    I'm not sure what the problem is.

    Regards,

    Pieter
     
  3. Guy

    Guy Guest

    Pieter,

    overall, I'm trying to apply some protection to prevent pop-up's and hijacking of my browser. It got so bad this morning that IE would crash every time. I was advised by another forum to download, install, and run Adware, SpyBot, and Spyware Blaster - I also noticed the info about Spyware Guard too so I downloaded and installed this as well. I thought when I came to run it I'd see something (like I do when running the other s/w mentioned), but nothing happens (is it meant to?).

    Incidentally, in addition to these packages, I also installed StartPage Guard. But would you believe it, I'm still getting pop-up's and my browser start hi-jacked.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Guy,

    Now I see what you mean. I'm a bit slow. ;)
    You were expecting SpywareGuard to be a scanner like AdAware and SpyBot S&D.
    Well, it's not. SpywareGuard does the same that StartPageGuard does and more. It keeps an eye on your settings and alerts you when any of them are changed and when you try to run spyware that is in it´s database.

    Let's get you cleaned out first.
    Please follow the instructions postyed here:
    http://www.wilderssecurity.com/showthread.php?t=15913
    Skip the steps you have already done. and let us have a look at your HijackThis log.

    Regards,

    Pieter
     
  5. Guy

    Guy Guest

    Pieter - here's my HijackThis log: (I should perhaps mention I also ran CWShredder as a late addition to the programs mentioned above - seems to have done the trick)

    Logfile of HijackThis v1.97.7
    Scan saved at 14:49:26, on 03/02/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\ScanToPc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Guy\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [TBGR] C:\WINDOWS\TBGR.exe
    O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Scan to PC.lnk = C:\WINDOWS\ScanToPc.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.co.uk/asfiles/files/install/MFImgVwr.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Guy,

    Better disable all the Startpage protection before you do this, or you will get alarmed a few times.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [TBGR] C:\WINDOWS\TBGR.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then reboot and delete:
    C:\PROGRAM FILES\Toolbar <= entire folder
    C:\WINDOWS\System32\internetfeatures.exe
    C:\WINDOWS\System32\iefeatures.exe

    Then change your Startpage to the one you want and start up the protection programs.

    Regards,

    Pieter
     
  7. Guy

    Guy Guest

    Thanks, Pieter - I'll take a look at this. Meanwhile, can I ask another (dumb?) question? I'm running Windows XP and have set up four users. I signed on as myself to apply all the Adware etc... programs, but when my wife logged in she got inundated with the usual popup's. So - do I need to log in as everyone in turn and run the programs? I'd sort of assumed I need do it just once for the whole pc.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Guy,

    Depending on where the spy/adware is running from, they can be user-independant. Since this is obviously the case, you will have to clean all infected users separately.

    Regards,

    Pieter
     
  9. Guy

    Guy Guest

    Pieter,

    I'm also now getting pop-ups again with my user-id. Is it simply a question of re-running Adware, Spybot etc... every day?

    Guy
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
Thread Status:
Not open for further replies.