Help with a "Spyware Alert" popup

Discussion in 'adware, spyware & hijack cleaning' started by keddzs, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. keddzs

    keddzs Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    2
    Location:
    Southwest england
    Hello all,
    I have a problem with a computer coming up with an about:Blank homepage, and a popup supposedly warning of Spyware on the pc. AdAware says that it is a coolweb set of things, but whenever I clean them off they just come back again. Looking at the other posts on the forum it seems to be a common problem!!. I have run HJT and added the log below.
    If someone could help me with it I would be very grateful.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:30:54, on 17/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPMMKBD.EXE
    C:\PROGRAM FILES\MOUSEWAREPRO\MWPROENG.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
    C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    C:\PROGRAM FILES\AVAYA\IP OFFICE\PHONE MANAGER\PHONEMANAGER.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\ANTISPYWARESTUFF\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
    O4 - HKLM\..\Run: [MWProEng] C:\PROGRAM FILES\MOUSEWAREPRO\MWProEng.exe
    O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
    O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
    O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
    O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O4 - Startup: PhoneManager.lnk = C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ktx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38118.1677662037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Greinerpc
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.199
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi keddzs,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\System\services.exe

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

    Then boot normally and download StartDreck from http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm
    Download: "StartDreck", unzip!
    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

    Post the log.

    Regards,

    Pieter
     
  3. keddzs

    keddzs Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    2
    Location:
    Southwest england
    Hello Pieter,
    Thanks for the help.

    The log from StartDreck is:

    StartDreck (build 2.1.5 public BETA) - 2004-06-18 @ 09:22:11
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    »RunOnce
    »Default User
    »Run
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *HpMmKbd=HpMmKbd.exe
    *MWProEng=C:\PROGRAM FILES\MOUSEWAREPRO\MWProEng.exe
    *e-DT LAN Sniffer=C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
    *Client Access Service="C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    *Client Access Taskbar="C:\Program Files\IBM\Client Access\cwbuitsk.exe"
    *Client Access API Daemon="C:\Program Files\IBM\Client Access\cwbappcd.exe"
    *Client Access Help Update="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    *Client Access Check Version="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    *POINTER=point32.exe
    *PivotSoftware=C:\Program Files\WinPortrait\wpctrl.exe
    *vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *InCD=C:\Program Files\Ahead\InCD\InCD.exe
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *Client Access Start Incoming RC=###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
    *Client Access Network Drive=C:\Program Files\IBM\Client Access\cwbbs.exe
    *Client Access Network Print=C:\Program Files\IBM\Client Access\cwbnpred.exe
    *rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    *defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    »RunServicesOnce
    **x=rundll32 C:\WINDOWS\SYSTEM\RESN.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFCF3673=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF73C7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFF6157=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFF409F=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFE030F=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
    *FFFE0ACF=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
    *FFFE5C27=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    *FFFE8343=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    *FFFD3B63=C:\WINDOWS\RUNDLL32.EXE
    *FFFDB833=C:\WINDOWS\EXPLORER.EXE
    *FFFB403F=C:\WINDOWS\TASKMON.EXE
    *FFFB4983=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFB21DB=C:\WINDOWS\SYSTEM\HPMMKBD.EXE
    *FFFB30B7=C:\PROGRAM FILES\MOUSEWAREPRO\MWPROENG.EXE
    *FFFB6D57=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
    *FFFA3BF3=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
    *FFF9FBA7=C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    *FFFB0C73=C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
    *FFFBDF33=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    *FFFB5CDF=C:\WINDOWS\SYSTEM\QTTASK.EXE
    *FFFB1DA3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFF913C7=C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    *FFF93073=C:\WINDOWS\SYSTEM\STIMON.EXE
    *FFF989A3=C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    *FFF8337F=C:\PROGRAM FILES\AVAYA\IP OFFICE\PHONE MANAGER\PHONEMANAGER.EXE
    *FFFA685F=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    *FFF88B03=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    *FFF674F7=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFF7C1FF=C:\ANTISPYWARESTUFF\STARTDRECK\STARTDRECK.EXE
    »Application specific



    I hope its OK.

    CHeers
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.