Help with a "Spyware Alert" popup

Hello all,
I have a problem with a computer coming up with an about:Blank homepage, and a popup supposedly warning of Spyware on the pc. AdAware says that it is a coolweb set of things, but whenever I clean them off they just come back again. Looking at the other posts on the forum it seems to be a common problem!!. I have run HJT and added the log below.
If someone could help me with it I would be very grateful.

Logfile of HijackThis v1.97.7
Scan saved at 15:30:54, on 17/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPMMKBD.EXE
C:\PROGRAM FILES\MOUSEWAREPRO\MWPROENG.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
C:\PROGRAM FILES\AVAYA\IP OFFICE\PHONE MANAGER\PHONEMANAGER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\ANTISPYWARESTUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [MWProEng] C:\PROGRAM FILES\MOUSEWAREPRO\MWProEng.exe
O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe
O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Startup: PhoneManager.lnk = C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ktx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38118.1677662037
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Greinerpc
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.199

 

Hi keddzs,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL

O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe

Then reboot into safe mode and delete:
C:\WINDOWS\System\services.exe

Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

Then boot normally and download StartDreck from http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm
Download: "StartDreck", unzip!
DoubleClick: 'StartDreck.exe'
Hit: config
hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.

Post the log.

Regards,

Pieter

 

Hello Pieter,
Thanks for the help.

The log from StartDreck is:

StartDreck (build 2.1.5 public BETA) - 2004-06-18 @ 09:22:11
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*HpMmKbd=HpMmKbd.exe
*MWProEng=C:\PROGRAM FILES\MOUSEWAREPRO\MWProEng.exe
*e-DT LAN Sniffer=C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
*Client Access Service="C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
*Client Access Taskbar="C:\Program Files\IBM\Client Access\cwbuitsk.exe"
*Client Access API Daemon="C:\Program Files\IBM\Client Access\cwbappcd.exe"
*Client Access Help Update="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
*Client Access Check Version="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
*POINTER=point32.exe
*PivotSoftware=C:\Program Files\WinPortrait\wpctrl.exe
*vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*InCD=C:\Program Files\Ahead\InCD\InCD.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Client Access Start Incoming RC=###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
*Client Access Network Drive=C:\Program Files\IBM\Client Access\cwbbs.exe
*Client Access Network Print=C:\Program Files\IBM\Client Access\cwbnpred.exe
*rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
*defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
»RunServicesOnce
**x=rundll32 C:\WINDOWS\SYSTEM\RESN.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFCF3673=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF73C7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF6157=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF409F=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE030F=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
*FFFE0ACF=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
*FFFE5C27=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
*FFFE8343=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
*FFFD3B63=C:\WINDOWS\RUNDLL32.EXE
*FFFDB833=C:\WINDOWS\EXPLORER.EXE
*FFFB403F=C:\WINDOWS\TASKMON.EXE
*FFFB4983=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFB21DB=C:\WINDOWS\SYSTEM\HPMMKBD.EXE
*FFFB30B7=C:\PROGRAM FILES\MOUSEWAREPRO\MWPROENG.EXE
*FFFB6D57=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
*FFFA3BF3=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
*FFF9FBA7=C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
*FFFB0C73=C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
*FFFBDF33=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
*FFFB5CDF=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFFB1DA3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF913C7=C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
*FFF93073=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFF989A3=C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
*FFF8337F=C:\PROGRAM FILES\AVAYA\IP OFFICE\PHONE MANAGER\PHONEMANAGER.EXE
*FFFA685F=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
*FFF88B03=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
*FFF674F7=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF7C1FF=C:\ANTISPYWARESTUFF\STARTDRECK\STARTDRECK.EXE
»Application specific



I hope its OK.

CHeers

 

Excellent.

Dwonload Win98Fix from: http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
DoubleClick on: 'RunFix.reg' file, hit 'yes' on the prompt
- Restart your computer
- C:\WINDOWS\SYSTEM\RESN.DLL should now be visible
- Delete that one.

Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

Regards,

Pieter