Help with a "Spyware Alert" popup

Discussion in 'adware, spyware & hijack cleaning' started by keddzs, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. keddzs

    keddzs Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    2
    Location:
    Southwest England
    Hello all,
    I have a problem with a computer coming up with an about:Blank homepage, and a popup supposedly warning of Spyware on the PC. AdAware says that it is a coolweb set of things, but whenever I clean them off they just come back again. Looking at the other posts on the forum it seems to be a common problem! I have run HJT and added the log below.
    If someone could help me with it I would be very grateful.

    Logfile of HijackThis v1.97.7
    Scan saved at 15:30:54, on 17/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPMMKBD.EXE
    C:\PROGRAM FILES\MOUSEWAREPRO\MWPROENG.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
    C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    C:\PROGRAM FILES\AVAYA\IP OFFICE\PHONE MANAGER\PHONEMANAGER.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\ANTISPYWARESTUFF\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
    O4 - HKLM\..\Run: [MWProEng] C:\PROGRAM FILES\MOUSEWAREPRO\MWProEng.exe
    O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
    O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
    O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Client Access Start Incoming RC] ###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
    O4 - HKLM\..\RunServices: [Client Access Network Drive] C:\Program Files\IBM\Client Access\cwbbs.exe
    O4 - HKLM\..\RunServices: [Client Access Network Print] C:\Program Files\IBM\Client Access\cwbnpred.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe
    O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
    O4 - Startup: PhoneManager.lnk = C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .ktx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38118.1677662037
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Greinerpc
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.199
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi keddzs,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL

    O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\System\services.exe

    Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

    Then boot normally and download StartDreck from http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm
    Download: "StartDreck", unzip!
    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

    Post the log.

    Regards,

    Pieter
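As an added example, not code from this thread or from HijackThis, here is a small Python triage script that applies the reasoning behind the fix list above to HijackThis log lines: R0/R1 search and start pages redirected to a local file under TEMP (the sp.html entries), the HomeOldSP value reset to about:blank, an unnamed BHO loaded from C:\WINDOWS\SYSTEM, and a per-user Run key launching an executable named like a core system process. The sample lines are constructed from the posted log, and the LOOKALIKE_EXES set is an assumed starting list the reader can extend.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {C191D881-BE33-11D8-A668-0004144A6B28} - C:\WINDOWS\SYSTEM\MGBP.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\services.exe
"""

# Assumed list: executable names that mimic core Windows components. A user-hive
# Run key pointing at one of these is suspect (there is no legitimate services.exe on Win98).
LOOKALIKE_EXES = {"services.exe"}

R_LINE = re.compile(r"^(R[013]) - (.+?) = (.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-F-]+\} - (.+)$", re.I)
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for entries matching the patterns seen in this infection."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            key, value = m.group(2), m.group(3)
            if value.lower().startswith("file://") and "\\temp\\" in value.lower():
                hits.append((line, "IE search/start page redirected to a local file in TEMP"))
            elif key.endswith("HomeOldSP") and value.lower() == "about:blank":
                hits.append((line, "saved home page reset to about:blank (hijacker residue)"))
        elif m := O2_LINE.match(line):
            name, path = m.group(1), m.group(2)
            parent = str(PureWindowsPath(path).parent).upper()
            if name == "(no name)" and parent == r"C:\WINDOWS\SYSTEM":
                hits.append((line, "unnamed BHO loaded from the Windows system directory"))
        elif m := O4_LINE.match(line):
            hive = m.group(1)
            exe = PureWindowsPath(m.group(4).strip('"')).name.lower()
            if hive == "HKCU" and exe in LOOKALIKE_EXES:
                hits.append((line, "per-user Run entry launching a system-process lookalike"))
    return hits


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {entry}")
```

The Adobe BHO and the HKLM SysTray entry pass through untouched, which mirrors the fix list: only the three kinds of entry Pieter marked are reported.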
     
  3. keddzs

    keddzs Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    2
    Location:
    Southwest England
    Hello Pieter,
    Thanks for the help.

    The log from StartDreck is:

    StartDreck (build 2.1.5 public BETA) - 2004-06-18 @ 09:22:11
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    »RunOnce
    »Default User
    »Run
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *HpMmKbd=HpMmKbd.exe
    *MWProEng=C:\PROGRAM FILES\MOUSEWAREPRO\MWProEng.exe
    *e-DT LAN Sniffer=C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
    *Client Access Service="C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
    *Client Access Taskbar="C:\Program Files\IBM\Client Access\cwbuitsk.exe"
    *Client Access API Daemon="C:\Program Files\IBM\Client Access\cwbappcd.exe"
    *Client Access Help Update="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
    *Client Access Check Version="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    *POINTER=point32.exe
    *PivotSoftware=C:\Program Files\WinPortrait\wpctrl.exe
    *vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *InCD=C:\Program Files\Ahead\InCD\InCD.exe
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *Client Access Start Incoming RC=###C:\WINDOWS\command\start.exe /MINIMIZED C:\WINDOWS\cwbrxd.exe
    *Client Access Network Drive=C:\Program Files\IBM\Client Access\cwbbs.exe
    *Client Access Network Print=C:\Program Files\IBM\Client Access\cwbnpred.exe
    *rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    *defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    »RunServicesOnce
    **x=rundll32 C:\WINDOWS\SYSTEM\RESN.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFCF3673=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF73C7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFF6157=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFF409F=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFE030F=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
    *FFFE0ACF=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
    *FFFE5C27=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    *FFFE8343=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    *FFFD3B63=C:\WINDOWS\RUNDLL32.EXE
    *FFFDB833=C:\WINDOWS\EXPLORER.EXE
    *FFFB403F=C:\WINDOWS\TASKMON.EXE
    *FFFB4983=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFB21DB=C:\WINDOWS\SYSTEM\HPMMKBD.EXE
    *FFFB30B7=C:\PROGRAM FILES\MOUSEWAREPRO\MWPROENG.EXE
    *FFFB6D57=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
    *FFFA3BF3=C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
    *FFF9FBA7=C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    *FFFB0C73=C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
    *FFFBDF33=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    *FFFB5CDF=C:\WINDOWS\SYSTEM\QTTASK.EXE
    *FFFB1DA3=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFF913C7=C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    *FFF93073=C:\WINDOWS\SYSTEM\STIMON.EXE
    *FFF989A3=C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT\IXAPPLET.EXE
    *FFF8337F=C:\PROGRAM FILES\AVAYA\IP OFFICE\PHONE MANAGER\PHONEMANAGER.EXE
    *FFFA685F=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    *FFF88B03=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    *FFF674F7=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFF7C1FF=C:\ANTISPYWARESTUFF\STARTDRECK\STARTDRECK.EXE
    »Application specific



    I hope it's OK.

    Cheers
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands