Spyware Device within system trying to connect . . .?

Hi! Greetings.
I'm fairly new to computers, so thank you for your patience. Well, I have Sygate firewall, and "Spool32.exe trying to launch Monitor.exe" to the net, started showing up on the 'traffic' log, and popup warnings from the tooltray. It's only during internet connection, but it managed to turn off the firewall and invite a torrent of spoofed IP addresses (I backtraced with the firewall utility) which promptly installed about 7 very destructive trojans and spywares, which were removed by PCCillin. But the problem persisted. I ran AdAware, Spybot S&D, SpywareDoctor, SpywareGuard, and about 8 others and found nothing. Ran 4 different Antivirus programs, and came up clean. Then reinstalled the OS clean, and it must have scanned me before I got the firewall installed, and it's here again. I have tried everything I know, and need real help from some generous soul who is more knowledgeable than I. If I make a mistake, or should not have put this HijackThis scan here, please let me know.

Logfile of HijackThis v1.99.1
Scan saved at 2:09:07 PM, on 4/6/05
Platform: Windows 98 SE (Win9x 4.10.1998A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPRIVACYKEEPER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\MRU-BLASTER\SCHEDULER.EXE
C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MMUSBKB.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\ISP50\DIALER\DIALER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\Bin\BandObject.dll (disabled by BHODemon)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (disabled by BHODemon)
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPKBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll__BHODemonDisabled_CCIKDEIAVAKDEDEHKBAL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\VAIO Smart Keyboard\MediaCtr.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [IE Privacy Keeper] "C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPRIVACYKEEPER.EXE" -stcleanup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CACHE
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe

WOW! This is a far cry from morse code. Much gratitude to all for any and all help.
--Catmandoo

Comments

  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    If you still need help for this problem please post a new HijackThis log.
  • edited April 2005
    Hi Buckeye_Sam, and thanks.
    Here's the HJT log, and I'm going to try "About Buster," the only one on the list I haven't already tried.
    Logfile of HijackThis v1.99.1
    Scan saved at 11:09:52 AM, on 4/8/05
    Platform: Windows 98 SE (Win9x 4.10.1998A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
    C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MEDIACTR.EXE
    C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
    C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPRIVACYKEEPER.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
    C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
    C:\PROGRAM FILES\MRU-BLASTER\SCHEDULER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MMUSBKB.EXE
    C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
    C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
    C:\PROGRAM FILES\ISP50\DIALER\DIALER.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\Bin\BandObject.dll (disabled by BHODemon)
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (disabled by BHODemon)
    O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPKBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll__BHODemonDisabled_CCIKDEIAVAKDEDEHKBAL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
    O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
    O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\VAIO Smart Keyboard\MediaCtr.exe
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
    O4 - HKLM\..\Run: [IE Privacy Keeper] "C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPRIVACYKEEPER.EXE" -stcleanup
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CACHE
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe

    Hope we can find something causing this. --Catmandoo
  • edited April 2005
    Hello, Buckeye_Sam,
    I installed and ran AboutBuster four times and restarted twice, and still have the same thing trying to access the Internet.
    --Catmandoo
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Your log does not show any malware. And the fact that you have run multiple spyware and virus scans that show nothing leads me to believe that you are clean. The two files that you noted are being picked up by your firewall are legitimate Windows files. You can find info on each at these links.

    http://www.liutilities.com/products/wintaskspro/processlibrary/spool32/
    http://www.liutilities.com/products/wintaskspro/processlibrary/monitor/


    Assuming that is the only issue you are having I would just configure your firewall to stop notifying you every time they try to access the Internet and don't worry about it. If you are experiencing other problems or have more information that might lead to a different conclusion, please share that with me.
  • edited April 2005
    Hello, and thanks for the links and evaluation of the HJT log. I tried reinstalling the system (twice in the hope of killing this bug), and put Sygate firewall from PCWorld on FIRST, but the bad guys were port-scanning ferociously and got it into the system AGAIN (and yes, it tries to access spoofed addresses again) before the firewall started up, after download and installation (off-line, of course). The next thing is to try using ZoneAlarm which came with MS security updates CDs--not my first choice, but if it'll keep these dogs off the trail it's worth a try. The instructions at Wilders seem to be thorough, and even though my past experiences with ZA were a disaster, they seem to think it's ok. The ports are being scanned systematically, just running consecutive #s, so it would really lift my spirits to blow 'em off for good. I was leaning toward your suggestion to ignore it, but it seems so intrusive. Nobody should get away with that kind of harassment. I'll let you know what happens.
    --Catmandoo
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    If I understand what you are saying then what you are experiencing is just your firewall doing its job. If you connect to the Internet through a broadband connection you are going to get scanned almost continuously. That is why it's so important to have a firewall if you have this type of connection. It's not unusual, in fact it's perfectly normal. Let your firewall do its job silently without notifying you every time and you'll worry about it a lot less.
This discussion has been closed.
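
Added example, not part of the original thread: a small Python parser for the HijackThis log format posted above that looks up the two images named in the firewall alert (Spool32.exe and Monitor.exe) among the running processes and the O4 autostart entries. The sample input is a few lines excerpted from the second log in the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the second HijackThis log posted in the thread (a few lines only).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
"""

O4_REG = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_LNK = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
IMAGE = re.compile(r"(.*?\.(?:exe|dll|tsk|ocx|sbrt))\b", re.I)

def image_name(cmd):
    """Lower-cased file name of the image a path or command line starts."""
    m = IMAGE.match(cmd.strip().lstrip('"'))
    return (m.group(1) if m else cmd).rsplit("\\", 1)[-1].lower()

def parse_hjt(text):
    """Return (running image names, {image name: [(location, entry, command)]})."""
    running, autostarts, in_procs = set(), defaultdict(list), False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            running.add(image_name(line))
        elif in_procs:
            in_procs = False          # blank line ends the process list
        else:
            m = O4_REG.match(line) or O4_LNK.match(line)
            if m:
                autostarts[image_name(m["cmd"])].append((m["loc"], m["name"], m["cmd"]))
    return running, autostarts

def explain(alert_images, text):
    """Map each image named in a firewall alert to what the log says about it."""
    running, autostarts = parse_hjt(text)
    return {img: {"running": img.lower() in running,
                  "launched_by": autostarts.get(img.lower(), [])}
            for img in alert_images}

if __name__ == "__main__":
    for img, info in explain(["Spool32.exe", "Monitor.exe"], SAMPLE_LOG).items():
        print(img, info)
```

Running it over a full log gives the on-disk path and the registry or Startup entry behind each alerted name, which is the information needed to decide on a firewall rule for that program.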