Blasted Mru blaster

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Reptyle, Jul 14, 2005.

  1. Reptyle

    Reptyle Private E-2

    Just a heads up for people who are thinking of installing mru-blaster.
    I downloaded and installed this to compare its finds to adaware's list of mru's.
    I noticed that I seemed to be connected to a specific IP when I rebooted
    the machine and logged back in. I traced the IP to GATOR.COM. I was not
    sure that mru-blaster was the culprit, so I rebooted several times. Each time
    I connected to the Internet I could see that I was connected to the same IP,
    GATOR.COM. (I usually keep a DOS window open with netstat -an running as a process.)
    I removed mru-blaster and rebooted and reconnected. And... surprise, no connection to GATOR.COM.
    There was nothing during installation that indicated that my pc would be
    connecting itself to GATOR.COM. I learned My lesson way back when the
    comet cursor was popular. So beware if you plan on installing this software.
    And no, I did not select the automatic update option.

    Reptile
     
  2. AbbySue

    AbbySue MajorGeeks Administrator

    I think you must have some other culprit on your computer that is just now showing itself or you have mistaken the name of the program. MRU Blaster does not have spyware or do anything to connect to the net...the only thing this program does is clean out usage tracks, cookies, temp internet files, etc. MRU Blaster doesn't even have an auto-updater, you have to update manually. I used to use this program all the time and forgot to reinstall it after my last format so I just reinstalled it b/c of your post...everything is fine...I have rebooted...nothing is trying to connect to the net...not so much as a message from my firewall, MS spyware, etc.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above if you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. Reptyle

    Reptyle Private E-2

    Good morning,

    I do not have a problem any longer with MRUBlaster. As soon as I
    removed it the persistent IP disappeared. I did however perform
    all the steps to see if anything else could be found on My pc.
    The results of each step are listed below. Thank you for your
    timely response.

    Rep

    I have not had
    a problem since I removed the mrublaster. I did not have
    a problem before I installed it. It was on My machine for
    about half a day before I noticed the persistent IP on
    my Netstat output. Persisted even after I had closed firefox
    and rebooted. It started up as soon as I connected to the net.
    I do not connect on startup of the pc. I connect when I want
    to be on the net. So it was strange to see the IP show up
    as soon as I connected. I do not have anything set for
    automatic updates. Not the WMP or AVG or ZA or BHODemon
    or windows or any software that I have installed. I have had
    this pc for several years and know its habits. I use Norton
    utilities to perform regular maintenance tasks.


    Step 1 - I'm running Win98 SE fully patched and updated
    so I skipped step 1

    Step 2 - when I enter services.msc My system has no clue what that is
    "Cannot find the file 'services.msc' (or one of its components).
    Make sure the path and filename are correct and that all
    required libraries are available"
    But then I'm running Win98 sooo.........

    Step 3 - As for enabling the views this was done the day My pc arrived at My home.
    I check periodically to make sure they stay that way. I like seeing
    everything on My pc.

    Step 4 - I already have Adaware and spybot, as well I have the BHODemon, for Ie
    but I have been using mozilla and now firefox for several years now.
    I have run HJL and the Mcafee stinger periodically as well as the online
    scans from Norton, Panda, Mcafee .. and several reputable places that
    have online scans. Also ran some of the neat utilities from Hanson's page.

    But I created the folder and downloaded everything, and put HJT new
    download in its own folder as recommended. I am curious to see if
    anything new gets trapped. I run a clean machine with a minimal
    start up. I run AVG free and Zone alarm. I got tired of Norton then
    Mcafee hogging the machine resources.

    Always willing and eager to learn more about security and maintenance.

    Ad-Aware SE.......Install, click Check for Updates now and get any updates, then exit.
    Already have Ad-Aware. Ran update (last time was last week) ok

    Ad-Aware VX2 Cleaner Plug-In.....Install only
    Installed ok

    CCleaner.............Install only, then exit
    Installed ok

    Spybot................Install, do the search for updates now and get any updates, then exit.
    When I updated spybot the immunization module kept running. I could
    hear My machine working. It was the only thing running that does not
    normally run when I do a ctrl/alt/del.


    SpywareBlaster...Install, click Download Latest Protection Updates, Check for Updates, and then Enable All Protection, then exit. It does a great job of blocking known vulnerabilities as well as known malicious websites.
    Installed updated and all protection set

    McAfee AVERT Stinger.....No installation required! Ready to run as is.
    Done

    CWShredder......No installation required! Just unzip it to a folder.
    This was not in a zip file, it was downloaded as an executable
    When I double clicked it the app opened and displayed the 4 options
    Scan Only Check For Update Create Report Fix
    I closed the app.

    Kill2me..............No installation required! Just unzip it to a folder.
    Done

    about:Buster......No installation required! Just unzip it to a folder. Click Update and download any before scanning.
    Installed and updated

    HSRemove........No installation required! Ready to run as is. (Only for WinNT, 2K, XP)
    I'm running Win98, not needed



    Step 5 - Rebooted normally and was blue screened just before the desktop was to load
    Rebooted ok, there is a lost cluster, but I'll forego fixing it until I have
    run the online scans.

    Began the BitDefender scan... the estimated time is now over 2 hours, this step is gonna take a while it seems. It found this so far. I clicked on the delete radio and it says that update failed, yet the stats list it as deleted. I went in and deleted it Myself. I rarely use aim at all. I don't need a shortcut.
    Scanning continues.

    1: Virus And Trojan Scanning (do not skip these two scans or you will be asked to run them before continuing)
    a) Win9x (Windows 95, 98, 98SE) users boot normal mode.
    ====================================================

    * do an online scan at Bitdefender <-- agree to the license and then select Scan
    http://www.bitdefender.com/scan/license.php

    C:\WINDOWS\Desktop\Le Bureau\Start me up\Shortcut (2) to aim95.exe.lnk=>C:\Program Files\AIM95\aim95.exe=>wise0034=>wise0008 is infected with Adware.Wheaterbug.A

    C:\WINDOWS\Desktop\Browsers-Etc\scooby_kg.exe=>wise0018 is infected with Application.Adware.180solutions.B (Actually nea

    C:\WINDOWS\Desktop\Browsers-Etc\scooby_kg.exe=>wise0020 is infected with Backdoor.Ruledor.F

    C:\WINDOWS\Desktop\Browsers-Etc\scooby_kg.exe=>wise0021 is infected with Dropped:Trojan.Secondthought.AA

    C:\WINDOWS\Desktop\Browsers-Etc\Install_AIM.exe=>wise0041=>wise0008 is infected with Adware.Wheaterbug.A

    C:\WINDOWS\Desktop\S-O-S\Install_AIM.exe=>wise0041=>wise0008 is infected with Adware.Wheaterbug.A (This was downloaded from the AIM Messenger site. When prompted that
    there is an update available I usually wait several months before updating, but I do it by going
    to the site Myself, not through their link)

    C:\Program Files\AIM95\Sysfiles\WxBug.EXE=>wise0008 is infected with Adware.Wheaterbug.A

    C:\Program Files\AIM95\aim95.exe=>wise0034=>wise0008 is infected with Adware.Wheaterbug.A

    Everything except the scooby executable was from Installing Aim
    ====================================================

    * do an online scan at RavAntivirus <-- select Auto Clean then click Scan My PC
    http://www.ravantivirus.com/scan/

    Scan started at 07/14/2005 9:45:33 PM

    Scanning memory...
    c:\RECYCLED\DC1.EXE->[wise.20] - Backdoor:Win32/Ruledor.F -> Infected

    Scanned
    ============================
    Objects: 44149
    Directories: 4771
    Archives: 1703
    Size(Kb): -971522
    Infected files: 1

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 24969

    Same file that the other process deleted. It found it in the recycle bin.
    =====================================================

    * now boot in safe mode (and remain there) and run McAfee AVERT Stinger. See how to boot in safe mode below.

    Results were that it found nothing

    b) And Windows XP, 2000, NT, ME, users boot in "safe mode with networking support" (and remain in there). See how to boot in safe mode below.

    * do an online scan at Bitdefender <-- agree to the license and then select Scan
    http://www.bitdefender.com/scan/license.php

    * do an online scan at RavAntivirus <-- select Auto Clean then click Scan My PC
    http://www.ravantivirus.com/scan/

    * run McAfee AVERT Stinger

    Important Note Before continuing with scans:
    To provide the greatest ability for the scanners to properly detect and remove all forms of malware, make sure to close any other applications that are running on your system especially browsers before you run these tools. It is in your best interest to follow this directive. So disconnect from the internet now and close all browsers and any other applications you have running now and then continue with step 2 below.

    2: Clean Your Hard Drive; Remove temporary internet and other files not needed with CCleaner. Run CCleaner with the default options to clean out temporary files. Optionally, check the clean "Delete Index.dat" checkbox. Only use the Windows tab and select Run Cleaner. Do not run any other options from other tabs.

    Cleaned up some stuff, but all the files were legit.

    >>>>>>>>>>>>>>>>>>>
    CLEANING COMPLETE - (1.932 secs)
    ------------------------------------------------------------------------------------------
    17.2MB removed.


    Details of files deleted
    ------------------------------------------------------------------------------------------
    IE Temporary Internet Files (3 files) 14.1MB
    Marked for deletion: C:\WINDOWS\Cookies\index.dat
    Marked for deletion: C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    C:\WINDOWS\TEMP\ravonline.htm 7.28KB
    C:\WINDOWS\TEMP\~DF7FE1.TMP 6.50KB
    C:\WINDOWS\SIREGIST.LOG 2.40KB
    C:\WINDOWS\Directx.log 0.31MB
    C:\WINDOWS\Dir.log 2.42KB
    C:\WINDOWS\SYMINST.LOG 1.02KB
    C:\WINDOWS\NewsUpd.log 40 bytes
    C:\WINDOWS\msshlib2.log 92 bytes
    C:\WINDOWS\Norton Utilities.log 7.22KB
    C:\WINDOWS\DYNAZIP.LOG 68.17KB
    C:\WINDOWS\HomeConnect.log 281 bytes
    C:\WINDOWS\Sti_Trace.log 0 bytes
    C:\WINDOWS\TWAIN.LOG 547 bytes
    C:\WINDOWS\EnterNetInstall.log 1.16KB
    C:\WINDOWS\SETUP95.LOG 3.53KB
    C:\WINDOWS\wmsetup.log 0.13MB
    C:\WINDOWS\xtreamlok.log 19.42KB
    C:\WINDOWS\Windows Update.log 0.10MB
    C:\WINDOWS\vminst.log 2.05KB
    C:\WINDOWS\dahotfix.log 1.58KB
    C:\WINDOWS\Norton Rescue.LOG 401 bytes
    C:\WINDOWS\SYMEVENT.LOG 3.54KB
    C:\WINDOWS\wmsetup-bck.log 0.12MB
    C:\WINDOWS\doomcln.log 25.46KB
    C:\WINDOWS\yacs.log 14.86KB
    C:\WINDOWS\LUINSTALL.LOG 513 bytes
    C:\WINDOWS\IOS.LOG 930 bytes
    C:\WINDOWS\brndlog.bak 141 bytes
    C:\WINDOWS\Active Setup Log.BAK 42.06KB
    C:\WINDOWS\WININIT.BAK 44 bytes
    C:\WINDOWS\Fix IE Log.BAK 32.00KB
    C:\WINDOWS\NDISLOG.TXT 0 bytes
    C:\WINDOWS\brndlog.txt 10.07KB
    C:\WINDOWS\OEWABLog.txt 1.25KB
    C:\WINDOWS\INSTLOG.TXT 713 bytes
    C:\WINDOWS\Active Setup Log.txt 1.57KB
    C:\WINDOWS\wplog.txt 0 bytes
    C:\WINDOWS\IE4 Error Log.txt 1.35KB
    C:\WINDOWS\SFCLOG.TXT 0.20MB
    C:\WINDOWS\IE Setup Log.Txt 88.58KB
    C:\WINDOWS\RunOnceEx Log.txt 21.49KB
    C:\WINDOWS\Fix IE Log.txt 17.50KB
    C:\WINDOWS\Reg Save Log.txt 3.65KB
    C:\WINDOWS\SchedLog.Txt 19.96KB
    C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\arwl3qzr.default\cache\_CACHE_MAP_ 0.13MB
    C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\arwl3qzr.default\cache\_CACHE_001_ 4.00KB
    C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\arwl3qzr.default\cache\_CACHE_002_ 4.00KB
    C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\arwl3qzr.default\cache\_CACHE_003_ 4.00KB
    C:\WINDOWS\Application Data\Netscape\NSB\profiles\3p0j4hx2.default\cache\_CACHE_MAP_ 0.13MB
    C:\WINDOWS\Application Data\Netscape\NSB\profiles\3p0j4hx2.default\cache\_CACHE_001_ 4.00KB
    C:\WINDOWS\Application Data\Netscape\NSB\profiles\3p0j4hx2.default\cache\_CACHE_002_ 4.00KB
    C:\WINDOWS\Application Data\Netscape\NSB\profiles\3p0j4hx2.default\cache\_CACHE_003_ 4.00KB
    C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\arwl3qzr.default\history.dat 1.18KB
    C:\WINDOWS\Application Data\Netscape\NSB\profiles\3p0j4hx2.default\history.dat 347 bytes
    C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\arwl3qzr.default\downloads.rdf 206 bytes
    C:\WINDOWS\Application Data\Mozilla\profiles\default\xvfyanc9.slt\downloads.rdf 1.73KB
    C:\Program Files\Common Files\Real\Update_OB\RealPlayer-log.txt 77.41KB
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref.old 0.46MB
    C:\WINDOWS\Internet Logs\ZALog2005.07.29.txt 0.33MB
    C:\WINDOWS\Internet Logs\ZALog.txt 38.57KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.062005.07.11.txt 48.83KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.12.txt 56.86KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.13.txt 65.87KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.01.txt 48.38KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.02.txt 0.23MB
    C:\WINDOWS\Internet Logs\ZALog2005.07.03.txt 87.42KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.04.txt 30.58KB
    C:\WINDOWS\Internet Logs\ZALog2005.07.05.txt 36.31KB

    >>>>>>>>>>>>>>>>>>>>>

    3: Main Spyware Scan And Removal; Scan your machine with Ad-Aware SE (remember to install the Ad-Aware VX2 Cleaner Plug-In for it) and Spybot. Look for the Immunize feature in Spybot and use it.

    Adaware 0 Objects recognized
    0 Objects Ignored
    0 New Critical Objects

    4 MRUs: 1 from wordpad, 3 from real player

    Spybot No Immediate Threats found
    Immunize recommends I run the SpywareBlaster
    1480 added another 521. Now 2001 bad products blocked
    I enabled perm blocking of bad addresses in IE
    (I have the BHODemon installed already)

    4: Secondary Spyware Scan And Removal: Other Removal Tools; Run the other programs you downloaded; CWShredder (make sure you select Fix), Kill2me, about:Buster and HSRemove. They are free, standalone and easy to use. Note: about:Buster and HSRemove need only be run if you are having about:blank or HomeSearchAssistent hijacks. Also, note that HSRemove is not compatible with Win9x or WinMe systems.

    CWShredder - Scan is complete. CoolWebSearch was not found on this computer

    Kill2me - No sign of an infection was found, scan anyway? I said yes

    about.Buster AboutBuster 5.0 reference file 30
    Scan started on [07/15/2005] at [12:42:58 AM]
    ------------------------------------------------
    Streams(ADS) not scanned: System not NTFS
    ------------------------------------------------
    No Files Found!
    ------------------------------------------------
    Scan was COMPLETED SUCCESSFULLY at 12:42:59 AM
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also agree with AbbySue. MRU-Blaster is not the root cause of an IP address connecting to Gator. MRU-Blaster does not even require an internet connection for anything. I even set it up right now after clearing my firewall's settings and also set MRU-Blaster's scheduler for a 15 second interval. My firewall never popped up with any messages about it trying to access the local network or the internet. Also netstat shows no IP address to Gain.

    Did you have MRU-Blaster's scheduler running and how often? Did you have it set to run on boot up? I'm just trying to see what options you set it to use. You should use the -o option with netstat to see the Process ID and then compare that with the Process ID you can enable in Task Manager to see which process is the owner.

    Perhaps you should check again since you have now run a cleanup on your PC to see if there was something else accessing the internet. I'm not sure why it would only show with MRU-Blaster installed but MRU-Blaster requires no internet access and does not do this. Do you have a firewall installed? If you did, you should have noticed that there was never an attempt for MRU-Blaster or its scheduler to access the internet.

    I would also recommend you post your HijackThis log as an attachment so we can look to see if there is anything visible malware at play.

    Question: What version of SpyBot are you running and what is your latest detections update date?
     
    Last edited: Jul 15, 2005
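The check suggested above, tying a netstat connection back to the process that owns it, is easy to script once you have `netstat -ano` and `tasklist` output. The following is an added example, not code from the thread or from MRU-Blaster; it assumes the Windows XP-and-later `netstat -ano` column layout (Proto, Local Address, Foreign Address, State, PID, with UDP rows carrying no State) and the default `tasklist` layout. The sample output, the process name `updater.exe` and the remote address 203.0.113.10 (a documentation-range address standing in for the host the poster saw) are all constructed for the example.

```python
"""
Correlate netstat connections with their owning process (added example).

Assumptions: `netstat -ano` column layout from Windows XP onward, and
process names from a separate `tasklist` listing. Both samples below are
constructed, not captured from the thread's machine.
"""
import re
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    image: str


# Constructed sample of `netstat -ano` output. Banner and header rows are
# kept so the parser has to skip them, as it would on a real capture.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.5:1043       203.0.113.10:80        ESTABLISHED     1532
  TCP    192.168.1.5:1044       198.51.100.7:443       ESTABLISHED     2204
  TCP    192.168.1.5:1045       203.0.113.10:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.5:1900       *:*                                    1108
"""

# Constructed sample of `tasklist` output (PID -> image name).
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  812 Console                 0      4,532 K
svchost.exe                 1108 Console                 0      3,976 K
updater.exe                 1532 Console                 0      2,104 K
firefox.exe                 2204 Console                 0     41,220 K
"""

# State is optional because UDP rows have no State column.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
_TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; header and separator rows do not match."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def parse_netstat(text: str, procs: Dict[int, str]) -> List[Conn]:
    """Parse `netstat -ano` rows and attach the owning image name.

    PIDs absent from the process list (already exited, or a snapshot taken
    at a different moment) are labelled <unknown> rather than dropped.
    """
    conns: List[Conn] = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, local, remote, state, pid = m.groups()
        pid_num = int(pid)
        conns.append(Conn(proto, local, remote, state or "", pid_num,
                          procs.get(pid_num, "<unknown>")))
    return conns


def connections_to(host: str, conns: List[Conn]) -> List[Conn]:
    """Every connection whose foreign address is the watched host, any port
    or state. PID 0 rows (TIME_WAIT leftovers) are kept: they show the
    connection existed even though the owner has already gone away."""
    return [c for c in conns if c.remote.rsplit(":", 1)[0] == host]


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for c in connections_to("203.0.113.10", parse_netstat(NETSTAT_SAMPLE, procs)):
        print(f"{c.proto} {c.local} -> {c.remote} {c.state or '-'} "
              f"pid={c.pid} ({c.image})")
```

On a live machine you would feed the two functions the output of `netstat -ano` and `tasklist` captured at the same moment; the ESTABLISHED row names the process to investigate, while a TIME_WAIT row with PID 0 only tells you a connection recently existed and the owner has exited, which is why capturing both listings promptly matters.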
  5. Reptyle

    Reptyle Private E-2

    Good evening Abby Sue , Chaslang

    As I indicated before, the problem no longer exists. I did the
    4 clean up steps a few days ago, but since My hjt log is requested
    here it is. I repeated the same 4 steps as the previous night then
    ran the hjt. This is the result. I am sending as an attachment as
    requested. Please let me know the results of your analysis.

    Answers to questions asked
    Chas - "Did you have MRU-Blaster's scheduler running and how often?"
    No. Whenever I install anything I always disable auto updates and any automatically scheduled tasks by the application.

    Chas - "Question: What version of SpyBot are you running and what is your latest detections update date?"

    I am running spybot search and destroy v 1.3
    Last detection update was 2005-07-15

    Chas - "Do you have a firewall installed? If you did, you should have noticed that there was never an attempt for MRU-Blaster or its scheduler to access the internet. "

    I am running free zone alarm and it is up to date.

    Regards and thank you
    Rep
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Spybot version is way out of date. You should be checking the links as requested in the READ ME FIRST to make sure you have the proper versions of all software. Get the proper version from the link in the READ ME FIRST thread.

    You have a couple items to fix in your log. The first two are minor non-malware issues left over from BitDefender. The third item in your Trusted Zone is bad. This is not Microsoft Update.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: http://*.windowsupdate.com

    After clicking Fix, check a new scan with HJT and make sure the O15 line is gone.
     
  7. Reptyle

    Reptyle Private E-2

    Good morning

    Thanks for the help and the info. I downloaded the
    latest spybot and installed and ran it last night.
    All clean. I ran the HJT and removed the items you indicated,
    including the windows update entry. Just a word of explanation though.
    I had disabled activeX in IE as I rarely use it, except
    to run windows update and the odd page that requires IE.
    Then when I ran windows update I got an error. I went to
    the microsoft site and found that others had the same problem.
    The entry in My trusted zone came from their solution
    on the Microsoft site.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;836942

    It instructs the user to add the "http://*.windowsupdate.com" to the
    trusted zones.
    For security I have removed it as requested.

    Thank you Chas, for your help.

    Rep
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well Microsoft is a little stupid in suggesting you add the one you did because there is malware that fits into that global TZ. This one: http://*.windowsupdate.microsoft.com would be okay but I don't put anything in the TZ as it should not be necessary. I have literally between home and work more than 60 PCs (from all Windows OS versions) and it is not necessary to add that TZ on any of them.
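The difference between the two Trusted Zone patterns discussed here is how much of the namespace a leading wildcard hands to the zone. The script below is an added example, not code from the thread or from HijackThis: it pulls O15 lines out of HijackThis log text, checks which URLs a pattern would cover, and flags wildcards that leave too few fixed labels. Its assumptions are that an O15 line has the form `O15 - Trusted Zone: <pattern>`, that a leading `*.` matches one or more host labels in front of the fixed suffix (a simplification of Internet Explorer's zone matching, which is not reproduced in full), and that "too broad" means fewer than three fixed labels, a heuristic chosen for this example. The sample log lines (apart from the O9 line quoted from the thread) and the hostnames are constructed.

```python
"""
Audit HijackThis O15 (Trusted Zone) lines for over-broad wildcards.

Added example. Assumptions (labelled here as the thread does not state them):
* O15 lines look like ``O15 - Trusted Zone: <pattern>``;
* a leading ``*.`` matches one or more host labels before the fixed suffix,
  a simplification of Internet Explorer's own zone matching;
* a wildcard with fewer than three fixed labels is treated as too broad
  (heuristic: ``*.example.com`` trusts every host under that domain).
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class TrustedEntry(NamedTuple):
    raw: str                 # the log line as written
    scheme: Optional[str]    # None when the pattern carries no scheme
    host_pattern: str        # e.g. "*.windowsupdate.com"


# Constructed sample log: one O9 line from the thread plus O15 entries,
# the last of which is invented to show a pattern without a scheme.
SAMPLE_LOG = """
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: *.example.net
"""

O15_RE = re.compile(r"^O15 - Trusted Zone:\s*(\S+)\s*$")


def parse_o15(log: str) -> List[TrustedEntry]:
    """Extract every Trusted Zone entry from HijackThis log text."""
    entries: List[TrustedEntry] = []
    for line in log.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue
        pattern = m.group(1)
        if "://" in pattern:
            scheme, host = pattern.split("://", 1)
        else:
            scheme, host = None, pattern
        entries.append(TrustedEntry(line.strip(), scheme,
                                    host.rstrip("/").lower()))
    return entries


def pattern_matches(entry: TrustedEntry, url: str) -> bool:
    """Would this zone entry place the given URL in the Trusted Zone?

    A scheme in the pattern binds the match to that scheme; a pattern with
    no scheme covers any scheme. ``*.suffix`` requires at least one label
    before the suffix (simplified matching, see module docstring).
    """
    parts = urlsplit(url)
    if entry.scheme and parts.scheme.lower() != entry.scheme.lower():
        return False
    host = (parts.hostname or "").lower()
    if entry.host_pattern.startswith("*."):
        suffix = entry.host_pattern[1:]          # ".windowsupdate.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry.host_pattern


def fixed_labels(entry: TrustedEntry) -> int:
    """Count the non-wildcard labels that pin the pattern down."""
    return len([l for l in entry.host_pattern.split(".") if l and l != "*"])


def audit(log: str, min_fixed_labels: int = 3) -> List[TrustedEntry]:
    """Return wildcard entries that leave fewer fixed labels than the
    threshold, i.e. the ones worth removing or narrowing."""
    return [e for e in parse_o15(log)
            if e.host_pattern.startswith("*.")
            and fixed_labels(e) < min_fixed_labels]


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        print("too broad:", e.raw)
```

Run against a real log the audit returns only the wildcard entries that pin down two or fewer labels; in the sample, `http://*.windowsupdate.com` is flagged while `http://*.windowsupdate.microsoft.com` passes, which is exactly the distinction drawn above, and the matcher shows that a hostname such as `anyhost.windowsupdate.com` falls inside the broad pattern but outside the narrow one.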
     
  9. Reptyle

    Reptyle Private E-2

    Go figure. Microsoft is leading the lambs to slaughter.
    Thanks again to Chas and AbbySue for the great advice.

    Reptyle
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    As pointed out in your link, if you disable Active X, you would need to add the TZ but I do not find disabling Active X to be necessary. While some people go overboard and do this, I have no problems on PCs with Active X enabled as long as they are properly protected and the people using those PCs use a little common sense on where they surf and what they click on.
     
