Questions about SpywareBlaster and plz look at my Hijack this log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kaboth, Jul 20, 2004.

  1. Kaboth

    Kaboth Private E-2

    Hello all,
    I have installed the latest version of SpywareBlaster on my computer. Do I need to run it manually every time I restart my computer to ensure I'm protected when connecting to the Internet? Is there a way to make it run on Windows startup?

    I've read the post and checked my HijackThis log, which looks fine; could the experts just give it a quick skim to see that I haven't missed anything?

    Thanks for your time,

    Logfile of HijackThis v1.98.0
    Scan saved at 11:40:18 PM, on 20/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\RAM Idle LE\RAM_XP.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuamgrd.exe
    C:\windows\winsock16.exe
    C:\Program Files\Game Accelerator\gamexl.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\12Ghosts\12popup.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Download Accelerator Plus\DAP.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\sphost.exe
    C:\WINDOWS\System32\lsas.exe
    C:\WINDOWS\System32\wuamagr32.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SYSTEM] lsas.exe
    O4 - HKLM\..\Run: [Windows Firewalll] sphost.exe
    O4 - HKLM\..\Run: [Explorer32] C:\windows\winsock16.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GameXL] "C:\Program Files\Game Accelerator\gamexl.exe"
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
    O4 - HKLM\..\RunServices: [SYSTEM] lsas.exe
    O4 - HKLM\..\RunServices: [Windows Firewalll] sphost.exe
    O4 - HKLM\..\RunServices: [EnableDCOM] N
    O4 - HKLM\..\RunServices: [MSN Messenger] xbmswrl.exe
    O4 - HKCU\..\Run: [SYSTEM] lsas.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
    O4 - HKCU\..\Run: [Windows Firewalll] sphost.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] wuamgrd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunServices: [MSN Messenger] xbmswrl.exe
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DOWNLO~1\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DOWNLO~1\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4320/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BDD78D4A-E6C2-4D74-AE17-D99632294144}: NameServer = 203.12.160.35 203.12.160.36
     
  2. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi Kaboth, I think you must have skimmed your log as it's not as clean as you think :rolleyes:
    I can see at least two trojans by having a quick skim over, so please run an online virus scan here
    http://housecall.trendmicro.com/
    or here
    http://www.pandasoftware.com/activescan/
    maybe a trojan scan here
    http://www.windowsecurity.com/trojanscan/
    or even run all three ;)
    If you haven't already, please download, install, update, then scan with Ad-Aware and Spybot Search and Destroy, both found here
    http://www.majorgeeks.com/downloads31.html

    As for SpywareBlaster, it's a run-once app: install it and enable protection and it's good to go :)

    Do all the things mentioned, then repost your newest log file and we'll take it from there.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Absolutely agree with the General. In about 30 seconds, I immediately see:

    C:\WINDOWS\System32\wuamgrd.exe
    C:\windows\winsock16.exe
    C:\WINDOWS\System32\sphost.exe
    C:\WINDOWS\System32\lsas.exe
    C:\WINDOWS\System32\wuamagr32.exe

    Not good. You need to run the scans recommended and you need to make sure you have updated all of Microsoft's Critical Updates. Check what you need by going to Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Then click scan for updates.
    Download ALL of the critical updates.
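    As a defender's illustration of the kind of entries the General and chaslang spotted, here is a small triage script, added for this thread (not HijackThis, MajorGeeks or either poster's code), that flags O4 autostart lines with no path, near-miss names of real system binaries, and values under RunServices; the allowlist of Windows binary names is a constructed assumption.

```python
"""Triage helper for HijackThis O4 (autostart) lines, added here as an
illustration for this thread; it is not HijackThis or MajorGeeks code."""
import re
from difflib import SequenceMatcher

# Constructed allowlist: genuine Windows binaries that malware names imitate.
KNOWN_GOOD = {"lsass.exe", "svchost.exe", "winlogon.exe", "services.exe",
              "wupdmgr.exe", "ctfmon.exe", "smss.exe", "rundll32.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def executable_of(cmd):
    """Return the program part of a Run value: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def triage_o4(line):
    """Return the reasons an O4 registry line deserves a closer look ([] if none)."""
    m = O4_RE.match(line.strip())
    if not m:                  # Startup-folder O4 lines and other types are skipped
        return []
    prog = executable_of(m.group("cmd"))
    exe = prog.split("\\")[-1].lower()
    reasons = []
    # A bare filename is resolved through the loader's search path; every
    # genuine vendor entry in the posted log carries a full path.
    if "\\" not in prog and exe.endswith(".exe") and exe not in KNOWN_GOOD:
        reasons.append("no path given")
    # Near-miss spellings of real system binaries (lsas.exe vs lsass.exe).
    for good in sorted(KNOWN_GOOD):
        if exe != good and SequenceMatcher(None, exe, good).ratio() >= 0.85:
            reasons.append(f"lookalike of {good}")
    # RunServices is only honoured by Windows 9x; XP ignores it, so anything
    # sitting there was written for some other reason and merits a look.
    if m.group("key") == "RunServices":
        reasons.append("RunServices key on an NT-family OS")
    return reasons

# Lines copied from the log posted in this thread.
SAMPLE = [
    r'O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min',
    r"O4 - HKLM\..\Run: [SYSTEM] lsas.exe",
    r"O4 - HKLM\..\Run: [Windows Firewalll] sphost.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Update Machine] wuamgrd.exe",
]
if __name__ == "__main__":
    for ln in SAMPLE:
        print(ln, "->", triage_o4(ln) or "ok")
```

    The heuristics only point at lines worth checking; a flagged entry still has to be confirmed by a scanner or by looking at the file itself.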
     
  4. Kaboth

    Kaboth Private E-2

    Gee, thanks for the links and the viruses you guys spotted. I think I eliminated a few of the viruses. I'll post the log so you can help locate any more. Incidentally, the Panda ActiveScan seemed to work the most effectively for me.

    Am I right to be suspicious of this entry O4 - HKLM\..\RunServices: [EnableDCOM] N?

    Anyway, here's the log:

    Logfile of HijackThis v1.98.0
    Scan saved at 10:16:01 AM, on 22/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RAM Idle LE\RAM_XP.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Game Accelerator\gamexl.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\12Ghosts\12popup.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\Overnet\overnet.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GameXL] "C:\Program Files\Game Accelerator\gamexl.exe"
    O4 - HKLM\..\RunServices: [EnableDCOM] N
    O4 - HKLM\..\RunServices: [MSN Messenger] xbmswrl.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunServices: [MSN Messenger] xbmswrl.exe
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Program Files\12Ghosts\12popup.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DOWNLO~1\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DOWNLO~1\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4320/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BDD78D4A-E6C2-4D74-AE17-D99632294144}: NameServer = 203.12.160.35 203.12.160.36
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  6. NeoNemesis

    NeoNemesis Moutharrhea

    Isn't wumagr32.exe the Windows Update Manager?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As far as I know, WUPDMGR.EXE is Windows Update Manager. Just type in wupdmgr.exe in a Start, Run, dialog box and you will get Windows Update.

    The other filename (wumagr32.exe) I have seen associated with a Back Door Trojan.
     
  8. Kaboth

    Kaboth Private E-2

    When I scanned from the suggested sites, WUPDMGR.EXE was reported as some form of virus for me, so I presume it is for everyone. In any case I deleted its registry value as the virus report suggested and I haven't had any problems.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    WUPDMGR.EXE is Windows Update Manager. It is not a virus, unless yours was somehow infected. wuamagr32.exe, on the other hand, is a problem that needed to be fixed.

    Which virus report are you talking about? Do you have a link you are referring to?
     
