SpywareBlaster, Protect Against unchecks selected items.

Discussion in 'SpywareBlaster & Other Forum' started by catseyenu, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. catseyenu

    catseyenu Registered Member

    Joined:
    Dec 13, 2002
    Posts:
    15
    Working on a friends box with ME.
    She had all scumware known to man on it.
    Installed SpywareBlaster, updated, hit select all but when I hit the "Protect Against.." it unchecks and leaves in red all updates.
    Tried running Spybot S&D and had trouble getting updates.
    Ran AdAware, cleaned 162 items and retried SpywareBlaster. Same problem.
    Uninstalled, reinstalled...same problem.
    Any ideas?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi catseyenu,

    It might help to download BHODemon and disable any or all BHO's that are left. I suspect some downloadmanager was removed incompletely.

    Keep us posted,

    Pieter
     
  3. catseyenu

    catseyenu Registered Member

    Joined:
    Dec 13, 2002
    Posts:
    15
    Thanks Pieter, I'll give it a swing tomorrow when I get back over there.

    ~cat~
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi catseyenu,

    If that does not help:

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  5. catseyenu

    catseyenu Registered Member

    Joined:
    Dec 13, 2002
    Posts:
    15
    Pieter,
    Got it and will do.
    This started out as a simple "install a firewall" for her new broadband connection.
    Weaning them of AOL can be tedious. ;)
    Thank you again,

    ~cat~
     
  6. catseyenu

    catseyenu Registered Member

    Joined:
    Dec 13, 2002
    Posts:
    15
    Pieter, this is what I've got from Hijack This.
    See any likelt candidates for termination?
    TIA.
    ~cat~


    Logfile of HijackThis v1.96.0
    Scan saved at 12:08:30 AM, on 8/15/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\ARCHIVE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumericon&c=2C01&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?s=searchicon&c=2C01&lc=0409
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {CF419EB8-5219-4562-82BC-06A41623212C} - C:\WINDOWS\SYSTEM\MBHO.DLL (disabled by BHODemon)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} (Gtek Print Control) - http://www.kiddonet.com/kiddonet/GtekPrt.ocx
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37846.9041203704
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi catseyenu,

    Actually only the one you already disabled by BHODemon:
    O2 - BHO: (no name) - {CF419EB8-5219-4562-82BC-06A41623212C} - C:\WINDOWS\SYSTEM\MBHO.DLL (disabled by BHODemon)

    Which is most likely
    http://www.doxdesk.com/parasite/WurldMedia.html

    Regards,

    Pieter
     
  8. catseyenu

    catseyenu Registered Member

    Joined:
    Dec 13, 2002
    Posts:
    15
    Pieter,
    I've run Ad-Aware, RapidBlaster remover and disabled everything I can and still no love.
    SpywareBlaster still won't take the settings.
    Could it be a new exploit or just a badly maintained box.
    I removed 5 instances of Klez from it at the start so it's hard to tell who really ownes this box.
    Time to format and reinstall, I've too many other people that need help right now.
    Thanks for your help.

    ~cat~
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Anytime catseyenu,

    Wish I could have been of more assistance. :doubt:

    Regards,

    Pieter
     
  10. catseyenu

    catseyenu Registered Member

    Joined:
    Dec 13, 2002
    Posts:
    15
    Heh, though we try to educate & salvage what we can, "we" didn't create the problem.
    "They" perish for lack of knowledge...
     
Loading...
Thread Status:
Not open for further replies.