
Two technical questions for someone smarter than me

Posted: 2003-08-13 12:08am
by Asst. Asst. Lt. Cmdr. Smi
1. SD.net is an ad-free site, right? Well, I'm starting to get pop-up ads (Ironically, they say "Stop pop-ups now!"). A similar thing has happened to another computer. What might be causing this?

2. Twice tonight, I have received a notice that something on my computer has unexpectedly terminated, and gives me a minute to log off. I have never had this problem before, and fear it might happen even more. How can I fix this?

I'm worried, because I don't want this computer to end up like my other one (Slow as hell, constant pop-up ads, even in ad-free sites, and constant Illegal Operation messages)

Re: Two technical questions for someone smarter than me

Posted: 2003-08-13 12:14am
by Crayz9000
Asst. Asst. Lt. Cmdr. Smi wrote:I'm worried, because I don't want this computer to end up like my other one (Slow as hell, constant pop-up ads, even in ad-free sites, and constant Illegal Operation messages)
You've probably got some spyware (i.e. trojans) running on your box. Get HijackThis and run it. You can send the log to Ein if you wish, he's better at reading things than I am.

Posted: 2003-08-13 12:32am
by Dalton
Crayz, I think it's more likely that he has Blaster!

Re: Two technical questions for someone smarter than me

Posted: 2003-08-13 12:34am
by phongn
Asst. Asst. Lt. Cmdr. Smi wrote: 2. Twice tonight, I have received a notice that something on my computer has unexpectedly terminated, and gives me a minute to log off. I have never had this problem before, and fear it might happen even more. How can I fix this?
::sigh::

There have been numerous threads about this on SDN and it's been major news on the Internet. Go into the Task Manager and kill the process MSBLAST. Then get Symantec's removal tool to clean it out. Finally, head to WindowsUpdate and patch your computer.

Posted: 2003-08-13 12:35am
by phongn
Dalton wrote:Crayz, I think it's more likely that he has Blaster!
He's got Blaster and probably a bunch of spyware and trojan crud on his box.

Posted: 2003-08-13 12:38am
by Asst. Asst. Lt. Cmdr. Smi
I saved the log, and copied it to here:

Logfile of HijackThis v1.96.0
Scan saved at 12:36:44 AM, on 8/13/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\msblast.exe
C:\Documents and Settings\Owner\Application Data\iebs.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us6.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~3\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1AC4C6D-A67C-47D4-84A4-6B4855239D59}: NameServer = 64.84.96.2 64.215.86.12

Any advice on what to delete?

Posted: 2003-08-13 12:47am
by Dalton
Yup, he's got blaster. AALCS, follow Phong's advice NOW.

Posted: 2003-08-13 12:52am
by Hamel
Am I the only one in the world who doesn't have this virus? Shitfire

Posted: 2003-08-13 12:56am
by phongn
Hamel wrote:Am I the only one in the world who doesn't have this virus? Shitfire
Our home firewall's been protecting us (I've been getting strange NetBIOS requests in the log all day) so we're not affected, luckily. However, my brother's laptop wasn't patched and he routinely takes it outside the firewall ...

Posted: 2003-08-13 01:11am
by Durandal
Hamel wrote:Am I the only one in the world who doesn't have this virus? Shitfire
People who use Mac OS X, Linux or FreeBSD are also unaffected. We scoff at Windows users' plight. :)

Posted: 2003-08-13 01:11am
by TrailerParkJawa
Hamel wrote:Am I the only one in the world who doesn't have this virus? Shitfire
I didn't get it, I'm patched and firewalled. My dad's computer is not, but luckily he is on his own DSL line separate from mine. (Long story why we have two DSL lines, but it is kinda cool.)

Posted: 2003-08-13 01:13am
by Pu-239
Win98 computer upstairs isn't affected either. Linux box down here ok.

[nelson]HA HA!!![/nelson]

Posted: 2003-08-13 01:19am
by Crayz9000
To be honest, I feel downright evil about this. Half the Internet seems to be panicking, and here I am, with a nice Linux network... completely unconcerned about Blaster or any of these trojans.

My mom, in fact, asked me several times about the trojan. I told her that she didn't have to worry, since we've got tighter security than most Department of Defense servers. :twisted:

Posted: 2003-08-13 01:25am
by Hamel
Durandal wrote:
Hamel wrote:Am I the only one in the world who doesn't have this virus? Shitfire
People who use Mac OS X, Linux or FreeBSD are also unaffected. We scoff at Windows users' plight. :)
I'm running WinXP, totally unpatched, behind a linksys router.

I've not had a single virus, worm, etc on this computer in 2 years, even before I had a router. Seems most people get their virii through Outlook and Geocities sites.

Posted: 2003-08-13 01:32am
by phongn
My house has never been hit by any of the worms going around the 'net. We've usually had some sort of firewall up (might be basic, but better than nothing).

At first we used IPRoute on DOS 6.22 running an external ISDN modem. I later got tired of having a mighty P166 doing nothing but sitting there, so I shoved NT4 Server on it and acquired a copy of WinRoute. Both IPRoute and WinRoute had firewalling, though to what extent I'm not sure.

We later moved on to using a cheap Linksys router hooked up to an ADSL modem; that router has been replaced by a more sophisticated 2Wire product.

Posted: 2003-08-13 01:45am
by Howedar
I seem to be unaffected by this worm thingy.

Posted: 2003-08-13 04:03am
by Asst. Asst. Lt. Cmdr. Smi
The thing recommends that I back up my files before running it, does anyone have tips on how to do that? Or is it okay to run it without backing up files?

Posted: 2003-08-13 04:15am
by Einhander Sn0m4n
Asst. Asst. Lt. Cmdr. Smi wrote: C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\msblast.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [Ahst] C:\Documents and Settings\Owner\Application Data\iebs.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
KILL THESE NOW AND REBOOT!!!

Posted: 2003-08-13 04:21am
by Shinova
Haven't been touched by msblast yet. I now have two firewalls on my comp, plus a hardware firewall in my router or cable modem (I think, not sure which one).

Posted: 2003-08-13 10:32am
by Durandal
Crayz9000 wrote:To be honest, I feel downright evil about this. Half the Internet seems to be panicking, and here I am, with a nice Linux network... completely unconcerned about Blaster or any of these trojans.
I know how you feel. Yesterday one of my coworkers came in and asked the people in my office if we'd patched our machines. I said, "Yes, I've been using Mac OS X for quite a while now."
Shinova wrote:Haven't been touched by msblast yet. I now have two firewalls on my comp, plus a hardware firewall in my router or cable modem (I think, not sure which one).
Not smart. Do you want all three of those firewalls conflicting?

Posted: 2003-08-13 02:27pm
by phongn
Very not smart. Keep two firewalls (hardware + software), but only one software firewall, period.

Re: Two technical questions for someone smarter than me

Posted: 2003-08-13 02:41pm
by Vendetta
Asst. Asst. Lt. Cmdr. Smi wrote: 1. SD.net is an ad-free site, right? Well, I'm starting to get pop-up ads (Ironically, they say "Stop pop-ups now!"). A similar thing has happened to another computer. What might be causing this?
You appear not to have disabled Windows Messenger Service.

Start, Right click My Computer, Manage, Services, Messenger, Disable.

You don't need the service running, and it's a spam-hole.

Re: Two technical questions for someone smarter than me

Posted: 2003-08-13 03:20pm
by Crayz9000
Vendetta wrote:You appear not to have disabled Windows Messenger Service.

Start, Right click My Computer, Manage, Services, Messenger, Disable.

You don't need the service running, and it's a spam-hole.
It's not the Windows Messenger Service. It was a bunch of trojans, according to a system scan he posted.

Although disabling WM never hurts.

Posted: 2003-08-13 03:30pm
by beyond hope
Hamel wrote:I'm running WinXP, totally unpatched, behind a linksys router.

I've not had a single virus, worm, etc on this computer in 2 years, even before I had a router. Seems most people get their virii through Outlook and Geocities sites.
Along with dialers, browser hijacks, spyware, etc. Geocities websites are riddled with that sort of garbage.

Posted: 2003-08-13 03:38pm
by Einhander Sn0m4n
beyond hope wrote:
Hamel wrote:I'm running WinXP, totally unpatched, behind a linksys router.

I've not had a single virus, worm, etc on this computer in 2 years, even before I had a router. Seems most people get their virii through Outlook and Geocities sites.
Along with dialers, browser hijacks, spyware, etc. Geocities websites are riddled with that sort of garbage.
Ya, see my sig for details too ;)