Can't kill wuapdate16



#1
guest 1

Hi, I recently upgraded from Windows 98 SE to Windows XP, and in the process either immediately got a bunch of virii (unlikely) or provided a suitable environment for virii already lurking on my computer. I got rid of msblaster with ease, but cannot get rid of this wuapdate16 program. I started by manually deleting the exe in the win32 folder and deleting it from the registry. I can delete all references from the computer, but it will come back if I am connected to the internet for a long time (I'm on 28.8 dialup), and will start sending data unless I close it. Also, as I'm typing this, mswinccp.exe seems to have gotten onto my computer and set itself to start up in the registry in the same places as wuapdate16. I'm going to delete this and assume that I need to run a real Windows update. I have also been getting seemingly non-browser-related pop-ups trying to tell me to update and how I can buy viagra from some website. Nice.

Here is my log before I got rid of mswinccp.exe from the registry with HijackThis (I closed the running process the second I noticed it)


Logfile of HijackThis v1.97.7
Scan saved at 6:08:36 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft CCP Update] mswinccp.exe
O4 - HKLM\..\RunServices: [Microsoft CCP Update] mswinccp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

and here it is after I deleted mswinccp.exe

Logfile of HijackThis v1.97.7
Scan saved at 6:09:31 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Notes:
*Notepad is open because I'm writing what you are now reading in it
*And I'm almost 100% positive that sm56hlpr.exe is legit and used by my modem
*Wuapdate16 appears the same way as mswinccp in HijackThis when it is on the computer
*I closed a copy of SVCHOST.exe labeled LOCAL SERVICE (local something at least) earlier this session; it does not seem to have an effect on getting or not getting the troublesome programs
*I usually have Quintessential Player running when I'm on the internet, this is a free music player and may have something to do with it. I doubt this though, but I want to give you all as much information to work with. I also use an old version of dead AIM that I downloaded off of www.oldversion.com if that could be causing a problem.

I'm now guessing that I am getting these because I have not updated Windows XP, and the programs are being installed remotely through some type of security hole, or some exploit in the old version of AIM I use. Any help in how to update (I'm new to XP) or pointing out what really is the problem would be greatly appreciated.

Thanks for helping.
#2
guest 1

I also want to add that I use Mozilla 1.6 (I think it's 1.6) as my primary browser, and neither Ad-Aware nor Spybot seem to detect these programs.

Also this thing seems to randomly appear in HijackThis sometimes:


O17 - HKLM\System\CCS\Services\Tcpip\..\{C5701A54-11E1-4426-920C-2B7A629A79FC}: NameServer = 209.251.129.10 209.251.129.9

It's not my IP address, and I'm not sure if it is my service provider's or not.
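The before/after comparison from the first post and the O17 entry above can be done mechanically; this is an added example, not part of the original thread. The sample input is constructed from the O4 and O17 lines quoted in the two posts, and the function names and the `isp_dns` allowlist parameter are hypothetical.

```python
import re

# Constructed sample: O4 lines from the two logs in post #1, plus the O17
# line from post #2 (which the poster says only shows up in some scans).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Microsoft CCP Update] mswinccp.exe
O4 - HKLM\..\RunServices: [Microsoft CCP Update] mswinccp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5701A54-11E1-4426-920C-2B7A629A79FC}: NameServer = 209.251.129.10 209.251.129.9
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*\{(?P<iface>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$")

def parse(log):
    """Return (autoruns, nameservers) taken from HijackThis O4 and O17 lines."""
    autoruns, nameservers = set(), {}
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            autoruns.add((m["key"], m["name"], m["cmd"].lower()))
        elif m := O17_RE.match(line):
            nameservers[m["iface"]] = m["servers"].replace(",", " ").split()
    return autoruns, nameservers

def compare(before, after, isp_dns=()):
    """Diff two scans; isp_dns is the list of resolvers the ISP actually assigns."""
    a_before, dns = parse(before)
    a_after, _ = parse(after)
    keys_by_cmd = {}
    for key, _name, cmd in a_before:
        keys_by_cmd.setdefault(cmd, set()).add(key)
    seen_dns = {s for servers in dns.values() for s in servers}
    return {
        "removed": sorted(a_before - a_after),  # autoruns gone after cleanup
        "added": sorted(a_after - a_before),    # autoruns that reappeared
        # the same command registered under more than one autorun key
        "multi_key": {c: sorted(k) for c, k in keys_by_cmd.items() if len(k) > 1},
        "dns_not_in_allowlist": sorted(seen_dns - set(isp_dns)),
    }

if __name__ == "__main__":
    for field, value in compare(LOG_BEFORE, LOG_AFTER).items():
        print(field, value)
```

Running the same comparison on a later scan against the cleaned one shows in `added` whether an entry has come back.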

#3
ditto

Hello guest 1,

I notice that you do not have an anti-virus program running. We recommend installing AVG. Click Here for AVG. You will have to register for the free version.

Also, you can try a free online virus scan here:
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Also is this a city computer that you are using?

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<