Worm or trojan, please help

Status
Not open for further replies.

nikita

Beta member
Messages
2
Hello

I am going crazy. I have email messages and sex sites running in the background when I open Task Manager in Windows 2000. Something is also closing my Norton AV Auto-protect.

I have run Spybot, Ad-aware, etc., etc. and nothing helps.

Here is my hijack log.


Logfile of HijackThis v1.97.7
Scan saved at 4:59:15 AM, on 1/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Barak013\fts.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\Program Files\MailFrontier\mlfbuddy.exe
C:\PROGRA~1\Barak013\FWPortal.exe
C:\winnt\rundll32.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijack\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 209.66.123.175 admin.promaxhost.com
O1 - Hosts: 209.66.123.175 tds.alekshost.com
O1 - Hosts: 209.66.123.175 tds.bgporn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Barak013 fts.exe] "C:\Program Files\Barak013\fts.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [12113589.exe] C:\WINNT\System32\12113589.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [Matador] "C:\Program Files\MailFrontier\mlfbuddy.exe" -quiet
O4 - HKCU\..\Run: [%FP%Barak013 FWPortal.exe] "C:\PROGRA~1\Barak013\FWPortal.exe" -no_dialog
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mailfrontier.com/matador/instmtdr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/166d52a3eb3907a4ef06/netzip/RdxIE601.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.66.155.171.73.downloads.es...90.213.238_44909&=&req=1054884848622OneCC.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37970.4042824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

THANKS IN ADVANCE TO ANYONE WHO CAN HELP ME
 
Go into the registry and check your Windows run key.
Maybe try this:
This procedure terminates the running malware process from memory.

Open Windows Task Manager.
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process which looks suspicious.

Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
For the registry:
KEY_USERS>%SystemInfo%>Software>Microsoft>Windows>
CurrentVersion>Run

>>>>REMEMBER TO BACK UP REGISTRY BEFORE TOUCHING IT<<<<

Good Luck!
 
Under CurrentVersion you will find Run -> the old ones used to install themselves there... but the newer ones try going into RunServices or RunOnce - try these too.
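The two replies above walk through the Run, RunOnce and RunServices keys by hand. As an added example (not code from this thread or from HijackThis), here is a Python triage pass over the O4 lines of a log like the one posted, with a few of its own lines copied in as sample input; the three heuristics and the SYSTEM_BINARIES list are assumptions, meant only to order what gets checked first, not to declare anything malicious.

```python
import re
# Constructed sample input: a subset of the O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [12113589.exe] C:\WINNT\System32\12113589.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Matches O4 lines for Run-style registry keys (Run, RunOnce, RunServices).
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
# Executable path: a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)
# Assumed list of names that normally load from %SystemRoot%\System32; a copy elsewhere deserves a look.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}

def parse_o4(line):
    """Return (hive, key, name, exe_path) for a registry O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, value = m.groups()
    e = EXE_RE.match(value)
    exe = (e.group(1) or e.group(2)) if e else value
    return hive, key, name, exe.strip()

def review(entry):
    """Reasons a Run entry should be looked at by hand; an empty list means nothing stood out."""
    _hive, _key, _name, exe = entry
    reasons = []
    base = exe.rsplit("\\", 1)[-1].lower()
    folder = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
    if base.split(".")[0].isdigit():
        reasons.append("numeric file name")
    if base in SYSTEM_BINARIES and not folder.endswith("\\system32"):
        reasons.append("system binary name outside System32")
    if not folder:
        reasons.append("bare file name, resolved through PATH")
    return reasons

def triage(log_text):
    """Map each flagged Run entry's [name] to (exe_path, reasons); clean entries are skipped."""
    findings = {}
    for entry in filter(None, map(parse_o4, log_text.splitlines())):
        reasons = review(entry)
        if reasons:
            findings[entry[2]] = (entry[3], reasons)
    return findings
```

Run `triage(SAMPLE_LOG)` and start with the flagged entries; a bare name in a Run value is worth resolving to the copy that actually runs before deciding anything.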
 
There is a new virus out that is doing the same thing for Windows XP and Win 2000. Download AVG and run their antivirus; it should find and remove the virus from your computer. This new virus is running through the same hole in Windows that the Sobig virus did.
 
Tried all that, still have problem

Hi and thanks to all.

I went into the registry and cannot see anything that should cause this.

I am current with my Norton AV.

My problem is that I cannot format because I have some programs I need that I cannot reinstall, at least not now.

I cannot use the computer; these email messages and porn sites running in the background take all the memory.

Any new ideas?
 
Seems like you got spammed... ouch. I suggest getting a firewall such as this; then when the programs ask for internet access you can see where the programs are and delete them.
 
You can also try another anti-virus online like Trend Micro. Personally I got rid of Norton 'cause it was too slow for me. One day I scanned with Norton. That didn't detect any virus. I tried with Trend Micro; it found 2 viruses. Now I'm running AVG and get no troubles.
 