Worm or trojan, please help - Techist - Tech Forum

01-22-2004, 05:15 AM   #1
Newb Techie
Join Date: Jan 2004
Posts: 2
Worm or trojan, please help


I am going crazy. I have email messages and sex sites running in the background when I open Task Manager in Windows 2000. Something is also closing my Norton AV Auto-protect.

I have run Spybot, Ad-aware, etc., etc. and nothing helps.

Here is my hijack log.

Logfile of HijackThis v1.97.7
Scan saved at 4:59:15 AM, on 1/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Barak013\fts.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\MailFrontier\mlfbuddy.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: admin.promaxhost.com
O1 - Hosts: tds.alekshost.com
O1 - Hosts: tds.bgporn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Barak013 fts.exe] "C:\Program Files\Barak013\fts.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [12113589.exe] C:\WINNT\System32\12113589.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [Matador] "C:\Program Files\MailFrontier\mlfbuddy.exe" -quiet
O4 - HKCU\..\Run: [%FP%Barak013 FWPortal.exe] "C:\PROGRA~1\Barak013\FWPortal.exe" -no_dialog
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mailfrontier.com/matador/instmtdr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...970.4042824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab


nikita is offline  
01-22-2004, 06:56 AM   #2
Junior Techie
Join Date: Jan 2004
Posts: 55

Go into the registry and check your Windows run key.
Maybe try this:
This procedure terminates the running malware process from memory.

Open Windows Task Manager. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process which looks suspicious.

Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
For the registry:


Good Luck!

Jiminy777 is offline  
01-22-2004, 08:48 AM   #3
Join Date: Dec 2003
Posts: 129

Under CurrentVersion you will find Run -> the old ones used to install themselves there... but the newer ones try going into RunServices or RunOnce - try these too.
param4u is offline  
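As an added example (not posted by anyone in this thread), here is a small Python script that applies the advice in the last two replies to a HijackThis log instead of clicking through regedit by hand: it pulls the O4 Run-key entries and the O1 Hosts lines out of the log text and flags the ones worth a closer look. The sample lines are copied from the log in the first post; the triage rules (a numeric-only file name, a binary that belongs only in system32 such as rundll32.exe being launched from another directory, any hosts-file override, and entries with no full path) are my own heuristics for this example, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, so the script runs offline. A real log is much longer.
SAMPLE_LOG = r"""
O1 - Hosts: admin.promaxhost.com
O1 - Hosts: tds.bgporn.com
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [12113589.exe] C:\WINNT\System32\12113589.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Windows binaries that live only in %SystemRoot%\system32 on Windows 2000
# (the poster's platform); a same-named file elsewhere deserves a look.
SYSTEM32_ONLY = {"rundll32.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

# Only HKLM/HKCU Run-type keys are parsed here; Global Startup lines are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O1_RE = re.compile(r'^O1 - Hosts: (?P<host>\S+)$')


@dataclass
class Finding:
    line: str
    level: str    # "suspicious" (act on it) or "review" (verify where the file lives)
    reason: str


def command_image(cmd: str) -> str:
    """Return the executable part of an O4 command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def assess_image(image: str):
    """Apply the example heuristics to one autorun image; None means nothing stood out."""
    p = PureWindowsPath(image)
    name = p.name.lower()
    if p.stem.isdigit():
        return ("suspicious", f"numeric-only file name {p.name}")
    if name in SYSTEM32_ONLY and p.parent.name.lower() != "system32":
        return ("suspicious", f"{name} launched from {p.parent} instead of system32")
    if "\\" not in image:
        # No directory given: the image is found via the search path, so confirm
        # which copy actually runs before deciding it is legitimate.
        return ("review", "no full path; resolved via the search path, verify where it lives")
    return None


def triage(log_text: str) -> list:
    """Walk the log and collect O1/O4 lines the example rules consider worth checking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O1_RE.match(line)
        if m:
            findings.append(Finding(line, "suspicious",
                                    f"hosts-file override for {m['host']}; confirm it was added deliberately"))
            continue
        m = O4_RE.match(line)
        if m:
            verdict = assess_image(command_image(m["cmd"]))
            if verdict:
                findings.append(Finding(line, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:10}] {f.reason}\n             {f.line}")
```

A "suspicious" result is a reason to look at the file and its Run-key entry, not a verdict on its own; a legitimate driver helper such as tp4mon.exe lands in "review" only because the log does not say which directory it is loaded from.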
01-22-2004, 03:10 PM   #4
Junior Techie
Join Date: Nov 2003
Posts: 73

There is a new virus out that is doing the same thing for Windows XP and Win 2000. Download AVG and run their antivirus; it should find and remove the virus from your computer. This new virus is running through the same hole in Windows that the Sobig virus did.
mitschej is offline  
01-23-2004, 03:20 AM   #5
Newb Techie
Join Date: Jan 2004
Posts: 2
Tried all that, still have problem

Hi and thanks to all.

I went into the registry and cannot see anything that should cause this.

I am current with my Norton AV.

My problem is that I cannot format because I have some programs I need that I cannot reinstall, at least not now.

I cannot use the computer; these email messages and porn sites running in the background take all the memory.

Any new ideas?
nikita is offline  
01-23-2004, 03:42 AM   #6
Newb Techie
Join Date: Jan 2004
Posts: 16

Seems like you got spammed... ouch. I suggest getting a firewall such as this; then when the programs ask for internet access you can see where the programs are and delete them.
Helium is offline  
01-23-2004, 05:44 AM   #7
Techie Beyond Description
Join Date: Jun 2003
Location: Melbourne, Australia
Posts: 14,559

yeh, Zone Alarm. I tested that on the internet and all of my ports were found as "stealth".
Apokalipse is offline  
01-23-2004, 07:05 AM   #8
True Techie
Join Date: Jan 2004
Posts: 164

You can also try another anti-virus online like Trend Micro. Personally I got rid of Norton 'cause it was too slow for me. One day I scanned with Norton; that didn't detect any virus. I tried with Trend Micro and it found 2 viruses. Now I'm running AVG and get no troubles.

"you can't hold a good techie down"
petogaz is offline  