Worm or trojan, please help - Techist - Tech Forum

01-22-2004, 06:15 AM   #1
nikita
Newb Techie
Join Date: Jan 2004
Posts: 2
Worm or trojan, please help

Hello

I am going crazy. I have email messages and sex sites running in the background when I open Task Manager in Windows 2000. Something is also closing my Norton AV Auto-protect.

I have run Spybot, Ad-aware, etc., etc. and nothing helps.

Here is my hijack log.


Logfile of HijackThis v1.97.7
Scan saved at 4:59:15 AM, on 1/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltcm000c.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Barak013\fts.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\Program Files\MailFrontier\mlfbuddy.exe
C:\PROGRA~1\Barak013\FWPortal.exe
C:\winnt\rundll32.exe
C:\Program Files\ACT\SideACT.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijack\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 209.66.123.175 admin.promaxhost.com
O1 - Hosts: 209.66.123.175 tds.alekshost.com
O1 - Hosts: 209.66.123.175 tds.bgporn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [%FP%Barak013 fts.exe] "C:\Program Files\Barak013\fts.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [12113589.exe] C:\WINNT\System32\12113589.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
O4 - HKCU\..\Run: [Matador] "C:\Program Files\MailFrontier\mlfbuddy.exe" -quiet
O4 - HKCU\..\Run: [%FP%Barak013 FWPortal.exe] "C:\PROGRA~1\Barak013\FWPortal.exe" -no_dialog
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SideACT!.lnk = C:\Program Files\ACT\SideACT.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2EC77245-C97C-4F5E-80D1-9B280C4CD820} - http://download.mailfrontier.com/matador/instmtdr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/166d52a3eb3907a...p/RdxIE601.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.66.155.171.73.downloads.est...48622OneCC.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...970.4042824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

THANKS IN ADVANCE TO ANYONE WHO CAN HELP ME
01-22-2004, 07:56 AM   #2
Jiminy777
Junior Techie
Join Date: Jan 2004
Posts: 55

Go into the registry and check your Windows run key.
Maybe try this:
This procedure terminates the running malware process from memory.

Open Windows Task Manager.
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process which looks suspicious.

Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
For the registry:
HKEY_USERS>%SystemInfo%>Software>Microsoft>Windows>CurrentVersion>Run

>>>>REMEMBER TO BACK UP REGISTRY BEFORE TOUCHING IT<<<<

Good Luck!
01-22-2004, 09:48 AM   #3
param4u
Banned
Join Date: Dec 2003
Posts: 129

Under CurrentVersion you will find Run -> the old ones used to install themselves there... but the newer ones try going into RunServices or RunOnce - try these too.
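As an added example (not posted by anyone in this thread), a small Python triage script for the procedure the two replies above describe: it parses HijackThis O1/O4 lines like the ones in the posted log, pulls the image path out of every Run/RunOnce/RunServices entry, and attaches review notes using two heuristics of my own choosing (an all-digit executable name, and rundll32.exe loaded from outside System32). The sample lines are constructed from the posted log.

```python
import re

# Constructed sample in the HijackThis log format quoted in the thread:
# a handful of its O1/O4 lines, not the full log.
SAMPLE_LOG = r"""
O1 - Hosts: 209.66.123.175 admin.promaxhost.com
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [12113589.exe] C:\WINNT\System32\12113589.exe
O4 - HKCU\..\Run: [rundll32] C:\winnt\rundll32.exe
O4 - HKCU\..\Run: [Matador] "C:\Program Files\MailFrontier\mlfbuddy.exe" -quiet
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# O4 registry lines: hive, key (Run, RunOnce, RunServices, ...), value name, command.
# Global Startup lines are folder shortcuts, not registry values, so they are skipped.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")

def image_path(command):
    """Strip arguments from an autorun command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split()[0]

def parse_autoruns(log):
    """Return (hive, key, name, image) for every registry autorun line."""
    matches = (m.groups() for m in map(O4_RE.match, log.splitlines()) if m)
    return [(hive, key, name, image_path(cmd)) for hive, key, name, cmd in matches]

def parse_hosts(log):
    """Return (ip, hostname) for every HOSTS redirect HijackThis reports."""
    return [m.groups() for m in map(O1_RE.match, log.splitlines()) if m]

def flag_entry(image):
    """Heuristic review notes for one autorun image: reasons to look, not verdicts."""
    notes = []
    base = image.rsplit("\\", 1)[-1].lower()
    if base.rsplit(".", 1)[0].isdigit():
        notes.append("executable name is only digits")
    # Windows 2000 keeps rundll32.exe in %SystemRoot%\system32; a copy elsewhere is odd.
    if base == "rundll32.exe" and "system32" not in image.lower():
        notes.append("rundll32.exe outside System32")
    return notes

def review(log):
    """Autorun entries that earned at least one note, as (name, image, notes)."""
    flagged = [(n, img, flag_entry(img)) for _, _, n, img in parse_autoruns(log)]
    return [entry for entry in flagged if entry[2]]
```

Run against a full log, `review()` lists only the entries worth opening in the registry, and `parse_hosts()` shows which hostnames the HOSTS file is redirecting and to where.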
01-22-2004, 04:10 PM   #4
mitschej
Junior Techie
Join Date: Nov 2003
Posts: 73

There is a new virus out that is doing the same thing for Windows XP and Win 2000. Download AVG and run their antivirus; it should find and remove the virus from your computer. This new virus is running through the same hole in Windows that the Sobig virus did.
01-23-2004, 04:20 AM   #5
nikita
Newb Techie
Join Date: Jan 2004
Posts: 2
Tried all that, still have problem

Hi and thanks to all.

I went into the registry and cannot see anything that should cause this.

I am current with my Norton AV.

My problem is that I cannot format because I have some programs I need that I cannot reinstall, at least not now.

I cannot use the computer; these email messages and porn sites running in the background take all the memory.

Any new ideas?
01-23-2004, 04:42 AM   #6
Helium
Newb Techie
Join Date: Jan 2004
Posts: 16

Seems like you got spammed... ouch. I suggest getting a firewall such as this; then, when the programs ask for internet access, you can see where the programs are and delete them.
01-23-2004, 06:44 AM   #7
Apokalipse
Techie Beyond Description
Join Date: Jun 2003
Location: Melbourne, Australia
Posts: 14,559

Yeah, Zone Alarm. I tested that on the internet and all of my ports were found as "stealth".
01-23-2004, 08:05 AM   #8
petogaz
True Techie
Join Date: Jan 2004
Posts: 164

You can also try another anti-virus online like Trend Micro. Personally I got rid of Norton 'cause it was too slow for me. One day I scanned with Norton; that didn't detect any virus. I tried with Trend Micro and it found 2 viruses. Now I'm running AVG and get no troubles.