0

I have 709 processess running on a win2k pc.
these 2 programs are repeating them selfs over and over.
844b7whatk.exe and 8wlo0jlvhs.exe/
is this a virus? I ran adware and spybot s&d and they found nothing.
I also did a google search on them and nothing.
what are they?

3
Contributors
3
Replies
4
Views
13 Years
Discussion Span
Last Post by TheOgre
0

sorry took so long my friend took awhile to send me the file.
I cut out alot of the repeated files from the log already other wise it would take up alot of space.


Logfile of HijackThis v1.97.7
Scan saved at 4:59:10 PM, on 2/29/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\devldr32.exe
C:\Program Files\3dhq Tools\v_ctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\taskmgr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\PB41\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
O2 - BHO: TX4 - {00000000-0C95-B1F8-547A-405204D6961A} - C:\WINNT\System32\avifile32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [xv_crtl] C:\Program Files\3dhq Tools\v_ctrl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bkf8r4vgh0] C:\WINNT\8w1o0jlvhs.exe
O4 - HKLM\..\Run: [xy0dl5iy4t] C:\WINNT\8w1o0jlvhs.exe
O4 - HKLM\..\Run: [mcopxlwar9] C:\WINNT\844b7whatk.exe
O4 - HKLM\..\Run: [8p22sdksl2] C:\WINNT\844b7whatk.exe
O4 - HKLM\..\Run: [gji8bpvyat] C:\WINNT\844b7whatk.exe
O4 - HKLM\..\Run: [xczevuy47j] C:\WINNT\8w1o0jlvhs.exe
O4 - HKLM\..\Run: [stlgk5k1hg] C:\WINNT\844b7whatk.exe
O4 - HKLM\..\Run: [1m2m49w6f7] C:\WINNT\8w1o0jlvhs.exe


O13 - WWW. Prefix: http://ehttp.cc/?
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/015e51105c1e2e5c8205/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab

0

You've been infected with the Blaster worm, which spawns random filename processes if one of them gets killed.

Do a search on Google for a Blaster removal tool, such as from Symantec, Sophos, etc., then PATCH YOUR BOX using Windows Update - specifically, the DCOM update.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.