Mysterious traffic being sent out to IRC server

Question

anjimito 0 Newbie Poster

19 Years Ago

Hi, I'm an IT assistant at my workplace, and according to a network management fellow, one of the user's computers (Win2K OS) is sending traffic to an IRC server without her knowledge (she doesn't even know what IRC is).

I did a scan with Adaware and found/removed Alexia and VX2. But the traffic is still going on. I used HJT, and the logfile had an entry which I could not find any info about:

O4 - HKLM\..\Run: [MSKCES32] D:\WINNT\msapps\dir\clt.exe

Anyone know what this is? I've checked a few other Win2K workstations, and none of them had this clt.exe file, let alone a dir folder in msapps.

here's the complete logfile also in the next post. thanks to anyone who can help.

windows-virus

1 Contributor
1 Reply
99 Views
6 Hours Discussion Span
Latest Post 19 Years Ago Latest Post by anjimito

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

anjimito 0 Newbie Poster · Answer 1 · 2005-10-22T02:31:08+00:00

Logfile of HijackThis v1.99.1
Scan saved at 9:35:36 AM, on 10/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\NavNT\DefWatch.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\gearsec.exe
D:\WINNT\system32\inetservice.exe
D:\PROGRA~1\NavNT\Rtvscan.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\userinit.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
D:\PROGRA~1\NavNT\vptray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\Microsoft Office\Office\OSA.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\Documents and Settings\super\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD50] "D:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MSKCES32] D:\WINNT\msapps\dir\clt.exe
O4 - HKLM\..\Run: [Winamp3] "C:\regsvc.exe" /h shell33.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: NavLogon - D:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - D:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: FireDaemon Service: Dll32.exe (Dll32.exe) - Unknown owner - C:\WINNT\system32\winmgnt\winmgnt\FireDaemon.EXE (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - D:\WINNT\system32\gearsec.exe
O23 - Service: Internet Service (INetSR) - Unknown owner - D:\WINNT\system32\inetservice.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\orant\BIN\ONRSD80.EXE
O23 - Service: FireDaemon Service: winmgnt.exe (winmgnt.exe) - Unknown owner - C:\WINNT\system32\winmgnt\winmgnt\FireDaemon.EXE (file missing)