Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows Media Player


  • Please log in to reply

#1
magusbuckley

magusbuckley

    Member

  • Member
  • PipPipPip
  • 625 posts
Hello:

I had an issue with this the other day and made a post. It thought the problem was solved, but I guess not.

Problem: Windows Media Player 9 Series runs every time this system boots. This is a Windows 2000 Professional PC that I use at work with one other user.

I have tried: I can't find anything in the registry that calls Media Player at startup. In addition, I have download and run MSCONFIG. There are no references to Windows Media Player there either. I have also tried searching the Microsoft Knowledge Base.

I uninstalled the player, rebooted, and everything was OK. I downloaded the player again from the Microsoft site, installed the software, and again it loads during startup.

Can any of you help me prevent this program from running at system startup?
  • 0

Advertisements


#2
Retired Tech

Retired Tech

    Retired Staff

  • Retired Staff
  • 20,563 posts
When first run, W32/Agobot-BM copies itself to the Windows system folder as wmplayer.exe and creates the following registry entries so that wmplayer.exe is run automatically on startup:

Here is the full listing

W32/Agobot-BM is an IRC backdoor Trojan and network worm.
W32/Agobot-BM is capable of spreading to computers on the local network protected by weak passwords. The worm can also spread to other machines using certain vulnerabilities.
When first run, W32/Agobot-BM copies itself to the Windows system folder as wmplayer.exe and creates the following registry entries so that wmplayer.exe is run automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = wmplayer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = wmplayer.exe
The worm runs in the background as a service process named "Windows Media Player".
Each time W32/Agobot-BM is run it attempts to connect to a remote IRC server, join a specific channel and wait for backdoor commands.
W32/Agobot-BM attempts to terminate and disable various security-related programs and attempts to prevent its own process from being deleted.

Edited by Keith, 10 June 2005 - 05:54 AM.

  • 0

#3
bobthemailman

bobthemailman

    Member

  • Member
  • PipPipPip
  • 193 posts
i think you have the W32/Agobot-BM (according to keith)
please go to the malaware forum and post your hijack this log there. You will receive help from experts who are trained to deal with malaware :tazz:
go here 1st http://www.geekstogo..._Log-t2852.html
and then here http://www.geekstogo...o_Here-f37.html
  • 0

#4
magusbuckley

magusbuckley

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 625 posts
Thanks guys.

I've moved my topic here:

http://www.geekstogo...yer-t34150.html

It is now in the Malware section. I have run Hijack this and posted the log. I believe user Metallica has just solved my problem.

Thanks for the help and wealth of information. :tazz:
  • 0

#5
Retired Tech

Retired Tech

    Retired Staff

  • Retired Staff
  • 20,563 posts
Thank you for posting the outcome
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP