Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Windows Media Player


  • Please log in to reply

#1
magusbuckley

magusbuckley

    Member

  • Member
  • PipPipPip
  • 626 posts
Hello:

I had an issue with this the other day and made a post. It thought the problem was solved, but I guess not.

Problem: Windows Media Player 9 Series runs every time this system boots. This is a Windows 2000 Professional PC that I use at work with one other user.

I have tried: I can't find anything in the registry that calls Media Player at startup. In addition, I have download and run MSCONFIG. There are no references to Windows Media Player there either. I have also tried searching the Microsoft Knowledge Base.

I uninstalled the player, rebooted, and everything was OK. I downloaded the player again from the Microsoft site, installed the software, and again it loads during startup.

Can any of you help me prevent this program from running at system startup?
  • 0

Advertisements


#2
Retired Tech

Retired Tech

    Retired Staff

  • Retired Staff
  • 20,563 posts
When first run, W32/Agobot-BM copies itself to the Windows system folder as wmplayer.exe and creates the following registry entries so that wmplayer.exe is run automatically on startup:

Here is the full listing

W32/Agobot-BM is an IRC backdoor Trojan and network worm.
W32/Agobot-BM is capable of spreading to computers on the local network protected by weak passwords. The worm can also spread to other machines using certain vulnerabilities.
When first run, W32/Agobot-BM copies itself to the Windows system folder as wmplayer.exe and creates the following registry entries so that wmplayer.exe is run automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Media Player = wmplayer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Media Player = wmplayer.exe
The worm runs in the background as a service process named "Windows Media Player".
Each time W32/Agobot-BM is run it attempts to connect to a remote IRC server, join a specific channel and wait for backdoor commands.
W32/Agobot-BM attempts to terminate and disable various security-related programs and attempts to prevent its own process from being deleted.

Edited by Keith, 10 June 2005 - 05:54 AM.

  • 0

#3
bobthemailman

bobthemailman

    Member

  • Member
  • PipPipPip
  • 193 posts
i think you have the W32/Agobot-BM (according to keith)
please go to the malaware forum and post your hijack this log there. You will receive help from experts who are trained to deal with malaware :tazz:
go here 1st http://www.geekstogo..._Log-t2852.html
and then here http://www.geekstogo...o_Here-f37.html
  • 0

#4
magusbuckley

magusbuckley

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 626 posts
Thanks guys.

I've moved my topic here:

http://www.geekstogo...yer-t34150.html

It is now in the Malware section. I have run Hijack this and posted the log. I believe user Metallica has just solved my problem.

Thanks for the help and wealth of information. :tazz:
  • 0

#5
Retired Tech

Retired Tech

    Retired Staff

  • Retired Staff
  • 20,563 posts
Thank you for posting the outcome
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP