Tech Support Guy

#1 · Discussion Starter · Registered · 9 Posts
Just tried using Windows Media Player and it is trying to connect to some premium rate site. I opened the .exe file in Notepad to find out why, and this is what I got.


Has anyone had this problem before, and do I have to reinstall Windows Media Player?
 

#2 · Registered · 2,440 Posts
Go here and download HijackThis v1.97.7: http://www.majorgeeks.com/download.php?det=3155

It is a zip file, so you will need to unzip it.

Run HJT and then you will need to post the contents of the logfile it creates ... simply click "Save log" in order to create it ... it will open in Notepad, and you can copy/paste it here.

Do not fix anything until after the logfile is reviewed. Most of what is found is harmless or essential to the safe workings of your computer.
 

#3 · Discussion Starter · Registered · 9 Posts
Here is the log file it created.

Logfile of HijackThis v1.97.7
Scan saved at 23:32:35, on 02/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\downloaded programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Microsoft Configuration] msconfigure32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.5090625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82DC254E-9934-4B14-925D-AA4C896D70DD}: NameServer = 194.72.9.34 194.74.65.68
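One way to triage the O4 autostart entries in a log like the one above, added here as example code (not from the thread, and not HijackThis's own): it parses the O4 line format and reports entries whose program is given as a bare file name (so its location on disk still has to be established before the entry can be judged) and programs registered under more than one autostart source. The sample lines are constructed from the format of the log posted here, not the full log.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.97 log format posted in this thread
# (a handful of the O4 lines, not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Microsoft Configuration] msconfigure32.exe
O4 - HKLM\\..\\RunServices: [Microsoft Configuration] msconfigure32.exe
O4 - HKCU\\..\\Run: [AIM] C:\\PROGRA~1\\AIM95\\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\\Program Files\\Adobe\\Acrobat 6.0\\Distillr\\acrotray.exe
"""

REG_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (.*?) = (.*)$')

def executable_of(cmd):
    """Program part of an autostart command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def parse_o4(log):
    """Yield (source, name, command) for each O4 autostart entry."""
    for line in log.splitlines():
        m = REG_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            yield f'{hive}\\{key}', name, cmd
            continue
        m = STARTUP_RE.match(line)
        if m:
            yield 'Global Startup', m.group(1), m.group(2)

def triage_o4(log):
    """Return (entries whose program has no directory, programs registered
    under more than one autostart source)."""
    no_dir, seen = [], defaultdict(set)
    for source, name, cmd in parse_o4(log):
        exe = executable_of(cmd)
        seen[exe.lower()].add(source)
        if '\\' not in exe:  # bare name: found via PATH search, location not pinned down
            no_dir.append((source, name, exe))
    multi = sorted(e for e, s in seen.items() if len(s) > 1)
    return no_dir, multi

if __name__ == '__main__':
    print(triage_o4(SAMPLE_LOG))
```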
 