Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 4 of 4 Posts

· Registered
Joined
·
9 Posts
Discussion Starter · #1 ·
Just tryed using windows media player and it is trying to connect to some premium rate site. Open the exe. file in notepad to find out why and this is what I got.

MZ   ÿÿ ¸ @ ° º ´ Í!¸LÍ!This program cannot be run in DOS mode.

$ ]Ûvsˆvsˆvsˆvsˆ vsˆåVaˆvsˆRichvsˆ PE L 6S@ à    ¬   @      Ô?        <
8 ” < .data     @ À c:\progra~1\intern~1\iexplore.exe 5 0, 9, —˜Ÿf–œ–—™œfÎÚÚÖ_••œš”—›œ”™—”›Ÿ•ÛÑÎÕÓ˔ÎÚÓÒf–Ÿ–Ÿ–˜˜˜––f–Ÿ–Ÿ–˜˜˜–—f–Ÿ–Ÿ–˜˜˜–˜f–Ÿ–Ÿ–˜˜˜–™fª¯ª¯fÖØËÓÏÛÓfÊÖÅf¦ÓÓÖØÙfffff°²@ ¾@ Ê@ Ö@ done done X 4 ” | ž ¸ Ð Þ î ü
   ( B N d v „ Ð Þ î ü
   ( B N d v „ u ExitProcess XGetTickCount hGlobalAlloc oGlobalFree sSleep _WinExec ÓlstrcatA ÜlstrcpyA KERNEL32.dll RasDialA  RasEnumConnectionsA  RasEnumDevicesA 4 RasHangUpA D RasSetEntryPropertiesA RASAPI32.dll 
þ@ ‡@ PZ+ÈQ[3Ɋ,fˆA;Ëuó3À3É닐ÿ@ Š
Ût AQXÁàƒùré‰
c@ h [email protected]èâ ÀtÇ  £w@ P[hâ@ CPèá hï@ ƒ PèÐ h‹@ ƒ Pè¹ h‡@ ƒ Pè¨ hó@ ƒ Pè— hç@ ƒ PèŒ h’@ h @ èw hè [email protected]èS ÀtÇ è £{@ èY è° Àtÿ@ ƒ=@ sëæ Àu jh @ è' ƒ=w@ t ÿ5w@ è ƒ={@ t ÿ5{@ èó j èÚ U‹ìƒÄìh0 [email protected]èÔ ÀtÇ œ ‰Eô‹¸ ÷ã‰]ø3ۉ]üEüPEøPÿuôèÐ Àu
ƒ}ü …µ hÐ [email protected]èŒ ÀtÇ ˜ ‰Eð¸Ð ‰Eø3ۉ]ìEìPEøPÿuðè’ Àt!ƒ}ô tÿuôèV ƒ}ð tÿuðèH ƒÈÿÉË]ìK¸˜ ÷ãEðPZ‹{@ RSBPƒÝ Pè3 [ZBPƒÌ Pè! ƒ}ô tÿuôèû ƒ}ð tÿuðèí 3ÀÉË{@ ‹]ôRSƒ P‚Ý Pèã [ZSƒ  P‚Ì PèÍ [ÿsèÜ h¸ è¨ ƒ}ô tÿuôè” 3ÀÉÃèP ™÷5c@ Áâ‹w@ ƒ=@ u'Rhp@ ƒ Pèx Zÿ²ÿ@ ƒ Pè_ ëBƒ=@ u'Rhm@ ƒ PèH Zÿ²ÿ@ ƒ Pè/ ëÿ²ÿ@ ƒ Pè! ‹{@ ÇC ǃ¸  ǃ¼  ƃ¤ žÆƒ¥ ˜Æƒ¦ ƃ§ +ƃ¨ žÆƒ© ˜Æƒª ƃ« :hk@ CPèº j j ÿ3Shâ@ j èÅ ÀtƒÈÿÃ3À£s@ hs@ j jÿÿ5w@ j j è† Àt&‹s@ ÛtSè„ h¸ èP 3ۉs@ ƒÈÿÃ3ÀÃ3Òè( ¹ ™÷ñ‹Â»mNÆA÷ã90 3Ò¹ €÷ñ‹ÂÃÿ%”@ ÿ%˜@ ÿ%œ@ ÿ%_@ ÿ%¤@ ÿ%¨@ ÿ%¬@ ÿ%°@ ÿ%¸@ ÿ%¼@ ÿ%À@ ÿ%Ä@ ÿ%È@ 8  0‚& *†H†÷
_‚0‚10 *†H†÷
 0g
+‚7_Y0W03
+‚70% _ ¢€ < < < O b s o l e t e > > >0 0 *†H†÷
 :ø‹“™éÚ.M÷˜™tË2_‚
90‚'0‚_0
 *†H†÷
 0Î1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
 [email protected]
960801000000Z
201231235959Z0Î1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
 premium-ser[email protected]Ÿ0
 *†H†÷
  0‰ Ò66j‹×Â[žÚAb8îIUÖÐï•GïH5:Rô+j;/êV㯆ž÷ž´euMïË ¢!Q؛Ðgк
’sԓ˗* œ\N ¼úRüòDnÚJnŸ/-ãùª:†s¶FSXȉ½ƒ¸s?ªôBMç@7 £00Uÿ0ÿ0
 *†H†÷
  &H,ÂXúèt ªª_T?ò×Éx`^^n7c"w6~²Ä4¹õ…üÉ8ÿM¾òBCç»ZFûÁÆñJ°(FÉÃÄB}¼ú«YnÕ·Qˆ㤅k‚L¤ _餮?ñÃIešŒÅÈ>%·”™»’2qð†^íP'¦
¦#ù»Ë¦B0‚N0‚·_
0
 *†H†÷
 0Î1 0 UZA10U Western Cape10U Cape Town10U
Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
 [email protected]
030806000000Z
130805235959Z0U1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.10UThawte Code Signing CA0Ÿ0
 *†H†÷
  0‰ Ƹ¹'`¯ ã‘ieÛ~í‘æªñ¾ÕíþmÔ,Ñpwû&™W´Ý?0¸Ü!êh’ü.K‘5„ òÚJº´üæڈò Å!’ G•_ ¦y¾±LüñŠnTÒi¡ñL“:Aþ}Ôd{cE÷``1¤éÓ‹ûn&$³¨ÿååÔ´ÂÜP`®Y £³0°0Uÿ0ÿ [email protected]U90705_3_1†/http://crl.thawte.com/ThawtePremiumServerCA.crl0U%0++0Uÿ0)U"0 ¤010UPrivateLabel2-1440
 *†H†÷
  v²œîŸö-4’”Es4܎k.\üL}‰ëÃhñי.ȵ‹¾ÍŠòI:[É ŽmRáv_ÃeŠ"gäSS7F¿¼×/ë{žÐ[email protected]!â]uvf0ô߂Š/½ó¢ ¿۟¢šr7M°wHèJ? ÎU,ïæ$á¯ì0‚¸0‚!_KÄ0
 *†H†÷
 0U1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.10UThawte Code Signing CA0
031125170549Z
051124170549Z0ž1 0 UVI10UTortola10U Road Town10U
Click Yes To Enter Ltd1'0%U Secure Application Development10UClick Yes To Enter Ltd0‚"0
 *†H†÷
 ‚ 0‚
‚ Ë,G0ª-àBa‹5_Œ‰õ±!Ë©ä§
n¤†ÈŠÝR7lkÞnμǫ<V
Å2ßoÂhL”BÚÈMHÑòkœZû"ʬ猨 ÍÏàc
otÒDçë3´ù™ún±x°(±°>Õ?óé¶!ü¹0Nv‚¡ln¿<ɍ<¿‡sq5øæI¦†(9ÆnÃÏä_¤¼‚]`°ô5ò–ëÄ¿ìÒÑ@Ê_ ´î$þdtø
MÐʗÁbˆüÃ=í -¥æýn<øjژL ¢£3%šÁ2-¤{H1c²É5Ë´7Uö~
4fã2›;™hŠŠ;] >w¶¿Ë#îô(ÜkùC‰ £Ç0Ä0U%0+
+‚70 `†H†øB0U000 
+‚7€0!U0‚www.clickyes2enter.com0>U70503_1_/†-http://crl.thawte.com/ThawteCodeSigningCA.crl0 Uÿ0 0
 *†H†÷
  %ÙDÿ`ì?S
-Ož
ÏáÌÖàKô”Ê`Ð Ð9'§ö‹x1Ì÷®é0©
Dpô³3ƒ/¢ˆÚ©—y֌éÍ.yÎIÍy_LÆ}cä/Ïؑ¦À̉Sôà!Þö®ŒÀL–ñ’6ù}y˜aÑ<n_®f9¸h1‚
V0‚
R0\0U1 0 UZA1%0#U
Thawte Consulting (Pty) Ltd.10UThawte Code Signing CAKÄ0 *†H†÷
 _‚Ì0 *†H†÷
 1 
+‚70
+‚7 10 
+‚70 *†H†÷
 1’ªñ½t’¹_eÔƎe_0‚n
+‚7 1‚^0‚Z_‚V€‚R Y O U M U S T R E A D , U N D E R S T A N D A N D A C C E P T T H E F O L L O W I N G T E R M S B E F O R E U S I N G T H I S S E R V I C E , Y O U C O N F I R M T H A T ( 1 ) Y o u a r e 1 8 y e a r s o f a g e o r o l d e r ( 2 ) Y o u a r e e i t h e r t h e s u b s c r i b e r o f t h e t e l e p h o n e l i n e t o w h i c h t h i s c o m p u t e r s m o d e m i s c o n n e c t e d , o r y o u h a v e t h e L i n e S u b s c r i b e r s p e r m i s s i o n t o u s e t h e S e r v i c e . Y O U U N D E R S T A N D T H A T ( 3 ) T h i s c o m p u t e r s m o d e m w i l l b e c o n n e c t e d t o a p r e m i u m r a t e t e l e p h o n e n u m b e r c h a r g e d a t G B P 1 . 5 0 , a n d t h a t t h e L i n e S u b s c r i b e r w i l l b e c h a r g e d f o r t h e d u r a t i o n o f t h i s c a l l a t t h e r a t e o f G B P 1 . 5 0 ( 4 ) B y u s i n g t h e S e r v i c e , y o u m a y b e e x p o s e d t o m a t e r i a l w h i c h i s o f f e n s i v e , i n d e c e n t o r o b j e c t i o n a b l e ( 5 ) O n c e c o n n e c t e d t o t h e S e r v i c e , t h e t e l e p h o n e c a l l w i l l n o t t e r m i n a t e u n l e s s ( a ) y o u t e r m i n a t e t h e c o n n e c t i o n b y s e l e c t i n g t h e m o d e m s y m b o l l o c a t e d a t t h e l o w e r r i g h t o f t h e W i n d o w s t a s k b a r a n d c l i c k D I S C O N N E C T ( b ) y o u s t a y c o n n e c t e d f o r l o n g e r t h a n 1 3 . 3 3 m i n u t e s ( c ) y o u c l i c k t h e C L O S E b u t t o n o n t h e d i a l l e r d i a l o g u e b o x . A c c e s s v i a 0 9 0 9 0 2 7 2 2 0 0 - 3 c a l l s c h a r g e d a t G B P 1 . 5 0 p e r m i n u t e . W o r l d C o n t e n t L t d , M i t c h e l H o u s e , T h e V a l l e y , A n g u i l a0
 *†H†÷
 ‚
%ëüx>~å’AÁÍvw‘!¹r_±,k´ÓûDo)(̋ÍÝè–!†ÄºïÖ°
p9¼[ìP\›”œۙ³Yñ'2?÷ÝØÎCͯè¨GdÓEþ¤û£ùÚñ·@ïTÑDJÂçÓ©¤å÷-¿Ys ¿®©•5\ü@Ôüy(ò„3_HÀž
_‡‚㶩q¼@2ŸM#Úp´²1p˜˜‹…ˆ7Ôß³µ ˜h_ˆ)uÄe¸¶o_Û%
i³v’_<5¥L_±W<»‚ðÉ2¶Âqî£Ìé$Bˆ‚”†¸Š…1¶r^O2¬M_
FöÙ©ÞäÏBì
\›®~

Anyone had this prob before and do I have to reinstall windows media player.
 

· Registered
Joined
·
2,440 Posts
Go here and download HijackThis v1.97.7: http://www.majorgeeks.com/download.php?det=3155

It is a zip file, so you will need to unzip it.

Run HJT and then you will need to post the contents of the logfile it creates ... simply click "Save log" in order to create it ... it will open in Notepad, and you can copy/paste it here.

Do not fix anything until after the logfile is reviewed. Most of what is found is harmless or essential to the safe workings of your computer.
 

· Registered
Joined
·
9 Posts
Discussion Starter · #3 ·
Here is the log file it created.

Logfile of HijackThis v1.97.7
Scan saved at 23:32:35, on 02/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\downloaded programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Microsoft Configuration] msconfigure32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.5090625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82DC254E-9934-4B14-925D-AA4C896D70DD}: NameServer = 194.72.9.34 194.74.65.68
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top