
Windows media player hacked

Discussion in 'Virus & Other Malware Removal' started by duffy26, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. duffy26

    duffy26 Thread Starter

    Joined:
    Dec 20, 2003
    Messages:
    9
    Just tried using Windows Media Player and it is trying to connect to some premium rate site. Opened the .exe file in Notepad to find out why, and this is what I got.

    MZ   ÿÿ ¸ @ ° º ´ Í!¸LÍ!This program cannot be run in DOS mode.

    $ ]Ûvsˆvsˆvsˆvsˆ vsˆåVaˆvsˆRichvsˆ PE L 6S@ à    ¬   @      Ô?        <
    8 ” < .data     @ À c:\progra~1\intern~1\iexplore.exe 5 0, 9, —˜Ÿf–œ–—™œfÎÚÚÖ_••œš”—›œ”™—”›Ÿ•ÛÑÎÕÓ˔ÎÚÓÒf–Ÿ–Ÿ–˜˜˜––f–Ÿ–Ÿ–˜˜˜–—f–Ÿ–Ÿ–˜˜˜–˜f–Ÿ–Ÿ–˜˜˜–™fª¯ª¯fÖØËÓÏÛÓfÊÖÅf¦ÓÓÖØÙfffff°²@ ¾@ Ê@ Ö@ done done X 4 ” | ž ¸ Ð Þ î ü
       ( B N d v „ Ð Þ î ü
       ( B N d v „ u ExitProcess XGetTickCount hGlobalAlloc oGlobalFree sSleep _WinExec ÓlstrcatA ÜlstrcpyA KERNEL32.dll RasDialA  RasEnumConnectionsA  RasEnumDevicesA 4 RasHangUpA D RasSetEntryPropertiesA RASAPI32.dll 
    þ@ ‡@ PZ+ÈQ[3Ɋ,fˆA;Ëuó3À3É닐ÿ@ Š
    Ût AQXÁàƒùré‰
    c@ h [email protected]èâ ÀtÇ  £w@ P[hâ@ CPèá hï@ ƒ PèÐ h‹@ ƒ Pè¹ h‡@ ƒ Pè¨ hó@ ƒ Pè— hç@ ƒ PèŒ h’@ h @ èw hè [email protected]èS ÀtÇ è £{@ èY è° Àtÿ@ ƒ=@ sëæ Àu jh @ è' ƒ=w@ t ÿ5w@ è ƒ={@ t ÿ5{@ èó j èÚ U‹ìƒÄìh0 [email protected]èÔ ÀtÇ œ ‰Eô‹¸ ÷ã‰]ø3ۉ]üEüPEøPÿuôèÐ Àu
    ƒ}ü …µ hÐ [email protected]èŒ ÀtÇ ˜ ‰Eð¸Ð ‰Eø3ۉ]ìEìPEøPÿuðè’ Àt!ƒ}ô tÿuôèV ƒ}ð tÿuðèH ƒÈÿÉË]ìK¸˜ ÷ãEðPZ‹{@ RSBPƒÝ Pè3 [ZBPƒÌ Pè! ƒ}ô tÿuôèû ƒ}ð tÿuðèí 3ÀÉË{@ ‹]ôRSƒ P‚Ý Pèã [ZSƒ  P‚Ì PèÍ [ÿsèÜ h¸ è¨ ƒ}ô tÿuôè” 3ÀÉÃèP ™÷5c@ Áâ‹w@ ƒ=@ u'Rhp@ ƒ Pèx Zÿ²ÿ@ ƒ Pè_ ëBƒ=@ u'Rhm@ ƒ PèH Zÿ²ÿ@ ƒ Pè/ ëÿ²ÿ@ ƒ Pè! ‹{@ ÇC ǃ¸  ǃ¼  ƃ¤ žÆƒ¥ ˜Æƒ¦ ƃ§ +ƃ¨ žÆƒ© ˜Æƒª ƃ« :hk@ CPèº j j ÿ3Shâ@ j èÅ ÀtƒÈÿÃ3À£s@ hs@ j jÿÿ5w@ j j è† Àt&‹s@ ÛtSè„ h¸ èP 3ۉs@ ƒÈÿÃ3ÀÃ3Òè( ¹ ™÷ñ‹Â»mNÆA÷ã90 3Ò¹ €÷ñ‹ÂÃÿ%”@ ÿ%˜@ ÿ%œ@ ÿ%_@ ÿ%¤@ ÿ%¨@ ÿ%¬@ ÿ%°@ ÿ%¸@ ÿ%¼@ ÿ%À@ ÿ%Ä@ ÿ%È@ 8  0‚& *†H†÷
    _‚0‚10 *†H†÷
     0g
    +‚7_Y0W03
    +‚70% _ ¢€ < < < O b s o l e t e > > >0 0 *†H†÷
     :ø‹“™éÚ.M÷˜™tË2_‚
    90‚'0‚_0
     *†H†÷
     0Î1 0 UZA10U Western Cape10U Cape Town10U
    Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
     [email protected]
    960801000000Z
    201231235959Z0Î1 0 UZA10U Western Cape10U Cape Town10U
    Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
     [email protected]Ÿ0
     *†H†÷
      0‰ Ò66j‹×Â[žÚAb8îIUÖÐï•GïH5:Rô+j;/êV㯆ž÷ž´euMïË ¢!Q؛Ðgк
    ’sԓ˗* œ\N ¼úRüòDnÚJnŸ/-ãùª:†s¶FSXȉ½ƒ¸s?ªôBMç@7 £00Uÿ0ÿ0
     *†H†÷
      &H,ÂXúèt ªª_T?ò×Éx`^^n7c"w6~²Ä4¹õ…üÉ8ÿM¾òBCç»ZFûÁÆñJ°(FÉÃÄB}¼ú«YnÕ·Qˆ㤅k‚L¤ _餮?ñÃIešŒÅÈ>%·”™»’2qð†^íP'¦
    ¦#ù»Ë¦B0‚N0‚·_
    0
     *†H†÷
     0Î1 0 UZA10U Western Cape10U Cape Town10U
    Thawte Consulting cc1(0&U Certification Services Division1!0UThawte Premium Server CA1(0& *†H†÷
     [email protected]
    030806000000Z
    130805235959Z0U1 0 UZA1%0#U
    Thawte Consulting (Pty) Ltd.10UThawte Code Signing CA0Ÿ0
     *†H†÷
      0‰ Ƹ¹'`¯ ã‘ieÛ~í‘æªñ¾ÕíþmÔ,Ñpwû&™W´Ý?0¸Ü!êh’ü.K‘5„ òÚJº´üæڈò Å!’ G•_ ¦y¾±LüñŠnTÒi¡ñL“:Aþ}Ôd{cE÷``1¤éÓ‹ûn&$³¨ÿååÔ´ÂÜP`®Y £³0°0Uÿ0ÿ [email protected]U90705_3_1†/http://crl.thawte.com/ThawtePremiumServerCA.crl0U%0++0Uÿ0)U"0 ¤010UPrivateLabel2-1440
     *†H†÷
      v²œîŸö-4’”Es4܎k.\üL}‰ëÃhñי.ȵ‹¾ÍŠòI:[É ŽmRáv_ÃeŠ"gäSS7F¿¼×/ë{žÐ[email protected]!â]uvf0ô߂Š/½ó¢ ¿۟¢šr7M°wHèJ? ÎU,ïæ$á¯ì0‚¸0‚!_KÄ0
     *†H†÷
     0U1 0 UZA1%0#U
    Thawte Consulting (Pty) Ltd.10UThawte Code Signing CA0
    031125170549Z
    051124170549Z0ž1 0 UVI10UTortola10U Road Town10U
    Click Yes To Enter Ltd1'0%U Secure Application Development10UClick Yes To Enter Ltd0‚"0
     *†H†÷
     ‚ 0‚
    ‚ Ë,G0ª-àBa‹5_Œ‰õ±!Ë©ä§
    n¤†ÈŠÝR7lkÞnμǫ<V
    Å2ßoÂhL”BÚÈMHÑòkœZû"ʬ猨 ÍÏàc
    otÒDçë3´ù™ún±x°(±°>Õ?óé¶!ü¹0Nv‚¡ln¿<ɍ<¿‡sq5øæI¦†(9ÆnÃÏä_¤¼‚]`°ô5ò–ëÄ¿ìÒÑ@Ê_ ´î$þdtø
    MÐʗÁbˆüÃ=í -¥æýn<øjژL ¢£3%šÁ2-¤{H1c²É5Ë´7Uö~
    4fã2›;™hŠŠ;] >w¶¿Ë#îô(ÜkùC‰ £Ç0Ä0U%0+
    +‚70 `†H†øB0U000 
    +‚7€0!U0‚www.clickyes2enter.com0>U70503_1_/†-http://crl.thawte.com/ThawteCodeSigningCA.crl0 Uÿ0 0
     *†H†÷
      %ÙDÿ`ì?S
    -Ož
    ÏáÌÖàKô”Ê`Ð Ð9'§ö‹x1Ì÷®é0©
    Dpô³3ƒ/¢ˆÚ©—y֌éÍ.yÎIÍy_LÆ}cä/Ïؑ¦À̉Sôà!Þö®ŒÀL–ñ’6ù}y˜aÑ<n_®f9¸h1‚
    V0‚
    R0\0U1 0 UZA1%0#U
    Thawte Consulting (Pty) Ltd.10UThawte Code Signing CAKÄ0 *†H†÷
     _‚Ì0 *†H†÷
     1 
    +‚70
    +‚7 10 
    +‚70 *†H†÷
     1’ªñ½t’¹_eÔƎe_0‚n
    +‚7 1‚^0‚Z_‚V€‚R Y O U M U S T R E A D , U N D E R S T A N D A N D A C C E P T T H E F O L L O W I N G T E R M S B E F O R E U S I N G T H I S S E R V I C E , Y O U C O N F I R M T H A T ( 1 ) Y o u a r e 1 8 y e a r s o f a g e o r o l d e r ( 2 ) Y o u a r e e i t h e r t h e s u b s c r i b e r o f t h e t e l e p h o n e l i n e t o w h i c h t h i s c o m p u t e r s m o d e m i s c o n n e c t e d , o r y o u h a v e t h e L i n e S u b s c r i b e r s p e r m i s s i o n t o u s e t h e S e r v i c e . Y O U U N D E R S T A N D T H A T ( 3 ) T h i s c o m p u t e r s m o d e m w i l l b e c o n n e c t e d t o a p r e m i u m r a t e t e l e p h o n e n u m b e r c h a r g e d a t G B P 1 . 5 0 , a n d t h a t t h e L i n e S u b s c r i b e r w i l l b e c h a r g e d f o r t h e d u r a t i o n o f t h i s c a l l a t t h e r a t e o f G B P 1 . 5 0 ( 4 ) B y u s i n g t h e S e r v i c e , y o u m a y b e e x p o s e d t o m a t e r i a l w h i c h i s o f f e n s i v e , i n d e c e n t o r o b j e c t i o n a b l e ( 5 ) O n c e c o n n e c t e d t o t h e S e r v i c e , t h e t e l e p h o n e c a l l w i l l n o t t e r m i n a t e u n l e s s ( a ) y o u t e r m i n a t e t h e c o n n e c t i o n b y s e l e c t i n g t h e m o d e m s y m b o l l o c a t e d a t t h e l o w e r r i g h t o f t h e W i n d o w s t a s k b a r a n d c l i c k D I S C O N N E C T ( b ) y o u s t a y c o n n e c t e d f o r l o n g e r t h a n 1 3 . 3 3 m i n u t e s ( c ) y o u c l i c k t h e C L O S E b u t t o n o n t h e d i a l l e r d i a l o g u e b o x . A c c e s s v i a 0 9 0 9 0 2 7 2 2 0 0 - 3 c a l l s c h a r g e d a t G B P 1 . 5 0 p e r m i n u t e . W o r l d C o n t e n t L t d , M i t c h e l H o u s e , T h e V a l l e y , A n g u i l a0
     *†H†÷
     ‚
    %ëüx>~å’AÁÍvw‘!¹r_±,k´ÓûDo)(̋ÍÝè–!†ÄºïÖ°
    p9¼[ìP\›”œۙ³Yñ'2?÷ÝØÎCͯè¨GdÓEþ¤û£ùÚñ·@ïTÑDJÂçÓ©¤å÷-¿Ys ¿®©•5\ü@Ôüy(ò„3_HÀž
    _‡‚㶩q¼@2ŸM#Úp´²1p˜˜‹…ˆ7Ôß³µ ˜h_ˆ)uÄe¸¶o_Û%
    i³v’_<5¥L_±W<»‚ðÉ2¶Âqî£Ìé$Bˆ‚”†¸Š…1¶r^O2¬M_
    FöÙ©ÞäÏBì
    \›®~

    Has anyone had this problem before, and do I have to reinstall Windows Media Player?
     
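What the dump above actually shows, and a script that does the same triage properly. This is an added example, not code from the thread. Two things are readable in the Notepad output: the import table (RasDialA, RasEnumConnectionsA, RasHangUpA, RasSetEntryPropertiesA from RASAPI32.dll, plus WinExec and a hard-coded c:\progra~1\intern~1\iexplore.exe path), and a block of terms that appears as spaced-out letters ("Y O U M U S T R E A D"). The spacing is how Notepad renders UTF-16LE text, each character followed by a null byte; decoded, it says the modem will dial a premium rate number charged at GBP 1.50 per minute. RASAPI32 is the Windows dial-up API, so RAS imports next to a tariff notice are the signature of a premium-rate dialler. The dump also carries a full Thawte code-signing certificate chain for "Click Yes To Enter Ltd", which is a reminder that a valid Authenticode signature says who signed a file, not whether it is wanted. The script extracts both ASCII and UTF-16LE strings and flags these indicators; the sample bytes are constructed to mimic the dump and are not the real file.

```python
"""Triage an executable the way the thread does by hand: pull out the readable
strings and look for dialler indicators.  Added example, not code from the
thread; SAMPLE is constructed to mimic the dump the poster saw."""
import re

# Constructed sample (not the real file): ASCII import names and a hard-coded
# browser path, then a UTF-16LE terms-of-service blurb modelled on the dump.
# Notepad shows UTF-16LE as letters separated by spaces, which is why the
# terms in the thread read "Y O U M U S T R E A D".
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"c:\\progra~1\\intern~1\\iexplore.exe\x00"
    + b"\x00\x00ExitProcess\x00\x00GlobalAlloc\x00\x00Sleep\x00\x00WinExec\x00"
    + b"KERNEL32.dll\x00"
    + b"\x00\x00RasDialA\x00\x00RasEnumConnectionsA\x00\x00RasHangUpA\x00"
    + b"\x00\x00RasSetEntryPropertiesA\x00RASAPI32.dll\x00"
    + ("This computers modem will be connected to a premium rate telephone "
       "number charged at GBP 1.50. Access via 09090272200-3 calls charged "
       "at GBP 1.50 per minute.").encode("utf-16-le")
    + b"\x00\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")             # printable byte runs
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # char, NUL, char, NUL ...
RAS_IMPORT = re.compile(r"^Ras[A-Z][A-Za-z]+$")         # RasDialA, RasHangUpA, ...
EXEC_IMPORTS = {"WinExec", "CreateProcessA", "CreateProcessW",
                "ShellExecuteA", "ShellExecuteW", "ShellExecuteExA", "ShellExecuteExW"}
UK_PREMIUM = re.compile(r"\b09\d{8,9}\b")               # UK 09xx premium-rate numbers
TARIFF = re.compile(r"GBP\s*\d+(?:\.\d+)?\s*(?:per|a)\s*min", re.I)
EXE_PATH = re.compile(r"^[a-z]:\\.*\.exe$", re.I)       # hard-coded program path


def ascii_strings(data: bytes) -> list[str]:
    """Printable ASCII runs of 4+ bytes, what 'strings' or Notepad shows as words."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def utf16le_strings(data: bytes) -> list[str]:
    """Printable UTF-16LE runs of 4+ characters (Windows wide strings), decoded."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def triage(data: bytes) -> dict:
    """Collect dialler indicators from both narrow and wide strings."""
    narrow = ascii_strings(data)
    text = narrow + utf16le_strings(data)
    report = {
        # RAS is the Windows dial-up API; importing it means the program dials.
        "ras_imports": sorted(s for s in narrow if RAS_IMPORT.match(s)),
        # WinExec & co. next to a browser path: it can launch another program.
        "exec_imports": sorted(s for s in narrow if s in EXEC_IMPORTS),
        "launch_paths": [s for s in narrow if EXE_PATH.match(s)],
        # Premium-rate numbers and tariff text hide in the wide strings.
        "premium_numbers": sorted({n for s in text for n in UK_PREMIUM.findall(s)}),
        "tariff_text": [t for s in text for t in TARIFF.findall(s)],
    }
    if report["ras_imports"] and (report["premium_numbers"] or report["tariff_text"]):
        report["verdict"] = "premium-rate dialler"
    elif report["ras_imports"]:
        report["verdict"] = "dials out via RAS; no tariff text found"
    else:
        report["verdict"] = "no dialler indicators"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the suspect file with `triage(open(path, "rb").read())`. Decoding the wide strings is the step Notepad skips; without it the premium number and the per-minute rate are split into single letters and a search for "0909" or "GBP" finds nothing.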
  2. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Go here and download HijackThis v1.97.7: http://www.majorgeeks.com/download.php?det=3155

    It is a zip file, so you will need to unzip it.

    Run HJT and then you will need to post the contents of the logfile it creates ... simply click "Save log" in order to create it ... it will open in Notepad, and you can copy/paste it here.

    Do not fix anything until after the logfile is reviewed. Most of what is found is harmless or essential to the safe workings of your computer.
     
  3. duffy26

    duffy26 Thread Starter

    Joined:
    Dec 20, 2003
    Messages:
    9
    Here is the log file it created.

    Logfile of HijackThis v1.97.7
    Scan saved at 23:32:35, on 02/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\gsicon.exe
    C:\WINNT\system32\dslagent.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\downloaded programs\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\RunServices: [Microsoft Configuration] msconfigure32.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.5090625
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{82DC254E-9934-4B14-925D-AA4C896D70DD}: NameServer = 194.72.9.34 194.74.65.68
     
  4. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    This seems odd:

    O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe

    Let's wait until a fresh pair of eyes looks at your HJT log.
     
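A way to put winchester73's "this seems odd" on a systematic footing, as an added example rather than a tool from the thread. The entry in question appears twice in the log, under HKLM\..\Run and HKLM\..\RunServices, with a bare filename (msconfigure32.exe) and no path. The RunServices key is only processed by Windows 95/98/ME; on the poster's Windows 2000 it is ignored, so legitimate software has no reason to register there, and registering under both keys is the habit of something that wants to start on every Windows version. The script parses O4 lines, groups them by entry name, and reports those two conditions plus any entry whose program cannot be located from the log alone. The sample log is a constructed subset of the lines in the post, not the whole log.

```python
"""Review the O4 (autostart) lines of a HijackThis log.  Added example, not a
tool from the thread; SAMPLE_LOG is a constructed subset of the posted log."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration] msconfigure32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
"""

O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (Global Startup|Startup): (.*?) = (.*)$")
# RunServices/RunServicesOnce are processed by Windows 9x/ME only; Windows
# NT/2000/XP ignore them, so an entry there serves no purpose on Windows 2000.
WIN9X_ONLY = {"RunServices", "RunServicesOnce"}


def exe_from_command(cmd: str) -> str:
    """Return the program a Run value actually points at.

    Unquoted paths containing spaces are ambiguous in the log and are cut at
    the first space; the HJT lines on this page do not have that problem."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)]
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):
        return rest.split(",", 1)[0].strip()     # the DLL rundll32 loads
    return head


def parse_o4(lines) -> list[dict]:
    """Turn O4 lines into {hive, key, name, exe} records; other lines are skipped."""
    entries = []
    for line in lines:
        line = line.strip()
        m = O4_REG.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "exe": exe_from_command(cmd)})
            continue
        m = O4_STARTUP.match(line)
        if m:
            folder, name, target = m.groups()   # link target is printed whole
            entries.append({"hive": folder, "key": "Startup", "name": name,
                            "exe": target.strip()})
    return entries


def review(entries) -> dict:
    """Map entry name -> reasons it needs a second look (only flagged names)."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    findings = {}
    for name, group in by_name.items():
        reasons = []
        keys = {e["key"] for e in group}
        if keys & WIN9X_ONLY:
            reasons.append("listed under RunServices, a Win9x-only key that Windows 2000 ignores")
        if "Run" in keys and keys & WIN9X_ONLY:
            reasons.append("same entry under both Run and RunServices (starts on every Windows version)")
        for exe in sorted({e["exe"] for e in group}):
            if "\\" not in exe and ":" not in exe:
                reasons.append(f"bare filename {exe}: no path in the log, locate it on disk before judging")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review(parse_o4(SAMPLE_LOG.splitlines())).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The bare-filename flag is deliberately low severity: mobsync.exe, nwiz.exe and Mixer.exe are also listed without a path, and that alone proves nothing. What singles out msconfigure32.exe is the combination of all three findings on one name, which is why the advice to wait for review before fixing anything is sound.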
Short URL to this thread: https://techguy.org/216934