Windows media player hacked

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

duffy26

Thread Starter
Joined
Dec 20, 2003
Messages
9
Just tried using Windows Media Player and it is trying to connect to some premium rate site. Opened the .exe file in Notepad to find out why and this is what I got.

YOU MUST READ, UNDERSTAND AND ACCEPT THE FOLLOWING TERMS BEFORE USING THIS SERVICE, YOU CONFIRM THAT (1) You are 18 years of age or older (2) You are either the subscriber of the telephone line to which this computers modem is connected, or you have the Line Subscribers permission to use the Service. YOU UNDERSTAND THAT (3) This computers modem will be connected to a premium rate telephone number charged at GBP1.50, and that the Line Subscriber will be charged for the duration of this call at the rate of GBP1.50 (4) By using the Service, you may be exposed to material which is offensive, indecent or objectionable (5) Once connected to the Service, the telephone call will not terminate unless (a) you terminate the connection by selecting the modem symbol located at the lower right of the Windows taskbar and click DISCONNECT (b) you stay connected for longer than 13.33 minutes (c) you click the CLOSE button on the dialler dialogue box. Access via 09090272200-3 calls charged at GBP1.50 per minute. World Content Ltd, Mitchel House, The Valley, Anguila

Anyone had this prob before, and do I have to reinstall Windows Media Player?
 
Joined
Aug 18, 2003
Messages
2,438
Go here and download HijackThis v1.97.7: http://www.majorgeeks.com/download.php?det=3155

It is a zip file, so you will need to unzip it.

Run HJT and then you will need to post the contents of the logfile it creates ... simply click "Save log" in order to create it ... it will open in Notepad, and you can copy/paste it here.

Do not fix anything until after the logfile is reviewed. Most of what is found is harmless or essential to the safe workings of your computer.
 

duffy26

Thread Starter
Joined
Dec 20, 2003
Messages
9
Here is the log file it created.

Logfile of HijackThis v1.97.7
Scan saved at 23:32:35, on 02/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\downloaded programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Microsoft Configuration] msconfigure32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38066.5090625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82DC254E-9934-4B14-925D-AA4C896D70DD}: NameServer = 194.72.9.34 194.74.65.68
 
Joined
Aug 18, 2003
Messages
2,438
This seems odd:

O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe

Let's wait until a fresh pair of eyes looks at your HJT log.
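
An added example, not part of any post in this thread: one way to surface an autorun entry like the `msconfigure32.exe` line from a HijackThis log for manual review. The sample lines are copied from the log above; the flagging rule (an image with no directory that is registered under more than one autorun key) is an assumption of this example, not a HijackThis rule, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [Microsoft Configuration] msconfigure32.exe
O4 - HKLM\..\RunServices: [Microsoft Configuration] msconfigure32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# First token of the command line that ends in an executable extension.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx))', re.IGNORECASE)

def parse_o4(log):
    """Yield (hive, key, value_name, image) for each registry autorun line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # "Global Startup" shortcuts and non-O4 lines are skipped
        hive, key, name, cmd = m.groups()
        img = IMAGE_RE.match(cmd)
        yield hive, key, name, img.group(1) if img else cmd

def odd_autoruns(log):
    """Heuristic (an assumption of this example): report images that have
    no directory component and are registered under more than one key."""
    keys_by_entry = defaultdict(set)
    for hive, key, name, image in parse_o4(log):
        if "\\" not in image:
            keys_by_entry[(name, image.lower())].add(f"{hive}\\{key}")
    return sorted((name, image, sorted(keys))
                  for (name, image), keys in keys_by_entry.items()
                  if len(keys) > 1)

if __name__ == "__main__":
    for name, image, keys in odd_autoruns(SAMPLE_LOG):
        print(f"review: [{name}] {image} in {', '.join(keys)}")
```

A hit is only a prompt to look at the file on disk; it does not by itself show that the entry is malicious.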
 