tagasaurus got me - i've loaded hijack this...
Join Date: Sep 2006
Posts: 1
Solved Threads: 0
I found a post from Laughing Eyes about Tagasaurus and what to do, but since LE couldn't get online, LE couldn't download HiJack This.
I did, ran the scan, and pasted it below. As Little Richard says, "Can anybody help me?"
Logfile of HijackThis v1.99.1
Scan saved at 6:25:43 PM, on 9/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\ge security supra\syncservice.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\WINNT\system32\MSTask.exe
C:\SSL\stunnel-4.10.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\outlook\outlook.exe
C:\kybrdff_16.exe
C:\WINNT\v1201.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\ms05643834781.exe
C:\WINNT\Duce6.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Documents and Settings\Mike and Bob Laptop\Desktop\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ms05643834781] C:\WINNT\ms05643834781.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\fpnu0359e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Join Date: Jul 2006
Posts: 277
Solved Threads: 10
Your system has quite a few unwanted new inhabitants. I found traces of all kinds of malware:
(If you didn't install a "Network Monitor" tool deliberately, this is possibly a bad one)
C:\Program Files\Network Monitor\netmon.exe
(Mimail-M worm or relatives)
http://www.bleepingcomputer.com/star....exe-3645.html
C:\WINNT\v1201.exe
(Trojan-Clicker.Win32.VB.is)
http://www.pestpatrol.com/spywarecen...x?id=453097395
C:\kybrdff_16.exe
(Seen a lot these days - cannot assign this clearly to a specific malware, but definitely a nasty ("DollarRevenue" trojan?))
C:\Program Files\Internet Optimizer\optimize.exe
(TrojanDownloader.Win32.Dyfuca.ac/ "Moneytree" Spyware/Dialer)
http://www3.ca.com/securityadvisor/p...x?id=453072536
C:\WINNT\ms05643834781.exe
(TagAsaurus)
http://www.pestpatrol.com/spywarecen...x?id=453097586
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://searchbar.findthewebsiteyouneed.com
(CoolWebSearch malware bundle)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
(unknown but suspect - 90% of all tool- and search bars are fishy)
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
(Advertising Spyware "SaveNow")
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
(Win32.Worm.VB.DW - Backdoor!)
http://www.bitdefender.com/VIRUS-195...orm.VB.DW.html
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
(Troj/Dloadr-LO)
http://www.sophos.com/virusinfo/anal...jdloadrlo.html
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
(W32/Colevo-A/Buddy email worm)
http://www.sophos.com/security/analyses/w32colevoa.html
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
(Maybe the source of all evil and known to be spyware itself, potentially dangerous if used with default sharing settings - "user-installed backdoor")
Whenever a backdoor has been installed, hard-line security experts refuse to cure such a system. They say it's heavily compromised and cannot be trusted anymore, because no one can say whether all the holes that may have been created can be found.
Since the cure of such a badly contaminated system can take much longer than a format/reinstall procedure, I recommend the latter. If you use that computer for monetary/professional purposes, you should consider all sensitive data (passwords etc.) as stolen and public and take action accordingly.
Last edited by Xpenetrator; Sep 5th, 2006 at 11:47 am.
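The reply above picks its findings out of the log by a handful of recurring signals: Run entries whose binary sits directly in C:\ or C:\WINNT, entries named after core Windows components (the `[ntdll.dll]` one), services with "Unknown owner" or "(file missing)", a Winlogon Notify DLL, and start/search pages pointing at an unfamiliar domain. The script below is an added example, not part of the thread and not a HijackThis feature, that turns those signals into a small triage pass over HijackThis-style lines. The sample lines are copied from the log posted in the thread; the `DEFAULT_HOSTS` allow-list, the `CORE_NAMES` set and all function names are my own assumptions for the example.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: MCD - C:\WINNT\system32\fpnu0359e.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Assumption: core Windows component names that a legitimate Run entry would not borrow.
CORE_NAMES = {"ntdll", "winlogon", "svchost", "lsass", "csrss", "smss", "services", "explorer", "rundll32"}
# Assumption: hosts a stock IE 6 install points its start/search pages at.
DEFAULT_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com", "home.microsoft.com"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)
ROOT_DIR_RE = re.compile(r"^[a-z]:(\\(winnt|windows))?$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" (act on it) or "review" (needs a human look)
    reason: str
    line: str


def launched_from_root(path: str) -> bool:
    """True when a binary lives directly in a drive root or the Windows directory."""
    path = path.replace("\\\\", "\\")  # the log writes C:\\foo.exe for some entries
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    return bool(ROOT_DIR_RE.match(directory))


def check_run_entry(rest: str, line: str) -> list[Finding]:
    """Apply the Run-key heuristics to one O4 line."""
    out: list[Finding] = []
    m = RUN_RE.search(rest)
    if not m:
        return out
    name, cmd = m.group("name"), m.group("cmd")
    if name.lower().split(".")[0] in CORE_NAMES:
        out.append(Finding("high", f"Run entry named after core component '{name}'", line))
    exe = EXE_RE.match(cmd)
    if exe is None:
        return out
    path = exe.group("path")
    if "\\" not in path:
        out.append(Finding("review", f"Run entry with bare filename '{path}' (location unknown)", line))
    elif launched_from_root(path):
        out.append(Finding("high", f"Autostart binary at root-level path '{path}'", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk the log and collect findings per section type."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1"):
            u = URL_RE.search(rest)
            if u and u.group("host").lower() not in DEFAULT_HOSTS:
                findings.append(Finding("high", f"Start/search page points at {u.group('host')}", line))
        elif sec == "O4":
            findings.extend(check_run_entry(rest, line))
        elif sec in ("O2", "O3"):
            path = rest.rsplit(" - ", 1)[-1]  # last field is the add-on's DLL/OCX path
            if launched_from_root(path):
                findings.append(Finding("review", f"Browser add-on DLL in Windows root: {path}", line))
        elif sec == "O20":
            findings.append(Finding("review", "Winlogon Notify DLL loads at every logon; verify vendor", line))
        elif sec == "O23":
            if "(file missing)" in rest:
                findings.append(Finding("high", "Service points at a missing binary", line))
            elif "Unknown owner" in rest:
                findings.append(Finding("review", "Service with no publisher information", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample above the script flags the hijacked search bar, `C:\\kybrdff_16.exe`, the `[ntdll.dll]` entry and the missing `command.exe` service as high, and hands the bare-filename Run entries, the BHO in C:\WINNT and the Winlogon Notify DLL to a human for review, while leaving the Symantec and Norton entries alone. The heuristics are deliberately coarse: "review" items include legitimate software (tp4mon.exe is the ThinkPad TrackPoint driver), so the output is a reading aid for a log like this one, not a verdict.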
Views: 1862 | Replies: 1