Sep 4th, 2006

tagasaurus got me - i've loaded hijack this...

I found a post from Laughing Eyes about Tagasaurus and what to do, but since LE couldn't get online, couldn't download HijackThis.

I did, ran the scan, which I've pasted below. As Little Richard says, "Can anybody help me?"


Logfile of HijackThis v1.99.1
Scan saved at 6:25:43 PM, on 9/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\ge security supra\syncservice.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\WINNT\system32\MSTask.exe
C:\SSL\stunnel-4.10.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\outlook\outlook.exe
C:\kybrdff_16.exe
C:\WINNT\v1201.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\ms05643834781.exe
C:\WINNT\Duce6.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Documents and Settings\Mike and Bob Laptop\Desktop\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ms05643834781] C:\WINNT\ms05643834781.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\fpnu0359e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Posted by rfgavin
Sep 5th, 2006

Re: tagasaurus got me - i've loaded hijack this...

Your system has quite some unwanted new inhabitants. I found traces of all kinds of malware:

(If you didn't install a "Network Monitor" tool deliberately, this is possibly a bad one)
C:\Program Files\Network Monitor\netmon.exe
(Mimail-M worm or relatives)
http://www.bleepingcomputer.com/star....exe-3645.html

C:\WINNT\v1201.exe
(Trojan-Clicker.Win32.VB.is)
http://www.pestpatrol.com/spywarecen...x?id=453097395

C:\kybrdff_16.exe
(Seen a lot these days - cannot assign this clearly to a specific malware, but definitely a nasty ("DollarRevenue" trojan?))

C:\Program Files\Internet Optimizer\optimize.exe
(TrojanDownloader.Win32.Dyfuca.ac/ "Moneytree" Spyware/Dialer)
http://www3.ca.com/securityadvisor/p...x?id=453072536

C:\WINNT\ms05643834781.exe
(TagAsaurus)
http://www.pestpatrol.com/spywarecen...x?id=453097586

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://searchbar.findthewebsiteyouneed.com
(CoolWebSearch malware bundle)

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
(unknown but suspect - 90% of all tool- and search bars are fishy)

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
(Advertising Spyware "SaveNow")

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
(Win32.Worm.VB.DW - Backdoor!)
http://www.bitdefender.com/VIRUS-195...orm.VB.DW.html

O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
(Troj/Dloadr-LO)
http://www.sophos.com/virusinfo/anal...jdloadrlo.html

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
(W32/Colevo-A/Buddy email worm)
http://www.sophos.com/security/analyses/w32colevoa.html

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
(Maybe the source of all evil and known to be spyware itself, potentially dangerous if used with default sharing settings - "user-installed backdoor")

Whenever a backdoor has been installed, hard-line security experts refuse to cure such a system. They say it's heavily compromised and cannot be trusted anymore, because no one can say if all holes that may have been created can be found.
Since the cure of such a badly contaminated system can take much longer than a format/reinstall procedure, I recommend the latter one. If you use that computer for monetary/professional purposes, you should consider all sensitive data (passwords etc.) as stolen and public and take action accordingly.
Last edited by Xpenetrator; Sep 5th, 2006 at 11:47 am.
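As an added triage helper (not part of this thread and not HijackThis's own code), the Python below walks log lines in the format posted above and flags the patterns Xpenetrator singled out: autorun targets sitting in the drive root or dropped straight into C:\WINNT, run values named after system files, services with an unknown owner or a missing binary, and IE search/start pages pointing at an unfamiliar host. The allow-list of search hosts and the list of system-file names are assumptions; the sample lines are copied from the log in this thread.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [ms05643834781] C:\WINNT\ms05643834781.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
"""
# Assumed allow-list of hosts a stock IE6 search/start page points at; extend for your environment.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com", "home.microsoft.com"}
# Run-value names that masquerade as Windows components (assumed list, extend as needed).
SYSTEM_NAMES = {"ntdll.dll", "kernel32.dll", "explorer.exe", "svchost.exe", "winlogon.exe"}
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^R[013] - .+ = (?P<url>\S+)$")

def target_path(cmd):
    """Executable path from an O4 command string, with quotes and arguments stripped."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]

def review_line(line):
    """Reasons this HijackThis line deserves a closer look (empty list if none)."""
    reasons = []
    if m := O4_RE.match(line):
        path = target_path(m["cmd"])
        if re.match(r"^[A-Za-z]:\\+[^\\]+$", path):
            reasons.append("autorun target sits in the drive root")
        elif re.match(r"^[A-Za-z]:\\+WINNT\\+[^\\]+$", path, re.I):
            reasons.append("autorun target dropped directly into the Windows directory")
        if m["name"].lower() in SYSTEM_NAMES:
            reasons.append("run value named after a system file")
    elif m := O23_RE.match(line):
        if "(file missing)" in m["path"]:
            reasons.append("service points at a missing binary")
        if m["owner"] == "Unknown owner":
            reasons.append("service binary carries no publisher name")
    elif m := R_RE.match(line):
        # Strip the scheme (also the defanged hxxp:// form) and keep only the host part.
        host = re.sub(r"^h\w+://", "", m["url"]).split("/")[0].lower()
        if host not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"IE search/start page points at {host}")
    return reasons

def triage(log_text):
    """Map every flagged log line to its reasons; lines with nothing to report are omitted."""
    return {ln: rs for ln in log_text.splitlines() if (rs := review_line(ln))}
```

Every hit is a prompt to verify the file (publisher, hash, install date), not a verdict; the clean Symantec entries in the sample fall through with no reasons attached.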
