
I found a post from Laughing Eyes about Tagasaurus and what to do, but since LE couldn't get online, couldn't download HijackThis.

I did, ran the scan, which I've pasted below. As Little Richard says, "Can anybody help me?"


Logfile of HijackThis v1.99.1
Scan saved at 6:25:43 PM, on 9/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
c:\program files\ge security supra\syncservice.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\GE Security Supra\ProxyDaemon.exe
C:\WINNT\system32\MSTask.exe
C:\SSL\stunnel-4.10.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\outlook\outlook.exe
C:\kybrdff_16.exe
C:\WINNT\v1201.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\ms05643834781.exe
C:\WINNT\Duce6.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\GE Security Supra\SyncInfoApp.exe
C:\Documents and Settings\Mike and Bob Laptop\Desktop\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_16.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ms05643834781] C:\WINNT\ms05643834781.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O20 - Winlogon Notify: MCD - C:\WINNT\system32\fpnu0359e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Last Post by Xpenetrator

Your system has quite some unwanted new inhabitants. I found traces of all kinds of malware:

(If you didn't install a "Network Monitor" tool deliberately, this is possibly a bad one)
C:\Program Files\Network Monitor\netmon.exe
(Mimail-M worm or relatives)
http://www.bleepingcomputer.com/startups/netmon.exe-3645.html

C:\WINNT\v1201.exe
(Trojan-Clicker.Win32.VB.is)
http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453097395

C:\kybrdff_16.exe
(Seen a lot these days - cannot assign this clearly to a specific malware, but definitely a nasty one ("DollarRevenue" trojan?))

C:\Program Files\Internet Optimizer\optimize.exe
(TrojanDownloader.Win32.Dyfuca.ac/ "Moneytree" Spyware/Dialer)
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453072536

C:\WINNT\ms05643834781.exe
(TagAsaurus)
http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453097586

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://searchbar.findthewebsiteyouneed.com
(CoolWebSearch malware bundle)

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
(unknown but suspect - 90% of all tool- and search bars are fishy)

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
(Advertising Spyware "SaveNow")

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
(Win32.Worm.VB.DW - Backdoor!)
http://www.bitdefender.com/VIRUS-195364-en--Win32.Worm.VB.DW.html

O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
(Troj/Dloadr-LO)
http://www.sophos.com/virusinfo/analyses/trojdloadrlo.html

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
(W32/Colevo-A/Buddy email worm)
http://www.sophos.com/security/analyses/w32colevoa.html

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
(Maybe the source of all evil and known to be spyware itself, potentially dangerous if used with default sharing settings - "user-installed backdoor")

Whenever a backdoor has been installed, hard-line security experts refuse to cure such a system. They say it's heavily compromised and cannot be trusted anymore, because no one can say if all holes that may have been created can be found.
Since the cure of such a badly contaminated system can take much longer than a format/reinstall procedure, I recommend the latter. If you use that computer for monetary/professional purposes, you should consider all sensitive data (passwords etc.) as stolen and public and take action accordingly.
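The reply above triages the log by hand. As an added example (not part of the thread, and not a HijackThis feature), here is a small parser for the HijackThis v1.99 line format that applies three of the same heuristics to a constructed sample of R1, O4 and O23 entries: IE search/start-page values pointing at hosts outside an assumed allowlist, autorun binaries sitting bare in the drive root or Windows directory (or a Run value named like a system file but launching something else), and services with an unknown owner or a missing binary. The allowlist and suspect-directory list are assumptions to be tuned per environment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99 log format, using the entry kinds the
# reply singles out (R1 search hijack, O4 Run keys, O23 services).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_16.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINNT\v1201.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TWljaGFlbCBTY2htaWR0ICY\command.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Assumed allowlist: hosts a stock IE search/start page may legitimately point to.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")
# Assumed: directories where a legitimate autorun binary is rarely dropped bare.
SUSPECT_DIRS = ("c:", r"c:\winnt", r"c:\windows")

R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>.+?) = (?P<url>\S+)")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)

def exe_path(cmd):
    """Executable path from an O4 command line (quoted or not); doubled backslashes collapsed."""
    m = EXE_RE.match(cmd)
    return re.sub(r"\\+", r"\\", m.group("exe")) if m else cmd

def triage(log_text):
    """Return (line, reason) pairs for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        if m := R_RE.match(line):
            host = (urlsplit(m.group("url")).hostname or "").lower()
            if not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
                findings.append((line, f"IE setting points to unexpected host {host}"))
        elif m := O4_RE.match(line):
            path = exe_path(m.group("cmd"))
            parent, _, base = path.lower().rpartition("\\")
            name = m.group("name").lower()
            if parent in SUSPECT_DIRS:
                findings.append((line, f"autorun binary sits bare in {parent}"))
            elif name.endswith((".dll", ".exe")) and name != base:
                findings.append((line, f"Run value named like a system file but launches {base}"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner" or "(file missing)" in m.group("path"):
                findings.append((line, "service with unknown owner or missing binary"))
    return findings
```

Heuristics like these only prioritise; the `[outlook]` entry the reply identifies as a backdoor lives under Program Files and would pass the path rule, so a triage list is a starting point for lookup, not a verdict.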
