Hello Everyone,
I have Microsoft Windows XP Pro installed on my notebook (Sony Vaio PCG-FRV35), but every minute it opens a web page to join Media Tickets. I looked all over the internet and found many other guys who have the same problem, but no one had the same file or program that has been doing this pop-up.
Right now, as I am typing this message, it's the third time I have had to log in to the techimo forum to finish this.
I have installed HiJack Software and this is the log it returns to me when I am logged in with my personal login (it has administrative rights).
Any help will be appreciated.
Regards,
Nataniel Klug
---- HIJACK LOG ----
Logfile of HijackThis v1.98.0
Scan saved at 17:37:00, on 02/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\WINDOWS\Explorer.EXE
D:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\System32\carpserv.exe
D:\Arquivos de programas\Sony\HotKey Utility\HKserv.exe
D:\WINDOWS\System32\oavsznv.exe
D:\WINDOWS\System32\fep.exe
D:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
D:\Arquivos de programas\Sony\HotKey Utility\HKWnd.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Arquivos de programas\MSN Apps\Updater\01.02.0000.2693\pt-br\msnappau.exe
C:\Cyber Nett\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.drumcash.com/click.cgi?christanhalfman
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.163.208.11:3128
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - D:\Arquivos de programas\MSN Apps\ST\01.02.0000.2693\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.0000.2693\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - D:\WINDOWS\Downloaded Program Files\gbieh.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.0000.2693\pt-br\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] D:\Arquivos de programas\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Microsoft Update] oavsznv.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] fep.exe
O4 - HKLM\..\Run: [Updater] "D:\Arquivos de programas\MSN Apps\Updater\01.02.0000.2693\pt-br\msnappau.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] oavsznv.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] fep.exe
O4 - HKCU\..\Run: [Microsoft Update] oavsznv.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] fep.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Arquivos de programas\ICQLite\ICQLite.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3276E82C-C39F-4A41-BFFD-5B0362E9415B}: NameServer = 200.163.208.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{42A8488C-E744-4097-B677-2900E0198350}: NameServer = 200.163.208.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C91CCDA-4034-45E1-8013-DE1C42CFBB51}: NameServer = 200.163.208.4