"Media Ticket Viewer" Hijacker

Discussion in 'adware, spyware & hijack cleaning' started by TomJG, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. TomJG

    TomJG Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    2
    I hope someone can please help me. I have run Ad-aware and Spybot search and destroy. These programs did not fix the problem I keep encountering. My browser starts up automatically and asks me to download something about media tickets...I believe the site it directs me to is "ekoote", however I could be mistaken. Below is a copy of the hijack this file run on my system. I thank everyone in advance for any and all help they can provide, and any time spent regarding this matter.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:11:23 PM, on 7/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\eM\Bay Reader\Shwicon2k.exe
    C:\WINDOWS\System32\msnmsgr.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\Documents and Settings\Tom\My Documents\My Downloads\Programs\HijackThis.exe

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
    O4 - HKLM\..\Run: [msn] msnmsgr.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [msn] msnmsgr.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1089163333609
    O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, for starters you certainly have some malware; check, and have Hijack This fix the following items:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [msn] msnmsgr.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe

    O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe

    O4 - HKCU\..\Run: [msn] msnmsgr.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe

    Restart your computer, and delete the C:\WINDOWS\System32\msnmsgr.exe file:

    http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_RBOT.QA

    The file could possibly have the "Hidden" attribute. Here's how to show hidden and operating system files

    Tell us how that goes.

    Cheers,
     
  3. TomJG

    TomJG Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    2
    Thank you for your help. I think the problem may be fixed...dare I speak too soon. I have restarted the computer and have yet to have a problem. The only thing I couldn't find after restarting was the msnmsgr.exe file in the System 32 folder. I included hidden files in my search, but no luck. Thank you again for taking the time to help me with this problem.

    Sincerely
    T Grace
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    The msnmsgr.exe file is listed among your Running Processes, so unless you removed it it will still be there.

    Do you have hidden files set to show??
     
Thread Status:
Not open for further replies.