Please help? Mediatickets/angelfire


1 reply to this topic

#1 relish (New Member, 1 posts)

Posted 05 July 2004 - 04:15 PM

Hello, this is my HijackThis log.. there's something on my computer that periodically pops up a browser going to an angelfire.com site, then there's a MediaTickets install thingy popping out :/ Can you guys help me? I'd greatly appreciate it :/ Thanks in advance.

Here's the log,

Logfile of HijackThis v1.97.7
Scan saved at 5:10:41 PM, on 7/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
e:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
e:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\mysql\bin\mysqld-nt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\taskmngrs.exe
C:\WINDOWS\System32\ctfmon.exe
G:\mysql\bin\winmysqladmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\SNDVOL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19E5C3C7-88D2-904B-C726-F1AE66EF3E95} - (no file)
O2 - BHO: (no name) - {1EDD4ABB-7FFA-7AE7-2EE1-CAFAB2F1005B} - (no file)
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {4D1C4EAC-A430-DBE2-2610-2619907F1D5A} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F06B63C-F828-32BF-5401-7C1C86A704C9} - (no file)
O2 - BHO: (no name) - {651457CA-8E83-8FA3-AEA9-9372821A1A51} - (no file)
O2 - BHO: (no name) - {66E07AD0-5435-6A17-2F75-DA98D6E9D21E} - (no file)
O2 - BHO: (no name) - {6B4EE7B2-A794-244F-ADD0-EE44131BFC5D} - (no file)
O2 - BHO: (no name) - {772A6985-125B-1505-70C1-C5D01EB853C7} - (no file)
O2 - BHO: (no name) - {789E6ACA-7D9C-0143-CDA9-054F4543DB2C} - (no file)
O2 - BHO: (no name) - {7A92AD2B-4A2B-E681-180C-852F9B4A3BB4} - (no file)
O2 - BHO: (no name) - {7FCAB6C6-3F6D-FD6C-EC10-B2B511B05C73} - (no file)
O2 - BHO: (no name) - {84B24A78-E175-AED1-512C-CFF226F9C0DB} - (no file)
O2 - BHO: (no name) - {883EDD1C-FC42-B1BC-75A1-920AD1D28523} - (no file)
O2 - BHO: (no name) - {88B9E4D2-1DFD-E365-CABB-E7124F455F33} - (no file)
O2 - BHO: (no name) - {8A98241B-FE20-D008-805C-5BC0B7C14266} - (no file)
O2 - BHO: (no name) - {8BD83B7D-5449-6BE0-8A30-69CEB9CF5FA1} - (no file)
O2 - BHO: (no name) - {8E8B1F25-4CAA-C9AE-CFE9-AF4A518E8A52} - (no file)
O2 - BHO: (no name) - {8EDD33F5-EF01-A69D-26EB-E5AAF6F683E2} - (no file)
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - (no file)
O2 - BHO: (no name) - {98521EA9-B1EC-9ED8-ED9D-681CA0FF7674} - (no file)
O2 - BHO: (no name) - {99E0B23D-A95C-D9EE-CAF3-1F57FBD4D83D} - (no file)
O2 - BHO: (no name) - {A47DCE7F-A687-0E75-A0E5-69DB2A5B5055} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AAEAC5DA-FA2B-5970-0FD6-082372B1F61F} - (no file)
O2 - BHO: (no name) - {ADEAA3B6-9276-09CD-04E3-6EF1F7854839} - (no file)
O2 - BHO: (no name) - {B56233F4-AAE8-569E-8370-CAB92BF74D19} - (no file)
O2 - BHO: (no name) - {B856C014-733A-E7C2-BA3A-B880A9541D36} - (no file)
O2 - BHO: (no name) - {B9D983AE-7FD4-D020-7FF8-D4F96DD34618} - (no file)
O2 - BHO: (no name) - {CAF6E144-63FF-5169-432A-A4605DE3B9A4} - (no file)
O2 - BHO: (no name) - {CF1C66A5-22A7-AA44-A767-EB79B05C5F1B} - (no file)
O2 - BHO: (no name) - {D22869A8-8A72-A198-1150-D6A2F741CA3A} - (no file)
O2 - BHO: (no name) - {D5644845-15E3-4EE8-36E2-C0A98CC373FC} - (no file)
O2 - BHO: (no name) - {DBD17118-557D-6A66-C881-9D6BA43E91D2} - (no file)
O2 - BHO: (no name) - {DCB7C15D-EDDB-30CD-B3F3-D2CE2AA0CC25} - (no file)
O2 - BHO: (no name) - {DDF69936-9289-A3BA-6911-C5BB49DC85D8} - (no file)
O2 - BHO: (no name) - {E7B7CDD4-4537-5090-F6CC-5CC180B3DD91} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows cfg] ascv.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Microsoft Update] winfix3.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [winfb.exe] C:\WINDOWS\system32\winfb.exe
O4 - HKLM\..\RunServices: [Windows cfg] ascv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] winfix3.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - Startup: WinMySQLadmin.lnk = G:\mysql\bin\winmysqladmin.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com...m::/newhelp.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8046.8917824074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{264729F7-2E82-4FBF-A126-EFDB13F053F3}: NameServer = 206.47.244.137 206.47.244.107

#2 CalamityJane (SWI Junkie, Emeritus, 313 posts)

Posted 10 July 2004 - 04:01 PM

Hi relish

First advice: don't go to that website without some protection and without securing your OS and your browser. You don't show that you have SP 1 installed on your WinXP, and you will continue to get infected over and over (as you have evidenced by your log) until you go to Windows Update and get ALL the critical security updates needed for XP and for IE.
Windows Update
http://v4.windowsupd.../en/default.asp

Next, go here and get some additional protection and fix the settings for your browser here:

Prevent Browser Hijacking
http://www.spywarein...ked/prevent.php
...................................
1. Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

2. You will need this free tool called CWShredder

Download CWShredder here:
http://www.majorgeek...wnload4086.html

or here
http://www.computerc...s-file-349.html

Just download it and click on it (you will need to have all browsers and any open windows closed). Hit the *Fix* button to run it (not the scan button). Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*.

3. Save these last sets of instructions so you will have them handy as the next steps need to be done in safe mode.

Reboot your PC into safe mode
How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

4. Close all browsers and any open windows, making sure that only HijackThis is open. Scan, and when it finishes, put an x in the boxes next to these items, then press *fix checked*:

O2 - BHO: (no name) - {19E5C3C7-88D2-904B-C726-F1AE66EF3E95} - (no file)
O2 - BHO: (no name) - {1EDD4ABB-7FFA-7AE7-2EE1-CAFAB2F1005B} - (no file)
O2 - BHO: (no name) - {2B91E7DA-0139-CAF2-705A-DC5942CF0C87} - (no file)
O2 - BHO: (no name) - {4D1C4EAC-A430-DBE2-2610-2619907F1D5A} - (no file)
O2 - BHO: (no name) - {5F06B63C-F828-32BF-5401-7C1C86A704C9} - (no file)
O2 - BHO: (no name) - {651457CA-8E83-8FA3-AEA9-9372821A1A51} - (no file)
O2 - BHO: (no name) - {66E07AD0-5435-6A17-2F75-DA98D6E9D21E} - (no file)
O2 - BHO: (no name) - {6B4EE7B2-A794-244F-ADD0-EE44131BFC5D} - (no file)
O2 - BHO: (no name) - {772A6985-125B-1505-70C1-C5D01EB853C7} - (no file)
O2 - BHO: (no name) - {789E6ACA-7D9C-0143-CDA9-054F4543DB2C} - (no file)
O2 - BHO: (no name) - {7A92AD2B-4A2B-E681-180C-852F9B4A3BB4} - (no file)
O2 - BHO: (no name) - {7FCAB6C6-3F6D-FD6C-EC10-B2B511B05C73} - (no file)
O2 - BHO: (no name) - {84B24A78-E175-AED1-512C-CFF226F9C0DB} - (no file)
O2 - BHO: (no name) - {883EDD1C-FC42-B1BC-75A1-920AD1D28523} - (no file)
O2 - BHO: (no name) - {88B9E4D2-1DFD-E365-CABB-E7124F455F33} - (no file)
O2 - BHO: (no name) - {8A98241B-FE20-D008-805C-5BC0B7C14266} - (no file)
O2 - BHO: (no name) - {8BD83B7D-5449-6BE0-8A30-69CEB9CF5FA1} - (no file)
O2 - BHO: (no name) - {8E8B1F25-4CAA-C9AE-CFE9-AF4A518E8A52} - (no file)
O2 - BHO: (no name) - {8EDD33F5-EF01-A69D-26EB-E5AAF6F683E2} - (no file)
O2 - BHO: (no name) - {9628735E-23FD-B2AE-7639-B629310C3C05} - (no file)
O2 - BHO: (no name) - {98521EA9-B1EC-9ED8-ED9D-681CA0FF7674} - (no file)
O2 - BHO: (no name) - {99E0B23D-A95C-D9EE-CAF3-1F57FBD4D83D} - (no file)
O2 - BHO: (no name) - {A47DCE7F-A687-0E75-A0E5-69DB2A5B5055} - (no file)
O2 - BHO: (no name) - {AAEAC5DA-FA2B-5970-0FD6-082372B1F61F} - (no file)
O2 - BHO: (no name) - {ADEAA3B6-9276-09CD-04E3-6EF1F7854839} - (no file)
O2 - BHO: (no name) - {B56233F4-AAE8-569E-8370-CAB92BF74D19} - (no file)
O2 - BHO: (no name) - {B856C014-733A-E7C2-BA3A-B880A9541D36} - (no file)
O2 - BHO: (no name) - {B9D983AE-7FD4-D020-7FF8-D4F96DD34618} - (no file)
O2 - BHO: (no name) - {CAF6E144-63FF-5169-432A-A4605DE3B9A4} - (no file)
O2 - BHO: (no name) - {CF1C66A5-22A7-AA44-A767-EB79B05C5F1B} - (no file)
O2 - BHO: (no name) - {D22869A8-8A72-A198-1150-D6A2F741CA3A} - (no file)
O2 - BHO: (no name) - {D5644845-15E3-4EE8-36E2-C0A98CC373FC} - (no file)
O2 - BHO: (no name) - {DBD17118-557D-6A66-C881-9D6BA43E91D2} - (no file)
O2 - BHO: (no name) - {DCB7C15D-EDDB-30CD-B3F3-D2CE2AA0CC25} - (no file)
O2 - BHO: (no name) - {DDF69936-9289-A3BA-6911-C5BB49DC85D8} - (no file)
O2 - BHO: (no name) - {E7B7CDD4-4537-5090-F6CC-5CC180B3DD91} - (no file)
O4 - HKLM\..\Run: [Windows cfg] ascv.exe
O4 - HKLM\..\Run: [Microsoft Update] winfix3.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [winfb.exe] C:\WINDOWS\system32\winfb.exe
O4 - HKLM\..\RunServices: [Windows cfg] ascv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] winfix3.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update] winfix3.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111111111171} - ms-its:mhtml:file://c:\\nosuch.mht!http://line-plus.com...m::/newhelp.exe
........................................
Stay in safe mode and delete the following (if found)

ascv.exe
winfix3.exe
taskmngrs.exe
C:\WINDOWS\system32\winfb.exe
.......................................
5. Reboot your PC back into normal mode.

6. Update your HJT program to version 1.98.0.
Open HijackThis.exe and press *config* (bottom right corner), then press *Misc. Tools* at the top. Next press *check for online update* and you should see version 1.98.0 available. Download that.

P.S. If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from this link:
http://www.spywarein.../HijackThis.exe

or here:
http://www.majorgeek...a8baee6434cfc13

Now scan once more with the new version of HijackThis and post a fresh log please.
Microsoft MVP Windows-Security 2003-2009
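Added example, not code from the thread or from HijackThis: a Python triage pass over a HijackThis 1.97-style log that flags the three entry patterns CalamityJane's fix list is built from (O2 BHOs whose DLL is "(no file)", O4 autostart values that name a bare executable under a Windows-sounding label, and O16 DPF entries whose URL is an ms-its:/mhtml: chain instead of a CAB download) and cross-references the O4 hits against the "Running processes" block. The sample log is an excerpt constructed from the log posted above; the function and key names are the example's own.

```python
import re

# Constructed excerpt of the log posted in the thread (entries copied from the page).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\taskmngrs.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19E5C3C7-88D2-904B-C726-F1AE66EF3E95} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Microsoft Update] winfix3.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49...m::/on-line.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (.*)$")


def triage(log: str) -> list[dict]:
    """Return one finding per suspicious entry, in log order; O4 hits note if the exe is running."""
    running, findings, in_procs = set(), [], False
    for line in (ln.strip() for ln in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.rsplit("\\", 1)[-1].lower())
                continue
            in_procs = False  # blank line ends the process block
        if (m := O2_RE.match(line)) and m.group(3) == "(no file)":
            # CLSID still registered as a browser helper but its DLL is gone: an orphaned hook.
            findings.append({"kind": "orphaned_bho", "clsid": m.group(2), "line": line})
        elif (m := O4_RE.match(line)) and "\\" not in m.group(4).strip('"'):
            # Autostart that names a bare executable resolves via the search path, not a vetted
            # absolute path; the thread's winfix3.exe/taskmngrs.exe hide this way under Windows-like labels.
            exe = m.group(4).strip('"').split()[0].lower()
            findings.append({"kind": "bare_autostart", "name": m.group(3), "exe": exe,
                             "running": exe in running, "line": line})
        elif (m := O16_RE.match(line)) and re.match(r"(?i)(ms-its|mhtml):", m.group(3)):
            # Downloaded Program File whose "URL" is a CHM/MHTML protocol chain ending in an .exe.
            findings.append({"kind": "dpf_protocol_abuse", "clsid": m.group(1), "line": line})
    return findings


def cleanup_targets(findings: list[dict]) -> list[str]:
    # File names behind the bare-autostart hits: the "delete the following (if found)" list.
    return sorted({f["exe"] for f in findings if f["kind"] == "bare_autostart"})
```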
