Jump to content


Photo

MediaTicket Browser hijack


  • Please log in to reply
5 replies to this topic

#1 nash02

nash02

    Member

  • New Member
  • Pip
  • 3 posts

Posted 14 June 2004 - 06:35 AM

Help needed please!!!

I cant get rid of MediaTicket browser download. i've gone through FAQs on the site and spent last 24 hours trying to get rid of it.

many thanks in advance

My hijackthis log is below

Logfile of HijackThis v1.97.7
Scan saved at 12:34:19, on 14/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\r_server.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\NAVSCAN32.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 8 for 1188084.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yellowtag.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7926F0FA-F41D-4109-B506-2E3E330AE991}: NameServer = 194.72.9.34 194.74.65.68

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 14 June 2004 - 08:53 AM

Hi,
Looks like you have several issues ...
However I want to confirm a few things.

First go to: Kaspersky Test one file:
http://www.kaspersky...teviruschk.html

Click Browse, navigate to the following, highlight each (one at a time)
Click Submit, any copy and report back with any info.

C:\WINDOWS\System32\r_server.exe <--this file
C:\WINDOWS\System32\NAVSCAN32.exe <--this file
VTTimer.exe <--this file

Note: locate "VTTimer.exe" via Start > Search
Right-click and select: Properties | Version
Copy and report back with any info there (if exists)

Do not attempt to fix anything at this point.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 nash02

nash02

    Member

  • New Member
  • Pip
  • 3 posts

Posted 14 June 2004 - 09:43 AM

Thanks Mark!

Found one infected file - but i've not done anything yet!!

Scanned file: r_server.exe

r_server.exe - OK


Statistics:
Known viruses: 90915 Updated: 14-06-2004
File size (Kb): 236 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0





Scanned file: VTTimer.exe

VTTimer.exe - OK


Statistics:
Known viruses: 90915 Updated: 14-06-2004
File size (Kb): 36 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0





Scanned file: NAVSCAN32.exe

NAVSCAN32.exe - packed with PE-Shield
NAVSCAN32.exe - infected by Backdoor.Rbot.gen


Statistics:
Known viruses: 90915 Updated: 14-06-2004
File size (Kb): 227 Virus bodies: 1
Files: 2 Warnings: 0
Archives: 0 Suspicious: 0

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 14 June 2004 - 10:40 AM

Hi,

r_server.exe - OK
VTTimer.exe - OK
NAVSCAN32.exe - infected by Backdoor.Rbot.gen

r_server.exe = TROJ_RADMIN.A [or] Remacc.Radmin :alarm:
Note: is "r_server.exe" something you installed?

VTTimer.exe = where is this located (folder)
Was there any info from "Properties | Version"?
Provide this info into your next post.

NAVSCAN32.exe = W32/Sdbot-DO :alarm:

Paste the below into the IE Address Bar, hit "Go" or press Enter

java script:navigator.appMinorVersion

Copy and paste the info into your next post.


Do you have the XP Firewall enabled? (you should!)
http://www.microsoft...xp/firewall.asp

After the above we can determine the best course of action.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 nash02

nash02

    Member

  • New Member
  • Pip
  • 3 posts

Posted 14 June 2004 - 12:07 PM

hi mark

IE copy and paste result - ;SP1;Q837009;Q832894;Q831167;

r_server.exe looks like a valid file as i have Remote admin installed

VTTimer is in c;windows/system32 - version 1.2.0.507 - from S3 Graphics inc

Firewall is enabaled NOW :-(

just disconnected other 2 pcs that are on network.

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 14 June 2004 - 03:34 PM

Hi,
Ok, so it looks like all you need to deal with is "NAVSCAN32.exe"

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, except for HijackThis place a check in each of the following:
Then click "Fix checked".

O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

NAVSCAN32.exe <--this file (locate via Start > Search)

Restart normally and then ...

(As mentioned in the above "W32/Sdbot-DO" article above)

Start | Run (type) regedit
Click Edit (up top) select: Find
(type) NAVSCAN32.EXE click "Find Next"

Remove any instances found, highlight, right-click and select: Delete (ok the prompt)

Press "F3" to continue, repeat as needed, until you see the "completed" message.
Close Regedit and reboot.

Last Step:

"Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot run a full AVG scan, reboot and turn System Restore back on and create a new Restore Point.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button