Old 26-06-2005, 09:59 PM   #1 (permalink)
Right Off the Assembly Line
 
Join Date: Jan 2005
Posts: 38
Fed up with Mediatickets


Hi
My system is infected with the adware/spyware called 'Mediatickets'. I tried removing it using various tools but no luck so far. It has slowed down my system's performance, and every time I connect to the internet a page opens automatically for mediatickets.com...

Can somebody suggest a remedy (a permanent one, please)?

Looking forward to some fruitful responses.

Thanks

Gurpreet
er_gurpreet is offline  

Old 26-06-2005, 11:46 PM   #2 (permalink)
Alpha Geek
 
Join Date: Mar 2005
Location: Doha, Qatar
Posts: 942

Download and run HijackThis.
http://www.merijn.org/files/hijackthis.zip

Post the text from the log file here.

-Keith
__________________
[ THIS SPACE HAS BEEN RESERVED FOR FUTURE USE IN CASE I WANT TO BOAST ABOUT MY PC'S, HOUSE, CAR, GIRLFRIENDS OR OTHER STUFF THAT I KNOW YOU DON'T REALLY CARE ABOUT ]
Keith Sebastian is offline  
Old 27-06-2005, 07:44 PM   #3 (permalink)
Right Off the Assembly Line
 
Join Date: Jan 2005
Posts: 38
Log file

Logfile of HijackThis v1.99.1
Scan saved at 7:41:52 PM, on 6/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
C:\SVCHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_2_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\WINDOWS\SYSTEM\CnxDslTb.exe"
O4 - HKLM\..\Run: [Windows DLL Services] C:\SVCHOST.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [MSNIA] C:\PROGRA~1\MSN\MSNIA\MSNIASVC.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkCnv.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/262f0dc2...p/RdxIE601.cab
er_gurpreet is offline  
Old 27-06-2005, 09:53 PM   #4 (permalink)
Alpha Geek
 
Join Date: Mar 2005
Location: Doha, Qatar
Posts: 942
Re: Log file

It's hard to spot the culprit/s when you have this many apps running in the background. You need to disable all apps from loading at startup. Also run AdAware to get rid of easy-to-clean malware. Then run HijackThis.

Anyway, these entries look suspicious. You can get rid of them by searching and noting down their locations (remember to unhide hidden files and "search within hidden files" in Windows search). Reboot into safe mode (F8) and delete them. Remember, most malware is extremely intelligent. Even if you miss cleaning 1 file, most probably it'll replicate all the files you just deleted.

These entries look suspicious -

C:\WINDOWS\SYSTEM\MPREXE.EXE ---> ok to have on win9x. But in your case I reckon it's the trojan Win32.Banker.B. Look for the files lds_f3.dll and iesprt.sys in windows/ or windows/system or windows/system32 to spot the infection. Mark them for deletion using the above safe mode boot method.

Also check for programfilesdir+\common files\wintools\wtoolsb.dll----> if it exists, mprexe.exe is a pest.

C:\SVCHOST.EXE ---------> gotcha, this is mediatickets hiding behind a false name. Many spyware/malware programs use filenames of usual, non-malware programs. This is an excellent example.

C:\WINDOWS\SYSTEM\PSTORES.EXE ------>The pstores.exe process is used by Internet Explorer and Outlook in order to store sensitive information in your computer's registry securely. Anyway, AdAware will get rid of it if it's malware using an innocent name. Run a scan.

The following entries need to be cleaned using HijackThis AFTER deleting the above threats and rescanning with HijackThis.

Suspect-

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Doubt -

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Definitely malware -

O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com

Doubt -

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/262f0dc2...p/RdxIE601.cab

Also, I found these instructions at - http://www.spywareremove.com
It should work if you're infected with ONLY mediatickets and not a combination of malware (which happens most of the time).

MediaTickets Removal Instructions

Before you can delete files, you must first stop all the MediaTickets processes that are running in memory. Do this by ending all processes from the Task Manager. Press CTRL+ALT+DELETE to open the Windows Task Manager. If you see multiple "tabs," click on the "Processes" tab. For each process that you would like to kill, find the process name in the list, click it to select it, and click the "End Process" button.

Delete registry values instructions:
Open the Windows Registry Editor by clicking on the Windows "Start" button, clicking "Run," and typing "regedit" into the box in the window that appears. Click "OK". Once the Registry Editor is open, navigate through the registry tree to the location of the key that you wish to delete. When you find the key or value to be deleted, click on it to highlight it and press the "DELETE" key.

Delete Registry Values:
{81EB72D7-3949-450F-B035-DE599959814F}
{20F13844-04BC-4987-9964-2502F0DA54D3}
{9EB320CE-BE1D-4304-A081-4B4665414BEF}
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com

Unregister DLL instructions:
To un-register a DLL file, first locate the file on your hard drive. Open a command prompt window by clicking on the Windows "Start" button, clicking "Run," and typing "cmd" into the box in the window that appears. Click "OK." Next type "regsvr32 /u <path to the DLL>" and press the "ENTER" key. For example, to un-register a file called "myDll.dll" which is located in the "C:\windows\system32" folder, you would type "regsvr32 /u C:\windows\system32\myDll.dll" and press the "ENTER" key.

Delete File Entries:
MediaTicketsInstaller.inf
MediaTicketsInstaller.ocx

Best of luck, and upgrade to SP2 and run AdAware regularly.

Cheers,
Keith
Keith Sebastian is offline  
Old 28-06-2005, 10:05 PM   #5 (permalink)
Right Off the Assembly Line
 
Join Date: Jan 2005
Posts: 38

hey keith

Thanks for your inputs. Pardon my ignorance, but can I delete the SVCHOST.exe? Is it safe to delete this exe file?
er_gurpreet is offline  
Old 28-06-2005, 11:22 PM   #6 (permalink)
Alpha Geek
 
Join Date: Mar 2005
Location: Doha, Qatar
Posts: 942

Quote:
Originally Posted by er_gurpreet
hey keith

Thanks for your inputs. Pardon my ignorance, but can I delete the SVCHOST.exe? Is it safe to delete this exe file?
YES if -
It's located in a folder OTHER than C:\Windows\System32. This one is necessary for XP to function.

Yours is in C:\. This is malware.

YES if -
in Task Manager (CTRL+ALT+DEL, Processes) you see SVCHOST.exe running under your username (win logon name).

If it's running with credentials such as "NETWORK SERVICE", "SYSTEM", "LOCAL SERVICE" it's OK. All others are fakes.

-Keith
Keith Sebastian is offline  
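As an added example (not code from this thread), here is a small Python triage script that applies the same heuristics Keith uses in posts #4 and #6 to a HijackThis log: a system-named binary such as svchost.exe running or autostarting from somewhere other than the Windows directory, and any O15 Trusted Zone addition. The log excerpt is constructed from the one posted above, and the short list of system binary names is an assumption.

```python
# Triage a HijackThis log: flag a system-named binary running or autostarting
# from outside the Windows directory, and any O15 Trusted Zone addition.
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the format of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\SVCHOST.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows DLL Services] C:\SVCHOST.EXE
O15 - Trusted Zone: *.media-motor.net
"""

# Assumption: a short list of Windows binaries whose names malware borrows.
SYSTEM_NAMES = {"svchost.exe", "mprexe.exe", "pstores.exe"}
# Where those binaries legitimately live on Win9x / NT-family installs.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}


def outside_system_dir(path: str) -> bool:
    """True if `path` names a system binary but sits outside a system dir."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM_NAMES or str(p.parent) == ".":
        return False  # not a borrowed name, or no directory to judge
    return str(p.parent).lower().rstrip("\\") not in SYSTEM_DIRS


def command_path(cmd: str) -> str:
    """Image path of an O4 command: the quoted part, else the first token."""
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]


def triage(log: str) -> list:
    """Return human-readable findings for the suspicious lines in `log`."""
    findings, in_procs = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and not line.strip():
            in_procs = False  # a blank line ends the process list
        elif in_procs and outside_system_dir(line.strip()):
            findings.append(f"process outside system dir: {line.strip()}")
        elif m := re.match(r"O4 - .*?: \[(.*?)\] (.*)", line):
            if outside_system_dir(command_path(m.group(2))):
                findings.append(f"autostart [{m.group(1)}] -> {m.group(2)}")
        elif m := re.match(r"O15 - Trusted Zone: (.*)", line):
            findings.append(f"trusted zone added: {m.group(1)}")
    return findings
```

Run `triage(SAMPLE_LOG)` to see the three findings the log above produces; the process owner check from post #6 (SYSTEM vs. a user account) is not in a HijackThis log and still has to be done in Task Manager.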