win32adware mediaticket, it won't disappear!

Anyone know how to clean win32adware\mediatickets?
Have tried everything and it's still coming back… I have disabled system restore…
I have tried http://forum.avast.com/index.php?topic=14273;prev_next=next
Using NOD32 1.14 and Spyware Doctor 3.5… and Win XP.
Log from NOD32:
C:\Programfiler\W?nSxS?ti2evxx.exe is infected and c:\windows\system32\m?dtc.exe a variant of Win32/Adware.MediaTickets application

Hi mEhE,

There is a lot of this infection with the mediatickets going around lately, because we get a lot of postings for this malware.
Read about it here, also for removal instructions:
http://www.spywareguide.com/product_show.php?id=813
and read here:
http://www.intermute.com/spyware/MediaTickets.html

polonus

Hi mEhE,

This is really the avast! forum, but since you’re here anyway, welcome, and try running these programs in safe mode: (Tap F8 while booting.)

Ewido (XP/Win2000 only): http://www.ewido.net/en/

and/or a-Squared: http://www.emsisoft.com/en/

Ad-Aware: http://www.lavasoft.de/

Spybot Search & Destroy: http://www.safer-networking.org/

Also try the free trial version of Webroot Spysweeper if the above don’t work.

Good luck!

:) Hi All:

There is a NOD32 forum at wilderssecurity.com.

Now I have tried everything you wrote… Ewido anti-malware 3.5 found 31 020 infected ??? but all cleaned…
Most of them were cookies…
But the win32adware\mediatickets is still popping up on NOD32…
I posted a thread on the NOD32 forum but no help so far…

BTW: what is avast!? I searched for the win32adware virus on Google and found this forum :)

avast! is an anti-virus program and this forum is part of its program support.

http://www.avast.com/eng/desktop_protection.html

Welcome to our forums ;D

Can you post a HijackThis! log for us?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Hm… The message exceeds the maximum allowed length (10000 characters). I cannot post the HijackThis log here…??

Please split the log into two parts!

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:21:19, on 18.04.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\NetLimiter\NetLimiter.exe
C:\Programfiler\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Programfiler\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Programfiler\DAEMON Tools\daemon.exe
C:\Programfiler\Winamp\winampa.exe
C:\Programfiler\Eset\nod32kui.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\TGTSoft\StyleXP\StyleXP.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\W?nSxS?ti2evxx.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Bluetooth-programvare\BTTray.exe
C:\PROGRA~1\FELLES~1\PCSuite\Services\SERVIC~1.EXE
C:\Programfiler\Bluetooth-programvare\bin\btwdins.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\ewido anti-malware\ewidoguard.exe
C:\Programfiler\Eset\nod32krn.exe
C:\Programfiler\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\BitComet\BitComet.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Nero\Nero 7\Core\nero.exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMIndexStoreSvr.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\SKRIVEBORD\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {21CCD69C-1C0F-648B-73E6-6F834CAA999B} - (no file)
O2 - BHO: (no name) - {3EBB263E-BEAC-917C-D18A-CC69318A8E9E} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Programfiler\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O2 - BHO: (no name) - {6C994F3C-DCA6-A92E-D82E-A67F106AD5CE} - (no file)
O2 - BHO: (no name) - {6E1B3AB2-F777-8EF5-5B15-85ED9912D49F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8AC27E9A-E107-9FDC-7977-C3891F7A64C4} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9E3AC264-5EFE-7322-DA9D-7D82BF1F28C3} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FB761138-D1FE-A121-D39F-AD0FA4E64D92} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Programfiler\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FELLES~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Programfiler\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Programfiler\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programfiler\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Programfiler\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Bjf] C:\Documents and Settings\Administrator\Mine dokumenter\??stem32\?srss.exe
O4 - HKCU\..\Run: [Sivjrrb] C:\Programfiler\W?nSxS\?ti2evxx.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global User Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global User Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send til &Bluetooth - C:\Programfiler\Bluetooth-programvare\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programfiler\Bluetooth-programvare\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programfiler\Bluetooth-programvare\bin\btwdins.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Programfiler\dopewars-1.5.10\dopewars.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programfiler\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programfiler\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: StyleXPService - Unknown owner - C:\Programfiler\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

Is that the log you need?

That’s the one!

Your analysis is saved here:

http://hijackthis.de/logfiles/990993e373fe3e38fbe9ecb133a07733.html

I can see a few nasties. I’ll post again when I’ve had a good look!

First of all, you seem to be running NOD32 and Norton Anti-Virus. Running two AV’s at the same time is not a good idea, as they will fight over files like two dogs over a bone and cause problems.

Your main problem seems to be a PurityScan infection. It obviously has some sort of self-protection going on. The easiest way to remove it would be to use the removal tool from the PurityScan website. I don’t really trust uninstallers from adware companies, but as it’s recommended on the Symantec site, I guess it’s safe:

http://securityresponse.symantec.com/avcenter/venc/data/adware.purityscan.html

http://www.purityscan.com/uninstall.html

Do you have the BitComet peer-to-peer network? Because this can be a worm if it’s not the peer-to-peer network.

C:\Programfiler\BitComet\BitComet.exe

The following entries have been highlighted as nasty, but you should decide if you want to keep them: they are IE start and search pages.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

The following entries can be fixed: this is just a ‘clean-up’ process.

O2 - BHO: (no name) - {21CCD69C-1C0F-648B-73E6-6F834CAA999B} - (no file)

O2 - BHO: (no name) - {3EBB263E-BEAC-917C-D18A-CC69318A8E9E} - (no file)

O2 - BHO: (no name) - {6E1B3AB2-F777-8EF5-5B15-85ED9912D49F} - (no file)

O2 - BHO: (no name) - {8AC27E9A-E107-9FDC-7977-C3891F7A64C4} - (no file)

O2 - BHO: (no name) - {9E3AC264-5EFE-7322-DA9D-7D82BF1F28C3} - (no file)

O2 - BHO: (no name) - {FB761138-D1FE-A121-D39F-AD0FA4E64D92} - (no file)

This entry I do not believe is nasty and I do not recommend fixing it:

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programfiler\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

This entry seems to be adware: I recommend you do some research and decide if you want to keep it.

O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Programfiler\dopewars-1.5.10\dopewars.exe

You need to check that you have the latest version of IE.

Please run the PurityScan uninstaller and then check with HijackThis! that the following entries have gone:

C:\Programfiler\W?nSxS?ti2evxx.exe

O4 - HKCU\..\Run: [Bjf] C:\Documents and Settings\Administrator\Mine dokumenter\??stem32\?srss.exe

O4 - HKCU\..\Run: [Sivjrrb] C:\Programfiler\W?nSxS\?ti2evxx.exe

Hello again…
I am running Firefox version 1.0.7 and I am not using IE (it is the old version included with MS XP).
Norton AntiVirus is not working and I can't uninstall it…

Here is a logfile after I ran PurityScan: http://hijackthis.de/logfiles/e0165bc35aca53c03e2f74b192f343e9.html

Run the Symantec removal tool:

http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

You should update IE even if you don’t use it because malware can still install through IE.

The latest version of Firefox is 1.5.0.2. You should consider updating to this version: the bugs have been ironed out now. If you have extensions installed, some of them may not work with 1.5 until they are updated.

If you want to stick with Firefox 1.x, you should update to 1.0.8 as this includes several important security fixes:

http://www.mozilla.com/firefox/releases/1.0.8.html

Damn… my computer is shutting down and a bluescreen is coming up,
I don't know what I have done…
I am writing in safe mode with networking now…

Now you are running NOD32 and avast!

You really should just stick to one AV!

I suspect this entry is a worm:

O4 - HKCU\..\Run: [Bjf] C:\Documents and Settings\Administrator\Mine dokumenter\??stem32\?srss.exe

I thought it might be part of PurityScan but obviously not.

I think the ? characters in the filename might be an attempt to hide or protect the file.

We need to try and remove it.

Boot into safe mode. (Tap F8 while rebooting.)

Start HijackThis!

Close all other windows.

Tick the box next to the above entry.

Click ‘Fix’ and reboot.

Reboot into safe mode and check that the entry has gone. Delete the file if you can find it. (You may need to enable ‘show hidden files and folders’: Tools > Folder Options > View.)

If this doesn’t work, I suggest running a few online scans to see if any of them identify or remove the worm.

Here are some good ones to try. (Disable your AV before running as you may get some false positives otherwise!)

http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://support.f-secure.com/enu/home/ols.shtml

Re the BSOD, I should try uninstalling avast! until you have removed NOD32.
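The two Run entries flagged in this thread (`W?nSxS\?ti2evxx.exe` and `??stem32\?srss.exe`, where the forum shows `?` for characters it could not display) illustrate a pattern worth checking mechanically: a filename that imitates a trusted one but contains non-ASCII look-alike letters, or a core system binary name running from outside the system directory. The Python below is an added example, not part of this thread or of HijackThis; the sample log lines are constructed from the log above, the Cyrillic letters are an assumption about what the `?` characters were, and the list of system32 basenames and the look-alike table are assumptions too.

```python
import re
import unicodedata

# Cyrillic letters that render like Latin i, A, y and c: assumed stand-ins for "?".
CYR_I, CYR_A, CYR_Y, CYR_C = "\u0456", "\u0410", "\u0443", "\u0441"

# Constructed sample in HijackThis O4 format, modelled on the entries in the log above.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Bjf] C:\Documents and Settings\Administrator\Mine dokumenter'
    + f'\\s{CYR_Y}stem32\\{CYR_C}srss.exe',
    r'O4 - HKCU\..\Run: [Sivjrrb] C:\Programfiler' + f'\\W{CYR_I}nSxS\\{CYR_A}ti2evxx.exe',
])

# One O4 entry: hive, [name], optionally quoted path ending in .exe, optional arguments.
O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\Run: \[(.*?)\] "?(.+?\.exe)"?(?:\s.*)?$',
                   re.IGNORECASE)

# Basenames that live in C:\WINDOWS\system32 on the machine in this thread (Windows
# core processes plus the ATI hotkey poller); the same name elsewhere is suspicious.
SYSTEM32_NAMES = {"csrss.exe", "smss.exe", "svchost.exe", "winlogon.exe",
                  "lsass.exe", "services.exe", "ati2evxx.exe"}
SYSTEM_DIRS = {r"c:\windows\system32"}

# Small look-alike table (assumption: a real tool would use the Unicode confusables data).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0410": "A", "\u0421": "C",
    "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0425": "X", "\u0422": "T",
})


def fold(text: str) -> str:
    """Map known look-alike characters onto the Latin letters they imitate."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)


def analyse_o4(log_text: str) -> list:
    """Return a finding for every Run-key entry whose file looks disguised."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, path = m.groups()
        reasons = []
        odd = sorted({c for c in path if ord(c) > 127})
        if odd:  # letters outside ASCII that make the path look like a trusted one
            reasons.append("non-ASCII characters in path: " + ", ".join(
                f"{c!r} ({unicodedata.name(c, 'unknown')})" for c in odd))
        directory, _, basename = fold(path).lower().rpartition("\\")
        if basename in SYSTEM32_NAMES and directory not in SYSTEM_DIRS:
            reasons.append(f"{basename} running outside the system directory ({directory})")
        if reasons:
            findings.append({"hive": hive, "name": name, "path": path, "reasons": reasons})
    return findings
```

Running `analyse_o4(SAMPLE_LOG)` reports only the `Bjf` and `Sivjrrb` entries, each for both reasons, and leaves the legitimate NOD32 and ctfmon entries alone.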