Re: Log file
It's hard to spot the culprit/s when you have this many apps running in the background. You need to disable all apps from loading at startup. Also run AdAware to get rid of easy to clean malware. Then run HijackThis.
Anyway, these entries look suspicious. You can get rid of them by searching and noting down their locations (remember to unhide hidden files and "search within hidden files" in Windows search). Reboot into safe mode (F8), and delete them. Remember most malware is extremely intelligent. Even if you miss cleaning 1 file, most probably it'll replicate all files you just deleted.
These entries look suspicious -
C:\WINDOWS\SYSTEM\MPREXE.EXE ---> ok to have on win9x. But in your case I reckon it's the trojan Win32.Banker.B. Look for files lds_f3.dll, iesprt.sys in windows/ or windows/system or windows/system32 to spot infection. Mark them for deletion using the above safe mode boot method.
Also check for programfilesdir+\common files\wintools\wtoolsb.dll----> if it exists, mprexe.exe is a pest.
C:\SVCHOST.EXE ---------> gotcha, this is mediatickets hiding behind a false name. Many spyware/malware programs use filenames of usual, non-malware programs. This is an excellent example.
C:\WINDOWS\SYSTEM\PSTORES.EXE ------>The pstores.exe process is used by Internet Explorer and Outlook in order to store sensitive information in your computer's registry securely. Anyway, AdAware will get rid of it if it's malware using an innocent name. Run a scan.
Following entries need to be cleaned using HijackThis AFTER deleting the above threats and rescanning with HijackThis
Suspect-
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Doubt -
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
Definitely malware -
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
Doubt -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - *software-dl.real.com/262f0dc2d007c8745305/netzip/RdxIE601.cab
Also, I found these instructions at - *www.spywareremove.com
It should work if you're infected with ONLY mediatickets and not a combination of malware (which happens most of the time)
MediaTickets Removal Instructions
Before you can delete files, you must first stop all the MediaTickets processes that are running in memory.
Do this by ending all processes from the Task Manager.
Press CTRL+ALT+DELETE to open the Windows Task Manager. If you see multiple
"tabs," click on the "Processes" tab. For each process that you would like
to kill, find the process name in the list, click it to select it, and click
the "End Process" button.
Delete registry values Instructions:
Open the Windows Registry Editor by clicking on the Windows "Start" button,
clicking "Run," and typing "regedit" into the box in the Window that appears. Click "OK".
Once the Registry Editor is open, navigate through the registry tree to the
location of the key that you wish to delete. When you find the key or
value to be deleted, click on it to highlight it and press the "DELETE" key.
Delete Registry Values:
{81EB72D7-3949-450F-B035-DE599959814F}
{20F13844-04BC-4987-9964-2502F0DA54D3}
{9EB320CE-BE1D-4304-A081-4B4665414BEF}
Software\Microsoft\Windows\Current\Version\Internet Settings\ZoneMapDomainsmt-download.com
Unregister DLL Instructions:
To un-register a DLL file, first locate the file on your hard drive.
Open a command prompt window by clicking on the Windows "Start" button,
clicking "Run," and typing "cmd" into the box in the Window that appears. Click "OK."
Next type "regsvr32 /u " and press the "ENTER" key.
For example, to un-register a file called "myDll.dll" which is located in
the "C:\windows\system32" folder, you would type
"regsvr32 /u C:\windows\system32\myDll.dll" and press the "ENTER" key.
Delete File Entries:
MediaTicketsInstaller.inf
MediaTicketsInstaller.ocx
Best of luck and upgrade to SP2, run AdAware regularly.
Cheers,
Keith
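
The manual check described in the post above (a familiar Windows filename such as SVCHOST.EXE sitting in an unusual directory, plus the O15 Trusted Zone entries) can be scripted. This is an added example, not part of Keith's post; the expected-directory table is an assumption to adjust for the Windows version in use, and the sample log is constructed from entries quoted in the post.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Assumption (not from the post, apart from the MPREXE.EXE location it calls
# normal on Win9x): directories where these system binaries usually live.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "mprexe.exe": {r"c:\windows\system"},
}

PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (\S+)$")


def review_log(text):
    """Return (process paths with a system name in an unexpected directory,
    Trusted Zone domains) so both can be reviewed by hand."""
    masquerading, trusted = [], []
    for line in text.splitlines():
        line = line.strip()
        match = TRUSTED_RE.match(line)
        if match:
            trusted.append(match.group(1))
        elif PROCESS_RE.match(line):
            expected = EXPECTED_DIRS.get(basename(line).lower())
            folder = dirname(line).lower().rstrip("\\")
            if expected and folder not in expected:
                masquerading.append(line)
    return masquerading, trusted


# Constructed sample built from the entries quoted in the post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\SVCHOST.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
"""

if __name__ == "__main__":
    suspects, zones = review_log(SAMPLE_LOG)
    for path in suspects:
        print("system filename in unexpected directory:", path)
    for domain in zones:
        print("Trusted Zone entry to review:", domain)
```

A path check like this only catches name reuse outside the expected directory; a file in the expected location, such as the MPREXE.EXE entry discussed in the post, still needs the file-based checks given there.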