Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

How to delete Trojan :Mediaticketinstaller?


  • Please log in to reply

#1
bugs

bugs

    Member

  • Member
  • PipPip
  • 60 posts
I ran AntiVir program which detecetd mediaticketsinstaller.obx in an archive and said it could not be deleted. Please advise on how I might be able to delete this trojan. Thanks! Dave
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Can you post a HijackThis log.
I think it will be listed under O16, but post the full path to the archive that AntiVir reports as being infected.

Regards,
  • 0

#3
bugs

bugs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Here is report from AntiVir:



C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8TQRSPM7
MediaTicketsInstaller[1].cab
ArchiveType: CAB (Microsoft)
--> MediaTicketsInstaller.ocx
[DETECTION] Is the Trojan horse TR/Dldr.PurScan.B.1


Thanks for helping :-)!

Dave
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
In IE click Tools > Internet Options > General tab > click delete Files and put a checkmark in the include Offline content box.

That should do it.

Regards,
  • 0

#5
bugs

bugs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Thanks for the info! I tried that twice without any success. Any other suggestions?

Thank! Dave
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Reboot into safe mode and use the DiskCleanup Tool to empty all your Temp folders. (Including the Temp Internet Files)

Regards,
  • 0

#7
bugs

bugs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Hi: I did the reboot in safe mode and deleted all temp files including temp internet files. AntVir is still detecting it??? What should I try next?

Thank you.

Dave
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Now I will really have to see a HijackThis log.

Regards,
  • 0

#9
bugs

bugs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Here is the log:



Logfile of HijackThis v1.99.1
Scan saved at 9:45:56 AM, on 5/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\PLook\Plook.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Iomega\Iomega Backup\dtsc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\iTouch\kbdtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\msniasvc.exe
C:\Documents and Settings\David Bugden\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Plook] C:\Program Files\PLook\Plook.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Plook] C:\Program Files\PLook\Plook.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Time Clock.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BFB9201-4F75-4CA0-BE2F-9FDDFAD961F8}: NameServer = 198.6.100.125 198.6.1.125
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
  • 0

#10
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
I see no sign of it being installed or in use. :tazz:

In HijackThis click Config > Misc Tools > Delete a file on reboot
Show it the way to MediaTicketsInstaller[1].cab

and reboot when prompted to.

Let me know if that gets rid of it.

Regards,
  • 0

#11
bugs

bugs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
I tried that and I got as far as system profile and opened that folder and there was not "local settings" there to open next???

I did a search and found the file. Would it be safe to just delete the file from the search utility? Would that get rid of it? Thanks! Dave
  • 0

#12
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Safe it is, but I'm afraid it won't work. For the same reason it didnt work when you emptied your Temp folders and the Temp Internet Files.

But it certainly won't hurt to try.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP