MediaTickets

[BagEnd Bubba]

MSA finds <MediaTickets CDT> Spyware but ignores it when
requested to remove it. Threat = Severe. MSA lists 6
files under <MediaTickets CDT>:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains|*.com*

How do I get this Spyware off my machine, and how do I
keep it off?

BEB

 

[Andre Da Costa]

Here is a link to removal instructions:
http://www.scanspyware.net/info/MediaTickets.htm

 

[Randy Knobloch]

MSA finds <MediaTickets CDT> Spyware but ignores it when
requested to remove it. Threat = Severe. MSA lists 6
files under <MediaTickets CDT>:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Internet Settings\ZoneMap\Domains|*.com*

How do I get this Spyware off my machine, and how do I
keep it off?

Your Spyware Pest >
<http://www.doxdesk.com/parasite/MediaTickets.html>

Run "HijackThis";
<http://www.mvps.org/winhelp2002/unwanted.htm>
Post your log here, for expert analysis;
http://aumha.net/viewforum.php?f=30

How do I keep it off?
See, Setting the Internet Zone.
http://www.mvps.org/winhelp2002/restricted.htm
Run a "HOSTS" file;
http://www.mvps.org/winhelp2002/hosts.htm

How did I get Infected in the first place?
http://boards.cexx.org/viewtopic.php?t=957

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Security (AH-VSOP)
__________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

(Reply to group, as return address
is invalid - that we may all benefit)

 

[Bill Sanderson]

Except that I don't think he actually has the pest. He has an innoculation
in the restricted sites list--and perhaps an improperly coded one at
that--that is being called out by Microsoft Antispyware.

There's either nothing to fix, or there's something whatever program created
the innoculation needs to fix.

 

[Randy Knobloch]

Except that I don't think he actually has the pest. He has an innoculation in the
restricted sites list--and perhaps an improperly coded one at that--that is being
called out by Microsoft Antispyware.

There's either nothing to fix, or there's something whatever program created the
innoculation needs to fix.

Meaning a third-party app has put the item in that zone and MSAS is flagging it?
Gone chance, Bill. I've seen Ad-aware and WinPatrol false-flag items that way.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains

Silj


--
siljaline

MS - MVP Windows (IE/OE) & Security (AH-VSOP)
__________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

(Reply to group, as return address
is invalid - that we may all benefit)

 

[Bill Sanderson]

Right. There's another post here somewhere stating that, I believe, Spybot
Search & Destroy with the current (march something) updates has some bad
coding in this area. I'll have to find the reference and go read the
forum--not sure this is the same issue. A number of people are hitting this
same MediaTickets issue--so there's something going on, but I don't think it
is the real deal--I think its a mishap of some kind involving several
anti-spyware apps.

 

[Steve Moss]

I have encountered a MediaTickets CDT report by MSAS today, using the
5699 definitions. I am certain this is a false positive, as all the
threat locations reported by MSAS are in fact sites specified in my IE
Restricted Sites list. Also, I can categorically report that these
sites are added by IE-SPYAD, whose updated list I downloaded and
installed yesterday.

It seems that MSAS is not taking into account the context of the
registry values: if the values were in the Trusted Sites list they
would indeed be a severe threat, but they are not.

 

[Bill Sanderson]

Thanks, Steve--looks like this one is still not fixed.

 

[Steve Dodson [MSFT]]

Steve,

When you ran IE-SPYAD, what option did you choose to get the false positive?

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

 

[Steve Moss]

When you ran IE-SPYAD, what option did you choose to get the false
positive?

There was no FP on installing IE_SPYAD - the FPs occurred when
performing the subsequent MSAS scan.

 

[Bill Sanderson]

Can you give us a step by step?

assume a clean install of the os, and go from there?

 

[Steve Dodson [MSFT]]

I could not repro this. Here is what I did:

1) Verify MWAS was at 5699 Sig.
2) Download and run install.bat for IE-SPYAD
3) Select number 2 to Install the New IE-SPYAD List
4) Perform a full scan with MWAS
5) I get 0 threats detected with MWAS

Can you provide a step by step repro?
--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

 

[Steve Moss]

Bill, Steve:

1. I downloaded and installed the IE_SPYAD2 installer released 20th
March (Note that is IE_SPYAD2, not IE_SPYAD).
2. I uninstalled the existing version, using it's install.bat
3. I installed the 20th March version, using it's install.bat. MSAS was
running, with the 5699 definitions in place. No threat reports were
encountered at that time.
4. On 21st March I next ran an MSAS scan - this is when I encountered
the threat reports.

I'm sorry, but I'm not currently in a position to repro this, as I no
longer run the MSAS beta on the machine concerned. If I get the chance,
I will try to repro it on another machine and report back here (don't
hold your breath, though).

 

[Bill Sanderson]

Thanks, Steve--I'm downloading from:

http://netfiles.uiuc.edu/ehowes/www/res/ie-spyad2.exe

with the intent of testing this now. (or at least by tomorrow some time!)

 

[Bill Sanderson]

And here's my result:

MediaTickets CDT

Type: Spyware

Threat Level: Severe

Author: CDT inc. / Integrated Search Technologies

Description: Mediatickets is a spyware program that displays advertisements,
reduces the security settings for the Trusted Sites zone in Internet
Explorer, and attempts to fraudulently install trusted publishers.

Advice: Severe-risk items have an extreme potential for adverse effect, such
as a security exploit, and should be removed.

About Spyware: Software that collects information, such as the websites a
user visits, without adequate consent. This may include installing without
prominent notice or running without a clear method to disable.

---------------------------------------------------------------------

The detailed results are only available via balloons from which I can't
copy/paste. I'll retype the first one--I think I have 18.

They are all of the form:

Registry key/value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings\ZoneMap\Domains\........

Looks like there's a pattern--for example: blazefind.com, followed by
blazefind.com*4








--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Thanks, Steve--I'm downloading from:

http://netfiles.uiuc.edu/ehowes/www/res/ie-spyad2.exe

with the intent of testing this now. (or at least by tomorrow some time!)

 

[Bill Sanderson]

I've now run the uninstall for IE-SPYAD2, but will wait for tomorrow to do
another scan and see what the result is.

 

[Steve Moss]

Hi Bill,

OK, it seems you have been able to confirm the FP. I'll leave it with
you (and MS) then ;-)

 

[Bill Sanderson]

Yep--thanks very much for keeping us looking at this one--I'll make sure
that reproducable steps are available to Microsoft.

FWIW, I uninstalled IE-SPYAD2, and the MediaTickets issue went away.

And, interestingly enough, I also found a PoeBOT (also a false positive)
sitting in quarantine, although not reflected in the stats for any of the
scans. It is too bad that you cannot see the detailed locations and files
for items in quarantine--I was certain that Poebot was a false positive, but
there was no choice but to either blow it away or restore it--blindly.

 

[Bill Sanderson]

A succeeding scan, after removing IE-Spyad2, removes the MediaTickets
detection.

--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I've now run the uninstall for IE-SPYAD2, but will wait for tomorrow to do
another scan and see what the result is.