I too have seen this particular file and folder on several computer systems where I work. It totally walks around and all over antivirus protection. Seems that there are a few things that happen with this. First, on client systems we noticed system slowdowns, IE wouldn't perform right, sometimes users would log on only to get dumped to an "iconless" empty desktop (meaning the Explorer shell got corrupted I believe), then network traffic would cease, and you would also lose your ability to run Task Manager (but you could still run tasklist or taskkill if need be from the DOS cmd line on XP machines). We also got alerts about our firewall showing HIGH activity (I mean ABUSE) of port 445 and 6101 traffic. 445 being AD Dir Svc and 6101 is known for Veritas BackupExec (from what I hear). Seems this MediaPass garbage comes in paired with something else...you have MediaPass.exe and MediaPassK.exe sitting in C:\Program Files\Media Pass as well as a registry entry in HKLM\Software...and then you have a partner in crime as we've labelled it in the form of a fake iTunes file called "itunes.exe" that puts itself right into the C:\windows\system32 directory. Another piece of spyware/adware that seems to come with this is "salm.exe". All of these appear in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the iTunes and Media Pass have also appeared in the HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices. The ONLY thing we have found effective is to do one of two things...on XP use System Restore and go back a couple of weeks if possible (far back as reasonable for you) or the other method we have used to rid ourselves of this stuff is to reboot into SAFE MODE (without networking). Once in SAFE MODE go to Add/Remove Programs. If you have the REAL iTunes software, then you do NOT need to uninstall it. The bogus itunes is just one file with a few registry entries sprinkled in the reg, NOT the real deal not even a b---tardized version of it so don't worry.
In Add/Remove Programs...uninstall Media Pass and also look for anything else that looks "off" and remove anything that you know isn't supposed to be there...especially if you KNOW or think you KNOW that you did NOT install it. (We have found out that MediaPass.exe is a malware/adware/spyware conduit through which bad software can be pulled down and installed to a computer system (XP/2003 mainly) totally WITHOUT user intervention!!). After Add/Remove cleanup, check the registry, specifically the keys mentioned above. Look for ANY mention of itunes.exe, salm.exe, Media Pass, MediaPass.exe, MediaPassK.exe, Ctxlsp (or something like that), and anything else that looks amiss...and KILL IT. BUT BEWARE...if you are NOT comfortable mucking around in the Windows registry - stay out or seek help in doing so! One false key press or delete...and blam! Windows is dead, maybe for good. With the registry hacks out of the way, move on to your hard drive...look for itunes.exe sitting in your \system32 directory - kill it. Also, look for C:\Program Files\Media Pass - kill the contents of the folder, then kill the entire Media Pass folder. Look for ANYTHING else in C:\Program Files that looks "off" and eliminate it...even if you already did Add/Remove and the reg hacks. Now after having done that, you should get a copy of both AdAware 1.05SE and Microsoft AntiSpyware beta. IN SAFE MODE...Install AdAware, run a FULL SCAN, doing a reboot scan if you are asked, again reboot into SAFE MODE ONLY! After that, yes, reboot into SAFE MODE again. This time install MSFT Antispyware beta, run it, let it clean what it finds, configure it to do automatic updates. The last part is VERY important...you need to update your Windows XP/2003 machine with ALL available critical updates AND you need to turn on your firewall! If you have a 3rd party firewall, good for you. TURN IT ON! It will save you from this thing attacking you again through port 6101 or 445 (if you are in an AD environment).
As I said above, this thing comes in attacking from dynamic ports to specific dest ports TCP 445 and 6101...if you have a complex sw or hw firewall, I suggest writing a rule to KILL 445 and 6101 from doing business externally from your computer...besides why would you need your computer to share port 445 (AD Directory Services) and port 6101 (known for Veritas BE use) to share traffic with the Internet world???
Hope this helps! And I hope SOMEBODY out there at one of the antivirus companies finds out just WHAT THE #@%#$%#%#$%$#%$# this thing is and comes up with a better, faster, cleaner way to kill this thing off!! In the meantime, shields up, red alert! And I'm not kidding unless you want to get reinfected by this crap! And for God's sake, stay away from anything Esquire magazine offers in the way of a download *if* it is really true that they are offering Media Pass bundled with any downloads they offer!
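The registry check described in the post, as an added example that is not part of the original post: a read-only triage of saved `reg query` output from several machines that flags the autorun entries the post names while leaving a real iTunes install alone. The value names, the `/auto` argument and the matching rules are constructed assumptions; only the file names, folder and registry keys come from the post.

```python
import re

# Names come from the post; how they are matched is an assumption of this example.
SUSPECT_FILES = {"mediapass.exe", "mediapassk.exe", "salm.exe"}
SUSPECT_DIR = "\\program files\\media pass\\"
FAKE_ITUNES = "\\system32\\itunes.exe"  # the real iTunes does not autorun from system32
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample of saved `reg query` output (value names and arguments are made up).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    iTunesHelper    REG_SZ    "C:\Program Files\iTunes\iTunesHelper.exe"
    itunes    REG_SZ    C:\WINDOWS\system32\itunes.exe
    Media Pass    REG_SZ    "C:\Program Files\Media Pass\MediaPass.exe" /auto
    salm    REG_SZ    salm.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    MPK    REG_SZ    C:\Program Files\Media Pass\MediaPassK.exe
"""

def parse_reg_query(text):
    """Yield (key, value name, data) for every value line under each key header."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group("name"), m.group("data").strip()

def command_path(data):
    """Return the lowercased executable path of an autorun command, without arguments."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return (m.group(1) if m else data).lower()

def find_suspects(text):
    """Return (key, value name, reason) for Run/RunServices entries matching the post."""
    hits = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().endswith(RUN_KEYS):
            continue
        path = command_path(data)
        if path.rsplit("\\", 1)[-1] in SUSPECT_FILES:
            hits.append((key, name, "file name listed in the post"))
        elif SUSPECT_DIR in path:
            hits.append((key, name, "runs from the Media Pass folder"))
        elif path.endswith(FAKE_ITUNES):
            hits.append((key, name, "itunes.exe in system32"))
    return hits
```

Calling `find_suspects(SAMPLE)` returns the four constructed entries that match and skips `iTunesHelper`, which points at the real install folder.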