[Katfeesh]

When my computer is idle an instance of the IE will come up pointing to the following URL: http://69.50.160.100...lick/popup2.php

I've seen this problem listed on the board before, but I have done all I can as a lurker and need your assistance.

Here is my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 8:00:48 PM, on 12/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\anvshell.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Documents and Settings\michael\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://services.hmk...tsweb/msrdp.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/p...12/invinstl.exe
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcaf...0,2/mcmysec.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup154.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...411/mcfscan.cab
O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - http://fdl.msn.com/p...10/investor.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[Advertisements]

Did I post this incorrectly? I tried to follow the directions listed here.

I'm just a lowly newbie trying to get a problem solved...can anyone help?

Please

[Katfeesh]

Did I post this incorrectly? I tried to follow the directions listed here.

I'm just a lowly newbie trying to get a problem solved...can anyone help?

Please

[admin]

Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in here.

How to use Lavasoft's VX2 Cleaner plug-in

• Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
• Install the VX2 Cleaner
• Start Ad-Aware SE build 1.05
• Go to “Plug-ins”
• Select the VX2 Cleaner plug-in and click “Run Plugin”
• If your computer isn't infected, click "close"

If your computer is infected:

• Select “Clean System”
• Reboot your computer
• Scan your computer with Ad-Aware
• Remove any VX2 objects detected
• Reboot your computer again
• Run a second scan to make sure the files have been removed from your computer

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.

[Katfeesh]

Thank you for the reply!
OK. Installed and ran VX2 cleaner, and it came back "clean". Which is good, but unfortunately this strange little popup is still showing up on my PC.

Any other suggestions? I can re-run HJT and post the log, but it's the same as I posted earlier.

This little bugger is a toughie! I have Spybot S&D, Spyware Blaster, Ad-Aware, HJT and Norton AV (all updated to the most current revisions) and yet at least twice a day I get the popup.



(BTW: Happy holidays to you and yours)

[PollutedPaladin]

Try deleting your cookies by going to C:\Documents and Settings\user\Cookies and delete your cookies (you can't delete the index).

[PollutedPaladin]

Or you can launch Internet Explorer, click on Tools, then click on Internet Options. Click on the General tab, then click on Delete Cookies and click on OK.

[Katfeesh]

I actually do that on a regular basis.
I've gone so far as to use Spybot's "Secure Shredder" utility as well (adding IE cookies, files and temp folder files).

Alas, to no avail. This insidious little popup remains.

[coachwife6]

Please post another log.

[Metallica]

Katfeesh,

I assumed you were following the other thread about these popups.

Check if you can find this file:
C:\WINDOWS\system32\msvcrta.dll

If so:
Copy the part in bold below into notepad and save it as webcheck.reg
(Set filetype to "All files")


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"



Then doubleclick the file you made and confirm you want to merge it with the registry.

Reboot and let me know if you can delete C:\WINDOWS\system32\msvcrta.dll

Regards,

Pieter

[Katfeesh]

Metallica,

Created the file to add the registry key. Merged the file into the registry, found C:\WINDOWS\system32\msvcrta.dll, rebooted...still could not delete msvcrta.dll.
(Although I checked and the keys looked fine).

So I got 'clever' and went into an MS-DOS prompt and even though I couldn't erase the file there, I renamed it to msvcrta.old.
Rebooted again and then deleted the C:\WINDOWS\system32\msvcrta.old file.

It's been 8 hours, and so far no return of the infamous pop-up!
Not sure if we've affected a cure yet, but I'm hopeful.
I will keep an eye on this for another day and see if the problem returns (or not) and post an update.

A couple of questions arise:
1) What was that file?
2) If it was picked up from a website how did it 'slip by' Spybot S&D, Ad-aware, NAV 2004 & Spyware Blaster?
3) How did was the file able to create an instance of IE when all the processes running seemed to be 'legit' (i.e. how were these pop-ups created when there seemed to be no 'bad' processes running?).

Thanks for the help! As I mentioned before I will post an update in a day regarding this problem.
-Feesh

[Metallica]

Hi Katfeesh,

That was excellent thinking.

Can you see if you have a entry for 0cat Yellowpages under Add/remove Software.
We have reason to believe it was bundled with that.

If you have that entry don't do anything with it yet.

Regards,

Pieter

[Katfeesh]

Yes I saw the 0Cat software awhile ago when I was working on this problem alone.
Of course I removed it back then sorry.

Looks like msvcrta.dll is the culprit (12 hours, no popup) but I'm still curious how it got by all the aforementioned defenses.

[Metallica]

I'm not sure when the CLSID for the installer was added to SpywareBlaster, but I think we can rule the ActiveX install out.

I am not sure where and how 0cat is installed, but we have very good reasons to believe it is a side-effect (or maybe even their main reason of existence) of that.

Regards,

Pieter

[omniviz]

Thanks Metallica!

I have been trying to figure out how to get rid of these pop ups for weeks now. Just this morning I noticed the a[1].com file in my temporary internet files directory (after having cleared the directory last night). I just googled the IP address inside the file and found this thread.

I have followed your directions and hopefully, like Katfeesh, I will be rid of these pests.

[Metallica]

Just this morning I noticed the a[1].com file in my temporary internet files directory (after having cleared the directory last night). 

Could you send me a copy of that file?

pieterATwilderssecurity.org (replace AT with @)

TIA,

Pieter