[vangogh]

Hi Guys, I think you're doing great work and i'm following the topic with interest, since I have exactly the same problem. Maybe I can help with some more info:
First of all I don't think automatic windows update has anything to do with it. When my pop-ups started I had Win XP sp1 (with updates turned off). I tried to install SP2, but that didn't solve the problem (I also have tried everything you guys have done plus lots and lots of firewalls, spyware stuff (also Giant anti Spyware, recently aquired by Microsoft [somehow i think that's connected with this]). SP2 slows down my internet surfing so much that I removed it again. Now I'm back at Win XP SP1, automatic updates turned off, and stilol the pop ups!
It all started with a virus like application 0catyellowpages.com. But the the problem seems to be polymorphic since it has changed over the last 4 days.

My pc connects to these webpages when teh pop-up shows: http://69.50.160.100...php?acc=acc0001 (custblock.intercage.com)
and: xlstcache.alexa.com

This is the log of the windows firewall:

2004-12-22 22:49:00 OPEN TCP xxx.xxx.x.x 207.46.157.124 1043 80 - - - - - - - - -
2004-12-22 22:49:01 CLOSE TCP xxx.xxx.x.x 207.46.157.124 1043 80 - - - - - - - - -

2004-12-22 22:49:37 OPEN TCP xxx.xxx.x.x 69.50.160.98 1044 5556 - - - - - - - - -
2004-12-22 22:49:38 CLOSE TCP xxx.xxx.x.x 69.50.160.98 1044 5556 - - - - - - - - -


2004-12-22 22:50:39 OPEN TCP xxx.xxx.x.x 69.50.160.100 1046 80 - - - - - - - - -
2004-12-22 22:50:54 CLOSE TCP xxx.xxx.x.x 69.50.160.100 1046 80 - - - - - - - - -


I will try to rinstall IE 6.0 like you did. It's the only thing I haven't tried yet.

[Advertisements]

Can you guys do me a favor and see if you can find a file matching this description:
http://secunia.com/v...ecurityadvisor/

Regards,

Pieter

[Metallica]

Can you guys do me a favor and see if you can find a file matching this description:
http://secunia.com/v...ecurityadvisor/

Regards,

Pieter

[JeffR]

Pieter,

I think I may know what it is! Since yesterday, I've been having several emails back and forth with another person suffering from this. He's been running Wintask 5 Professional, and solved his problem by removing some keys from his registry, after he noticed a process running msvcrta.dll just prior to the popups.

These are the registry keys he removed:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\WIN2000\system32\msvcrta.dll
ThreadingModel Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\WIN2000\system32\msvcrta.dll

Now that my popups are gone (hopefully due to reloading IE6), the data in my registry for those keys is webcheck.dll, not msvcrta.dll, but I do find a msvcrta.dll file in my \system32 folder. And I do not find it on my other (notebook) Win2K machine.

And I just found something (in Italian unfortunately) about it at http://www.virit.com...eda.asp?num=356

I haven't spent much time yet with your Win32.Holax.A suggestion. But a quick look at that link you just sent talks about .dll files that start with MS. And this one does. This may be another blind alley, but I'm really getting suspicious about this msvcrta.dll file. I'll email a copy to you now.

Jeff

[vangogh]

I read the discription, but it doens't give anything that I can specifically look for. I have searched for ms*.dll files in the system32 directory, and there a lot of these, but none with a recent date. (My pc is running Norton AntiVirus 2004, has Symantec already signitures for this virus?)

[JeffR]

vangogh,

Do you have a file named msvcrta.dll?

[vangogh]

I still have these keys in my registry

[size=1]HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\Windows\system32\msvcrta.dll
ThreadingModel Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\Windows\system32\msvcrta.dll


Also the msvcrta.dll file (and lot's with similar names: msvcrtd.dll, msvcrt20.dll msvcrt40.dll etc.)

[vangogh]

the file dates form 17-6-2004 11kb

[vangogh]

wait a sec. It sys the file is created dec 16, 2004 and changed in 17-6-2004 ???

[JeffR]

Vangogh,

I am no expert. But I've been learning a lot more than I ever wanted to know about this stuff. But I strongly suspect that the msvcrta.dll file is the killer. All the other msvcrtxx.dll files are probably good legitimate (important!) files.

If you do any changes to the registry, be sure to export a backup first, in case you need to import it again. And I take no responsibility for anything bad that happens. (Although I'm happy to take credit for good stuff ;-) Pieter (Metallica) is the expert ... not me.

That being said, you may want to try either deleting those registry entries with the msvcrta.dll data. Or change the msvcrta.dll to webcheck.dll. (That's what mine now say, and that's what it says in my other (non-infected) PC.)

Good luck!

Jeff

[vangogh]

There is another file with the same date that is having that strange date thing: openbl32.dll

Do think deleting de msvcrta.dll file + registry is the solution to the problem? It looks like the problem is bigger than just the file (reading the secunia description).

[vangogh]

The strange thing is that I haven't been having pop-ups since yesterday. And I haven't changed anything to my system (even de reinstall of IE6 wouldn't go because I had a newer version (still form SP2 I think).

[JeffR]

Vangogh,

Again, I'm no expert, but ...

If I were you (or you were me), I'd be so frustrated and eager to fix it, that I'd probably go ahead and (make a registry backup first!) change those registry entries to the data is webcheck.dll instead of msvcrta.dll. And see if that stops the popups. But ... one more time ... I'm not an expert. I don't even play one on TV.

I have the same date anomaly on my msvcrta.dll file. I think the creation date is the date it got "created" on our PC's. Possibly when the trojan loaded it on our PC's. The modified date is when the bad guys really created it(?)

Jeff

[JeffR]

Oh ... I didn't get your post about not getting popups anymore, until after my last post. That's too bad. I'm afraid maybe we all think we solved it, when actually the bad guys just turned it off for Christmas. :-(

I'll wait for Pieter to take a look at the msvcrta.dll file I emailed him. He's the real expert.

Jeff

[vangogh]

another thing: When I do an agent ransack search for containing text 'msvcrta.dll', I get a lot of results in the index.php files in ...temporary internet files\content.ie directories.

Ransack is still searching...

[vangogh]

I think I will leave de msvcrta.dll and see if any more pop-ups will come