Popups - I need help from an expert

#46 vangogh (Member, 23 posts)
Hi guys, I think you're doing great work and I'm following the topic with interest, since I have exactly the same problem. Maybe I can help with some more info:
First of all, I don't think automatic Windows Update has anything to do with it. When my pop-ups started I had Win XP SP1 (with updates turned off). I tried to install SP2, but that didn't solve the problem (I have also tried everything you guys have done, plus lots and lots of firewalls and spyware stuff (also Giant AntiSpyware, recently acquired by Microsoft [somehow I think that's connected with this])). SP2 slows down my internet surfing so much that I removed it again. Now I'm back at Win XP SP1, automatic updates turned off, and still the pop-ups!
It all started with a virus-like application, 0catyellowpages.com. But the problem seems to be polymorphic, since it has changed over the last 4 days.

My PC connects to these webpages when the pop-up shows: http://69.50.160.100...php?acc=acc0001 (custblock.intercage.com)
and: xlstcache.alexa.com

This is the log of the Windows Firewall:

2004-12-22 22:49:00 OPEN TCP xxx.xxx.x.x 207.46.157.124 1043 80 - - - - - - - - -
2004-12-22 22:49:01 CLOSE TCP xxx.xxx.x.x 207.46.157.124 1043 80 - - - - - - - - -

2004-12-22 22:49:37 OPEN TCP xxx.xxx.x.x 69.50.160.98 1044 5556 - - - - - - - - -
2004-12-22 22:49:38 CLOSE TCP xxx.xxx.x.x 69.50.160.98 1044 5556 - - - - - - - - -


2004-12-22 22:50:39 OPEN TCP xxx.xxx.x.x 69.50.160.100 1046 80 - - - - - - - - -
2004-12-22 22:50:54 CLOSE TCP xxx.xxx.x.x 69.50.160.100 1046 80 - - - - - - - - -


I will try to reinstall IE 6.0 like you did. It's the only thing I haven't tried yet.
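The firewall log lines in the post above are the kind of artifact a responder wants to turn into connection records rather than read by eye. The following is an added example, not code from this thread: it parses the XP firewall log layout (date, time, action, protocol, source, destination, source port, destination port, then unused fields shown as "-"), pairs each CLOSE with its OPEN to get the connection duration, and flags destinations worth a closer look. The sample log is built from the six lines quoted in the post; the watch-list prefix (69.50.160.) and the "web ports only" rule are assumptions for the example, not something the thread establishes.

```python
"""Pair OPEN/CLOSE events from a Windows Firewall (pfirewall.log) export.

Added example for this thread, not the poster's code. The sample log is
constructed from the lines quoted in the post; the watch list and the
expected-port set are assumptions for illustration.
"""
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "when action proto src dst sport dport")
Flow = namedtuple("Flow", "proto src sport dst dport opened closed seconds")

# Constructed from the post above; the source address is masked there as well.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-12-22 22:49:00 OPEN TCP xxx.xxx.x.x 207.46.157.124 1043 80 - - - - - - - - -
2004-12-22 22:49:01 CLOSE TCP xxx.xxx.x.x 207.46.157.124 1043 80 - - - - - - - - -
2004-12-22 22:49:37 OPEN TCP xxx.xxx.x.x 69.50.160.98 1044 5556 - - - - - - - - -
2004-12-22 22:49:38 CLOSE TCP xxx.xxx.x.x 69.50.160.98 1044 5556 - - - - - - - - -
2004-12-22 22:50:39 OPEN TCP xxx.xxx.x.x 69.50.160.100 1046 80 - - - - - - - - -
2004-12-22 22:50:54 CLOSE TCP xxx.xxx.x.x 69.50.160.100 1046 80 - - - - - - - - -
"""

# Assumption: the 69.50.160.x hosts named in the post are treated as suspect.
WATCHED_PREFIXES = ("69.50.160.",)
# Assumption: a browser session should only need these destination ports.
EXPECTED_PORTS = {80, 443}


def parse_events(text):
    """Yield Event tuples, skipping the #Fields header, blanks and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            when = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
            sport, dport = int(fields[6]), int(fields[7])
        except ValueError:
            continue
        yield Event(when, fields[2].upper(), fields[3].upper(), fields[4], fields[5], sport, dport)


def pair_flows(events):
    """Match each CLOSE to the most recent unmatched OPEN of the same 5-tuple."""
    open_by_key = {}
    flows = []
    for ev in events:
        key = (ev.proto, ev.src, ev.sport, ev.dst, ev.dport)
        if ev.action == "OPEN":
            open_by_key[key] = ev.when
        elif ev.action == "CLOSE" and key in open_by_key:
            opened = open_by_key.pop(key)
            flows.append(Flow(*key, opened, ev.when, (ev.when - opened).total_seconds()))
    # An OPEN with no CLOSE in the log is still a connection; report it without a duration.
    for key, opened in open_by_key.items():
        flows.append(Flow(*key, opened, None, None))
    return flows


def suspicious(flows):
    """Return (flow, reason) pairs: watch-listed destinations or non-web ports."""
    hits = []
    for f in flows:
        reasons = []
        if f.dst.startswith(WATCHED_PREFIXES):
            reasons.append("destination on watch list")
        if f.proto == "TCP" and f.dport not in EXPECTED_PORTS:
            reasons.append("non-web port %d" % f.dport)
        if reasons:
            hits.append((f, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for flow, why in suspicious(pair_flows(parse_events(SAMPLE_LOG))):
        print("%s -> %s:%d (%s s): %s" % (flow.opened, flow.dst, flow.dport, flow.seconds, why))
```

Run against a real pfirewall.log, the same three functions work unchanged; the 5556/TCP connection to 69.50.160.98 stands out because nothing a browser does on its own needs that port.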


#47 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Can you guys do me a favor and see if you can find a file matching this description:
http://secunia.com/v...ecurityadvisor/

Regards,

Pieter

#48 JeffR (Topic Starter, Member, 46 posts)
Pieter,

I think I may know what it is! Since yesterday, I've been exchanging several emails with another person suffering from this. He's been running Wintask 5 Professional, and solved his problem by removing some keys from his registry, after he noticed a process running msvcrta.dll just prior to the popups.

These are the registry keys he removed:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\WIN2000\system32\msvcrta.dll
ThreadingModel Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\WIN2000\system32\msvcrta.dll


Now that my popups are gone (hopefully due to reloading IE6), the data in my registry for those keys is webcheck.dll, not msvcrta.dll, but I do find an msvcrta.dll file in my \system32 folder. And I do not find it on my other (notebook) Win2K machine.

And I just found something (in Italian unfortunately) about it at http://www.virit.com...eda.asp?num=356

I haven't spent much time yet with your Win32.Holax.A suggestion. But a quick look at that link you just sent talks about .dll files that start with MS, and this one does. This may be another blind alley, but I'm really getting suspicious about this msvcrta.dll file. I'll email a copy to you now.

Jeff

#49 vangogh (Member, 23 posts)
I read the description, but it doesn't give anything that I can specifically look for. I have searched for ms*.dll files in the system32 directory, and there are a lot of these, but none with a recent date. (My PC is running Norton AntiVirus 2004; does Symantec already have signatures for this virus?)

#50 JeffR (Topic Starter, Member, 46 posts)
vangogh,

Do you have a file named msvcrta.dll?

#51 vangogh (Member, 23 posts)
I still have these keys in my registry:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\Windows\system32\msvcrta.dll
ThreadingModel Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(Default) C:\Windows\system32\msvcrta.dll


Also the msvcrta.dll file (and lots with similar names: msvcrtd.dll, msvcrt20.dll, msvcrt40.dll etc.)

#52 vangogh (Member, 23 posts)
The file dates from 17-6-2004, 11 KB.

#53 vangogh (Member, 23 posts)
Wait a sec. It says the file was created Dec 16, 2004 and changed on 17-6-2004???

#54 JeffR (Topic Starter, Member, 46 posts)
Vangogh,

I am no expert, but I've been learning a lot more than I ever wanted to know about this stuff. I strongly suspect that the msvcrta.dll file is the killer. All the other msvcrtxx.dll files are probably good, legitimate (important!) files.

If you make any changes to the registry, be sure to export a backup first, in case you need to import it again. And I take no responsibility for anything bad that happens. (Although I'm happy to take credit for good stuff ;-) Pieter (Metallica) is the expert ... not me.

That being said, you may want to try either deleting those registry entries with the msvcrta.dll data, or changing the msvcrta.dll to webcheck.dll. (That's what mine now say, and that's what it says on my other (non-infected) PC.)

Good luck!

Jeff
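Posts #48, #51 and #54 together describe the check and the fix: the InProcServer32 value under CLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} names msvcrta.dll on the affected machines and webcheck.dll on a clean one, and the advice is to export a registry backup before touching it. The script below is an added example, not code from the thread or from any of the posters. It reads such a .reg export (the backup Jeff asks for), lists every InProcServer32 default value under a CLSID key, and reports the ones whose DLL file name is not the one expected for that CLSID; on Windows it can also read the same two hives live through the standard winreg module. The sample export is constructed from the values quoted in the thread, and the expected-DLL table is an assumption taken from Jeff's clean machine, not an authoritative list.

```python
"""Check a COM class's InProcServer32 binding against the DLL it should load.

Added example for this thread, not the posters' code. SAMPLE_REG is a
constructed regedit export of the keys quoted in the thread; EXPECTED_DLL
is an assumption based on the clean machine described in post #48.
"""
import ntpath
import re
import sys

# Assumption: webcheck.dll is the legitimate server for this CLSID (from post #48).
EXPECTED_DLL = {
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}": "webcheck.dll",
}

# Constructed: what regedit's "Export" writes for the keys quoted in post #51.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\system32\\msvcrta.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\system32\\msvcrta.dll"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_CLSID_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32$", re.IGNORECASE)


def _unescape(value):
    """Undo the backslash escaping regedit applies to REG_SZ values in a .reg file."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_inproc_servers(reg_text):
    """Return {registry key: DLL path} for every CLSID InProcServer32 default value."""
    bindings = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            # Only track keys of the form ...\CLSID\{guid}\InProcServer32.
            current = m.group("key") if _CLSID_RE.search(m.group("key")) else None
            continue
        if current and line.startswith('@="') and line.endswith('"'):
            bindings[current] = _unescape(line[3:-1])  # @= is the (Default) value
    return bindings


def find_hijacks(bindings, expected=EXPECTED_DLL):
    """Yield (key, actual path, expected file name) where the bound DLL is not the expected one."""
    for key, path in bindings.items():
        clsid = _CLSID_RE.search(key).group("clsid").upper()
        want = expected.get(clsid)
        if want and ntpath.basename(path).lower() != want.lower():
            yield key, path, want


def live_bindings(expected=EXPECTED_DLL):
    """Windows only: read the same values from both hives the thread lists."""
    import winreg  # standard library on Windows; not available elsewhere
    found = {}
    for hive, hive_name, prefix in (
        (winreg.HKEY_CLASSES_ROOT, "HKEY_CLASSES_ROOT", "CLSID"),
        (winreg.HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\CLSID"),
    ):
        for clsid in expected:
            sub = r"%s\%s\InProcServer32" % (prefix, clsid)
            try:
                with winreg.OpenKey(hive, sub) as k:
                    found[hive_name + "\\" + sub] = winreg.QueryValueEx(k, "")[0]
            except OSError:
                pass  # key absent: nothing to compare
    return found


if __name__ == "__main__":
    # regedit writes version 5.00 exports as UTF-16 with a BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    bindings = parse_inproc_servers(text)
    if sys.platform == "win32" and len(sys.argv) == 1:
        bindings.update(live_bindings())
    for key, path, want in find_hijacks(bindings):
        print("%s\n    loads %s, expected %s" % (key, path, want))
```

Comparing only the file name is deliberate: the thread's clean and infected machines differ in the Windows directory (WIN2000 vs Windows), so a full-path comparison would flag every machine. A binding that passes this check can still point at a copy of the right DLL in the wrong directory, which is why the reported path is printed in full.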

#55 vangogh (Member, 23 posts)
There is another file with the same date that has that strange date thing: openbl32.dll

Do you think deleting the msvcrta.dll file + registry keys is the solution to the problem? It looks like the problem is bigger than just the file (reading the Secunia description).


#56 vangogh (Member, 23 posts)
The strange thing is that I haven't been having pop-ups since yesterday. And I haven't changed anything on my system (even the reinstall of IE6 wouldn't go, because I had a newer version (still from SP2, I think)).

#57 JeffR (Topic Starter, Member, 46 posts)
Vangogh,

Again, I'm no expert, but ...

If I were you (or you were me), I'd be so frustrated and eager to fix it that I'd probably go ahead and (make a registry backup first!) change those registry entries so the data is webcheck.dll instead of msvcrta.dll, and see if that stops the popups. But ... one more time ... I'm not an expert. I don't even play one on TV.

I have the same date anomaly on my msvcrta.dll file. I think the creation date is the date it got "created" on our PCs, possibly when the trojan loaded it onto our PCs. The modified date is when the bad guys really created it(?)

Jeff

#58 JeffR (Topic Starter, Member, 46 posts)
Oh ... I didn't get your post about not getting popups anymore until after my last post. That's too bad. I'm afraid maybe we all think we solved it, when actually the bad guys just turned it off for Christmas. :-(

I'll wait for Pieter to take a look at the msvcrta.dll file I emailed him. He's the real expert.

Jeff

#59 vangogh (Member, 23 posts)
Another thing: when I do an Agent Ransack search for files containing the text 'msvcrta.dll', I get a lot of results in the index.php files in the ...temporary internet files\content.ie directories.

Ransack is still searching...

#60 vangogh (Member, 23 posts)
I think I will leave the msvcrta.dll and see if any more pop-ups come.
