Popups - I need help from an expert


#61 JeffR (Member, Topic Starter, 46 posts)
Those could be just the references to that file that are in these (my) posts on this topic. You looked at them this morning, so they are in your Temporary Internet Files.
  • 0


#62 vangogh (Member, 23 posts)
It really bugs me that those guys at the multinational companies haven't tackled this problem yet. Symantec should have had virus signatures by now.
  • 0

#63 vangogh (Member, 23 posts)
Oh my God, Ransack has found hundreds of msvcrta.dll strings in all the Windows prefetch files!!!!!!!!!
I'm sure that's not good! Will it have attached itself to all these executables?

Metallica, where are you?
  • 0

#64 JeffR (Member, Topic Starter, 46 posts)
Well ... according to the Secunia link that Pieter posted, the first report was just December 20. I've been having the popup problem since December 5, but I guess it takes a while for the antivirus companies to get a sample and figure it out. I don't know how they do that, actually. Do they have a bunch of computer people in a room trying to get viruses?

I'm afraid in this case we may be the pioneers who happened to stumble on this one pretty early in the process. I guess it always has to be somebody who gets the disease first.
  • 0

#65 vangogh (Member, 23 posts)
I can't quarantine msvcrta.dll in Norton Antivirus. It says it's in use.
  • 0

#66 vangogh (Member, 23 posts)
There you go, the dll file is also in the log of startuplist.exe:

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\msvcrta.dll
SysTray: C:\WINDOWS\System32\stobject.dll
  • 0

#67 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
I was the one that sent in the files to every Anti-Virus vendor I know.

Found it here:
http://castlecops.co...ite90091-&.html

At first I thought your case was different since the file wasn't hidden (locate.com didn't find it).

vangogh, can you mail me a copy of the dll?
pieterATwilderssecurity.org

I will have a look at the one Jeff sent me and report back.

Regards,

Pieter
  • 0

#68 vangogh (Member, 23 posts)
Wow, look at the results from Ransack (text containing 'msvcrta.dll'):

C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\0LURKHYV\index[5].php (53 KB, 26-12-2004 13:13:05)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\41Q7GP2F\index[4].php (39 KB, 26-12-2004 13:12:17)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\45ABSDMZ\index[6].php (41 KB, 26-12-2004 13:04:59)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\81WTSJAJ\index[5].php (41 KB, 26-12-2004 12:50:28)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\81WTSJAJ\index[6].php (39 KB, 26-12-2004 13:19:10)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\8TUZWX6N\index[5].php (46 KB, 26-12-2004 13:08:44)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\G9QJCLUN\index[6].php (57 KB, 26-12-2004 13:17:55)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\GXINCPAN\index[4].php (49 KB, 26-12-2004 13:10:24)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\S1ERGPE3\index[3].php (40 KB, 26-12-2004 13:09:45)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\STAN05I3\index[4].php (39 KB, 26-12-2004 12:56:02)
C:\Documents and Settings\xxxxxx\Local Settings\Temporary Internet Files\Content.IE5\STAN05I3\index[5].php (61 KB, 26-12-2004 13:23:09)
C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf (30 KB, 25-12-2004 22:47:24)
C:\WINDOWS\Prefetch\AGENTRAN.EXE-2BF029EE.pf (15 KB, 25-12-2004 0:29:35)
C:\WINDOWS\Prefetch\AGENTRANSACK.EXE-09E3AA2C.pf (20 KB, 26-12-2004 13:16:19)
C:\WINDOWS\Prefetch\CONTROL.EXE-013DBFB5.pf (21 KB, 26-12-2004 12:25:18)
C:\WINDOWS\Prefetch\DESHELP.EXE-2686DDD9.pf (15 KB, 24-12-2004 13:00:39)
C:\WINDOWS\Prefetch\DESSEARCHAPP.EXE-0C54BA3D.pf (26 KB, 24-12-2004 12:58:45)
C:\WINDOWS\Prefetch\DESSERVER.EXE-3170E849.pf (19 KB, 24-12-2004 13:08:15)
C:\WINDOWS\Prefetch\DESSERVER.EXE-3289C3F8.pf (35 KB, 24-12-2004 12:46:25)
C:\WINDOWS\Prefetch\DESSER~1.EXE-210ADAFE.pf (22 KB, 24-12-2004 13:11:37)
C:\WINDOWS\Prefetch\DLLCOMPARE.EXE-13D4E263.pf (14 KB, 25-12-2004 0:24:52)
C:\WINDOWS\Prefetch\GCASDTSERV.EXE-1274D90D.pf (27 KB, 24-5-2005 16:02:23)
C:\WINDOWS\Prefetch\GCASINSTALLHELPER.EXE-2B16062B.pf (9 KB, 24-12-2004 16:58:42)
C:\WINDOWS\Prefetch\GCASNOTICE.EXE-0A43BFB6.pf (13 KB, 24-5-2005 16:02:32)
C:\WINDOWS\Prefetch\GCASSERV.EXE-140716E4.pf (36 KB, 24-12-2004 21:31:27)
C:\WINDOWS\Prefetch\GCASSERVALERT.EXE-02EC774E.pf (25 KB, 26-12-2004 12:16:10)
C:\WINDOWS\Prefetch\GIANTANTISPYWARE.EXE-056A4C82.pf (17 KB, 24-12-2004 16:58:08)
C:\WINDOWS\Prefetch\GIANTANTISPYWAREMAIN.EXE-073F66F6.pf (17 KB, 24-5-2005 16:02:22)
C:\WINDOWS\Prefetch\HELPCTR.EXE-3862B6F5.pf (74 KB, 24-12-2004 13:03:13)
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-016EC01E.pf (59 KB, 25-12-2004 10:04:02)
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-1AFBDC5F.pf (60 KB, 25-12-2004 0:14:11)
C:\WINDOWS\Prefetch\IDRIVER.EXE-078074A8.pf (49 KB, 24-12-2004 12:45:34)
C:\WINDOWS\Prefetch\IDRIVER.EXE-0CAABA1F.pf (52 KB, 24-12-2004 12:34:00)
C:\WINDOWS\Prefetch\IDRIVER.EXE-250C05D5.pf (28 KB, 23-12-2004 22:19:24)
C:\WINDOWS\Prefetch\IE6WZD.EXE-1BFDEFE4.pf (18 KB, 26-12-2004 12:24:35)
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf (120 KB, 24-5-2005 16:04:37)
C:\WINDOWS\Prefetch\IS-JL4FU.TMP-26777ECE.pf (19 KB, 25-12-2004 0:29:38)
C:\WINDOWS\Prefetch\KAZAALITE.KPP-1788916A.pf (67 KB, 25-12-2004 23:25:54)
C:\WINDOWS\Prefetch\KERIO-PF-4.1.2-EN-WIN.EXE-228227B7.pf (16 KB, 23-12-2004 22:19:10)
C:\WINDOWS\Prefetch\KLRUN.EXE-38BFC3FB.pf (24 KB, 25-12-2004 23:25:43)
C:\WINDOWS\Prefetch\KPF4GUI.EXE-2F166019.pf (70 KB, 24-12-2004 21:33:29)
C:\WINDOWS\Prefetch\Layout.ini (399 KB, 25-12-2004 19:33:34)
C:\WINDOWS\Prefetch\LDMCONF.EXE-2E2A6E1D.pf (10 KB, 24-12-2004 19:02:21)
C:\WINDOWS\Prefetch\LHTTSDUN.EXE-30E31B30.pf (10 KB, 25-12-2004 23:28:57)
C:\WINDOWS\Prefetch\LUALL.EXE-30AC8E48.pf (63 KB, 26-12-2004 12:52:06)
C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf (64 KB, 26-12-2004 13:14:12)
C:\WINDOWS\Prefetch\MMC.EXE-15688AA5.pf (32 KB, 24-12-2004 13:05:47)
C:\WINDOWS\Prefetch\MSHTA.EXE-331DF029.pf (58 KB, 25-12-2004 10:05:24)
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf (58 KB, 25-12-2004 23:39:04)
C:\WINDOWS\Prefetch\MSINFO32.EXE-29BA7538.pf (22 KB, 24-12-2004 13:03:03)
C:\WINDOWS\Prefetch\MSPAINT.EXE-11CBB631.pf (46 KB, 24-12-2004 12:31:48)
C:\WINDOWS\Prefetch\MSWORKS.EXE-31812CA4.pf (32 KB, 24-12-2004 12:25:00)
C:\WINDOWS\Prefetch\NAVW32.EXE-24F56911.pf (64 KB, 26-12-2004 13:23:33)
C:\WINDOWS\Prefetch\NMAIN.EXE-2BA406E0.pf (63 KB, 26-12-2004 13:23:24)
C:\WINDOWS\Prefetch\NOTEPAD.EXE-189578DA.pf (59 KB, 25-12-2004 0:44:43)
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf (1129 KB, 26-12-2004 12:20:33)
C:\WINDOWS\Prefetch\PATCH.EXE-04A62CEF.pf (14 KB, 24-12-2004 17:00:59)
C:\WINDOWS\Prefetch\PATCH.EXE-07B1D0B1.pf (12 KB, 24-12-2004 16:59:23)
C:\WINDOWS\Prefetch\PHOTOED.EXE-0F3CAA01.pf (27 KB, 24-12-2004 12:21:24)
C:\WINDOWS\Prefetch\PIP.EXE-248E8BDE.pf (54 KB, 24-12-2004 12:22:18)
C:\WINDOWS\Prefetch\REGCLEANER (TWEAKNOW).EXE-08B56458.pf (13 KB, 25-12-2004 0:27:15)
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf (44 KB, 26-12-2004 12:58:59)
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf (48 KB, 26-12-2004 12:17:53)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-150CA838.pf (38 KB, 24-12-2004 13:05:42)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-19DAABDF.pf (14 KB, 25-12-2004 23:31:46)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1DA0AA57.pf (14 KB, 25-12-2004 10:05:14)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf (12 KB, 24-12-2004 13:06:50)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-26DA8C9B.pf (72 KB, 24-12-2004 12:28:16)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3214CC02.pf (28 KB, 25-12-2004 23:40:33)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-32240B45.pf (17 KB, 24-12-2004 17:05:39)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-36AA6503.pf (24 KB, 25-12-2004 23:45:10)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3A002667.pf (16 KB, 24-12-2004 13:05:26)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3FA7EA68.pf (63 KB, 26-12-2004 12:25:19)
C:\WINDOWS\Prefetch\RUNDLL32.EXE-42C4EDF2.pf (36 KB, 26-12-2004 11:42:21)
C:\WINDOWS\Prefetch\SAPISVR.EXE-3241C9C4.pf (60 KB, 25-12-2004 23:40:24)
C:\WINDOWS\Prefetch\SETUP.EXE-2328F93B.pf (19 KB, 25-12-2004 23:38:51)
C:\WINDOWS\Prefetch\SETUP.EXE-38248460.pf (17 KB, 24-12-2004 12:45:18)
C:\WINDOWS\Prefetch\SETUP_WM.EXE-3135CBE0.pf (24 KB, 24-12-2004 21:29:01)
C:\WINDOWS\Prefetch\SHMGRATE.EXE-1BA69E68.pf (35 KB, 26-12-2004 12:25:28)
C:\WINDOWS\Prefetch\SPEECHSDK51.EXE-1ACBB3A6.pf (13 KB, 25-12-2004 23:34:44)
C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf (67 KB, 25-12-2004 22:46:53)
C:\WINDOWS\Prefetch\SYSOCMGR.EXE-31169C54.pf (74 KB, 26-12-2004 12:25:14)
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf (18 KB, 24-12-2004 23:41:58)
C:\WINDOWS\Prefetch\UE32.EXE-1BEC132F.pf (48 KB, 24-12-2004 12:17:55)
C:\WINDOWS\Prefetch\UNREGMP2.EXE-07CACB61.pf (47 KB, 24-12-2004 21:30:19)
C:\WINDOWS\Prefetch\WINWORD.EXE-29F5CB89.pf (76 KB, 26-12-2004 12:45:56)
C:\WINDOWS\Prefetch\WINZIP32.EXE-335422C1.pf (30 KB, 24-12-2004 16:56:18)
C:\WINDOWS\Prefetch\WKSCAL.EXE-10AB18FB.pf (31 KB, 24-5-2005 16:01:46)
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf (39 KB, 25-12-2004 23:15:11)
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA6.pf (71 KB, 25-12-2004 23:14:28)
C:\WINDOWS\Prefetch\WUPDMGR.EXE-2F30BEAB.pf (21 KB, 26-12-2004 12:25:55)
C:\WINDOWS\Prefetch\ZCLIENTM.EXE-25C31104.pf (12 KB, 26-12-2004 12:25:29)
C:\WINDOWS\system32\Restore\rstrlog.dat (1084 KB, 20-12-2004 23:25:56)
D:\Backup\Utils\Hijack This\startuplist.txt (6 KB, 22-12-2004 21:15:58)
  • 0

#69 vangogh (Member, 23 posts)
I have sent the file to you, Pieter. Thanks a lot for your time.
  • 0

#70 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Darn. I'll need a pro to unravel this one.
I'll send it on but they are probably enjoying the holidays.

I'll have to infect myself to see what it does.

Let me get my testbox set up.

Regards,

Pieter

Attached: failure.jpg

  • 0


#71 vangogh (Member, 23 posts)
Ok - pop-ups are still there! Just got an ad for Valium (I might actually want some of that).

I'm going to quarantine the dll file and delete the registry keys now.
  • 0

#72 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Hang on a sec.

I think I can make this easy for you.

Your files are identical, so that should give some of the other victims hope.

Regards,

Pieter
  • 0

#73 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
vangogh,

Copy the part in bold below into notepad and save it as webcheck.reg
(Set filetype to "All files")


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"



Then double-click the file you made and confirm you want to merge it with the registry.

Reboot and let me know.

Regards,

Pieter
  • 0
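The StartupList output in #66 and the webcheck.reg fix in #73 revolve around the same registry fact: the CLSID loaded by the ShellServiceObjectDelayLoad (SSODL) entry "WebCheck" normally has an InProcServer32 of %SystemRoot%\System32\webcheck.dll, and on the infected machines it had been redirected to msvcrta.dll, which is why the popups came back at every logon. The script below is an added example written for this thread, not code from the forum or from Pieter. It does two defender-side things offline: it parses a StartupList-style SSODL dump and flags entries whose DLL name differs from the stock Windows XP names, and it parses the REGEDIT4 file above and decodes its hex(2) (REG_EXPAND_SZ) value so you can see exactly which path the fix writes before merging it. The expected-DLL table is an assumption based on the four stock entries visible in vangogh's log; the sample inputs are the thread's own text, embedded as constants.

```python
import re

# Constructed sample: the SSODL section of vangogh's StartupList log (#66).
SSODL_LOG = r"""Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\msvcrta.dll
SysTray: C:\WINDOWS\System32\stobject.dll
"""

# Constructed sample: the webcheck.reg file from #73, verbatim.
WEBCHECK_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,77,\
65,62,63,68,65,63,6b,2e,64,6c,6c,00
"ThreadingModel"="Apartment"
"""

WEBCHECK_CLSID = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

# Assumption: stock Windows XP SSODL entries and the DLL each one should resolve to.
EXPECTED_SSODL = {
    "postbootreminder": "shell32.dll",
    "cdburn": "shell32.dll",
    "webcheck": "webcheck.dll",
    "systray": "stobject.dll",
}


def parse_ssodl(log):
    """Return {entry_name: dll_path} from the SSODL section of a StartupList dump."""
    entries, in_block = {}, False
    for line in log.splitlines():
        if line.startswith("Enumerating ShellServiceObjectDelayLoad"):
            in_block = True
            continue
        if line.startswith("Enumerating"):      # next section begins
            in_block = False
        m = re.match(r"^(\w+):\s+(.+)$", line.strip())
        if in_block and m:
            entries[m.group(1)] = m.group(2)
    return entries


def find_ssodl_anomalies(entries):
    """List (name, path, reason) for entries that are unknown or point at an unexpected DLL."""
    anomalies = []
    for name, path in entries.items():
        dll = path.rsplit("\\", 1)[-1].lower()
        expected = EXPECTED_SSODL.get(name.lower())
        if expected is None:
            anomalies.append((name, path, "unknown SSODL entry"))
        elif dll != expected:
            anomalies.append((name, path, f"expected {expected}"))
    return anomalies


def decode_reg_data(data):
    """Decode one .reg value: quoted string, dword, or hex(N) byte list."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or 3)            # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
        if kind in (1, 2, 7):                  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            # REGEDIT4 files store string data as ANSI bytes, NUL-terminated.
            return raw.decode("latin-1").rstrip("\x00")
        return raw
    return data


def parse_reg(reg_text):
    """Minimal REGEDIT4 parser: {key_path: {value_name: decoded_value}}; '@' becomes '(Default)'."""
    keys, current, pending = {}, None, ""
    for raw in reg_text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):                # trailing backslash continues the value on the next line
            pending = line[:-1]
            continue
        if not line or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_reg_data(data)
    return keys


def check_webcheck_server(keys):
    """For every InProcServer32 key of the WebCheck CLSID: (decoded target, is it the stock webcheck.dll?)."""
    results = {}
    for key, values in keys.items():
        if WEBCHECK_CLSID.lower() in key.lower() and key.lower().endswith("inprocserver32"):
            target = values.get("(Default)", "")
            results[key] = (target, target.lower().endswith("\\webcheck.dll"))
    return results


if __name__ == "__main__":
    for name, path, why in find_ssodl_anomalies(parse_ssodl(SSODL_LOG)):
        print(f"SSODL {name}: {path}  <-- {why}")
    for key, (target, ok) in check_webcheck_server(parse_reg(WEBCHECK_REG)).items():
        print(f"{key}\n    -> {target}  ({'stock' if ok else 'UNEXPECTED'})")
```

Run against the thread's own data this prints exactly one SSODL anomaly (WebCheck pointing at msvcrta.dll instead of webcheck.dll) and shows that both InProcServer32 values in the .reg file decode to %SystemRoot%\System32\webcheck.dll, so merging it restores the original server path under both the HKLM and HKCR views of the CLSID. On a live machine the same comparison is done against the output of reg query for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad and each listed CLSID's InProcServer32 key; any SSODL server that is not a Microsoft-signed DLL in System32 is worth the kind of scrutiny this thread gave msvcrta.dll.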

#74 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Can you guys check if you have a file called: acc0000.exe

Regards,

Pieter
  • 0

#75 JeffR (Member, Topic Starter, 46 posts)
No ... Nobody by that name (acc0000.exe) on my computer. I checked with both the Windows search and Agent Ransack.

Jeff
  • 0
