Popups - I need help from an expert


#76 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

It's the installer I think. Could be an old version, since it only changes this:

(FOLDER) C:\WINDOWS\system32
(+)(FILE) msvcrta.dll = 09:03 04-08-04 8704 bytes
(FOLDER) C:\WINDOWS\system32\config
(*)(FILE) software.LOG
15:03 26-12-04 1024 bytes ==> 15:05 26-12-04 1024 bytes

(REG KEY) HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
(*)(REG VALUE) (Default)
%SystemRoot%\System32\webcheck.dll. ==> C:\WINDOWS\system32\msvcrta.dll

Or maybe the dll does the rest after it's been activated.

I found that file in a log here:
http://board.protecu...12154&pagenum=4
(look at the O16)

Regards,

Pieter

#77 vangogh (Member, 23 posts)

Sorry I was away for a while.

I haven't found acc0000.exe either. I did get rid of the reg keys and the dll file. I still have it in Norton quarantine.

#78 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

OK. Good job. Clean out your prefetch folder:
http://www.tweakxp.com/tweak525.aspx

Should you find anything interesting, let me know.

If the file I found is in any way nearly the same as the one that infected you, this should be it.
I'll try out my fix on some forums, but I'm pretty sure it will work.

You guys have been an enormous help in solving this for others. :tazz:

Regards,

Pieter

#79 vangogh (Member, 23 posts)

Just before removing msvcrta.dll I got this notification from GIANT AntiSpyware:

The user, has decided to remove the spyware threat Alexa Toolbar that has been detected by real-time protection trying to run the program C:\WINDOWS\web\related.htm.

The htm file is still there. I'm sure it's related, since the pop-up connected me not only to 69.50.160.100, but also to xlstcache.alexa.com.

Another .exe file which was logged by my Kerio firewall around the time of infection (apart from 0catyellowpages.exe) was: a~nsisu_.exe

I had also found the string a~nsisu in a StartupList (I already deleted that one; it was something with wininit.ini PendingFileRename).

#80 JeffR (Topic Starter, Member, 46 posts)

Pieter,

I did an Agent Ransack search for anything containing text msvcrta.dll, and all it found were Temp Internet Files and Registry Backup files. And I did a Registry search for msvcrta, and all it found were histories of my searches. So ... Do you think I am clean now?

(I renamed the msvcrta.dll file to something else, and moved it to a different folder.)

Is there anything we can do to keep from catching this again?

Jeff

#81 JeffR (Topic Starter, Member, 46 posts)

One more thing I forgot to mention ... I think vangogh has something there when he mentioned the 0catyellowpages. When I first got these popups, one of my antispyware programs found the 0catyellowpages and removed it. And I think I went to a 0cat site once when I tried some variant of the 69.50.160.100. So I think those 0cat guys have something to do with this.

Jeff

#82 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

The protection against acc0000.exe was in SpywareBlaster: http://www.javacools...areblaster.html

Did you reset the keys to point to webcheck.dll? (The regfile I posted does that.)
I found one victim that could no longer access any sites that required the .NET passport.

I hopefully will learn some more when I get the unpacked versions back from the people I sent them to.

I'll submit the files to the Anti-spyware industry as well.

Regards,

Pieter

#83 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

(Quoting JeffR's post #81 above.)


That makes three of you:
http://amazingtechs....showtopic=19838

Unfortunately almost all the useful info about 0cat Yellowpages was on Spynet (which went offline when Microsoft bought the firm).

Regards,

Pieter

#84 vangogh (Member, 23 posts)

(Quoting his own post #79 above.)



I still have this C:\WINDOWS\web\related.htm

I have done a HijackThis scan and I found two new things:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

#85 vangogh (Member, 23 posts)

This was the info about 0cat yellowpages on spynet:

=======================================
Threat type: Spyware - Spyware's primary purpose is to collect demographic and usage information from your computer, usually for advertising purposes. Spyware usually 'sneaks' onto a system or performs other activities hidden from the user. Spyware programs are usually bundled as a hidden component and downloaded from the Internet. These modules are almost always installed on the system secretively and try to run secretively as well.

Threat category: Browser Plug-in - A browser plug-in is an application that can be installed within a user's web browser. Plug-ins can come in the form of a toolbar that is included in your web browser, a search or navigation feature, or extra task buttons on the browser. Although most plug-ins are designed to perform necessary functions, many plug-ins are harmful to your computer because they have complete access to your web browser and can modify, spy on and redirect any task you perform.
Threat risk:
High Risk
High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May use a security flaw in the operating system to gain access to your computer.
Description: 0cat yellowpages is a spyware application that is known to hijack Internet Explorer as well as Active Desktop.
Advice: Remove. This is a very high risk threat and should be removed immediately to prevent harm to your computer or your privacy.



Detection and Removal
GIANT AntiSpyware detects 0cat yellowpages
GIANT AntiSpyware removes 0cat yellowpages


0cat yellowpages Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with 0cat yellowpages, you can clean your machine of this spyware threat for free by downloading GIANT Antispyware now (Download the GIANT AntiSpyware Free trial).

File Signatures:
>> file: stiebar.dll : MD5 hash: 41e5e89418b0fe9c2b5...
>> file: %program_files%\0cat yellowpages\stiebar.dll
>> file: stiebar.dll : MD5 hash: 6d7b154d4ffb1c771eb...


Registered Dll (Dynamic Link Library) Signatures:
>> dll: stiebar.dll : MD5 hash: 41e5e89418b0fe9c2b5...
>> dll: %program_files%\0cat yellowpages\stiebar.dll
>> dll: stiebar.dll : MD5 hash: 6d7b154d4ffb1c771eb...


Internet Explorer Integration:
>> Browser Helper Object: {d797ad6c-6447-4db4-91d0-090344408e72}
>> IE Toolbar: {679695bc-a811-4a9d-8cdf-ba8c795f261a}


Registry Signatures:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D797AD6C-6447-4DB4-91D0-090344408E72}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar {679695BC-A811-4A9D-8CDF-BA8C795F261A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{47FE5D70-9AA2-40F1-9C6B-12A255F085EA}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping {47FE5D70-9AA2-40F1-9C6B-12A255F085EA}
*The signatures in the files list above includes standard MD5 hashed signatures. The GIANT AntiSpyware proprietary signatures, known as a Genetic Fingerprints and LSH signatures, are not included in the list above.
====================================

I downloaded Giant Spyware but it didn't find anything. I did block that alexa toolbar though.

#86 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

Those Alexa keys are relatively harmless. Installing the Alexa Toolbar is an entirely different matter, but you will see more than just those two if you do that.

Some spyware-removers consider those "related" keys which are normal in a Windows install important enough to flag them, but in my opinion they are not.

Regards,

Pieter

#87 JeffR (Topic Starter, Member, 46 posts)

Pieter,

How many forums do you monitor??!! :thumbsup: Looks like you're the expert in all of them! :tazz:

Thanks so much for your help with this! I always wondered who were those poor people who got the viruses before they got discovered and fixed and put into the antivirus databases. Now I know. Sometimes it can be me. ;)

Regarding keeping this from coming back ... I do have SpywareBlaster (now), and I keep it updated. I just looked at SpywareBlaster's (huge) list of IE protection, and I don't immediately see this acc0000.exe protection in the list. What name is it under? And ... if you have time ... how does that protection work? Does SpywareBlaster just place this in some IE list of blocked activities (like it seems to do with its list of restricted sites), or does SpywareBlaster actually monitor what IE is doing all the time?

#88 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

SpywareBlaster blocks certain CLSID's from getting activated.
You can find a lot of info here:
http://www.wildersse...ead.php?t=13684
Even on how to add CLSID's yourself and what they are.

One of them was the {11010101-1001-1111-1000-110112345678} I found in that German log
SpywareBlaster has it listed as an Adult Content Dialer (which I doubt), but it would have stopped it anyway.

How many forums? I lost track a while ago.
In languages: about 10 Dutch ones, 2 German boards and an awful lot of English ones. I'm a Moderator at 2 of those.
I've just been around so long everyone thinks I'm an expert. :tazz:

Regards,

Pieter

#89 JeffR (Topic Starter, Member, 46 posts)

Quote (Pieter, #82): The protection against acc0000.exe was in SpywareBlaster: http://www.javacools...areblaster.html

Sorry to keep bothering you Pieter, but just to satisfy my compulsive anxieties ... How do I know what the CLSID for this particular (acc0000.exe) problem is? So I can look and be sure it is in my SpywareBlaster list of blocked activities?

#90 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

You're not bothering me. Don't worry about that. :tazz:

I think our posts crossed.

The CLSID for the ActiveX that distributed acc0000.exe is {11010101-1001-1111-1000-110112345678}

Regards,

Pieter
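Editor's added example, tying together three things the thread discusses: the InProcServer32 hijack in post #76 (the WebCheck CLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} repointed from webcheck.dll to msvcrta.dll), Pieter's remark in #82 that his regfile points the key back, and the SpywareBlaster blocking in #88/#90, which works by setting the ActiveX kill bit (Compatibility Flags 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) so IE refuses to instantiate the control. This is not code from the thread, from SpywareBlaster or from any of the tools named here. It assumes you have a text export of the relevant hives (regedit or `reg export`); SAMPLE_REG below is constructed to look like such an export and is not a real capture, the {AAAAAAAA-...} CLSID is a placeholder, and EXPECTED_SERVERS lists only the one CLSID named in this thread (extend it from a known-clean machine).

```python
# Added example: audit a regedit/`reg export` text dump for the tampering in
# this thread and emit a fix file.  SAMPLE_REG is constructed, not a capture;
# the {AAAAAAAA-...} CLSID is a placeholder.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\msvcrta.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,\
  6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11010101-1001-1111-1000-110112345678}]
"Compatibility Flags"=dword:00000400
"""

COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400  # Compatibility Flags bit: IE refuses to instantiate the control
# CLSID -> DLL that is supposed to serve it (only the one named in this thread).
EXPECTED_SERVERS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}": "webcheck.dll"}


def decode_value(raw):
    """Turn the right-hand side of a .reg line into (type, python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.fullmatch(r"hex(?:\((\w+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):  # string types are exported as UTF-16LE bytes
            kind = "REG_EXPAND_SZ" if m.group(1) == "2" else "REG_SZ"
            return (kind, data.decode("utf-16-le").rstrip("\x00"))
        return ("REG_BINARY", data)
    return ("UNKNOWN", raw)


def parse_reg(text):
    """Return {key path: {value name: (type, value)}}; '' is the (Default) value."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, raw = line.split("=", 1)
            keys[current]["" if name == "@" else name.strip('"')] = decode_value(raw)
    return keys


def _lookup(keys, path):
    """Registry paths are case-insensitive; exports are not always consistent."""
    return next((v for k, v in keys.items() if k.upper() == path.upper()), {})


def find_hijacked_servers(keys, expected=EXPECTED_SERVERS):
    """CLSIDs whose InProcServer32 no longer points at the DLL we expect."""
    found = []
    for path, values in keys.items():
        m = re.fullmatch(r"HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32",
                         path, re.IGNORECASE)
        if not m or "" not in values:
            continue
        clsid, server = m.group(1).upper(), values[""][1]
        want = expected.get(clsid)
        if want and server.rsplit("\\", 1)[-1].lower() != want:
            found.append((clsid, server))
    return found


def kill_bit_set(keys, clsid):
    """True if SpywareBlaster-style blocking (the kill bit) is in place for this CLSID."""
    flags = _lookup(keys, COMPAT + "\\" + clsid).get("Compatibility Flags", ("REG_DWORD", 0))[1]
    return bool(flags & KILL_BIT)


def build_fix_reg(restore, kill):
    """Compose an importable .reg: repoint CLSIDs to their expected DLL (as
    REG_EXPAND_SZ, like the stock entry) and set the kill bit on dropper CLSIDs."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid, dll in restore.items():
        data = (dll + "\x00").encode("utf-16-le")
        lines += [f"[HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InProcServer32]",
                  "@=hex(2):" + ",".join(f"{b:02x}" for b in data), ""]
    for clsid in kill:
        lines += [f"[{COMPAT}\\{clsid}]", f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    bad = find_hijacked_servers(parse_reg(SAMPLE_REG))
    for clsid, server in bad:
        print(f"HIJACKED {clsid} -> {server}")
    print(build_fix_reg({c: r"%SystemRoot%\System32\webcheck.dll" for c, _ in bad},
                        ["{11010101-1001-1111-1000-110112345678}"]))
```

Usage: `reg export HKCR\CLSID clsid.reg` writes UTF-16, so open the file with `encoding="utf-16"` before passing it to `parse_reg`. Importing the generated fix needs an elevated regedit. Two caveats a practitioner would want: a kill bit only stops IE from instantiating that control, it does nothing about a DLL that has already been dropped and registered, and the "expected" server name for each CLSID should come from a known-clean install of the same Windows version rather than from memory, since the stock entry here is a REG_EXPAND_SZ `%SystemRoot%\System32\webcheck.dll` and a hijack can also be a same-name DLL in a different directory.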





