Popups - I need help from an expert


#91 JeffR (Member, Topic Starter, 46 posts)
Hi Pieter!

You're probably way ahead of me here ... and probably way past this stage ... but just in case ...

I was just looking through my PestPatrol program, and I see they have an "Analyze File" feature. So I asked it to analyze my msvcrta.dll file. (I had renamed it to "msvcrta (suspicious!).dll".) In case it's of any use to you, I'll paste the results below. Looks like it references a couple of other dll files. And it seems to reference the registry key where it was placed. So maybe it is active in its own installation.

File: C:\Spyware-Adware Files\msvcrta (suspicious!).dll
Size: 390,656 bytes
Pest: Not a known pest
MD5: 476d8b31bfd01f2d264f2133c47a3d37
Running/Active?: No.
Creation Date: 11/29/2004
Last Write: 6/21/2004
DLLs Referenced: \msvcrta.dll ADVAPI32.dll ole32.dll OLEAUT32.dll USER32.dll
Text: 'Rich 'Rich PE A mwutE 9qu u/s qla rke 5ZFI aabbddgghhkkmmnnppssuu DES part of OpenSSLv May li es GSor6 wo a vFE A ment9ThreadingMode SOFTWARE\Classes LSID\ E6F B5E20-DE35-11CF-9C87-00AA 27ED \InProcServ WINDIR SystemRoot TEMP NUL o7 p.tmpacc aF nel GetWindowsDirectoryA Path Slee essHea Fi Size MultiByteToO deChar De SExitC a lo balF A iAl nTimG WrieP seHa PoY Rion Tick -u ov iv Ad a KERNEL32.DLL LoadLibraryA GetProcAddress RegOpenKeyA free CoInitialize SetWindowPos
File Type: .dll file.
Compression: No compression or unknown compression method.
Language: Unknown Language.
Caution: Use this automated file analysis with caution. Please do not substitute these results for good judgment.
#92 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

> or unknown compression method

The idea is good, but what you get is "garblegook", because the unpacker doesn't work.

I looked inside the file using FileSnoop and you can recognize some parts but others are completely scrambled, so I'll have to wait for an unpacked version.

Regards,

Pieter

#93 JeffR (Member, Topic Starter, 46 posts)
Thanks again Pieter!

As I've mentioned on several posts ... I'm learning much more than I ever wanted to know about this stuff. Someday ... when things calm down ;) , I'd love to learn from you how these things make their way from a newly developed and spreading "threat" (for lack of a better word) all the way to the implementation of the fix at the large antivirus shops. (Symantec, McAfee, etc.) I now realize that people like you are a critical and vital part of that process. But I don't understand your incentive/motivation. Are you in it for the challenge? Or are you a professional who does this for the experience? Or to discover these pests and sell the info to Symantec? :tazz: Or to test your fixes? I find it intriguing that people like you exist, and provide this excellent service for (what seems to be) no charge, for people all over the world! And you spent most of Christmas on it too! (I guess you're kind of like Santa Claus.)

If you ever do find the time to fill me in on as little or as much as you feel like sharing, I would love to hear from you. You can email me if you would rather do it that way. (You have my email address from the files I sent you.)

Best regards,

Jeff Rubenstein

#94 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Jeff,

I like the Santa Claus story best. ;)

But if anyone would like to pay me to do this stuff I'm willing to at least lend them an ear.
It could double my capacity if I didn't have to work for a living. :tazz:

One question on topic. Were you able to delete msvcrta.dll without problems?

I have someone on a German board that couldn't delete it after applying the regfix I thought up.

Regards,

Pieter

#95 JeffR (Member, Topic Starter, 46 posts)
I did not try to delete it. But I did cut and paste it to a different folder, and then renamed it. So I'm sure I can delete it. I just wanted to keep it around in case you (or anybody) needed to see it again.

And I never did apply your regfix. I didn't need to, because by the time I learned about the msvcrta.dll file issue (from another post on another forum), my registry did not reference that file. I'm assuming my registry must have gotten fixed when I re-downloaded and installed IE6 SP1, and all the critical updates.

I'm only a novice, but I assume that after applying your regfix the user would have to be sure to reboot. If he didn't, then the msvcrta.dll file may still be in use, and the system wouldn't let him delete it(?) Does that make sense? Or ... maybe his msvcrta.dll also appears somewhere else in his registry?

#96 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Makes perfect sense. (Re-)Installing the service pack will probably have renewed the registry keys.

If you cut and pasted you did in fact remove it from the folder where it would be in use. So you can remove it at will.

I told that user to reboot, but my German is not what it used to be.
I'll have him do another registry search to make sure.

Thanks,

Pieter

#97 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)

> I'd love to learn from you how these things make their way from a newly developed and spreading "threat" (for lack of a better word) all the way to the implementation of the fix at the large antivirus shops. (Symantec, McAfee, etc.)

On the subject of learning:
http://www.geekstogo...?showtopic=2792

I'm sure you'd make a great addition.

Regards,

Pieter

#98 solofara (New Member, 2 posts)
Guys,

I've been following this thread with earnest since I discovered it a couple days ago as I too have the same affliction. It's one of the most persistent I've seen in a long time.

My two cents worth is that I don't think the spyware/adware daemon/bot/whatever has anything to do with Internet Explorer. I removed any and all references to Internet Explorer (exe's, help, pif, whatever - all of it) and it still claimed it was "Internet Explorer" on the next popup (It also gave me a good reason to start using Firefox).

I know the display and presentation classes (among other things) of IE are part of the OS itself now, but it's likely a Windows widget designed to look like it's launched from Internet Explorer, and probably has its own HTTP parsing engine and therefore doesn't use IE at all.

Anyway - so what was the verdict? Removal of msvcrta.dll or the registry hack, or both?

Can't wait to lose the popups.

Thanks for all the help and effort!

Solofara

#99 JeffR (Member, Topic Starter, 46 posts)
Solofara,

Pieter (Metallica) is still waiting for analysis of the suspect msvcrta.dll file from his high-level connections. But at this point we believe that some web site(s) utilize the MHTMLRedir exploit to install a trojan executable, which plants the killer msvcrta.dll file into the system folder. (See the newly discovered Win32.Holax.A description at http://www3.ca.com/s...s.aspx?id=41046 ) Then it gets itself placed into some registry keys, in place of the "webcheck.dll" data.

Pieter posted a registry fix for it at
http://www.geekstogo...indpost&p=30122

Give it a try, and see if it stops the popups. Mine (finally!) stopped 58 hours ago! :tazz:

#100 vangogh (Member, 23 posts)
I eventually removed the msvcrta.dll by booting in safe mode. In normal mode the file wouldn't go away (even with a file shredder). As long as the dll file is there the registry keys keep coming back. I applied the registry fix of Metallica, but only after deleting the file and the keys manually. The fix did put the values back to 'webcheck', so it worked fine.

About IE: when a pop-up appeared, the kerio firewall did show that iexplore.exe was connecting to 69.50.160.100. So the pop-up was using IE in my case.

Deleting the msvcrta.dll and the registry key did solve the problem, I haven't had any pop-ups since.
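The two observations in #99 and #100 (COM class entries rewritten from "webcheck.dll" to msvcrta.dll, and the file refusing to delete in normal mode because something still has it loaded) can be checked from an administrator PowerShell prompt before anyone edits the registry by hand. The script below is an added example for this thread; it was not posted by Jeff, Pieter or vangogh and is not PestPatrol output. It assumes only the DLL name msvcrta.dll and the legitimate value webcheck.dll as given in the thread; the CLSID is not reproduced because the PestPatrol dump in #91 shows it garbled, so the script searches every CLSID instead.

```powershell
# Added defender-side check for the msvcrta.dll hijack described in the thread.
# Assumed names (from the thread): the suspect DLL and the legitimate value it replaced.
$suspectDll  = 'msvcrta.dll'
$expectedDll = 'webcheck.dll'

# 1. Which COM servers point at the suspect DLL?
#    HKCR\CLSID\{...}\InProcServer32 (default) names the DLL that COM loads into any
#    process creating that object; a rewritten entry is why the DLL survives reboots.
$hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InProcServer32'
        if (Test-Path $inproc) {
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match [regex]::Escape($suspectDll)) {
                [pscustomobject]@{ CLSID = $_.PSChildName; InProcServer32 = $server }
            }
        }
    }

if ($hits) {
    "CLSIDs whose InProcServer32 points at $suspectDll (the thread's fix restores $expectedDll):"
    $hits | Format-Table -AutoSize
} else {
    "No InProcServer32 value references $suspectDll."
}

# 2. Which running processes have the DLL mapped?
#    A mapped DLL cannot be deleted from normal mode, which is why vangogh needed Safe Mode.
#    Module enumeration can fail across 32/64-bit boundaries, hence the try/catch.
$holders = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    try { $_.Modules | Where-Object { $_.ModuleName -ieq $suspectDll } } catch { $false }
}
if ($holders) {
    "Processes with $suspectDll loaded (these keep the file open):"
    $holders | Select-Object Id, ProcessName | Format-Table -AutoSize
} else {
    "No running process has $suspectDll loaded."
}

# 3. The drop location named in #99 is the system folder; report size, timestamp and MD5
#    so they can be compared with the values Jeff posted from PestPatrol in #91.
$sysPath = Join-Path $env:SystemRoot "System32\$suspectDll"
if (Test-Path $sysPath) {
    $f = Get-Item $sysPath
    "Found {0}: {1} bytes, last write {2}" -f $sysPath, $f.Length, $f.LastWriteTime
    (Get-FileHash -Path $sysPath -Algorithm MD5).Hash
}
```

Run it once before the cleanup to record which CLSIDs and processes are involved, and again after the registry fix and reboot: the first section should then report nothing, and the second should show no process holding the file, which is the condition under which Pieter's "remove it at will" in #96 holds.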
#101 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Thank you for the extra info vangogh.

I posted my fix to every victim I could find on the net, but so far only one responded. He was unable to remove the file as well.

I wonder what else is keeping it occupied.

Regards,

Pieter

#102 JeffR (Member, Topic Starter, 46 posts)
I never actually applied Pieter's registry fix, because (I assume) my registry got fixed when I re-downloaded and re-installed IE6 SP1 from the Microsoft site, and then re-downloaded and re-installed all the suggested MS critical updates. My popups stopped, and I can delete the msvcrta.dll file. (Not in safe mode.)

Pieter, do you think it would be a more rigorous and cleaner solution to just suggest that the victim reload and reinstall IE and the updates? Is there any downside to that? I seem to have retained my Favorites and my History entries.

Jeff

#103 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
Jeff,

I would happily have everyone get updates they don't have yet, but in my experience uninstalling and re-installing updates can make problems worse than what you started out with.

Can you look under Add/Remove Software if there is still an entry for 0cat yellowpages?

Let me know. Don't do anything with it yet.

Regards,

Pieter

#104 JeffR (Member, Topic Starter, 46 posts)
Hi Pieter,

The 0cat yellowpages does not show in my add/remove programs list. It definitely was there at one point in my popup "adventure", though. I clearly remember, early in my efforts to kill the popups, that a scan (either AdAware or SpyBot S&D - I can't remember) found the 0cat Toolbar as spyware, and I told it to fix that. Then, later I looked at the add/remove Programs list, and I saw the 0cat yellowpages program there. (It's easy to see, because alphabetically it shows at the top of the list.) And I removed that at that time. I really thought that would fix my popups. (3 weeks ago I was young and naive.)

I still think there is a relationship between this msvcrta.dll popup problem and that 0cat thing. At some point in my detective work I'm pretty sure I remember finding some connection between our famous 69.50.160.100 IP and 0cat. The 0cat people may be just accomplices in this crime ... hosting and/or selling the popup ads maybe.

I know what you mean about updates often causing more problems than they fix. When I was in business some of my younger IT people would always want to upgrade software to the latest greatest version as soon as it was released. I would always (strongly) recommend that we wait a (long) while until others get the bugs out. "The early bird catches the worm. But it's the second mouse that gets the cheese." But sometimes they'd get so excited by the promises of the new features in the new version that they'd go ahead and install it anyway. Then we'd often find that (seemingly) totally unrelated bad things started to happen after the upgrade.

Jeff

#105 Metallica (Spyware Veteran, GeekU Moderator, 31,671 posts)
The relationship between 0cat and these popups is pretty clear.
Try pinging 0cat.com and you will see it goes to 69.50.160.98

But we can safely assume that using the uninstall doesn't remove msvcrta.dll

Thanks for that info.

Regards,

Pieter