Popups - I need help from an expert



#106
uzi

uzi

    New Member

  • Member
  • Pip
  • 5 posts

The relationship between 0cat and these popups is pretty clear.
Try pinging 0cat.com  and you will see it goes to 69.50.160.98

But we can safely assume that using the uninstall doesn't remove msvcrta.dll

Thanks for that info.

Regards,

Pieter



  • 0



#107
uzi

uzi

    New Member

  • Member
  • Pip
  • 5 posts
It is safe to say that 0cat.com is connected to 69.50.160.100 because I found the IP with a disassembler in the I guess it was the stiebar.dll, so 0cat.com running on 69.50.160.98 is connected to 69.50.160.100. Also here after removing msvcrta.dll no more popups.
The msvcrta.dll supports functions such as creating a winsock and launching windows. In addition the symbols --==-- are found in the msvcrta.dll as you can see always on the windows title bar like --=:Spyware Removal:=--
  • 0

#108
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Hi uzi,

Great to see you here.
How did you manage to disassemble that file?

I also have the installer if you want to have a go at that, PM me your email address and I will send it to you later today when I get home.

Regards,

Pieter
  • 0

#109
uzi

uzi

    New Member

  • Member
  • Pip
  • 5 posts
Hi Metallica

If you could send me the following files: stiebar.dll and A~NSISu_.exe
The A~NSISu_.exe exists only during the install proc. of OCatYellowpages.exe. It's written to the TEMP folder and then deleted. So if you can tell me where exactly to catch the bug (what site) I want to set the permissions on my temp folder so files can not be deleted, that should allow me to take a look at all the chicago bull files installing this bug as the A~NSISu_.exe and wininit.ini

I will send you my e-mail address. Rename all files with a .txt extension before attaching them to the e-mail.
Also, I W/R perfect German and will relay all findings to the German message board HJ.de

Thanks to you and all the guys for working on "oneclick/popup2.php"
  • 0

#110
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
uzi,

I sent you what I have on this one. I'll ask around for the installer for the 0cat toolbar, but I don't know if that will be successful.

My German is not as bad as it seems. Just writing all the signs that are not on my keyboards .... sometimes I don't bother. :tazz:

Regards,

Pieter
  • 0

#111
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
I just stumbled on this topic after the Holidays. I wish I had more to contribute. ;) Incredible work by everyone involved. This thread is a shining example of the resource I hoped this site would become, and more. Great teamwork guys. :tazz:

Pieter, for those of us playing catch-up. How do we recognize this infection, and has your reg-fix been a successful repair?
  • 0

#112
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts

I just stumbled on this topic after the Holidays. I wish I had more to contribute. :thumbsup: Incredible work by everyone involved. This thread is a shining example of the resource I hoped this site would become, and more. Great teamwork guys. :tazz:

Pieter, for those of us playing catch-up. How do we recognize this infection, and has your reg-fix been a successful repair?




Hi boss :cheers:

You are right: these guys were incredible. If all victims were like that, spyware would have another time coming. ;)

What I know I posted here:
http://www.wildersse...ead.php?t=59940

I think the msvcrta.dll will have to be removed from DOS or using Killbox or Hijackthis' option to "Delete a file on reboot"
Still looking into that.

Regards,

Pieter
  • 0

#113
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi Pieter!

Now that my popups are gone, and my machine is (hopefully) clean now, I haven't posted much here lately, but I'll continue to watch this topic vigilantly until the end. (Hopefully an antivirus update, antispyware update, or even a MS critical update!) When I started this a couple of weeks ago, I felt like the Lone Ranger, as all the early suggested fixes/diagnoses didn't help. And I had posted this problem to several other help forums, with very few responses. As Admin said, this is exactly how a forum like this should work. And for the other newbies out there ... if you have a weird problem, don't be reluctant to post it. You may not be the only one.

In your earlier post today, I went to your link (http://www.wildersse...ead.php?t=59940). I expected to find your (now famous) registry script and instructions, but instead I see you are now recommending a VBS script. I'm not familiar with how to run that. I assume it's simple ... but I guess so am I. And (although I don't know VBS) it seems to only address one registry key, while your previous fix dealt with three. (Including HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32) But again, I don't know VBS.

So, my questions are:

1) How would I run the VBS script? (Hopefully I no longer need it, but just in case ...)
2) Is this VBS script "better" than the regedit routine you were suggesting?
3) Does this VBS script not address all 3 registry keys?

Thanks again for the terrific work!

Best regards,

Jeff
  • 0

#114
ncjohnboy

ncjohnboy

    New Member

  • Member
  • Pip
  • 8 posts
Last time I posted, I was premature in declaring victory. The [bleep] popups came back like stink on you know what. This thing must have nine lives.

But I do have good news. Hopefully, this time it will stick. The popups have been gone for over a day so far. I saw a post on another board that identified the culprit as a file named msvcrta.dll that can be found in the Windows\System32 folder, at least in Win XP.

The path on my computer was C:\Windows\System32\msvcrta.dll

I was unable to delete this file directly because it was in use, but I was able to rename it to msvcrta.old and then reboot. I was able to delete after rebooting. Then I did a regedit search for msvcrta and deleted all instances (I think there were two) and rebooted.

If you are unable to delete this file, try using a great little freeware application called MoveOnBoot which can be downloaded for free at the following link:

http://www.snapfiles...moveonboot.html

Then I deleted another new 69.50.160.100/oneclick cookie and cleared my IE history and rebooted again. As I said, the popups finally seem to be gone.

I think this popup is related to something called 0cat yellowpages toolbar. The 0 in 0cat is a zero, not the letter O. Has anyone else had the 0cat problem in conjunction with the popups? My problem with the popups began when my computer acquired the 0cat yellowpages toolbar, which hijacked my browser's home page. I did a Google search for 0cat and found the following link containing removal instructions.

http://www.scanspywa...YellowPages.htm

I was able to remove the 0cat crap a couple days ago, but was left with the popups. Be sure to search your registry for 0cat and stiebar, as a couple instances of each had reappeared in my registry at the time I searched for msvcrta.

Good luck!

John
  • 0

#115
ncjohnboy

ncjohnboy

    New Member

  • Member
  • Pip
  • 8 posts
I feel a little stupid because I posted without reading the most recent posts first. I've spent so much time on various boards trying to find a popup remedy that I can't remember what's on what board.

Let me simply say that I can confirm that deleting msvcrta.dll along with the other steps seems to solve the problem.

John
  • 0



#116
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts

I've spent so much time on various boards trying to find a popup remedy that I can't remember what's on what board.

Welcome to the club, John!

Now that Pieter found and offered a solution (with the help of lots of contributor/victims), I don't know what I'll do with all my spare time. :tazz:
  • 0

#117
ncjohnboy

ncjohnboy

    New Member

  • Member
  • Pip
  • 8 posts
Jeff,

After leaving my "I feel stupid post" I feel even stupider because I've discovered that I missed several pages of posts on this topic, and I'm wondering if I got everything off my machine. There are so many posts containing bits and pieces of what to remove from the registry, that it would be nice if someone could post a definitive step by step manual removal guide. All the VBS script stuff is way over my head.

Bottom line is that the popups are still gone, but now I'm paranoid. :tazz:

John
  • 0

#118
JeffR

JeffR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi John!

Actually, the jury is still out on a "final" solution. As I understand it, Pieter is still waiting for a comprehensive analysis of the killer msvcrta.dll file, as well as the 0cat installer executable. (And perhaps other related bad stuff.) I assume he'll get back to us when he learns more. Pieter's elegant little reg-fix utility instructions are in the following post (on page 5 of this topic):

http://www.geekstogo...indpost&p=30122

That fix seems to solve the popup problem. As far as I know, it is still a mystery as to why, even after using his suggestion to fix the registry entries, most people still cannot delete the msvcrta.dll file from the system folder. But several people seem to have been successful removing it using DOS (renaming it actually), HJT (remove on next boot), or other utilities.

I've been "popup-free" for 50 hours now, and it feels great! :tazz: I'm sure you understand my elation, but my wife and friends don't seem to appreciate it.

Regards,

Jeff
  • 0

#119
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
About the vbs file.

For those that don't know Mosaic1 who wrote that script.
She, TonyKlein and FreeAtlast taught me everything I know about troubleshooting unwanted invaders on your PC.

What it does is simple. It checks if the Webcheck is done by the dll that should do it (webcheck.dll)
If it is, it just reports you're OK.
If not, it finds and registers webcheck.dll
Which is a far more effective way of resetting everything to how it should be.

All that needs to be done after that is get rid of msvcrta.dll

I am still looking for the most effortless way to delete it. We know that from DOS works every time but we can probably use HijackThis' "Delete a file on reboot" option as well, which is much easier to explain and less accident-prone.

So far I have submitted the files to AdAware, Intermute and Symantec.
Samples were also sent to DiamondCS and BoClean.

Most AV vendors will probably not be interested since it is "merely" adware.

Regards,

Pieter
  • 0
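
The check described in post #119, as an added example that is not Mosaic1's script and not part of the original thread. It assumes the key JeffR quotes in post #113 is the WebCheck registration; `classify_inproc_server` and `read_live_value` are names introduced here, and flagging a webcheck.dll outside System32 goes beyond what the post describes.

```python
import ntpath
import re

# Key quoted in the thread; treating it as the WebCheck registration is an assumption.
WEBCHECK_KEY = r"CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
EXPECTED_DLL = "webcheck.dll"


def classify_inproc_server(value, system_root=r"C:\Windows"):
    """Return (verdict, resolved_path); verdict is ok, hijacked or missing."""
    if not value or not value.strip():
        return "missing", None
    # REG_EXPAND_SZ data is returned unexpanded, so expand the usual variables here.
    path = re.sub(r"%(systemroot|windir)%", lambda m: system_root,
                  value.strip().strip('"'), flags=re.I)
    path = ntpath.normpath(path).lower()
    folder, name = ntpath.split(path)
    system32 = ntpath.join(system_root, "system32").lower()
    if name != EXPECTED_DLL:
        return "hijacked", path      # another DLL (e.g. msvcrta.dll) handles WebCheck
    if folder not in ("", system32):
        return "hijacked", path      # right file name, wrong folder
    return "ok", path


def read_live_value():
    """Read the key's default value on a live Windows system (None if absent)."""
    import winreg  # Windows-only; imported lazily so the classifier runs anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, WEBCHECK_KEY) as key:
            return winreg.QueryValueEx(key, "")[0]
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    import os
    root = os.environ.get("SystemRoot", r"C:\Windows")
    print(classify_inproc_server(read_live_value(), root))
```

This only reports; re-registering webcheck.dll and deleting msvcrta.dll remain the separate steps described in the thread.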

#120
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
I got this file from another victim.
He posted here: http://www.geekstogo...opic=6366&st=0#

He found a[1].com in his temporary internet files.
That file contains:

document.write('<a href="http://partner.alexa.com/amzn/redirect_to_detail?url=http://69.50.160.100/oneclick/popup2.php?acc=acc0001">');document.write('<img border="0" src="http://xsltcache.alexa.com/site_stats/gif/t/a/NjkuNTAuMTYwLjEwMA==/s.gif" width="120" height="65"  alt="Alexa Certified Traffic Ranking for 69.50.160.100" >');document.write('</a>');

Regards,

Pieter

Edited by Metallica, 28 December 2004 - 01:58 PM.

  • 0
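
An added example (not part of the original post) that triages the a[1].com contents quoted in post #120: it lists every URL, unwraps the URL carried in the redirector's query string, and decodes base64 path segments, which shows that the Alexa image URL carries the same 69.50.160.100 address in encoded form. The function names are introduced here; the sample string is copied from the post.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Contents of a[1].com as quoted in post #120.
SAMPLE = r"""document.write('<a href="http://partner.alexa.com/amzn/redirect_to_detail?url=http://69.50.160.100/oneclick/popup2.php?acc=acc0001">');document.write('<img border="0" src="http://xsltcache.alexa.com/site_stats/gif/t/a/NjkuNTAuMTYwLjEwMA==/s.gif" width="120" height="65"  alt="Alexa Certified Traffic Ranking for 69.50.160.100" >');document.write('</a>');"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
B64_SEGMENT = re.compile(r"[A-Za-z0-9+/]{6,}={0,2}")


def unwrap(url):
    """Yield the URL plus any URL carried in its query string (redirector pattern)."""
    yield url
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                yield from unwrap(value)


def decode_path_segments(url):
    """Return printable ASCII strings hidden as base64 path segments."""
    found = []
    for segment in urlsplit(url).path.split("/"):
        if len(segment) % 4 or not B64_SEGMENT.fullmatch(segment):
            continue
        try:
            text = base64.b64decode(segment, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # looked like base64 but is ordinary text
        if text.isprintable():
            found.append(text)
    return found


def triage(script_text):
    """Collect every URL, nested URL, host and decoded segment in a script."""
    urls, decoded = [], []
    for match in URL_RE.findall(script_text):
        for url in unwrap(match):
            if url not in urls:
                urls.append(url)
                decoded.extend(decode_path_segments(url))
    hosts = sorted({urlsplit(u).hostname for u in urls})
    return {"urls": urls, "hosts": hosts, "decoded": decoded}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```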





