[vangogh]

I once spoke on the phone to one of my a colleagues. At that time I was working in a callcenter for one of the big antivirus companies. We were discussing the damage that the loveletter virus could bring to our customers. I remember saying that the worst it could do is overwriting our precious holiday pictures. My colleague agreed, but after a pause he added: "It could also be some files that contain medical information which a docter in a third world country is trying to access". I felt a little embarased that I had only been thinking of my own situation, my own pc with my holiday pictures and my important essays.
Watching the news of the disastrous events and suffering in south east Asia, I rembered this.


For those that are creating virusses and other malicious software, the stuff that this forum is trying to stop: You might want to consider that people have enough to deal with, and there is no need to make things worse. Think of people that can't own and operate pc's instead.

[Advertisements]

Pieter,

How does an ordinary mortal with no programming knowledge or tools execute the VBS script? If I already used the registry fix you prescribed earlier, do I still need the VBS script?

Also, I just made a small PayPal donation on your web page:

http://home.planet.n....html#voorkomen

Pieter is too polite to ask for money on this forum, but I think everyone who he has helped should consider leaving a tip through the PayPal donation button on his web page listed above.

John

[ncjohnboy]

Pieter,

How does an ordinary mortal with no programming knowledge or tools execute the VBS script? If I already used the registry fix you prescribed earlier, do I still need the VBS script?

Also, I just made a small PayPal donation on your web page:

http://home.planet.n....html#voorkomen

Pieter is too polite to ask for money on this forum, but I think everyone who he has helped should consider leaving a tip through the PayPal donation button on his web page listed above.

John

[JeffR]

Sofar I have submitted the files to AdAware, Intermute and Symantec
Samples were also sent to DiamondCS and BoClean.

Most AV vendors will probably not be interested since it is "merely" adware.

I would argue that this is not necessarily a "victimless" crime, just because it is "merely" adware. In this case, the bad guys chose to exploit this method to force the user's PC to go to web pages advertising (relatively) harmless products (Cialis, Valium, Online Poker, some kind of [probably bogus] anti-spyware software, etc.), at seemingly random intervals ... often when the desktop was idle. But they could just as well have chosen to randomly pop up web pages that would be very objectionable (porn, etc.), or even sites containing other malicious code to exploit other Windows and/or IE security holes.

Enough venting. I'm still very very happy it's fixed!

Pieter, I too would like to know how to execute the VBS script. Is it simply a matter of running the .vbs file? (i.e. double-clicking on it?)

Jeff

[Metallica]

I added the script as webcheck.txt to this post.
Rename it to webcheck.vbs and doubleclick to execute.

If you already applied the registry fix it will not do anything.

Jeff, although I would agree that it is annoying and invading, in my experience the AV vendors are not interested in malware that "only" displays ads.
Maybe the method used will draw some interest.

I'll try and get it across since it is hard to diagnose and clearly affiliated with the "Russian mob" that is generally referred to as CWS.
(They already have a few files classified as trojans)

Regards,

Pieter

Attached Files

•  webcheck.txt   744bytes   304 downloads

[JeffR]

I just ran the webcheck.vbs script. My Norton Antivirus stopped it, told me it was doing potentially bad things, and asked me if I wanted to allow it. (Which I did.) Interesting... Too bad Norton didn't stop the bad guys when they messed with the registry in the first place.

Kind of like a security guard who stops the rescue team when they try to come in through the front door. 'Hey ... you can't go in there ... it's a restricted area!" But he should have stopped the bad guys three weeks ago when they snuck in through the back door.

The important thing is ... I'm clean! No more popups! And I learned a lot about anti-spyware software and techniques, registry edits, and even a little bit about vbs scripts. Pieter, your web site is terrific, and I already sent that link to a few people who could really use it. (http://home.planet.n...wareinfoen.html)

Thanks again,

Jeff

[vangogh]

It looks like the first spyware vendors are comming with solutions. The guys of GIANT AntiSpyware just pushed out new signatures an hour ago. I did a complete scan and for the first time it came up with a notice that I have the Ocat.yellowpages Browser plug-in. I did lots of scans before but it never found the problem before.

[machale]

I've been living with this adware for quite some time (since late November?). At the time I was unable to find much useful info about it, but I found this thread after the holidays. Hallelujah! Thanks so much to Pieter and everyone else.

One problem I had was trying to piece together the various steps from the different posts here. Also, I did have the same two registry entries others had, but I could not get either of Pieter's scripts (webcheck.reg and webcheck.vbs) to work. I reviewed the .vbs script and saw it really came down to re-registering webcheck.dll.

This whole episode was a minor nightmare to figure out but, in the end, my clean-up was pretty easy.

Here's a summary of what worked for me under Windows XP SP1 (I assume this would also work under SP2):

1. Disable/remove msvcrta.dll. I used Security Task Manager (free trial http://www.neuber.com/taskmanager/) to "Remove -> Move file to quarantine" and then rebooted. I ran Security Task Manager again to confirm the msvcrta.dll process was gone.
2. Clean out the Prefetch folder. I just used Windows Explorer to go to C:\WINDOWS\Prefetch and deleted everything there, and then rebooted again.
3. Clean up the registry entries. I opened a Cmd prompt (Start -> Run -> cmd) and entered the command "regsvr32 webcheck.dll" (without quotes). I then rebooted a third time.

I seem to be clean now and have not seen the pop-ups since running through these 3 steps. The msvcrta.dll process is not running, and searching for "msvcrta.dll" in regedit finds it only in the context of Security Task Manager. Yippee!

Thanks again to everybody who helped.

[Metallica]

You didn't have to get Task manager for that (although it is a handy program)

In HijackThis click Config > Misc Tools > Delete a file on reboot will do the trick as well.

The script was written in case the "bad guys" decide to start using random names instead of msvcrta.dll

But your method covers all bases, so you did great.

Regards,

Pieter

[machale]

Actually, since I had no luck finding info on this before the holidays, I was just digging around again. I came across Security Task Manager and decided to try it out. msvcrta.dll was sitting there right at the top of the "bad guys" list. I Googled it, and found this forum thread. You made it easy from there!

BTW, I have a 45 MB .rtf file with all my notes about this thing, including screen shots, process lists, some analysis of files in my IE cache, some research on the various IPs and DNS names involved, etc. If you or one of your contacts would find this useful, let me know and I can send it to you.

Thanks again, Pieter.

Mac

[solofara]

It works!

I followed Machale's procedure, coupled with Metallica's addendum and I'm now add-free for the first time in months! Yippee.

I'm so grateful to Metallica (Pieter), JeffR, machale, and the others for their efforts in seeing this through to completion!

Thanks again-
Solofara

[DJOHNSEN]

hi,

I had the same problem, thanks to you people i have been
pop up free for 4 whole hours

thank you so very much