Pieter_Arntz
December 27th, 2004, 03:03 PM
Shows up in a HijackThis log as:
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll
What doesn't show up is that it leaves behind a file called msvcrta.dll in the system(32) directory. This file is used to take the place of webcheck.dll
It fetches popups from 69.50.160.100 everytime it gets activated.
If at one time you were infected with this toolbar and you are getting popups from there, use the following script, kindly made by Mosaic1.
Webcheck.vbs
Dim Wshshell, result, fso, sysfol, nasty
Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("scripting.FileSystemObject")
sysfol = fso.GetSpecialFolder(1)
Result = Wshshell.RegRead ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\")
Result = LCASE(WshShell.ExpandEnvironmentStrings(Result))
If Result <> LCase(sysfol) &"\webcheck.dll" then
Set nasty = fso.CreateTextFile("filename.txt",True)
nasty.Writeline Now
nasty.writeline Result
nasty.close
Wshshell.Run "regsvr32 webcheck.dll" , , true
Else MsgBox "Registry entry normal"
Wscript.quit
End IF
set nasty = nothing
If fso.FileExists("filename.txt") Then Wshshell.Run "filename.txt"
For now the only filename we have seen is msvcrta.dll
In HijackThis click Config > Misc Tools > Delete a file on reboot >
Choose the path to the file (f.e. C:\WINDOWS\system32\msvcrta.dll)
and reboot when prompted to.
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll
What doesn't show up is that it leaves behind a file called msvcrta.dll in the system(32) directory. This file is used to take the place of webcheck.dll
It fetches popups from 69.50.160.100 everytime it gets activated.
If at one time you were infected with this toolbar and you are getting popups from there, use the following script, kindly made by Mosaic1.
Webcheck.vbs
Dim Wshshell, result, fso, sysfol, nasty
Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("scripting.FileSystemObject")
sysfol = fso.GetSpecialFolder(1)
Result = Wshshell.RegRead ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\")
Result = LCASE(WshShell.ExpandEnvironmentStrings(Result))
If Result <> LCase(sysfol) &"\webcheck.dll" then
Set nasty = fso.CreateTextFile("filename.txt",True)
nasty.Writeline Now
nasty.writeline Result
nasty.close
Wshshell.Run "regsvr32 webcheck.dll" , , true
Else MsgBox "Registry entry normal"
Wscript.quit
End IF
set nasty = nothing
If fso.FileExists("filename.txt") Then Wshshell.Run "filename.txt"
For now the only filename we have seen is msvcrta.dll
In HijackThis click Config > Misc Tools > Delete a file on reboot >
Choose the path to the file (f.e. C:\WINDOWS\system32\msvcrta.dll)
and reboot when prompted to.