0cat yellowpages

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Dec 27, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Shows up in a HijackThis log as:

    O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll

    O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll

    What doesn't show up is that it leaves behind a file called msvcrta.dll in the system(32) directory. This file is used to take the place of webcheck.dll

    It fetches popups from everytime it gets activated.

    If at one time you were infected with this toolbar and you are getting popups from there, use the following script, kindly made by Mosaic1.

    Dim Wshshell, result, fso, sysfol, nasty
    Set WshShell = Wscript.CreateObject("Wscript.Shell")
    Set fso = Wscript.CreateObject("scripting.FileSystemObject")
    sysfol = fso.GetSpecialFolder(1)
    Result = Wshshell.RegRead ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\")
    Result = LCASE(WshShell.ExpandEnvironmentStrings(Result))
    If Result <>  LCase(sysfol) &"\webcheck.dll" then
    Set nasty = fso.CreateTextFile("filename.txt",True)
    nasty.Writeline Now
    nasty.writeline Result
    Wshshell.Run "regsvr32 webcheck.dll" , , true
    Else MsgBox "Registry entry normal"
    End IF
    set nasty = nothing
     If fso.FileExists("filename.txt") Then Wshshell.Run "filename.txt"
    For now the only filename we have seen is msvcrta.dll

    In HijackThis click Config > Misc Tools > Delete a file on reboot >
    Choose the path to the file (f.e. C:\WINDOWS\system32\msvcrta.dll)
    and reboot when prompted to.
    Last edited: Dec 30, 2004
Thread Status:
Not open for further replies.