0cat yellowpages

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Dec 27, 2004.

Thread Status:
Not open for further replies.
Pieter_Arntz (Spyware Veteran). Joined: Apr 27, 2002. Posts: 13,330. Location: Netherlands.

    Shows up in a HijackThis log as:

    O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll

    O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll

    What doesn't show up is that it leaves behind a file called msvcrta.dll in the system(32) directory. This file is used to take the place of webcheck.dll

    It fetches popups from 69.50.160.100 every time it gets activated.

    If at one time you were infected with this toolbar and you are getting popups from there, use the following script, kindly made by Mosaic1.

    Webcheck.vbs
    Code:
    ' Webcheck.vbs (by Mosaic1): checks that the WebCheck CLSID still points at the
    ' genuine webcheck.dll in the system folder, and re-registers that DLL if it does not.
    Dim WshShell, Result, fso, sysfol, nasty
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set fso = WScript.CreateObject("Scripting.FileSystemObject")
    sysfol = fso.GetSpecialFolder(1)   ' 1 = SystemFolder, e.g. C:\WINDOWS\system32
    
    ' Default value of InProcServer32 for the WebCheck CLSID (trailing backslash = default value)
    Result = WshShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\")
    Result = LCase(WshShell.ExpandEnvironmentStrings(Result))
    
    If Result <> LCase(sysfol) & "\webcheck.dll" Then
        ' Hijacked: log the time and the bogus path, then restore the real registration
        Set nasty = fso.CreateTextFile("filename.txt", True)
        nasty.WriteLine Now
        nasty.WriteLine Result
        nasty.Close
        WshShell.Run "regsvr32 webcheck.dll", , True
    Else
        MsgBox "Registry entry normal"
        WScript.Quit
    End If
    
    Set nasty = Nothing
    
    ' Open the log so the user can see which file had taken webcheck.dll's place
    If fso.FileExists("filename.txt") Then WshShell.Run "filename.txt"

    For now the only filename we have seen is msvcrta.dll

    In HijackThis click Config > Misc Tools > Delete a file on reboot >
    Choose the path to the file (e.g. C:\WINDOWS\system32\msvcrta.dll)
    and reboot when prompted to.
     
    Last edited: Dec 30, 2004
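As an added example (not part of the post and not Mosaic1's script), the following Python reproduces the post's two checks in a form that runs offline on any OS: it parses the O2/O3 lines of a HijackThis log and flags entries matching the 0CAT indicators quoted above (the two CLSIDs, STIEbar.dll, msvcrta.dll), and it applies the same decision Webcheck.vbs makes to an InProcServer32 value, with %VAR% expansion done by hand instead of via the live registry. The sample log and the InProcServer32 values are constructed; the third CLSID in the sample is a placeholder for an unrelated BHO.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Indicators quoted in the post: the two 0CAT YellowPages CLSIDs from the
# HijackThis O2/O3 lines, the toolbar DLL, and the file it drops in system32.
KNOWN_0CAT_CLSIDS = {
    "{D797AD6C-6447-4DB4-91D0-090344408E72}",  # O2 - BHO: STIEbarBHO Class
    "{679695BC-A811-4A9D-8CDF-BA8C795F261A}",  # O3 - Toolbar: 0CAT Yellow Pages
}
KNOWN_0CAT_FILES = {"stiebar.dll", "msvcrta.dll"}

# Matches "O2 - BHO: <name> - {CLSID} - <path>" and "O3 - Toolbar: <name> - {CLSID} - <path>".
HJT_LINE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


class HjtEntry(NamedTuple):
    kind: str    # "O2" or "O3"
    name: str
    clsid: str
    path: str


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Parse the O2/O3 lines of a HijackThis log; all other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(*m.groups()))
    return entries


def flag_0cat(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Return the entries whose CLSID or DLL file name matches the 0CAT indicators."""
    hits = []
    for e in entries:
        file_name = e.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if e.clsid.upper() in KNOWN_0CAT_CLSIDS or file_name in KNOWN_0CAT_FILES:
            hits.append(e)
    return hits


def webcheck_entry_is_normal(inproc_value: str, system_folder: str,
                             env: Optional[Dict[str, str]] = None) -> bool:
    """Same decision as Webcheck.vbs: expand %VAR% references, lowercase, and
    require the InProcServer32 default value to equal <system folder>\\webcheck.dll.
    Expansion uses the dict passed in (assumed, not the live environment) so the
    check runs on any OS."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).upper(), m.group(0)),
                      inproc_value)
    expected = system_folder.rstrip("\\") + "\\webcheck.dll"
    return expanded.strip().lower() == expected.lower()


# Constructed sample log (not a real capture): the two 0CAT lines from the post
# plus one unrelated BHO with a placeholder CLSID.
SAMPLE_LOG = r"""
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar.dll
"""

if __name__ == "__main__":
    for hit in flag_0cat(parse_hjt(SAMPLE_LOG)):
        print(f"0CAT indicator: {hit.kind} {hit.name} {hit.clsid} -> {hit.path}")
    # Two constructed InProcServer32 values: the genuine one and a hijacked one.
    for value in (r"%SystemRoot%\system32\webcheck.dll", r"C:\WINDOWS\system32\msvcrta.dll"):
        ok = webcheck_entry_is_normal(value, r"C:\WINDOWS\system32", {"SystemRoot": r"C:\WINDOWS"})
        print(f"{value}: {'normal' if ok else 'HIJACKED'}")
```

Like the VBS, the comparison is an exact string match after expansion and lowercasing, so a value wrapped in quotes or pointing at a different but legitimate copy of the DLL would also be reported as abnormal; that is the conservative behaviour you want when the only known bad case is a substituted file name.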