Help!

The Huns Had Yellow Pages?

stoneking
Joined: Apr 26, 2003
Posts: 22
Posted: Mon Jun 02, 2003 11:10 pm

Oh great techno-wizards, once again I request your wise advice. (Can you tell I'm really stumped?)

Okay- not too long ago my machine was slammed by a virus/worm/something nasty. I'm back up and running, but I noticed that I now have some unusual things in the registry.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]

"ChannelLocale"="0000"
"Build"="62600.0000"
"Version"="6.0.2600.0000"
@=""
"IntegratedBrowser"=dword:00000001
"MkEnabled"="Yes"
"IVer"="103"
"SearchURL"="http://www.the-huns-yellow-pages.com/sp.html"

In that same thread I also have 31 of these:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd]
"MPlayer2.Set"="yes"
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

I purchased the Registry Mechanic and it doesn't find anything wrong. Is there? Why would it need to have 31 of the exact same thing? Can I just change/delete the 'huns-yellow-pages'? I'm running Win98se.

Thanx in advance!
Buster2058
Joined: Mar 12, 2003
Posts: 709
Posted: Tue Jun 03, 2003 1:27 am

I went to that huns yellow page site. It's full of links for porno.

Try running spybot or some of the other spyware remover programs and see if they don't remove it. Spybot-S&D
Otherwise, if nothing removes it, I would be tempted to delete the entries by hand.
dgiese01
Joined: Mar 12, 2003
Posts: 139
Posted: Tue Jun 03, 2003 6:09 am

Cute little spybot. I think you will find that all your friends are getting popups from them now. It tracks you when you are connected to the net. It also seems to track your emails, or at least the IPs. If it finds the recipient uses an acceptable browser, it pops there too.
Very small package, 137 bytes initially; in a strange way I like it.
Send me an email. If you haven't erased it I should then receive a tracking bot embedded. I then can check it out.
But here is the info you need....

To get rid of it:
Del all references of :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd]
"MPlayer2.Set"="yes"
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"

and

"SearchURL"="http://www.the-huns-yellow-pages.com/sp.html"

or

To deactivate it :

just change the "yes" in the line "MPlayer2.Set"="yes" to "no"

but I would be wondering what also has been embedded elsewhere. I am not good enough really for that. I just get rid of it. Maybe one of our fellow Gnomies would be willing to be infected to track it.

I went to the site... nothing. And then I turned off my firewalls and A/V protection and allowed the site to lock on to my browser and embed. I noted that my browser speed went down by a bit. I then restored original settings, and speed went back up. I compared the two registries and extracted all information and programming that was different between the two time periods. Found almost 100 lines of code different. I am not good enough to read it though. Cute. Now I would like to see if the two instances are the same (yours and mine) or configured per instance. If the same then easy to rid. Simple. If different then each system must be individually cleaned.

The mutation per system is designed for the express purpose of concealment. This way antiviruses cannot see it. The inoculation code is designed to look for xxxx code. If the virus mutates based on certain registry values then my system might be XXXy, yours xxxy, and someone else's xxxz. The only way to track it is to compare a previous registry and the present. The problem is to know acceptable changes in the registry from virus-induced changes. I also suspect that the actual parent code is in the website and only its stepchild resides on your system.


I have written viruses based on certain registry entries just for fun a while back. But to have it mutate, per system, now that's cute. Do not take my calling it cute for condoning it (virus embedding); in fact, the total opposite. I dislike any program or code that I have not expressly allowed in my system. I very often delete any program that does not delineate the changes in my system or does it for no other purpose than concealment.

Please let me know your solution.

stoneking
Joined: Apr 26, 2003
Posts: 22
Posted: Tue Jun 03, 2003 9:32 am

I knew that something was wrong!

I run AdAware after every net session (and have updated it faithfully) but it didn't catch this one. I've been to Trend and Nortons free scanning sites and neither have found this one. I sent off the same info I posted (above) to the Symantec folks- I wonder if they'll bother to answer?

I bought that Registry Mechanic Sunday (hoping it could tell me what was happening) but, aside from some broken links and some references to programs on the (CD) E drive, it didn't see anything wrong either.

I also resent programs that don't bother to tell you they're going to be making changes. Blessings on you both for taking the time to answer. I'll be heading to that Spybot site and let you know what happens.

Thanx again for your help.
Sluggo
Joined: Jan 07, 2003
Posts: 98
Posted: Tue Jun 03, 2003 10:22 am

Quote:
I compared the two registries and extracted all information and programming that was different between the two time periods. Found almost 100 lines of code different.

Hi dgiese01

I'm just curious as to what you used to do that?

Thanks
stoneking
Joined: Apr 26, 2003
Posts: 22
Posted: Tue Jun 03, 2003 11:02 pm

I sure appreciated the Spybot tip. The program has an option to change the URLs, so I was able to easily change the huns-yellow-pages.

Sadly, the majority of the spies on my machine are from Creative Labs. I have their Audigy Platinum sound card and their external CD-RW (and the Nero Burning SW [no longer accessible; it thinks my trial offer has expired]).

I was amazed at the companies who write spies, and most of them are in the high-dollar programs. If they are so interested in what/where I'm going, they should have to pay me for the privilege of finding out.

Thanx again for your help!
dgiese01
Joined: Mar 12, 2003
Posts: 139
Posted: Wed Jun 04, 2003 6:53 am

To the question of how. There are more than a few commercial programs for that.
But this is how I did it about 4 or 5 years ago.
First make a pdf copy of the reg... infect... copy that reg as pdf... restore... open pdf of infected reg... change all font color to red... overlay on original reg pdf and note differences. Crude but doable.

There is an easier way without paying. without warez. Freeware.

To the last response. If you check the EULA of most programs that are free or shareware then you will find that you gave your permission for this. The acceptance of the EULA in the installation procedure is where you gave permission. As long as the spybots are known I have no problem. The program has to be paid for somehow. But the instance you have brought to the table is not of that ilk. I take umbrage with the spybots that do not ask permission and there are myriad.

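The before/after registry comparison described in this post, applied to the kind of export stoneking pasted earlier in the thread, can be done with a small script instead of overlaid PDFs. This is an added example, not code from anyone in the thread: it parses two REGEDIT4-style exports (constructed samples, not real dumps), diffs them, and lists the entries a cleanup should look at first, namely rewritten browser redirect values such as SearchURL and anything newly added under EmbedExtnToClsidMappings. The watched value names "Start Page" and "Search Page" are real Internet Explorer values but are not mentioned on this page.

```python
import re
# Constructed REGEDIT4 (Win98) exports, not real dumps: a clean baseline and
# the same keys after the hijack described in the thread.
BEFORE = """REGEDIT4
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer]
"Version"="6.0.2600.0000"
"SearchURL"="http://search.example.test/search?q=%s"
"""
AFTER = """REGEDIT4
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer]
"Version"="6.0.2600.0000"
"IVer"="103"
"SearchURL"="http://www.the-huns-yellow-pages.com/sp.html"
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\EmbedExtnToClsidMappings\\.wmd]
"MPlayer2.Set"="yes"
@="clsid:05589fa1-c356-11ce-bf01-00aa0055595a"
"""
# IE values a hijacker rewrites to redirect the browser; watched across the diff.
WATCHED = {"SearchURL", "Start Page", "Search Page"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # name=data; "@" is the default value

def parse_reg(text):
    """Flatten a .reg export into {(key_path, value_name): raw_data}."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if m:
            entries[(key, m.group(1).strip('"'))] = m.group(2)
    return entries

def diff_reg(before, after):
    """Return (added, removed, changed) entries between two parsed snapshots."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, changed

def hijack_indicators(before_text, after_text):
    """Diff two exports; list rewritten redirect values and new EmbedExtnToClsidMappings entries."""
    added, _, changed = diff_reg(parse_reg(before_text), parse_reg(after_text))
    hits = [f"CHANGED {k[1]}: {o} -> {n}" for k, (o, n) in changed.items() if k[1] in WATCHED]
    hits += [f"ADDED {k[1]} = {v}" for k, v in added.items()
             if k[1] in WATCHED or "EmbedExtnToClsidMappings" in k[0]]
    return hits
```

Unchanged values (here "Version") and unrelated additions (here "IVer") stay out of the report, which is the "acceptable changes versus virus-induced changes" filter the post says is the hard part.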
Sluggo
Joined: Jan 07, 2003
Posts: 98
Posted: Wed Jun 04, 2003 10:30 am

Quote:
To the question of how. There are more than a few commercial programs for that.
But this is how I did it about 4 or 5 years ago.

First make a pdf copy of the reg... infect... copy that reg as pdf... restore... open pdf of infected reg... change all font color to red... overlay on original reg pdf and note differences. Crude but doable.

There is an easier way without paying. without warez. Freeware.

Hi dgiese01

OK, thanks for the explanation
Mikey1
Joined: Dec 05, 2002
Posts: 202
Posted: Wed Jun 04, 2003 6:33 pm

You've been hijacked. If you haven't gotten this fixed yet, read this and follow the directions:
http://www.spywareinfo.com/articles/hijacked/
DarkStar
Joined: Dec 24, 2002
Posts: 1603
Posted: Wed Jun 04, 2003 7:59 pm

I agree about spywareinfo.com. It's a good site. They have a good newsletter too.
stoneking
Joined: Apr 26, 2003
Posts: 22
Posted: Wed Jun 04, 2003 11:56 pm

I think I need a larger case- then I could have an extra HD just for all of the programs I need to keep the others running smoothly!

*mutter/grumble* Hijackers- what jerks! Thanx for the link- I'll check it out too. I'm afraid I've dinked enuf w/ it that a utility won't help much but at least I'll have it for any future use.

Has anyone heard of an aggressive anti-spy? So when I found a spy I could go, 'Sic 'em' and my anti-bot could speed out over the web and crash them? It would certainly serve them right! I've spent at least a month researching and trying to fix the mess that was made of my machine. I'd love to send someone a bill.

When I finished running Spybot last nite I was so ticked that I sent Creative Labs a note asking how to get all of their flippin' spies off my system. I was amazed when I got this reply:

At this point, which software are you referring to specifically? The
CD-RW Blaster comes usually bundled with more than one software utility.
I'm going to reply, "How about ALL of them in Nero, InCD and Creative Labs." I don't get a prompt to disconnect unless I quit out of the sound card program. Gee, I wonder if it is a spy too?

Thanx once again for all of your help. It is much appreciated!
Mikey1
Joined: Dec 05, 2002
Posts: 202
Posted: Thu Jun 05, 2003 2:16 am

Quote:
*mutter/grumble* Hijackers- what jerks! Thanx for the link- I'll check it out too. I'm afraid I've dinked enuf w/ it that a utility won't help much but at least I'll have it for any future use.

Has anyone heard of an aggressive anti-spy? So when I found a spy I could go, 'Sic 'em' and my anti-bot could speed out over the web and crash them?

If you still have the problem, that page will show you how to fix it. Or if nothing else, you can post HijackThis logs here and I'll show you what to get rid of. We do this dozens of times a day at my forums.

The best antispyware program is Spybot, so you're good there.