A Windows XP help forum. PCbanter


YANDEX cookie



 
 
  #16  
Old January 11th 06, 03:40 PM posted to microsoft.public.windowsxp.security_admin

Andy wrote:
So what is it and how did you get rid of it?

Kerry


I don't know what it is or what it's called but it is activated (and
reactivated) by pulling those little gif images down from a handful of
sites including Yandex.ru and nix.ru. The gif is then executed
(thanks a lot MS!) and it appears to continue to pull updated info
from those sites (and a couple of others).

It creates smss.exe in the /windows dir also winlogon.exe in /windows
but deletes the latter after it's done its work. Explore process is
spawned by the dodgy smss so it can connect to web sites quietly.
Other processes are spawned and they look for all manner of files
including windows.exe in the "Program Files" dir... I could go on for
hours, it is nasty, it is hard to identify with "normal tools" and is
tricky to remove.

Every so often it will send screen captures and data to a remote
host.... bank passwords, email passwords, domain passwords.... you get
the idea.

I don't want to encourage script kiddies so I'll stop talking about it
now.... but if anyone has had the same symptoms and wants to know what
data of theirs is moving around the planet then let me know (your
infected machine name via email) and I'll check for it (if and/or when
I can).

Andy.


Thanks, I have seen similar. It can be a real pain to get rid of. The only
sure way is to kill the system and start again. It's impossible to be 100%
certain you got it all any other way.

Kerry


  #17  
Old January 19th 06, 01:21 AM posted to microsoft.public.windowsxp.security_admin

I am having the same exact problem. I can clear cookies and delete files
until I am blue in the face. Every time I launch Explorer and then look in the
history folder, it tells me that I have gone to some Russian site
(c893.narod.ru) and then there is a subpage in Russian that I have supposedly
visited. I then look in cookies and the YANDEX cookie is there. I also have
scanned my system with Symantec, Adaware, Microsoft Anti Spyware, Ewido and
SpyBot. Nothing kills this thing. Can you please tell me how you got rid of
it? You mention that you changed your hosts file but I do not know how to do
this. Help - this is driving me crazy.

"Tom Leylan" wrote:

Something is up but after searching the Internet for the last couple of days
I can find nothing mentioning this specifically. You may want to check
your computer to see if you have the same thing going on. And if anybody
can shed some light on the problem I'd be grateful.

For some reason IE won't hold on to cookies any longer even those I
need/want, giving me access to support sites and such. I cleared all the
cookies to see if I could spot something and sure enough one cookie remains.
It's named (where myaccount is my computer
account) and no matter what I do (including deleting the cookie) that file
returns.

These are the contents:

yandexuid
330739451136519475
yandex.ru/
1024
685931392
30492323
1909715872
29758068
*

Note the reference to a Russian site (the .RU) and YANDEX is apparently a
large Russian ISP. Point is I don't go anywhere near them, I can delete all
the cookies and this one just keeps reappearing. I've scanned my system a
couple of times and found a couple of trojans but these have been removed
yet my cookie problem remains.

So I'm wondering if anybody else has this persistent cookie and/or knows
where it comes from and how to get rid of it. I also need to find whatever
it is that is stopping legitimate cookies from remaining on my machine.

Thanks,
Tom
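The nine-line cookie record quoted in the post above can be decoded offline. This is an added example, not from any poster in the thread; it assumes the record follows the Internet Explorer cookie text-file layout (name, value, domain/path, flags, expiry FILETIME low and high words, creation FILETIME low and high words, then `*`), which the thread itself does not state.

```python
from datetime import datetime, timedelta, timezone

# The record exactly as quoted in the post; "*" ends each record.
SAMPLE = """yandexuid
330739451136519475
yandex.ru/
1024
685931392
30492323
1909715872
29758068
*
"""

FIELDS = 9  # assumed layout: eight fields plus the "*" terminator
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(low, high):
    """Join two 32-bit halves into a FILETIME (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text):
    """Return one dict per record; raise ValueError on a malformed file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) % FIELDS:
        raise ValueError("truncated record (%d lines)" % len(lines))
    cookies = []
    for i in range(0, len(lines), FIELDS):
        name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi, end = \
            lines[i:i + FIELDS]
        if end != "*":
            raise ValueError("record %d has no '*' terminator" % (i // FIELDS))
        cookies.append({
            "name": name, "value": value, "site": site, "flags": int(flags),
            "created": filetime_to_utc(cre_lo, cre_hi),
            "expires": filetime_to_utc(exp_lo, exp_hi),
        })
    return cookies


if __name__ == "__main__":
    for c in parse_cookie_file(SAMPLE):
        print(c["name"], c["site"], "created", c["created"].isoformat(),
              "expires", c["expires"].isoformat())
```

Under that layout the record decodes to a creation time of 2006-01-06 03:51:16 UTC and an expiry of 2016-01-04 03:51:15 UTC, so the creation stamp shows when the cookie was last set, which helps correlate its reappearance with other activity on the machine.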



  #18  
Old January 21st 06, 12:59 AM posted to microsoft.public.windowsxp.security_admin

"Scott" wrote...
I am having the same exact problem. I can clear cookies and delete files
until I am blue in the face. Every time I launch Explorer and then look in
the history folder, it tells me that I have gone to some Russian site
(c893.narod.ru) and then there is a subpage in Russian that I have
supposedly visited. I then look in cookies and the YANDEX cookie is there.
I also have scanned my system with Symantec, Adaware, Microsoft Anti Spyware,
Ewido and SpyBot. Nothing kills this thing. Can you please tell me how you
got rid of it? You mention that you changed your hosts file but I do not
know how to do this. Help - this is driving me crazy.


Oh good people are starting to notice :-) Here is what I did and would
suggest you consider...

Locate your "hosts" file.
It should be at C:\Windows\System32\drivers\etc\hosts

Add the following entries:
127.0.0.1 bs.yandex.ru
127.0.0.1 c893.narod.ru

and while you are there you can add the following to block a bunch of stupid
ads
127.0.0.1 ad.doubleclick.net

At that point requests to those sites are redirected to your machine which
clearly will fail. Erase the crazy cookies and empty the temporary folder
to get rid of anything that came from those Russian sites.

I think that alone takes care of it but I also dl'd the McAfee software. I
can't tell who knows what, when or where these days but this software
reported a number of problems and it did appear to remove them. Since then
I've had no weird cookies, my browser behaves normally and I never have
files from those sites appear again.

Best of luck... in fact if it works perhaps you could post a follow-up.

HTH,
Tom
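A check for the hosts-file step in the post above, as an added example that is not from any poster: it parses a hosts file and reports which host names mentioned in the thread are actually covered. The sample file is constructed, the helper names are hypothetical, and keeping the first entry seen for a name is an assumption about resolver behaviour.

```python
import ipaddress

# Constructed sample: a default localhost line plus the entries from the post.
SAMPLE_HOSTS = """\
# hosts file (constructed for this example)
127.0.0.1       localhost
127.0.0.1 bs.yandex.ru
127.0.0.1 c893.narod.ru
127.0.0.1 ad.doubleclick.net   # ads
"""

# Host names that appear in the thread.
THREAD_NAMES = ["bs.yandex.ru", "c893.narod.ru", "ad.doubleclick.net",
                "yandex.ru", "nix.ru"]


def parse_hosts(text):
    """Map lower-cased host name -> address, ignoring comments and bad lines."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: the line has no effect
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)  # assumed: first entry wins
    return table


def coverage(table, names):
    """Classify each name by exact match; hosts files have no wildcards."""
    result = {}
    for name in names:
        addr = table.get(name.lower().rstrip("."))
        if addr is None:
            result[name] = "not listed"
        elif addr.is_loopback or addr.is_unspecified:
            result[name] = "blocked"
        else:
            result[name] = "mapped to %s" % addr
    return result


if __name__ == "__main__":
    for name, state in coverage(parse_hosts(SAMPLE_HOSTS), THREAD_NAMES).items():
        print("%-22s %s" % (name, state))
```

Because matching is by exact name, the entry for bs.yandex.ru does not cover yandex.ru, the domain recorded in the cookie, and nix.ru is not listed either; each host name to be blocked needs its own line.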


 




All times are GMT +1.