Velocity Reviews - Computer Hardware Reviews

Need help removing virus

 
 
Mrs Beeble Brock
 
      10-08-2005
Hi guys, I'm a bit stuck with what to do about this problem. Maxthon and
Internet Explorer were both acting strangely and opening to a "****
portal" homepage no matter how many times I reset the homepage to
another site.

Ran an AVG scan and found two problems in docs & settings here:
\myname\jpi_cache\jar\1.0\javainstaller.jar4514e5ea-3b1d3340.zip
and
\myname\jpi_cache\jar\1.0\javainstaller.jar4514e5ea-3b1d3340.zip\javainstaller\InstallerApplet.class

AVG quarantined the first one in its vault but said it couldn't heal the
second. Clicking on "more details" gives no further information.

Tried to run Xtra'x McAfee free scan but that and Sun Microsystems free
scan also require IE and as soon as I clicked on McAfee's description of
the virus, my whole system froze and I had to reboot. Is there another
browser that these scans will run on?

I'd be really grateful if someone could help me resolve this problem.

Thanks in advance,
Jo
 
 
 
 
 
S Roby
 
      10-08-2005
In article <BSE1f.16660$(E-Mail Removed)>, Mrs Beeble Brock <(E-Mail Removed)> wrote:
>Hi guys, I'm a bit stuck with what to do about this problem. Maxthon and
>Internet Explorer were both acting strangely and opening to a "****
>portal" homepage no matter how many times I reset the homepage to
>another site.


Empty the recycle bin & disable system restore
Run Win in safe mode & run the scan
 
 
 
 
 
Mrs Beeble Brock
 
      10-08-2005
S Roby wrote:
> In article <BSE1f.16660$(E-Mail Removed)>, Mrs Beeble Brock <(E-Mail Removed)> wrote:
>
>>Hi guys, I'm a bit stuck with what to do about this problem. Maxthon and
>>Internet Explorer were both acting strangely and opening to a "****
>>portal" homepage no matter how many times I reset the homepage to
>>another site.

>
>
> Empty the recycle bin & disable system restore
> Run Win in safe mode & run the scan


Thanks for your reply. Would you mind clarifying "disable system
restore" - where is this setting?
Jo
 
 
Mrs Beeble Brock
 
      10-08-2005

>
> Thanks for your reply. Would you mind clarifying "disable system
> restore" - where is this setting?
> Jo


Never mind - found it.
 
 
E. Scrooge
 
      10-08-2005

"Mrs Beeble Brock" <(E-Mail Removed)> wrote in message
news:lKF1f.16676$(E-Mail Removed)...
>
>>
>> Thanks for your reply. Would you mind clarifying "disable system
>> restore" - where is this setting?
>> Jo

>
> Never mind - found it.


Good luck, but a bugger of a program doesn't have to be a virus. You've been
hijacked with some crap that's changed your homepage, and if you click on
"customize" on your IE icon menu bar (right click for that) you'll probably
see new search icons in there for sex sites and whatever else the program
has chosen to add.

Download Hijack This and run it.
Your registry has most likely had crap added to it. Especially for the
homepage settings.

E. Scrooge


 
 
Mrs Beeble Brock
 
      10-08-2005
Mr Scrooge, thank you for your reply. I'll post my Hijack this log just
in case you or anyone else here can advise me on what to do next:


Logfile of HijackThis v1.99.1
Scan saved at 14:35:03, on 08/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Winfax\WFXMOD32.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\Winfax\WFXSWTCH.exe
C:\Program Files\MP3 Flash Drive Driver v2.08r022\shwicon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Yankee Clipper\YankClip.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Winfax\WFXCTL32.EXE
C:\Program Files\EZ-TV Multimedia\TVP3XP Remote Control\ECSRmte.exe
C:\Program Files\FreeWheel\FreeWheel.exe
C:\Program Files\TrayCal\TRCAL.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\AdAware\Ad-Aware.exe
C:\Program Files\FileBX 1 9 05\FileBX.exe
E:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.****-portal.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - URLSearchHook: Cram Toolbar -
{01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram
Toolbar\untitled.dll
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.xtra.co.nz/"); (C:\Documents and Settings\Jo
Weir\Application Data\Mozilla\Profiles\default\hv670ayk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Jo
Weir\Application Data\Mozilla\Profiles\default\hv670ayk.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} -
C:\PROGRA~1\CRAMTO~1\untitled.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7}
- c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class -
{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} -
C:\Program Files\Cram Toolbar\untitled.dll
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\Winfax\WFXSWTCH.exe
O4 - HKLM\..\Run: [ShowIcon_The Company_MP3 Flash Drive Driver
v2.08r022] "C:\Program Files\MP3 Flash Drive Driver
v2.08r022\shwicon.exe" -t"The Company\MP3 Flash Drive Driver v2.08r022"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program
Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common
Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [YankClip] C:\Program Files\Yankee Clipper\YankClip.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [UltraMon] C:\Program Files\UltraMon\UltraMon.exe
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [EPSON Stylus C80 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON
Stylus C80 Series" /O6 "USB001" /M "Stylus C80"
O4 - HKCU\..\Run: [FileBX] C:\Program Files\FileBX 1 9 05\FileBX.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
O4 - Startup: Tray Calendar.lnk = C:\Program Files\TrayCal\TRCAL.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\Winfax\WFXCTL32.EXE
O4 - Global Startup: EZ-TV TVP3XP Remote Control.lnk = C:\Program
Files\EZ-TV Multimedia\TVP3XP Remote Control\ECSRmte.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MS Office
XP\Office10\OSA.EXE
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program
files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program
Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program
Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MSOFFI~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -
res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/i...598/mcfscan.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{0A61F76A-56CC-4AF9-939D-93F279F95778}:
NameServer = 202.27.184.3,192.168.1.254
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program
Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. -
C:\WINDOWS\system32\mgabg.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program
Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. -
C:\WINDOWS\system32\Tablet.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation -
C:\WINDOWS\system32\WFXSVC.EXE

 
 
E. Scrooge
 
      10-08-2005

"Mrs Beeble Brock" <(E-Mail Removed)> wrote in message
news:IjJ1f.16716$(E-Mail Removed)...
> Mr Scrooge, thank you for your reply. I'll post my Hijack this log just in
> case you or anyone else here can advise me on what to do next:


Been a while since I needed to use it, and that was on the old PC.

The version you've downloaded probably has some changes as well.
From memory when it cleans out any odd looking files from the registry, it
can shove them in a backup folder so that you can restore any if some
program no longer works properly.
If all is working well then after a while you can delete those files.

All the Microsoft info should be safe.
Your problem sounded like a malicious program that just directs you to
certain websites - you might have seen some new search icons in the
customize menu with sex related descriptions or something related to a
certain search; it might be able to do a few other Net related things. If it
doesn't have a virus or one known to AVG then it wouldn't be detected by it.

Hijack This is reliable enough, with plenty of recommendations from those
that've used it. If you've done what you can with it, your homepage
shouldn't have that sex site or whatever. You might have to select the
homepage you used to use again.

E. Scrooge


 
 
Craig Sutton
 
      10-08-2005

"Mrs Beeble Brock" <(E-Mail Removed)> wrote in message
news:IjJ1f.16716$(E-Mail Removed)...
> Mr Scrooge, thank you for your reply. I'll post my Hijack this log just
> in case you or anyone else here can advise me on what to do next:
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.****-portal.com
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyOverride = localhost
> R3 - URLSearchHook: Cram Toolbar -
> {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram
> Toolbar\untitled.dll


You have a spyware/virus

This one
http://securityresponse.symantec.com...amtoolbar.html



 
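A defender-side check that pulls the pattern Craig points to out of a HijackThis log, written as an added example for this thread (not Craig's, HijackThis's or Symantec's own tooling): it groups the O2/O3/R3 hooks by DLL so that one file registered as BHO, toolbar and URLSearchHook at once stands out, and flags an R0 start page whose host is not one the user set. The sample lines are constructed from the posted log with the newsreader wraps rejoined; the set of expected homepage hosts is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the R0/R1/R3 lines Craig quotes plus the O2/O3 entries from the
# same posted HijackThis v1.99.1 log, with the newsreader's line wraps rejoined.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.****-portal.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll
"""

# O2 (BHO), O3 (toolbar) and R3 (URLSearchHook) lines share one shape: "type: name - {CLSID} - dll".
COM_ENTRY = re.compile(
    r"^(?P<sec>O2|O3|R3) - [^:]+: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<dll>.+)$")
# R0/R1 lines are "key,value = data" registry settings.
REG_ENTRY = re.compile(r"^(?P<sec>R[01]) - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into COM hook entries and registry (R0/R1) entries."""
    com, reg = [], []
    for line in text.splitlines():
        m = COM_ENTRY.match(line) or REG_ENTRY.match(line)
        if m:  # COM hook entries carry a clsid group, registry entries do not
            (com if "clsid" in m.groupdict() else reg).append(m.groupdict())
    return com, reg


def suspicious_components(com_entries):
    """Group IE extension points by DLL file name (8.3 and long paths both reduce to it).
    Returns {dll: sorted sections} for every DLL hooked into more than one point."""
    by_dll = defaultdict(set)
    for e in com_entries:
        by_dll[e["dll"].rsplit("\\", 1)[-1].lower()].add(e["sec"])
    return {dll: sorted(secs) for dll, secs in by_dll.items() if len(secs) > 1}


def start_page_hijack(reg_entries, expected_hosts):
    """Return the R0 Start Page URL when its host is not one the user set (assumed allowlist)."""
    for e in reg_entries:
        if e["sec"] == "R0" and e["value"].strip() == "Start Page":
            host = re.sub(r"^https?://", "", e["data"].strip()).split("/")[0].lower()
            if host not in expected_hosts:
                return e["data"].strip()
    return None
```

Run against the sample, `suspicious_components` reports only `untitled.dll` (hooked as O2, O3 and R3), and `start_page_hijack` with `{"www.xtra.co.nz"}` as the expected host returns the ****-portal URL.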
 
MsCynic
 
      10-09-2005
Craig Sutton wrote:

> "Mrs Beeble Brock" <(E-Mail Removed)> wrote in message
> news:IjJ1f.16716$(E-Mail Removed)...
>
>>Mr Scrooge, thank you for your reply. I'll post my Hijack this log just
>>in case you or anyone else here can advise me on what to do next:
>>
>>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
>>http://www.****-portal.com
>>R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
>>Settings,ProxyOverride = localhost
>>R3 - URLSearchHook: Cram Toolbar -
>>{01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram
>>Toolbar\untitled.dll

>
>
> You have a spyware/virus
>
> This one
> http://securityresponse.symantec.com...amtoolbar.html
>
>
>

Thanks Craig. My PC is now dead and in the shop getting its PSU
replaced, hopefully. Maybe the tech can also fix the virus.
Cheers,
Jo
 
 
 
 