Need help removing virus

Discussion in 'NZ Computing' started by Mrs Beeble Brock, Oct 8, 2005.

  1. Hi guys, I'm a bit stuck with what to do about this problem. Maxthon and
    Internet Explorer were both acting strangely and opening to a "****
    portal" homepage no matter how many times I reset the homepage to
    another site.

    Ran an AVG scan and found two problems in docs & settings here:
    \myname\jpi_cache\jar\1.0\javainstaller.jar4514e5ea-3b1d3340.zip
    and
    \myname\jpi_cache\jar\1.0\javainstaller.jar4514e5ea-3b1d3340.zip\javainstaller\InstallerApplet.class

    AVG quarantined the first one in its vault but said it couldn't heal the
    second. Clicking on "more details" gives no further information.

    Tried to run Xtra's McAfee free scan, but that and Sun Microsystems' free
    scan also require IE, and as soon as I clicked on McAfee's description of
    the virus my whole system froze and I had to reboot. Is there another
    browser that these scans will run on?

    I'd be really grateful if someone could help me resolve this problem.

    Thanks in advance,
    Jo
     
    Mrs Beeble Brock, Oct 8, 2005
    #1

  2. Mrs Beeble Brock

    S Roby Guest

    In article <BSE1f.16660$>, Mrs Beeble Brock <> wrote:
    >Hi guys, I'm a bit stuck with what to do about this problem. Maxthon and
    >Internet Explorer were both acting strangely and opening to a "****
    >portal" homepage no matter how many times I reset the homepage to
    >another site.


    Empty the recycle bin & disable system restore
    Run Win in safe mode & run the scan
     
    S Roby, Oct 8, 2005
    #2

  3. S Roby wrote:
    > In article <BSE1f.16660$>, Mrs Beeble Brock <> wrote:
    >
    >>Hi guys, I'm a bit stuck with what to do about this problem. Maxthon and
    >>Internet Explorer were both acting strangely and opening to a "****
    >>portal" homepage no matter how many times I reset the homepage to
    >>another site.

    >
    >
    > Empty the recycle bin & disable system restore
    > Run Win in safe mode & run the scan


    Thanks for your reply. Would you mind clarifying "disable system
    restore" - where is this setting?
    Jo
     
    Mrs Beeble Brock, Oct 8, 2005
    #3

  4. >
    > Thanks for your reply. Would you mind clarifying "disable system
    > restore" - where is this setting?
    > Jo


    Never mind - found it.
     
    Mrs Beeble Brock, Oct 8, 2005
    #4
  5. Mrs Beeble Brock

    E. Scrooge Guest

    "Mrs Beeble Brock" <> wrote in message
    news:lKF1f.16676$...
    >
    >>
    >> Thanks for your reply. Would you mind clarifying "disable system
    >> restore" - where is this setting?
    >> Jo

    >
    > Never mind - found it.


    Good luck, but a bugger of a program doesn't have to be a virus. You've been
    hijacked with some crap that's changed your homepage, and if you click on
    "customize" on your IE icon menu bar (right click for that) you'll probably
    see new search icons in there for sex sites and whatever else the program
    has chosen to add.

    Download Hijack This and run it.
    Your registry has most likely had crap added to it. Especially for the
    homepage settings.

    E. Scrooge
     
    E. Scrooge, Oct 8, 2005
    #5
  6. Mr Scrooge, thank you for your reply. I'll post my Hijack this log just
    in case you or anyone else here can advise me on what to do next:


    Logfile of HijackThis v1.99.1
    Scan saved at 14:35:03, on 08/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\mgabg.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WFXSVC.EXE
    C:\Program Files\Winfax\WFXMOD32.EXE
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\PROGRA~1\Winfax\WFXSWTCH.exe
    C:\Program Files\MP3 Flash Drive Driver v2.08r022\shwicon.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\Yankee Clipper\YankClip.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\MSGTAG\MSGTAG.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC 2.EXE
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\Winfax\WFXCTL32.EXE
    C:\Program Files\EZ-TV Multimedia\TVP3XP Remote Control\ECSRmte.exe
    C:\Program Files\FreeWheel\FreeWheel.exe
    C:\Program Files\TrayCal\TRCAL.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\AdAware\Ad-Aware.exe
    C:\Program Files\FileBX 1 9 05\FileBX.exe
    E:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.****-portal.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings,ProxyOverride = localhost
    R3 - URLSearchHook: Cram Toolbar -
    {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram
    Toolbar\untitled.dll
    N3 - Netscape 7: user_pref("browser.startup.homepage",
    "http://www.xtra.co.nz/"); (C:\Documents and Settings\Jo
    Weir\Application Data\Mozilla\Profiles\default\hv670ayk.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine",
    "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    (C:\Documents and Settings\Jo
    Weir\Application Data\Mozilla\Profiles\default\hv670ayk.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} -
    C:\PROGRA~1\CRAMTO~1\untitled.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class -
    {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
    c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} -
    C:\Program Files\Cram Toolbar\untitled.dll
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\Winfax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [ShowIcon_The Company_MP3 Flash Drive Driver
    v2.08r022] "C:\Program Files\MP3 Flash Drive Driver
    v2.08r022\shwicon.exe" -t"The Company\MP3 Flash Drive Driver v2.08r022"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
    IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program
    Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common
    Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [YankClip] C:\Program Files\Yankee Clipper\YankClip.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [UltraMon] C:\Program Files\UltraMon\UltraMon.exe
    O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
    O4 - HKCU\..\Run: [EPSON Stylus C80 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC 2.EXE /P23 "EPSON
    Stylus C80 Series" /O6 "USB001" /M "Stylus C80"
    O4 - HKCU\..\Run: [FileBX] C:\Program Files\FileBX 1 9 05\FileBX.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common
    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: FreeWheel.lnk = C:\Program Files\FreeWheel\FreeWheel.exe
    O4 - Startup: Tray Calendar.lnk = C:\Program Files\TrayCal\TRCAL.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Controller.LNK = C:\Program Files\Winfax\WFXCTL32.EXE
    O4 - Global Startup: EZ-TV TVP3XP Remote Control.lnk = C:\Program
    Files\EZ-TV Multimedia\TVP3XP Remote Control\ECSRmte.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MS Office
    XP\Office10\OSA.EXE
    O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O8 - Extra context menu item: &Google Search - res://c:\program
    files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program
    files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program
    files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
    files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program
    Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program
    Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MSOFFI~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program
    files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English -
    res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
    http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
    http://download.mcafee.com/molbin/i...598/mcfscan.cab
    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{0A61F76A-56CC-4AF9-939D-93F279F95778}:
    NameServer = 202.27.184.3,192.168.1.254
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
    Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program
    Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. -
    C:\WINDOWS\system32\mgabg.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program
    Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: TabletService - Wacom Technology, Corp. -
    C:\WINDOWS\system32\Tablet.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation -
    C:\WINDOWS\system32\WFXSVC.EXE
     
    Mrs Beeble Brock, Oct 8, 2005
    #6
  7. Mrs Beeble Brock

    E. Scrooge Guest

    "Mrs Beeble Brock" <> wrote in message
    news:IjJ1f.16716$...
    > Mr Scrooge, thank you for your reply. I'll post my Hijack this log just in
    > case you or anyone else here can advise me on what to do next:


    Been a while since I needed to use it, and that was on the old PC.

    The version you've downloaded probably has some changes as well.
    From memory when it cleans out any odd looking files from the registry, it
    can shove them in a backup folder so that you can restore any if some
    program no longer works properly.
    If all is working well then after a while you can delete those files.

    All the Microsoft info should be safe.
    Your problem sounded like a malicious program that just directs you to
    certain websites - you might have seen some new search icons in the
    customize menu with sex related descriptions or something related to a
    certain search; it might be able to do a few other Net related things. If it
    doesn't have a virus, or one known to AVG, then it wouldn't be detected by it.

    Hijack This is reliable enough, with plenty of recommendations from those
    that have used it. If you've done what you can with it, your homepage
    shouldn't have that sex site or whatever. You might have to select the
    homepage you used to use again.

    E. Scrooge
     
    E. Scrooge, Oct 8, 2005
    #7
  8. Mrs Beeble Brock

    Craig Sutton Guest

    "Mrs Beeble Brock" <> wrote in message
    news:IjJ1f.16716$...
    > Mr Scrooge, thank you for your reply. I'll post my Hijack this log just
    > in case you or anyone else here can advise me on what to do next:
    >
    > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    > http://www.****-portal.com
    > R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    > Settings,ProxyOverride = localhost
    > R3 - URLSearchHook: Cram Toolbar -
    > {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram
    > Toolbar\untitled.dll


    You have a spyware/virus

    This one
    http://securityresponse.symantec.com/avcenter/venc/data/adware.cramtoolbar.html
     
    Craig Sutton, Oct 8, 2005
    #8
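    The way Craig picks the hijack out of that log can be done mechanically. Below is an added example, not code from any poster or from HijackThis itself: it parses entry lines of the kind quoted above and flags the changed start page together with every BHO/toolbar entry that loads the same DLL as the R3 URLSearchHook. The expected-homepage set is an assumption taken from the Netscape entry in the log.

```python
import re

# Constructed sample: entry lines copied from the HijackThis v1.99.1 log posted
# in this thread, with the homepage masked exactly as the forum shows it.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.****-portal.com
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\untitled.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram Toolbar\untitled.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Assumption: the start page the user actually chose (the log's Netscape entry shows xtra.co.nz).
EXPECTED_HOME_HOSTS = {"www.xtra.co.nz"}

ENTRY_RE = re.compile(r"^(?P<sec>[RNOF]\d+) - (?P<rest>.*)$")
# "<kind>: <name> - {CLSID} - <path>", the shape of R3, O2 and O3 lines.
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")

def parse(log_text):
    """Turn HijackThis entry lines into dicts; other lines are skipped."""
    entries = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        e, rest = {"section": m.group("sec"), "raw": line}, m.group("rest")
        c = COM_RE.match(rest)
        if c:
            e.update(c.groupdict())
            e["dll"] = c.group("path").lower().rsplit("\\", 1)[-1]  # DLL basename
        elif " = " in rest:
            e["key"], _, e["value"] = rest.partition(" = ")
        entries.append(e)
    return entries

def find_hijack(entries):
    """Flag a changed start page and the whole component behind a URLSearchHook."""
    hook_dlls = {e["dll"] for e in entries if e["section"] == "R3" and "dll" in e}
    findings = []
    for e in entries:
        if e["section"] == "R0" and e.get("key", "").endswith("Start Page"):
            host = re.sub(r"^[a-z]+://([^/]+).*$", r"\1", e["value"].lower())
            if host not in EXPECTED_HOME_HOSTS:
                findings.append(("hijacked homepage", e["raw"]))
        elif e.get("dll") in hook_dlls:
            # The hook plus every BHO/toolbar loading the same DLL is one component.
            findings.append(("search hook component", e["raw"]))
    return findings

if __name__ == "__main__":
    for kind, raw in find_hijack(parse(SAMPLE_LOG)):
        print(f"[{kind}] {raw}")
```

On the sample above it reports the R0 start page and the three Cram Toolbar entries (R3, O2, O3) and leaves the Google toolbar and AVG lines alone.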
  9. Mrs Beeble Brock

    MsCynic Guest

    Craig Sutton wrote:

    > "Mrs Beeble Brock" <> wrote in message
    > news:IjJ1f.16716$...
    >
    >>Mr Scrooge, thank you for your reply. I'll post my Hijack this log just
    >>in case you or anyone else here can advise me on what to do next:
    >>
    >>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    >>http://www.****-portal.com
    >>R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    >>Settings,ProxyOverride = localhost
    >>R3 - URLSearchHook: Cram Toolbar -
    >>{01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\Program Files\Cram
    >>Toolbar\untitled.dll

    >
    >
    > You have a spyware/virus
    >
    > This one
    > http://securityresponse.symantec.com/avcenter/venc/data/adware.cramtoolbar.html
    >
    >
    >

    Thanks Craig. My PC is now dead and in the shop getting its PSU
    replaced, hopefully. Maybe the tech can also fix the virus.
    Cheers,
    Jo
     
    MsCynic, Oct 9, 2005
    #9
