A curious nastie

Discussion in 'other security issues & news' started by aliwiseman, Feb 3, 2005.

Thread Status:
Not open for further replies.
  1. aliwiseman

    aliwiseman Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    19
    Location:
    Planet Wiseman currently Wolves Uk
    I had a strange infection t'other day on my PC.

    Upon opening any area on XP, Firefox would boot up to the page j0r.biz, which was a Yahoo start page clone. This never showed up in my start-up programs, nor in the HJT log; there was no sign of it in my registry, nor via a Windows Explorer search for a program containing that text.

    Google had 2 entries for it, both in German, which didn't help me.

    On the off chance I had a look at the source code for the page, and it was linked to Crazywinnings.com. I was informed on another forum that it was an OS platform hijack, not a browser one, and would have booted into IE if that was my default browser.

    I ran a Trend scan, and it threw up 4 Java intrusions which apparently are related to Yahoo's online games. Trend couldn't delete them, due to Java being active, but they were deletable manually from the path C:\Documents and Settings\USERNAME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar. Unfortunately I never kept the file name records.

    Curiously, Spybot then detected Callinghome.biz (it hadn't picked it out before) and removed it. I doubt it's coincidence that the extension .biz is the same.

    Google still isn't displaying an English-language way to remove this problem, so here's hoping it picks this up :)

    Alistair
     
  2. aliwiseman

    Forgot to add... a persistent file which DID reappear was n3vasap, which had embedded itself in the registry and needed to be removed in safe mode, as it just regenerated otherwise. This did appear in the HJT log... 3 times! If this was part of it, I can only assume removal of the Java problems stopped it regenerating.
     