UtterAccess.com
help fixing browser after n-case removal
 
   
popUPh4ater
post Feb 5 2004, 04:50 PM
Post#1



Posts: 14
Joined: 5-February 04



I recently removed n-case and all its [censored], i used this forum's help on that to remove it. thank you all for the instructions on getting rid of that.
But since then, i have 2 search bars that keep coming up when i open my IE and every time i shut them off they come back on. I've tried removing the 1 thru the remove programs thing that windows has but it still shows up.
also there are sites i can't access such as ebay, it takes me to incredifind.com when i enter the ebay address into my address bar. other times i get to a page and click a link, but it will bring me to a black page with the address http:\\\, i never had the problems until recently.
can anyone help me fix my problems? if so it'd be much appreciated.
 
dana
post Feb 5 2004, 05:54 PM
Post#2


UA Admin + Auntie Virus
Posts: 2,671
Joined: 15-July 02
From: USA


Hi, and welcome to UtterAccess!
You didn't say what steps you took to get rid of n-Case and what steps you've recently taken to address the current problem. Spybot S&D, maybe? Or perhaps you removed it manually?
My suggestion would be to try the steps in this post for using Spybot S&D and/or Ad-Aware to identify what spyware you may still have on your system. If you go through the steps in that post and still have problems, feel free to refer to this post for how to use the HijackThis utility and how to post for additional help.
 
popUPh4ater
post Feb 8 2004, 12:19 PM
Post#3



Posts: 14
Joined: 5-February 04



hi and sry for my delay, i've been very busy. thanx for the welcome.

the methods i took to remove it were: first i removed files manually by deleting them. i followed wut this link told me to do http://www.pchell.com/support/ncase.shtml

then i ran norton anti virus (after live update) and found 11 viruses which i deleted, and finally i ran adware 6.0 and spybot. adware found 123 things and deleted them, spybot found 20 something and i deleted them, but it came across 2 that it couldn't remove unless i restarted, so i restarted and let spybot run b4 any other processes and it fixed the 2.

that's where i'm at now. i figured that would fix it. it got rid of ncase but still there's these weird bars and the other problems i mentioned above. any help here in getting rid of them would be much appreciated.
Edited by: popUPh4ater on 02.08.04.
 
dana
post Feb 8 2004, 02:46 PM
Post#4


UA Admin + Auntie Virus
Posts: 2,671
Joined: 15-July 02
From: USA


Eleven viruses? Which ones? They range from the simple to the nearly impossible in terms of how successful a cleanup can be. Let us know which viruses you had, and maybe we can advise you better.
You may possibly be overdue for a repartition/reformat adventure...
 
popUPh4ater
post Feb 8 2004, 10:48 PM
Post#5



Posts: 14
Joined: 5-February 04



the virus names i do not know, but i do know they were all .dat files and i'm assuming they came from my brother's friggin' kazaa.
Personally i think it has something to do with this incredifind.com bull. i also recently noticed in my programs list something called "ultimate browser enhancer", i don't know wut that is.
 
roxz72
post Feb 9 2004, 09:21 AM
Post#6


UtterAccess VIP
Posts: 1,324
Joined: 19-October 01
From: Relocated to


Norton keeps a log of previous scans. Check the log and see what it found. You should be able to view the logs from the interface.
HTH
 
popUPh4ater
post Feb 9 2004, 01:45 PM
Post#7



Posts: 14
Joined: 5-February 04



i'll give u a list of the viruses i have found since the beginning of the month, i just conducted a new full scan today and found 2 more.
2/9/2004 12:18:35 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Dummy.class,Description: The compressed file Dummy.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch23648.jar-16bec5ff-2225614e.zip is infected with the Trojan.ByteVerify virus."
2/9/2004 12:18:35 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Parser.class,Description: The compressed file Parser.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch23648.jar-16bec5ff-2225614e.zip is infected with the Trojan.ByteVerify virus."
2/8/2004 11:41:22 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Program Files\Lavasoft\Ad-aware 6\Cache\Dummy.class
2/8/2004 11:41:22 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Program Files\Lavasoft\Ad-aware 6\Cache\Parser.class
2/6/2004 10:46:15 AM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Program Files\Lavasoft\Ad-aware 6\Cache\Dummy.class
2/6/2004 10:46:15 AM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Program Files\Lavasoft\Ad-aware 6\Cache\Parser.class
2/5/2004 2:54:13 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Program Files\Lavasoft\Ad-aware 6\Cache\Dummy.class
2/5/2004 2:54:13 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Program Files\Lavasoft\Ad-aware 6\Cache\Parser.class
2/4/2004 5:21:13 PM,Auto-Protect,W32.Yaha.K@mm,Access denied,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Documents and Settings\Jim Wiora\Local Settings\Temporary Internet Files\Content.IE5\5WXSL3YE\bin00783[1].bin
2/4/2004 5:21:13 PM,Auto-Protect,W32.Yaha.K@mm,Repair failed,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\Documents and Settings\Jim Wiora\Local Settings\Temporary Internet Files\Content.IE5\5WXSL3YE\bin00783[1].bin
2/3/2004 11:46:53 AM,Auto-Protect,Downloader.MSCache,Access denied,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\DOCUME~1\JIMWIO~1\LOCALS~1\Temp\16495116078
2/3/2004 11:46:53 AM,Auto-Protect,Downloader.MSCache,Repair failed,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\DOCUME~1\JIMWIO~1\LOCALS~1\Temp\16495116078
2/3/2004 1:58:29 AM,Auto-Protect,Downloader.MSCache,Repair failed,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\DOCUME~1\JIMWIO~1\LOCALS~1\Temp\164911274859
2/3/2004 1:58:29 AM,Auto-Protect,Downloader.MSCache,Access denied,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\DOCUME~1\JIMWIO~1\LOCALS~1\Temp\164911274859
2/3/2004 1:42:58 AM,Auto-Protect,Downloader.MSCache,Access denied,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\DOCUME~1\JIMWIO~1\LOCALS~1\Temp\164910344125
2/3/2004 1:42:58 AM,Auto-Protect,Downloader.MSCache,Repair failed,File,N/A,N/A,Jim Wiora,DH908921,Source: C:\DOCUME~1\JIMWIO~1\LOCALS~1\Temp\164910344125
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Dummy.class,Description: The compressed file Dummy.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch10213.jar-71d8e3fb-142e3ebf.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Parser.class,Description: The compressed file Parser.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch12802.jar-7d3db11f-66327873.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Dummy.class,Description: The compressed file Dummy.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch12802.jar-7d3db11f-66327873.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Parser.class,Description: The compressed file Parser.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch10213.jar-71d8e3fb-142e3ebf.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: VerifierBug.class,Description: The compressed file VerifierBug.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\ar3.jar-586bddde-2e7d1429.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: VerifierBug.class,Description: The compressed file VerifierBug.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\a.jar-66f3eebb-6a1e2591.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Parser.class,Description: The compressed file Parser.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch22776.jar-68c62f3c-182b95d0.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Dummy.class,Description: The compressed file Dummy.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\arch22776.jar-68c62f3c-182b95d0.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: C:\Documents and Settings\Jim Wiora\JPI_CA~1\jar\1.0\WebCounter.jar-23e87f56-795481e2.zip,Description: The file C:\Documents and Settings\Jim Wiora\JPI_CA~1\jar\1.0\WebCounter.jar-23e87f56-795481e2.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: C:\Documents and Settings\Jim Wiora\JPI_CA~1\jar\1.0\WebCounter.jar-53ebf3b-44130f73.zip,Description: The file C:\Documents and Settings\Jim Wiora\JPI_CA~1\jar\1.0\WebCounter.jar-53ebf3b-44130f73.zip is infected with the Trojan.ByteVerify virus."
2/2/2004 10:19:05 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,Jim Wiora,DH908921,"Source: Dummy.class,Description: The compressed file Dummy.class within C:\Documents and Settings\Jim Wiora\.jpi_cache\jar\1.0\a.jar-66f3eebb-6a1e2591.zip is infected with the Trojan.ByteVerify virus."
those are straight from Norton's log.
also i've noticed that opening explorer and my documents takes a few seconds before it gets going. and i started up today and my system32 folder kept opening on its own. i ran chkdsk and it deleted some files but the thing kept opening on its own till i deleted these 2 folders titled CatRoot and CatRoot2. they had text files that catalogued my activity.
I hope this helps ur diagnosis.
 
dana
post Feb 9 2004, 02:06 PM
Post#8


UA Admin + Auntie Virus
Posts: 2,671
Joined: 15-July 02
From: USA


It appears to all be pretty much the same virus. Trojan.ByteVerify takes advantage of an old vulnerability in Windows (discussed in this MS security bulletin). Until you properly patch your system, you may continue receiving attempts at infection with this same trojan.

Run Windows Update immediately to get this and other security patches released by Microsoft. You may have to run Windows Update many times in order to get them all, as some of the updates have to be installed alone. On most systems, you can access Windows Update by clicking Start --> Windows Update.

After you get all available updates, you should update and run Norton again in order to thoroughly clean your system.

If this were my system, however, I would back up my important documents and actually repartition and reformat the whole hard drive. A trojan of this nature allows a hacker to pretty much do anything he wants with your system, and there's really no way to tell what's already been done to it. Norton can clean the trojan itself, but Norton would not be able to correct any damage that's been done by the trojan. If a hacker has gotten in, he may have left himself some other backdoors into your system that you're not aware of or may have altered your system in other ways. The fact that folders are opening on their own and system performance seems to have gone down are possible indicators that this is a legitimate concern. Repartitioning and reformatting is the only truly secure thing to do in this case, in my opinion.

You will need to run Windows Update even if you reformat (and regularly thereafter to stay updated). You will also want to install a personal firewall. There are some free personal firewalls available for home use. Zonelabs make an extremely popular one called ZoneAlarm, and there is Kerio Personal Firewall, which is also free to home users. You will need a firewall whether or not you reformat your computer, as a firewall is pretty much a necessity in these days of Internet use.

Good luck...
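
One way to triage a log like the one posted above: count detections per threat, flag entries Norton reported as unrepaired, and list files re-detected on more than one day, the repeat-infection pattern this reply attributes to an unpatched system. This is an added example, not part of the original thread; it assumes the ten-column comma-separated layout of the posted log, and the sample rows, paths, user and host names are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the ten-column layout of the log posted above.
# Threat names are the ones in the thread; paths, user and host are placeholders.
SAMPLE_LOG = r'''2/9/2004 12:18:35 PM,Virus scanner,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,user,HOST01,"Source: Dummy.class,Description: The compressed file Dummy.class within C:\Example\cache\a.jar.zip is infected with the Trojan.ByteVerify virus."
2/8/2004 11:41:22 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,user,HOST01,Source: C:\Example\Cache\Dummy.class
2/6/2004 10:46:15 AM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,user,HOST01,Source: C:\Example\Cache\Dummy.class
2/5/2004 2:54:13 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,user,HOST01,Source: C:\Example\Cache\Dummy.class
2/4/2004 5:21:13 PM,Auto-Protect,W32.Yaha.K@mm,Access denied,File,N/A,N/A,user,HOST01,Source: C:\Example\Temp\bin00001.bin
2/4/2004 5:21:13 PM,Auto-Protect,W32.Yaha.K@mm,Repair failed,File,N/A,N/A,user,HOST01,Source: C:\Example\Temp\bin00001.bin
2/3/2004 11:46:53 AM,Auto-Protect,Downloader.MSCache,Repair failed,File,N/A,N/A,user,HOST01,Source: C:\Example\Temp\0001
'''

# Actions that mean the file was detected but not cleaned.
UNRESOLVED = {"Repair failed", "Access denied"}


def parse_log(text):
    """Turn raw log text into dicts; quoted detail fields may contain commas."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 10:
            continue  # blank or truncated line
        when = datetime.strptime(rec[0], "%m/%d/%Y %I:%M:%S %p")
        source = rec[9].partition(",Description:")[0].strip()
        if source.startswith("Source: "):
            source = source[len("Source: "):]
        rows.append({"when": when, "threat": rec[2],
                     "action": rec[3], "source": source})
    return rows


def summarize(rows):
    """Per threat: hit count, unresolved count, sources seen on more than one day."""
    out = defaultdict(lambda: {"hits": 0, "unresolved": 0, "recurring": set()})
    days_seen = defaultdict(set)
    for r in rows:
        stats = out[r["threat"]]
        stats["hits"] += 1
        if r["action"] in UNRESOLVED:
            stats["unresolved"] += 1
        days_seen[(r["threat"], r["source"])].add(r["when"].date())
    for (threat, source), days in days_seen.items():
        if len(days) > 1:  # same file flagged again on a later day
            out[threat]["recurring"].add(source)
    return dict(out)


if __name__ == "__main__":
    for threat, stats in summarize(parse_log(SAMPLE_LOG)).items():
        print(threat, stats)
```

A non-empty `recurring` set means the file is being recreated after each deletion, and a non-zero `unresolved` count means the detection was never actually cleaned.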
 
popUPh4ater
post Feb 9 2004, 02:44 PM
Post#9



Posts: 14
Joined: 5-February 04



ok well thank you for your help. i thought i was being hacked as well and backed up my files immediately when this began happening. I'll run windows update right now.
As for the firewall i had black ice but it would crash my computer. My stepfather (being the genius he is) thought that the built in firewall with windows would secure the computer. I told him we needed a better firewall and look where it has gotten me. Anyway thank you for your advice. I'm going to make sure I have all the files I want from here and then probably reformat. we'll see what happens.
 
dana
post Feb 9 2004, 02:47 PM
Post#10


UA Admin + Auntie Virus
Posts: 2,671
Joined: 15-July 02
From: USA


Best of luck! Feel free to come back if you need us...
 
popUPh4ater
post Feb 9 2004, 11:41 PM
Post#11



Posts: 14
Joined: 5-February 04



my god, so my system32 thing is still popping up and those 2 folders catroot 1 and 2 are back
and my windows folder opens. wtf is going on? i installed that firewall zonealarm but my [censored] brother deleted it. i need some serious help now
 
popUPh4ater
post Feb 9 2004, 11:53 PM
Post#12



Posts: 14
Joined: 5-February 04



a quick update on the situation, i reinstalled zone alert and those folders stopped poppin up.

also i've gotten alerts that say the firewall has blocked internet access to my computer from (udp port 3013) from ns14attbi.com as well as udp port 3039. i dunno wut that means, if it's just an ad or somebody.
Edited by: popUPh4ater on 02.09.04.
 
popUPh4ater
post Feb 10 2004, 07:45 PM
Post#13



Posts: 14
Joined: 5-February 04



yea so that system folder pops up for like 5 minutes then stops, those catroot folders keep coming back, even with the firewall installed, and when i run adware it finds a trojan and a norton alert pops up saying it's deleted it automatically, but every time i run adware it finds that same virus.
Any wisdom on this?
 
dana
post Feb 10 2004, 08:51 PM
Post#14


UA Admin + Auntie Virus
Posts: 2,671
Joined: 15-July 02
From: USA


Well, we never said the firewall alone would take care of the problem, so I have to ask - did you do any of the following from my previous post?
Remember, we said...
 
popUPh4ater
post Feb 11 2004, 10:23 AM
Post#15



Posts: 14
Joined: 5-February 04



yes i followed everything your post said to do.
 
dana
post Feb 11 2004, 11:32 AM
Post#16


UA Admin + Auntie Virus
Posts: 2,671
Joined: 15-July 02
From: USA


Since that virus takes advantage of one particular vulnerability in Windows, running Windows Update over and over to get all the latest patches should have prevented it from re-entering your system. Then you should have been able to run Norton and have it clean any leftovers from your system for good.

If that didn't work, then your system has most likely been tampered with by a malicious third party in a way that prevents you from removing the virus via normal means. Either that, or something less likely like your operating system or Norton is damaged. Regardless, I'd say the only real option you have at this point to fix the problem is to reformat and start from scratch.

Be sure to run Windows Update after you reformat, update your antivirus program, and reinstall your firewall as soon as possible to protect yourself from further attacks.

Sorry the news isn't better, but repartitioning and reformatting is really the safest way to go in this case anyway.

Good luck!
 
popUPh4ater
post Feb 11 2004, 01:55 PM
Post#17



Posts: 14
Joined: 5-February 04



AH HA! good news, i found the problem! it's a bunch of garbage files that are in the system32 folder. i'm gonna have to remove them all manually but it should fix it. the folder doesn't pop up at the start up anymore either. i stopped that thru msconfig.
so this should do the trick, but thank you so much for your insight and help. i appreciate it deeply.
 

