Internet warning message from my ISP, due to a virus.

Status
Not open for further replies.

geno2k3

Hi, I closed my Firefox window and opened another one, only to find that my ISP (Time Warner Cable) has a message or letter of some sort on the home page instead of google.com. It said my computer is infected with a virus and I will have to take steps to take the virus off or else my connection will be terminated. I clicked the little button that made me agree to taking steps to removing the virus.

First off, I'm scared.

How can I remove this virus that I never knew existed? I'm downloading the FREE AVG anti-virus right now. The other computers on my home network are actually working fine. Is it just on my computer? Will my internet service get terminated? What is going on! What steps should I take?
 
The hijacked homepage thing sounds suspicious to me. Are you sure the message came from your ISP? Well, I know they alert people if they notice that some computer is acting strange, but are you sure the message you saw wasn't a scam? Yeah, I know, I sound paranoid, but that might be part of a scam. You should be careful about following some 'removal steps'.

However, there is a possibility that you've been infected and you had no clue about it, cos most of those malicious programs sneak in secretly and work in the background. You should scan your whole computer with anti-virus and anti-spyware scans just in case.
 
If this message only appears on one PC then the home page setting has been compromised. Download and run hijackthis.exe from www.majorgeeks.com - read the instructions about the home directory and renaming the program before running it. Save the log and post it here - if you are lucky, Howard will look at it!
 
Thanks for the replies. I haven't restarted my computer like it's telling me to because I looked online and it says the virus (if I have one) might take full effect upon startup.

Also, I ran AVI anti virus (free one) and AVI anti spyware (trial). The anti-virus didn't find anything but the spyware one found 236 files that were a medium threat (tracking cookies?). I deleted those and I still have this problem.

Here's the log I got from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 7:05:03 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgvv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\OCZ Technology\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 
This looks clean enough except for the PunkBuster file at O23 PnkBstrA - fix this.
Then reset your home page to what you want it to be and restart - and let us know what happens.
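
The first-pass read of the log done by eye in the reply above, written out as an added example that is not part of the original thread: a small Python triage that surfaces entries carrying HijackThis's own annotations (Unknown owner, Unknown file, file missing). The sample is a few lines copied from the log posted above; the function and marker names are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# A log entry is "<section code> - <details>", e.g. "O23 - Service: ...".
# Lines from the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Annotations that HijackThis itself writes into an entry (hypothetical
# label names). They mark entries to review by hand, not verdicts.
MARKERS = {
    "unknown owner": "Unknown owner",
    "unknown file": "Unknown file",
    "file missing": "(file missing)",
}


def triage(log_text):
    """Return the entries that carry one or more HijackThis annotations."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        body = match["body"]
        reasons = [label for label, marker in MARKERS.items()
                   if marker.lower() in body.lower()]
        if reasons:
            findings.append({"code": match["code"], "reasons": reasons,
                             "entry": body})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["code"], ", ".join(item["reasons"]), "->", item["entry"])
```

A flag means the entry needs a manual look, not that it is malicious: the PnkBstrA service shows up here only because HijackThis printed "Unknown owner" for it.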
 
TY again for replies. I restarted my computer and everything seemed fine; I opened up my Firefox window and boom, I can go on google.com again. I guess it was a real warning from my ISP that I do have a virus. I didn't delete the PunkBuster file because I researched it and it's for my PunkBuster games, and anti-virus usually picks it up as a virus but it really isn't. So I'm guessing everything is fine now... except I have a virus that wasn't detected? Thanks a lot for the help, I will keep you posted if anything else happens.
 
geno2k3 said:
I guess it was a real warning from my ISP that I do have a virus.
Snowballs in H*** are more likely than TWC issuing warnings via homepages --

Empty your browser cache, delete all temporary files; quit the browser and relaunch it.

Get SpywareBlaster and install/update it.
 
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

The O23 Packet Sniffer is possibly what is being flagged as a virus/malware.

=====

Your Java is out of date
Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely requires a specific version of the JRE to run. Please follow these steps to remove older versions of Java components and update.

Updating Java:
* Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
* Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
** The latest version is Java 6 Update 3. Remove all other entries.
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each of the Java versions.
* Reboot your computer once all Java components are removed.

* Download the latest version of Java Runtime Environment (JRE) 6
* Click the Free Java Download button.
* Click the Download Now button.
* When the Software Installation dialog box opens, click on the Install Now button.
* Follow the prompts to complete installation.
 
>the Hijack log contains:
>Java\jre1.6.0_02

the log shows he's already at 6.0.2, so there's not a big jump here in support,
rather just the last incremental update itself
 
Yes and no. If you read the update description you can determine for yourself how important the fix may be. If you're not familiar with the internal technologies then perhaps it's better to just accept the updates and move on. Java is not a primary technology in the real world so your exposure is not so huge.

Frankly, for myself (see my profile), I never perform automatic updates but
periodically perform them when I wish to update my system(s).

Many people were upset that MS forced IE 7 on the community using autoupdate when IE 6 was just fine with them. In particular with MS, and for this reason, I validate update requirements (from my point of view) before allowing MS to install ANYTHING. [sorry for the personal rant]
 
I understand where you are coming from. And yes, some updates are unstable for some machines (and users' sanity lol).

The Java 6 Update 3 has been out for a while now and is showing no signs of problems. I did find one thread in the Java forums but I think it was deeper than just a Java problem.

Ultimately though, since this is a security forum and there was a security update in the last update, shouldn't it be addressed?
 
Probably. However, the thread started with one of those lousy popup warnings
>It said my computer is infected with a virus and i will have to take steps to take the virus off or else my connection will be terminated.<
which IMO is totally bogus. Java didn't cause this and TWC didn't issue this warning.

Some software vendors use this technique to get their products installed
and the ethics therein is equally bogus.

There's a bugger in the wood shed somewhere and a full scan is warranted.
(see Howard's suggestions).
 