keep getting j0r.biz page online

Wondered if you could help.

When I go online after a few seconds the page I am on will transfer into http://j0r.biz/ It then trys to download wallpaper. The only way you can exit is the ctrl Alt Del method

I have run all the instructions on the How to: Basic Spyware Trojan and Virus removal but still no joy.

I am unable to spot it in the logfiles from HijackThis

Internet searches for this page with help seems to bring up 2 spyware forums, one is in German the other in French!

Any advise would be welcome

P.S. On a side note run all instructions on the 'How to' for another computer with Cool Web Search / About Blank problems and so far 7 free days from this virus! Has taken 3 months to get rid of finally, so fingers crossed. Thanks for such a good article majorgeeks.

 

Hi

Have done a logfile but seem to be unable to upload it in the manage attachments section. This just jams when I try to use it. Perhaps I have missed something?

Also the j0r.biz keeps cutting into my current page.

Is it possible to cut and paste into this area instead?

 

Hi
The file extension is correct. Unfortunately I cannot get to the upload stage, it is freezing when I press the browse!

Sorry for posting the logs in here, turning out to be one of those days!


Edit by chaslang: Inline log change to attachment

 

Hi

Still can't get into the manage attachments browse! May be a problem I have had installing Service pack 2 during the week which crashed and I had to remove it. Still suffering from the odd remnants!

So sorry to paste the log in AGAIN!

Couldn't find the piece in C:\\WINDOWS\System32\n3vasap23.exe in Safe mode, but it appears to be gone in the log.

So far so good with the internet pages no diversions as yet so thank you. The true test will come during tommorrows usage so i will let you know.

Thank you very very very much oh wonderful chaslang. Brilliant

Here is the log:

Edit by chaslang: Inline log change to attachment

 

Hi

I'm afraid I have just logged on this morning (UK time) and it is back again.

Its really persistant.

Why oh why!!!

Any ideas?

I will check my logs to see if those bits have reappeared.

 

Hi

It has reappeared in the logs again. I have removed them again following your directions and also run ad-aware and spybot in safe mode to clean out, but unfortunately every time I restart it reappears

Any further ideas?

 

Hi,

I have ordered norton firewall which I will install as soon as I get it and take it from there.
Thanks for your advice, I shall let you know what happens

 

I too have had a similar experience with j0r.biz

The file n3vasap was a pain to get rid of, but was removable manually in safe mode.

A couple of things to add to whats been put here. I run AVG and this got by undetected. This problem attacked me running firefox so browser isnt an issue. I ran a trend micro housecall scan and it detected 4 java infiltrations, which apparently come from runing yahoo games and leave an open doorway. Trend could not delete these but they were removable in safe mode via windows explorer at the pathway C:\Documents and Settings\USERNAME\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar

I then ran a spybot SnD scan and it picked up CallingHome.biz and removed it, although before the removal of the java files this problem was not found. Seems likely that the two were related.

I only noticed the problem as when logging into my xp area Firefox opened automatically, and i dont have it set like that. The j0r page was a copy of Yahoo's start page, but i looked at the source code and it was linking to crazywinnings which shows what it really was.

The removal of these files has stopped the problem, but id not be suprised if norton misses it if it's still there. I used norton for 6 months and got rid.

Hope this helps

Alistair Wiseman

 

No.. the only place it showed was the call from the script in the View > Page Source , so i assume that firefox was blocking this.
I never entered a thing in the fake yahoo page so im wondering if it would have been initiated on entering / clicking on the page, ie like an auto redirect where irrespective as to what you type, you get sent to there?
Since posting my first post (on a diff forum) and googling the problem there are now several pages appearing with this problem floating around.
I feel sure that the sudden appearence of it must be connected with the java breach which was related to playing yahoo's version of FreeCell (as this was the only yahoo game i played) and with the removal of the files found by trend the failure of the re initialisation would be a remarkable coincidence.

Hopefully this thread will be picked up by google and the solution be made available to all

Alistair

 

lol... well i reckon your right to do so n Trend seem to think so too. All i wanted was a timed version of Freecell to play! lol