infected w/ java_bytever.A-1,help please?

methadon3000 · May 4, 2004

Hi there

First time here,and with a problem of course.This morning I was running a usual Ad-aware scan when I got a message that PCcillin found a file infected w/ java_bytever.A-1.
I deleted the infected file,cleaned all the dirt Ad-aware found and ran Hijack.
Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 11:43:39 AM, on 5/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCMAIN.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Bogdan\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083647908812
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB2842CC-B03F-44F3-AE5C-6AD5A8F8C58A}: NameServer = 151.202.0.84 151.203.0.84

I ran PCcillin once again before I left home and found nothing but I'm not sure it should have been that easy.
Please let me know what's up.
Many thanks,
Bogdan

dvk01 · May 4, 2004

nothing showing but

First download CWshredder from either http://www.thespykiller.co.uk or https://www.wilderssecurity.com/showthread.php?t=14086 then Run it
Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.

Reboot After running cwshredder and as soon as possible follow this advice:
Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

methadon3000 · May 5, 2004

Did everything-still the same message every time I run Ad-aware.But I was looking around and read this on the Lavasoft forum:

"This is a normal thing that will happen when running Ad-aware 6 when you have had an infection.
Ad-aware 6 makes a local copy of the files it is about to scan (not executing them, of course), and while doing this, if your AntiVirus pops up a warning about an infected file as Ad-aware 6 is scanning, this means that the file was infected before, and this is that file.

Take NAV autoprotect for example. If you have NonActive viruses on your system, the autoprotect feature will not alert to its presence unless one or both of the following occur:
1) The virus is loaded into active memory or,
2) you perform a scan of the folder containing the file.

You are Not at any risk here"

The name of the file that keeps showing up as infected is
VerifierBug.class (C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\ar3[1].jar)
which made me think maybe that's true..

dvk01 · May 5, 2004

trend is finding the file in adaware cache, which is a copy of the file that is already in trend quarantine

best solution is to
empty trend quarantine and then go to
C:\Program Files\Lavasoft\Ad-aware 6\Cache

select everything in that folder and delete it

adaware normally deletes the cache folder contents when it closes but if an antivirus locks the file it can't

methadon3000 · May 5, 2004

I actually did it last night after I posted the last message,everything quiet now.
Thanks for the help and hope you won't here from me soon.
Be good,
Bogdan

methadon3000 · May 6, 2004

And I'm back.And so it's the bytever scum.
You said I should delete everything in the C:\Program Files\Lavasoft\Ad-aware 6\Cache folder-can't find any cache folder for Ad-aware.What I actually did is I went in C:\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE and there I found the VDOC\ar3[1].jar file,which I deleted.
But the bastard is back..
Where should I look for it?

methadon3000 · May 6, 2004

I just ran a PCcillin manual scan,who found this file infected this time:

C:\RECYCLER\S-1-5-21-3689853989-2649289507-2167395947-1005\Dc392\PCCVDOC.ZIP

Pieter_Arntz · May 6, 2004

Oh joy, the path would indicate that the file is in the trashcan of one of the other (Administrator) accounts on your computer.

Regards,

Pieter

Log in or Sign up

infected w/ java_bytever.A-1,help please?

methadon3000 Registered Member

dvk01 Global Moderator

methadon3000 Registered Member

dvk01 Global Moderator

methadon3000 Registered Member

methadon3000 Registered Member

methadon3000 Registered Member

Pieter_Arntz Spyware Veteran

Log in or Sign up

infected w/ java_bytever.A-1,help please?

methadon3000 Registered Member

dvk01 Global Moderator

methadon3000 Registered Member

dvk01 Global Moderator

methadon3000 Registered Member

methadon3000 Registered Member

methadon3000 Registered Member

Pieter_Arntz Spyware Veteran

Useful Searches