Log review/Java_Bytever.A

Discussion in 'adware, spyware & hijack cleaning' started by gramme, Jun 13, 2004.

Thread Status:
Not open for further replies.
  1. gramme

    gramme Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    4
    Location:
    Barefoot Bay, Florida
    Hi,
    I am new to this forum. I came across a post about not being able to get rid of the Java_Bytever.A trojan, and I am having that problem. I followed the instructions given and am now posting the log.
    I am running Windows 98SE and I use V-Com's System Suites as my virus-checking program. This program has found 7 viruses, all Java_Bytever.A, but the location it gives is bogus. I used HouseCall from Trend Micro and it didn't find anything. System Suites said they were gone. Then they RETURN!
    I have followed the instructions given at Trend Micro: I reset my internet settings to the default, emptied my cache, and deleted all my .tmp files.
    I ran Spybot S&D and Ad-aware version 6.0, and they are still there. If I run System Suites it finds them, but when I try to clean or delete them the screen freezes.
    Now I have just run the HijackThis program and my log is below. Hope someone can help.
    Logfile of HijackThis v1.97.7
    Scan saved at 1:29:43 PM, on 06/13/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    D:\UTILITIES\SHORTKEYS2\SHORTKEY.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\UTILITIES\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bottomlinewholesaler.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=2&bar_id=0
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
    O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - D:\PROGRAM FILES\DRAGON\NATURALLYSPEAKING\PROGRAM\WEB_IE.DLL
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPVIEWER\FPLAUNCH.DLL
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: BADDA - {C10A16B7-70FE-4CE3-A261-6FBA7CC3DD5B} - C:\PROGRAM FILES\BBLING\BBLING.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\VCOM\SYSTEM~1\MEMCHECK.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: Resource Meter.lnk = C:\WINDOWS\RSRCMTR.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Global Startup: ShortKeys 2.lnk = D:\UTILITIES\SHORTKEYS2\SHORTKEY.EXE
    O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=1
    O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=2
    O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=3
    O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=4
    O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=5
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.5636805556
    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} (WebImageCtl Object) - http://www.flipviewer.com/exe/ftpfbmsGen.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipping.net/fvlite22/fvlite.cab
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - http://www.stamps.com/download/us/registration/2_0_0_745/sdcregie.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A} (FViewerLoading Class) - http://www.flipviewer.com/exe/fvgen1.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    Donna aka gramme
     
  2. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    I don't see any signs of Java.Byte.Verify in the log. Most likely it is a false positive. It would help to know the file that is causing the alert. If you can locate it, submit it to Kaspersky Labs for analysis here: http://www.kaspersky.com/scanforvirus

    Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine.

    Check the following items in HijackThis.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search....FIHBzQNXDBHTHTM
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=2&bar_id=0
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll

    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} (WebImageCtl Object) - http://www.flipviewer.com/exe/ftpfbmsGen.cab


    Close all windows except HijackThis and click Fix checked.


    Here are some simple steps you can take to reduce the chance of infection in the future.

    1. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

    2. Adjust your security settings for ActiveX:
    Go to Internet Options/Security/Internet, press 'Default Level', then OK.
    Now press 'Custom Level'.
    In the ActiveX section, set the first two options ('Download signed ActiveX controls' and 'Download unsigned ActiveX controls') to 'Prompt', and 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.

    3. Download and install the following free programs:
    a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
    c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

    4. Install Spyware Detection and Removal Programs:
    You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
    a. AdAware: http://www.lavasoft.de/
    b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download


    For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index.php?showtopic=9857
     
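Added example (not code from HijackThis, and not from either poster): a small Python script that parses the R0/R1/R3/O2/O3/O4/O16 lines of a HijackThis 1.97-style log into records and marks the entries LoPhatPhuud asked gramme to fix: the two pbar.net search entries, the missing URLSearchHook, the IETie.dll BHO and the flipviewer O16 control. The indicator lists are those picks from the reply, not a general blocklist. One extra heuristic is this example's own assumption, not something the thread says: an unnamed BHO loaded from the Win9x system directory (assumed to be the default C:\WINDOWS\SYSTEM) gets a "check" flag. The sample log is a constructed subset of the lines posted above.

```python
"""Triage a HijackThis 1.97-style log offline.

Added example for this thread, not code from HijackThis or from either poster.
Parses the Rn/On lines into records and flags the ones the reply singled out,
plus one generic heuristic that is this example's own assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bottomlinewholesaler.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=2&bar_id=0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: BADDA - {C10A16B7-70FE-4CE3-A261-6FBA7CC3DD5B} - C:\PROGRAM FILES\BBLING\BBLING.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} (WebImageCtl Object) - http://www.flipviewer.com/exe/ftpfbmsGen.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Indicators taken from the reply in this thread; not a general-purpose blocklist.
FLAGGED_HOSTS = {"pbar.net"}
FLAGGED_CLSIDS = {
    "{9527D42F-D666-11D3-B8DD-00600838CD5F}",  # O2 BHO -> C:\WINDOWS\SYSTEM\IETie.dll
    "{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}",  # O16 DPF -> flipviewer ftpfbmsGen.cab
}
# Assumption: default Win9x system directory (heuristic only, not from the thread).
SYSTEM_DIR = "c:\\windows\\system\\"

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    code: str             # HijackThis section code, e.g. "R1", "O2", "O16"
    body: str             # everything after "Rn - " / "On - "
    clsid: Optional[str]  # upper-cased {CLSID} if the line carries one
    url: Optional[str]
    path: Optional[str]   # local file the entry loads, if the line names one
    flags: List[str] = field(default_factory=list)


def _local_path(body: str) -> Optional[str]:
    """HijackThis puts the loaded file last, after the final ' - ' separator."""
    tail = body.rsplit(" - ", 1)[-1].strip()
    return tail if re.match(r"^[A-Za-z]:\\", tail) else None


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # header lines, "Running processes:" block, blanks
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        entries.append(Entry(
            code=m.group("code"),
            body=body,
            clsid=clsid.group(0).upper() if clsid else None,
            url=url.group(0) if url else None,
            path=_local_path(body),
        ))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach flags to each entry and return only the flagged ones (mutates entries)."""
    for e in entries:
        host = urlparse(e.url).hostname if e.url else None
        if host and host.lower() in FLAGGED_HOSTS:
            e.flags.append("search hijack host")
        if e.clsid in FLAGGED_CLSIDS:
            e.flags.append("reviewer-flagged CLSID")
        if e.code == "R3" and "missing" in e.body:
            e.flags.append("URLSearchHook missing")
        if (e.code == "O2" and "(no name)" in e.body and e.path
                and e.path.lower().startswith(SYSTEM_DIR)):
            e.flags.append("unnamed BHO in system dir (heuristic)")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.code:<4} {', '.join(e.flags):<50} {e.path or e.url or e.body}")
```

Run it on a saved log by replacing SAMPLE_LOG with the file contents; it only reads text, so it is safe to run on a machine other than the infected one. Note that triage() appends to the records it is given, so call it once per parsed list, and that the R0 start page, the BADDA toolbar and the remaining O16 controls are deliberately left unflagged because the reply did not ask for them.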