infected w/ java_bytever.A-1, help please?

Discussion in 'adware, spyware & hijack cleaning' started by methadon3000, May 4, 2004.

Thread Status:
Not open for further replies.
  1. methadon3000

    methadon3000 Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    Hi there

    First time here, and with a problem of course. This morning I was running a usual Ad-aware scan when I got a message that PCcillin found a file infected w/ java_bytever.A-1.
    I deleted the infected file, cleaned all the dirt Ad-aware found and ran Hijack.
    Here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:39 AM, on 5/4/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\System32\WScript.exe
    C:\WINDOWS\System32\DeltTray.exe
    C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    c:\progra~1\Support.com\client\bin\tgcmd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCMAIN.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Bogdan\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083647908812
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DB2842CC-B03F-44F3-AE5C-6AD5A8F8C58A}: NameServer = 151.202.0.84 151.203.0.84

    I ran PCcillin once again before I left home and found nothing but I'm not sure it should have been that easy.
    Please let me know what's up.
    Many thanks,
    Bogdan
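The log above is the kind of thing a helper reads by hand in this thread. As an added example (not code from the thread or from the HijackThis project), here is a small parser for the entry lines of a HijackThis v1.97 log, with a review pass that lists the items a defender would want to confirm first: O4 autostart entries that run script files or give no path (so the launcher is resolved through the search order), O16 ActiveX downloads from hosts outside an assumed allowlist, and the O17 name servers, which have to be checked against the ISP. The sample log is constructed from a few lines of the posted log plus one made-up O16 line on `example.invalid`; the host allowlist `KNOWN_DPF_HOSTS` is an assumption for the demonstration, not a vetted list.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis log above: a few lines taken from
# the posted log plus one made-up O16 line (example.invalid) so the review has something to flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Example) - http://example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB2842CC-B03F-44F3-AE5C-6AD5A8F8C58A}: NameServer = 151.202.0.84 151.203.0.84
"""

# Every HijackThis entry line starts with its section code, e.g. "R0 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

# Per-section patterns for the sections used below; anything else is kept as raw text.
PARSERS = {
    "R": re.compile(r"^(?P<key>.*?),(?P<name>[^,]*?) = (?P<data>.*)$"),
    "O4": re.compile(r"^(?P<key>.*?): \[(?P<name>.*?)\] (?P<command>.*)$"),
    "O16": re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<url>\S+)$"),
    "O17": re.compile(r"^(?P<key>.*?): NameServer = (?P<servers>.*)$"),
}

# Assumed allowlist of hosts ActiveX controls are expected to be downloaded from (demo only).
KNOWN_DPF_HOSTS = {"download.microsoft.com", "www.microsoft.com", "download.yahoo.com"}
# Script and unusual launcher extensions that deserve a look in a Run key.
SCRIPT_EXT = re.compile(r"\.(vbs|js|bat|cmd|scr|pif)(\s|\"|$)", re.IGNORECASE)


def parse_hjt(text):
    """Return the entry lines of a HijackThis log as dicts with a 'type' and parsed fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no entries
        kind, rest = m.group(1), m.group(2)
        pat = PARSERS.get("R" if kind.startswith("R") else kind)
        fm = pat.match(rest) if pat else None
        fields = fm.groupdict() if fm else {"raw": rest}  # e.g. "O4 - Global Startup: ..." stays raw
        entries.append({"type": kind, **fields})
    return entries


def launched_file(command):
    """First token of an autostart command: the quoted path if quoted, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def review(entries):
    """List the entries a reviewer would confirm first. Each finding is one human-readable line."""
    findings = []
    for e in entries:
        t = e["type"]
        if t == "O4" and "command" in e:
            cmd = e["command"].strip()
            launched = launched_file(cmd)
            if SCRIPT_EXT.search(cmd):
                findings.append(f"O4 [{e['name']}]: autostart runs a script file: {cmd}")
            if "\\" not in launched:
                findings.append(f"O4 [{e['name']}]: launcher '{launched}' has no path, resolved via search order")
        elif t == "O16" and "url" in e:
            host = urlparse(e["url"]).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                findings.append(f"O16 {{{e['clsid']}}} ({e['name']}): ActiveX download from unrecognised host {host}")
        elif t == "O17" and "servers" in e:
            findings.append(f"O17 NameServer {e['servers']}: confirm these resolvers belong to your ISP")
    return findings


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

On the sample, the review lists the `server.vbs` Run entry, the pathless `LTSMMSG.exe` launcher, the constructed `example.invalid` download and the O17 resolvers; the quoted `pccguide.exe` entry and the Yahoo download pass. A flagged line is a prompt to check, not a verdict: the `server.vbs` entry in the posted log belongs to the Support.com client that is also visible in the process list.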
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    nothing showing but

    First download CWshredder from either http://www.thespykiller.co.uk or https://www.wilderssecurity.com/showthread.php?t=14086 then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
     
  3. methadon3000

    methadon3000 Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    Did everything - still the same message every time I run Ad-aware. But I was looking around and read this on the Lavasoft forum:

    "This is a normal thing that will happen when running Ad-aware 6 when you have had an infection.
    Ad-aware 6 makes a local copy of the files it is about to scan (not executing them, of course), and while doing this, if your AntiVirus pops up a warning about an infected file as Ad-aware 6 is scanning, this means that the file was infected before, and this is that file.

    Take NAV autoprotect for example. If you have NonActive viruses on your system, the autoprotect feature will not alert to its presence unless one or both of the following occur:
    1) The virus is loaded into active memory or,
    2) you perform a scan of the folder containing the file.

    You are Not at any risk here"

    The name of the file that keeps showing up as infected is
    VerifierBug.class (C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\ar3[1].jar)
    which made me think maybe that's true..
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    trend is finding the file in adaware cache, which is a copy of the file that is already in trend quarantine

    best solution is to
    empty trend quarantine and then go to
    C:\Program Files\Lavasoft\Ad-aware 6\Cache

    select everything in that folder and delete it

    adaware normally deletes the cache folder contents when it closes but if an antivirus locks the file it can't
     
  5. methadon3000

    methadon3000 Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    I actually did it last night after I posted the last message, everything quiet now.
    Thanks for the help and hope you won't hear from me soon.
    Be good,
    Bogdan
     
  6. methadon3000

    methadon3000 Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    And I'm back. And so it's the bytever scum.
    You said I should delete everything in the C:\Program Files\Lavasoft\Ad-aware 6\Cache folder - can't find any cache folder for Ad-aware. What I actually did is I went in C:\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE and there I found the VDOC\ar3[1].jar file, which I deleted.
    But the bastard is back..
    Where should I look for it?
     
  7. methadon3000

    methadon3000 Registered Member

    Joined:
    May 4, 2004
    Posts:
    5
    I just ran a PCcillin manual scan, which found this file infected this time:

    C:\RECYCLER\S-1-5-21-3689853989-2649289507-2167395947-1005\Dc392\PCCVDOC.ZIP
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Oh joy, the path would indicate that the file is in the trashcan of one of the other (Administrator) accounts on your computer.

    Regards,

    Pieter
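Posts 4 and 8 make the same point from two angles: the "re-infections" here are copies of an already-handled file sitting in places a scanner still reads (the Ad-aware scan cache holding a copy of the PC-cillin quarantine, and later a Recycle Bin folder under `C:\RECYCLER\<SID>` belonging to whichever account deleted it). As an added example that is not part of the thread, the function below classifies a detection path into one of those stale-copy locations, extracts the account RID from a RECYCLER path, and says what to clean; the two thread paths are used as inputs, and the `Temp` path is a constructed example of a live detection.

```python
import re
from pathlib import PureWindowsPath

# Ad-aware copies each file into its cache before scanning it (per the Lavasoft quote above),
# so a quarantined file can reappear under Cache\...\QUARANTINE\... and be re-detected.
ADAWARE_DIR = "ad-aware 6"
# Recycle Bin folders on NT-family systems are keyed by the SID of the account that deleted the file;
# the last component of the SID is the relative ID (RID). RIDs below 1000 are built-in accounts
# (500 Administrator, 501 Guest); 1000 and above are accounts created afterwards.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", re.IGNORECASE)


def classify_detection(path):
    """Classify a scanner hit by where it sits. Returns a dict with location, stale_copy and a note."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    result = {"path": path, "location": "live", "stale_copy": False,
              "note": "file is in a normal location; treat as an active detection"}

    # 1. Antivirus quarantine store: already neutralised, but another scanner keeps re-detecting it.
    if "quarantine" in lowered:
        result.update(location="av_quarantine", stale_copy=True,
                      note="copy held in the antivirus quarantine; empty the quarantine to stop re-detection")

    # 2. Ad-aware scan cache (more specific than 1: the cache may itself hold a copy of the quarantine).
    if ADAWARE_DIR in lowered and "cache" in lowered:
        idx = lowered.index("cache")
        inner = "\\".join(parts[idx + 1:])
        result.update(location="adaware_cache", stale_copy=True,
                      cached_from_quarantine="quarantine" in lowered[idx + 1:],
                      note=f"Ad-aware cache copy of '{inner}'; empty the quarantine, then clear the Cache folder")

    # 3. Recycle Bin: RECYCLER\<SID>\... is the bin of the account identified by that SID.
    if len(parts) > 2 and lowered[1] == "recycler":
        m = SID_RE.match(parts[2])
        if m:
            rid = int(m.group(1))
            kind = "built-in account" if rid < 1000 else "account created after install"
            result.update(location="recycle_bin", stale_copy=True, sid=parts[2], rid=rid,
                          note=f"deleted file in the Recycle Bin of RID {rid} ({kind}); "
                               "log on as that account and empty its bin, or remove the folder as an administrator")
    return result


def triage(paths):
    """Split a list of detection paths into stale copies and live detections."""
    stale, live = [], []
    for p in paths:
        (stale if classify_detection(p)["stale_copy"] else live).append(p)
    return stale, live


if __name__ == "__main__":
    # The two paths reported in the thread, plus one constructed live-looking path.
    for p in [
        r"C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\ar3[1].jar",
        r"C:\RECYCLER\S-1-5-21-3689853989-2649289507-2167395947-1005\Dc392\PCCVDOC.ZIP",
        r"C:\Documents and Settings\Bogdan\Local Settings\Temp\example.jar",  # constructed
    ]:
        r = classify_detection(p)
        print(f"{r['location']:15} stale={r['stale_copy']}  {r['note']}")
```

The ordering of the three checks matters: the first thread path contains both `Cache` and `QUARANTINE`, and the cache rule runs after the quarantine rule so the more specific location wins while `cached_from_quarantine` records the nesting. For the RECYCLER path the RID is 1005, so it is an account created after installation rather than the built-in Administrator, which is why the file survived emptying the current user's bin.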
     