JAVA_BYTER.A

Discussion in 'malware problems & news' started by Sella, Oct 22, 2004.

Thread Status:
Not open for further replies.
  1. Sella

    Sella Registered Member

    Joined:
    May 22, 2004
    Posts:
    9
    HELP! I've been trying to remove this crap from my computer and it's not working. I tried with ad-aware and a virus-remover and still it comes back. I don't know what to do cause it keeps reinstalling itself. PLEASE HELP ME!! :p Thank you so muuuuch!

    (it makes my homepage a page from "c:\WINDOWS.1\_h.html")
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You might want to go to the link and follow the instructions and see if it won't cure your problem: link
     
  3. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Troj/Femad-B is what you have. Also called Java byte verify and a few other aliases.

    It is programmed in Java [.jar]

    To remove:

    1. Log on as Administrator.
    2. Right-click the My Computer icon on the desktop and click Properties.
    3. Click the System Restore tab.
    4. Select Turn off System Restore.
    5. Click Apply > Yes > OK.
    6. Scan with your Anti virus
    7. Re-enable System Restore by clearing Turn off System Restore.

    If your AV does not remove it after this, please post again and I will give you manual removal instructions.
     
  4. Sella

    Sella Registered Member

    Joined:
    May 22, 2004
    Posts:
    9
    Hi, I used to have pc-cillin but it became a pain ...and now that I'm using ZoneAlarm I can't quite figure out how to do a system scan? Would you happen to know how I could do that?

    Thanks, I really appreciate the help :)
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Sella, do you have an Anti-Virus program?

    If you follow the link that BigC provided above you will find very comprehensive instructions, including installing a free anti-virus program, if you don't currently have one.

    Just to be sure that link is here and here it is again https://www.wilderssecurity.com/showthread.php?t=50662

    Let us know how you go...

    Cheers :D
     
  6. Sella

    Sella Registered Member

    Joined:
    May 22, 2004
    Posts:
    9
    It seems to have worked!
    THANK YOU SO MUCH!!!!!!!:)

    Oh just a quick question... I heard "avast.com" has a good anti-trojan program.. do you guys know anything about it? I'm using that Trojan-Hunter one now but unfortunately it's only one of those trial-period-ones so.. <=(
     
  7. Sella

    Sella Registered Member

    Joined:
    May 22, 2004
    Posts:
    9
    Oh, I spoke too soon. It seems to be back! :((((((( ....

    ...there's a link at the bottom of the homepage.. "uninstall" .. I know I shouldn't trust it but it's just wishful thinking, I guess. =P I hate this craaaaaap.... :( :( :( :( :( :( :mad: :mad: :mad: :mad: :mad: :rolleyes:
     
  8. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, this Trojan can damage your system, manual removal is not possible.

    Your best options are:

    Get all Critical Windows updates [Start - All programs - in the list up top is the link.]

    Get a good Anti virus & update it. [Nod32 & Kaspersky both excellent, free trials are available]

    Turn off System restore, reboot in safe mode [Start - Run - Type 'msconfig' hit enter - Click 'boot.ini' - Tick box 'safe boot' and press ok - you will be prompted to restart - after restart you will be in safe mode.]

    Run a full system scan with the Anti Virus - Delete anything found.

    Turn system restore back on.

    To get out of safe mode untick the box 'safe boot' and restart.
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Sella,

    With this type of hijacker, there are usually other malware files installed (some may even be super hidden) and this is probably the reason it is reinstalling itself shortly after you've run the scans with your security apps. I would suggest that you consider posting a HijackThis log for a more in-depth analysis by an experienced HijackThis log analyst.

    As we no longer provide HijackThis log review here at Wilders, you can find a list of sites that still do perform this type of log analysis and system cleaning in this link: http://a-sap.org/

    Regards,

    snap
     
  10. Sella

    Sella Registered Member

    Joined:
    May 22, 2004
    Posts:
    9
    Why don't you guys check out Hijackthis logs anymore? <=(

    And thanks Sweetie.. I'll try that as soon as possible

    -- by the way, how is it dangerous to my system? <=((((
     
  11. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, the Trojan you have is known by a few aliases: JAVA_FEMAD.B, JAVA_BYTEVER.A-1, TROJAN JAVA FEMAD, EXPLOIT-BYTE VERIFY.

    It uses the byte verifier vulnerability in unpatched versions of Internet Explorer to drop and execute the file C:\web.exe.

    From there the infected PC can be accessed via backdoor connections.
    Detections of this Trojan do not necessarily mean that any malicious code was executed. It simply means that a Java applet was found to contain the exploit code. Although malicious code may have been run, which could result in any number of modifications to the system.

    Problems I’m aware of;
    Create a registry script file, and merge it into the system registry.
    Allow attacks from certain web sites.
    Further downloads of dialer programs.

    Once deleted it redirects IE to a malicious web site, where a dialer program is installed. [Various names, depends on the variant of Trojan]
    It can be quite difficult to get rid of this. First you need to identify and delete the host Trojan > then through Anti Spyware pro delete the dialer program/s.

    Recommended steps for removal;

    · Perform OFF LINE
    · Clear IE temp files
    · Turn off system restore
    · Boot into safe mode
    · Run up to date AV that recognizes this threat
    · After scan delete anything found
    · Run up to date Anti Spyware pro [I would run two]
    · Delete anything found
    · Reboot into normal mode
    · Scan Again with AV & Anti Spyware



    If the problem is still there, run HijackThis and post the log file here

    http://hijackthis.de/index.php?langselect=english
     
  12. Sellaa

    Sellaa Guest

    Thanks guys, I was able to take it off. =)
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see Sellaa, as you have had an infected computer, you may want to take a look here for further discussion on security and how to make your system that much stronger, and here for more discussions.

    Let us know how you go...

    Cheers :D
     
  14. Sellaa

    Sellaa Guest

    Thanks =)
    Since I didn't see them listed there, I used PestPatrol and trendmicro.com (the online scan) which were really useful in helping me get rid of these viruses (I had TONS!!!!!!!!!!)
    :)
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    What security do you now have on your computer? As in what Anti-virus program, what Firewall program? etc etc.

    Cheers :D
     
  16. Sellaa

    Sellaa Guest

    PestPatrol and ZoneAlarm.. I have some other programs like Spybot, Spyware Blaster, Ad-aware, and TrojanHunter (which will probably expire soon..) but PP and ZoneAlarm are the only one that run on my computer while it's on...
    How does that sound? =P
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Not very good at all I’m afraid.


    As a MINIMUM I would suggest you download and install the following FREE programs to protect your computer, or your system WILL get infected again, and unfortunately I can guarantee that ;)


    1. Avast (FREE) – Anti-Virus from here:
    http://www.avast.com/eng/down_home.html


    2. Spyware Blaster (FREE) – Spyware Prevention from here:
    http://www.javacoolsoftware.com


    3. Spyware Guard (FREE) – Real time scanner for Browser Hijack prevention.
    http://www.javacoolsoftware.com


    4. Spybot Search and Destroy (FREE) – Spyware removal and protection, with registry monitor. If running the above 2 programs, your system should remain fairly clean.
    http://beam.to/spybotsd


    5. AdAware (FREE) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
    http://www.lavasoftusa.com


    6. Ewido (FREE) – Anti-Trojan. I currently use Ewido though I do NOT use the active file scanner as it slows my system down too much.
    http://www.ewido.net/en/

    Let me know how you go…

    Cheers :D
     
  18. Sellaa

    Sellaa Guest

    Uh oh, I think I read about this one today and "it seems almost impossible to remove" came along with it.

    124787.exe

    <=(
    Do you know anything about this?
    Damnit. This stuff is so frustrating.
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you followed EVERY single step found here https://www.wilderssecurity.com/showthread.php?t=50662 ? ? ?


    Have you installed the software I advised is an ABSOLUTE MINIMUM in post number 17 above your latest post ? ? ?

    Cheers :D
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    124787.exe , inst.exe and hooks.dll all three will be there most probably, a porndialer, can raise your phonebills if it can run! Get rid of it.
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    To try and give you a little understanding of the essential and minimalist approach that I have suggested above I will go through and explain each product and its purpose:


    1. ZoneAlarm – Is a Firewall, designed to make your system invisible on the internet, prevent intrusion from the internet, and will also advise you of programs trying to access the internet. It is like having your own personal security guard to keep your system safe and advise you of who is coming and going through the door between your computer and the internet.


    2. Avast Anti-Virus – Is an Anti-Virus program that protects your computer from Viruses, Trojans and Worms, though they are more designed for Viruses, hence the name Anti-Virus. To upgrade to a PAID Anti-Virus program, I would suggest Nod32 from www.nod32.com


    3. Spyware Blaster – Is a Spyware Prevention program. Spyware is similar to a virus, it is a technology that gathers information about a person or organization without their knowledge and is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window.

    Further information on Spyware and Adware can be found here http://searchcrm.techtarget.com/sDefinition/0,,sid11_gci214518,00.html


    4. Spyware Guard – Is a Prevention program that uses a Real time scanner for Browser Hijack prevention, this is the homepage or first page that you see when you first go onto the internet, it is designed to advise you if something is trying to change your “Home Page”.


    5. Spybot Search and Destroy – Spyware removal and protection program, with registry monitor. If running the above 2 programs, your system should remain fairly clean.


    6. AdAware – Spyware removal program. What Spybot Search and Destroy doesn’t pick up, this will.


    7. Ewido – Is an Anti-Trojan program designed to prevent and remove Trojans, as opposed to viruses. To upgrade to a PAID Anti-Trojan program, I would suggest TDS-3 from http://www.diamondcs.com.au


    If you have any questions whatsoever, please ask us and we will be more than happy to try and answer them...


    Hope this helps.

    Cheers :D
     
  22. sellaa

    sellaa Guest

    thanks guys :)

    I got rid of that 127-.exe program, plus the "hooks.dll" and "inst.exe" as soon as I found them, and they seem to have disappeared. ZoneAlarm blocked the 127-.exe's access to the internet as well.

    All seems okay:)

    Blackspear: I have those programs except Ewido (which I'll get now) and Spyware Blaster. I had it on my computer but I just removed it because it didn't really seem to be working. (wouldn't scan or I don't know...) but I also have PestPatrol and TrojanHunter. I also tried TDS-3 but it was only an evaluation.

    Thanks for the help:]
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Spyware Blaster, is a PREVENTION program, it is REALLY important to have, as I tried to explain above, this is MINIMUM security, it is NOT even close to maximum security.

    Further information on Spyware Blaster can be found here https://www.wilderssecurity.com/showthread.php?t=18132

    Let us know what security you ended up with. If you are not sure about how to use any of the programs, we can walk you through it...

    Hope this helps...

    Cheers :D
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Glad you got rid of those three and hope your phonebill was not affected by that dialler.
    Hope you did a full scan for instance at http://housecall.antivirus.com to see if you are a bit cleaner now.

    TDS-3 is an evaluation but fully functional for 30 days, so if you like it just get a license and look in the TDS forum here for further instructions and support. No need to re-install, only put the license key inside the directory and you can continue keeping your system at least a bit cleaner, together with the programs Blackspear mentions.
     
    Last edited: Oct 30, 2004