Log review/Java_Bytever.A

Discussion in 'adware, spyware & hijack cleaning' started by gramme, Jun 13, 2004.

Thread Status:
Not open for further replies.
  1. gramme

    gramme Registered Member

    Joined:
    Jun 13, 2004
    Posts:
    4
    Location:
    Barefoot Bay, Florida
    Hi,
    I am new to this forum. I came across a post about not being able to get rid of the Java_Bytever.A trojan and I am having that problem. I followed the instructions given and am now posting the log.
    I am running Windows 98SE and I use V-Com's System Suites as my virus checking program. This program has found 7 virus' all Java_Bytever.A but the location they say is bogus. I used Housecall from Trendmicro and it didn't find anything. System Suites said they are gone. Then they RETURN!
    I have follow the instruction that are given at Trendmicro, by resetting my internet settings to the default, I have emptied my cache, delete all my .tmp files.
    I ran Sypbot S&D, I ran Ad-aware version 6.0 and they are still there. If I run System Suites it finds them when I try to clean or delete them the screen freezes.
    Now, I have just run the HiJackThis program and my log is below: Hope someone can help.
    Logfile of HijackThis v1.97.7
    Scan saved at 1:29:43 PM, on 06/13/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    D:\UTILITIES\SHORTKEYS2\SHORTKEY.EXE
    C:\WINDOWS\RSRCMTR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    D:\UTILITIES\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search.php?lang=1&bar_id=BADBADFIHBzQNXDBHTHTM
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bottomlinewholesaler.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=2&bar_id=0
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
    O2 - BHO: (no name) - {2843DAC1-05EF-11D2-95BA-0060083493D6} - D:\PROGRAM FILES\DRAGON\NATURALLYSPEAKING\PROGRAM\WEB_IE.DLL
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRAM FILES\E-BOOK SYSTEMS\FLIPVIEWER\FPLAUNCH.DLL
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: BADDA - {C10A16B7-70FE-4CE3-A261-6FBA7CC3DD5B} - C:\PROGRAM FILES\BBLING\BBLING.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\VCOM\SYSTEM~1\MEMCHECK.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: Resource Meter.lnk = C:\WINDOWS\RSRCMTR.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Global Startup: ShortKeys 2.lnk = D:\UTILITIES\SHORTKEYS2\SHORTKEY.EXE
    O8 - Extra context menu item: Link Popularity - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=1
    O8 - Extra context menu item: Keyword Density - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=2
    O8 - Extra context menu item: Position Reporter - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=3
    O8 - Extra context menu item: SE Submission - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=4
    O8 - Extra context menu item: SE Optimizer - http://route.mouseclickapplication....ter.cgi?partner=edwood&version=1&set=1&tool=5
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.5636805556
    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} (WebImageCtl Object) - http://www.flipviewer.com/exe/ftpfbmsGen.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipping.net/fvlite22/fvlite.cab
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - http://www.stamps.com/download/us/registration/2_0_0_745/sdcregie.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A} (FViewerLoading Class) - http://www.flipviewer.com/exe/fvgen1.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab

    Donna aka gramme
     
  2. LoPhatPhuud

    LoPhatPhuud Spyware Fighter

    Joined:
    Jul 19, 2003
    Posts:
    45
    Location:
    Albuquerque, NM
    I don't see any signs of Java.Byte.Verify in the log. Most likely it is a falso positive. It would help to know the file that is causing the alert. If you can locate it, submit it to Kaspersky Labs for analysis here: http://www.kaspersky.com/scanforvirus

    Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine.

    Check the following items in HijackThis.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pbar.net/PBar/custom_search....FIHBzQNXDBHTHTM
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://pbar.net/PBar/custom_search.php?lang=2&bar_id=0
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll

    O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} (WebImageCtl Object) - http://www.flipviewer.com/exe/ftpfbmsGen.cab


    Close all windows except HijackThis and click Fix checked:


    Here are some simple steps you can take to reduce the chance of infection in the future.

    1. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

    1. Adjust your security settings for ActiveX:
    Go to Internet Options/Security/Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

    2. Download and install the following free programs]
    a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
    c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

    1. Install Spyware Detection and Removal Programs:
    You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
    a. AdAware: http://www.lavasoft.de/
    b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download


    For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index.php?showtopic=9857
     
Thread Status:
Not open for further replies.