Trojan.byteVerifyer is back

Discussion in 'adware, spyware & hijack cleaning' started by Gio, May 2, 2004.

Thread Status:
Not open for further replies.
  1. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    I had a look at the services pages and followed their suggestions such as update the Lava Virtual Machine close the port5000 etc. and scanned the system on-line. But during this scanning, Norton Antivirus updated the virus definitions and then advised that the virus was deleted and that was confirmed by the result of the on-line scanning: no virus detected. Now I'm a little bit confused and don't know what to do. According to NA2003 The Trojan is in the folder C:\windows\temporary internet files\Content.IE5\E9XU3A1K again and can't remove or isolate it! o_O :'(
    This is my log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 11.30.04, on 02/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\WINDOWS\SYSTEM\KEYMAP.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAMMI\FILE COMUNI\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAMMI\STOPDIALERS\STOPDIALER.EXE
    C:\PROGRAMMI\GETRIGHT\GETRIGHT.EXE
    C:\PROGRAMMI\GETRIGHT\GETRIGHT.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\DOWNLOADS\SOFTWARE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [IrMon] irmon.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [AcerPowerkey] "C:\Programmi\Acer\Powerkey\Powerkey.exe"
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [KEYMAP] C:\WINDOWS\SYSTEM\Keymap.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [CcApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CcRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [CcEvtMgr] "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Stop_Dialer] C:\\Programmi\\StopDialers\\StopDialer.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: getright - tray icon.lnk = C:\Programmi\GetRight\getright.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
    O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Programmi\AutoCAD 2002 Ita\InstFred.ocx
    O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - file://C:\Programmi\AutoCAD 2002 Ita\SysVerChk.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7981.1274537037
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

    Help me please, I really don't know what to do!
    Sorry for my ignorance, but refferring to the Java Virtual Machine, it's enough to update it to avoid troubles, or it's better to delete definitely it. And in the second case, how to remove it in Win ME?
    Thanks
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Gio :)

    The trojan is in your temporary internet files

    Just delete these. Here's how,

    http://www.pchell.com/support/privacy.shtml

    There may be more Malware in your log. Stay tuned for more advice from the experts.


    snowbound
     
  3. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Sorry Paul,
    it's the first time I post in a forum, so I have to learn a lot about its rules.
    Anyway could you or someone else help me know what's wrong with my PC.
    Norton 2003 continue to advice me that the trojan is still there. As I said, I've just disabled System restore, cleaned the temporary internet files and cookies, launched other detectors such as SpyBot S&D and updated the virus scanners. Indeed I followed your suggestion and those ones in the services pages, but nothing seems to solve this problem.
    Please give more suggestions.
    Thanks a lot. :)
     
  4. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Thank you for your answer snowbound,
    but I've just done it and nothing have changed.
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Ok,

    just be patient and one of the experts will be along to give u recommendations on your HijackThis log.


    snowbound
     
  6. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Anyone colud help me?
    I woludn't disturb you but I'm afraid that this problem could be damnous
    for my PC and I use it to work. I use essentially cad programs, editors digitalizers etc. and the other common programs. The trouble is that I continously send and receive files by mail and surf the web with a dsl connection.
     
  7. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Gio,

    Can you please give us the exact location wher it's found again?

    Thnx

    Cheers,
     
  8. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Hi unzy,
    The folder is :
    C:\windows\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab.
    It seem to be a simple file located in the temporary internet file folder, but nor the manual eliminination by using the IE6 commands neither the Norton 2003 have been successful. Anyway I think Norton means C:\windows\temp\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab, cause in the firs path I can't find these folders. Sorry, I know it's a bit confused but it respect my actual status :rolleyes: :D
    Tank you unzy
     
  9. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    ok,

    First make sure you have enabled all hidden files and folders to show : Here's How

    Then restart PC in Safe Mode : Here's How and manually navigate to and remove :

    C:\windows\temporary internet files\Content.IE5\E9XU3A1K\ <- this folder

    Restart again in normal mode and make sure you have all the essential updates for IE at windowsupdate.com.

    Keep us posted

    Cheers,
     
  10. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Thanks Unzy,
    you'r very kind!
    I'm going to try that.
     
  11. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Sorry Unzy,
    but you have to help me again :'(
    I followed your reccomendations but I didn't find the right folder.
    I found only 4 of the variuos folders that Norton let me se when I browse to search the one I want to be scanned, moreover I found them not in C:\windows\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab,
    but in C:\windows\temp\temporary internet files\Content.IE5\.....
    They are : 6INMJ0RP; QJ8JK70X; S12RWPEZ; U1Q9MB2T
    All contain a file named desktop.ini
    Thanks again
     
  12. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Do a search for :

    popsong1[1].cab <- this file

    Via start -> search -> files/folders

    Cheers,
     
  13. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    It seems these folders doesen't exist, but Norton scans them and finds the trojan. I tried every kind of research but nothing. Perhaps it's necessary to change some other setting to view them.
     
  14. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Hi, I found no way to solve my problems. It seems this folder C:\windows\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab where the trojan is, doesen't exist even enabling all hidden files and folders, and neither the Norton2003 nor Spybot S&D nor SpywareGuard or any other software suggested in this forum have been successful. I thought it was the right solution deleting that folder in safe mode, but I say again it's impossible to find it. Please help me!
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    1) Open Internet Explorer and click on Tools
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
     
  16. Gio

    Gio Registered Member

    Joined:
    May 2, 2004
    Posts:
    10
    Location:
    Calabria, Italy
    Hi dvk01,
    you're very kind! On the other side I'm so stupid! I tried everything to get out this trouble, but reading with more attention your reply I've realized that using the IE commands to delete the temporary internet files I didn't checked the box "Delete all offline content"! :blink: :oops: .
    I'm so ashamed that I'm going to hide somewhere.
    Thank you again. Congratulation for this Forum, all of you are great ;)
     
Thread Status:
Not open for further replies.