Trojan.byteVerifyer is back

I had a look at the services pages and followed their suggestions such as update the Lava Virtual Machine close the port5000 etc. and scanned the system on-line. But during this scanning, Norton Antivirus updated the virus definitions and then advised that the virus was deleted and that was confirmed by the result of the on-line scanning: no virus detected. Now I'm a little bit confused and don't know what to do. According to NA2003 The Trojan is in the folder C:\windows\temporary internet files\Content.IE5\E9XU3A1K again and can't remove or isolate it!
This is my log file:

Logfile of HijackThis v1.97.7
Scan saved at 11.30.04, on 02/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\KEYMAP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAMMI\FILE COMUNI\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAMMI\STOPDIALERS\STOPDIALER.EXE
C:\PROGRAMMI\GETRIGHT\GETRIGHT.EXE
C:\PROGRAMMI\GETRIGHT\GETRIGHT.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\SOFTWARE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AcerPowerkey] "C:\Programmi\Acer\Powerkey\Powerkey.exe"
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [KEYMAP] C:\WINDOWS\SYSTEM\Keymap.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [CcApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CcRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [CcEvtMgr] "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Stop_Dialer] C:\\Programmi\\StopDialers\\StopDialer.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Startup: getright - tray icon.lnk = C:\Programmi\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-9600-000000000000} - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Programmi\AutoCAD 2002 Ita\InstFred.ocx
O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - file://C:\Programmi\AutoCAD 2002 Ita\SysVerChk.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7981.1274537037
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

Help me please, I really don't know what to do!
Sorry for my ignorance, but refferring to the Java Virtual Machine, it's enough to update it to avoid troubles, or it's better to delete definitely it. And in the second case, how to remove it in Win ME?
Thanks

 

Hi Gio

The trojan is in your temporary internet files

Just delete these. Here's how,

http://www.pchell.com/support/privacy.shtml

There may be more Malware in your log. Stay tuned for more advice from the experts.


snowbound

 

Sorry Paul,
it's the first time I post in a forum, so I have to learn a lot about its rules.
Anyway could you or someone else help me know what's wrong with my PC.
Norton 2003 continue to advice me that the trojan is still there. As I said, I've just disabled System restore, cleaned the temporary internet files and cookies, launched other detectors such as SpyBot S&D and updated the virus scanners. Indeed I followed your suggestion and those ones in the services pages, but nothing seems to solve this problem.
Please give more suggestions.
Thanks a lot.

 

Thank you for your answer snowbound,
but I've just done it and nothing have changed.

 

Ok,

just be patient and one of the experts will be along to give u recommendations on your HijackThis log.


snowbound

 

Anyone colud help me?
I woludn't disturb you but I'm afraid that this problem could be damnous
for my PC and I use it to work. I use essentially cad programs, editors digitalizers etc. and the other common programs. The trouble is that I continously send and receive files by mail and surf the web with a dsl connection.

 

Hi Gio,

Can you please give us the exact location wher it's found again?

Thnx

Cheers,

 

Hi unzy,
The folder is :
C:\windows\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab.
It seem to be a simple file located in the temporary internet file folder, but nor the manual eliminination by using the IE6 commands neither the Norton 2003 have been successful. Anyway I think Norton means C:\windows\temp\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab, cause in the firs path I can't find these folders. Sorry, I know it's a bit confused but it respect my actual status
Tank you unzy

 

ok,

First make sure you have enabled all hidden files and folders to show : Here's How

Then restart PC in Safe Mode : Here's How and manually navigate to and remove :

C:\windows\temporary internet files\Content.IE5\E9XU3A1K\ <- this folder

Restart again in normal mode and make sure you have all the essential updates for IE at windowsupdate.com.

Keep us posted

Cheers,

 

Thanks Unzy,
you'r very kind!
I'm going to try that.

 

Sorry Unzy,
but you have to help me again
I followed your reccomendations but I didn't find the right folder.
I found only 4 of the variuos folders that Norton let me se when I browse to search the one I want to be scanned, moreover I found them not in C:\windows\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab,
but in C:\windows\temp\temporary internet files\Content.IE5\.....
They are : 6INMJ0RP; QJ8JK70X; S12RWPEZ; U1Q9MB2T
All contain a file named desktop.ini
Thanks again

 

Do a search for :

popsong1[1].cab <- this file

Via start -> search -> files/folders

Cheers,

 

It seems these folders doesen't exist, but Norton scans them and finds the trojan. I tried every kind of research but nothing. Perhaps it's necessary to change some other setting to view them.

 

Hi, I found no way to solve my problems. It seems this folder C:\windows\temporary internet files\Content.IE5\E9XU3A1K\popsong1[1].cab where the trojan is, doesen't exist even enabling all hidden files and folders, and neither the Norton2003 nor Spybot S&D nor SpywareGuard or any other software suggested in this forum have been successful. I thought it was the right solution deleting that folder in safe mode, but I say again it's impossible to find it. Please help me!

 

Hi dvk01,
you're very kind! On the other side I'm so stupid! I tried everything to get out this trouble, but reading with more attention your reply I've realized that using the IE commands to delete the temporary internet files I didn't checked the box "Delete all offline content"! .
I'm so ashamed that I'm going to hide somewhere.
Thank you again. Congratulation for this Forum, all of you are great