# Trojan.ByteVerify



## Delta Lady (Mar 29, 2002)

Recently my NAV 2003 found and deleted about 12 files that contained the Trojan.ByteVerify virus.

When I checked the log file it also had this information:

Description: The compressed file Beyond.class within C:\WINDOWS\.jpi_cache\jar\1.0\archive.jar-27b6d963-645500c7.zip is infected with the Trojan.ByteVerify virus. 

Does this mean that this file is still infected, and if so, how do I deal with it? I couldn't find anything on the Symantec web site that could help me.

BTW I always have AutoProtect enabled and don't open email attachments so I don't know how these files got downloaded and infected.

Many thanks


----------



## KeithKman (Dec 29, 2002)

Navigate to *C:\WINDOWS\.jpi_cache\jar\1.0\archive.jar-27b6d963-645500c7.zip* and delete the file.

Next do this in order:

1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.

2) Read http://tomcoyote.org/SPYBOT/index1.html then download and run SpyBot. Make sure to get the updates for SpyBot before you have it scan your computer. After you scan and remove anything SpyBot finds, make sure to click the Immunize button followed by OK and then click the Immunize button in the right pane.

3) Run one of the following free Anti-Virus programs here:

http://housecall.trendmicro.com - I found this to work the best.

http://www.pandasoftware.com/activescan

http://www.ravantivirus.com/scan

4) Read http://www.tomcoyote.org/hjt then download and install HiJackThis. Open up HiJackThis and click "Scan". After you do so, click "Save Log" and save it to your desktop. Exit HiJackThis and open the log you created on your desktop and copy everything in the log and post it here.


----------



## Delta Lady (Mar 29, 2002)

I did some searching and came up with this site:

http://www.java.com/en/download/help/cache_virus.jsp

QUOTE:

> *Virus found in Java Plug-in cache directory*
>
> This error applies to you if you are using any of the following platforms:
> Windows 98, ME, NT, 2000, XP, 2003.
>
> SYMPTOMS
> Malicious applets have been discovered in the Java Plug-in cache directory. Anti-virus programs have detected such malicious applets in the following directory:
> C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
>
> These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011 http://www.microsoft.com/technet/treeview/default.asp?
>
> If you are using the Sun JVM as your default virtual machine these malicious applets cannot cause any harm to your computer.
>
> CAUSE
> When the browser runs an applet, the Sun JVM stores all the downloaded files into its cache directory for better performance. We have received reports of the following malicious applets in the Java Plug-in cache directory:
> Trojan.ByteVerify
> VerifierBug.class
> Java.JJBlack worm
> Java.Shinwow trojan
> However, in this instance, storing these applets in the cache directory cannot cause any harm to your computer because they are designed to exploit a vulnerability in the Microsoft VM, not the Sun JVM.
>
> SOLUTION
> If you find one of these malicious applets on your computer, please use an anti-virus program to delete the applet, or you can clean the cache directory manually.
>
> Here are the instructions on how to manually remove these malicious applets from the Java Plug-in cache directory:
> From the Start button, click Settings > Control Panel
> In the Control Panel, open the Java Plug-in Control Panel
> Select the Cache Tab
> Click the Clear button inside the Cache Tab, which will clear your Java Plug-in cache directory
>
> MORE TECHNICAL INFORMATION
> Norton / Symantec has posted information about the Trojan.ByteVerify virus on their Web site.
> http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html
>
> Microsoft provides information about the flaw in the Microsoft VM on their web site:
> Microsoft Security Bulletin MS03-011 http://www.microsoft.com/technet/treeview/default.asp?


----------



## Delta Lady (Mar 29, 2002)

Hi Keith

As I use Sun Java by default, I followed their instructions to clear the cache.
Then I followed your instructions (1), (2) and (3).
Everything seems to be OK.
Here's the HijackThis log that you requested in (4):

Logfile of HijackThis v1.92.0

Scan saved at 11:38:22, on 28/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: NF Timer.lnk = C:\Program Files\NFT\nft.exe
O4 - Startup: StayLive.lnk = C:\Program Files\Software by Design\StayLive.exe
O4 - Startup: Clipcase.lnk = C:\Program Files\ClipCase\CLIPCASE.EXE
O4 - Startup: cookie.lnk = C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - Startup: CiDial.lnk = C:\Program Files\CiDial\CiDial.exe
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.5909837963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

Many thanks for your help


----------



## Delta Lady (Mar 29, 2002)

Hello again

If Keith's not about, I just wondered if anyone else can check this log for me.

Thanks


----------



## KeithKman (Dec 29, 2002)

Look below...


----------



## KeithKman (Dec 29, 2002)

...Rescan with HiJackThis and put a check next to the following (make sure you didn't miss any entries). Now close all browser and Outlook windows and click "Fix Checked". After you do so, restart your computer and then post a fresh HiJackThis log.

*O4 - Startup: cookie.lnk = C:\Program Files\AnalogX\CookieWall\cookie.exe*
(The above file is a virus)

1) To delete cookie.exe, remove it using HiJackThis.

2) Restart in safe mode, if you don't know how to reboot in safe mode, read this:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

3) Once in Safe mode, search for cookie.exe and delete it.

4) Reboot in normal mode.

Info on cookie.exe:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


----------



## E815 (Oct 29, 2003)

Keith -
I followed your steps 1, 2 and 3. Got to step 4 and realized I need to post my HijackThis results.

Please help me out - I've got this trojan and I've been trying to remove it. I need some help.

The scan found the virus - 
TROJ_FEMAD.A - Non-cleanable - C:\msdos.exe

Here are the results below.

flrman1 & Keith - U guys rock - 4real 
Thanks for the Help

E815


----------



## Flrman1 (Jul 26, 2002)

E815

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net

O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta

O4 - HKCU\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta

Note: there are two of the entries above.

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode delete:

The C:\WINDOWS\FONTS\msoffice.hta file

Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan, look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then, in the next window that pops up, click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that, under "Memory and Registry", put a check by all the options there.
Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a check by "Let windows remove files in use at next reboot", then click "Proceed".

Next, in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
After getting the latest reference files you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished put a check by and let it fix everything it finds.

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent future attacks. 
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.


----------



## KeithKman (Dec 29, 2002)

E815, flrman1 has you covered!


----------



## dvk01 (Dec 14, 2002)

> _Originally posted by KeithKman:_
> *...Rescan with HiJackThis and put a check next to the following (make sure you didn't miss any entries). Now close all browser and outlook windows and click "Fix Checked". After you do so, restart your computer and then post a fresh HiJackThis log.
> 
> O4 - Startup: cookie.lnk = C:\Program Files\AnalogX\CookieWall\cookie.exe
> ...


This IS NOT a virus; it is a legitimate program to manage your cookies.

That is the problem with advising people when you DON'T KNOW.

Many viruses use legitimate program names. You cannot just go by the name of the .exe; you have to look at where the file is and which program is starting it.
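
The checks the helpers in this thread apply by hand (start and search pages pointing at unexpected hosts, hosts-file entries redirecting many names to one address, Run/Startup entries that launch scripts or registry imports, win.ini run= lines, and where a startup file lives) can be scripted over the HijackThis line format shown in the logs above. The triage helper below is an added example, not a tool from the thread or from HijackThis; the sample log is constructed in that format, and the allowed-host set is an assumption the caller supplies.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's own tool).

Parses the "Rn - ...", "Fn - ...", "On - ..." line format and applies the
defender heuristics the thread's helpers used by hand.  Sample log is constructed.
"""
import re
from collections import defaultdict

# Common HijackThis entry shape: "<code> - <rest>", e.g. "O4 - HKLM\..\Run: [x] y"
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.*)$")

# Browser-setting values that are normal defaults rather than hijacks.
BENIGN_URL_VALUES = {"about:blank", ""}

# Extensions that are unusual for a Run/Startup entry and worth a second look.
SCRIPT_EXTENSIONS = (".hta", ".reg", ".bat", ".vbs")


def parse_line(line):
    """Return (code, rest) for a HijackThis entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("rest")) if m else None


def check_browser_setting(rest, allowed_hosts):
    """R0/R1: flag start/search values that are neither blank nor on the allow-list."""
    if "=" not in rest:
        return None
    key, value = rest.rsplit("=", 1)
    value = value.strip()
    if value in BENIGN_URL_VALUES:
        return None
    host = re.sub(r"^https?://", "", value).split("/")[0].lower()
    if host in allowed_hosts:
        return None
    return f"browser setting {key.strip()} points at {host}"


def check_startup(rest):
    """O4: flag entries whose command runs a script or imports a registry file."""
    lowered = rest.lower()
    if any(ext in lowered for ext in SCRIPT_EXTENSIONS) or "regedit" in lowered:
        return f"startup entry runs a script/registry import: {rest}"
    return None


def check_hosts_entries(hosts_lines, threshold=3):
    """O1: group hosts entries by IP; many names -> one IP is the hijack pattern."""
    by_ip = defaultdict(list)
    for rest in hosts_lines:
        parts = rest.split()          # "Hosts: 192.0.2.1 name.example"
        if len(parts) >= 3 and parts[0] == "Hosts:":
            by_ip[parts[1]].append(parts[2])
    return {ip: names for ip, names in by_ip.items() if len(names) >= threshold}


def triage(log_text, allowed_hosts=frozenset()):
    """Walk a whole log and return a list of human-readable findings."""
    findings, hosts_lines = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        code, rest = parsed
        if code in ("R0", "R1"):
            f = check_browser_setting(rest, allowed_hosts)
            if f:
                findings.append(f"{code}: {f}")
        elif code == "F1" and "run=" in rest.lower():
            findings.append(f"{code}: win.ini run= entry present: {rest}")
        elif code == "O1":
            hosts_lines.append(rest)
        elif code == "O4":
            f = check_startup(rest)
            if f:
                findings.append(f"{code}: {f}")
        elif code == "O19":
            findings.append(f"{code}: user stylesheet set: {rest}")
    for ip, names in check_hosts_entries(hosts_lines).items():
        findings.append(f"O1: {len(names)} hosts entries redirected to {ip}")
    return findings


# Constructed sample log in the thread's format (not any poster's real log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example-hijack.test/
O1 - Hosts: 192.0.2.1 site-a.example
O1 - Hosts: 192.0.2.1 site-b.example
O1 - Hosts: 192.0.2.1 site-c.example
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Msoffice] C:\\WINDOWS\\FONTS\\msoffice.hta
O4 - HKLM\\..\\Run: [sys] regedit /s sys.reg
F1 - win.ini: run=C:\\WINDOWS\\system32\\ .bat
O19 - User stylesheet: C:\\Program Files\\Internet Explorer\\readme.txt
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, allowed_hosts={"www.google.ca"}):
        print(finding)
```

A finding is a prompt to look at the file's location and launcher, as dvk01 says, not a verdict on its own.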


----------



## Delta Lady (Mar 29, 2002)

> _Originally posted by dvk01:_
> 
> Info on cookie.exe:
> http://[email protected]
> ...


I did wonder whether this was an actual virus, seeing that it "belonged" to my CookieWall program.
I was about to query the instruction whether to delete it or not...so thanks for that *dvk01* 
I presume all the other entries on my HiJackThis Log are all OK..?


----------



## dvk01 (Dec 14, 2002)

delta lady

I can't see any problems with your log.


----------



## Delta Lady (Mar 29, 2002)




----------



## patrickjv (Nov 7, 2003)

Been trying like hell to get ByteVerify off my system... no luck.
I used Spybot, Norton, Adaware, but still I get some porn as IE start page every time I restart...

Below my HijackThis log (I know the 3 IE porn entries don't belong; I left them as is to show):

Logfile of HijackThis v1.97.3
Scan saved at 17:48:48, on 7-11-03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ANIR MOUSE\AMSSERVE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\KAZAA LITE\KAZAA.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MACOPENER\MACNAME.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
D:\PROGS 8\OTHER\VIRUS - TROJAN - SPYWARE ETC\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sexycat.adult-host.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sexycat.adult-host.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sexycat.adult-host.org/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Anir Mouse] C:\PROGRA~1\ANIRMO~1\AmsServe.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA LITE\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: MacName.lnk = C:\Program Files\MacOpener\MacName.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .exe: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\Intern~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## dvk01 (Dec 14, 2002)

Run CWshredder from 
http://www.spywareinfo.com/~merijn/cwschronicles.html
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection


----------



## patrickjv (Nov 7, 2003)

tnx for the help
CWshredder seems to have got rid of ByteVerify.

Tried the link to 'this MS security bulletin' ( http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp ), followed 'Windows Update' (http://windowsupdate.microsoft.com ) and I get redirected to http://v4.windowsupdate.microsoft.com/nl/default.asp

I only can't get the Windows patch / update to work... afraid I might get reinfected again...

It says "error in windows update" etc..
I'm running Win 98 SE Dutch.

Any suggestions?
P


----------



## darkwing22 (Nov 18, 2003)

My sister got this virus on her computer. She deleted all the infected files, but her homepage still changes and porn favorites are still added. Can anyone help? Here is the log file from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 1:45:28 PM, on 11/18/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\sstray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSupdate.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\InetKb\Inetkb.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\Documents and Settings\Andy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://auto.ie.searchforge.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://auto.ie.searchforge.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://auto.ie.searchforge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://auto.ie.searchforge.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://auto.ie.searchforge.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://auto.ie.searchforge.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\mswsc10.dll
O1 - Hosts: 216.200.3.32 worldsex.com
O1 - Hosts: 216.200.3.32 www.worldsex.com
O1 - Hosts: 216.200.3.32 sexocean.com
O1 - Hosts: 216.200.3.32 www.sexocean.com
O1 - Hosts: 216.200.3.32 easypic.com
O1 - Hosts: 216.200.3.32 www.easypic.com
O1 - Hosts: 216.200.3.32 free6.com
O1 - Hosts: 216.200.3.32 www.free6.com
O1 - Hosts: 216.200.3.32 al4a.com
O1 - Hosts: 216.200.3.32 www.al4a.com
O1 - Hosts: 216.200.3.32 thumbnailpost.com
O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
O1 - Hosts: 216.200.3.32 drbizzaro.com
O1 - Hosts: 216.200.3.32 www.drbizzaro.com
O1 - Hosts: 216.200.3.32 hoes.com
O1 - Hosts: 216.200.3.32 www.hoes.com
O1 - Hosts: 216.200.3.32 absolut-series.com
O1 - Hosts: 216.200.3.32 www.absolut-series.com
O1 - Hosts: 216.200.3.32 elephantlist.com
O1 - Hosts: 216.200.3.32 www.elephantlist.com
O1 - Hosts: 216.200.3.32 ah-me.com
O1 - Hosts: 216.200.3.32 www.ah-me.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\2.1.23\MOUSE32A.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MSupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v54/cubis/cubis.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37901.5621296296
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4302/mcfscan.cab
O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt


----------



## dvk01 (Dec 14, 2002)

Run CWshredder from 
http://www.spywareinfo.com/~merijn/cwschronicles.html
and make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection

then reboot &

*Download Spybot - Search & Destroy from http://security.kolla.de*

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server.

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &
*download AdAware 6
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".*
Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window: Click "Start" then "Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then post a new hijackthis log to check what is left


----------



## Gardengirl12 (Nov 19, 2003)

OK, I am totally new to this tech chat stuff, so bear with me. My pc has the "Trojan.ByteVerify" virus and my IE is driving me crazy! I no longer can search for anything - I just get more search engines.

I've read a number of the other posts on this virus and I am clueless on what "hijack this" is?

In layman's terms, what do I need to do to get rid of this virus? I've tried to download the critical security update from MS but since I've got a "copy" of XP Pro, it won't let me. I've tried Norton, McAfee, & SpyHunter.

HELP!!!

Thanks!!!


----------



## maxspeed (Nov 26, 2003)

Here is my hijackthis.log; please could u check it.

Logfile of HijackThis v1.97.7
Scan saved at 20:49:53, on 26/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\MYIE2\myie.exe
C:\Program Files\SuperScan\scanner.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\IFACE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\PAVJOBS.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F1 - win.ini: run=C:\WINDOWS\system32\ .bat;C:\WINDOWS\system32\ .exe;C:\WINDOWS\system32\ .com;C:\WINDOWS\system32\ .scr;C:\WINDOWS\system32\ .vbs;C:\WINDOWS\ .bat;C:\WINDOWS\ .exe;C:\WINDOWS\ .com;C:\WINDOWS\ .scr;C:\WINDOWS\ .vbs;C:\WINDOWS\system32\WBEM\ .bat;C:\WINDO
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.0100694444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/English/bin/npseatools.cab

thanks
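A log like the one above is usually read by eye, but the same checks can be scripted. The following is an added example, not code from the thread or from HijackThis: a small parser for lines in HijackThis log format that flags the patterns a helper would look at first, namely R0/R1 entries reset to `about:blank`, a `win.ini` `run=` line listing executables with a blank file name, unnamed O2 BHOs loaded from outside Program Files, and O3 toolbars whose file is missing. The heuristics and the sample log lines (including the all-zero GUIDs and `suspect.dll`) are constructed for illustration and are assumptions, not indicators from the page; a flagged entry is a prompt for review, not a verdict.

```python
import re

# Constructed sample in HijackThis log format (placeholder GUIDs, constructed paths).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
F1 - win.ini: run=C:\WINDOWS\system32\ .bat;C:\WINDOWS\system32\ .exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\suspect.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
"""

# Every HijackThis entry starts with a type code (R0, F1, O2, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")
# A path such as "C:\WINDOWS\system32\ .bat": directory, backslash, a single space, extension.
BLANK_NAME_RE = re.compile(r"\\ \.[a-z]{3}$", re.IGNORECASE)
# Long and 8.3 forms of the Program Files directory.
PROGRAM_FILES_RE = re.compile(r"\\(Program Files|PROGRA~1)\\", re.IGNORECASE)


def analyze(log_text):
    """Return a list of {type, reason, line} dicts for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        etype, body = m.group("type"), m.group("body")
        reason = None
        if etype in ("R0", "R1") and body.endswith("= about:blank"):
            reason = "IE search/start setting blanked (typical of a search hijack)"
        elif etype == "F1" and "win.ini" in body and "run=" in body:
            paths = [p.strip() for p in body.split("run=", 1)[1].split(";")]
            if any(BLANK_NAME_RE.search(p) for p in paths):
                reason = "win.ini run= lists executables with a blank file name"
        elif etype == "O2" and "(no name)" in body:
            path = body.rsplit(" - ", 1)[-1]
            if not PROGRAM_FILES_RE.search(path):
                reason = "unnamed BHO loaded from outside Program Files"
        elif etype == "O3" and body.endswith("(no file)"):
            reason = "toolbar registration points to a missing file (orphaned entry)"
        if reason:
            findings.append({"type": etype, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['type']}] {f['reason']}\n    {f['line']}")
```

Run against the constructed sample, the script flags four of the seven lines and leaves the Start Page entry (a real URL) and the firewall Run entry alone; paste a real log into `SAMPLE_LOG` to triage it the same way.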


----------



## Auron4_2 (Dec 13, 2003)

Dude, I've tried a lot of your all's stuff and none of it works. I can't find the file. Norton Antivirus found it once and got rid of it, but the file is still doing the stuff to me just like I had not deleted it, so please, I need some ideas here.


----------



## dvk01 (Dec 14, 2002)

Auron4_2

Please post a HJT log into a new thread, as I'm asking for this one to be closed; it's far too long to deal with now.
Go to http://www.merijn.org/files/hijackthis.zip and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, 
so *do NOT fix anything yet.*
Someone here will be happy to help you analyze the results.


----------



## Rollin' Rog (Dec 9, 2000)

And others with this problem should do the same. Thread will be closed now.


----------

