JAVA BYTEVER.A-1 and other spyware

NYfile · #1 02-01-2005, 05:05 PM

Hi,

I ran Housecall from Trend Micro from their web site and got this file as a result:

JAVA BYTEVER.A-1 Non cleanable. Anyone know how to deal with this ? I am going to attach the HiJackThis log.

Here is some other info. The computer is not running slow or anything. Adaware SE picked up a lot of stuff, and then picked up some more about 2 hours later. Unless I missed something, but I don't think I did. Same for Spybot, only not to the same extend. Spyware Nuker found some additional stuff, but I then needed to purchase it to clean them up.

The second time I ran Housecall, a second file called TROJ DYFUCA.K was also reported. But after Adaware, and Spybot, it went away in more runs of Housecall.

Also, I have some sportsinteration.com icon on my desktop now. some kind of sports betting thing.

Norton found no viruses

Got any thoughts ? Here is the HiJackThis log:

Thanks.
------------------------------------------------
Logfile of HijackThis v1.99.0
Scan saved at 11:13:19 AM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H 1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\VSTASCAN\vsaccess.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ron\gotomypc.exe
C:\DOCUME~1\Ron\LOCALS~1\Temp\G2_314\g2viewer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Temp\SAHAgent.exe
C:\DOCUME~1\Ron\LOCALS~1\Temp\bundle.exe
C:\temp\CXTPLS~1.EXE
C:\Program Files\Internet Optimizer\actalert.exe
c:\temp\salm.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DLs\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H 1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Ron\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CreataCard Plus 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Plus\fmrmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c46.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097615407843
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
------------------------------------------------

vidster · #2 02-01-2005, 07:38 PM

Java ByteVaryfy is not a virus NY file

. It is a weakness in your Java that could be exploited. Microsoft have a small patch that will fix this problem (unfortunately my browser is refusing to connect to Microsoft at the moment so i can't provide the link).

If you connect to Microsoft and just type it into the search, you will be directed to the patch straight away

NYfile · #3 02-02-2005, 06:34 PM

Thanks vidster. I went to microsoft.com, and type in Java ByteVaryfy, and Java ByteVer.1-a, and Bytever, and got noresults each time. What am I doing wrong ?

Thanks.

Quote:

Originally Posted by vidster

Java ByteVaryfy is not a virus NY file

. It is a weakness in your Java that could be exploited. Microsoft have a small patch that will fix this problem (unfortunately my browser is refusing to connect to Microsoft at the moment so i can't provide the link).

If you connect to Microsoft and just type it into the search, you will be directed to the patch straight away

NYfile · #4 02-10-2005, 05:57 PM

I still need some help with this if anyone can give advice.

Thanks.

ShhDragon · #5 02-11-2005, 03:04 PM

Quote:

Originally Posted by NYfile

I still need some help with this if anyone can give advice.

Thanks.

I'd like help on the same issue...

Tyrae · #6 02-11-2005, 05:18 PM

http://java.com/en/download/help/cache_virus.xml

NYfile · #7 02-12-2005, 09:32 AM

You can try this one too. This is what worked for me:

http://www.pandasoftware.com/actives..._principal.htm

Quote:

Originally Posted by Tyrae

http://java.com/en/download/help/cache_virus.xml

pen · #8 02-14-2006, 01:00 PM

Many virus files cannot be "cleaned," in that there is nothing to salvage. Instead, the proper "cleaning" is to delete the file entirely.

If the patch mentioned in Microsoft Security Bulletin MS03-011 has been applied, then downloading this malicious file cannot effect you.

You should get rid of this junk that is effecting you:
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Temp\SAHAgent.exe
C:\DOCUME~1\Ron\LOCALS~1\Temp\bundle.exe
C:\temp\CXTPLS~1.EXE
C:\Program Files\Internet Optimizer\actalert.exe
c:\temp\salm.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\temp\CXTPLS~1.EXE" /PC=CP.CDT3 /ShowLegalNote=nonbranded /ForSupportedBrowsers
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Ron\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe