[Resolved] Java_bytever.a

Hi. After running Adaware 6 pro, PC-cillin kicked in saying it found JAVA_BYTEVER.A, locked it and quarantined it. I'm not sure why it kicks in when adaware is running, but still. This is what the popup box says:




' PC-cillin detected a virus

Infected file: Intaller.class[C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\classload.jar-238ada3c-7b1161ff.zip]

Virus name: JAVA_BYTEVER.A

Action when virus found: Unable to clean/quarantine compressed file.'

It's found this a few times, and so each time, I've gone to PC-cillin quarantine and deleted it. After rebooting today and before going online, I decided to run Adaware again, and it was found again by PC-cillin, the same classload.jar string exactly. I've got Adaware setup exactly as a member here called mobo told me a few weeks ago, when Adaware found and fixed some other things. My ActiveX is disabled. In the sun java folder, I can find the exact classload.jar string, only it's an .idx file and not a .zip file. Should I remove the idx file, or, should I uninstall sun java, and reinstall it? Would that clear this malware? Also, this is what Trend Micro say about JAVA_BYTEVER.A

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A


All it really says is to delete all files detected as JAVA_BYTEVER.A. Well, I did that from quarantine, but it doesn't remove it, it comes back, or, it never gets deleted properly. I'm not getting redirected anywhere like the last problem I had, and my hijackthis! log is clean as far as I can see. I just wonder if something like this residing in my system would slow things down a bit?


Any suggestions what to do next? Thanks. Here's my hijackthis log.

Logfile of HijackThis v1.98.2
Scan saved at 20:30:37, on 10/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\SK2690DM.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\svcnxp32.exe
C:\Program Files\ATI Technologies\Rage3DTweak\RegTwk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ati technologies\rage3dtweak\gameutil.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lee\My Documents\My Received Files\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WindowsXPserv] svcnxp32.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\ATI Technologies\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsXPserv] svcnxp32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4385/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2628054D-0639-4297-AFB3-3568ABF57BBD}: NameServer = 194.168.4.100 194.168.8.100

 

I don't know whether it's the source of the problem, but it looks like you have a trojan file running here:

C:\WINDOWS\system32\svcnxp32.exe


O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WindowsXPserv] svcnxp32.exe

O4 - HKCU\..\Run: [WindowsXPserv] svcnxp32.exe

You should restart in Safe Mode, run HijackThis and check and "fix" the 04 entries. Then find and delete the file itself.

The "kernelfaultcheck" entry is not malicious, just a debugging file run after a crash. It can be fixed.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

If the Ad-aware problem continues, you might want to post on their forum and see if there are any similar experiences:

http://www.lavasoftsupport.com/

In fact you should update to Ad-Aware SE and see if the problem continues with the new version.

 

Thanks very much for the information, rollin' rog. I did exactly as you said in safe mode, fix checked those 3 x 04 things, and deleted the file from windows\system32. Rebooted as normal, ran adaware and the trojan reappeared. Rebooted again and ran the scan again just to be sure, and yes, it's still there. The PC-cillin notification box appears after adaware has gotten to scanning 100,000 objects. Here's the screenie:





And here's the file sitting in PC-cillin quarantine.


I'm going to do as you suggest and show them this at lavasoft, see if they can thow any light on it. By the way, those fixed files in hijackthis have remained gone, so that's something I guess. Thanks for your help

 

You're welcome; it's almost certanly a false detection. If you haven't already you can try getting a second opinion from another scanner, such as one of the online ones:

HouseCall
Panda

You could also notify Trend, since they seem to be the ones producing the message. It may just be an issue with a particular virus definition file and could well change at any update.

 

Heh, well I could do. Looking at the bottom of my hijackthis log, I've got pretty much all the main online scanner softwares installed ready to go.
In spybot a while ago, I had false detection with DS-Exploit coming up on every scan I did. It was a microsoft security hole which needed patching, so I found out how to change certain registry files to patch it up, and it never came back. Dunno if this one is the same type of thing. The classload.jar file being quarantined seems to be to do with files from sun java, and I only installed sun java a few weeks ago. I'm not sure this virus was detected before I had java on my system. But heyho, I'll check it out with lavasoft.

 

It sounds like you are seeing this, I'm just not sure how Ad-Aware is getting hold of it...


http://java.com/en/download/help/cache_virus.jsp

 

Hey Rollin' Rog, I found it. Yes, before your reply, I'd read about someone else that had this virus, and he deleted inside the sun java cache. So I did that. Still there. Then I deleted the whole sun folder, having uninstalled it. Still there. Well, in that address,.... > Intaller.class[C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\classload.jar-238ada3c-7b1161ff.zip]


...it mentions VDOC. So I looked in my trend micro folder, then PC-cillin, then quarantine, and then VDOC, and inside that there's a zip called PCCVDOC.zip. Inside the zip... was classload.jar blah blah, dated 31st august 2004. So adaware was picking up on that, hence why it finds it. Because as soon as I clicked on that classload.jar when I found it, that same notification came up. So adaware triggers that as it scans. So I deleted that classjar of course, and now adaware doesn't pick it up I don't know why that old dated classload.jar was even in there considering I'd deleted subsequent classload.jar files found from quarantine. But anyway, that's gone now.

 

Oh and thanks again for your help rollin' rog.