
[Resolved] Java_bytever.a

Discussion in 'Virus & Other Malware Removal' started by Roman5, Sep 10, 2004.

Thread Status:
Not open for further replies.
  1. Roman5

    Roman5 Thread Starter

    Joined:
    Aug 15, 2004
    Messages:
    57
    Hi. After running Ad-aware 6 Pro, PC-cillin kicked in saying it found JAVA_BYTEVER.A, locked it and quarantined it. I'm not sure why it kicks in when Ad-aware is running, but still. This is what the popup box says:




    ' PC-cillin detected a virus

    Infected file: Intaller.class[C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\classload.jar-238ada3c-7b1161ff.zip]

    Virus name: JAVA_BYTEVER.A

    Action when virus found: Unable to clean/quarantine compressed file.'

    It's found this a few times, and so each time I've gone to PC-cillin quarantine and deleted it. After rebooting today and before going online, I decided to run Ad-aware again, and it was found again by PC-cillin, the same classload.jar string exactly. I've got Ad-aware set up exactly as a member here called mobo told me a few weeks ago, when Ad-aware found and fixed some other things. My ActiveX is disabled. In the Sun Java folder, I can find the exact classload.jar string, only it's an .idx file and not a .zip file. Should I remove the .idx file, or should I uninstall Sun Java and reinstall it? Would that clear this malware? Also, this is what Trend Micro say about JAVA_BYTEVER.A:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A


    All it really says is to delete all files detected as JAVA_BYTEVER.A. Well, I did that from quarantine, but it doesn't remove it; it comes back, or it never gets deleted properly. I'm not getting redirected anywhere like the last problem I had, and my HijackThis log is clean as far as I can see. I just wonder if something like this residing in my system would slow things down a bit?


    Any suggestions what to do next? Thanks. Here's my HijackThis log.

    Logfile of HijackThis v1.98.2
    Scan saved at 20:30:37, on 10/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zoom\CnxDslTb.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\system32\SK2690DM.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\svcnxp32.exe
    C:\Program Files\ATI Technologies\Rage3DTweak\RegTwk.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\ati technologies\rage3dtweak\gameutil.exe
    C:\Program Files\Roxio\GoBack\GBTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lee\My Documents\My Received Files\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WindowsXPserv] svcnxp32.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\ATI Technologies\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WindowsXPserv] svcnxp32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: gameutil.exe.lnk = ?
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4385/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2628054D-0639-4297-AFB3-3568ABF57BBD}: NameServer = 194.168.4.100 194.168.8.100
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't know whether it's the source of the problem, but it looks like you have a trojan file running here:

    C:\WINDOWS\system32\svcnxp32.exe


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WindowsXPserv] svcnxp32.exe

    O4 - HKCU\..\Run: [WindowsXPserv] svcnxp32.exe

    You should restart in Safe Mode, run HijackThis and check and "fix" the O4 entries. Then find and delete the file itself.

    The "kernelfaultcheck" entry is not malicious, just a debugging file run after a crash. It can be fixed.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

    If the Ad-aware problem continues, you might want to post on their forum and see if there are any similar experiences:

    http://www.lavasoftsupport.com/

    In fact you should update to Ad-Aware SE and see if the problem continues with the new version.
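The same triage Rollin' Rog did by eye can be done mechanically over the O4 lines. This is an added example of mine, not part of the thread and not a HijackThis feature: it parses the log format shown above, pulls out the executable from each Run value, and flags the two properties he keyed on (a bare filename with no directory, and the same executable registered under both HKLM and HKCU), then checks the "Running processes" list to see where the bare name actually resolved. The sample log is a trimmed copy of the lines posted above; the scoring heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the HijackThis log posted above (the
# running-process list plus the O4 Run entries that matter for this triage).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\svcnxp32.exe
C:\Program Files\Ad Muncher\AdMunch.exe

O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WindowsXPserv] svcnxp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WindowsXPserv] svcnxp32.exe
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def image_path(cmd):
    """Executable part of a Run value: a quoted path, else a path ending in .exe, else the first token."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r'(.+?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its O4 Run entries."""
    processes, run_entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('Running processes:'):
            in_processes = True
            continue
        if re.match(r'^[A-Z]\d+ - ', line):          # first R/F/O line ends the process list
            in_processes = False
        m = O4_RE.match(line)
        if m:
            run_entries.append((m['hive'], m['name'], image_path(m['cmd'])))
        elif in_processes and re.match(r'^[A-Za-z]:\\', line):
            processes.append(line)
    return {'processes': processes, 'run': run_entries}


def triage(parsed):
    """Group Run entries by executable and flag the properties worth a second look (heuristic, not a verdict)."""
    where = defaultdict(list)                         # image name (lowercased) -> [(hive, value name)]
    for hive, name, image in parsed['run']:
        where[image.lower()].append((hive, name))
    findings = []
    for image, entries in where.items():
        reasons = []
        if '\\' not in image:
            reasons.append('bare filename: no directory, so it is found by path search at logon, not a fixed location')
        if len({hive for hive, _ in entries}) > 1:
            reasons.append('same executable registered under both HKLM and HKCU Run')
        if not reasons:
            continue
        # Where did the name actually resolve? Match it against the running-process list.
        resolved = [p for p in parsed['processes'] if p.lower().endswith('\\' + image)]
        findings.append({'image': image, 'entries': entries, 'resolved_to': resolved, 'reasons': reasons})
    findings.sort(key=lambda f: len(f['reasons']), reverse=True)
    return findings


if __name__ == '__main__':
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['image']}  ({len(f['reasons'])} reasons)")
        for hive, name in f['entries']:
            print(f"    {hive}\\..\\Run [{name}]")
        for p in f['resolved_to']:
            print(f"    running as: {p}")
        for r in f['reasons']:
            print(f"    - {r}")
```

On the sample, svcnxp32.exe scores on both rules and resolves to C:\WINDOWS\system32\svcnxp32.exe, which is the file Rollin' Rog picked out. KernelFaultCheck is not flagged because its value carries a directory and sits under one hive only. point32.exe is flagged on the bare-name rule alone, and the process list shows it resolved to the Microsoft Hardware mouse folder, which is why a bare filename is a prompt to check the file, not a verdict.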
     
  3. Roman5

    Roman5 Thread Starter

    Joined:
    Aug 15, 2004
    Messages:
    57
    Thanks very much for the information, Rollin' Rog. I did exactly as you said in Safe Mode, fix-checked those 3 x O4 things, and deleted the file from windows\system32. Rebooted as normal, ran Ad-aware and the trojan reappeared. Rebooted again and ran the scan again just to be sure, and yes, it's still there. The PC-cillin notification box appears after Ad-aware has gotten to scanning 100,000 objects. Here's the screenie:


    [image]


    And here's the file sitting in PC-cillin quarantine.
    [image]

    I'm going to do as you suggest and show them this at Lavasoft, see if they can throw any light on it. By the way, those fixed files in HijackThis have remained gone, so that's something I guess. Thanks for your help :)
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You're welcome; it's almost certainly a false detection. If you haven't already, you can try getting a second opinion from another scanner, such as one of the online ones:

    HouseCall
    Panda

    You could also notify Trend, since they seem to be the ones producing the message. It may just be an issue with a particular virus definition file and could well change at any update.
     
  5. Roman5

    Roman5 Thread Starter

    Joined:
    Aug 15, 2004
    Messages:
    57
    Heh, well I could do. Looking at the bottom of my HijackThis log, I've got pretty much all the main online scanner software installed ready to go.
    In Spybot a while ago, I had a false detection with DS-Exploit coming up on every scan I did. It was a Microsoft security hole which needed patching, so I found out how to change certain registry files to patch it up, and it never came back. Dunno if this one is the same type of thing. The classload.jar file being quarantined seems to be to do with files from Sun Java, and I only installed Sun Java a few weeks ago. I'm not sure this virus was detected before I had Java on my system. But heyho, I'll check it out with Lavasoft. :)
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  7. Roman5

    Roman5 Thread Starter

    Joined:
    Aug 15, 2004
    Messages:
    57
    Hey Rollin' Rog, I found it. Yes, before your reply, I'd read about someone else who had this virus, and he deleted inside the Sun Java cache. So I did that. Still there. Then I deleted the whole Sun folder, having uninstalled it. Still there. Well, in that address...

    Intaller.class[C:\Program Files\Lavasoft\Ad-aware 6\Cache\Program 6\Cache\Program Files\Trend Micro\PC-cillin 2002\QUARANTINE\VDOC\classload.jar-238ada3c-7b1161ff.zip]

    ...it mentions VDOC. So I looked in my Trend Micro folder, then PC-cillin, then Quarantine, and then VDOC, and inside that there's a zip called PCCVDOC.zip. Inside the zip... was classload.jar blah blah, dated 31st August 2004. So Ad-aware was picking up on that, hence why it finds it. Because as soon as I clicked on that classload.jar when I found it, that same notification came up. So Ad-aware triggers that as it scans. So I deleted that classload.jar of course, and now Ad-aware doesn't pick it up :) I don't know why that old dated classload.jar was even in there, considering I'd deleted subsequent classload.jar files found from quarantine. But anyway, that's gone now.
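An added example of the check that settles this kind of alert, written for this page and not taken from the thread or from Trend Micro: instead of opening the quarantine zip by hand, which is what set the on-access scanner off again in the account above, walk it in memory and report which nested container holds the flagged member and how deep it sits. The archive built here is a constructed stand-in for PCCVDOC.zip (an outer zip holding a classload.jar-...zip holding the .class); the member bytes are placeholders and the real layout is known only as far as the post describes it.

```python
import hashlib
import io
import zipfile

NESTED_EXTS = ('.zip', '.jar')
MAX_DEPTH = 4                   # stop descending past this many nested containers
MAX_MEMBER_BYTES = 50 << 20     # refuse to inflate any single member over 50 MiB (zip-bomb guard)


def build_sample():
    """Constructed stand-in for the quarantine container described in the thread.
    Outer PCCVDOC.zip -> classload.jar-238ada3c-7b1161ff.zip -> Intaller.class (the name
    exactly as the PC-cillin popup spelled it). Contents are placeholder bytes, not the real object."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('Intaller.class', b'\xca\xfe\xba\xbe' + b'placeholder class bytes')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('classload.jar-238ada3c-7b1161ff.zip', inner.getvalue())
        z.writestr('index.txt', b'constructed quarantine index')
    return outer.getvalue()


def walk_archive(data, prefix='', depth=0):
    """Yield one record per file member, descending into nested zip/jar members without touching disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                yield {'path': path, 'depth': depth, 'size': info.file_size,
                       'sha256': None, 'skipped': 'too large'}
                continue
            blob = zf.read(info)
            yield {'path': path, 'depth': depth, 'size': len(blob),
                   'sha256': hashlib.sha256(blob).hexdigest(), 'skipped': None}
            nested = info.filename.lower().endswith(NESTED_EXTS) and zipfile.is_zipfile(io.BytesIO(blob))
            if nested and depth < MAX_DEPTH:
                yield from walk_archive(blob, path + '!/', depth + 1)


def inventory(data):
    """Flat list of every member reachable inside the archive, nested ones included."""
    return list(walk_archive(data))


def containers_of(data, member_suffix):
    """For each member whose name ends with member_suffix, return (member path, chain of nested
    archives inside the scanned file that wrap it, outermost first). The scanned file itself is
    the container above that chain; removing it is what clears a 'cannot clean compressed file' hit."""
    hits = []
    for rec in walk_archive(data):
        if rec['path'].lower().endswith(member_suffix.lower()):
            hits.append((rec['path'], rec['path'].split('!/')[:-1]))
    return hits


if __name__ == '__main__':
    sample = build_sample()
    for rec in inventory(sample):
        print(f"{'  ' * rec['depth']}{rec['path']}  {rec['size']} bytes  sha256={rec['sha256']}")
    for member, chain in containers_of(sample, '.class'):
        print(f"{member} sits inside: {' > '.join(chain) or '(top level)'}")
```

The popup's "Unable to clean/quarantine compressed file" is the general limitation this illustrates: a scanner can flag a member inside a nested archive but usually cannot rewrite it in place, so the fix is to remove the outermost container, which is what the post above ended up doing. The same walk shows why the alert kept coming back: the member was still sitting in another product's quarantine zip, and any scanner that reads that folder will raise it again, so excluding quarantine directories from a second scanner avoids the loop.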
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  9. Roman5

    Roman5 Thread Starter

    Joined:
    Aug 15, 2004
    Messages:
    57
    Oh and thanks again for your help rollin' rog. ;)
     
Short URL to this thread: https://techguy.org/272480