Jump to content


Photo

Downloader.Agent.BR, Java/Byte Verify


  • Please log in to reply
7 replies to this topic

#1 maxreturn

maxreturn

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 27 June 2004 - 12:42 PM

I've read the FAQ and followed instructions, including running Ad-aware 6 and AVG Virus software several times. I have also stopped using IE6 and am now using Mozilla for my browser. However, I still have these three problems:

1) When running Ad-Aware 6 I get the folloinwg message: "Virus Identified, Java/Byte Verify is found in C:\Program Files\Lavasoft\Ad-Aware 6\Cache\Counter.class & Parser.class." I've looked for the "Cache" folder in the above directory structure...figuring I could delete the necessary files but I couldn't find it.

2) Seemed like each time I use the computer I had to run AVG several times to get heal/move to virus vault all the infected files caused by Trojan Horse Downloader.Agent.BR. Most, if not all of these files were in the Windows/System32 directory. I'm finally to the point where I only have only one infected file but AVG won't heal it OR allow me to move it to the viruse vault. That file is C:\Windows\System32\IEUG.exe.

3) Now when rebooting the computer I get the following error messages: "Windows cannot find C:\Windows\ntuj.exe" and "Windows cannot find C:\Windows\adduj32.exe"

I have downloaded hi-jack this following all of the instructions. Following are the results. Would greatly appreciate your help:

Logfile of HijackThis v1.97.7
Scan saved at 1:20:34 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\S4F\Filter7.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Chuck\Programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wbeux.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wbeux.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wbeux.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94B2E5E6-2FEA-EBB4-4D29-017632FCAE96} - C:\WINDOWS\javayj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crku.exe] C:\WINDOWS\crku.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [ieug.exe] C:\WINDOWS\system32\ieug.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8051.6951967593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://marketdelta....bex/ieatgpc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

#2 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 11 July 2004 - 08:54 AM

Hi maxreturn,

Since it's been awhile since we saw a hijackthis log, can you please download the latest version of hijackthis and post a fresh log?
http://www.spywarein.../HijackThis.exe

Once we get ya cleaned up, those errors and problems you are having should go away. :)

#3 maxreturn

maxreturn

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 11 July 2004 - 09:12 PM

Thanks OSC. Downloaded latest version and ran another log. Here it is:

Logfile of HijackThis v1.98.0
Scan saved at 10:09:49 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\S4F\Filter7.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Chuck\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wbeux.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wbeux.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wbeux.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {94B2E5E6-2FEA-EBB4-4D29-017632FCAE96} - C:\WINDOWS\javayj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crku.exe] C:\WINDOWS\crku.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [ieug.exe] C:\WINDOWS\system32\ieug.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://marketdelta....bex/ieatgpc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

#4 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 12 July 2004 - 08:40 PM

Hi maxreturn,

Run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {94B2E5E6-2FEA-EBB4-4D29-017632FCAE96} - C:\WINDOWS\javayj.dll
O4 - HKLM\..\Run: [crku.exe] C:\WINDOWS\crku.exe
O4 - HKLM\..\Run: [ieug.exe] C:\WINDOWS\system32\ieug.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab


Download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log.

Now log onto the computer with the other account(s) you have. Run about:buster in each account. Post the about:buster logs along with a new Hijack this logs back into this thread.

#5 maxreturn

maxreturn

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 12 July 2004 - 10:24 PM

OSC. I think I may have messed up with the "About:Buster" program. When I first ran on my account I looked somewhere for a log but couldn't find it. So I ran the program again. The second time I simply did a ctrl-c and pasted to a notepad file. NOTE: I get the same result from scanning the other account. Following is the results:

-- Scan 1 --------
About:Buster Version 1.27
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

Following is the result of the latest hi-jack scan:

Logfile of HijackThis v1.98.0
Scan saved at 11:18:01 PM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\S4F\Filter7.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\Chuck\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://marketdelta....bex/ieatgpc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab

#6 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 14 July 2004 - 07:48 AM

Hi maxreturn,

Well, if you messed up, it's okay, because that CWS infection seems to be gone from this account. :) It's clean now.

Do you use PalTalk?? You may want to consider uninstalling PalTalk based on this article:
http://www.pestpatro...o/P/PalTalk.asp

Are there other accounts on this computer?? If so, please post a hijackthis log for those accounts.

#7 maxreturn

maxreturn

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 17 July 2004 - 08:41 AM

Hi OSC. Wasn't aware that I needed to run Hijack this on other account. Below is the log for that account but first I have a question. Up until now I've only been running AVG & Ad-Aware when logged onto my account figuring that it would clean up all problems in both accounts. Is this correct or should Jenny (other user) be running the same two programs while logged onto her account? Thank you!

Logfile of HijackThis v1.98.0
Scan saved at 9:30:49 AM, on 7/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\S4F\Filter7.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Chuck\Programs\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S4F] "C:\Program Files\S4F\Filter7.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://marketdelta....bex/ieatgpc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab

#8 OSC

OSC

    SWI Junkie

  • Retired Staff
  • PipPipPipPip
  • 397 posts

Posted 19 July 2004 - 07:01 PM

Hi maxreturn,

You can run those programs on 1 account. It should get everything. It won't hurt to run ad-aware on her account every once in awhile just to be sure it's getting everything when it's run under your account. :thumbsup:

From Jenny's account, run hijackthis again, click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
<---Not needed to run at startup, but is taking up resources. It's associated with the newer versions of nVidia graphics cards drivers. Allows you to immensely improve desktop layouts by setting preferences and optimizations. However, this isn't necessary for the operation of your system.

How are things going with that computer??




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button