
exploit-byteverify

Discussion in 'Security and Privacy' started by allibee, 2004/07/16.

Thread Status:
Not open for further replies.
  1. 2004/07/16
    allibee

    allibee Inactive Thread Starter

    Joined:
    2004/07/16
    Messages:
    3
    Likes Received:
    0
    Hi

    I'm a beginner when it comes to sorting out nasties on my PC, and I seem to have got a very nasty one at the moment.

    I have McAfee, which notified me of a trojan which it says it cleaned, but on a routine scan it seems it didn't.

    Came to my attention when it kept crashing out on me every time I tried to start Photoshop or Illustrator.

    When the scan found it, it said it couldn't clean it, so gave me the option to delete it, which I did. It then wiped out my modem in its entirety :(

    So, have reinstalled the hardware and software for it; still can't get PS or Illustrator to behave.

    The file I deleted was called:

    classload.jar-1F5b6b54-5e28d929.zip

    Hope you guys can help me and that the prognosis isn't too dire

    Thanks

    Allison
     
  2. 2004/07/16
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Make sure you have the up-to-date versions of Spybot (v1.3), Ad-aware (build 6.181), CWShredder (v1.59.1) and HijackThis. All are free and available below.

    Open CWShredder and with ALL other windows closed, click fix. Then update and run Spybot. Delete all it finds that is prechecked. Then update and configure Ad-aware for a custom full scan and run, deleting all it finds. Reboot and scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
    http://www.safer-networking.org/en/download/index.html (SpyBot)
    http://www.ravantivirus.com/scan/ (RAV)
     


  4. 2004/07/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    allibee - LD is like the rest of us here - so used to people having already run the HijackThis program that he told you to just run a new one. But since it will be your first and since we know each other from elsewhere, I'll give you specifics like I promised.

    Download HijackThis along with the other three recommended programs. You need to install and run them as indicated above before messing with HijackThis, so save it for last.

    I'd suggest you make a new folder for yourself to hold all these programs. C:\security would work.

    Put HijackThis into a folder (not on the desktop and not in a temp folder) and open it, then click on the Scan button. After it finishes, Scan will change names and become Save Log. Click on that, save the log file to wherever you put the HijackThis program, and it will open in Notepad. Select all, copy, and paste the log file here. It will allow folks to see what you have running now and spot any remaining bad stuff that needs to go.
     
  5. 2004/07/16
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    classload.jar-1F5b6b54-5e28d929.zip
    That file was part of your Java Virtual Machine. Due to security vulnerabilities found in Sun Java prior to version 1.4.2_05, you should upgrade it from Sun.
    http://java.sun.com/j2se/1.4.2/download.html
    I am not real familiar with photoshop or illustrator, but these may depend on an operational JVM.
     
  6. 2004/07/16
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Oops.... :eek:
    Sorry allibee
    Thanks Newt
    Markp62, I saw that while doing a Google search but wasn't sure if I should suggest she download it.

    allibee, you are in good hands with Newt and Markp62. Sorry if I made the issue worse. I should have looked at your post better.
     
  7. 2004/07/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    LD - she is in good hands with markp62. Not with me for sure. She posted the problem to another forum we both use and I directed her here since this whole area isn't one I'm comfortable with.

    But your suggestions were certainly helpful and not harmful in any way so don't be put off posting. If you goof (or post incomplete advice), someone will correct it (as they have done with me on numerous occasions :D :D ).
     
  8. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm betting that infected file was in the Java cache folder, and could have easily been deleted by clearing the cache in the control panel plug-in, then emptying the recycle bin. Common place for that type of infected file. Also thinking something else took out the modem. IMO, an HJT log is in order, in case something else is present that didn't show up in the AV scan. Furthermore, a log precleaned with Spybot and Ad-aware is always preferred over an uncleaned one. Good suggestions LD. ;)
     
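The Java plug-in cache is where the deleted classload.jar-1F5b6b54-5e28d929.zip would have lived. The script below is an added example for this thread (not code from any poster or from Sun): it inventories a cache directory, hashes each cached archive so the value can be quoted in an AV report, lists the .class members inside, and can clear the cache the way the control-panel button does. It assumes cached archives follow the naming of the file above (name.jar-<8 hex>-<8 hex>.zip) and that the caller supplies the cache root, which differs by Java version and user profile; make_sample_cache() builds a constructed stand-in with dummy class bytes so it runs offline.

```python
"""Inventory and clear a Sun Java plug-in cache directory.

Added example for this thread, not code from the forum or from Sun. Assumptions:
cached archives follow the naming seen in the deleted file above
(name.jar-<8 hex>-<8 hex>.zip) and the caller supplies the cache root, which
varies by Java version and user profile. make_sample_cache() builds a constructed
stand-in with dummy class bytes so the script can be exercised offline.
"""
import hashlib
import os
import re
import tempfile
import zipfile

# classload.jar-1F5b6b54-5e28d929.zip  ->  <jar name>-<8 hex>-<8 hex>.zip
CACHE_NAME = re.compile(r"^(?P<jar>.+\.jar)-[0-9a-f]{8}-[0-9a-f]{8}\.zip$", re.IGNORECASE)


def sha256_of(path):
    """Hash the archive so it can be quoted in an AV report before it is removed."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def class_entries(path):
    """Names of .class members inside a cached archive ([] if it is not a zip)."""
    try:
        with zipfile.ZipFile(path) as z:
            return [n for n in z.namelist() if n.lower().endswith(".class")]
    except zipfile.BadZipFile:
        return []


def scan_java_cache(cache_root):
    """Every cached applet archive under cache_root with its hash and class list."""
    findings = []
    for dirpath, _dirs, files in os.walk(cache_root):
        for name in sorted(files):
            m = CACHE_NAME.match(name)
            if not m:
                continue
            full = os.path.join(dirpath, name)
            findings.append({"path": full, "jar": m.group("jar"),
                             "sha256": sha256_of(full), "classes": class_entries(full)})
    return findings


def clear_java_cache(cache_root, dry_run=True):
    """Remove the cached archives (what the control-panel 'clear cache' button does)."""
    removed = []
    for f in scan_java_cache(cache_root):
        if not dry_run:
            os.remove(f["path"])
        removed.append(f["path"])
    return removed


def make_sample_cache():
    """Constructed sample cache for testing; the class bytes are a dummy header, not malware."""
    root = tempfile.mkdtemp(prefix="javacache_")
    sub = os.path.join(root, "jar")
    os.makedirs(sub)
    with zipfile.ZipFile(os.path.join(sub, "classload.jar-1F5b6b54-5e28d929.zip"), "w") as z:
        z.writestr("Dummy.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(sub, "notes.txt"), "w") as f:
        f.write("not an archive\n")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_cache()
    for f in scan_java_cache(root):
        print(f"{f['sha256'][:16]}  {f['path']}  classes={f['classes']}")
    print("would remove:", clear_java_cache(root, dry_run=True))
```

Run it against the real cache folder as `python scan.py "<cache root>"` and record the hashes before clearing; the default is a dry run so nothing is deleted until `dry_run=False` is passed.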
  9. 2004/07/17
    allibee

    allibee Inactive Thread Starter

    Joined:
    2004/07/16
    Messages:
    3
    Likes Received:
    0
    Right guys

    I seem to have my modem back up for a while so I will get cracking on this

    Thank you, all of you, nice there are such helpful people out there

    Thanks again :)

    alli
     
  10. 2004/07/17
    allibee

    allibee Inactive Thread Starter

    Joined:
    2004/07/16
    Messages:
    3
    Likes Received:
    0
    OK, rav produced this:

    Scan started at 17/07/2004 19:07:28

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\SYSTEM32\MSA64CHK.dll - TrojanDownloader:Win32/Perfiler.B -> Infected

    Scanned
    ============================
    Objects: 46540
    Directories: 2912
    Archives: 3288
    Size(Kb): -1092957
    Infected files: 1

    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 53




    Now the HJT log:

    Logfile of HijackThis v1.98.0
    Scan saved at 19:45:05, on 17/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\gsicon.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\AOL 9.0a\aoltray.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\AOL 9.0a\waol.exe
    C:\Program Files\AOL 9.0a\shellmon.exe
    C:\Program Files\Common Files\AOL\aoltpspd.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\new security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0015BDE4-1A77-459A-A69B-A696040D1ACE}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CCS\Services\Tcpip\..\{221DDF0D-7BE5-4460-BE42-6F9842E8C810}: NameServer = 195.93.48.134
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0015BDE4-1A77-459A-A69B-A696040D1ACE}: NameServer = 152.163.0.26 205.188.64.153
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0015BDE4-1A77-459A-A69B-A696040D1ACE}: NameServer = 152.163.0.26 205.188.64.153


    Hope some of it means something to you all, coz it's all Greek to me
     
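Reading a HijackThis log by hand is how the replies below work through it. The script that follows is an added example for this thread, not HijackThis code and not from any poster: it parses the line prefixes HJT uses (R0/R1, O2, O4, O9, O16, O17) and applies the checks a reviewer applies first: processes and autostarts outside the usual folders, O4 entries that are a bare file name resolved through the search path, O9 entries marked "(file missing)", O16 downloads from hosts the user did not knowingly run ActiveX from, and O17 name servers to verify against the ISP. SAMPLE_LOG is an excerpt of the log posted above; TRUSTED_ROOTS and TRUSTED_DPF_HOSTS are assumptions to adjust per machine, and every flag is a "look here", not a verdict.

```python
"""Triage a HijackThis log for the entries a reviewer looks at first.

Added example for this thread; it is not HijackThis code and not from any poster.
It understands the line prefixes HJT uses (R0/R1, O2, O4, O9, O16, O17 ...) and
applies a few reviewer heuristics. SAMPLE_LOG is an excerpt of the log posted
above; TRUSTED_ROOTS and TRUSTED_DPF_HOSTS are assumptions to adjust per machine.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\new security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0015BDE4-1A77-459A-A69B-A696040D1ACE}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CCS\Services\Tcpip\..\{221DDF0D-7BE5-4460-BE42-6F9842E8C810}: NameServer = 195.93.48.134
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_ENTRY = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumptions: where legitimate autostarts normally live, and which DPF hosts the
# user knowingly ran an ActiveX scanner from (the RAV online scan above).
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")
TRUSTED_DPF_HOSTS = {"www.ravantivirus.com"}


def parse_log(text):
    """Return (running process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def findings(processes, entries, trusted_dpf_hosts=TRUSTED_DPF_HOSTS, known_dns=frozenset()):
    """Heuristic flags as (kind, detail) pairs; each is a 'look here', not a verdict."""
    out = []
    for p in processes:
        if not p.lower().startswith(TRUSTED_ROOTS):
            out.append(("process-unusual-path", p))
    for sec, body in entries:
        if sec == "O4":
            m = O4_ENTRY.match(body)
            # A bare file name is resolved through the search path: worth checking.
            if m and "\\" not in m.group("cmd"):
                out.append(("O4-bare-filename", m.group("cmd")))
        elif sec == "O9" and body.endswith("(file missing)"):
            out.append(("O9-dead-entry", body))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if host not in trusted_dpf_hosts:
                out.append(("O16-untrusted-download", url))
        elif sec == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            for ip in (m.group(1).split() if m else []):
                if ip not in known_dns:
                    out.append(("O17-verify-dns", ip))
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, detail in findings(*parse_log(text)):
        print(f"{kind:24} {detail}")
```

On the excerpt it flags the masminutos.com .cab (the dialler entry fixed in the next reply), the three bare-name O4 entries, the dead msjava.dll button, the two processes outside the usual folders, and all three DNS servers until they are passed in as known_dns once confirmed with the ISP.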
  11. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here's some info on the infected file.
    http://www.spywareguide.com/product_show.php?id=716
    Doesn't appear to be on a Run key though. If you disabled it at any time in msconfig, it will be on a Run- key instead. May not be there at all. You should disable System Restore before booting to Safe Mode to delete the file. Instructions below for that and a few other things to do.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Now in safe mode, you will need to show hidden files and folders.

    Delete the registry entries outlined in the link.

    Open C:\WINDOWS\system32 and delete the file MSA64CHK.dll .
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Re-enable System Restore and you should be good to go. Unfortunately, I can't tell you what happened to your modem drivers, unless this dialler caused it, which defeats its purpose. Shouldn't have happened IMO. :confused:
     
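The safe-mode steps above (delete the flagged DLL, empty Windows\Temp, every user's Local Settings\Temp and Prefetch) are a procedure worth scripting so nothing is missed and the sample's hash is kept for the AV report before it is destroyed. The script below is an added example for this thread, not from any poster: it plans the deletions under a root the caller passes (C:\ on the real machine, run from Safe Mode with System Restore off as described), hashes the flagged file first, and runs as a dry run unless told otherwise. The flagged path is the one from the RAV report; make_sample_tree() builds a constructed XP-like tree with placeholder bytes so the logic can be exercised offline.

```python
"""Dry-run helper for the safe-mode cleanup steps above (evidence first, then delete).

Added example for this thread, not from any poster. It assumes a Windows XP
layout under a root the caller passes (C:\\ on the real machine, run from Safe
Mode with System Restore off as described); make_sample_tree() builds a
constructed stand-in so the logic can be exercised offline. The flagged DLL path
is the one from the RAV report; the bytes written into the sample are placeholders.
"""
import hashlib
import os
import shutil
import tempfile

FLAGGED = os.path.join("WINDOWS", "system32", "MSA64CHK.dll")
SYSTEM_TEMP_DIRS = [os.path.join("WINDOWS", "Temp"), os.path.join("WINDOWS", "Prefetch")]
PROFILE_TEMP = os.path.join("Local Settings", "Temp")  # relative to each user profile


def profile_temp_dirs(root):
    """The per-user temp folder for every profile ('do this for all usernames')."""
    base = os.path.join(root, "Documents and Settings")
    if not os.path.isdir(base):
        return []
    dirs = [os.path.join(base, u, PROFILE_TEMP) for u in sorted(os.listdir(base))]
    return [d for d in dirs if os.path.isdir(d)]


def plan(root):
    """Return (evidence, deletions). Evidence is hashed before anything is touched."""
    evidence, deletions = None, []
    flagged = os.path.join(root, FLAGGED)
    if os.path.isfile(flagged):
        with open(flagged, "rb") as f:
            data = f.read()
        evidence = {"path": flagged, "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest()}
        deletions.append(flagged)
    targets = [os.path.join(root, d) for d in SYSTEM_TEMP_DIRS] + profile_temp_dirs(root)
    for d in targets:
        if os.path.isdir(d):
            deletions.extend(os.path.join(d, n) for n in sorted(os.listdir(d)))
    return evidence, deletions


def execute(deletions, dry_run=True):
    """Delete the planned paths (files or whole temp subfolders); report what was done."""
    done = []
    for p in deletions:
        if not dry_run:
            if os.path.isdir(p) and not os.path.islink(p):
                shutil.rmtree(p)
            else:
                os.remove(p)
        done.append(p)
    return done


def inventory(root):
    """Sorted relative paths of every file under root, for a before/after comparison."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        out.extend(os.path.relpath(os.path.join(dirpath, n), root) for n in files)
    return sorted(out)


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def make_sample_tree():
    """Constructed XP-like tree: flagged DLL, temp litter, and a system file that must survive."""
    root = tempfile.mkdtemp(prefix="xp_")
    _write(os.path.join(root, FLAGGED), b"MZ" + b"\x00" * 62)
    _write(os.path.join(root, "WINDOWS", "system32", "kernel32.dll"), b"MZ")
    _write(os.path.join(root, "WINDOWS", "Temp", "~tmp1.tmp"), b"x")
    _write(os.path.join(root, "WINDOWS", "Prefetch", "NOTEPAD.EXE-1234ABCD.pf"), b"x")
    _write(os.path.join(root, "Documents and Settings", "Allison", PROFILE_TEMP, "a.tmp"), b"x")
    _write(os.path.join(root, "Documents and Settings", "Administrator", PROFILE_TEMP, "b.tmp"), b"x")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    evidence, deletions = plan(root)
    print("evidence:", evidence)
    for p in execute(deletions, dry_run=True):
        print("would delete:", p)
```

Compare inventory(root) before and after a real run to confirm only the planned paths went; files that are in use will still refuse deletion from a normal session, which is why the thread does this from Safe Mode.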
  12. 2004/07/17
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I did notice another oddity in the log. These can be removed as they are doing nothing, and one is misnamed.
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    Msjava.dll is part of the Microsoft Java Virtual Machine; don't know why it is referred to as part of the Sun Java above. You do have XP SP1, and it does have the MS Java VM, while XP SP1a doesn't. Your MSJVM seems to be gone as far as that file is concerned.

    This line is not doing what it is supposed to do. I had this version of Sun Java [1.4.2_03] and had it check for updates; it said there was none. But 1.4.2_05 is available.
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
     
  13. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Mark, the new version of HJT is still reporting a lot of O9's as file missing. Won't hurt to remove as they're just extra buttons, but the files probably are there. ;) I did notice also with the update feature that the auto update time is 5:00 A.M. on the 15th or something, so most people would miss the scheduled update anyway, but manually updating through the plug-in is, as you said, not working right either.

    allibee,

    Update your Java from the Sun Java website.
     