Smitfraud And Exploit.byteverify Found


8 replies to this topic

#1 boo-boo-79

Posted 20 November 2006 - 11:08 AM

Firstly I'd like to say I'm a complete novice and don't have a clue about how to fix this, so your help is crucial to me right now, and I'll need taking through any process in simple, easy to understand steps please. Sorry if I'm not following the right protocol for this board, I'm a new user and quite clueless! :thumbsup:
Last night I lost all my MSN and Messenger settings, couldn't get into any of my emails or any MSN secure pages. So naturally I realised something was wrong. To begin with I did a System Restore to take the PC back to when I knew that the settings for MSN were there, and I now have all that working, but I knew something must've made it go wrong.
I ran Norton AV (I have Norton AV {updated before each use}, Internet Security and Protection Centre, and I run regular AV checks twice a week) which found nothing. I ran Ad-Aware and Spybot. Spybot found something called Smitfraud and between them they found dozens of threats and instances of spyware and adware which needed attention. I dealt with it, and ran them again, but some of the problems still showed up. So then I ran Panda scan which found it again and also found Exploit.ByteVerify and Dialer.HCC, but didn't eradicate them, so since then I've run AVG Anti-Spyware and SuperAntiSpyware but these haven't fixed my problems either.

Can, or more to the point will, one of you please help me to sort this? I am dreading having to wipe my OS out and start again.

Edited by boo-boo-79, 20 November 2006 - 11:21 AM.


#2 oldf@rt

Posted 20 November 2006 - 11:24 AM

The first step that I would recommend would be to download SuperAntiSpyware. Look here:

http://www.bleepingcomputer.com/forums/topic3616.html

Completely update the program, run a full scan, restart the program to let it remove any problems that it finds, then post a HijackThis log here:

http://www.bleepingcomputer.com/forums/topic3616.html

These are the instructions on what to do before you post the log, how to post, etc.

The team members are very busy, so do not post any replies until one of them answers your post. If you have not had an answer after five days, post here:

http://www.bleepingcomputer.com/forums/topic3616.html

SAS updates constantly, so updating is important, as are the restarts (don't worry about protocol, all of us were new at one time).

OF

Edited by oldf@rt, 20 November 2006 - 11:30 AM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 quietman7

Posted 20 November 2006 - 11:24 AM

Java.ByteVerify is actually a method to exploit a security vulnerability in the Microsoft Virtual Machine that is stored in the java cache as a java-applet. The vulnerability arises as the ByteCode verifier in the Microsoft VM does not correctly check for the presence of certain malformed code when a java-applet is loaded. Attackers can exploit the vulnerability by creating malicious Java applets and inserting them into web pages that could be hosted on a web site or sent to users as an attachment. Trojan Exploit ByteVerify indicates that a Java applet - a malicious Java archive file (JAR) - was found on your system containing the exploit code.

Follow the instructions here to clean your Java cache.
Follow the instructions here to clean your Web Browser Cache: IE, Netscape, Mozilla, Opera, AOL.

When done, I suggest you follow the generic instructions in How to remove the Smitfraud.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 boo-boo-79

Posted 20 November 2006 - 11:40 AM

Thank you both, I have done the Java and web browser cleaning, now going off to try the Smitfraud bit. I just saw someone else's post which says about Vundo; mine mentioned that too. So I may find I will need more help than I first thought.

#5 quietman7

Posted 20 November 2006 - 11:53 AM

How To Remove Winfixer/Virtumonde/Msevents/Trojan.vundo

#6 boo-boo-79

Posted 20 November 2006 - 06:31 PM

I've done the Java cache and the web browser cache cleaning, which seems to have sorted the ByteVerify problem, but now it's asking me to update my Java applets. Do I accept this or shouldn't I touch the updates?

I ran all the adware and spyware software I mentioned before and they've all said they are clear

I've tried running panda again but it won't let me do it, it is asking me for a password but I don't have one.

Then I've got a message saying Windows Updates are ready to be installed, so I accepted this on a custom install so I could see what was there, all looked normal so I downloaded all it wanted me to download.

I don't know if my pc is still infected with anything.
I've completed the first of the Vundo removers but not the second; should I run it? If so, when I've done this, as I still seem to have problems using the internet and using Panda, should I post a HijackThis report? I've never used it before so don't want to do it without your support and guidance.

#7 oldf@rt

Posted 20 November 2006 - 09:14 PM

boo-boo-79,

I have some questions about your version of Panda.

How long have you had Panda on the computer?

Asking for the password is to set up the account for updates or to start updates.

Has your version of Panda been set up completely yet?

If not, you will need the original CD sleeve, as this has the original code that you need to set up the program.

You will also need to have IE6 fully functional to access the Panda web site and create the account so that you can receive updates.

Please right-click on the Panda icon in the system tray, and left-click on the menu item to activate Panda.

IE should open directly to the correct page at Panda's site.

Once you put in the code from the CD sleeve at the web site, you will find out if the code has been used before, or not.

OF.

#8 boo-boo-79

Posted 21 November 2006 - 07:23 AM

OK, I've sorted out the Panda now.

I seem to be sorted, all except for knowing whether or not to download the java updates it's wanting to install?

#9 quietman7

Posted 21 November 2006 - 08:07 AM

You should be using Java 5.0 update 9. Older versions of Java have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9. Alternate download site here.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
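As an added example (not from this thread or from BleepingComputer), a small audit script that applies the rule in the post above: parse Java version strings in the two forms they appear here (Add/Remove Programs display names such as "J2SE Runtime Environment 5.0 Update 9" and the installer file name jre-1_5_0_09-windowsi586-p.exe), compare them against JRE 5.0 Update 9, and list the entries that are older and should be removed. The Add/Remove entries are constructed sample data; the mapping of "5.0 Update 9" to the internal 1.5.0_09 numbering is Sun's convention and the name-matching regex is an assumption about typical entry names.

```python
import re
from typing import List, Optional, Tuple

# Version to keep, from the post: JRE 5.0 Update 9 == internal 1.5.0_09
TARGET = (1, 5, 0, 9)

# Internal/installer form: "1.5.0_09", "jre-1_5_0_09-windowsi586-p.exe", "1.4.2_03"
_NUM_RE = re.compile(r"(\d+)[._](\d+)[._](\d+)(?:[._](\d+))?")
# Marketing form in Add/Remove names: "J2SE Runtime Environment 5.0 Update 9"
# (assumption: the entry name contains J2SE or Java before the version)
_NAME_RE = re.compile(
    r"(?:J2SE|Java)\D*?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(?:Update\s+(\d+))?",
    re.IGNORECASE)


def parse_java_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) in Sun's 1.x.y_uu numbering, or None."""
    m = _NUM_RE.search(text)
    if m:
        return tuple(int(g or 0) for g in m.groups())  # type: ignore[return-value]
    m = _NAME_RE.search(text)
    if m:
        first, second, third, upd = (int(g or 0) for g in m.groups())
        # "5.0 Update 9" is marketed as 5.0 but installs as 1.5.0_09
        if first >= 2:
            return (1, first, second, upd)
        return (first, second, third, upd)
    return None


def entries_to_remove(display_names: List[str],
                      target: Tuple[int, int, int, int] = TARGET) -> List[str]:
    """Add/Remove entries that are Java runtimes older than the target version."""
    return [name for name in display_names
            if (v := parse_java_version(name)) is not None and v < target]


# Constructed sample of Add/Remove Programs entries, not from a real machine
SAMPLE_ADD_REMOVE = [
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 9",
    "Norton AntiVirus 2006",
]

if __name__ == "__main__":
    print("installer file version:", parse_java_version("jre-1_5_0_09-windowsi586-p.exe"))
    for name in entries_to_remove(SAMPLE_ADD_REMOVE):
        print("remove (older than 5.0 Update 9):", name)
```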
