
Two Problems..


4 replies to this topic

#1 RickyC12345 (Members, 14 posts)

Posted 19 May 2007 - 10:28 PM

One day I seem to have gotten these files on my desktop for no reason, and I cannot delete them or anything, and I also don't know whether they're important or not on my comp...
CA2ZWR3W.
CA14Y597.
CASXW3S7.
CARQ61N3.
CAA34H2V.
CA7AM5JZ.
CA67QNAT.
CAQ789IJ.
CAE7A72T.
CA7U8J3L.
CA4P010R.

Also, when I use any search engine I seem to get advertisements such as mate1... Canadianmedsworld... monstermarketplace on the links below... I have seen a similar post and the solutions, however the infected files were different, so I am not sure what to do. Any help would be greatly appreciated...

I have tried using adware and spybot but neither seems to have helped.

Thanks

Edited by RickyC12345, 19 May 2007 - 10:31 PM.



#2 fozzie (aut viam inveniam aut faciam; Members, 3,516 posts; Location: Ossendrecht/The Netherlands)

Posted 20 May 2007 - 01:12 AM

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

After that, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method.

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.


Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
Post back the results of the above (Bitdefender, Dr.Web and SUPERAntiSpyware).

#3 RickyC12345 (Topic Starter; Members, 14 posts)

Posted 21 May 2007 - 09:34 AM

Bit Defender

Scanned File | Status
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66bc63a1-43831780.RB0=>Dummy.class | Infected with: Java.Trojan.Exploit.Bytverify
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66bc63a1-43831780.RB0=>Dummy.class | Disinfection failed
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66bc63a1-43831780.RB0=>Dummy.class | Deleted
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-66bc63a1-43831780.RB0 | Updated
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-533b1dbb-16e219d6.zip=>Dummy.class | Infected with: Java.Trojan.Exploit.Bytverify
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-533b1dbb-16e219d6.zip=>Dummy.class | Disinfection failed
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-533b1dbb-16e219d6.zip=>Dummy.class | Deleted
C:\Cindy\Documents and Settings\Ricky\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-533b1dbb-16e219d6.zip | Updated
C:\Documents and Settings\user\Desktop\Shortcut\NetLimiter_2_Pro.rar=>NetLimiter 2 Pro\破解程式.exe | Infected with: Backdoor.Pcclient.GV
C:\Documents and Settings\user\Desktop\Shortcut\NetLimiter_2_Pro.rar=>NetLimiter 2 Pro\破解程式.exe | Disinfection failed
C:\Documents and Settings\user\Desktop\Shortcut\NetLimiter_2_Pro.rar=>NetLimiter 2 Pro\破解程式.exe | Deleted
C:\Documents and Settings\user\Desktop\Shortcut\NetLimiter_2_Pro.rar | Update failed
C:\Documents and Settings\user\Desktop\Shortcut\nl\NetLimiter 2 Pro\7D12~1.EXE | Infected with: Backdoor.Pcclient.GV
C:\Documents and Settings\user\Desktop\Shortcut\nl\NetLimiter 2 Pro\7D12~1.EXE | Disinfection failed
C:\Documents and Settings\user\Desktop\Shortcut\nl\NetLimiter 2 Pro\7D12~1.EXE | Deleted
C:\System Volume Information\_restore{22875A95-D436-473F-AA27-ADA065D8372C}\RP912\A0047559.exe | Infected with: Backdoor.Pcclient.GV
C:\System Volume Information\_restore{22875A95-D436-473F-AA27-ADA065D8372C}\RP912\A0047559.exe | Disinfection failed
C:\System Volume Information\_restore{22875A95-D436-473F-AA27-ADA065D8372C}\RP912\A0047559.exe | Deleted

Dr.Web
slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;Moved.;
perfc000.dat.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Proxy.1800;Deleted.;
A0046064.exe;C:\System Volume Information\_restore{22875A95-D436-473F-AA27-ADA065D8372C}\RP899;Trojan.Proxy.1798;Deleted.;
CacheManager.ocx;C:\WINDOWS\Downloaded Program Files;Adware.Cashman;Moved.;

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2007 at 08:41 PM

Application Version : 3.7.1018

Core Rules Database Version : 3241
Trace Rules Database Version: 1252

Scan type : Complete Scan
Total Scan Time : 01:48:24

Memory items scanned : 513
Memory threats detected : 0
Registry items scanned : 4845
Registry threats detected : 5
File items scanned : 39211
File threats detected : 29

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@adbrite[2].txt
C:\Documents and Settings\user\Cookies\user@2o7[2].txt
C:\Documents and Settings\user\Cookies\user@ads.adbrite[1].txt
C:\Documents and Settings\user\Cookies\user@perf.overture[1].txt
C:\Documents and Settings\user\Cookies\user@revsci[2].txt
C:\Documents and Settings\user\Cookies\user@adcentriconline[1].txt
C:\Documents and Settings\user\Cookies\user@data3.perf.overture[1].txt
C:\Documents and Settings\user\Cookies\user@adopt.euroclick[1].txt
C:\Documents and Settings\user\Cookies\user@cpvfeed[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@accelerator-media[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@ad.hinet[1].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@adknowledge[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@ath.belnk[1].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@atwola[1].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@belnk[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@burstnet[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@dist.belnk[1].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@i.screensavers[1].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@image.checkmystats.com[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@interclick[1].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@mxadx.atnext[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@server.cpmstar[2].txt
C:\Cindy\Documents and Settings\Ricky\Cookies\ricky@www.screensavers[1].txt
C:\Cindy\Documents and Settings\Ricky\Local Settings\Temp\Cookies\ricky@ad.pdbox.co[1].txt
C:\Cindy\Documents and Settings\Ricky\Local Settings\Temp\Cookies\ricky@ath.belnk[2].txt
C:\Cindy\Documents and Settings\Ricky\Local Settings\Temp\Cookies\ricky@belnk[1].txt
C:\Cindy\Documents and Settings\Ricky\Local Settings\Temp\Cookies\ricky@dist.belnk[2].txt
C:\Documents and Settings\NetworkService\Cookies\user@ads.adbrite[1].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Trojan.Downloader-GRDMgr
C:\WINDOWS\SYSTEM32\GRDMGR.EXE

* I don't know if it helps, but the Adware Tracking Cookies seem to keep coming back, because I have removed ones with the same name before.
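The Dr.Web lines in this post are a semicolon-separated report. The Python below is an added example, not the poster's code and not Dr.Web's: it parses that layout, tallies results by action and by threat family, and separates detections that sat in a System Restore snapshot or in another tool's quarantine folder (the QooBox path) from those in live locations, which is the first thing a responder wants to know when reading such a log. The four-field layout (file;directory;threat;action;) and the "inactive location" rule are assumptions drawn from the four quoted lines, which are reused as the sample input.

```python
"""Parse a Dr.Web CureIt report (file;directory;threat;action;) and summarize it.

Added example, not code from the forum post or from Dr.Web. The four-field
layout and the "inactive location" markers are assumptions based on the
four report lines quoted in the post.
"""
import csv
from collections import Counter
from typing import Dict, List

# Sample lines copied from the Dr.Web section of the post above.
SAMPLE_REPORT = r"""slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;Moved.;
perfc000.dat.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Proxy.1800;Deleted.;
A0046064.exe;C:\System Volume Information\_restore{22875A95-D436-473F-AA27-ADA065D8372C}\RP899;Trojan.Proxy.1798;Deleted.;
CacheManager.ocx;C:\WINDOWS\Downloaded Program Files;Adware.Cashman;Moved.;
"""

# Directories where a hit is a leftover rather than a running infection:
# System Restore snapshots and another tool's quarantine folder (assumption).
INACTIVE_MARKERS = (r"\system volume information\_restore", r"\quarantine")


def parse_drweb_report(text: str) -> List[Dict[str, str]]:
    """Return one record per report line; lines with fewer than 4 fields are skipped."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=";"):
        fields = [f.strip() for f in row]
        while fields and not fields[-1]:      # drop the empty field after the trailing ';'
            fields.pop()
        if len(fields) < 4:
            continue
        name, directory, threat, action = fields[:4]
        records.append({
            "name": name,
            "directory": directory,
            "threat": threat,
            "action": action.rstrip("."),     # "Moved." -> "Moved"
        })
    return records


def threat_family(threat: str) -> str:
    """'Trojan.Proxy.1800' -> 'Trojan': the family is the first dotted component."""
    return threat.split(".", 1)[0]


def count_by_action(records: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(r["action"] for r in records))


def count_by_family(records: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(threat_family(r["threat"]) for r in records))


def is_inactive_location(record: Dict[str, str]) -> bool:
    """True when the file sat in a restore point or a quarantine folder."""
    directory = record["directory"].lower()
    return any(marker in directory for marker in INACTIVE_MARKERS)


def active_detections(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detections outside restore points and quarantine: triage these first."""
    return [r for r in records if not is_inactive_location(r)]


if __name__ == "__main__":
    recs = parse_drweb_report(SAMPLE_REPORT)
    print("by action:", count_by_action(recs))
    print("by family:", count_by_family(recs))
    for r in active_detections(recs):
        print("live location:", r["threat"], "in", r["directory"])
```

On the sample lines, two of the four hits (the QooBox quarantine entry and the RP899 restore-point entry) are classified as inactive, leaving the Sandlot Shared DLL and the Downloaded Program Files OCX as the entries that indicate something actually installed on the machine.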

#4 quietman7 (Bleepin' Janitor; Global Moderator, 51,287 posts; Location: Virginia, USA)

Posted 21 May 2007 - 10:20 AM

Java.ByteVerify is actually a method to exploit a security vulnerability in the Microsoft Virtual Machine that is stored in the java cache as a java-applet. The vulnerability arises as the ByteCode verifier in the Microsoft VM does not correctly check for the presence of certain malformed code when a java-applet is loaded. Attackers can exploit the vulnerability by creating malicious Java applets and inserting them into web pages that could be hosted on a web site or sent to users as an attachment. Trojan Exploit ByteVerify indicates that a Java applet - a malicious Java archive file (JAR) - was found on your system containing the exploit code.

When a browser runs an applet, the Java Runtime Environment (JRE) stores all the downloaded files into its cache directory for better performance. Microsoft stores the applets in the Temporary Internet Files.

The Java.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code...Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality. See here.

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer. See: here.

AVG, eTrust EZ Antivirus, Pest Patrol and others will find Java/ByteVerify but cannot get rid of them. If you have the Java-Plugin installed, then deleting them from the Java cache should eliminate the problem. The Java Plug-In in the Control Panel is only present if you are using Sun's Java. If you don't have the Java-Plugin installed then just delete the files manually. The Microsoft Virtual machine stores the applets in the Temporary Internet Files.

If you're using Sun Java, follow the instructions for Clearing the Java Runtime Environment (JRE) Cache.
If you're using IE, Netscape, Mozilla, Opera, or AOL, follow the instructions for Clearing your Web Browser Cache.

Rescan with BitDefender when done.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
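quietman7's point is that the flagged JAR is an entry in the JRE deployment cache and that clearing the cache is the fix. The Python script below is an added example, not the forum's code and not Sun's: it inventories a cache directory (the javapi\v1.0\jar layout shown in the BitDefender log above is assumed), recognises JARs by their ZIP signature rather than by file name, since cached entries carry names like classload.jar-66bc63a1-43831780.RB0, lists the class files inside each one, records a SHA-256 per file so there is a record before deletion, and then clears the cache with a dry-run default. It builds its own constructed sample cache in a temporary directory so it runs offline; point inventory_java_cache at a real Deployment\cache folder to use it for real.

```python
"""Inventory and clear a Sun JRE deployment cache directory.

Added example, not code from the forum post or from Sun. Assumes the
Deployment\cache\javapi\v1.0\jar layout quoted in the BitDefender log and
identifies archives by the ZIP local-file-header signature, not by name.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"   # every JAR is a ZIP archive and starts with this header


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zip_archive(path: Path) -> bool:
    """Signature check: cached JARs are not reliably named *.jar."""
    with open(path, "rb") as f:
        return f.read(4) == ZIP_MAGIC


def archive_members(path: Path) -> List[str]:
    """Names inside a cached JAR, e.g. the Dummy.class the scanner flagged."""
    if not is_zip_archive(path):
        return []
    with zipfile.ZipFile(path) as zf:
        return sorted(zf.namelist())


def inventory_java_cache(cache_root) -> List[Dict[str, object]]:
    """One record per file under the cache root: path, size, hash, archive flag, members."""
    root = Path(cache_root)
    entries = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        entries.append({
            "relative": p.relative_to(root).as_posix(),
            "size": p.stat().st_size,
            "sha256": sha256_of(p),
            "archive": is_zip_archive(p),
            "members": archive_members(p),
        })
    return entries


def clear_java_cache(cache_root, dry_run: bool = True) -> List[str]:
    """Delete every cached file (index files included); returns what was or would be removed."""
    removed = []
    for entry in inventory_java_cache(cache_root):
        removed.append(entry["relative"])
        if not dry_run:
            (Path(cache_root) / entry["relative"]).unlink()
    return removed


def build_sample_cache() -> Path:
    """Constructed sample cache in a temp dir: one JAR holding Dummy.class plus one index file."""
    root = Path(tempfile.mkdtemp(prefix="jre-cache-"))
    jar_dir = root / "javapi" / "v1.0" / "jar"
    jar_dir.mkdir(parents=True)
    # File name taken from the log above; the contents are constructed, not the real applet.
    with zipfile.ZipFile(jar_dir / "classload.jar-66bc63a1-43831780.RB0", "w") as zf:
        zf.writestr("Dummy.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic + padding
    (jar_dir / "classload.jar-66bc63a1-43831780.idx").write_bytes(b"index data (constructed)")
    return root


if __name__ == "__main__":
    root = build_sample_cache()
    for entry in inventory_java_cache(root):
        print(entry["relative"], entry["size"], entry["sha256"][:16], entry["members"])
    print("would remove:", clear_java_cache(root, dry_run=True))
    print("removed:", clear_java_cache(root, dry_run=False))
```

Keeping the hash inventory before deleting is deliberate: once the cache is cleared the evidence is gone, and the hashes are what you would submit or compare later if the question "was this the malicious applet?" comes up again.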

#5 buddy215 (Moderator, 13,101 posts; Location: West Tennessee)

Posted 21 May 2007 - 10:51 AM

You can keep those cookies from ever installing on your computer by using the settings shown in the link below. After changing the settings you will have to delete the existing cookies one last time.
http://www.howtogeek.com/howto/windows-vis...cookies-in-ie7/

Check your Java for the latest update. You can do this through your Control Panel: double-click on the coffee cup Java icon and select the Update tab.
Check Windows Update and update.
Due to the infections you had/have, I strongly suggest that you post a Hijack This log.
Follow the directions in the link below. DO NOT post the log in this forum. Post the log in the Hijack This Forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

I also wanted to warn you that some of the malware you had/have can collect all of your personal info such as passwords, credit card, banking info. You may want to notify banks, credit cards, paypal, etc. and monitor your accounts.

Edited by buddy215, 21 May 2007 - 10:57 AM.
