Hi. I was on my laptop and I have had Trend Micro's program about a month now. Everything has been fine. I never took the Norton Anti off though. So all the sudden Trend Micro is popping up alerts like mad that a virus called JAVA OPENSTR.A is appearing in a bunch of files under C:\Windows\TEMP. Now Norton is doing the same but listing the virus Trojan.ByteVerify in that same folder. I ran Trend Micro to see if it could pick up the source. Picked up nothing. So I went to Norton's site and it said run Norton in safe mode. I did that and nothing was picked up. I ran Spybot; it picked up Viewpoint and fixed it. Still didn't help. Now I had seen some previous posts where the virus was at least picked up in a virus scan. I don't know if JAVA OPENSTR.A and Trojan.ByteVerify are one and the same or what. I just finished Trojan Hunter which found nothing as well. I'm going to try running Ad-Aware. What else can I do? :sad: Any help would be GREATLY appreciated. Thank you.

Stephanie

To remove trojans there is a tool which needs to be downloaded and run.

1. Please download Stinger and save it to your desktop

2. Double-click on the stinger.exe file and open the tool

3. Choose your entire hard drive to scan.

4. Choose Scan Now

5. Stinger will fix anything that it finds

6. Click the File menu and select Save report to file

7. Post the log file results here in this thread.

STINGER

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Reboot to SAFE mode to delete files
How to start computer in safe mode

Delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Wow fast response! Thanks Caper. I'll do that now.

It might help! :)

I went to save the log and it just says what it says at the start up and says Number of clean files: 141948. Panda Active Scan said it found 3 infected files but it froze before I could get the results. Both were running at the same time. I'm running Panda Active Scan again; it has brought up 2 of the 3 already. I'll post when it's done.

Okay here is a report from Panda Active Scan and the only log Stinger gave me.

Stinger's Log:

Scan initiated on Fri Mar 04 06:10:02 2005

Number of clean files: 142755

Panda's Log:


Incident                      Status           Location

Adware:Adware/MediaTickets    No disinfected   Windows Registry
Adware:Adware/NavHelper       No disinfected   C:\Program Files\Ares
Adware:Adware/SuperSpider     No disinfected   Windows Registry
Adware:Adware/Index-se        No disinfected   C:\Program Files\Sonic\Express Labeler\stax.ENU
Spyware:Spyware/ISTbar        No disinfected   C:\WINDOWS\Temp\tmpA89F.tmp

I hope this is helpful in fixing it. I'm going to clear the folders that you said to now.

What operating system do you have? Please reply before doing the following:

Reboot into safe mode following the instructions here and Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.
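Both replies above describe the same clean-up: empty the contents of the temp folders without deleting the folders themselves, sweep for stray *.tmp files, and expect some files to be locked. The script below is an added example of that procedure and is not code from the thread or from any of the tools named in it. The folder list is an assumption about a typical Windows XP layout (taken from the paths the replies name, with the username expanded from the environment); `build_sample_tree` creates a constructed throwaway folder so the script can be tried anywhere, and the default is a dry run.

```python
"""Empty the temp folders named in this thread without removing the folders
themselves, and find stray *.tmp files. Added example, not from the thread."""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Iterator

# Folders from the two replies above (Windows XP layout). %USERNAME% is expanded
# from the environment when the function runs. These defaults are an assumption
# about a typical XP install; pass your own list on another layout.
DEFAULT_TEMP_DIRS = [
    r"C:\WINDOWS\Temp",
    r"C:\Temp",
    r"C:\Documents and Settings\%USERNAME%\Local Settings\Temp",
    r"C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files",
]


def purge_dir_contents(folder, dry_run=True):
    """Delete every entry inside `folder`, never `folder` itself.

    Returns (handled, skipped): `handled` counts entries deleted (or, in a dry
    run, entries that would be deleted); `skipped` counts entries that could
    not be removed, typically files still open by a running program or held
    by the antivirus. A missing folder is not an error and yields (0, 0).
    """
    folder = Path(os.path.expandvars(str(folder)))
    handled = skipped = 0
    if not folder.is_dir():
        return handled, skipped
    for entry in folder.iterdir():
        try:
            if not dry_run:
                # Links are unlinked, not followed, so a link into another
                # folder cannot cause that folder to be emptied. A link the
                # platform refuses to unlink is simply counted as skipped.
                if entry.is_dir() and not entry.is_symlink():
                    shutil.rmtree(entry)
                else:
                    entry.unlink()
            handled += 1
        except OSError:
            skipped += 1
    return handled, skipped


def purge_all(dirs=DEFAULT_TEMP_DIRS, dry_run=True):
    """Run purge_dir_contents over each folder; returns {folder: (handled, skipped)}."""
    return {d: purge_dir_contents(d, dry_run) for d in dirs}


def find_tmp_files(root) -> Iterator[Path]:
    """The '*.tmp' search step from the reply above, as a case-insensitive walk."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".tmp":
            yield path


def build_sample_tree() -> Path:
    """Constructed sample folder (two files, one sub-folder) for trying the script."""
    base = Path(tempfile.mkdtemp(prefix="temp-cleanup-demo-"))
    (base / "a.tmp").write_text("sample")
    (base / "b.txt").write_text("sample")
    (base / "sub").mkdir()
    (base / "sub" / "c.TMP").write_text("sample")
    return base


if __name__ == "__main__":
    demo = build_sample_tree()
    print("stray *.tmp files:", [str(p) for p in find_tmp_files(demo)])
    print("dry run on sample:", purge_dir_contents(demo))
    print("real run on sample:", purge_dir_contents(demo, dry_run=False), "folder kept:", demo.is_dir())
    # Dry run over the XP defaults: reports counts, touches nothing.
    for folder, (handled, skipped) in purge_all().items():
        print(f"{folder}: {handled} entries would be removed, {skipped} skipped")
```

Running it from Safe Mode, as the replies say, is what keeps the `skipped` count low: fewer programs hold files open. Change `dry_run` to `False` only after the dry-run counts look right.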

Windows XP. Okay to do the steps?

Yes. Do this too please.

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Reboot before scanning with silent runners.

"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"bacstray" = "BacsTray.exe" ["Broadcom Corporation"]
"PRONoMgr.exe" = "C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" ["Intel(R) Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"THGuard" = "C:\Program Files\TrojanHunter 4.2\THGuard.exe" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "DriveLetterAccess" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2005\VBProp.dll" ["Trend Micro Incorporated."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! Sebring\DLLName = "C:\WINDOWS\system32\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Network Provisioning Service, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Pml Driver, Pml Driver, "C:\WINDOWS\system32\HPHipm09.exe" ["HP"]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
RegSrvc, RegSrvc, "C:\WINDOWS\system32\RegSrvc.exe" ["Intel Corporation"]
SAVScan, SAVScan, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe"" ["Symantec Corporation"]
ScriptBlocking Service, SBService, "C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe" ["Symantec Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\system32\S24EvMon.exe" ["Intel Corporation "]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Password Validation, ccPwdSvc, ""C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

There is nothing bad in that log :). Are you still having problems?
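The reply above judged the Silent Runners log clean by eye. A first automated pass over a log in that format is shown below as an added example; it is not code from the thread or from Silent Runners. It assumes the layout visible in the log: one `"name" = "command" [company]` line per autostart entry, the bracketed tag being the company name Silent Runners reads from the file's version information (`[MS]` for Microsoft, `[null data]` or `[empty string]` when none is present), and `INFECTION WARNING!` prefixed to entries in keys the tool always highlights. The sample lines are constructed: all but `updater` are copied from the log above, and `updater` is an invented line showing what should get flagged, not a real indicator.

```python
"""Triage a Silent Runners-style log: list autostart entries and flag the ones
worth a second look. Added example; the format is modelled on the log in this
thread and the sample below is constructed."""
import re

# Constructed sample. All but the "updater" line are copied from the thread's
# log; "updater" is an invented example of a line that should be flagged.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"" ["Trend Micro Incorporated."]
"updater" = "C:\WINDOWS\TEMP\example_unsigned.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! Sebring\DLLName = "C:\WINDOWS\system32\LgNotify.dll" ["Intel Corporation"]
'''

# name = "value" [company]; the company tag is what Silent Runners read from the
# file's version information, with [MS] as its shorthand for Microsoft.
ENTRY_RE = re.compile(
    r'^(?P<warning>INFECTION WARNING!\s+)?'
    r'"?(?P<name>[^"=]+?)"?\s*=\s*'
    r'"(?P<value>.*)"\s+'
    r'\[(?P<company>[^\]]*)\]\s*$'
)
# First absolute path ending in an executable or library extension inside a value.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:|%[^%]+%)\\[^",]*?\.(?:exe|dll|vbs|bat|cmd|scr|pif|com)\b',
    re.IGNORECASE,
)
NO_COMPANY = {"null data", "empty string", ""}


def triage_line(line):
    """Parse one log line; return an entry dict with review flags, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value").strip('"')
    company = m.group("company").strip('"')
    path_match = PATH_RE.search(value)
    path = path_match.group(0) if path_match else (value.split() or [""])[0].strip('"')
    flags = []
    if m.group("warning"):
        flags.append("tool_warning")   # printed for this key regardless; check the company
    if company in NO_COMPANY:
        flags.append("no_company")     # no version info: seen on malware and on some vendors
    if not path_match:
        flags.append("relative_path")  # resolved through the search path at logon
    if re.search(r'\\temp\\', path, re.IGNORECASE):
        flags.append("temp_path")      # nothing legitimate should autostart from a temp folder
    return {"name": m.group("name"), "path": path, "company": company, "flags": flags}


def parse_silent_runners(text):
    """All autostart entries found in the log text, in order."""
    return [e for e in (triage_line(ln) for ln in text.splitlines()) if e]


def needs_review(entries):
    """Entries carrying at least one flag; the rest can be skimmed."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in needs_review(parse_silent_runners(SAMPLE_LOG)):
        print(f'{e["name"]!r:20} {e["company"]!r:28} {", ".join(e["flags"])}  {e["path"]}')
```

Read the flags as "look here", not "malicious": in the log above, `Dell QuickSet` carries `[empty string]` and the two `INFECTION WARNING!` lines belong to Intel and Microsoft Office, and the reply judged all of them fine. The combination worth attention is a path under a temp folder with no company name, which is exactly the pattern the original alerts in this thread (files appearing under C:\Windows\TEMP) would have produced had anything persisted.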

Been signed on my account on Windows for about 5 minutes. *Crosses fingers* Nothing bad yet. Is there maybe some settings or programs I need to add or remove to prevent it from happening again? Thank you both for your help, I really appreciate it a lot.

Check the *How you got infected* link in my signature below.

Is microsoft's antispyware worth having or should I stick with the others? and should I have trojanguard on?

A lot of ppl recommend M$ antispyware, but because it is Beta, I cannot recommend it myself :).

Thanks very much to crunchie and caper. No problems coming up. Thanks for the spyware guide crunchie. I have installed all those programs.

A lot of ppl recommend M$ antispyware, but because it is Beta, I cannot recommend it myself :).

Hi Crunchie, I too can't recommend it but I have it running on my system now and so far I like it.
What's that Opera Beta link doing in your sig! :) HeHEHE

It's actually not a link :D just advertising what browser I am using.
I have the MS antispyware on my PC too, although I have all the scanners inactive as I do not use IE. I scan maybe once a month with it. For the last 3-4 months I have scanned with Adaware, Spybot, my AV and now MS and not even a cookie has been found :mrgreen:. MS did mis-identify two legitimate programs though.
