Exploit-ByteVerify Trojan

Please check out these links on the same issue

http://delltalk.us.dell.com/supportforums/search?type=Message&q=ByteVerify+&page_size=20

>is there any other programs that I need on my computer to keep it safe?

Well...the critical Microsoft patch from last year for one thing. *;-) If you don't have it you will keep getting infected. If you have it you will still get Java exploits of this type, but they won't do any damage and can be emptied in your IE temp folder.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.byteverify.html

http://vil.nai.com/vil/content/v_100261.htm

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Hey Texruss,

 

I didn't restart my computer in safe or vga mode after I turned off System Restore and then continued to delete the infected files, do you think this caused any harm?

Also my computer has been running very slow while on the internet lately and the "cannot display this page" comes up numerous times (If I hit the refreshg button the page will come up though). I ran another virus scan and it came up clean. Do you think something is wrong?

Thanks for all your help

Tony

> didn't restart my computer in safe or vga mode after I turned off System Restore and then continued to delete the infected files, do you think this caused any harm?

No.

>Also my computer has been running very slow while on the internet lately and the "cannot display this page" comes up numerous times (If I hit the refreshg button the page will come up though). I ran another virus scan and it came up clean. Do you think something is wrong?

Yes...


We need you to download and install an analysis and repair tool called Hijackthis.

Go here and download the file: http://tomcoyote.com/hjt

Please unzip Hijackthis.zip into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. (don't unzip it into a temp folder or run the file from a temp folder, or the Windows Desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See my entire Hijackthis FAQ (Frequently Asked Questions) at:

http://russelltexas.com/malware/faqhijackthis.htm

After downloading, and unzipping the hijackthis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run Hijackthis, click on the 'scan' button and then 'save log' button.

Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt

Special Notice! Hijackthis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the Hijackthis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. Hijackthis should identify the vast majority of your problems and enable us to help you clean them off your system.


Stay in this thread for continuity. Reply to this message.

HTH (Hope that Helps)

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Guess I could be wrong...doesn't look too shabby.

Couple of orphan entries you can fix check in Hijackthis:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Exit Hijackthis.

The Canon web printer stuff may be interfering with your system...my guess anyway...the dump memory line indicates to me some OS aberation.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

The IE display problems could be interrelated or it could be damage from the previous problems you had. Check with your ISP to see if they have had problems...then if it continues you might try an IE repair:

See Reinstall or Repair IE / OE in Windows XP on this page:

http://www.mvps.org/sramesh2k/IEFAQ.htm#Reinstall

HTH,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss,
Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Logfile of HijackThis v1.97.7
Scan saved at 10:05:15 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\ehome\ehSched.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin.com/cab/wabctrl.cab

 

>Thanks for all your help! I turned the power off to my cable modem and then turned it back on and have found my previous internet problems to be gone.

Sometimes it's the simplest things. *;-)

 How do I go about deleting those orphan entries in the registry using the Hijack this program?

Open Hijackthis, scan, check those line items in the boxes to left, then click on fix checked button. Reboot and run a fresh log to see they are gone.

>Also do you suggest that I download ad-aware or any other adware software?

Yes..

You look clean and hearty congratulations! Now to stay that way:

Cleanup Programs and Procedures

(the four free programs in Items 2, 3, and 4 bolded below are a MUST in my opinion)

1. Spybot Search&Destroy, Ad-aware Run weekly - or after a heavy internet session. Download at the following link.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware and print it out as a hard copy. It will take five minutes to set up the custom scanning options for Adaware, but it's worth it as these settings will be retained and you won't have to re-enter them again.

http://www.cjwd.demon.co.uk/spybot-adaware.html

Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this.The problem is not serious and should not deter people from using Spybot.

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr

If you have problems with Disk Cleanup hanging and not completing see this page for XP users:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

From MS Help: "Disk Cleanup helps free up space on your hard drive. Disk Cleanup searches your drive, and then shows you temporary files, Internet cache files, and unnecessary program files that you can safely delete. You can direct Disk Cleanup to delete some or all of those files."

I check all the selected categories and click OK at the end of Disk Cleanup.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.

3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html

4. MVPS Hosts file at: http://mvps.org/winhelp2002/hosts.htm

The MVPS Hosts file replaces your current HOSTS file with one that prevents your computer from connecting to hostile sites by redirecting them to 127.0.0.1 which is your local computer. This is an easy way to prevent one of the most common hijackings computer users will face on the Internet! Do it now.

5. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

You can also start Windows Update by running Internet Explorer, pulling down Tools on top Menu bar and selecting Windows Update. Install ALL critical updates! Always!

If LiveUpdate fails (and it is prone to on MANY machines) download each patch manually from the MS advisory pages and install manually. Works for me!

6. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

7. Beg, borrow, or buy a Software Firewall if at all possible. I use Norton Internet Security 2004 and it has saved my bacon more times than I can count. For a free software firewall turn on the fairly lame firewall in Windows XP (I say it is lame because it does not monitor or block outgoing traffic...only incoming...a serious omission if the threat occurs inside your network). Hopefully with the upcoming Service Pack 2 this flaw will be addressed.

http://www.microsoft.com/technet/community/columns/5min/5min-101.mspx#XSLTsection125121120120

A better choice for now for a free software firewall is Zone Alarm.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

8. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

9. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). (don't put in a Local Settings Temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when XP and W2K users post here and place it in the Local Settings, the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/malware/faqhijackthis.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.bleepingcomputer.com

Good luck and safe computing!

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Hey Texruss,

Thanks for all your help! I turned the power off to my cable modem and then turned it back on and have found my previous internet problems to be gone. How do I go about deleting those orphan entries in the registry using the Hijack this program? Also do you suggest that I download ad-aware or any other adware software?

Thanks again,

Tony

Hola...Help

 

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Backdoor.Trojan
File:  C:\WINDOWS\SYSTEM32\WINAE.DLL
Location:  C:\WINDOWS\SYSTEM32
Computer:  DB0PM631
User:  Marta Ross
Action taken:  Clean failed : Quarantine failed : Access denied
Date found: Mon Jul 19 22:10:17 2004

yellow09: Please post your starter topic in the Main Index as a NEW TOPIC. We want to help and we can help best by seeing your message in its own thread.

One person per thread...that's the policy we must insist on as too many victims in one thread makes for a disjointed and confusing mess nobody can understand now or later. We are volunteers and need some control over the threads.

Click on the link below for the Main Index and post your message with a new topic.

http://forums.us.dell.com/supportforums/board/post?board.id=si_virus

We'll be glad to help you when you repost. Be aware we have only a handful of Hijackthis experts here (all volunteers with "real" jobs elsewhere *;-) for suggested fixes for Hijackthis logs and we answer posts in chronological order starting back with the oldest unanswered posts. Be patient as it may be a while before your turn comes up.

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, pskelley, and cghost.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general, Windows operations, and many specific items in Hijackthis logs: jimw, ddeerrff, and redwolfe_98 and msgale. Please follow their advice when they respond to your problems. They have a proven track record here.

BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.