Self replicating VIRUS help needed please.. :(

Question:
Oh golly, well, I've got a mean virus on my computer that I just can't shift. The virus is Trojan.ByteVerify (so Norton AV tells me) or it's called JAVA_BYTEVER.A or JAVA_BYTEVER.C according to PC-cillin and it's located in this directory:
C:\WINDOWS\TEMP
And it calls itself something like tmp6B.tmp. Now that's all and well since I know where it is you'd think I could delete it. Wrong. Well, I can delete it but I think this virus is self replicating because a new one is created after the old one is deleted, but it calls itself something slightly different like tmp7B.tmp or tmp6C.tmp.
It's really starting to annoy me now because I can't get rid of it and the pop ups from Norton saying that a new virus has been found are not fun. What I want to know is what is creating these .tmp files, is there some kind of .exe program buried in my computer somewhere which is churning them out?
Any help and advice on how to delete this virus for good would be a real help, thanks in advance…
Stervo
Answers:
I’m assuming you have Norton Anti-Virus and your definitions are up to date. If not then do an update first. Go to the link below and read the notes on Trojan.ByteVerify then follow the instructions for its removal - these are listed briefly below. The detailed notes describe how to disable System Restore and start in Safe Mode (Windows XP). It will not be removed unless you are in Safe Mode.

Then do the following….
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as Trojan.ByteVerify.
Hope this helps.
Answers:
My son's computer has had this and has got it clear but then it came back, he plays a lot of games so could it be that you are downloading it again?
Answers:
Same as Fran, have removed only to find it back again. Have just removed again as per Norton instructions. Son insists he's not downloading/playing anything dodgy but I'm not convinced!
Answers:
OK. This is a nasty nuisance that tucks itself away in hidden files. Norton probably won't do it on its own.
Try this.
First you need to reveal the hidden files & folders.....
1. Go to Start > Settings > Control Panel > double click "Folders Options"
2. Click on "View" tab at the top
3. Click "Show hidden files and folders"
4. Click on "Apply" then on "OK"
Next the removal.....
5. Open "Windows Explorer".....if you're on XP it's right click the Start button, left click "Explore all users".
6. In the left hand pane click once through each of the following.... C drive > Documents & Settings > Owner > Application Data > Sun > Java > Deployment > Cache.
7. Left click on the Cache folder and inside you will find two more folders...."tmp" and "javapi". Empty/clear everything out of both these folders so they are empty.
That's where the java bytever virus usually hides.
I'm not guaranteeing it will stay away but remember this post so you can fix it in a few clicks if it returns.
To get rid of all that other "temporary" stuff your PC accumulates when you are surfing etc. download CleanUp! here…..
*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility
Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.
Let us know how you get on.
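One way to script the inventory part of the procedure above, as an added example that is not from the thread: it lists every file in the Java deployment cache "tmp" and "javapi" folders plus the tmpNN.tmp files in the Windows temp folder, records a hash of each, and moves them into a quarantine folder instead of deleting them. The two folder paths are passed in as assumptions (on Stervo's machine they would be the Deployment\Cache folder from step 6 and C:\WINDOWS\TEMP).

```python
# Added example, not from the thread: inventory and quarantine the places
# the posts above name as the usual hiding spots (Java deployment cache
# "tmp" and "javapi" folders, and tmpNN.tmp files in the Windows temp dir).
# Files are moved rather than deleted so re-created copies can be compared.
import hashlib
import re
import shutil
from pathlib import Path

# Names like tmp6B.tmp / tmp7B.tmp / tmp6C.tmp as described in the question
TMP_NAME = re.compile(r"^tmp[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


def is_hidden(path: Path) -> bool:
    """Windows 'hidden' attribute (FILE_ATTRIBUTE_HIDDEN = 0x2); False elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & 0x2)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(java_cache: Path, windows_temp: Path) -> list:
    """All files under cache/tmp and cache/javapi, plus tmp*.tmp in windows_temp."""
    found = []
    for sub in ("tmp", "javapi"):
        folder = java_cache / sub
        if folder.is_dir():
            found += [p for p in folder.rglob("*") if p.is_file()]
    if windows_temp.is_dir():
        found += [p for p in windows_temp.iterdir()
                  if p.is_file() and TMP_NAME.match(p.name)]
    return [{"path": str(p), "size": p.stat().st_size,
             "hidden": is_hidden(p), "sha256": sha256_of(p)}
            for p in sorted(found)]


def quarantine(records: list, qdir: Path) -> int:
    """Move each inventoried file into qdir (parent folder prefixed); returns count."""
    qdir.mkdir(parents=True, exist_ok=True)
    moved = 0
    for r in records:
        src = Path(r["path"])
        shutil.move(str(src), str(qdir / f"{src.parent.name}__{src.name}"))
        moved += 1
    return moved
```

If successive tmpNN.tmp copies share the same sha256, the same content is being re-dropped from something already on the disk rather than freshly downloaded, which narrows the search to cached or startup items.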
Answers:
Thank you GreenFingers for your help, I'll do all those things in a second and post back the results after the scan... I have a fear that the manual scans, eg. full system scans don't find it for some reason... But I'll give it another go in safe mode.
Fran - I'm not downloading it again so I don't know how it comes back as I'm not connected to the Internet.
Anyways thank you all for your comments, I'll go and have another go, so fingers crossed
Stervo
Answers:
Funnily enough AVG won't touch this one but Avast will
Answers:
Thank you all for your help. Well I followed GreenFingers advice and did everything according to the instructions, Norton found the virus and deleted it, but as soon as it deleted it, the virus made a new copy of itself so it's still here.
Thank you pchelpman for your help, very nice clear instructions, I emptied those folders but it did nothing, the virus is still popping up in C:\WINDOWS\TEMP then I delete it and a new copy is made
So... I'm still thinking there is some little .exe file somewhere on my comp that is making all these new copies, or am I totally wrong?
Thanks again - Stervo
Answers:
I am surprised that clearing out the java deployment cache didn't work. It usually does.
Did you also use CleanUp! as I suggested? That program cleans out all your temp files for you.
If that doesn't work download the fully working trial version of Trojanhunter here......
Install it, scan your PC and have it fix anything it finds "bad". I did know of one instance where Trojanhunter killed off java bytever.
Let us know how you get on.
I'll keep thinking.
Answers:
Maybe do a clean/scan with system restore off as it could also hide in there.
Answers:
Thanks again mr pchelpman, I'll try CleanUp! and TrojanHunter and I'll let you know how I get on ...
Mr Skint - GreenFingers already advised me to disable system restore, but thank you for your advice anyways
I'll post back my findings.. I hope it's gunna be good news
Thanks again - Stervo
Answers:
Nope CleanUp! cleaned very well and deleted about 175MB of junk which was nice, virus still remains.. TrojanHunter took about 4 hours to scan with no sign of finishing, so I might leave it running while I'm asleep, doubt it will find anything though..
I just want to know what is creating the virus copies or is it the virus itself? Do you think I would need to go into the registry and delete some files from there?
I don't know what to do anymore, usually I'm pretty good with this sorta thing, but I really don't know where to start with this one.
Just so you know, the computer with the virus on is not connected to the internet at the moment so it can't download new copies of the virus or anything like that.
I fear I may have to reformat but I've got about 100GB of stuff and it would be a shame to lose it all...
Thanks again for all your time and effort - Stervo
Answers:
Are you using Microsoft VM (virtual machine) by any chance? To find out, type JVIEW at a command prompt. If you get an error saying the command isn't recognized it means MS VM isn't installed on your system. Otherwise the top line of the output displays the VM version and depending on the version there are vulnerabilities which are exploited by Trojan.ByteVerify. See for more information.
Also, make sure you're fully up to date with .
Answers:
Mr Skint - off where? You are such a useful person on techie problems, and we don't want to lose you!!
Answers:
Ah...java. Don't you just love it! What a mess it can cause/allow.
OK. Two more thoughts. Both mean you are going to have to get more invasive to dig this one out.
To answer your question about what is causing the self replication - this could be an ".exe" file somewhere on your system that has managed to hide itself well. Not likely, given the java bytever virus, but possible.
Now on to the suggestions.
FIRST
Chippy_Minton hints at a possible answer. I recommend you uninstall/remove any MS VM (or Sun Java if you have that instead) then go back online here....
....and re-install Sun Java
--> WARNING...Don't forget to have your antivirus and firewall up & running when you connect this PC back to the net.
If you have a fast internet connection (Broadband) run online scans here….
…and here…..
.
When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. I do NOT want the default spyXposer scan.
Once it has finished save the Activescan log. Then post that log in your next post.
Please run ALL the free scans offered by Housecall.
Make sure they both perform full system scans.
If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details back to this thread.
SECOND
IF this doesn't improve the situation I will take a look at your HijackThis ["HJT"] log.
Please download and install the latest version by going HERE....

After you install HJT make sure it's running from a permanent location by moving the HJT folder to a permanent place on your hard drive such as C:\HJT. This will ensure that any backups made are not lost.
Double click the HJT file and you will be presented with a window with several options. Choose the top one "Do a system scan and save a log file".
Two things will happen....a system scan will take place (probably a few seconds) then a Notepad logfile will open on top of the system scan. Copy & paste the results of that logfile to this thread. PLEASE DON'T DO ANYTHING ELSE WITH HJT.
Answers:
Mr pchelpman,
I thank you for all of your advice as it is much appreciated... Firstly I re-installed Sun Java, and the online Panda scan has only just finished (I started the scan early Friday evening) and it only found some adware:
C:\WINDOWS\SYSTEM32\ustart.exe
and 3 deleted viruses that came in an email and were deleted by Norton automatically;
Virus:W32/Sober.AH.worm - Personal Folders\Deleted Items\*name of email goes here*\*name of zip file*.zip[File-packed_dataInfo.exe]
So the virus still remains.. I think I will do all the scans offered by now and report back if it finds anything, and I will also post the HJT log when I get it done.
Thanks again - Stervo
Answers:
Oooh another thing that I forgot to mention is that my CPU usage is always at 100% now where the 'Image Name' is System and that process is using all my resources. The memory usage for this process is only 240 K.
Hmmm... thanks - Stervo
Answers:
Morning Stervo
If I read you right that "System" shouldn't be using almost anything....well, only a couple of % points from time to time. Certainly NOT 100%.
Let us know what happens after you've scanned with all 3 scanners at Housecall.
One more thing....do you have/use Spybot Search & Destroy? If not it's free, good and it's here....
Download it, install and scan (scan could take a fair while first time round). Have it fix anything it finds "bad".
Again let us know what happens.
If you get any more notifications of viruses etc. please post here the full location address.
I would be interested to see your HJT log also.
Will await developments.............
Answers:
Hello there pchelpman,
The Housecall virus and spy-ware combo scan is still running on my computer and it's been going for 24 hours and 17 minutes with no sign of finishing soon
100% CPU all the way. I HATE it.
Thanks again - Stervo
Answers:
If the virus is resident in memory, you may have to kill it using task manager (CTRL ALT DEL) before you can clean it using a virus scanner. Go into task manager, sort it into CPU utilisation order, and try end task on the processor hogging exes. Make a note of what you have killed, and see if it calms the machine down, if it does, you may have identified the exe responsible.
Autoruns from sysinternals.com is an easy way to spot and disable rogue programs and browser helper objects that run at startup.
Regarding those online scanners, even the reputable ones don't seem to clean up after themselves, and leave all sorts of rubbish on your system, which you have to manually delete. I prefer to stick with either Mcafee or Norton, and make sure the DATs and engines are up to date.
- download superdat, or liveupdate for Norton.
Same thing applies to Spybxx, it's bloated.. Lavasoft's ad-aware is a much cleaner spyware scanner in my opinion.
IF you have XP, the Microsoft anti-spyware beta is also something to try (after running Windows update).
If you haven't already disabled system restore, and cleaned up the restore points, then you could try to use system restore to correct the problem - i.e. restore to a time before you got infected.
Copyright 2007 - 2008 www.aq33.com