Exploit/ByteVerify, Need Help

Buzz

New Member
Hi, Everyone.
I wonder if any bright spark could help me. I am running XP with Panda antivirus on. I recently got a virus that Panda identified as Exploit/ByteVerify. Panda then informed me that it could not do anything about it because 'The partition is in read only mode and therefore no action can be taken against it. The location file is ..91.zip(dummy.class]--> The computer will sometimes boot up to the OS, other times it just gets as far as checking RAM and stops, and other times it does all the BIOS checks and stops. It is driving me crackers. Any suggestions as to how to get rid of it or what part to replace would be gratefully received. Regards, BUZZ
 
Hi, thanks for that. It boots up OK now. I have run another check on it and it comes up clean with Panda. The only thing is, there is an annoying balloon that keeps coming up on the screen from Microsoft saying my computer is infected and I should download some of their software. Any ideas about how to get rid of it? Buzz
 
I asked you to do that because a lot of people (including myself) have had compatibility issues with Panda Antivirus. I trialed it, but once Windows began loading, my system would completely lock up. You might be experiencing similar issues. Anyway, the popup you just described sounds like a SmitFraud infection. Do the following.

Download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop.
Double-click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. Please install it there.
Continue to click "Next" in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
Put a check by "Create a desktop icon" then click "Next" again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click "Finish" and it will launch Hijack This.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.

Download SmitfraudFix (by S!Ri) http://siri.urz.free.fr/Fix/SmitfraudFix.zip to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Post this log also.
 
Hi, thanks for that. Please find the log from the scan as follows. Just a thought: should I have done the scan without Panda being installed? There seem to be a lot of Panda files on the log. Let me know, I can always do another one without Panda on. Regards, Buzz

Logfile of HijackThis v1.99.1
Scan saved at 4:12:52 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\system32\wuauclt.exe
A:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wpabaln.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://service.pandasoftware.com/rol
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
 
It appears the malware is hiding itself from HijackThis. Please do the following.

Go to 'C/Program Files' and create a folder called 'HijackThis' and put the HijackThis.exe there. Right click on 'HijackThis.exe' and select 'Rename', type in Show.exe and hit Enter. Double click on Show.exe and post the log. Also, you were supposed to run option #1 of the SmitFraudFix and post that log also.
 
Hi, yes, thanks for that. I am having problems downloading SmitFraud for some reason, will try again. Many thanks, Buzz
 
Hi again, I have done as you requested with HijackThis but I am having problems opening SmitFraud on my computer, it just sits there, does nothing. Anyway, the new HijackThis log is below, hope it makes sense. Regards, Buzz

Logfile of HijackThis v1.99.1
Scan saved at 4:12:52 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\system32\wuauclt.exe
A:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wpabaln.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://service.pandasoftware.com/rol
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
 
You are not following directions. Do this.

Go to 'Control Panel/Folder Options/View' and check 'Show hidden files and folders'. While there, UNCHECK 'Hide protected operating system files (Recommended)'. Click Apply and OK.

Run HijackThis and put a check by the following entry, close all open windows and browsers except HijackThis and click 'Fix Checked'

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Open HijackThis again. Select 'Misc. Tools/Delete a File on Reboot'.

Navigate to - C:\winstall.exe

Click Open, then OK.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system must reboot now.

Once back in Windows, I will ask you to do this again!

Go to 'C/Program Files' and create a folder called 'HijackThis' and put the HijackThis.exe there. Right click on 'HijackThis.exe' and select 'Rename', type in Show.exe and hit Enter. Double click on Show.exe and post the log.

As for the SmitFraudFix, for now, completely disable all of your security programs - Panda, if you have Spybot S&D, etc. - and try running option #1 of SmitFraudFix again and post the log from that also.
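
Added example, not part of the thread and not code from HijackThis: a small triage script that parses a HijackThis log and flags O4 autorun entries whose executable sits directly in a drive root, the property that sets apart the `C:\winstall.exe` entry singled out above. The sample is a subset of the posted log; the function names and the drive-root heuristic are assumptions made for illustration.

```python
import re
from ntpath import dirname, splitdrive

# Subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe

O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
"""

# O4 line layout: hive, Run key, [value name], command line.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$')

def command_to_path(command):
    """Extract the executable path from a Run value, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', command)
    return m.group(1) if m else command

def parse_log(text):
    """Return (set of running process paths, list of O4 autorun entries)."""
    running, autoruns, in_procs = set(), [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            running.add(line.lower())
        elif (m := O4_RE.match(line)):
            hive, key, name, cmd = m.groups()
            autoruns.append({"hive": hive, "key": key, "name": name,
                             "path": command_to_path(cmd)})
    return running, autoruns

def flag_root_autoruns(text):
    """Heuristic (assumption): an autorun target directly in a drive root is worth review."""
    running, autoruns = parse_log(text)
    flagged = []
    for entry in autoruns:
        drive, rest = splitdrive(entry["path"])
        if drive and dirname(rest) == "\\":
            flagged.append({**entry, "running": entry["path"].lower() in running})
    return flagged
```
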
 