Scan Results

Did a scan per Mr. Blackspear's recommendations. Got about 40 plus red entries in the log along with a zillion blue ones. The only option open in the dialog boxes for these items was "leave." What does all this mean?

C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-40fdd9b9.zip »ZIP »Dummy.class - Java/Exploit.Bytverify trojan

C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter2.jar-642f09e-266b9302.zip »ZIP »counter.class - Java/ClassLoader.B trojan

C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\WebCounter.jar-645176f1-3202a1f7.zip »ZIP »a.class - Java/Shinwow.A trojan

C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-6bb41746-4b1926c2.zip »ZIP »Dummy.class - JS/IEStart trojan

C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-620a9ba0.zip »ZIP »Installer.class - Java/OpenConnection.F trojan

 

By the looks of things, your computer has a trojan virus. With the only option as leave, my GUESS would be that they are locked in the memory somewhere and are currently being used by the system, thus NOD is not able to remove them right now.

My recommendation would be to get trojanhunter (free trial version found at http://www.trojanhunter.com/ ), turn off system restore (WinME/XP), delete your cache and temp files and then run both NOD and trojan hunter.

Neil

 

Actually, the programs you will need to remove the virus are CWShredder found at: http://www.intermute.com/spysubtract/cwshredder_download.html and HiJackThis found at: http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

It is recommended that you post the log produced by HiJackThis BEFORE you delete anything so others in the know can help you along.

Neil

 

Actually, the easy way to get rid of this trojan, since it is located in your java application, is to go to the Control Panel, click on Java Plug In, click on cache tab, and click on Clear. It will clear the cache of java and will delete the trojans. Also, if you are using MS Java Machine, there was an update posted not too long ago that will block this exploit. If you are using Sun Java (which you must be), the trojan is trapped in the cache files, and you can delete it by using the above directions.
Also, if you disable cacheing, you will not be reinfected by the same trojan anymore.

 

The Blue ones are ok, nothing wrong there. The Red ones need fixing. There are further very comprehensive cleaning instructions in post number 2 here: https://www.wilderssecurity.com/showthread.php?t=47830

There is a thread here for tweaking Nod32: https://www.wilderssecurity.com/showthread.php?t=37509

Hope this helps...

Let us know how you go...

Cheers

 

Yeah, well my first recommendation would be to pull the plug (i.e. kill the internet connection completely) on the infected system, like NOW, not after screwing around with anything else.

Then, as the Eset moderator Marcos has requested before, send a HijackThis log to support@nod32.com.

 

Well, after reviewing all the replies to my original post, I took the easy way out and tried Mr. Jayt's suggestion. It was painless and quick to do.

Scanned again. This time NOD32 found ZERO viruses. Apparently Mr. Jayt knows of what he speaks (no offense intended to anyone else who tried to help me).

I'm a little bummed out that NOD32 let me down on this one. Up to now there has NEVER been an invader on my system, at least to the best of my knowledge there hasn't been. Of couse this is the first time that I've used that "in depth" scan feature, too.

Do you think that trojan was actually active on my system?

 

If it was active AMON would have pounced on it. With Trojans, they are generally injected into memory and as such require a reboot into Safe Mode and a scan by Nod32, in order for it to be removed.

Do you have the latest version of Nod32 2.12.3?

Cheers

 

Well, I can't take any credit for originality in solving the problem with java. There is a thread--where else? In Wilders Security Forums dated August 29,2003 that gives the solution. You can read it here:

https://www.wilderssecurity.com/showthread.php?t=13039