Java Byte/Verify and Trojan Java/Classloader

I'm not sure what kind of information I need to provide to get help with these viruses/trojans, but I hope someone will be able to help me.

I recently scanned my computer with AVG, and it came back with 4 infected files...

Trojan Horse Java/Classloader
Virus Indentified Java/ByteVerify
Virus Indentified Java/ByteVerify
Trojan Horse Java/Classloader

It doesn't allow me to delete or heal any of them.

I have read some of the topics here about the Java/ByteVerify virus that tells me to click Start > Settings > Control panel > Java Plugin > Choose Cache and Click remove JAR Cache.

I attempted to do this, but my computer doesn't have a "Java Plugin", so I'm stumped. Maybe its just because I'm computer illiterate and can't find the Java Plugin, I'm not sure.

Any help would be appreciated thanks

 

Hi lana,

It depends on your system and the type of Java you're using. If you have XP you will need to click 'other control Panel Icons', in the Control Panel, to see the Java icon. Alternatively you can click 'switch to classic view'.

When you click that icon, you follow these instructions for Sun Java 1.5:-

http://www.java.com/en/download/help/5000020300.xml

If you've got 1.4, then you must click the cache tab on the panel and click within that to delete the cache contents (as you indicate above).

If you've still got MS VM for Java, then you just delete temp internet files.
But in this case you should upgrade to Sun Java.

 

I have Windows XP, and when I open the control panel, there are no icons for a Java Plugin or 'other control Panel Icons'.

But I have cleared the temporary internet files, so I will scan my computer once again

thanks

 

The 'other control Panel Icons' option should appear in the left hand pane of the XP control panel, under 'See Also' - you may have to 'expand' this section by clicking the arrow appearing by the 'See Also'. The icon you need to click will just say 'Java', without referrence to 'Plugin'.

You should be able to see what type of Java you are using by going to Internet Explorer and clicking Tools/Internet Options, then clicking the Advanced Tab and scrolling down until you see referrence to Sun Java and/or Microsoft VM. If it doesn't mention Sun Java there then you are not running it - let me know in that case and I will explain how to install Sun Java.

You can see how it should look from here (though this is instructions for uninstalling MS-VM):- http://www.java.com/en/download/help/uninstall_msvm.xml

 

In the advanced internet options, there is nothing that mentions "Java".

 

Can you please look in AVG's reports section and find out the full and exact file path of the malware AVG found. We were both assuming the bugs were in your Java cache, but it seems you may not have Java installed at all!

Did you do another scan and if so what was the result of that?

Another thing you could try is an online scan here:- http://www.kaspersky.com/service?chapter=161739400

If it finds anything it can't delete, please post the full and exact file path together with the name given to the malware.

Without knowing where these nasties are located it is not possible to advise on removal.

 

Took forever, but the online scan finally finished.
Ends up AVG wasn't showing me all the viruses.
Here's the info it gave me...


-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Sunday, July 24, 2005 02:46:34
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/07/2005
Kaspersky Anti-Virus database records: 131788
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 64583
Number of viruses found: 7
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 9187 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/BlackBox.class Infected: Exploit.Java.ByteVerify

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v

C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip Infected: Trojan-Downloader.Java.OpenConnection.v

C:\WINDOWS\rmaou.dll/data0001.html Infected: Trojan-Downloader.Win32.WinShow.u

C:\WINDOWS\rmaou.dll/data0002.html Infected: Trojan-Downloader.Win32.WinShow.u

C:\WINDOWS\rmaou.dll/data0003.html Infected: Trojan-Downloader.Win32.WinShow.u

C:\WINDOWS\rmaou.dll/data0004.html Infected: Trojan-Downloader.Win32.WinShow.u

C:\WINDOWS\rmaou.dll/data0005.html Infected: Trojan-Downloader.Win32.WinShow.u

C:\WINDOWS\rmaou.dll/data0006.html Infected: Trojan-Downloader.Win32.WinShow.u

C:\WINDOWS\rmaou.dll Infected: Trojan-Downloader.Win32.WinShow.u

 

Well, one thing we can say for certain is that you do have Sun Java installed - even if you can't find it!

But if you can't find it I know something that will; download, install and run CCleaner from here:- http://www.ccleaner.com/
That will clean out your Java cache for you and get rid of the bugs AVG is finding.

The other problem is likely to be more tricky though, was Kaspersky unable to delete it? If not you may have to locate it in Windows Explorer and delete manually.

First of all, though, there is a removal tool that may help; you can get that here:- http://securityresponse.symantec.com/avcenter/venc/data/adware.iefeats.html#removalinstructions

If that is no good you could try Lavasoft's AdAware from here:- http://www.lavasoftusa.com/software/adaware/
You would need to install it, update the definitions, and do a full system scan, which should be done in 'Safe Mode' (a link on how to go into 'safe' is given below).

Failing all that, you will need to try manual removal. The file you need to delete is rmaou.dll, which is located at C:\WINDOWS.

i.e. the file path is C:\WINDOWS\rmaou.dll

To be sure of finding it you first need to bring up Windows Explorer and then:-

1. Select "Tools" from the menu on top.
2. Select "Folder Options".
3. Select the "View" tab.
4. Scroll down and Select "Show hidden files and folders".
5. Unselect "Hide extentions for known file types".
6. Unselect "Hide protected operating system files".
7. If you get a "warning" prompt, say yes you want to do it anyway.
8. Click Apply and Ok.

Once you've done that you should attempt to locate and delete the file. If it will not delete you should first attempt to 'unregister' the .dll. as follows:-

To unregister rmaou.dll:-
Click the Start button, and select Run
Type in this command line:

regsvr32 /u C:\WINNT\system32\rmaou.dll

(Note the spaces are also important - these are between '32' and '/' and between 'u' and 'C'). Finally click O.K.

Now you must reboot into 'Safe Mode' as per here:- http://www.bleepingcomputer.com/forums/tutorial61.html

Once your in 'safe' you should once more locate and attempt to delete rmaou.dll.

If even that fails, I will give some alternate ideas.

 

I ran CCleaner, and it cleared out a lot of files, so hopefully that got rid of some.

I used the AdAware yesterday before I ran the virus scan, and it had cleared out 10 new objects.

Kaspersky didn't give me the option to delete the files.

I don't really understand the removal tool from recurityresponse.symatec.com, so I don't think I will be able to do that.

There is no file called "rmaou.dll" under the WINDOWS folder. Is it in a sub folder?

I will run the Kaspersky scanner again to see if the CCleaner really cleared the viruses.

 

Don't bother with the Symantec tool if you don't understand it, it may not have worked anyway.

When you do the KAV scan, do look at the options before you start and see if one of them enables you to 'clean' rather than just 'report' findings; 'cos if KAV can get rid of the 'bug' it will save a lot of bother.

I've got my fingers crossed that the reason you couldn't find "rmaou.dll" is 'cos AdAware got rid of it!

BTW - you did 'unhide' your 'hidden' files when you looked for "rmaou.dll" didn't you?

 

There is no choice that enables me to "clean" instead of just "report", on KAV.

Yes, I did unhide hidden files.

I scanned again, and the viruses are still on my computer.

 

Just use a couple of the free scanners in my signature instead, Like Trend-Micro & Panda.

 

I just used PAS, and it cleared most of the infected files off of my computer.

It says there is still AdAware on my computer, so I am once agian running AdAware.

Do you know of any other Spyware programs T can try?

 

Use Housecall it also removes spyware. You could also try Micosoft antispyware:http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en and use a hostfile:http://www.mvps.org/winhelp2002/hosts.htm which should be updated when new versions appear.

 

After doing all of this, 6 viruses still remain on my computer.
And even more unwanted ads are popping up.
They are called "yeildmanager" or something.

 

U may want to post a HijackThis log over here,

http://gladiator-antivirus.com/forum/index.php?showtopic=10517

for analysis by the experts on the remaining malware on your system.

Just follow the instructions first before u post a log.


snowbound

 

A2 free has a very large almost daily updated database. this will find and clean also.

 

The online scanner at Computer associates is very fast and very good.

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

has to be ran in internt explorer. Good Luck

 

Ok, I am at my wits end rite about now . I just scanned my computer with AVG and came up wid 6 viruses (two of each):

Trojanhorse java/classloader - infected/embedded object
Java/ByteVerify
Trojanhorse BackDoor.Generic.GGB.

Now, I ran a Spybot and a Stinger which but it ain't help AVG ain't helping not one bit except 2 tell me I have viruses, I don't need 2 hear dat I need 4 it 2 remove the stupid tings from my computer

Can somebody please please please help me out in my misery and tell me what else is there to do

 

Hi Boo!

Welcome to Wilders.

Might be best to post a HijackThis log over at this forum,

http://gladiator-antivirus.com/forum/index.php?showforum=170

and let the experts there give u recommendations on any malware found.

If u choose to, read the rules first before u post your log.


snowbound

 

lol,

guess i should look up a few posts as to not dupe myself.

Oh well...never hurts to repeat yourself once and a while.


snowbound

 

I had the same problem, and cleared it using Trend Micro Housecall online scan http://housecall.trendmicro.com/

 

Hi Dellboy, I did the Trend Micro Housecall but got a pop up askin 2 install ActiveX control 'Xscan60.cab' from Trend Micro, Inc...Did u get the same pop up?

Boo

 

I read that if you open the java plugin in your control panel and uncheck enable caching box. and do this in IE also. The infection cannot return. Is this true?
I did it and have not had the java byte verify exploit return yet.

 

I use Opera and FireFox and always use this site in the UK for Trend Micro online scan,

http://uk.trendmicro-europe.com/consumer/housecall/housecall_pre.php


snowbound