Java Byte/Verify and Trojan Java/Classloader

Discussion in 'malware problems & news' started by Lana, Jul 23, 2005.

Thread Status:
Not open for further replies.
  1. Lana

    Lana Guest

    I'm not sure what kind of information I need to provide to get help with these viruses/trojans, but I hope someone will be able to help me.

    I recently scanned my computer with AVG, and it came back with 4 infected files...

    Trojan Horse Java/Classloader
    Virus Identified Java/ByteVerify
    Virus Identified Java/ByteVerify
    Trojan Horse Java/Classloader

    It doesn't allow me to delete or heal any of them.

    I have read some of the topics here about the Java/ByteVerify virus that tells me to click Start > Settings > Control panel > Java Plugin > Choose Cache and Click remove JAR Cache.

    I attempted to do this, but my computer doesn't have a "Java Plugin", so I'm stumped. Maybe it's just because I'm computer illiterate and can't find the Java Plugin, I'm not sure.

    Any help would be appreciated :) thanks
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Hi lana,

    It depends on your system and the type of Java you're using. If you have XP you will need to click 'other control Panel Icons', in the Control Panel, to see the Java icon. Alternatively you can click 'switch to classic view'.

    When you click that icon, you follow these instructions for Sun Java 1.5:-

    http://www.java.com/en/download/help/5000020300.xml

    If you've got 1.4, then you must click the cache tab on the panel and click within that to delete the cache contents (as you indicate above).

    If you've still got MS VM for Java, then you just delete temp internet files.
    But in this case you should upgrade to Sun Java.
     
  3. Lana

    Lana Guest

    I have Windows XP, and when I open the control panel, there are no icons for a Java Plugin or 'other control Panel Icons'.

    But I have cleared the temporary internet files, so I will scan my computer once again :)

    thanks
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The 'other control Panel Icons' option should appear in the left hand pane of the XP control panel, under 'See Also' - you may have to 'expand' this section by clicking the arrow appearing by the 'See Also'. The icon you need to click will just say 'Java', without reference to 'Plugin'.

    You should be able to see what type of Java you are using by going to Internet Explorer and clicking Tools/Internet Options, then clicking the Advanced Tab and scrolling down until you see reference to Sun Java and/or Microsoft VM. If it doesn't mention Sun Java there then you are not running it - let me know in that case and I will explain how to install Sun Java.

    You can see how it should look from here (though these are instructions for uninstalling MS-VM):- http://www.java.com/en/download/help/uninstall_msvm.xml
     
    Last edited: Jul 23, 2005
  5. Lana

    Lana Guest

    In the advanced internet options, there is nothing that mentions "Java".
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Can you please look in AVG's reports section and find out the full and exact file path of the malware AVG found. We were both assuming the bugs were in your Java cache, but it seems you may not have Java installed at all!

    Did you do another scan and if so what was the result of that?

    Another thing you could try is an online scan here:- http://www.kaspersky.com/service?chapter=161739400

    If it finds anything it can't delete, please post the full and exact file path together with the name given to the malware.

    Without knowing where these nasties are located it is not possible to advise on removal.
     
  7. Lana

    Lana Guest

    Took forever, but the online scan finally finished.
    Ends up AVG wasn't showing me all the viruses.
    Here's the info it gave me...


    -------------------------------------------------------------------------------
    KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
    Sunday, July 24, 2005 02:46:34
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 24/07/2005
    Kaspersky Anti-Virus database records: 131788
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 64583
    Number of viruses found: 7
    Number of infected objects: 16
    Number of suspicious objects: 0
    Duration of the scan process: 9187 sec

    Infected Object Name - Virus Name
    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/BlackBox.class Infected: Exploit.Java.ByteVerify

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip Infected: Trojan-Downloader.Java.OpenConnection.aa

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v

    C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip Infected: Trojan-Downloader.Java.OpenConnection.v

    C:\WINDOWS\rmaou.dll/data0001.html Infected: Trojan-Downloader.Win32.WinShow.u

    C:\WINDOWS\rmaou.dll/data0002.html Infected: Trojan-Downloader.Win32.WinShow.u

    C:\WINDOWS\rmaou.dll/data0003.html Infected: Trojan-Downloader.Win32.WinShow.u

    C:\WINDOWS\rmaou.dll/data0004.html Infected: Trojan-Downloader.Win32.WinShow.u

    C:\WINDOWS\rmaou.dll/data0005.html Infected: Trojan-Downloader.Win32.WinShow.u

    C:\WINDOWS\rmaou.dll/data0006.html Infected: Trojan-Downloader.Win32.WinShow.u

    C:\WINDOWS\rmaou.dll Infected: Trojan-Downloader.Win32.WinShow.u
     
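The report above is worth reading in terms of files on disk rather than "objects": the scanner descends into archives and writes the entry inside an archive after a "/", while the file system path uses "\". The following Python is an added triage helper written for this thread (not a Kaspersky tool, not from any post); it embeds the 16 detection lines from the report as a constructed sample and groups them by the file that actually exists, separating cached applet JARs in the per-user Sun Java deployment cache from everything else.

```python
"""Triage the Kaspersky web-scanner report format shown in the thread.

Added example; not a Kaspersky tool and not from the original posts.
One line per object, "<drive>:\\<path>[/<entry inside archive>] Infected: <name>".
Splitting on the first "/" collapses the 16 objects to the 3 files on disk.
"""
import re
from collections import defaultdict

# Constructed sample: the detection lines copied from the report in the
# thread (header and statistics left out).
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-3deaa5c9.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Lana\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7e4efb10.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\WINDOWS\rmaou.dll/data0001.html Infected: Trojan-Downloader.Win32.WinShow.u
C:\WINDOWS\rmaou.dll/data0002.html Infected: Trojan-Downloader.Win32.WinShow.u
C:\WINDOWS\rmaou.dll/data0003.html Infected: Trojan-Downloader.Win32.WinShow.u
C:\WINDOWS\rmaou.dll/data0004.html Infected: Trojan-Downloader.Win32.WinShow.u
C:\WINDOWS\rmaou.dll/data0005.html Infected: Trojan-Downloader.Win32.WinShow.u
C:\WINDOWS\rmaou.dll/data0006.html Infected: Trojan-Downloader.Win32.WinShow.u
C:\WINDOWS\rmaou.dll Infected: Trojan-Downloader.Win32.WinShow.u
"""

# "<drive>:\<path> Infected: <detection name>"
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+)$")

# Path fragment identifying the per-user Sun Java deployment cache (taken
# from the paths in the report above).
JAVA_CACHE_MARKER = "\\Sun\\Java\\Deployment\\cache\\"


def split_container(scanner_path):
    """Split a scanner path into (file on disk, entry inside it or None).
    The file system part only ever uses backslashes, so the first "/" marks
    where the scanner descended into an archive."""
    container, sep, inner = scanner_path.partition("/")
    return container, (inner if sep else None)


def parse_report(text):
    """Return a list of (container, inner_entry, detection_name) tuples."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            container, inner = split_container(m.group("path"))
            findings.append((container, inner, m.group("name")))
    return findings


def classify(container):
    """'java-cache' for a file under the per-user Java deployment cache
    (a downloaded applet JAR that only runs if its page is loaded again),
    'other' for anything else, which needs its own removal step."""
    return "java-cache" if JAVA_CACHE_MARKER in container else "other"


def summarize(text):
    """Group findings by on-disk file: kind, distinct detections, entry count."""
    per_file = defaultdict(lambda: {"detections": set(), "entries": 0})
    for container, _inner, name in parse_report(text):
        per_file[container]["detections"].add(name)
        per_file[container]["entries"] += 1
    return {
        path: {"kind": classify(path),
               "detections": sorted(info["detections"]),
               "entries": info["entries"]}
        for path, info in per_file.items()
    }


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_REPORT).items():
        print(f"{info['kind']:10} {info['entries']:2} objects  {path}")
        for det in info["detections"]:
            print(f"{'':14}{det}")
```

Run on the sample, the 16 objects reduce to two cached JARs (removable by clearing the Java cache) and one DLL in C:\WINDOWS, which is the only file that needs a separate removal step.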
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Well, one thing we can say for certain is that you do have Sun Java installed - even if you can't find it!

    But if you can't find it I know something that will; download, install and run CCleaner from here:- http://www.ccleaner.com/
    That will clean out your Java cache for you and get rid of the bugs AVG is finding.

    The other problem is likely to be more tricky though, was Kaspersky unable to delete it? If not you may have to locate it in Windows Explorer and delete manually.

    First of all, though, there is a removal tool that may help; you can get that here:- http://securityresponse.symantec.com/avcenter/venc/data/adware.iefeats.html#removalinstructions

    If that is no good you could try Lavasoft's AdAware from here:- http://www.lavasoftusa.com/software/adaware/
    You would need to install it, update the definitions, and do a full system scan, which should be done in 'Safe Mode' (a link on how to go into 'safe' is given below).

    Failing all that, you will need to try manual removal. The file you need to delete is rmaou.dll, which is located at C:\WINDOWS.

    i.e. the file path is C:\WINDOWS\rmaou.dll

    To be sure of finding it you first need to bring up Windows Explorer and then:-

    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Once you've done that you should attempt to locate and delete the file. If it will not delete you should first attempt to 'unregister' the .dll. as follows:-

    To unregister rmaou.dll:-
    Click the Start button, and select Run
    Type in this command line:

    regsvr32 /u C:\WINDOWS\rmaou.dll

    (Note the spaces are also important - these are between '32' and '/' and between 'u' and 'C'). Finally click O.K.

    Now you must reboot into 'Safe Mode' as per here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    Once you're in 'safe' you should once more locate and attempt to delete rmaou.dll.

    If even that fails, I will give some alternate ideas.
     
    Last edited: Jul 24, 2005
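The post above leaves the cache clean-up to CCleaner because the Java control panel could not be found. What both do is simply delete files: the report earlier in the thread shows the cache living under <profile>\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\, with each downloaded applet JAR stored as an ordinary ZIP named <jar>-<hash>-<hash>.zip. The Python below is an added example (not from the thread, Sun, or CCleaner) that lists the .class entries in each cached file before deleting it, so there is a record of what was there; the sample cache it builds in a temporary directory, the placeholder class bytes, and the assumption that nothing but cached JARs lives in that directory are mine.

```python
"""Inventory and purge a Sun Java deployment cache directory.

Added example for this thread; not from any post, Sun, or CCleaner.
Assumes the cache directory holds only files the plug-in cached, as in the
report above. A cached JAR does not run by itself: the plug-in loads it
again only when a page referencing that applet is visited, so deleting the
files is safe and the plug-in re-downloads whatever it still needs.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path

# Relative layout seen in the report's paths, below <profile>\Application Data.
CACHE_REL = Path("Sun") / "Java" / "Deployment" / "cache" / "javapi" / "v1.0" / "jar"


def cached_jars(cache_dir):
    """Every file in the cache, whatever its extension."""
    return sorted(p for p in Path(cache_dir).iterdir() if p.is_file())


def list_classes(jar_path):
    """Return the .class entries in one cached JAR, or [] if it is not a
    readable ZIP (a truncated download, or something else dropped there)."""
    if not zipfile.is_zipfile(jar_path):
        return []
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(".class"))


def inventory(cache_dir):
    """Map each cached file name to the class names it contains."""
    return {p.name: list_classes(p) for p in cached_jars(cache_dir)}


def purge(cache_dir):
    """Delete every cached file; return the names removed, in order."""
    removed = []
    for p in cached_jars(cache_dir):
        p.unlink()
        removed.append(p.name)
    return removed


def build_sample_cache(root):
    """Constructed sample: two cached JARs carrying the entry names from the
    Kaspersky report in the thread, plus one file that is not a ZIP at all.
    Entry bodies are placeholder bytes, not real bytecode."""
    cache = Path(root) / CACHE_REL
    cache.mkdir(parents=True)
    sample = {
        "count.jar-652b4e66-3deaa5c9.zip":
            ["BlackBox.class", "VerifierBug.class", "Beyond.class"],
        "msjld.jar-5fa973e1-7e4efb10.zip":
            ["GetAccess.class", "InsecureClassLoader.class",
             "Dummy.class", "Installer.class"],
    }
    for name, entries in sample.items():
        with zipfile.ZipFile(cache / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"placeholder, not bytecode")
    (cache / "broken.jar-00000000-00000000.zip").write_bytes(b"not a zip")
    return cache


def demo():
    """Build a throwaway profile, inventory it, purge it; return all three."""
    root = tempfile.mkdtemp()
    try:
        cache = build_sample_cache(root)
        before = inventory(cache)
        removed = purge(cache)
        after = inventory(cache)
        return before, removed, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, removed, after = demo()
    for name, classes in before.items():
        print(name, classes)
    print("removed:", removed, "left:", after)
```

On a real XP profile, point `inventory()` and `purge()` at `%USERPROFILE%\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar` (with hidden files shown, as the post describes); the DLL in C:\WINDOWS is outside the cache and still needs the separate removal steps above.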
  9. Lana

    Lana Guest

    I ran CCleaner, and it cleared out a lot of files, so hopefully that got rid of some.

    I used the AdAware yesterday before I ran the virus scan, and it had cleared out 10 new objects.

    Kaspersky didn't give me the option to delete the files.

    I don't really understand the removal tool from securityresponse.symantec.com, so I don't think I will be able to do that.

    There is no file called "rmaou.dll" under the WINDOWS folder. Is it in a sub folder?

    I will run the Kaspersky scanner again to see if the CCleaner really cleared the viruses.
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Don't bother with the Symantec tool if you don't understand it, it may not have worked anyway.

    When you do the KAV scan, do look at the options before you start and see if one of them enables you to 'clean' rather than just 'report' findings; 'cos if KAV can get rid of the 'bug' it will save a lot of bother.

    I've got my fingers crossed that the reason you couldn't find "rmaou.dll" is 'cos AdAware got rid of it!

    BTW - you did 'unhide' your 'hidden' files when you looked for "rmaou.dll" didn't you?
     
  11. Lana

    Lana Guest

    There is no choice that enables me to "clean" instead of just "report", on KAV.

    Yes, I did unhide hidden files.

    I scanned again, and the viruses are still on my computer.
     
  12. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Just use a couple of the free scanners in my signature instead, Like Trend-Micro & Panda. :)
     
  13. Lana

    Lana Guest

    I just used PAS, and it cleared most of the infected files off of my computer.

    It says there is still AdAware on my computer, so I am once again running AdAware.

    Do you know of any other Spyware programs I can try?
     
  14. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Use Housecall; it also removes spyware. You could also try Microsoft AntiSpyware: http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en and use a hosts file: http://www.mvps.org/winhelp2002/hosts.htm which should be updated when new versions appear.
     
  15. Lana

    Lana Guest

    After doing all of this, 6 viruses still remain on my computer.
    And even more unwanted ads are popping up.
    They are called "yeildmanager" or something.
     
  16. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You may want to post a HijackThis log over here,

    http://gladiator-antivirus.com/forum/index.php?showtopic=10517

    for analysis by the experts on the remaining malware on your system.

    Just follow the instructions first before you post a log.


    snowbound
     
  17. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    A2 free has a very large almost daily updated database. this will find and clean also.
     
  18. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
  19. Boo

    Boo Guest

    Ok, I am at my wits' end right about now :mad: . I just scanned my computer with AVG and came up with 6 viruses (two of each):

    Trojanhorse java/classloader - infected/embedded object
    Java/ByteVerify
    Trojanhorse BackDoor.Generic.GGB.

    Now, I ran Spybot and Stinger but it didn't help :mad: AVG isn't helping one bit except to tell me I have viruses; I don't need to hear that, I need it to remove the stupid things from my computer :mad:

    Can somebody please please please help me out in my misery and tell me what else there is to do o_O
     
  20. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  21. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    lol,

    guess i should look :rolleyes: up a few posts as to not dupe myself. :p

    Oh well...never hurts to repeat yourself once in a while. ;) :D


    snowbound
     
  22. dellboy

    dellboy Registered Member

    Joined:
    Sep 11, 2004
    Posts:
    2
  23. Boo

    Boo Guest

    Hi Dellboy, I did the Trend Micro Housecall but got a pop up asking to install ActiveX control 'Xscan60.cab' from Trend Micro, Inc... Did you get the same pop up?

    Boo
     
  24. Beefcarver

    Beefcarver Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    263
    Location:
    michigan
    I read that if you open the Java plugin in your control panel and uncheck the 'enable caching' box, and do this in IE also, the infection cannot return. Is this true?
    I did it and have not had the java byte verify exploit return yet.
     
  25. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I use Opera and FireFox and always use this site in the UK for Trend Micro online scan,

    http://uk.trendmicro-europe.com/consumer/housecall/housecall_pre.php


    snowbound
     