Problem cleaning a virus

Discussion in 'NOD32 version 2 Forum' started by DanL, Jan 22, 2005.

Thread Status:
Not open for further replies.
  1. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    Last night during a scheduled scan NOD32 found an infiltration, actually 2 java viruses.

    C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv200.jar-28004791-598ad0aa.zip »ZIP »Dummy.class - Java/Dummy trojan

    NOD32 said the infiltration could not be cleaned.
    I tried to quarantine but got an error message.

    Thinking it could possibly be a false alarm I went to Trend Micro online scan and it also picked up
    the problem but with a different name.

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JAVA_BYTEVER.A

    Trend Micro also claimed the virus could not be cleaned.
    When I tried to delete, I got the message "file in use can not be deleted".

    Any suggestions?

    How did this get in with NOD32 running? It's only been a few days since my last clean scan.
    I'm using Blackspear's advanced settings.

    Thanks

    Dan
     

  2. Atangel

    Atangel Registered Member

    Joined:
    Aug 29, 2004
    Posts:
    53
    It's in the applet cache...

    Clean your browser and Java cache (for Java 2 > Control Panel > Java Plug-in > Cache Tab (varies slightly) > Click Clear Cache )
     
  3. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    Thanks for the reply! I also found another thread on this but when I go to control panel
    I don't see any option for java.

    Dan
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Switch to the classic mode in control panel.
     
  5. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    I disabled system restore and cleared the java cache. Re-boot and re-scan.
    That seems to have fixed the problem. Thanks!

    Now, how did it get there with NOD32 running and what do I need to do,
    so this won't happen again?

    I'm running NOD32 with Blackspear's extra settings, Trojan Hunter, Spysweeper, Spybot S&D, Lavasoft Ad-Aware SE Plus, ZA Pro, and Window Washer, which automatically cleans at browser close.

    Dan
     
  6. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    Since you're running the more common Sun Java instead of the now-unsupported (I think) Microsoft Java, this exploit poses no threat to you. It exploits the Microsoft Java Virtual Machine to allow those malicious files onto your computer through a usually hidden malicious Java applet. This is an old and common problem, but it has yet to die out because of insecure and unknowing users.

    Oh, and these exploits, like many others, usually come from pornographic websites :ninja:
     
  7. DanL

    DanL Registered Member

    Joined:
    Nov 25, 2004
    Posts:
    159
    Is there any way to stop it from getting in the system?
    Wondering if the Firefox browser would be immune to this?
     
  8. Atangel

    Atangel Registered Member

    Joined:
    Aug 29, 2004
    Posts:
    53
    Not a browser issue, per se (unless you are using MS Java) but a Java issue. If you disable Java in FF, then Java won't work and any related Java issues disappear, as does any legit Java functionality :(

    With the newer Java, it downloads the malicious applet, but the applet is impotent.
     
  9. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi DanL:

    This may be part of the answer you were seeking. The Java/Dummy was just added here:

    NOD32 - v.1.977 (20050120)
    Virus signature database updates:
    IRC/SdBot.CVB, IRC/SdBot.CVC, IRC/SdBot.CVD, Java/Dummy

    Setting up a Scheduled Scan using the Execution of an external application starting @ Post #20 here and having it scan when the virus signature database is updated, will assist with new detections.

    I generally add the /delete switch in addition to the /clean so archives (which cannot be cleaned) will be deleted. It depends upon how comfortable you are with automation. Using the Execution of an external application at this time does not place a copy in quarantine (option not available). No recovery is possible from within NOD32 using this method (in the case of a false positive); System Restore perhaps.
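The cache inspection Atangel suggests in post 2 and the false-positive concern rumpstah raises in post 9 (a /delete leaves nothing to recover) can be shown together in one script. This is an added example, not code from the thread, from NOD32 or from Sun: it walks a Java Plug-in deployment cache laid out like the one in Dan's detection path, lists each cached archive's entries, reports archives containing the flagged class name (`Dummy.class`, the only name the thread gives), and moves hits into a quarantine folder with a JSON record so a false positive can be put back. The cache layout, the `quarantine`/`restore` functions and the sample archives are assumptions constructed for the demo; the sample archives contain placeholder bytes, not real class files.

```python
"""Added example: inspect a Java Plug-in deployment cache for a flagged class
and quarantine (not delete) the archives that contain it, keeping a record so
the move can be undone. Paths and sample data are constructed assumptions."""
import json
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Class name the scanner reported inside the cached archive (from the thread).
SUSPECT_CLASS = "Dummy.class"


def cached_archives(cache_root):
    """Yield every file under cache_root that parses as a ZIP/JAR archive."""
    for root, _dirs, files in os.walk(cache_root):
        for name in files:
            path = Path(root) / name
            if zipfile.is_zipfile(path):
                yield path


def archive_members(path):
    """Return the entry names of an archive, or [] if it cannot be read."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return []


def find_suspects(cache_root, suspect_class=SUSPECT_CLASS):
    """Return the cached archives holding an entry whose base name matches."""
    return sorted(
        p for p in cached_archives(cache_root)
        if any(m.rsplit("/", 1)[-1] == suspect_class for m in archive_members(p))
    )


def quarantine(archive, quarantine_dir):
    """Move archive into quarantine_dir and write a JSON record of its origin.

    Returns the quarantined path, or None if the move fails, e.g. the file is
    still open in the browser's JVM (the "file in use" error in the thread)."""
    archive, qdir = Path(archive), Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest, n = qdir / (archive.name + ".quar"), 1
    while dest.exists():                     # never clobber an earlier copy
        dest, n = qdir / f"{archive.name}.{n}.quar", n + 1
    try:
        shutil.move(str(archive), str(dest))
    except OSError:
        return None
    record = dest.with_name(dest.name + ".json")
    record.write_text(json.dumps({"original": str(archive), "quarantined": str(dest)}))
    return dest


def restore(quarantined_path):
    """Undo quarantine() using its JSON record; returns the restored path."""
    quarantined_path = Path(quarantined_path)
    record = quarantined_path.with_name(quarantined_path.name + ".json")
    original = Path(json.loads(record.read_text())["original"])
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(quarantined_path), str(original))
    record.unlink()
    return original


def build_sample_cache(root):
    """Constructed sample cache: one archive with Dummy.class, one benign one.
    The layout mirrors the thread's .../Deployment/cache/javapi/v1.0/jar path."""
    jar_dir = Path(root) / "Sun/Java/Deployment/cache/javapi/v1.0/jar"
    jar_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(jar_dir / "loaderadv200.jar-28004791-598ad0aa.zip", "w") as zf:
        zf.writestr("Dummy.class", b"\xca\xfe\xba\xbe placeholder, not a real class")
    with zipfile.ZipFile(jar_dir / "applet.jar-11111111-22222222.zip", "w") as zf:
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe placeholder")
    return jar_dir


def run_demo():
    """Scan a constructed cache, quarantine hits, then restore them; return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        cache, qdir = Path(tmp) / "cache", Path(tmp) / "quarantine"
        build_sample_cache(cache)
        hits = find_suspects(cache)
        moved = [quarantine(h, qdir) for h in hits]
        quarantined_ok = all(m is not None and m.exists() for m in moved)
        hits_after = len(find_suspects(cache))
        restored = [restore(m) for m in moved if m is not None]
        return {
            "hit_names": [h.name for h in hits],
            "quarantined": quarantined_ok,
            "hits_after_quarantine": hits_after,
            "restored_ok": all(r.exists() for r in restored),
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real machine you would point `find_suspects` at the profile's `Application Data\Sun\Java\Deployment\cache` directory and quarantine outside it; if `quarantine` returns None the archive is still held open, which is exactly why the thread's advice is to close the browser (or reboot) and rescan before clearing the cache.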

     