Scan Results

Discussion in 'NOD32 version 2 Forum' started by Just visiting, Nov 24, 2004.

Thread Status:
Not open for further replies.
  1. Did a scan per Mr. Blackspear's recommendations. Got about 40 plus red entries in the log along with a zillion blue ones. The only option open in the dialog boxes for these items was "leave." What does all this mean?

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-40fdd9b9.zip »ZIP »Dummy.class - Java/Exploit.Bytverify trojan

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter2.jar-642f09e-266b9302.zip »ZIP »counter.class - Java/ClassLoader.B trojan

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\WebCounter.jar-645176f1-3202a1f7.zip »ZIP »a.class - Java/Shinwow.A trojan

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-6bb41746-4b1926c2.zip »ZIP »Dummy.class - JS/IEStart trojan

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-620a9ba0.zip »ZIP »Installer.class - Java/OpenConnection.F trojan
     
  2. Gauthreau

    Gauthreau Guest

    By the looks of things, your computer has a trojan virus. With the only option as leave, my GUESS would be that they are locked in the memory somewhere and are currently being used by the system, thus NOD is not able to remove them right now.

    My recommendation would be to get trojanhunter (free trial version found at http://www.trojanhunter.com/ ), turn off system restore (WinME/XP), delete your cache and temp files and then run both NOD and trojan hunter.

    Neil
     
  3. Gauthreau

    Gauthreau Guest

  4. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Actually, the easy way to get rid of this trojan, since it is located in your java application, is to go to the Control Panel, click on Java Plug In, click on cache tab, and click on Clear. It will clear the cache of java and will delete the trojans. Also, if you are using MS Java Machine, there was an update posted not too long ago that will block this exploit. If you are using Sun Java (which you must be), the trojan is trapped in the cache files, and you can delete it by using the above directions.
    Also, if you disable caching, you will not be reinfected by the same trojan anymore.
     
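As an added illustration of jayt's point (not code from the thread or from Eset), a Python script that parses NOD32 log lines of the form quoted above and checks whether every detection sits under the Sun Java deployment cache, in which case clearing the plug-in cache covers all of them; the sample log is constructed from the thread's own lines plus one hypothetical entry outside the cache with a placeholder detection name.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the NOD32 lines quoted in the thread plus one
# hypothetical detection outside the Java cache (placeholder name).
SAMPLE_LOG = r"""
C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-22500802-40fdd9b9.zip »ZIP »Dummy.class - Java/Exploit.Bytverify trojan
C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter2.jar-642f09e-266b9302.zip »ZIP »counter.class - Java/ClassLoader.B trojan
C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\a.jar-6bb41746-4b1926c2.zip »ZIP »Dummy.class - JS/IEStart trojan
C:\WINDOWS\system32\example.dll - Win32/Hypothetical.A trojan
"""

# One log line: <file path> [»<archive type> »<member> ...] - <detection> <kind>
LINE_RE = re.compile(
    r"^(?P<path>.+?)(?:\s*»(?P<chain>.+?))?\s+-\s+(?P<detection>\S+)\s+(?P<kind>\w+)\s*$"
)

# Sun Java plug-in deployment cache, matched anywhere in the path (case-insensitive).
JAVA_CACHE_MARKER = ("sun", "java", "deployment", "cache")


def in_java_cache(path: str) -> bool:
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    n = len(JAVA_CACHE_MARKER)
    return any(parts[i:i + n] == JAVA_CACHE_MARKER for i in range(len(parts) - n + 1))


def parse_log(text: str) -> list:
    """Parse scan log lines into dicts; lines that do not match are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        chain = m.group("chain")
        hits.append({
            "path": m.group("path"),
            "members": chain.split(" »") if chain else [],  # e.g. ["ZIP", "Dummy.class"]
            "detection": m.group("detection"),
            "kind": m.group("kind"),
            "java_cache": in_java_cache(m.group("path")),
        })
    return hits


def triage(text: str) -> dict:
    """Summarise whether clearing the Java cache alone would cover every hit."""
    hits = parse_log(text)
    elsewhere = [h["path"] for h in hits if not h["java_cache"]]
    return {
        "total": len(hits),
        "in_java_cache": len(hits) - len(elsewhere),
        "elsewhere": elsewhere,
        "cache_only": bool(hits) and not elsewhere,
    }
```

Any path listed under "elsewhere" is one the cache-clearing step does not touch and still needs a separate scan and clean-up.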
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The Blue ones are ok, nothing wrong there. The Red ones need fixing. There are further very comprehensive cleaning instructions in post number 2 here: https://www.wilderssecurity.com/showthread.php?t=47830

    There is a thread here for tweaking Nod32: https://www.wilderssecurity.com/showthread.php?t=37509

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Yeah, well my first recommendation would be to pull the plug (i.e. kill the internet connection completely) on the infected system, like NOW, not after screwing around with anything else.

    Then, as the Eset moderator Marcos has requested before, send a HijackThis log to support@nod32.com.
     
  7. Well, after reviewing all the replies to my original post, I took the easy way out and tried Mr. Jayt's suggestion. It was painless and quick to do.

    Scanned again. This time NOD32 found ZERO viruses. Apparently Mr. Jayt knows of what he speaks (no offense intended to anyone else who tried to help me).

    I'm a little bummed out that NOD32 let me down on this one. Up to now there has NEVER been an invader on my system, at least to the best of my knowledge there hasn't been. Of course this is the first time that I've used that "in depth" scan feature, too.

    Do you think that trojan was actually active on my system?
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If it was active AMON would have pounced on it. With Trojans, they are generally injected into memory and as such require a reboot into Safe Mode and a scan by Nod32, in order for it to be removed.

    Do you have the latest version of Nod32 2.12.3?

    Cheers :D
     
  9. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA