Author Topic: Trojan: Ewido and Avast  (Read 4958 times)


jhiker

  • Guest
Trojan: Ewido and Avast
« on: April 19, 2006, 09:28:55 PM »
I have a persistent trojan, Win32:Dialer-520[Trj].
Avast detects its attempts to connect and I can abort the connection.
I have just installed Ewido and run it, and it found several infections which it duly quarantined.
Among those 'infections' were several files in the Avast4/Data/moved/ folder, including:
GetAcces.class.vir
GetAcces.class.2.vir
InsecureClassLoader.class.2.vir
InsecureClassLoader.class.vir
Installer.class.2.vir
Installer.class.vir
PopCapLoader.dll
VerifierBug.class.vir
Dummy.class.vir
These are now quarantined.
Are they false positives, or did I do right to quarantine them?
Will Avast work without these files?
Should I restore them?

Any advice would be appreciated.





jhiker

  • Guest
Re: Trojan: Ewido and Avast
« Reply #1 on: April 19, 2006, 09:31:21 PM »
No sooner had I posted this than I got an alert...!

File name: http://www.impotato.com/a412/a571.php?m=1&b=779&c=3\[UPX]
Malware:  Win32:Dialer-520[Trj]

How the hell do I get rid of it...

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11657
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Trojan: Ewido and Avast
« Reply #2 on: April 19, 2006, 09:34:54 PM »
If they were in Avast4/Data/moved, it simply means that avast previously found them and you told it to move them there...

So, they're indeed real, that is, avast detects them as well.
If at first you don't succeed, then skydiving's not for you.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan: Ewido and Avast
« Reply #3 on: April 19, 2006, 09:45:28 PM »
Hi jhiker,

This problem has been dealt with before:

http://forum.avast.com/index.php?topic=20503.0

One of the anti-spyware/anti-Trojan programs I recommended there must have removed it.

The malware you mention in your post looks like Java exploits: clean out your Java cache and make sure you have the latest version of Java:

http://www.java.com/en/download/help/cache_virus.xml

http://www.java.com/en/download/index.jsp

avast! Webshield should prevent this malware from getting onto your computer in the future.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

jhiker

  • Guest
Re: Trojan: Ewido and Avast
« Reply #4 on: April 19, 2006, 10:12:54 PM »
Cheers!

When I open the Java application I don't see a 'cache' button, but I do see a 'Temporary Internet Files' button and an option to delete them.
Is that what you're referring to?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan: Ewido and Avast
« Reply #5 on: April 19, 2006, 10:31:54 PM »
That's correct. In newer versions of Sun Java, 'Cache' is replaced by 'Temporary Internet Files'.

It's also critical to remove older versions of Java from Add/Remove programs (if present) because malware can exploit older, vulnerable versions if present.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trojan: Ewido and Avast
« Reply #6 on: April 19, 2006, 10:36:39 PM »
As an addition, the default cache setting is 1000 MB; I'd suggest bringing that down to about 20.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: Trojan: Ewido and Avast
« Reply #7 on: April 20, 2006, 02:49:07 AM »
It's also critical to remove older versions of Java from Add/Remove programs (if present) because malware can exploit older, vulnerable versions if present.
Yes... installing the new versions does not remove the old ones  :-\ :'(
The best things in life are free.

Spiritsongs

  • Guest
Java
« Reply #8 on: April 20, 2006, 06:15:27 PM »
:) Hi JHiker:

We could advise you better about your Java "situation" if you would go to Internet Options, click the "Advanced" tab, look through the listing until you see "Java", and post here what it says.

jhiker

  • Guest
Re: Trojan: Ewido and Avast
« Reply #9 on: April 20, 2006, 10:13:59 PM »
It says..
Use JRE 1.5.0_05 for <applet> (requires restart)

JIT compiler for virtual machine enabled (requires restart)

Threw me for a moment there - I use Firefox by default and couldn't find the tab!

Spiritsongs

  • Guest
Java's
« Reply #10 on: April 21, 2006, 12:17:31 AM »
:) Hi JHiker:

The "JIT compiler for virtual machine" is for the now abandoned Microsoft "Virtual Machine", and that setting should be turned "OFF"; the "JRE 1.5.0_05" is for Sun's. However, it indicates you are 1 update behind, which happens to be a serious security risk. Therefore, I recommend you uninstall ALL your Sun Java version(s), then go to www.java.com/en and get their latest (Update 6). You currently have "Update 5". Since you MAY have Microsoft's "Virtual Machine" on your computer, it would be advisable to read the info at:
http://www.bleepingcomputer.com/tutorials/tutorial97.html

drhayden1

  • Guest
Re: Trojan: Ewido and Avast
« Reply #11 on: April 21, 2006, 12:44:07 AM »
I just read this post, uninstalled the old Java and put on version 06, went back to java.com to verify the installation (OK), and went to Internet Options > Advanced, and it's there. How can I tell if I have Microsoft Virtual Machine on here, and if yes, should it be removed?
« Last Edit: April 21, 2006, 12:49:06 AM by drhayden1 »

Spiritsongs

  • Guest
Microsoft Virtual Machine
« Reply #12 on: April 21, 2006, 01:33:54 AM »
:) Hi DrHayden:

There are several ways to discover if one has Microsoft's Virtual Machine ("VM") on their computer:
1) See if "JIT compiler for virtual machine..." is listed under "Java" in the Internet Options > Advanced menu, like it is in jhiker's;
2) Check your Add/Remove Programs for a listing similar to "Microsoft VM", "Microsoft virtual machine", etc.;
3) Use your computer's "Search > All files and folders" using search terms like the ones stated above.

DEFINITELY, Microsoft's Virtual Machine AND Sun's Java should NOT be on the same computer; the bleepingcomputer site I listed has the removal guide.
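As an added illustration (not from this thread or from any of the posters), here is a PowerShell script that checks the same things the replies above describe doing by hand: the Add/Remove Programs entries for leftover Java runtimes (a new JRE install does not remove the old ones), Sun's own registry key for the JRE the browser plugin uses, and indicators of the retired Microsoft Java VM. The uninstall registry paths and the JavaSoft key are the standard Windows locations; the msjava.dll file name is assumed here as the Microsoft VM's core library, so adjust the match patterns to what your environment actually shows.

```powershell
# Added example, not part of the thread: audit a Windows machine for multiple
# installed Java runtimes and for leftovers of the retired Microsoft Java VM.
# Assumptions: the standard Uninstall registry keys, the JavaSoft key written
# by Sun's installer, and msjava.dll as the Microsoft VM's core library.

$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Every Add/Remove Programs entry is a subkey here; DisplayName is what the
# dialog shows. Older Sun JREs register as "J2SE Runtime Environment ...".
$entries = @(Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, UninstallString)

$javaRuntimes = @($entries | Where-Object {
    $_.DisplayName -match 'J2SE Runtime|Java\(TM\)|Java \d|Java Runtime|JRE'
})

Write-Host "Installed Java runtimes:"
$javaRuntimes | Format-Table DisplayName, DisplayVersion -AutoSize

if ($javaRuntimes.Count -gt 1) {
    Write-Warning ("{0} Java runtimes found; installing a new JRE does not remove " +
                   "the old ones, so uninstall every version except the newest." -f
                   $javaRuntimes.Count)
}

# Sun's installer records which JRE is current; this is the one the browser
# plugin (the "Use JRE x.y.z for <applet>" option) will load.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    $current = (Get-ItemProperty -Path $jreKey).CurrentVersion
    Write-Host "JavaSoft CurrentVersion: $current"
}

# Microsoft VM indicators: an Add/Remove entry, or its core DLL in System32
# (msjava.dll is assumed here as the VM's library name).
$msvmEntries = @($entries | Where-Object {
    $_.DisplayName -match 'Microsoft VM|Microsoft Virtual Machine'
})
$msjava = Join-Path $env:SystemRoot 'System32\msjava.dll'

if ($msvmEntries.Count -gt 0 -or (Test-Path $msjava)) {
    Write-Warning "Microsoft Java VM appears to be present; remove it rather than running it beside Sun Java."
    $msvmEntries | Format-Table DisplayName, DisplayVersion -AutoSize
    if (Test-Path $msjava) { Write-Host "Found $msjava" }
} else {
    Write-Host "No Microsoft VM indicators found."
}
```

Run it from an elevated PowerShell prompt so both registry hives are readable; the warnings correspond to the two manual checks in the replies above (more than one JRE listed, and any Microsoft VM leftover), and the JavaSoft CurrentVersion line tells you which update the browser plugin is actually using, which is what the Internet Options > Advanced listing reflects.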

drhayden1

  • Guest
Re: Trojan: Ewido and Avast
« Reply #13 on: April 21, 2006, 01:45:57 AM »
Thanks, Spiritsongs. I remember when I had Java 05, VM was in my Internet Options > Advanced, but when I took 05 off and put Java 06 on, VM is nowhere in sight. Have a good bleeping one ;D :o