Author Topic: Virus in Java program files?  (Read 9898 times)


Hubbaman

  • Guest
Virus in Java program files?
« on: January 03, 2011, 08:25:41 PM »
Hi,
I have been using Avast Free Antivirus for some time, but this is my first serious (?) infection. On this system, I have had Avast installed since May 2010. This weekend, Avast reported three threats found among my Java program files:

C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\12670d29-5ec793ee|>gogol\Emailer.class
C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\12670d29-5ec793ee|>gogol\Familie.class
C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\12670d29-5ec793ee|>gogol\PhonBook.class

Here is what I did:
1. I chose to let Avast move the files to the virus chest.
2. I downloaded and ran Malwarebytes' Anti-Malware. It found no threats, except Trojan.Downloader which was located on a storage drive where I had dumped all files from an old computer. (The file was \I386\WUAUENG.DLL). This file was successfully quarantined and deleted by MBAM.
3. Ran full Avast scan again, no threats found.
4. Ran full MBAM scan again, no threats found.

Then I wanted to find out what this threat was, and started searching the web. That soon made me want to look at the Avast log file, but the log file from the scan that reported the threats is now gone. Is there any reasonable explanation for this? I find it hard to understand how I could have deleted it accidentally. Under Maintenance, I have the default auto-cleanup setting that temporary logs older than 1 day are to be deleted. Does it mean that the log I saw was just a temporary one? That's the most interesting log I have seen so far, why would it be just a temporary one?

When I check the Avast chest, I see only two entries, not three:

12670d29-5ec793ee.idx - original location C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\

gogol\Emailer.class - original location C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\12670d29-5ec793ee

So my questions are:
1. Where is the missing log file?
2. Why are there only two items in the virus chest, when I chose the same action for three threats?
3. Should I consider my system to be safe now?

Thanks in advance for your advice!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89060
  • No support PMs thanks
Re: Virus in Java program files?
« Reply #1 on: January 03, 2011, 09:06:24 PM »
They aren't JAVA program files, they are just in the java cache location. These are normally exploits in old versions of JAVA.

What was the malware name given by avast on these detections ?

- I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

MBAM Related:
1. I wouldn't expect MBAM to find anything if they were moved to the avast chest, a protected area.

2. What did MBAM call the malware found in wuaueng.dll ?
This is a legit file name (doesn't mean it isn't infected) http://www.processlibrary.com/directory/files/wuaueng/21122/, but needs further investigation, see #### below.

Your avast questions:
1. I don't know what log you mean, as the items detected weren't logs ?
2. File size could be a factor; over a certain size it might not be placed in the chest (but you should get an error at the time).
3. I would say it is a reasonable assumption but you need to ensure JAVA is up to date or this exploit (if that is what it is) could be back.

####
You could also check the offending/suspect wuaueng.dll file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can't do this with the file securely in the MBAM Quarantine; you would have to restore it from quarantine first.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
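
Added example (not part of the thread, and not Avast or Oracle code): a read-only triage script for the point made in the reply above, that the detections sit inside a cached download rather than in Java's own program files. It assumes that `|>` in the Avast paths separates the cache entry from the member inside it and that the cache entry is a ZIP/JAR-format file; `build_sample_cache` and its `Main.class` member are constructed stand-ins.

```python
import hashlib
import zipfile
from pathlib import Path, PureWindowsPath

MAX_MEMBER_BYTES = 16 * 1024 * 1024  # never inflate oversized members (zip bombs)
# Detection lines as quoted in the first post of the thread.
PREFIX = r"C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41"
DETECTIONS = [PREFIX + "\\12670d29-5ec793ee|>gogol\\" + name
              for name in ("Emailer.class", "Familie.class", "PhonBook.class")]

def flagged_members(lines):
    """Group detections as {cache entry: {member, ...}}.
    Assumption: '|>' separates the container file from the member inside it."""
    groups = {}
    for line in lines:
        container, sep, member = line.partition("|>")
        if sep:  # lines without '|>' name a plain file, not an archive member
            entry = PureWindowsPath(container).name
            groups.setdefault(entry, set()).add(member.replace("\\", "/"))
    return groups

def inventory_cache(cache_dir):
    """Hash every member of each ZIP/JAR-format cache entry; nothing is executed."""
    report = {}
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file() or not zipfile.is_zipfile(path):
            continue  # skips folders and non-archives such as the .idx file
        with zipfile.ZipFile(path) as jar:
            for info in (i for i in jar.infolist() if not i.is_dir()):
                small = info.file_size <= MAX_MEMBER_BYTES
                digest = hashlib.sha256(jar.read(info)).hexdigest() if small else None
                report.setdefault(path.name, {})[info.filename] = digest
    return report

def triage(cache_dir, lines):
    """Rows of (entry, member, sha256, was_flagged) for every flagged cache entry."""
    flagged = flagged_members(lines)
    return [(entry, name, digest, name in flagged[entry])
            for entry, members in inventory_cache(cache_dir).items() if entry in flagged
            for name, digest in sorted(members.items())]

def build_sample_cache(root):
    """Constructed stand-in for the cache folder; member bytes are harmless text."""
    folder = Path(root, "6.0", "41")
    folder.mkdir(parents=True)
    (folder / "12670d29-5ec793ee.idx").write_bytes(b"constructed index")
    with zipfile.ZipFile(folder / "12670d29-5ec793ee", "w") as jar:
        for name in ("Emailer", "Familie", "PhonBook", "Main"):
            jar.writestr(f"gogol/{name}.class", f"constructed {name}".encode())
    return root
```

Run against a copy of the real cache folder, `triage` gives a per-member hash list for the flagged entry that survives after the scanner's result window is closed, and the hashes can be looked up without uploading or restoring anything.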

Hubbaman

Re: Virus in Java program files?
« Reply #2 on: January 03, 2011, 09:43:59 PM »
> What was the malware name given by avast on these detections ?

I don't remember exactly, and there is no log... But I think it may have been Js:pdfka-aiu.

> 2. What did MBAM call the malware found in wuaueng.dll ?

I don't remember if there was any more info at the time, but the MBAM log says:
\I386\WUAUENG.DLL (Trojan.Downloader) -> Quarantined and deleted successfully.

> 1. I don't know what log you mean, as the items detected weren't logs ?

I meant the log file from the scan when the threats were detected. I know it was there in the list of log files that day, it even had some text in red saying "threats detected" or something similar. Now there are just log files saying no virus found. So maybe it was a temporary log? If so, what is the point of a temporary log?

I ran the MBAM scan because it seems to be standard procedure when I read other posts on this forum.  :)

Thanks for your help.

Offline DavidR

Re: Virus in Java program files?
« Reply #3 on: January 03, 2011, 11:17:01 PM »
MBAM 1. - Check the MBAM interface, Logs, that should retain the log.
OK, Trojan.Downloader is a bit of a generic name and I suspect it may be a false positive, so you need to check it out as I said; a copy will be in quarantine and you need to restore that.

Avast 1. If you have closed the scan interface since this detection, it won't be in the scan Report File from the UI. First you have to have set it up to save the scan log, from the Scan Computer (whichever scan you did, Quick, Full, etc.), settings, Report. You will need to find it here: C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\Quick scan.txt (if it was the quick scan you did). This is for XP; for Vista/Win7 it should be in this folder: c:\ProgramData\Alwil Software\Avast5\Report.

Hubbaman

Re: Virus in Java program files?
« Reply #4 on: January 04, 2011, 12:46:22 AM »
MBAM 1:
OK, I restored the file from the MBAM quarantine and sent it to Virustotal. Here is the result:
https://www.virustotal.com/file-scan/report.html?id=f1fcfefa6dd3c5de63219901f9cd058bf4556137a67c7aaf0695e39718d72126-1294096869

Avast 1:
I cannot find the folder c:\ProgramData\Alwil Software\Avast5\Report.
Only these folders:
c:\ProgramData\Alwil Software\Avast5\1044
c:\ProgramData\Alwil Software\Avast5\defs
c:\ProgramData\Alwil Software\Avast5\flash
c:\ProgramData\Alwil Software\Avast5\Setup
(Although with a slightly different path, I am running Windows 7 on a non-English pc.)

Regarding the scan logs, I have it set to delete logs older than 30 days and temporary logs older than 1 day. These are the default settings, I think. Should I change anything here or somewhere else? Sorry, but I'm not sure I follow you on this point.

I did not do a quick scan when the threats were detected. If I'm not mistaken, I right-clicked C in Explorer and clicked "Scan C" with Avast. I'm not 100 % sure, though.

Offline DavidR

Re: Virus in Java program files?
« Reply #5 on: January 04, 2011, 01:12:28 AM »
This is, as I suspected, a false positive by MBAM.

Where you are looking is the Program Files folder (see image1). Where you should be looking is ProgramData, image2. However, that is a hidden folder unless you have changed the Windows default settings. Windows Explorer, Tools, Folder Options, View, and check the Show hidden files, folders and drives option.

Hubbaman

Re: Virus in Java program files?
« Reply #6 on: January 04, 2011, 01:32:27 AM »
Thanks, I found the report folder now. These are the files there:
BehaviorShield.txt
EmailShield.txt
FileSystemShield.txt
IMShield.txt
NetworkShield.txt
P2PShield.txt
WebShield.txt

Are you saying that I need to change some setting in Avast for the logs to be found here?

Thanks for your help so far! I really have to sign off now, but will be back tomorrow.


Offline DavidR

Re: Virus in Java program files?
« Reply #7 on: January 04, 2011, 01:44:42 AM »
OK, this will keep to tomorrow.

For then, if you used the Right click scan (Explorer menu scan), it won't appear in any of the ones listed, they are the real-time shield reports.

The on-demand scans have their own report feature, but you have to switch them on. In the Scan Computer, whichever scan you are doing (Quick, Full, etc.) click its Settings button, Report File and enable the report.

To do the same thing for the Windows Explorer scan you have to have Special Scans shown in the Scan Computers section. To do this use the avastUI, Settings, Basic section, Special Scans and check the Show special scans in avast! user interface, see image. This will allow you to enable a report file for those scans.

Hubbaman

Re: Virus in Java program files?
« Reply #8 on: January 04, 2011, 09:34:42 PM »
OK, I have re-quarantined the file reported by MBAM just to be sure, even though it seems to be a false positive.

I still do not know any more about the threats that Avast detected and moved to the chest. Like I said, there were three items, but I only see two in the chest. A full scan of the system now shows no threats.

I did a Secunia OSI scan, and I had two programs that were not totally up to date: Adobe Acrobat Reader and Flash Player. They are now.

Do you recommend any more actions?

I see now that the "missing log" probably never existed, I guess what I saw was the scan result and not a log. I have now checked Show special scans under Settings. Perhaps it would be a good idea to have this checked by default, as well as create logs of all scans automatically? I would say that most scans that detect threats would be worth saving for later.

Offline DavidR

Re: Virus in Java program files?
« Reply #9 on: January 04, 2011, 10:06:18 PM »
No other actions other than possibly reporting the FP to MBAM forum, but that process is long-winded to say the least.

I would always leave the Show special scans option checked, without it you can't customize those scans (not advised unless you know what the effects might be), but also to gather info in the log/report for future use. If it isn't enabled you can't get the information after the fact.

Hubbaman

Re: Virus in Java program files?
« Reply #10 on: January 04, 2011, 10:54:45 PM »
Thank you for your help, DavidR!

One final question: How can one tell if the virus actually did any harm before it was detected and removed?


Offline DavidR

Re: Virus in Java program files?
« Reply #11 on: January 04, 2011, 11:13:01 PM »
Depends on which one you are talking about, the avast detections or the mbam one ?

Personally I don't think there is much more you can do and that includes investigation if any damage occurred, which as far as java .class issues go, they tend to be more exploits and those also have to get past avast, etc.

Aside from monitoring your system for any adverse/strange activity.

Hubbaman

Re: Virus in Java program files?
« Reply #12 on: January 04, 2011, 11:23:49 PM »
I see. Once again, thanks for your help!

Offline DavidR

Re: Virus in Java program files?
« Reply #13 on: January 04, 2011, 11:32:54 PM »
No Problem.