Author Topic: Viruses Please Help  (Read 7765 times)


adam

  • Guest
Viruses Please Help
« on: October 30, 2004, 01:24:11 AM »
The following viruses were found by avast on my computer last night:

File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4378e4d-4aa5fbd2.zip\GetAccess.class is infected by JS:ClassLoader-7 - Deleted
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4378e4d-4aa5fbd2.zip\InsecureClassLoader.class is infected by JS:Exploit-Bytverify-11 - Deleted
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4378e4d-4aa5fbd2.zip\Installer.class is infected by Win32:Trojano-477 [Trj] - Deleted
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv255.jar-667ca30e-35a7cc55.zip\Counter.class is infected by JS:Classloader-6 - Deleted
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv255.jar-667ca30e-35a7cc55.zip\Parser.class is infected by JS:ClassLoader-5 - Delete:

These have since been deleted.

I run the following programs to help protect me on the net (I am on b/b), ALL FULLY UPDATED:

Avast Home Ed (fully updated) with resident scanner set on high
Zone alarm free version
spybot
ad-aware
spywareguard
spywareblaster

The only reason avast found the viruses is that I was doing a check with ad-aware. Should avast have found these viruses straight away when they came onto my computer (with the Standard Shield)?

I have since done two thorough scans with "scan archives" selected, and it is totally clean. Do I need to take any more action?

Many thanks, Adam

inthewildteam

  • Guest
Re:Viruses Please Help
« Reply #1 on: October 30, 2004, 01:40:46 AM »
Delete all cache files in your browser, and within the Java programme also.

If you are running Win 2000 or XP, schedule a boot-time scan and then report back the results.

Edit:

 Go to Start Menu -> Control Panel -> Java Plug-in (This opens the Java Plug-in Control Panel)

 Go to Cache Tab

 Click "Clear JAR Cache" or "Clear"

 Quit all browsers
« Last Edit: October 30, 2004, 02:13:32 AM by inthewildteam »

adam

  • Guest
Re:Viruses Please Help
« Reply #2 on: October 30, 2004, 02:30:50 AM »
Hi there,

Results of last scan:

30/10/2004 00:01
Scan of all local drives


Number of searched folders: 1674
Number of tested files: 42253
Number of infected files: 0

There is no Cache tab, but I have cleared out temporary Internet files from Java's General tab. Is that the same thing?

Many thanks, Adam

inthewildteam

  • Guest
Re:Viruses Please Help
« Reply #3 on: October 30, 2004, 02:44:10 AM »
Adam,

I don't know what version of windo$e you are using or what flavour of Java either... it would appear you are now clear; however, you might want to use the search function in the forum and double check your system for any malware. Long involved process, but better to be safe than sorry!

Some further research about browser settings and Java permissions might be useful too.

Let us know how you get on.

You will find links here to HijackThis and an online scanner for the results of its log file.

Post back if you have any questions.

Negeltu

  • Guest
Re:Viruses Please Help
« Reply #4 on: October 30, 2004, 02:54:33 AM »
Just go to Control Panel, then open the Java plugin if it's there and go to the Cache tab. Click Clear Cache in the top right corner, then uncheck Enable Caching.

inthewildteam

  • Guest
Re:Viruses Please Help
« Reply #5 on: October 30, 2004, 03:00:57 AM »
Just go to Control Panel, then open the Java plugin if it's there and go to the Cache tab. Click Clear Cache in the top right corner, then uncheck Enable Caching.

 ;)

Well said!

adam

  • Guest
Re:Viruses Please Help
« Reply #6 on: October 30, 2004, 10:43:35 AM »
This is a post of my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 09:39:36, on 30/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Palick Soft\HDD Temperature\HDDTsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Palick Soft\HDD Temperature\HDDTemperature.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Paltalk\paltalk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: HDD temperature.lnk = C:\Program Files\Palick Soft\HDD Temperature\HDDTemperature.exe
O4 - Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3B898B0-7177-4F3F-8C31-966AF103B783}: NameServer = 195.92.195.95 195.92.195.94

Does all seem OK?

Thank you, Adam

Also, the version of Java I am running is Java(TM) 2 Platform Standard Edition 5.0.
« Last Edit: October 30, 2004, 10:46:37 AM by adam »
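A small parser for HijackThis log lines of the kind posted above, added here as an example; it is not part of this thread and not HijackThis or any analyzer's code. Its constructed sample reuses entries from the log above, and it only flags entries worth checking by hand (a missing file, an unnamed BHO, a downloaded ActiveX control, a DNS override), which is a review list, not a verdict.

```python
import re

# Constructed sample in the shape of the HijackThis v1.97.7 log posted above
# (the entries are copied from that log; the "(no name)" BHO line is included).
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\\PROGRA~1\\Wanadoo\\WSBar\\WSBar.dll (file missing)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A3B898B0-7177-4F3F-8C31-966AF103B783}: NameServer = 195.92.195.95 195.92.195.94
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")   # "R0 - ..." / "O16 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")  # {8-4-4-4-12} class id

def parse_hjt(text):
    """Return one dict per R/O entry: kind, body, any CLSID, any URL."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines are skipped
        kind, body = m.groups()
        clsid = CLSID_RE.search(body)
        url = re.search(r"https?://\S+", body)
        entries.append({"kind": kind, "body": body,
                        "clsid": clsid.group(0) if clsid else None,
                        "url": url.group(0) if url else None})
    return entries

def review_items(entries):
    """Flag entries an analyst should verify by hand; nothing here is a verdict."""
    flagged = []
    for e in entries:
        body = e["body"]
        if "(file missing)" in body:
            flagged.append((e["kind"], "registered component whose file is gone"))
        elif e["kind"] in ("O2", "O3") and "(no name)" in body:
            flagged.append((e["kind"], "unnamed BHO/toolbar: identify the CLSID and DLL"))
        elif e["kind"] == "O16":
            flagged.append((e["kind"], "downloaded ActiveX control: check the download URL"))
        elif e["kind"] == "O17":
            flagged.append((e["kind"], "DNS server override: confirm these are the ISP's resolvers"))
    return flagged
```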

Offline Eddy

  • Avast Evangelist
Re:Viruses Please Help
« Reply #7 on: October 30, 2004, 08:00:45 PM »
1] You are using an old version of HJT
2] You do not have your system up-to-date
3] You are using an old version of IE
4] Use my HJT log analyzer and the online one.

Negeltu

  • Guest
Re:Viruses Please Help
« Reply #8 on: October 31, 2004, 02:49:47 AM »
Be careful what you choose to fix based upon the recommendations of that analyzer. It has recommended fixing MANY legitimate things on my system. Double and triple check other sources for the things it says to fix BEFORE you fix them.  :)

Negeltu

  • Guest
Re:Viruses Please Help
« Reply #9 on: October 31, 2004, 02:07:32 AM »
Just wanted to make it clear that it is the ONLINE analyzer that has given me the false positives.  :)  I should have been clearer. Sorry about that. No harm intended. I actually haven't tried Eddy's analyzer, but I certainly will.

techie101

  • Guest
Re:Viruses Please Help
« Reply #10 on: October 31, 2004, 04:45:30 AM »
Negeltu,

Eddy's analyzer makes using Hijack This a breeze.

Trying to decipher the initial HT scan report can be confusing, and it is easy to remove vital files, making things worse; in some cases, users of HT have reported that the computer was put into a complete state of "crash".  :(

I have used the HTA without incident and have found its analysis accurate and easy to follow.

 :D
« Last Edit: October 31, 2004, 04:45:55 AM by Techie101 »