Java Virus Crap

Discussion in 'Windows Desktop Systems' started by paul2-0-0-2, Jul 28, 2005.

  1. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Anyone know why keep getting these?

    Delete the temp files with Java Sun and couple of days later always come back

    Windows XP SP1
    Firefox 1.0.6
    Never use I.E unless some link opens it up which is rare
     

    Attached Files:

  2. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    I wouldn't really blame IE, but here are a few steps I would follow:

    • Ensure Windows is updated. If for whatever reason you can't go to SP2 (compatability maybe), at least get all other updates.
    • Update your AV Protection
    • Download MS Anti-Spyware and as a second, either Lavasoft Ad-Aware or Webroot Spysweeper. (these are my recommendations, others may give you supplemental progs to use).
    • Install and update your Anti-Spyware programs.
    • Boot into safe mode without networking
    • Delete all temp files, make sure you empty the recylce bin if you put them there, or use SHIFT + DEL and it will skip the bin entirely
    • Clean out the following directories:
      • C:\Documents and Settings\%username%\Local Settings\Temp
      • C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files
      • C:\Documents and Settings\%username%\Local Settings\History
      • C:\Documents and Settings\%username%\cookies
      • C:\Temp
      • C:\Windows\Temp
      • C:\Windows\Prefetch
    • Once all are deleted, run a spyware scan to remove any junk. Once spyware has been removed, boot back into windows and do another spyware scan with whichever program you prefer. Reason being if your AV is setup properly, it will find any and all viruses "on-access" and remove them.
    Reason you "keep getting" them is mostly because some viruses leave droppings behind, and are a pain to get rid of unless you kill all the sources.
     
  3. Shamus MacNoob

    Shamus MacNoob Moderator Political User

    Messages:
    4,199
    Location:
    L'Ile Perrot Quebec
    Yeah and stop going to porn sites and crack sites that helps
     
  4. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Did have a virus Trojan Dropper.Small.22.AW but AVG sorted that out and these just stared to come a month later then stop for weeks and come back

    Think its what Kermit said dodgy sites but i'll do half of what you said lol cause cant be doin safe mode and stuff today since they dont really do anything :rolleyes:
     
  5. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Messages:
    18,590
    Location:
    Copenhagen, Denmark
    What is the full path of the suspect files?
    Plus you could always throw down a hijackthis log just to be safe :)
     
  6. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    C:\DocumentsandSettings\******\ApplicationData\Sun\Java\Deployment\cache
     

    Attached Files:

    Shamus MacNoob likes this.
  7. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Logfile of HijackThis v1.99.1
    Scan saved at 16:30:47, on 28/07/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSI\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    C:\Program Files\Palick Soft\SIGuardian\SIGuardian.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\********\LOCALS~1\Temp\Rar$EX00.312\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SIGuardian.lnk = C:\Program Files\Palick Soft\SIGuardian\SIGuardian.exe
    O4 - Startup: Streamload Uploader.lnk = C:\Program Files\Streamload\StreamMgr.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Streamload Downloader.lnk = C:\Program Files\SlDB\SlDB.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\MSI\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122558459109
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\MSI\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  8. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Everything looks OK, although you do have alot of stuff running, but that won't cause your problem. The only one of that list I didn't recognize was..

    O4 - Global Startup: Streamload Downloader.lnk = C:\Program Files\SlDB\SlDB.exe

    Everything else looks good to me.

    EDIT: I would go sick and empty all temp folders/directories everywhere. Also, updating to the latest Java wouldn't hurt.. https://jsecom16a.sun.com/ECom/EComActionServlet;jsessionid=44215EDE87FAC9A0DC144089A33B8EE7
     
  9. Xie

    Xie - geek - Subscribed User Folding Team

    Messages:
    5,275
    Location:
    NY, USA
    I took a quick glance .. to tired to *really* look it over. However you do have an outdated version of java. I believe Sun is up to 1.5.0_04 (your using jre1.5.0_02).
     
  10. tdinc

    tdinc █▄█ ▀█▄ █ Political User

    Messages:
    3,507
    Location:
    Sterling Heights, MICHIGAN
    I would also suggest updating to SP2. make sure you are up to date. with all
    anti-virus, anti-spyware ect.... after your AVG scan is complete use the delete
    option.
     
  11. trukkmann

    trukkmann OSNN Addict

    Messages:
    110
    I was getting those same virii while playing Battlefield 1942 on Gamespy. AVG free would pop up mid-game informing me it found the trojan as soon as it arrived. I use Outpost firewall and was allowing the game server full permissions so the rules box wouldn't pop up during the game. I guess some L4M3R was pushing me a trojan. I reviewed all the settings on my firewall, blocking, testing, unblocking if necessary, all the different apps and sys controls in Outpost until my normal net usage was unhindered. Then went into my Linksys router and did a port forwarding of 113 (IDENT) to a non-existent IP on my LAN (as well as some other ports) and further tightened down other constraints in the router's settings. Finally I can set it to "Allow Most" when gaming and not get trojaned and not have to worry about setting rules for each game server.
     
  12. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Thats Streamload proper program, got rid of the temp stuff in the java folders etc aswel and anit come back for 2 days so far will be back no doubt


    Would update to SP2 but cant be bothred at moment, dont really scan for Spyware thses days either another thing i cant be bothered to do but AVG Scans/Updates every morning so 1 out 3 anit bad lol :lick:

    trukkmann

    I think it just some dodgy site or when IE opens up it downloads them seeing has can go weeks with out getting them and some days delete them and come back

    Thanks :)