
6 trojan horses quarantined: is it safe to return to online bill paying?


  • Please log in to reply
11 replies to this topic

#1 rabidrun
  • Members
  • 53 posts

Posted 06 February 2011 - 03:44 PM

History:
-- In 7/10, avast! free AV had detected & quarantined the following 2 viruses (JS:Pdfka-AFJ [Expl] & HTML:Downloader-F [Trj]).
-- On 2/2/11 I downloaded Norton Internet Security 2011 & it immediately found & quarantined the following 6 trojan horses, listed as high risk, found on the C drive in AppData files:
1. phone.class
2. myname.class
3. emailer.class
4. is.class
5. phonebook.class
6. familie.class

What do I need to do now to fix any problems with accessing online bill payment, etc.? Can the fixes all be done using Norton Internet Security?

Is it sufficient to just change log-on passwords to these accounts? Or does more need to be done, like getting account numbers changed, or other?

Is it even safe to go online into these accounts now that 6 trojan horses were found & quarantined? If these were found, are there more problems waiting?


#2 ATGUNWAT
  • Members
  • 44 posts
  • Gender: Male
  • Location: Florida

Posted 08 February 2011 - 10:30 AM

This is an unofficial response and the advice is mine, not that of bleepingcomputer.com or its representatives...

I would change all the passwords and account numbers, if you think any of your accounts have been compromised.

Is it a hassle? = yes.
Is it inconvenient? = yes again.
Is it time consuming? = of course it is, but...
If someone steals your identity and or ruins your credit, it could take you months or even years to get it all straightened out again.
(Talk about time consuming and inconvenient)

I think that this is a clear case of "better to have it and not need it, than to need it and not have it."
I would err on the side of caution, every time.

Just my opinion,

ATGUNWAT B)

Edited by ATGUNWAT, 08 February 2011 - 10:54 AM.


#3 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 34,062 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 08 February 2011 - 11:27 AM

Did you remove avast before installing Norton?

Where specifically in the C:\Documents and Settings\<username>\Application Data\ folder were these threats detected?

Anytime you encounter a malware infection on your computer, especially if that computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer as a precaution in case an attacker was able to steal your information when the computer was infected. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

If using a router, you also need to reset it with a strong logon/password before connecting again. Consult these links to find out the default username and password for your router, and write down that information so it is available when doing the reset. These are general instructions for how to reset a router:
  • Unplug or turn off your DSL/cable modem.
  • Locate the router's reset button.
  • Press, and hold, the Reset button down for 30 seconds.
  • Wait for the Power, WLAN and Internet light to turn on (On the router).
  • Plug in or turn on your modem (if it is separate from the router).
  • Open your web browser to see if you have an Internet connection.
  • If you don't have an Internet connection you may need to restart your computer.
For more specific information on your particular model, check the owner's manual. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 rabidrun (Topic Starter)
  • Members
  • 53 posts

Posted 18 February 2011 - 08:05 PM

Bleepin' Janitor, as requested, here is where the 6 trojan horses were found & are now quarantined:
1. phone.class [Contained in] c:\users\myname\appdata\locallow\sun\java\deployment\cache\6.0\5\39f386c5-2140ffc9
2. myname.class [Contained in] c:\users\myname\appdata\locallow\sun\java\deployment\cache\6.0\5\39f386c5-2140ffc9
3. emailer.class [Contained in] c:\users\myname\appdata\locallow\sun\java\deployment\cache\6.0\37\53c54425-3a7118a9
4. is.class [Contained in] c:\users\myname\appdata\locallow\sun\java\deployment\cache\6.0\5\39f386c5-2140ffc9
5. phonebook.class [Contained in] c:\users\myname\appdata\locallow\sun\java\deployment\cache\6.0\37\53c54425-3a7118a9
6. familie.class [Contained in] c:\users\myname\appdata\locallow\sun\java\deployment\cache\6.0\37\53c54425-3a7118a9

I changed account numbers, passwords, etc. I did not reset my router but did change the router password.

In response to your other question, I thought I had downloaded Norton Internet Security 2011 before I agreed for Norton to remove avast, but Norton may not have been fully downloaded. Or it could be that avast! free AV did not detect those trojan horses. It was probably the first situation, since the trojan horses popped up as soon as Norton AV began scanning for viruses.

Is there anything else I need to do? Is it safe to start using banking account numbers on the PC that quarantined those 6 trojan horses? Thanks!

#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 34,062 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 18 February 2011 - 11:27 PM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out:
Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java version and remove outdated Java components. Even Java advises users to always have the latest version of Java, since it contains security updates and improvements to previous versions.

The latest Java version contains important enhancements to improve performance, stability and security of the Java applications that run on your machine. Installing this free update will ensure that your Java applications continue to run safely and efficiently.

Why should I upgrade to the latest Java version?
Why should I upgrade to Java 6?

You can verify (test) your JAVA Software Installation & Version here.
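The post above explains that the JRE keeps every downloaded applet in its deployment cache, which is exactly where rabidrun's scanner reported the six class files. The script below is an added example (not code from the original thread, BleepingComputer or Norton) that inventories such a cache for triage: it lists each cached data file with its size and SHA-256 hash and, heuristically, the URL the file was fetched from. It assumes the 6.0 cache layout seen in the quoted paths (a data file with no extension plus a companion `<name>.idx` metadata file), and it builds a small constructed sample cache when the real folder is absent so it can be run anywhere.

```python
"""Inventory a Java deployment cache for offline triage (constructed example).
Assumes the 6.0 layout: a data file with no extension plus <name>.idx metadata."""
import hashlib
import os
import re
import tempfile

# Windows 7 location quoted in the thread (assumption: adjust for other systems).
DEFAULT_CACHE = os.path.expandvars(r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache\6.0")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable URL bytes inside .idx

def origin_urls(idx_path):
    """Heuristic: pull http(s) URLs out of the binary .idx companion, if present."""
    try:
        with open(idx_path, "rb") as f:
            data = f.read()
    except OSError:
        return []
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})

def inventory_cache(root):
    """One record per cached data file: path, size, sha256 and where it came from.
    The hash lets you report or look up a file without sharing the file itself."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(n for n in names if not n.endswith(".idx")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            records.append({"path": path, "size": os.path.getsize(path),
                            "sha256": digest, "urls": origin_urls(path + ".idx")})
    return records

def build_sample_cache():
    """Constructed one-entry cache (names mirror the thread) so this runs offline."""
    entry = os.path.join(tempfile.mkdtemp(prefix="javacache_"), "5")
    os.makedirs(entry)
    with open(os.path.join(entry, "39f386c5-2140ffc9"), "wb") as f:
        f.write(b"abc")  # stands in for the cached jar/class bytes
    with open(os.path.join(entry, "39f386c5-2140ffc9.idx"), "wb") as f:
        f.write(b"\x00\x01http://applet.example.invalid/app.jar\x00\x00")
    return os.path.dirname(entry)

if __name__ == "__main__":
    root = DEFAULT_CACHE if os.path.isdir(DEFAULT_CACHE) else build_sample_cache()
    for r in inventory_cache(root):
        print(r["sha256"], r["size"], r["path"], *r["urls"])
```

A hit on a file in this folder is evidence that an applet was downloaded, not proof it ran; the hash and origin URL give you something concrete to report alongside the scanner's log.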

#6 rabidrun (Topic Starter)
  • Members
  • 53 posts

Posted 20 February 2011 - 01:18 AM

quietman7: successfully downloaded Java version 6 update 24 (had update 23 on laptop).

Followed your 5 steps above as best as possible but had problems with the following 2 on this Win 7 Home Premium laptop:
--- Tried to clear the 6 trojan horses from the Java plug-in cache by navigating from Start to Control Panel to Java plug-in, but can't find "Java plug-in", only "Java (32 bit)". Also can't find the Cache tab. Any idea where this is, as I assume I need to clear anything in there?
--- Re: deleting Windows temp files, I typed "%temp%" in the Start dialog box, but what opened was a bunch of files located at c:\users\myname\appdata\local\temp. Should I really be deleting everything in this folder? It contains a cvr file, cvg file, debug log file, java install_reg, java_install_sp, etc., & various folders like "low" which has folders for cookies, temp internet files, history, etc., which I assume should be deleted. Just not clear if it's safe to delete all the other folders & files in the c:\users\myname\appdata\local\temp folder?

If Norton NIS 2011 found 6 trojan horses on my PC in the Java deployment cache on 2/2/11 & quarantined them, how do I find out if the PC is still infected & whether or not it is safe to resume online bill payment, etc.?

Thanks so much!

#7 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 34,062 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 20 February 2011 - 07:56 AM

Alternatively, you can download and use TFC (Temp File Cleaner) by Old Timer.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts, including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean. Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.


There are no guarantees or shortcuts when it comes to malware removal. Infections and severity of damage will vary. The longer malware remains on your system, the more time it has to download additional malicious files. Depending on the infection, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous and security tools may not find all the remnants.

In any case, I can only go by what the scan logs show (what was detected/removed) and your description of whatever signs or symptoms of infection you are experiencing.

If you want a more detailed look at your system, then more advanced tools are needed to investigate. Before that can be done you will need to follow the instructions in the Preparation Guide and post a DDS log for further investigation in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

#8 Davkal
  • Members
  • 26 posts
  • Gender: Male
  • Location: USA

Posted 20 February 2011 - 08:05 AM

Just a thought: wouldn't it be a good idea to change passwords using another computer that isn't/wasn't infected, just for safety?

Sorry Quietman7, I missed you saying to do it from a clean computer until I reread everything for the 3rd time.

Edited by Davkal, 20 February 2011 - 08:18 AM.


#9 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 34,062 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 20 February 2011 - 08:10 AM

Yes. That is how I would do it.

#10 rabidrun (Topic Starter)
  • Members
  • 53 posts

Posted 20 February 2011 - 02:56 PM

Thanks, I changed all passwords on a different laptop.

quietman7, will Norton Internet Security 2011 even allow me to download Temp File Cleaner, or will it interfere with operation of Norton AV?

Can anyone help me understand how to follow the 2 linked instructions?
--- Tried to clear the 6 trojan horses from the Java plug-in cache (per instructions found in http://www.java.com/en/download/help/5000020300.xml provided by quietman7 in post #5) by navigating from Start to Control Panel to Java plug-in, but can't find "Java plug-in", only "Java (32 bit)". Also can't find the Cache tab. Any idea where this is, as I assume I need to clear anything in there?
--- Re: deleting Windows temp files (per instructions found in http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080422110127EN provided by quietman7 in post #5), I typed "%temp%" in the Start dialog box, but what opened was a bunch of files located at c:\users\myname\appdata\local\temp. Should I really be deleting everything in this folder? It contains a cvr file, cvg file, debug log file, java install_reg, java_install_sp, etc., & various folders like "low" which has folders for cookies, temp internet files, history, etc., which I assume should be deleted. Just not clear if it's safe to delete all the other folders & files in the c:\users\myname\appdata\local\temp folder?
Would like to clear these 2 out first, as recommended by quietman7.

Thank you

#11 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 34,062 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 20 February 2011 - 04:50 PM

"will norton internet security 2011 even allow me to download Temp File Cleaner or will it interfere with operation of norton av?"

It should. TFC is just a tool that automates the cleaning of temp files in one step so you don't need to delete them manually.

I don't use Windows 7 but found these instructions if you want to know:

How to Clear Java Cache in Windows 7
How to Clean out Windows 7 temporary files

To clean other Temporary files and the Recycle bin, run Disk Cleanup
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Click "Ok".
  • If asked "Are you sure you want to perform these actions?", click Yes.
Vista and Windows 7 users can refer to these links:
If those instructions do not work for you or are confusing, then start a new topic in the Windows 7 forum.

#12 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 34,062 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 20 February 2011 - 05:01 PM

"should i really be deleting everything in this folder (contains cvr file, cvg file, debug log file, java install_reg, java_install_sp,etc; & various folders like "low" which has folders for cookies, temp internet files, history, etc"

BTW, you don't delete the folders...just the junk and temp files within them.