> Downloaded Latest Java, Ended Up With 2 Trojans
Dennis H
post Feb 12 2007, 02:35 PM
Post #1


Senior Member
****

Group: Members
Posts: 475
Joined: 4-May 05
Member No.: 18,964



Howdy,

I recently downloaded the latest version of Java and removed the older version. I just ran a scan with AVG Anti Spyware and it picked up 2 trojans.

Java classloader.g and Java classloader.f

I tried to quarantine them, but got a window saying they were embedded and was asked if I wanted to quarantine the entire archive (whatever that means), so I clicked yes.

Here is what is now quarantined:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:34:51 PM 2/12/2007

+ Scan result:



C:\Documents and Settings\Dennis\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-73d04c00-65e38c10.zip/VaaaaaaaBaa.class -> Trojan.ClassLoader.f : Cleaned with backup (quarantined).
C:\Documents and Settings\Dennis\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-73d04c00-65e38c10.zip/Dex.class -> Trojan.ClassLoader.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Dennis\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-73d04c00-65e38c10.zip/Dix.class -> Trojan.ClassLoader.g : Cleaned with backup (quarantined).
C:\Documents and Settings\Dennis\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-73d04c00-65e38c10.zip/Dux.class -> Trojan.ClassLoader.g : Cleaned with backup (quarantined).


::Report end

Where do I go from here ?? Should I uninstall Java and try a reinstall ?? I thought I was on a secure site when I downloaded, but maybe I was not.


Thanks for your time,

Dennis

This post has been edited by Dennis H: Feb 12 2007, 02:48 PM
Orange Blossom
post Feb 12 2007, 05:56 PM
Post #2


The Bookworm
******

Group: Moderator
Posts: 4,956
Joined: 14-July 06
From: Bloomington, IN
Member No.: 76,150



First off, from looking at the infected files, the version listed for Java doesn't match the current Java version at all unless I'm completely misinterpreting what I see.

Definitely uninstall everything to do with Java from Add/Remove programs.

Go here: http://java.sun.com/javase/downloads/index.jsp to download and install the new version of Java. Unless you are into programming, choose the JRE download which is the fourth one in the list.

By the way, what site did you download from?

Orange Blossom


--------------------
Orange Blossom

An ounce of prevention is worth a pound of cure

ESET NOD32, AVG Anti-spyware Free, SuperAntiSpyware Pro, SpywareBlaster, Spybot 1.5, WinPatrol Plus, Sunbelt Personal Firewall - Full, Comodo BOClean 4.27, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
Dennis H
post Feb 12 2007, 06:02 PM
Post #3


Senior Member
****

Group: Members
Posts: 475
Joined: 4-May 05
Member No.: 18,964



Thanks for the reply Orange Blossom.

When I click on my Java icon it says I have the Standard 6 version. 1.6.0 (build 1.6.0-b105 ??

Anyway, I will get rid of it right now. I found the site here on Bleeping computer after I had asked if someone could verify if I had the current version. I will find the post and list it here.


Here is that post. http://www.bleepingcomputer.com/forums/topic79687.html

Just to double check after I click on JRE 6, which platform should I download ?

Windows XP,SP2,IE-7



Thanks Again,

Dennis

This post has been edited by Dennis H: Feb 12 2007, 07:10 PM
tink536
post Feb 12 2007, 11:14 PM
Post #4


**pixie in training**
******

Group: Members
Posts: 1,853
Joined: 13-November 06
From: Honolulu, Hawaii
Member No.: 95,371



I usually do the offline installation.


--------------------
I search for Sjogrens Syndrome Foundation...Who will you search for?
jgweed
post Feb 12 2007, 11:22 PM
Post #5


Forum Addict
******

Group: Global Moderator
Posts: 20,575
Joined: 11-April 04
From: Chicago, Il.
Member No.: 113



As I remember, the two Java items are actually POTENTIALLY a problem, not actually malware in itself.
You should download and install the latest Java Runtime Environment for Windows, making sure to delete previous versions, then clear the Java Cache from the Java Control Panel.
Regards,
John


--------------------
Whereof one cannot speak, thereof one should be silent.
Orange Blossom
post Feb 13 2007, 03:22 AM
Post #6


The Bookworm
******

Group: Moderator
Posts: 4,956
Joined: 14-July 06
From: Bloomington, IN
Member No.: 76,150



Okay:

1) I did misinterpret what I saw, and you indeed had the latest version.

2) The site you downloaded from before is the same as the link I provided, so no problem there.

As for which platform: if your answer to "Do I do programming?" is "No", then you want this one:

QUOTE
Java Runtime Environment (JRE) 6
The Java SE Runtime Environment (JRE) allows end-users to run Java applications.

which is the fourth one down the list.

I also agree with tink that you should do the off-line installation and with jgweed to clear the Java cache.

Orange Blossom
Orange Blossom
post Feb 13 2007, 03:26 AM
Post #7


The Bookworm
******

Group: Moderator
Posts: 4,956
Joined: 14-July 06
From: Bloomington, IN
Member No.: 76,150



To add to previous post:

Once you click on the download button, you will be taken to another page. Unless you have 64 bit Windows - which I doubt, you will want to install the first one listed under Windows Platform. This will be the off-line installation.

Orange Blossom
Dennis H
post Feb 13 2007, 06:23 AM
Post #8


Senior Member
****

Group: Members
Posts: 475
Joined: 4-May 05
Member No.: 18,964



Thanks for the replies. I have a few more questions, if you folks have the patience.

I went to add/remove and removed Java. I then went to the control panel, but I do not know how to remove the Java cache. Probably because I do not know what the heck Java cache means. I see the Java icon in the control panel. If I click on it nothing happens. I suppose that is because I have removed the program ??



When I get to the second page on the download site, I do not see anything regarding offline installation. Apparently I (as usual) am missing something. Do you mean download the program to a file, get offline and then install ?

Thanks again for the help. I just want to make sure I do it correctly this time around.



Thanks,

Dennis
tink536
post Feb 13 2007, 06:28 AM
Post #9


**pixie in training**
******

Group: Members
Posts: 1,853
Joined: 13-November 06
From: Honolulu, Hawaii
Member No.: 95,371



Delete all files and subfolders within the cache folder below.

C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\


quietman7
post Feb 13 2007, 11:23 AM
Post #10


Bleepin' Janitor
******

Group: Global Moderator
Posts: 13,431
Joined: 9-July 05
From: Virginia, USA
Member No.: 26,513



To Clear the Java Runtime Environment (JRE) cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are three options on this window to clear the cache.
    • Delete Files
    • View Applications
    • View Applets
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.
You can also view these instructions along with screenshots here.


--------------------
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"

Microsoft MVP - Windows Security 2007-2008
Dennis H
post Feb 13 2007, 12:59 PM
Post #11


Senior Member
****

Group: Members
Posts: 475
Joined: 4-May 05
Member No.: 18,964



Thanks for all the replies.

Here is what I did. I removed Java yesterday evening. I then restarted the computer. The Java icon was no longer in the control panel.

I tried what tink536 suggested this morning and tried to get the files and folders that I needed to delete to show up and could not get it done.

I then did a file search by typing in the key word Java. About 90 files showed up in the search. Some just said Java in the file names but many also had other names and jargon in the file names. I was hesitant to just start deleting all these files.

I decided just to download Java again and install it. I ran a scan and it came up clean.

Quietman, is it a good idea to start again and follow your instructions on removing the cache, removing Java and doing another install ? If I do that will it get rid of all the unneeded files and folders from past versions ?

I have never tried to remove any files or folders after I have removed old versions and then installed the latest version available.

Should I just leave well enough alone ?

Thanks,

Dennis
Papakid
post Feb 13 2007, 01:00 PM
Post #12


Guru at being a Newbie
******

Group: HJT Team
Posts: 5,715
Joined: 8-April 04
Member No.: 96



Hi Dennis,

I started writing this out before QM7 posted so sorry for the redundancy...

First, AVGAS cleaned up the files you are asking about, according to the log you posted. If it says Cleaned with backup (quarantined), (which it does) it means that the file has been removed from its original location to AVGAS's quarantine folder where it is locked and won't affect you. The particular files in question are actually .zip folders. A zip folder is called an archive, so you did right to have AVGAS take care of the entire thing.

Second, uninstalling Java will not delete its cache. That folder will stay on your system unless you delete it manually. It's where tink536 indicated, and for you specifically it's here: C:\Documents and Settings\Dennis\Application Data\Sun\Java\Deployment\cache

While Java is uninstalled you can delete the entire cache folder with no problem. With Java installed it may be "in use" so cache should be cleaned out thru Java's interface.

Third, you didn't have the Java icon in your Control Panel that will allow you to clean out the cache correctly because at the time you had uninstalled Java. With Java installed, you will have an icon in your Control Panel that looks like a coffee cup; a bigger version of this:


As John mentioned, items flagged in your Java cache are a potential threat--it doesn't mean you are actually infected, but you could be if a certain set of circumstances happen. So it is advisable to keep Java up to date and clean its cache from time to time. To clean cache when Java is installed, see this page.

Lastly, those are the instructions for JRE versions 1.5.0 the latest version of which can be found on this page: http://www.java.com/en/download/manual.jsp

The page you've been told to download from is what I call the developer's page and it now shows version 6, which is a major upgrade. There is a lot of confusion about why the two pages show different versions as the latest available and Sun, which makes Java, is being roundly criticized for this. Security specialists keep finding holes in version five, it gets patched and Java claims it is safe--but version five, that is currently at Update 11, may be inherently vulnerable. On the other hand, version 6 may be buggy.

This is just to say that, once you do download version 6, the instructions for clearing cache may be different. I'll look into it in a bit to see if they have changed. Hope I've cleared up some confusion except for the last part.


--------------------
You know everybody is ignorant, only on different subjects.
Will Rogers


To stay secure is to stay updated.
Calendar of Updates.
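
The reading of the scan log given in post #12 can be checked mechanically. The following is an added example, not part of the original thread: it parses the four detection lines from post #1 (embedded as constructed sample input), groups them by containing archive, and reports whether that archive sits in the Java deployment cache. The function names and the line pattern are assumptions inferred from the lines shown, not a documented AVG Anti-Spyware format.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the four detection lines from the report in post #1.
ARCHIVE = (r"C:\Documents and Settings\Dennis\Application Data\Sun\Java"
           r"\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-73d04c00-65e38c10.zip")
REPORT = "\n".join(
    f"{ARCHIVE}/{entry} -> {name} : Cleaned with backup (quarantined)."
    for entry, name in [("VaaaaaaaBaa.class", "Trojan.ClassLoader.f"),
                        ("Dex.class", "Trojan.ClassLoader.g"),
                        ("Dix.class", "Trojan.ClassLoader.g"),
                        ("Dux.class", "Trojan.ClassLoader.g")])

# Assumed line shape: <archive>/<entry in archive> -> <detection> : <action>
LINE = re.compile(r"^(?P<archive>.+\.(?:zip|jar))/(?P<entry>[^/\\]+)"
                  r" -> (?P<name>\S+) : (?P<action>.+)$", re.IGNORECASE)
CACHE_PARTS = ("sun", "java", "deployment", "cache")


def parse_report(text):
    """Return one dict per detection line; other report lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def in_java_cache(path):
    """True if the path lies under a Sun/Java/Deployment/cache folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    n = len(CACHE_PARTS)
    return any(tuple(parts[i:i + n]) == CACHE_PARTS for i in range(len(parts)))


def summarize(text):
    """Group detections by the archive that contains the flagged entries."""
    groups = defaultdict(list)
    for hit in parse_report(text):
        groups[hit["archive"]].append(hit)
    return {
        archive: {
            "entries": sorted(h["entry"] for h in hits),
            "detections": sorted({h["name"] for h in hits}),
            "in_java_cache": in_java_cache(archive),
            "all_quarantined": all("quarantined" in h["action"].lower()
                                   for h in hits),
        }
        for archive, hits in groups.items()
    }


if __name__ == "__main__":
    for archive, info in summarize(REPORT).items():
        print(PureWindowsPath(archive).name, info)
```

All four hits resolve to a single cached archive under the deployment cache, which is why the scanner offered to quarantine the entire archive.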
Dennis H
post Feb 13 2007, 01:05 PM
Post #13


Senior Member
****

Group: Members
Posts: 475
Joined: 4-May 05
Member No.: 18,964



Thanks papakid !

Apparently I was typing as you were. Please see my above response and advise if you would.


Thanks again for everyone's time !

Dennis
Papakid
post Feb 13 2007, 01:23 PM
Post #14


Guru at being a Newbie
******

Group: HJT Team
Posts: 5,715
Joined: 8-April 04
Member No.: 96



Well, now that you have Java reinstalled, go to Control Panel and see if the instructions for clearing cache are still the same. Go ahead and clear them if so and let us know. Otherwise you should have no other problems.
Dennis H
post Feb 13 2007, 01:34 PM
Post #15


Senior Member
****

Group: Members
Posts: 475
Joined: 4-May 05
Member No.: 18,964



VICTORY !!

I bet you folks are tired of my "Javanese" banter.



Thanks to everyone for your help !!




Dennis

This post has been edited by Dennis H: Feb 13 2007, 01:36 PM