Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avira Found: Tr/java.downloader.gen And Tr/classloader During Scan


  • This topic is locked This topic is locked
2 replies to this topic

#1 Werewolf_359

Werewolf_359

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:29 PM

Posted 01 November 2007 - 01:53 PM

While doing a virus scan earlier today, I got an alert about an infected file detection. I'm not sureif there is more that I will have to do, other than Quarrantining and deleting the problem file, and/or if there may be additional problems on the PC now as a result of this issue. Any advice/help/suggestions regarding the following Log and Description info would be helpful, and greatly appreciated...

My Avira scanner detected the following: Trojan Horse TR/ClassLoader within the following directory C:\Documents and Settings\Van\Local Settings\Temp\jar_cache58783.tmp . The excerpt from the scan summary was as follows:
AVIRA:
Start of the scan: Thursday, November 01, 2007 12:24

Starting search for hidden objects.
'51120' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'nSvcIp.exe' - '1' Module(s) have been scanned
Scan process 'nSvcAppFlt.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'nvraidservice.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '32' files ).

Starting the file scan:
Begin scan in 'C:\'

C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Van\Local Settings\Temp\jar_cache58783.tmp
[0] Archive type: ZIP
--> BnnnnBaa.class
[DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
--> VaannnaaBaa.class
[DETECTION] Is the Trojan horse TR/ClassLoader
[INFO] The file was moved to '479bff05.qua'!

-----------------------------------------------------------------------------------------------------------------------------------------
I immediatley Had Avira Quarrantine the file. I uploaded the quarrantined file to Avira, which then showed the following info (the contents of the quarrantined file itself):

236199 MANIFEST.MF 71 Byte KNOWN CLEAN
254829 BnnnnBaa.class 1.92 KB MALWARE
254830 VaannnaaBaa.class 860 Byte MALWARE
254831 Dnnny.class 627 Byte CLEAN
254832 Bnnnnn.class 2.34 KB CLEAN
254833 Den.class 442 Byte CLEAN
254834 Din.class 21.46 KB CLEAN
254835 Dun.class 2.72 KB CLEAN

For the moment, until I get more info, I have left the quarrantined file as is by whatever Avira did to quarrantine it.
I have run CCleaner's Regisrty and cleanup options.
I have run Spybot S+D. Scan found no problems.
I have run Adaware. Scan found no problems.
I plan to run Stinger next, as I have only just now learned of it from this site.
I have run HijackThis, the LOG is as following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:13 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.dogsoftheseas.com
O15 - Trusted Zone: http://*.dogsoftheseas.com
O15 - Trusted Zone: http://*.dogsoftheseas.de
O15 - Trusted Zone: http://*.dogsoftheseas.nl
O15 - Trusted Zone: http://*.dots00.de
O15 - Trusted Zone: http://*.dots01.de
O15 - Trusted Zone: http://*.dots02.de
O15 - Trusted Zone: http://*.dots04.de
O15 - Trusted Zone: http://www.dots3.de
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187931522343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187931488984
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5820 bytes

-------------------------------------------------------------------------------------------------------------------------------------------

Most items in the log, I think I know what they are. I am concerned about the last Class 016- item:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

I do not know if this is a problematic entry, or just part of a normal log for a PC with Java on it. If it is a problem-type entry, or if any of the other entries are too, I would appreciate any help + info on this as well, if possible.

If I need to do more than just deleting the Avira-detected file, I would need to know that too, and what else may need to be done.

Overall, I have not had much problem with this PC to date, and this is the first time I have encountered these such problems on this machine. I have had some Video-related problems running one particular game recently (EQ II), that had run fine the last time I tried it a few weeks ago, but that may just be a hardware-related issue only (game "stutter-hangs frequently in graphic-intensive portions of game, where it always ran smooth before). However, if anything here could cause poor graphics performance, or problems with the Video card Driver for any reason, I would apprecaite any help or advice about it, too, if possible, since upgrading to the latest Video Driver has not resolved that particular graphics problem.

Thank you :thumbsup:

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:29 PM

Posted 21 November 2007 - 01:06 PM

I apologize for the very long delay. We have been very busy and it has been taking us greater time than normal to get the logs caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. DO not attach them.

Thank you for your patience.

#3 Werewolf_359

Werewolf_359
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:29 PM

Posted 21 November 2007 - 07:02 PM

That's ok, Everything should be fine now. I got rid of the problem file, and checked a few other places in the meantime, and have been told everything should be fine.

thanks again.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users