
Mysterious file appeared?


  • This topic is locked
3 replies to this topic

#1 DTT


Posted 07 January 2010 - 04:05 PM

FILES IN QUESTION:
BLASHONE.DLL
60400856-71715a19
60400856-71715a19.idx


SITUATION:
I need a little help figuring something out. A file named blashone.dll appeared in my computer and I didn't have a clue what it was...so I did a system restore right? Well, after I did that I noticed these files were still left behind. I'm not sure what they are, but they were made in the same time frame as blashone.dll.

This is blashone.dll as it appeared on my dss.exe log prior to system restore:
2010-01-06 18:43:56 35328 --ah----- C:\WINDOWS\system32\blashone.dll

These are the files that were created the same time blashone.dll was created. They have been unaffected by system restore:

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\22\60400856-71715a19
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\22\60400856-71715a19.idx

Both files created on: January 06, 2010, 6:43:52 PM

QUESTIONS
1. Are these files related to or indicative of an infection? What are the functions of these files?
2. Is there a way I can do a system restore without the remaining files left behind?



Related Data. The following was done prior to a system restore. These installations had all been successfully completed prior to blashone.dll appearing:
* Uninstalled Firefox and updated to most updated version
* Uninstalled Skype and updated to most updated version
* Installed Google Chrome. Uninstalled after system restore.

Other details:
* As far as I can see, it would appear I was browsing the internet at the time these files were created as there were some web related cookie files created at this time.
* I recently had a plugin issue and had to uninstall it (not via browser, but through the uninstall utility that came with it), but according to the log these files were created hours after the plugin was supposedly gone... @_@ So I don't think it has any relevance...?
* As both files seem to be related to something with java, I checked the install text file. I was able to find the following data:

-----------------------------------------
Process start at 01/06/2010-18:43:51.
-----------------------------------------
== Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==
-----------------------------------------
Process start at 01/07/2010-01:43:03.
-----------------------------------------
== Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==
-----------------------------------------
Process start at 01/07/2010-14:20:03.
-----------------------------------------
== Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==



First one starts the same timeframe as blashone.dll appearing. @_@ It appears to be starting up each time I restart or start up my computer(?) I'm using an out of date version of java: jre1.6.0_02

Edited by DTT, 07 January 2010 - 05:46 PM.




#2 DTT


Posted 07 January 2010 - 05:26 PM

Ok, so I figured out how a little bit of it worked, but I am still looking for answers as I am unsure there is an issue still. Any and all help is appreciated.

It would appear that java_install_reg.log is updated with a new entry each time I load something specifically with java (usually through my firefox browser). Given this, there is only one entry that is of interest with the log:

Process start at 01/06/2010-18:43:51.
-----------------------------------------
== Start JNICALL Java_com_sun_deploy_util_UpdateCheck_shouldPromptForAutoCheck ==

That initial process start is the same as the blashone.dll's creation (but off by a couple of milliseconds), thus I can assume that it was something I was viewing with java that most likely introduced blashone.dll.

2010-01-06 18:43:56 35328 --ah----- C:\WINDOWS\system32\blashone.dll

The other files that had also been created in this time frame, 60400856-71715a19 & 60400856-71715a19.idx were created on January 06, 2010, 6:43:52 PM. This is one millisecond after the java log notes an updatecheck. As these are located in the java deployment cache, these are undoubtedly related to java. These also update their last accessed check whenever I view a web page that utilizes a specific function with java.

Given this, I am assuming although these had been installed around the same time of blashone.dll that they aren't directly related to the file, but instead to java, and that blashone.dll must have been downloaded from whatever java application I was currently viewing in my browser, without my consent. Please verify if this logic is correct if you can, as I am by no means a technology wizard and am only making an educated guess at this moment. It's still impossible for me to determine what generated the file, as I viewed several sites with java enabled that day.

I am currently running a Trend Micro Housecall to determine if there are any specific infections on my computer.

Edited by DTT, 07 January 2010 - 05:34 PM.
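
The timestamp correlation described in the post above, as an added example that is not part of the original post: it normalises the three timestamp formats quoted in the thread (dss.exe listing, java_install_reg.log, file properties) into one timeline and groups events that fall close together. The 10-second window and all function names are assumptions; proximity in time narrows down what to examine and does not by itself show which process wrote a file.

```python
import re
from datetime import datetime, timedelta

# Log lines and creation times copied from the posts above.
DSS_LOG = r"2010-01-06 18:43:56 35328 --ah----- C:\WINDOWS\system32\blashone.dll"
JAVA_LOG = """Process start at 01/06/2010-18:43:51.
Process start at 01/07/2010-01:43:03.
Process start at 01/07/2010-14:20:03."""
CACHE = r"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\22"
CACHE_FILES = {
    CACHE + r"\60400856-71715a19": "January 06, 2010, 6:43:52 PM",
    CACHE + r"\60400856-71715a19.idx": "January 06, 2010, 6:43:52 PM",
}

DSS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\d+\s+\S+\s+(.+)$")
JAVA_RE = re.compile(r"Process start at (\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d)\.")

def build_timeline():
    """Normalise the three timestamp formats into sorted (time, kind, detail) tuples."""
    events = []
    for line in DSS_LOG.splitlines():
        m = DSS_RE.match(line)
        if m:
            events.append((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), "file", m[2]))
    for ts in JAVA_RE.findall(JAVA_LOG):
        events.append((datetime.strptime(ts, "%m/%d/%Y-%H:%M:%S"), "java", "process start"))
    for path, ts in CACHE_FILES.items():
        events.append((datetime.strptime(ts, "%B %d, %Y, %I:%M:%S %p"), "file", path))
    return sorted(events)

def cluster(events, gap=timedelta(seconds=10)):  # 10 s window is an assumption
    """Group consecutive events that are at most `gap` apart."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def files_after_java_start(groups):
    """Files created in a cluster that opens with a Java process start."""
    return [d for g in groups if g[0][1] == "java" for _, kind, d in g if kind == "file"]

if __name__ == "__main__":
    for group in cluster(build_timeline()):
        print("--- cluster ---")
        for when, kind, detail in group:
            print(when.isoformat(sep=" "), kind, detail)
```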


#3 DTT


Posted 07 January 2010 - 05:54 PM

DING! Found the infection. I'm infected with: JAVA_BYTEVER.AT, file: 604008~1
http://threatinfo.trendmicro.com/vinfo/vir...JAVA_BYTEVER.AT

It also recorded dss as an infection: dss.exe
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=TROJ_Generic

I think it's just a false positive with the second one.

#4 Orange Blossom

  • Moderator

Posted 07 January 2010 - 07:36 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/285144/infected-with-java-byteverat/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



