JAVA/Dldr.Ag.DIVV or JAVA/Agent.2972 - Any cause for concern?



#1 number9dream
Posted 07 May 2010 - 10:17 AM

Hello!

After running a scan the other day, Avira found the following:

The file 'C:\Documents and Settings\Jonathan Walsh\Application Data\Sun\Java\Deployment\cache\6.0\56\45a35b8-547603b4'
contained a virus or unwanted program 'JAVA/Agent.2972' [virus]
Action(s) taken:
The file was moved to the quarantine directory under the name '49152862.qua'.


I wasn't able to find any information on this when googling except for its recent addition to the definition files, so I restored the file and uploaded it to virustotal:
http://www.virustotal.com/sv/analisis/7c0c...2b3f-1273240342

Virustotal lists it as:
AntiVir - 8.2.1.236 2010.05.07 - JAVA/Dldr.Ag.DIVV
Antiy-AVL - 2.0.3.7 2010.05.07 - Trojan/Java.Agent
Avast5 - 5.0.332.0 2010.05.07 - Java:Djewers-H
Kaspersky - 7.0.0.125 2010.05.07 - Trojan-Downloader.Java.Agent.bj
McAfee - 5.400.0.1158 2010.05.07 - Exploit-CVE2008-5353
NOD32 - 5095 2010.05.07 - a variant of Java/TrojanDownloader.Agent.NAN
Sophos - 4.53.0 2010.05.07 - Troj/JavaDl-P

I'm not sure what to make of this. Googling the "Exploit-CVE2008-5353" and "Java:Djewers-H" seems to indicate it's an exploit targeting a much older version of JRE than what I had running (I noticed I was running JRE 19 so I updated it to the latest available, however 19 is still far newer than the ones listed as being exploited by this). Does this mean that this exploit was basically harmless, and so I should not be worried about it having done anything untoward while it was present?

What does it mean when my Avira version gives a different definition of the virus than the one listed on Virus Total (JAVA/Dldr.Ag.DIVV vs JAVA/Agent.2972) - is it just different naming formats? I can't find either in their virus description database... http://www.avira.com/en/threats/index.html

There was another detection when running an Adaware scan (but from Avira):

The file 'C:\System Volume Information\_restore{8E0C82EF-7856-424E-A5A1-35D47DE1A02B}\RP189\A0022272.exe'
contained a virus or unwanted program 'TR/Trash.Gen' [trojan]
Action(s) taken:
The file was moved to the quarantine directory under the name '4f3b5440.qua'.

Is my assumption that this could simply be the same file being detected but in its system restore form, correct, or is it a sign of something else being wrong?

In addition, Malwarebytes and SuperAntiSpyware detected some QQ Messenger files as being spyware - TXOPShow.exe and Selfupdate.exe respectively (oddly enough not the same files, and the one I tested was listed as clean by VirusTotal). QQ is a Chinese instant messenger, with perhaps not the best reputation, so I decided to delete it even though I suspect these were false positives. I doubt it's related but I figured I should mention it anyway in case I am wrong.

I have not noticed anything that would indicate anything is wrong, but I always feel slightly paranoid when something is detected :thumbsup:

Thanks for any help you can provide!

#2 boopme
Posted 07 May 2010 - 11:12 AM

Hello, yes it may be in System Restore and we will get to it.

What JAVA version is on here?
Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 number9dream
Posted 07 May 2010 - 12:57 PM

Did you mean to write safe-mode the first time or should I run the scan in normal mode AND reboot into normal mode?

#4 boopme
Posted 07 May 2010 - 01:10 PM

Hi, as for MBAM...
Scanning with MBAM in safe or normal mode will work, but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running, so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running, so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. A safe mode scan should only be done when a regular mode scan fails.

#5 number9dream
Posted 07 May 2010 - 01:16 PM

Oh that's interesting, thanks. Will report back after I scan.

As for Java, the only version I can see in add/remove programs (even with show updates enabled) is Java 6 Update 20. I upgraded today, but I believe the previous version I had installed was 19.

Edited by number9dream, 07 May 2010 - 01:19 PM.


#6 boopme
Posted 07 May 2010 - 01:33 PM

Ok, that's good, as it appeared some malware may have been exploiting an older version of JAVA. Update Adobe too if you use them. They like to get in through there also.

#7 number9dream
Posted 07 May 2010 - 01:51 PM

Adobe Flash is up to date, and I use Sumatra for PDFs. I think that's about it for Adobe software on my computer.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4076

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-05-07 20:48:49
mbam-log-2010-05-07 (20-48-49).txt

Scan type: Quick scan
Objects scanned: 122788
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by number9dream, 07 May 2010 - 01:51 PM.


#8 boopme
Posted 07 May 2010 - 02:18 PM

Oops, I also wanted you to remove older Java versions in CP and reboot after that.

How is it running now?

Let's run an online scan with ESET:

Please perform a scan with the ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (Please be patient, as the scan could take some time to complete.)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#9 number9dream
Posted 07 May 2010 - 03:05 PM

Well, that's the strange thing - I don't see any older versions listed under Control Panel -> Add/Remove, even with "show updates" clicked. Will run ESET now.

#10 boopme
Posted 07 May 2010 - 04:07 PM

At least that's a good thing.

#11 number9dream
Posted 07 May 2010 - 05:41 PM

ESET finished, 6 listed infections, however I believe all are false positives. First of all, they are all from things I saved from an old drive.

The wmode.bwl files are from a tool made to run Starcraft in windowed mode, which is very widely used and definitely legit. The Cardoza file is from a poker room on the iPoker network, and their installer has often come up when I run scans. It's a really big network so it's also harmless, but since I no longer play on there I'll delete it anyway. Klitekpp210e.exe... I guess it's an old Kazaa Lite installer, no idea why I still have it lying around. It probably hasn't been touched in 5+ years though, so deleting that as well.

F:\C Backups\spel\starcraft\chaos\wmode.bwl probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
F:\C Backups\spel\starcraft\Chaoslauncher\wmode.bwl probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
F:\C_backups 2\Poker\Poker Cardoza\_SetupPoker.exe Win32/PTCasino application cleaned by deleting - quarantined
F:\C_backups 2\spel\Starcraft\chaoslauncher\wmode.bwl probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
F:\C_backups 2\spel\Starcraft\ICCup Launcher\wmode.bwl probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
F:\Gamla filer_d\Filer fran gamla harddisken\Mina mottagna filer\klitekpp210e.exe probably a variant of Win32/TrojanDownloader.VB trojan deleted - quarantined

Edited by number9dream, 07 May 2010 - 05:45 PM.


#12 boopme
Posted 07 May 2010 - 06:17 PM

Hi ...OK, I understand what you are saying on these items. How is it running now? You should update and scan again with Avira.
If all's good now we'll mop up.

Read all, but note item 3 here about online games: How Malware Spreads - How did I get infected

#13 number9dream
Posted 07 May 2010 - 09:01 PM

Well the computer has been running completely fine all along so there's no difference, which is good =]

I see the point (item 3), but in this case it's a well known false positive (for example, see here: https://forum.f-prot.com/index.php?topic=1529.0), and none of those items have been touched since the installation I'm on was made so at least in this instance, they are not the source.

I'm running another Avira scan now, but gonna take a while so will post back with what it says tomorrow (it did turn up clean last time I scanned btw, after it had removed the infections listed in OP). Thanks for the help!

#14 boopme
Posted 07 May 2010 - 09:10 PM

There are times when a malware tool cannot tell if it's a good or bad file, only that what it sees it doing is bad, and it flags it. An example is sometimes your AV scan will pick up, say, a tool like SmitFraud Fix and say it is bad. It's only reacting to the file's function, not its purpose. At least the AV is doing its job. You can set the scanner tool to ignore such files by unchecking or telling it to ignore them when found.

#15 number9dream
Posted 08 May 2010 - 06:42 AM

Oh I'm not complaining :thumbsup: I'd rather have a thousand false positives than a false negative after all...

Scan went fine, found nothing at all. Btw, I read somewhere that in order to do a complete scan, System Restore needs to be disabled; is this true?