
Unsure if infected


3 replies to this topic

#1 AbeN468

Posted 23 February 2011 - 01:13 AM

Hello all,

So I was fixing someone's computer and thought I'd run a few scans on my own laptop just for the heck of it (I haven't been experiencing anything strange that would make me think I have a virus, etc.). I ran Malwarebytes and found the following two things, which kind of surprised me:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\bisoft (Worm.Bagle) -> Quarantined and deleted successfully.
Folders Infected:
c:\Users\Abe\AppData\Roaming\drivers\downld (Worm.Bagle) -> Quarantined and deleted successfully.

I wasn't too worried though because it was just a folder, and there were no actual files found. To be safe though, last night I ran a boot scan using Avast Antivirus (I have the free edition), and it found a few Java-related things. One of them had the [Heur] tag, so I thought it might be a false positive, but the others didn't have this tag. I chose to move everything to the chest. I can't find the log file, but a quick look at the virus chest shows these:

Name: bpac\oo.class
Location: C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\29faa9e7-36025192
Virus: Java:Jade-AB [Heur]

Name: Keyworq.class
Location: C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\6ca16228-1dd770a7
Virus: Other:Malware-gen

Name: Uutecwv.class
Location: C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\6ca16228-1dd770a7
Virus: Java:Djewers-n [Trj]

Name: yandex\xmlparser.class
Location: C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\29faa9e7-36025192
Virus: Other:Malware-gen

I replaced my actual user with Me, btw. Anyway, another interesting thing is that after running the Avast boot-time scan, my Windows copy is now saying it's not genuine. I'm thinking that'll go away after I restart though, because I've seen that happen before with Avast boot-time scans. So, I guess I'm wondering if this was a real virus I had and if so, is there anything more I should do other than maybe double check that Malwarebytes and Avast still come up clean? Thanks for any help!

-AbeN468


#2 Blade

Posted 03 March 2011 - 08:45 PM

Hello.

How's the computer running?



#3 AbeN468

Posted 09 March 2011 - 12:39 AM

Hi, the computer is running fine still. I'm just concerned because I really didn't expect there to be anything showing up on the scans and wondering if these are false positives or real. And also if I should do anything else to make sure I'm clean.

Edit: I should also note that I found similar Java viruses on another computer in the house using the Avast boot-time scan, which I cleaned using Avast as well. Also, with both these computers, for some reason when I deleted these entries or moved them to the chest, the next time the computer started up it said my copies of Windows were not genuine. A quick restart fixed it, but I thought I would mention it in case anyone thought it was important.

Edited by AbeN468, 09 March 2011 - 12:41 AM.


#4 Blade

Posted 09 March 2011 - 01:25 PM

Hello.

I'd clear out the Java cache just to be safe. . . but I think you should be good to go.

This tool will help with that.

Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies.)
Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



Hope that helps.

~Blade

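Before the cache is wiped, it helps to know where each flagged entry came from. This PowerShell script is an added example, not code from the thread, from BleepingComputer or from TFC; it assumes the Java 6 cache layout quoted in the first post (a cached jar stored as `...\cache\6.0\<n>\<id>` with a companion `<id>.idx` metadata file that records the source URL).

```powershell
# Added triage example (not from the thread or from TFC): list every cached
# Java applet / Web Start entry on the machine together with the origin URL
# recorded in its companion .idx metadata file. Assumes the Java 6 layout
# quoted in the first post: ...\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\<n>\<id>
# holds the cached jar, and <id>.idx sits beside it.

$entries = foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $cache = Join-Path $profile.FullName 'AppData\LocalLow\Sun\Java\Deployment\cache\6.0'
    if (-not (Test-Path -LiteralPath $cache)) { continue }

    Get-ChildItem -Path $cache -Recurse -File |
        Where-Object { $_.Extension -ne '.idx' } |
        ForEach-Object {
            $idx    = "$($_.FullName).idx"
            $origin = ''
            if (Test-Path -LiteralPath $idx) {
                # The .idx file mixes binary fields with plain-text strings; decoding it
                # as Latin-1 keeps every byte intact so a simple URL pattern can be matched.
                $bytes = [System.IO.File]::ReadAllBytes($idx)
                $text  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
                if ($text -match 'https?://[^\x00-\x20"]+') { $origin = $Matches[0] }
            }
            [pscustomobject]@{
                Profile  = $profile.Name
                Entry    = $_.Name
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                Modified = $_.LastWriteTime
                Origin   = $origin
            }
        }
}

# Newest entries first: those written around the time the scanner fired are the
# most interesting, and an Origin you do not recognise deserves a closer look
# before the cache is cleared (TFC or the Java control panel does that afterwards).
$entries | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so every profile's LocalLow folder is readable; entries whose Origin is blank simply have no URL stored in their .idx file.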




