
Is this a virus?


5 replies to this topic

#1 pinballpanda

pinballpanda

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 26 December 2011 - 09:30 AM

Hello,

I was doing my normal internet morning read-around and noticed the Java console was open. I checked the Java cache and noticed something called ropan.jar was in it (it was the only thing listed, in fact). It says it came from h3dlio.com/ropan.jar (it's an E instead of a 3; I didn't want to post a clickable link just in case). Anyhow, Avast! never gave me a popup warning about it, and I used the URL scan on VirusTotal to scan the site; they claim it's clean. I used the URL scan as I deleted the file before thinking about VirusTotal.

I'm running Malwarebytes right now so far it hasn't picked up anything.

Just a fair warning about me: I'm a little paranoid about viruses and things like that, so anything like this makes me jump about a foot :).
I usually end up reformatting if my anti-virus ever blocks anything, but seeing as I just did my bi-yearly reformat and reinstall, I don't really feel like doing it again, so I thought I'd ask you experts.

Thanks!


Update:

Malwarebytes found nothing however superantispyware found this:

Heur.Agent/Gen-FakeIE
C:\WINDOWS\INSTALLER\{1AEFA7BC-4F05-4D9B-A7FD-1E18A17BE28D}\ICON1AEFA7BC3.EXE

Edited by pinballpanda, 26 December 2011 - 12:06 PM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:38 PM

Posted 30 December 2011 - 11:56 AM

Hello and welcome.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 pinballpanda

pinballpanda
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 30 December 2011 - 10:02 PM

Hello,

Thanks for the reply. I've since restored the PC using an old shadow I had, but really my question now is: was that a virus? Is there some place where we could send that link to get looked into? Or does someone here know how to look into stuff like that?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:38 PM

Posted 30 December 2011 - 10:36 PM

This is possibly a false positive. We should double check it before we take action.

You have already submitted to VirusTotal and it was clean. You can also use Jotti and your AV's file check.
I am talking about this one... h3dlio.com/ropan.jar

JAR (for Java Archive) is an archive file format typically used to aggregate many Java class files and associated metadata and resources (text, images and so on) into one file to distribute application software or libraries on the Java platform.
Source: http://en.wikipedia.org/wiki/JAR_(file_format)


Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button, navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.



Is your Java up to date?
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
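The advice above is to get a second opinion on the file rather than run it. As an added example (not part of this thread, and not a BleepingComputer or moderator tool), the Python script below shows what such a pre-submission look at a JAR involves: it hashes the file so the hash can be looked up on VirusTotal or Jotti, lists the archive entries, parses META-INF/MANIFEST.MF, and notes whether the archive carries a signature and whether every .class entry actually starts with the Java class-file magic. The JAR it examines is constructed in memory for the example; the entry names (Loader.class, data/blob.bin) and the manifest values are made up and have nothing to do with ropan.jar, which the poster no longer has.

```python
"""Offline triage of a suspicious .jar file before submitting it for a second
opinion. Added example for this thread; the sample JAR is constructed here so
the script runs without any real file."""
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file begins with these four bytes


def build_sample_jar() -> bytes:
    """Build a small JAR (a ZIP with a manifest) entirely in memory.
    All names and contents are made up for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_PATH,
                    "Manifest-Version: 1.0\r\n"
                    "Main-Class: Loader\r\n"
                    "Created-By: 1.6.0_29 (Sun Microsystems Inc.)\r\n\r\n")
        zf.writestr("Loader.class", CLASS_MAGIC + b"\x00" * 12)  # real magic, dummy body
        zf.writestr("data/blob.bin", b"\x90" * 64)                # non-class resource entry
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Turn the main section of MANIFEST.MF into a dict of 'Name: value' pairs.
    A line starting with a space continues the previous value (JAR spec);
    the main section ends at the first blank line."""
    headers = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            headers[last] = value.strip()
    return headers


def triage_jar(data: bytes) -> dict:
    """Inspect JAR bytes without executing anything: hash for lookup, list
    entries, read the manifest, check for a signature and for class magic."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # value to search on VirusTotal/Jotti
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
    }
    if not report["is_zip"]:
        return report  # not a JAR at all; the hash is still worth submitting
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["entries"] = names
        if MANIFEST_PATH in names:
            report["manifest"] = parse_manifest(zf.read(MANIFEST_PATH).decode("utf-8", "replace"))
        else:
            report["manifest"] = {}
        # A signed JAR carries META-INF/*.SF plus a *.RSA/*.DSA/*.EC signature block.
        report["signed"] = any(
            n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC"))
            for n in names
        )
        class_entries = [n for n in names if n.endswith(".class")]
        report["class_count"] = len(class_entries)
        # A .class entry that lacks the magic is not bytecode; worth flagging.
        report["bad_class_magic"] = [n for n in class_entries if not zf.read(n).startswith(CLASS_MAGIC)]
    # Main-Class means the archive is runnable with `java -jar`, not just a library.
    report["has_main_class"] = "Main-Class" in report["manifest"]
    return report


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

Run it against a real archive by reading the file's bytes and passing them to triage_jar; the sha256 line is the value to paste into the VirusTotal or Jotti search box, which avoids uploading the file at all if someone has already submitted it.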

#5 pinballpanda

pinballpanda
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 31 December 2011 - 12:40 AM

Hello,

As you said, the URL scan of VirusTotal said it was clean, and I don't have the file anymore (DBAN and shadow took care of that), so I guess we're done. Thanks for the advice and reinforcement that I took the right steps (VirusTotal/MBAM etc....).

One last question: can I disable Java? I only use it for OpenOffice and Minecraft; I really don't care about anything else Java related, especially applets.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:38 PM

Posted 31 December 2011 - 07:43 PM

You're welcome. Whether you disable Java or not be sure it stays updated. Almost all updates are for security reasons.

To enable or disable Java in Internet Explorer:

1. From the Tools menu, or the Tools drop-down in the upper right, select Internet Options...
2. Click the Programs tab, and then click Manage Add-ons.
3. Highlight Java Plug-in.
4. Click Disable (located under "Settings" in version 7).
5. Click OK twice.



