
MSE found Java exploits in Appdata


11 replies to this topic

#1 karlstad1336


Posted 05 January 2012 - 11:56 PM

Hello everyone, recently Microsoft Security Essentials (MSE) picked up Java exploits in Java's appdata directory. The first time, MSE found these two: (I've edited out my username)

Exploit:Java/CVE-2010-0840.NS
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad->xmltree/opkat.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5->xmltree/opkat.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c->xmltree/opkat.class
Exploit:Java/CVE-2011-3544.L
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\5d6255db-527e9f3c
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\13c9a6b2-27203453
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6b3b7a86-77a88682
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\5d6255db-527e9f3c->ropan.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\13c9a6b2-27203453->ropan.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6b3b7a86-77a88682->ropan.class


I removed them with MSE, and today it found these. Two of them reoccurred and a third one appeared.


Exploit:Java/CVE-2010-0840.NS
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae->xmltree/opkat.class
Exploit:Java/CVE-2011-3544.L
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\70e83d9f-2dbfe639
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\70e83d9f-2dbfe639->notana.class
Exploit:Java/CVE-2010-0840.NU
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817->xmltree/kondar.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817->xmltree/pleno.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817->xmltree/rendom.class


Malwarebytes and Spybot S&D have come up clean. I am using Windows 7 Professional, Firefox 8/9, and Chrome, with real-time protection from MSE. My Java is "Java 6 Update 30" and Firefox's plugin check tells me my Java plugins are up to date.

What is going on? How can I make sure my computer is clean and avoid getting reinfected?
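An added example (mine, not the poster's or BleepingComputer's) that parses the two MSE listings above and compares them. It shows what the "reoccurrence" actually consists of: the same signatures and the same class names came back, but in cache entries that did not exist in the first scan, so these were freshly cached applets rather than files that survived removal. The parser assumes the three line kinds visible in the post (a signature line, `containerfile:` lines, and `file:` lines whose `->` separates the cache entry from the class inside it); the listings are reproduced from the post with the poster's `<username>` placeholder kept.

```python
import re

# Constructed input: the two MSE listings from the post above, with the
# poster's own "<username>" placeholder kept. Raw strings keep the backslashes.
SCAN_1 = r"""
Exploit:Java/CVE-2010-0840.NS
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\a6b54d1-32e02dad->xmltree/opkat.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\375f92ff-7087b1b5->xmltree/opkat.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\511051c6-4563122c->xmltree/opkat.class
Exploit:Java/CVE-2011-3544.L
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\5d6255db-527e9f3c
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\13c9a6b2-27203453
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6b3b7a86-77a88682
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\5d6255db-527e9f3c->ropan.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\13c9a6b2-27203453->ropan.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\6b3b7a86-77a88682->ropan.class
"""

SCAN_2 = r"""
Exploit:Java/CVE-2010-0840.NS
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae->xmltree/armin.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae->xmltree/erandus.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-20d4d7ae->xmltree/opkat.class
Exploit:Java/CVE-2011-3544.L
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\70e83d9f-2dbfe639
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\70e83d9f-2dbfe639->notana.class
Exploit:Java/CVE-2010-0840.NU
containerfile:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817->xmltree/kondar.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817->xmltree/pleno.class
file:C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\6e684651-356b3817->xmltree/rendom.class
"""

# Java deployment cache layout as seen in the post: ...\cache\<version>\<bucket>\<id>-<id>
CACHE_ENTRY_RE = re.compile(r"[\\/]cache[\\/]([\d.]+)[\\/](\d+)[\\/]([0-9a-f]+-[0-9a-f]+)$", re.I)


def parse_mse_listing(text):
    """Group an MSE listing as {signature: {"containers": set, "members": set}}.
    A member is a (container_path, entry_inside_container) pair."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, sep, rest = line.partition(":")
        if kind in ("containerfile", "file") and current is None:
            raise ValueError("file line before any signature: %r" % line)
        if kind == "containerfile":
            result[current]["containers"].add(rest)
        elif kind == "file":
            container, _, member = rest.partition("->")
            result[current]["members"].add((container, member))
        elif sep and "/" in rest:  # e.g. Exploit:Java/CVE-2010-0840.NS
            current = line
            result.setdefault(current, {"containers": set(), "members": set()})
        else:
            raise ValueError("unrecognised line: %r" % line)
    return result


def cache_entry(path):
    """Return 'bucket/id' for a deployment-cache path, or None if it is not one."""
    m = CACHE_ENTRY_RE.search(path)
    return "%s/%s" % (m.group(2), m.group(3)) if m else None


def compare_scans(first_text, second_text):
    """Which signatures recurred, which are new, and whether any recurring
    signature points at a cache entry that already existed in the first scan."""
    a, b = parse_mse_listing(first_text), parse_mse_listing(second_text)
    recurring = sorted(set(a) & set(b))
    report = {"recurring": recurring, "new": sorted(set(b) - set(a)),
              "reused_entries": {}, "shared_members": {}}
    for sig in recurring:
        ea = {cache_entry(c) for c in a[sig]["containers"]} - {None}
        eb = {cache_entry(c) for c in b[sig]["containers"]} - {None}
        report["reused_entries"][sig] = sorted(ea & eb)
        ma = {m for _, m in a[sig]["members"]}
        mb = {m for _, m in b[sig]["members"]}
        report["shared_members"][sig] = sorted(ma & mb)
    return report


if __name__ == "__main__":
    for key, value in compare_scans(SCAN_1, SCAN_2).items():
        print(key, value)
```

The comparison comes out with no reused cache entries for either recurring signature, while the class names under CVE-2010-0840.NS are identical across both scans: the same applet was fetched and cached again after the first cleanup, which matches the helper's reading in this thread (cached material from a page visit, not an active infection) and explains why the full scans afterwards were clean. Both CVEs were patched in Java 6 updates earlier than the poster's 6 Update 30, so clearing the deployment cache from the Java Control Panel and keeping the JRE current is the practical response.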



#2 cryptodan


Posted 06 January 2012 - 12:13 AM

More than likely a false positive:

Please download and run Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#3 karlstad1336


Posted 06 January 2012 - 12:28 AM

Done.

Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Java™ 6 Update 30
Mozilla Firefox (9.0.1)
Mozilla Thunderbird 5.0. Thunderbird out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Spybot Teatimer.exe is disabled!
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

#4 cryptodan


Posted 06 January 2012 - 12:44 AM

Does MSE constantly show this?

Try running Temp File Cleaner and clean out your temp files.

#5 karlstad1336


Posted 06 January 2012 - 01:00 AM

Not constantly. After I posted the Security Check log I ran an MSE scan of the appdata directory and a quick scan; both came up clean.

I ran TFC and rebooted. It said it removed about 1.1 GB of temp files.

Edit: After TFC, it seems that it reset my Folder Options. Is there anything else it might have affected?

Edited by karlstad1336, 06 January 2012 - 01:02 AM.


#6 cryptodan


Posted 06 January 2012 - 01:06 AM

TFC should not have messed up your folder options.

Run a full scan with MSE now.

#7 karlstad1336


Posted 06 January 2012 - 01:12 AM

Alright. I'll run a full scan; it'll probably take overnight, so I'll get back to you tomorrow.

Thank you for your help. :)

#8 cryptodan


Posted 06 January 2012 - 01:14 AM

You are welcome.

#9 karlstad1336


Posted 06 January 2012 - 12:06 PM

MSE full scan came up clean.

#10 cryptodan


Posted 06 January 2012 - 12:27 PM

Then consider it a false positive. Those files were probably old ones.

#11 karlstad1336


Posted 06 January 2012 - 12:34 PM

Thank you.

I'll continue to do scans about once a week. If MSE picks up the same issue again, do I bump this thread or start a new one?

#12 cryptodan


Posted 06 January 2012 - 12:48 PM

You can post here.



