
ESET found something but unsure how to proceed.


9 replies to this topic

#1 Nawtheasta

  • Members
  • 403 posts
  • Location:New England, USA

Posted 29 April 2012 - 05:10 PM

Hello ALL
I have had ESET security on my son's laptop since last April. It has been scanning at start up and doing what it is supposed to. Recently he started having some breaking up of sound.
The MS jingle at start up and sometimes songs he plays. I thought it prudent to do some scans just to make sure no malware has snuck in.

Updated and did a quick scan with MBAM. Nothing found

Did an ESET smart scan and it listed threats as “4 infiltrations”.
It stated it could not clean automatically and to pick a manual action. It does not list "clean" as an option.

Only actions listed are:

Delete
Or
No action taken

I am reluctant to simply delete these without getting some outside advice.

Input from BC friends would be appreciated.

This is what is listed as found by ESET:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\4ef244d4-49cf35e6 multiple threats No action

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\124509c7-563d8dc7 a variant of Java/TrojanDownloader.Agent.NDJ trojan No action


Best Regards
Nawtheasta


#2 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 29 April 2012 - 06:06 PM

Please download and run Temp File Cleaner and then do the following:

Please download and run Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 April 2012 - 08:37 PM

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out:

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
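As an added triage example (not from the thread, and not ESET's or Oracle's code): a Python script that walks a copy of the deployment cache tree described in the reply above, picks out payload files that are ZIP/JAR archives, and lists their .class members together with a SHA-256 of each archive, so a verdict like `4ef244d4-49cf35e6 » ZIP » xmltree/kolan.class` can be reproduced and the hash looked up before deciding whether to delete. The `<name>-<hash>` payload plus `<name>-<hash>.idx` index pairing is the cache layout this script assumes; the sample cache is constructed in a temporary directory and reuses the file and class names from the scan log in this thread purely as placeholders.

```python
"""Inventory ZIP/JAR payloads in a Java deployment cache (added example).

Assumed layout (not confirmed by the thread): <cache>/6.0/<bucket>/<name>-<hash>
holds the downloaded resource and <name>-<hash>.idx holds its index metadata.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every ZIP/JAR


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large payloads are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_cache(cache_root):
    """Return one record per ZIP/JAR payload found under cache_root.

    Each record carries the cache-relative path, the archive hash, and the
    sorted list of .class members, which is what an AV log line names.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(cache_root):
        for name in sorted(files):
            if name.endswith(".idx"):
                continue  # index/metadata file, not a payload
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                magic = fh.read(4)
            if magic != ZIP_MAGIC:
                continue  # images, descriptors, etc. are not archives
            try:
                with zipfile.ZipFile(path) as archive:
                    members = archive.namelist()
            except zipfile.BadZipFile:
                members = []  # truncated or corrupt archive: still report it
            classes = sorted(m for m in members if m.endswith(".class"))
            findings.append({
                "entry": os.path.relpath(path, cache_root).replace(os.sep, "/"),
                "sha256": sha256_of(path),
                "class_count": len(classes),
                "classes": classes,
            })
    return findings


def build_sample_cache(root):
    """Constructed sample: one JAR payload with three classes, its .idx, and a non-archive."""
    bucket = os.path.join(root, "6.0", "20")
    os.makedirs(bucket)
    jar_path = os.path.join(bucket, "4ef244d4-49cf35e6")  # name reused from the scan log
    with zipfile.ZipFile(jar_path, "w") as archive:
        for cls in ("xmltree/kolan.class", "xmltree/londa.class", "xmltree/peqras.class"):
            archive.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only; placeholder bytes
    with open(jar_path + ".idx", "wb") as fh:
        fh.write(b"\x00" * 16)  # placeholder index file, must be skipped
    with open(os.path.join(bucket, "00000000-00000000"), "wb") as fh:
        fh.write(b"GIF89a")  # non-archive resource, must be ignored
    return root


def demo():
    """Build the constructed cache in a temp dir, inspect it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="jcache_")
    try:
        build_sample_cache(root)
        return inspect_cache(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item in demo():
        print(item["entry"], item["sha256"][:16], item["class_count"], item["classes"])
```

Point `inspect_cache()` at a copied cache folder rather than the live one on the affected machine, so nothing in the original tree is touched while the hashes and class lists are being compared against the scanner's report.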

#4 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 01 May 2012 - 02:48 PM

Hi Boopme
Thanks for getting back to me. This is my son's computer so I try to work on it as time allows. Also he has no symptoms of infection, just ESET scan results that indicate some bad items. With the exception of Windows temporary files I have deleted what you advised. I opened the temp folder with %temp%. I saw files and folders there but was reluctant to delete them without knowing what I was looking at.
( I apologize if I am being overly cautious about this)
I tried to look for the files manually but see no NetworkService folder in Documents and Settings.
I am showing the ESET scan in full. The first 4 items seem to be the ones in question. ESET does not have a "clean" option for these but does have a delete option.
Please let me know what you think I should try, or, if these are just remnants, possibly leaving them would cause no harm.

Best Regards
Nawtheasta


Scan Log
Version of virus signature database: 7101 (20120501)
Date: 5/1/2012 Time: 12:28:49 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
C:\pagefile.sys - error opening [4]

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\4ef244d4-49cf35e6 » ZIP » xmltree/kolan.class - a variant of Java/Agent.DZ Trojan

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\4ef244d4-49cf35e6 » ZIP » xmltree/londa.class - a variant of Java/TrojanDownloader.Agent.NDJ Trojan

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\4ef244d4-49cf35e6 » ZIP » xmltree/peqras.class - a variant of Java/TrojanDownloader.Agent.NDJ Trojan

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\7\124509c7-563d8dc7 » ZIP » andora.class - a variant of Java/TrojanDownloader.Agent.NDJ Trojan


C:\Documents and Settings\OEM PreInstall\Local Settings\Application Data\Identities\{F5E1D61C-4721-4147-9F50-5B5FAB868209}\Microsoft\Outlook Express\Deleted Items.dbx » DBX - is OK (internal scanning not performed)

C:\Documents and Settings\OEM PreInstall\Local Settings\Application Data\Identities\{F5E1D61C-4721-4147-9F50-5B5FAB868209}\Microsoft\Outlook Express\Outbox.dbx » DBX - is OK (internal scanning not performed)

C:\Program Files\Incredible Technologies\Golden Tee Golf\Suite-III\AutoPlay\Suite3.cdd » ZIP » _detect.dat - error - password-protected file

C:\Program Files\Incredible Technologies\Golden Tee Golf\Suite-III\AutoPlay\Suite3.cdd » ZIP » _proj.dat - error - password-protected file

C:\Program Files\Incredible Technologies\Golden Tee Golf\Suite-III\AutoPlay\Suite3.cdd » ZIP » _fonts.dat - error - password-protected file

C:\Program Files\Microsoft CAPICOM 2.1.0.2\License\license.mht » MIME - is OK (internal scanning not performed)

Number of scanned objects: 158307
Number of threats found: 4
Number of cleaned objects: 0
Time of completion: 1:35:06 PM Total scanning time: 3977 sec (01:06:17)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 May 2012 - 07:01 PM

You're welcome.

There may be exploitable Java on here; we'll check.

You can clean the TEMP with this safely.

Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

#6 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 05 May 2012 - 04:01 PM

Hi Boopme May 5, 2012
Thanks for the advice. I downloaded and ran TFC by OT (Temp File Cleaner).
I noticed during the cleaning that it cleaned some Java items. When complete it did ask for a reboot.
After the reboot I thought I would try the ESET smart scan before the mini toolbox. ESET smart scan was the AV tool that found the bad items originally. The ESET scan came up clean. :thumbsup: Updated and ran MBAM which also came up clean.
At this point I think we are all set (??) If you think more should be done please let me know.
I thank you very much for your help.
Best Regards
Nawtheasta

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 May 2012 - 04:12 PM

Run Mini with only these checked ..


  • List content of Hosts
  • List Installed Programs
or tell me what versions (if installed) are Adobe Reader and Java

You're welcome.

Edited by boopme, 05 May 2012 - 04:13 PM.


#8 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 05 May 2012 - 08:38 PM

Hi Boopme
Here is the mini toolbox log. Thanks again for your input. Best Regards, Nawtheasta


MiniToolBox by Farbar Version: 18-01-2012
Ran by OEM PreInstall (administrator) on 05-05-2012 at 21:33:55
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 7.1.4)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.63)
Adobe Flash Player 11 Plugin (Version: 11.2.202.228)
Adobe Reader X (10.1.3) (Version: 10.1.3)
aiofw (Version: 3.20.0000.0000)
aioprnt (Version: 3.20.0000.0000)
aioscnnr (Version: 3.20.0000.0000)
Apple Application Support (Version: 1.5.0)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
Bonjour (Version: 2.0.4.0)
BufferChm (Version: 140.0.212.000)
C410 (Version: 140.0.273.000)
center (Version: 3.20.0000.0000)
Conexant AC-Link 2 Channel Audio
CouponBar
Destinations (Version: 140.0.77.000)
DeviceDiscovery (Version: 140.0.212.000)
DocProc (Version: 140.0.99.000)
ESET Online Scanner v3
ESET Smart Security (Version: 4.2.71.2)
Ezonics Greeting Cam Deluxe
EZPhoto Browser (Version: 2.1)
EZPhoto Tools (Version: 2.1)
EZSuite For Video Chat Kit (Version: 1.0)
EZVideo Chat 2.0
Fax (Version: 140.0.212.000)
GPBaseService2 (Version: 140.0.211.000)
HP Customer Participation Program 14.0 (Version: 14.0)
HP Imaging Device Functions 14.0 (Version: 14.0)
HP Photo Creations (Version: 1.0.0.2024)
HP Photosmart Prem C410 All-In-One Driver Software 14.0 Rel. 7 (Version: 14.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 14.0 (Version: 14.0)
HP Update (Version: 5.002.002.002)
HPAppStudio (Version: 140.0.95.000)
HPProductAssistant (Version: 140.0.212.000)
HPSSupply (Version: 140.0.211.000)
Intel® Extreme Graphics 2 Driver (Version: 6.14.10.4421)
ISO Recorder (Version: 2.0.0)
iTunes (Version: 10.2.1.1)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
KODAK All-in-One Printer Software (Version: 3.20.0.0)
ksDIP (Version: 3.20.0000.0000)
KwiClick (Version: 2.7)
Living 3D Dolphin (Version: 1.0.2)
Malwarebytes Anti-Malware version 1.61.0.1400 (Version: 1.61.0.1400)
MarketResearch (Version: 140.0.212.000)
Maxtor Manager (Version: 4.02.0303)
McAfee SiteAdvisor (Version: 3.4.195)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight (Version: 4.1.10111.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox 10.0.4 (x86 en-US) (Version: 10.0.4)
MSN
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
Network (Version: 140.0.215.000)
Nickelodeon Toon Twister 3-D
OCR Software by I.R.I.S. 14.0 (Version: 14.0)
PreReq (Version: 3.20.0000.0000)
PS_AIO_07_C410_SW_Min (Version: 140.0.273.000)
QuickTime (Version: 7.69.80.9)
QuickTransfer (Version: 140.0.98.000)
Scan (Version: 140.0.80.000)
Secunia PSI (2.0.0.3003)
Shop for HP Supplies (Version: 14.0)
SmartWebPrinting (Version: 140.0.186.000)
Soft Data Fax Modem with SmartCP
SolutionCenter (Version: 140.0.214.000)
SpongeBob SquarePants Employee of the Month
Status (Version: 140.0.256.000)
Texas Instruments PCIxx21/x515 drivers. (Version: 1.09.0000)
TIxx21 (Version: 1.09.0000)
Toolbox (Version: 140.0.428.000)
TrayApp (Version: 140.0.212.000)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
USB PC Camera
VLC media player 2.0.1 (Version: 2.0.1)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 140.0.212.017)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3 (Version: 20080414.031525)
WinZip (Version: 8.1 (4331))

**** End of log ****

#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 May 2012 - 09:19 PM

You're welcome. Java SE Runtime Environment (JRE) is at Version Number: 7.0 Update 4

I know on XP it may say you are up to date. But if you can install 7.4 you will be safer.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u4-windows-i586.exe (or jre-7u4-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered any unwanted software or toolbars during installation, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

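An added example, not from the thread and not Farbar's or Oracle's code, covering both the checks requested in post #7 and the version advice in the reply above: a Python parser for MiniToolBox's Result.txt that isolates the "Hosts content" and "Installed Programs" sections, flags hosts entries beyond the standard loopback mappings, and reports JRE entries older than a reference release, here JRE 7 Update 4 as named above. The section-header format is assumed from the posted report, and the sample log is constructed from lines of that report.

```python
"""Check a MiniToolBox Result.txt for outdated Java and non-standard hosts entries (added example).

Assumptions: section headers look like "==== Installed Programs ====" as in the
posted report, and JRE display names look like "Java(TM) 6 Update 31".
"""
import re

# Header lines such as "======== Installed Programs ========"
SECTION_RE = re.compile(r"^=+\s*(?P<title>[^=]+?)\s*=+$")
# Display names such as "Java(TM) 6 Update 31" or "Java 7 Update 4";
# "Java Auto Updater" deliberately does not match (no major number after "Java")
JAVA_RE = re.compile(r"^Java(?:\(TM\)|™)?\s+(?P<major>\d+)(?:\s+Update\s+(?P<update>\d+))?")

# Constructed sample, assembled from lines of the report posted in the thread
SAMPLE_LOG = """MiniToolBox by Farbar Version: 18-01-2012
Microsoft Windows XP Home Edition Service Pack 3 (X86)
***************************************************************************
========================= Hosts content: =================================

127.0.0.1 localhost

=========================== Installed Programs ============================

Adobe Reader X (10.1.3) (Version: 10.1.3)
ESET Smart Security (Version: 4.2.71.2)
Java Auto Updater (Version: 2.0.7.1)
Java(TM) 6 Update 31 (Version: 6.0.310)
Mozilla Firefox 10.0.4 (x86 en-US) (Version: 10.0.4)

**** End of log ****
"""


def parse_sections(log_text):
    """Map each '==== Title ====' header to the non-blank lines that follow it."""
    sections = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group("title").strip(": ")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def java_entries(programs):
    """(major, update, display name) for every JRE line in the program list."""
    found = []
    for name in programs:
        match = JAVA_RE.match(name)
        if match:
            found.append((int(match.group("major")), int(match.group("update") or 0), name))
    return found


def check_java(log_text, reference=(7, 4)):
    """Return (status, outdated display names); status is 'missing', 'outdated' or 'current'.

    reference is (major, update) of the release considered current; (7, 4) is
    the JRE 7 Update 4 named in the thread.
    """
    programs = parse_sections(log_text).get("Installed Programs", [])
    entries = java_entries(programs)
    if not entries:
        return "missing", []
    outdated = [e for e in entries if (e[0], e[1]) < reference]
    return ("outdated" if outdated else "current"), [e[2] for e in outdated]


def hosts_anomalies(log_text):
    """Hosts lines other than the standard loopback mappings; anything returned deserves a look."""
    anomalies = []
    for line in parse_sections(log_text).get("Hosts content", []):
        if line.startswith("#") or line.startswith("*"):
            continue  # comments and the "**** End of log ****" trailer
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1") \
                and all(host == "localhost" for host in parts[1:]):
            continue
        anomalies.append(line)
    return anomalies


if __name__ == "__main__":
    print(check_java(SAMPLE_LOG))      # ('outdated', ['Java(TM) 6 Update 31 (Version: 6.0.310)'])
    print(hosts_anomalies(SAMPLE_LOG))  # []
```

The reference tuple is a parameter rather than a constant because "current" moves with each Java release; pass the release you consider current when you run it against a newer report.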

#10 Nawtheasta

  • Topic Starter

  • Members
  • 403 posts
  • Location:New England, USA

Posted 15 May 2012 - 07:01 PM

Hi Boopme
Thanks again for your help. I finally did the Java update as you advised. Hopefully my son's computer is as protected as it can be for now. (Until the next hole is found in Java.)
His computer seems fine now except that the sound breaks up during the MS jingle at start up and when he plays music. I don't think that's malware related. Maybe a post for a different forum.
All the Best
Nawtheasta



