
Unable to clean computer of Exploit:Java/CVE-2012-0507.CG


11 replies to this topic

#1 infected_Lune

infected_Lune

  • Members
  • 5 posts

Posted 18 August 2012 - 09:26 AM

I have Windows 7. I did a full scan of my computer with Microsoft Security Essentials. It found a virus called Exploit:Java/CVE-2012-0507.CG. Because of the way my antivirus works I can't post exactly where it was, since it won't let me check (or at least I don't know how to), but I can say it was infecting AVG's PC Tuneup. By the time the scan had completed it was the next day. I hit Clean and it started to remove the virus. When it was about 75% of the way to completing the removal of the virus it stopped. It was still running but the bar just stopped. After 10 or 20 minutes it came up with an error. I can't remember the exact error but it was along the lines of: error in deleting, moving to quarantine, can't quarantine because the file is too big to quarantine.

What I've done so far:
Disabled Java in Firefox
Downloaded the updated version of Java
Removed the old version of Java
Did a quick scan in safe mode with MSE: found nothing
Did a custom scan in safe mode with MSE: scanned the AVG folders in Program Files and the Java folder in Program Files: found nothing
In the process of doing a full scan in safe mode with MSE: nothing found as of yet, but it's not even a quarter finished yet

(On a side note, I only used PC Tuneup to remove junk files, not registry files. I removed PC Tuneup a while ago but had to do a system restore because my Flash Player wasn't working and nothing was fixing it, and PC Tuneup came back, but I can't uninstall it now because the uninstall file is missing. I would remove it manually but I don't want to lose my restore of the junk files, just in case.)

In addition, when I removed the junk files a different Java-related virus was removed from my computer according to MSE. I forget its name but it had Blacole in it or something similar.

I appreciate all the help I can get.

I am posting from a different computer while my laptop that is infected does the full scan in safe mode.

EDIT: found the error by looking in the history of MSE: Security Essentials encountered the following error: Error code 0x800700df. The file size exceeds the limit allowed and cannot be saved.

Edited by infected_Lune, 18 August 2012 - 09:37 AM.




#2 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,125 posts
  • Gender:Male
  • Location:Portugal

Posted 18 August 2012 - 12:57 PM

Hi Lune,

You should clear the Java cache because it's the place where the Exploit:Java files are created.

I also recommend doing a scan using ESET Online Scanner.

Make sure that the option Remove found threats is ticked and the Scan Archives option is also ticked.
Click on Advanced Settings and check that the following options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
Click Scan and then wait for the scan to finish (it will take a long time).

When the scan ends, press the button LIST OF THREATS FOUND, click Export to Text File, open the text file and copy & paste the contents into your reply.
Press the BACK button.
Press Finish.

• Please do not PM me asking for support. Post on the forums instead; it increases the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 quietman7

quietman7

Bleepin' Janitor
  • Global Moderator
  • 51,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 August 2012 - 08:06 AM

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files in its cache folder for quick execution later and better performance. Both legitimate and malicious applets, including malicious Java class files, are stored in the Java cache directory, and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in the JRE. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file, but this does not mean that it used the malicious functionality. As a precaution, I agree with Rui Paz and recommend clearing the entire cache manually to ensure everything is cleaned out.
If you want to perform a more thorough browser clean up, please refer to:
ESET Online Scanner also detects and removes such threats. However, if you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. ESET's detection rate is high and can include legitimate files which it considers suspicious, a risk tool, a potentially unwanted program or a possible threat.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
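Added example, not from the thread or from any poster: a PowerShell script that inventories the Java deployment cache quietman7 describes (hash, size and timestamp of every cached file written to a CSV, so a detected class or jar file is on record before it is deleted) and, with -Clear, empties the cache the same way the Java Control Panel's Delete Files button does. The cache location under AppData\LocalLow\Sun\Java\Deployment\cache, the report path and the -Clear switch are assumptions for Windows 7 with Java 6/7; run it from a PowerShell prompt as the affected user.

```powershell
# Added example (not from the thread): inventory the Java deployment cache before
# clearing it, so detected class/jar files can be hashed and recorded for triage.
# Assumption: the Java 6/7 cache on Windows 7 lives under
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache (check Java Control Panel >
# Temporary Internet Files > Settings if your install differs).
param(
    [string]$CachePath = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'),
    [string]$Report    = (Join-Path $env:USERPROFILE 'Desktop\java-cache-inventory.csv'),
    [switch]$Clear
)

if (-not (Test-Path -LiteralPath $CachePath)) {
    Write-Host "No Java cache found at $CachePath"
    return
}

# Windows 7 ships PowerShell 2.0, which has no Get-FileHash, so compute SHA-256 directly.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([string]$Path) {
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

# One record per cached file (the .idx index entries and the cached jars/classes themselves).
$inventory = Get-ChildItem -LiteralPath $CachePath -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Path          = $_.FullName
            Bytes         = $_.Length
            LastWriteTime = $_.LastWriteTime
            SHA256        = Get-Sha256Hex $_.FullName
        }
    }

$inventory | Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Bytes, SHA256, Path |
    Export-Csv -NoTypeInformation -Path $Report
Write-Host ("Recorded {0} cached file(s) to {1}" -f @($inventory).Count, $Report)

if ($Clear) {
    # Same effect as Java Control Panel > Temporary Internet Files > Delete Files:
    # the cached applets are removed so a stale malicious class cannot be re-run or re-detected.
    Get-ChildItem -LiteralPath $CachePath -Force |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    Write-Host "Cleared $CachePath (the JRE recreates it the next time an applet loads)."
}
```

Run it once without -Clear to keep the CSV as evidence of what the anti-virus flagged (the newest entries are the applets loaded most recently), then again with -Clear; the browser's Java plug-in should be closed first so no file is held open.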

#4 infected_Lune

infected_Lune
  • Topic Starter
  • Members
  • 5 posts

Posted 20 August 2012 - 06:20 PM

Ok, the full virus scan I was running when I posted this found the virus (but could not remove it).

I did a system restore because at the time there were no replies yet. The system restore selections only went back to the 15th of this month.

I did the scan again and it was still there.

I disabled Java in Firefox and redid everything I had originally done minus the scans.

When going on Firefox, MSE would tell me it was cleaning a threat.

Upon checking the history in MSE, it was the same virus.

I disabled Java 7 in Firefox and it stopped.

I cleared the Java cache, but there was a difference in my options for temporary files from the screenshot in the instructions: there was "cached applications and programs", but there was also "installed applications and programs" as an option to delete. To be safe I checked installed as well, because only one was listed in the instructions given.

Cleared IE's and Firefox's cache and the computer's internet cache.

Downloaded ESET Online Scanner and am currently doing a scan; however, because of what quietman7 said about false positives I unchecked Remove found threats. It is over 50% finished but it's only been 40 minutes. Rui Paz said it would take a long time, so I am worried it is being stopped from scanning the whole computer.

Edit: sorry, it's been 40 minutes, not 15.

Edited by infected_Lune, 20 August 2012 - 06:23 PM.


#5 quietman7

quietman7

Bleepin' Janitor
  • Global Moderator
  • 51,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 August 2012 - 08:48 PM

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk size and used capacity (number of files that have to be scanned).
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Whether it stalls, hangs or freezes.
  • Interference from malware.
  • Interference from the user (whether or not you use the computer during the scan).
-- Using two security scanning engines at the same time can cause each to interfere with the other, causing system hangs, false detections, unreliable results and other unpredictable behavior.
-- If the screensaver, hibernation or Sleep Mode are not turned off before scanning, those features can sometimes have odd effects when attempting to resume normal mode.


Further, it is not unusual for an anti-virus or anti-malware scanner to be suspicious of compressed, archived, .cab, .rar, .jar, .iso, and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files or just ignore (skip) them. Certain files in the System Volume Information folder, like Tracking.log (created by the Distributed Link Tracking Service to store maintenance information), have also been reported as a source causing some scanners to hang.

#6 infected_Lune

infected_Lune
  • Topic Starter
  • Members
  • 5 posts

Posted 20 August 2012 - 10:47 PM

It stayed at 99% for like 3 and a half hours but still scanned files, so it worked out. Here's the log:

C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe Win32/Toolbar.Zugo application
C:\Users\Stevie\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120706152344378.rsc_tmp multiple threats


None of these programs I really care about, and they don't seem to be hugely important. I don't use Veoh anymore and I had sworn I deleted it, but this summer I've had so many problems, so I probably system restored it back. PC Tuneup I deleted once I found out it was a registry cleaner (I did let it delete junk files though, but I didn't let it touch my registry), but a system restore brought it back with the inability to delete it because the uninstall file didn't come back.

Unfortunately I was not aware that I wouldn't be able to tell it to delete the threats after the scan. It's late now and I don't want my computer on all night, so I'm going to turn it off now and redo the scan in the morning with Remove found threats checked.

Good night, I will tell you how it went in the morning.

#7 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,125 posts
  • Gender:Male
  • Location:Portugal

Posted 21 August 2012 - 04:28 AM

It stayed at 99% for like 3 and a half hours but still scanned files, so it worked out. Here's the log:

C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe Win32/Toolbar.Zugo application
C:\Users\Stevie\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120706152344378.rsc_tmp multiple threats


None of these programs I really care about, and they don't seem to be hugely important. I don't use Veoh anymore and I had sworn I deleted it, but this summer I've had so many problems, so I probably system restored it back. PC Tuneup I deleted once I found out it was a registry cleaner (I did let it delete junk files though, but I didn't let it touch my registry), but a system restore brought it back with the inability to delete it because the uninstall file didn't come back.

Unfortunately I was not aware that I wouldn't be able to tell it to delete the threats after the scan. It's late now and I don't want my computer on all night, so I'm going to turn it off now and redo the scan in the morning with Remove found threats checked.

Good night, I will tell you how it went in the morning.


Hi,

Check Add/Remove Programs; if Veoh shows on the list, uninstall it. After that you could simply delete the files you listed above and all should be fine.



#8 quietman7

quietman7

Bleepin' Janitor
  • Global Moderator
  • 51,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 August 2012 - 08:18 AM

It stayed at 99% for like 3 and a half hours but still scanned files, so it worked out. Here's the log:

C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe Win32/Toolbar.Zugo application
C:\Users\Stevie\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120706152344378.rsc_tmp multiple threats


OpenCandy is an advertising application distributed by the OpenCandy Software Network which displays ads in other programs. The use of advertisements is a way to promote software packages and recover development costs. OpenCandy is not installed on a computer, does not collect personally identifiable information and in most cases allows the user to choose whether or not to install advertised software recommended by the vendor. Although no personal information is collected, the software does collect anonymous statistics about events and other data during installation. See What information does OpenCandy collect?

This is what OpenCandy has to say about their product:

OpenCandy provides a plug-in that developers include in their software to earn money by showing recommendations for other software in their installers. Developers use this money to keep their software free and invest in further software development. The installer uses the OpenCandy plug-in to present a software recommendation...during installation. You have complete control to accept the software recommendation by selecting either the “Install” or “Do not install” options on the software recommendation screen.

What is OpenCandy?

Of course OpenCandy is in business to make money, so they are going to defend their product and portray it in a positive light.

The OpenCandy network has partnered with various popular and trusted software developers who bundle their product as part of the program's software installation package. A list of such developers can be found here. Some vendors will clearly advise of the use of OpenCandy before downloading their software, while others may provide confusing or no information at all. An example would be SIW (System Information for Windows), which clearly indicates on their website the use of OpenCandy.

OpenCandy is an advertising application.

OpenCandy is similar to Google AdSense, except it displays advertisements in installation programs instead of on websites. These advertisements promote other software packages. The advertisements are selected by the providers of the software being installed. When a user installing a piece of software (SIW) chooses to install the promoted package, revenue is generated and shared between OpenCandy and the software providers (the SIW developers).

SIW Home Edition is bundled with OpenCandy

OpenCandy is not a virus or malware. However, since it is responsible for displaying advertisements, it may be detected (and sometimes removed) by various anti-virus and other security scanning tools as Adware, a classification that broadly defines the term as any software package which automatically displays advertisements in any form in order to generate revenue. For example, the Microsoft Malware Protection Center (MMPC) detects the program as Adware:Win32/OpenCandy, a low-level threat, and so does McAfee.

In response to this detection, OpenCandy has provided the following information:
For another opinion, you may want to read: OpenCandy: A New Kind of Adware/Spyware.

IMO, removal of OpenCandy detections is an optional choice. I have provided the information so you can make an informed decision as to whether to remove it or not.
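Added example, not part of the thread: a PowerShell snippet that parses an exported ESET threat list of the form shown above (path followed by the detection name) and separates "application" detections such as Win32/OpenCandy, where removal is the user's choice as quietman7 explains, from everything else, which is treated as malware to remove. The line format, the regular expression, the function name ConvertFrom-EsetThreatList and the classification rule are assumptions; the sample lines are constructed from the three paths posted in this thread.

```powershell
# Added example (not from the thread): triage an ESET "list of threats found" text export
# by separating potentially unwanted applications from malware detections.
# Assumption: each line is "<path> <detection name>" as shown in the thread; the sample
# below is constructed from the paths posted by infected_Lune.
$sample = @'
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\qlps-qlipso-sntb.exe Win32/Toolbar.Zugo application
C:\Users\Stevie\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\120706152344378.rsc_tmp multiple threats
'@

# The file name (last path segment) contains no spaces, so everything after it is the detection name.
$linePattern = '^(?<path>[A-Za-z]:\\.*\\[^\\ ]+)\s+(?<detection>.+)$'

function ConvertFrom-EsetThreatList([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }
        $detection = $matches['detection']
        # ESET labels adware, toolbars and bundlers as "application" (PUA);
        # anything else ("multiple threats", trojans, exploits) is treated as malware.
        if ($detection -match '\bapplication\b') {
            $class = 'PUA - optional removal'
        } else {
            $class = 'Malware - remove'
        }
        New-Object PSObject -Property @{
            Path      = $matches['path']
            Detection = $detection
            Class     = $class
        }
    }
}

$results = ConvertFrom-EsetThreatList ($sample -split "`r?`n")
$results | Sort-Object Class | Format-Table Class, Detection, Path -AutoSize

# To triage a real export instead of the constructed sample (path is an assumption):
#   ConvertFrom-EsetThreatList (Get-Content "$env:USERPROFILE\Desktop\eset-threats.txt")
```

On the constructed sample the two Veoh entries come out as PUA and the AVG Rescue temp file as malware, which matches the advice in this thread: the first two are a judgement call, the third should go.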

#9 infected_Lune

infected_Lune
  • Topic Starter
  • Members
  • 5 posts

Posted 24 August 2012 - 10:16 AM

I deleted all infected files, ran another scan with both MSE and ESET and found nothing. It appears my computer has been cleaned.

Thank you to both of you, and sorry for the late reply.

#10 quietman7

quietman7

Bleepin' Janitor
  • Global Moderator
  • 51,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 August 2012 - 02:11 PM

You're welcome.

Now you should Create a New Restore Point (alternate method) to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the newly created Restore Point.
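Added example, not from quietman7's instructions: the same steps done from an elevated (Run as administrator) PowerShell prompt on Windows 7, using the built-in Checkpoint-Computer and Get-ComputerRestorePoint cmdlets to create the clean restore point, verify that it now exists, and log its sequence number as the post recommends. Removing the older points is still done with Disk Cleanup as described above; the vssadmin line at the end, which drops only the oldest shadow copy, is left commented out as an alternative to run deliberately. The description text and the log file path are assumptions.

```powershell
# Added example (not from the thread): create a fresh restore point after cleaning,
# confirm it exists, and list what remains so older (possibly infected) points can be
# pruned. Run from an elevated PowerShell prompt on Windows 7.
$description = 'Clean after malware removal ' + (Get-Date -Format 'yyyy-MM-dd HH:mm')

# Checkpoint-Computer is the cmdlet behind the "Create a Restore Point" button.
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

# Verify: the highest sequence number should carry our description.
$points = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending
$newest = $points | Select-Object -First 1
if ($newest -eq $null -or $newest.Description -ne $description) {
    throw "Restore point was not created (newest is '$($newest.Description)')."
}
Write-Host ("Created restore point #{0}: {1}" -f $newest.SequenceNumber, $newest.Description)

# Keep a log of the clean point's number so it is easy to find later (path is an assumption).
$logFile = Join-Path $env:USERPROFILE 'Desktop\restore-points.log'
"$($newest.SequenceNumber)`t$description" | Out-File -Append -FilePath $logFile

# Older points still hold whatever was backed up before cleaning. CreationTime comes back as a
# WMI (DMTF) date string, so convert it for display.
Write-Host 'Remaining restore points (oldest first):'
$points | Sort-Object SequenceNumber | Format-Table SequenceNumber,
    @{ n = 'Created'; e = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } },
    Description -AutoSize

# Windows has no per-point delete. Disk Cleanup > More Options removes all but the most
# recent point; alternatively, repeat the following until only the new point is left:
#   vssadmin delete shadows /for=C: /oldest
```

After running it, the log file on the Desktop holds the sequence number and timestamp of the clean point, which is the entry to pick if System Restore is ever needed again.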

#11 infected_Lune

infected_Lune
  • Topic Starter
  • Members
  • 5 posts

Posted 30 August 2012 - 10:36 AM

Hi again. The method of creating a system restore point you gave me isn't working. After I click System Restore to get into the System Restore window, there is no option to create a restore point.

#12 quietman7

quietman7

Bleepin' Janitor
  • Global Moderator
  • 51,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 30 August 2012 - 02:02 PM

In the first link, the second screenshot shows the System Properties window with the word Create... outlined in red under Configure...


Are you saying the Create button is not there?



