Java compromised? Keylogger?



ook222
2007-07-08, 05:25
I'm running XP SP2. Noticed a window would appear intermittently in my taskbar then disappear before I could read what it was. Got worried it might be malware of some kind. Ran ad-aware but it continued. Then found this forum and followed your directions as well.

Thanks!

Here are the results.

------ e-Trust antivirus scan results start ------

ar3.jar-29592d84-70658dcd.zip>Gummy.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
ar3.jar-29592d84-70658dcd.zip>Counter.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
ar3.jar-29592d84-70658dcd.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
ar3.jar-29592d84-70658dcd.zip>Beyond.class Java/Shinwow.N infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip Java/Shinwow.Q!ZIP infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip>GetAccess.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip>InsecureClassLoader.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip>Dummy.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip>Installer.class Java/Shinwow.Q infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-1eb3df3b-7ec66bff.zip Java/Shinwow.AT!ZIP infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-1eb3df3b-7ec66bff.zip>BlackBox.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-1eb3df3b-7ec66bff.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-1eb3df3b-7ec66bff.zip>Dummy.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-1eb3df3b-7ec66bff.zip>Beyond.class Java/Shinwow.AT infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-fc99d0-4acfc31b.zip Java/Shinwow.AT!ZIP infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-fc99d0-4acfc31b.zip>BlackBox.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-fc99d0-4acfc31b.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-fc99d0-4acfc31b.zip>Dummy.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-fc99d0-4acfc31b.zip>Beyond.class Java/Shinwow.AT infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\

------ e-Trust antivirus scan results end ------


------ HJT log start ------

Logfile of HijackThis v1.99.1
Scan saved at 9:03:24 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163882810840
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163882845715
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

------ HJT log end ------

pskelley
2007-07-08, 16:39
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Those items look to be in the Recycle Bin >>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_waste_empty_bskt.mspx?mfr=true

From the looks of those you recently had an infected Java cache, carefully follow these directions to clean the Java cache:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and post a new HJT log (in normal mode, NOT safe mode) and let me know about any malware issues.

Thanks
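As an added example (not from the thread and not either poster's own code), here is a small Python triage script for e-Trust report lines in the format shown above. It does the check pskelley made by eye: hits whose path is under C:\RECYCLER\ belong to an already-deleted directory tree (they disappear with Empty Recycle Bin), while hits in the live Sun Java deployment cache are the ones the Java cache cleanup is meant for. The first three sample lines are taken from the report above; the fourth is constructed, placed under a hypothetical profile "user" in the normal XP cache location, so both outcomes appear.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: three lines in the e-Trust format from the thread, plus one
# constructed line (hypothetical profile "user") sitting in the live XP Java cache.
SAMPLE_SCAN = r"""
ar3.jar-29592d84-70658dcd.zip>VerifierBug.class Java/ByteVerify!exploit infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip Java/Shinwow.Q!ZIP infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
classload.jar-da4ff31-54ea248b.zip>Installer.class Java/Shinwow.Q infected C:\RECYCLER\S-1-5-21-790525478-1580818891-725345543-1003\Dc3\Deployment\cache\javapi\v1.0\jar\
count.jar-fc99d0-4acfc31b.zip>Beyond.class Java/Shinwow.AT infected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
"""

# One e-Trust line: "<archive>[><member>] <detection> infected <directory>"
LINE_RE = re.compile(
    r"^(?P<archive>[^>\s]+)(?:>(?P<member>\S+))?\s+(?P<detection>\S+)\s+infected\s+(?P<directory>.+?)\s*$"
)
# XP per-user Recycle Bin: C:\RECYCLER\<SID>\D<drive><n>\... (the D<drive><n> name is
# what the Recycle Bin gives a deleted folder, here the whole Deployment tree).
RECYCLER_RE = re.compile(r"^[A-Za-z]:\\RECYCLER\\S-1-5-[\d-]+\\", re.IGNORECASE)
# Sun JRE applet cache directory as it appears on XP
JAVA_CACHE_RE = re.compile(r"\\Deployment\\cache\\javapi\\", re.IGNORECASE)


@dataclass
class Finding:
    archive: str
    member: Optional[str]
    detection: str
    directory: str

    @property
    def location(self) -> str:
        # Recycle Bin takes priority: a recycled Java cache is not a live cache.
        if RECYCLER_RE.match(self.directory):
            return "recycle-bin"
        if JAVA_CACHE_RE.search(self.directory):
            return "java-cache"
        return "other"

    @property
    def family(self) -> str:
        # "Java/Shinwow.Q!ZIP" -> "Java/Shinwow", "Java/ByteVerify!exploit" -> "Java/ByteVerify"
        return re.split(r"[.!]", self.detection, maxsplit=1)[0]


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; return None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Finding(m["archive"], m["member"], m["detection"], m["directory"])


def parse_report(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        f = parse_line(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Tuple[Counter, Counter]:
    """Counts by location (recycle-bin / java-cache / other) and by detection family."""
    return Counter(f.location for f in findings), Counter(f.family for f in findings)


def still_live(findings: List[Finding]) -> List[Finding]:
    """Hits that are not already in the Recycle Bin, i.e. the ones that still need cleanup."""
    return [f for f in findings if f.location != "recycle-bin"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_SCAN)
    by_location, by_family = summarize(found)
    print("hits by location:", dict(by_location))
    print("hits by family:  ", dict(by_family))
    for f in still_live(found):
        print("still in live cache:", f.archive, f.member or "", f.detection)
```

The split between "recycle-bin" and "java-cache" is the whole point: the thread's report shows every hit under the recycled tree, which is why the reply treats it as a cache that had already been removed rather than an active infection.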

ook222
2007-07-08, 23:10
I did read and act on all the information in the "Read this first" thread. I did, as you noticed, fail to reboot my machine out of safe mode before creating my previously posted HijackThis log. :(

I followed your directions and cleared out my Java Cache. Previous to that I had completely uninstalled Java because it seemed to be the source of many of my problems.

I ran the clean manager as you suggested as well.

I haven't noticed any bad behavior since I did all the housecleaning. No sign of the mystery window popping up in the taskbar every so often.

Thanks so much for your help.

- ook


-----hijackthis log start-----

Logfile of HijackThis v1.99.1
Scan saved at 3:02:12 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163882810840
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163882845715
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


-----hijackthis log end-----

pskelley
2007-07-08, 23:38
Thanks for returning your information and your feedback. I actually think you had cleaned the bad stuff before you posted here. There is nothing wrong with Java: http://java.sun.com/java2/whatis/1996/
but like all software, hackers will exploit it to their benefit if they can, see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2

It looks like you picked up an infection but that is not hard to do, especially if you don't keep Java and all other programs updated.
Have a look: http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

Your HijackThis log looks clean but I suggest you run that e-Trust antivirus scan again to make sure it shows nothing. Since your problem seems to have been resolved, I suggest you clean your System Restore files:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

ook222
2007-07-09, 00:58
I ran the virus check again and nothing is showing up, but unfortunately my mystery popup taskbar window is still hanging around. Do you have any idea what it might be or how I can get rid of it...

Thanks for all the great info btw, some very handy / informative links.

- ook

pskelley
2007-07-09, 01:21
Not without more information. It could be anything; try to see if you can provide more information about the window. Let's have a look at your uninstall list in case it provides a clue.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

This may even be something valid that Windows is doing; I am not sure where to start.

Thanks

ook222
2007-07-09, 05:28
Yeah, it's really frustrating not knowing what it is. It only pops up about once in 20 mins for a split second, seemingly at random. It seems to momentarily switch the focus of the app I am running. (Very annoying when you are watching a movie, since it will break full screen.)

Anyway I will continue to look for clues... Below is the uninstall list you asked for minus the Microsoft stuff.

ACDSee Pro
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 8
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
BitTorrent 5.0.7
Bookworm Adventures Deluxe 1.0
Creative Audio Console
Director 8.5 Shockwave Studio
Disney's Princess Fashion Boutique
DivX Codec
EPSON TWAIN 5
HijackThis 1.99.1
HP Image Zone 4.0
HP Software Update
KhalSetup
K-Lite Codec Pack 3.01 Standard
Logitech Harmony Remote Software 7
Logitech SetPoint
Macromedia Director MX 2004
Macromedia Dreamweaver 8
Macromedia Extension Manager
MagicDisc 2.5.74
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.3)
Mozilla Firefox (2.0.0.4)
Mozilla Thunderbird (1.5.0.12)
NVIDIA Drivers
OpenAL
overland
Photosmart 320,370,7400,8100,8400 Series
Picasa 2
Princess Magical Dress-Up
QuickTime
Shutterfly Plugin
Spybot - Search & Destroy 1.4
StatKing
Tablet
Trillian
Ventrilo Client
VideoLAN VLC media player 0.8.6b
Winamp (remove only)
WinRAR archiver
World of Warcraft

ook222
2007-07-09, 05:51
I found this thread about a program called "overland" when I noticed it running in my task manager... The thread has someone mention something that pops up intermittently.

http://www.castlecops.com/t126842-Overland_software_unwhittingly_install_was_it_sending_data.html

You think this might be it?

- ook

pskelley
2007-07-09, 14:33
Good morning, I notice you said this:

very annoying when you are watching a movie since it will break full screen
You should be able to set that so there are no interruptions while you are viewing. Not sure which software you use, but have a look in options. Once I go full screen to watch a video, etc., nothing interrupts me.

uninstall list
Mozilla Firefox (2.0.0.3)
Mozilla Firefox (2.0.0.4)
If you do have this installed twice, the old version is wasting space.

I don't see anything that looks like malware, but I do not know all of your programs.

Overland: I know nothing about this program; did you install it? I wonder why it would be running in Task Manager.
http://www.netsquirrel.com/msconfig/
It looks like a legitimate program but if you did not install it and don't know it, consider uninstalling it.
http://www.overlandstorage.com/
http://www.overlandstorage.com/about_overland_landing.html

Let's run a good scan if you have time. It will not remove anything for us, but should show anything hidden.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next, click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

tashi
2007-07-17, 02:05
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.