SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997
#1
Silent Hunter
Join Date: Aug 2005
Location: Figueira da Foz, Portugal
Posts: 4,516
Downloads: 110
Uploads: 0
It's an idea. The anti-virus identified this:

28-09-2010 18:56:53 HTTP filter file http://86.55.211.118/phxop001/l.php?i=2 a variant of Win32/Kryptik.GZK trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:43 HTTP filter file http://rezamaj.co.cc/CVMGCi8JNBdZDYV...zgPdJh?s=samba& a variant of Win32/Kryptik.EWF trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:34 HTTP filter file http://rezamaj.co.cc/client.zip Java/TrojanDownloader.Agent.NBU trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Application Data\Microsoft\Windows\shell.exe.
28-09-2010 18:07:07 HTTP filter file http://mneboras.com/mneboras9/files/bobbystellar.jar multiple threats connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.
28-09-2010 18:07:04 HTTP filter file http://mneboras.com/mneboras9/files/java.jar Java/Exploit.Agent.NAL trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.

Many of the viruses appeared when Google redirected me. I did some searching and it's a rootkit, and many people have/had this problem. I downloaded the removal tool from Kaspersky but it didn't find anything. Then I downloaded, installed and ran Emsisoft Anti-Malware, but it didn't find anything either. I may do it again in safe mode.
#2
SUBSIM Newsman
Use this link,
http://www.f-secure.com/en_EMEA/secu...nline-scanner/
__________________
Nothing in life is to be feared, it is only to be understood. Marie Curie
#3
Silent Hunter
Already did it. In a Google support forum:

"then downloaded Kaspersky malware tool and finally got rid of it. What I found was a rootkit that was called TDL3; it's the third generation of TDSS, which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include: Google redirection; slowness of the computer and poor performance."

Trying to get some removal tool that works. Also read that in one case, the "bad guy" was in the router. Could this happen with a modem?
#4
SUBSIM Newsman
Rhodes! To avoid this in the future, add some add-ons for Firefox (if you use that browser): NoScript, Adblock Plus, WOT, etc.
#5
Silent Hunter
Possibly, but I will try to fix this and use IE8. I am not certain that it will not happen in Firefox!
#6
SUBSIM Newsman
As long as you have a connection to the Internet you can pick up anything, at worst; therefore I propose real-time protection, updated at least once per hour, which is necessary, and if it has web scanning (removing viruses from web traffic), that is a plus. Here are links about the "bad thing":
http://www.bleepingcomputer.com/viru...ing-tdsskiller
http://www.f-secure.com/weblog/archives/00001976.html
#7
Silent Hunter
Yes, I'm on those sites reading, but the removal tool didn't find it. I will run it in safe mode to see if that changes something. But I am beginning to lose faith....

PS: Gentlemen, the bugger is terminated, killed, destroyed, obliterated!!!!!!! I tried what many people said had done the job, Hitman 3.5, and it did. 3 things: the bugger made my IE access the net through a proxy server (possibly one specific to it), and the program also deleted one shell.exe file and an svchost.exe file. After rebooting, I went to Google and had a normal and fast search, clicked on many sites, and it went there; no more virus paradise! http://hitman-pro.en.softonic.com/ here's the link

Last edited by Rhodes; 09-28-10 at 06:07 PM. Reason: Forgot the smiley
#8
SUBSIM Newsman
It can also be removed manually, using the search in the Start menu:
http://www.f-secure.com/en_EMEA/prod...es/blacklight/
http://www.tizersecure.com/about_TDL...ect_remove.php
http://forum.sysinternals.com/rootki...266_page1.html
http://hitmanpro.wordpress.com/2010/...l3-infections/
http://www.prevx.com/blog/155/x-TDL-...follow-up.html
#9
Silent Hunter
Forgot to thank everyone here for the help and support.
#10
SUBSIM Newsman
Good news!