SUBSIM Radio Room Forums
Old 09-28-10, 01:43 PM   #1
Rhodes
Silent Hunter
 
Join Date: Aug 2005
Location: Figueira da Foz, Portugal
Posts: 4,516

java problem and more

Today, when opening a normal page here, I got a warning from my anti-virus that access would be denied because of a trojan virus, and the Java symbol popped up as if I had enabled the program.
Then, when going to Google and searching for a website, it took a long time to do it, and when I clicked on the first link it went straight to another completely different web page and my anti-virus went mad with all the trojans etc.

After running the AV, it detected some trojans in the Java program folder and other trojans in IE temp files, etc. After cleaning up, deleting all the temp files and running the AV a few times on selected folders, nothing.
After rebooting the PC, I went to Google to see if everything was fine. No, still the same thing.
Went looking for anything similar on the web, read about it on the Java site, cleaned the program cache, uninstalled and reinstalled after reboot, etc.
But my Google page is the same. Long times to do any search, and the first click on any link sends me to a virus paradise.
Anyone had a similar experience? Is the browser damaged in any way? I'm thinking of uninstalling IE8 and then reinstalling, or installing Mozilla.

Any other access to sites is fine. MSN also, so it's not a slow internet connection.

PS: My antivirus is NOD32; I've already run CCleaner and Spybot!
Old 09-28-10, 02:29 PM   #2
HunterICX
Rear Admiral
 
Join Date: May 2006
Location: Malaga, España
Posts: 10,750

What's the virus identified as?

HunterICX
Old 09-28-10, 02:34 PM   #3
Gerald
SUBSIM Newsman
 
Join Date: May 2008
Location: Close to sea
Posts: 24,254

Maybe a root-kit
__________________
Nothing in life is to be feared, it is only to be understood.

Marie Curie

Old 09-28-10, 03:04 PM   #4
DarkFish
Sea Lord
 
Join Date: Aug 2008
Location: Stinking drunk in Eindhoven, the Netherlands
Posts: 1,844

Try uninstalling Java, and then visit a Google link (without Java). Does it still send you to a virus site?

Quote:
Originally Posted by Rhodes View Post
I'm thinking of uninstalling IE8 and then reinstalling, or installing Mozilla.
I'd install Firefox anyway (less vulnerability to viruses etc. being one of its advantages).
Old 09-28-10, 03:18 PM   #5
Gerald
SUBSIM Newsman
 
Join Date: May 2008
Location: Close to sea
Posts: 24,254

Start in Safe Mode with Networking to solve the problem.
Old 09-28-10, 04:51 PM   #6
Rhodes
Silent Hunter
 
Join Date: Aug 2005
Location: Figueira da Foz, Portugal
Posts: 4,516

Quote:
Originally Posted by Vendor View Post
Start in Safe Mode with Networking to solve the problem.
It's an idea. The anti-virus identified this:
28-09-2010 18:56:53 HTTP filter file http://86.55.211.118/phxop001/l.php?i=2 a variant of Win32/Kryptik.GZK trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:43 HTTP filter file http://rezamaj.co.cc/CVMGCi8JNBdZDYV...zgPdJh?s=samba& a variant of Win32/Kryptik.EWF trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:34 HTTP filter file http://rezamaj.co.cc/client.zip Java/TrojanDownloader.Agent.NBU trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Application Data\Microsoft\Windows\shell.exe.
28-09-2010 18:07:07 HTTP filter file http://mneboras.com/mneboras9/files/bobbystellar.jar multiple threats connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.
28-09-2010 18:07:04 HTTP filter file http://mneboras.com/mneboras9/files/java.jar Java/Exploit.Agent.NAL trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.

Many of the viruses came when Google redirected me.

I did some searching and it's a root-kit, and many people have/had this problem. Downloaded the removal tool from Kaspersky but it didn't find anything. Then downloaded, installed and ran Emsisoft Anti-Malware, but it didn't find anything.
Possibly do it again in safe mode.
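Triage of the NOD32 "HTTP filter" records quoted in the post above, as an added example that is not part of the thread: each line is split into timestamp, remote host, detection family and the process that made the request, the records are ordered by time so the sequence (exploit .jar, then downloader, then Kryptik payload) becomes visible, and any requesting process that runs from Temp or Application Data is flagged, since a browser or the Java plugin never legitimately runs from there. The three sample lines are the ones from the post; the record layout assumed by the regex and the user-writable path markers are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Sample input: three NOD32 "HTTP filter" records as quoted in the post above
# (the trailing period after the .exe path is part of the record as logged).
SAMPLE_LOG = (
    r"28-09-2010 18:56:53 HTTP filter file http://86.55.211.118/phxop001/l.php?i=2 a variant of Win32/Kryptik.GZK trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.",
    r"28-09-2010 18:19:34 HTTP filter file http://rezamaj.co.cc/client.zip Java/TrojanDownloader.Agent.NBU trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Application Data\Microsoft\Windows\shell.exe.",
    r"28-09-2010 18:07:04 HTTP filter file http://mneboras.com/mneboras9/files/java.jar Java/Exploit.Agent.NAL trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.",
)

# Assumed record layout, derived from the lines above; the "a variant of" prefix
# and "trojan" suffix are stripped so only the detection family remains.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) HTTP filter file (?P<url>\S+) "
    r"(?:a variant of )?(?P<family>.+?)(?: trojan)? connection terminated - quarantined "
    r"\S+ Threat was detected upon access to web by the application: (?P<app>.+?)\.?$"
)

# Assumption: user-writable folders of an XP-era profile ("Definições locais" is the
# Portuguese "Local Settings"). Browsers and the Java plugin never run from here.
USER_WRITABLE = ("\\temp\\", "\\application data\\")


@dataclass
class Detection:
    when: datetime
    host: str
    family: str
    app: str

    @property
    def dropper_launched(self) -> bool:
        """True when the requesting process lives in a user-writable folder."""
        return any(marker in self.app.lower() for marker in USER_WRITABLE)


def parse_nod32_http_filter(lines):
    """Parse HTTP-filter records, oldest first (exploit .jar -> downloader -> payload)."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # records from other NOD32 modules do not match and are skipped
            found.append(Detection(datetime.strptime(m["ts"], "%d-%m-%Y %H:%M:%S"),
                                   m["url"].split("/")[2], m["family"], m["app"]))
    return sorted(found, key=lambda d: d.when)


def block_list(detections):
    """Distinct remote hosts in first-seen order, for a DNS or proxy deny list."""
    return list(dict.fromkeys(d.host for d in detections))
```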
Old 09-28-10, 04:59 PM   #7
Gerald
SUBSIM Newsman
 
Join Date: May 2008
Location: Close to sea
Posts: 24,254

Use this link,

Quote:
Originally Posted by Rhodes View Post
It's an idea. The anti-virus identified this:
28-09-2010 18:56:53 HTTP filter file http://86.55.211.118/phxop001/l.php?i=2 a variant of Win32/Kryptik.GZK trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:43 HTTP filter file http://rezamaj.co.cc/CVMGCi8JNBdZDYV...zgPdJh?s=samba& a variant of Win32/Kryptik.EWF trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Programas\Java\jre6\bin\javaw.exe.
28-09-2010 18:19:34 HTTP filter file http://rezamaj.co.cc/client.zip Java/TrojanDownloader.Agent.NBU trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Application Data\Microsoft\Windows\shell.exe.
28-09-2010 18:07:07 HTTP filter file http://mneboras.com/mneboras9/files/bobbystellar.jar multiple threats connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.
28-09-2010 18:07:04 HTTP filter file http://mneboras.com/mneboras9/files/java.jar Java/Exploit.Agent.NAL trojan connection terminated - quarantined RHODES\Administrador Threat was detected upon access to web by the application: C:\Documents and Settings\Administrador\Definições locais\Temp\0.9025880865312967.exe.

I did some searching and it's a root-kit. Downloaded the removal tool from Kaspersky but it didn't find anything. Then downloaded, installed and ran Emsisoft Anti-Malware, but it didn't find anything.
Possibly do it again in safe mode.
to clean and get rid of the problem.

http://www.f-secure.com/en_EMEA/secu...nline-scanner/
Old 09-28-10, 05:11 PM   #8
Rhodes
Silent Hunter
 
Join Date: Aug 2005
Location: Figueira da Foz, Portugal
Posts: 4,516

Already did it. In a Google support forum:
"Then downloaded the Kaspersky malware tool and finally got rid of it. What I found was a rootkit that was called TDL3, it's the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include: Google redirection. Slowness of the computer and poor performance."

Trying to get some removal tool that works. Also read that in one case the "bad guy" was in the router. Could this happen with a modem?
Old 09-28-10, 05:12 PM   #9
Gerald
SUBSIM Newsman
 
Join Date: May 2008
Location: Close to sea
Posts: 24,254

Rhodes! To avoid this in the future, add some add-ons for Firefox (if you use the browser): NoScript, Adblock Plus, WOT, etc.
Old 09-29-10, 10:05 AM   #10
SeaWolf U-57
Ace of the Deep
 
Join Date: May 2008
Posts: 1,231

Problem when logging in

Today when I logged into SubSim I was told I needed to install Java. OK, never had that before.
And then the next time I went to log in my NOD32 antivirus software went crazy and warned me that this site was trying to send Trojans to my computer.
What gives?
Old 09-29-10, 11:15 AM   #11
HunterICX
Rear Admiral
 
Join Date: May 2006
Location: Malaga, España
Posts: 10,750

My scanners have kept quiet and so did Java.
@Work: AVG
@Home: Avast

I think you ran into malware that exploits the vulnerability of Java and infests it.
They just hit you at random, mostly through banners, ads and scripted advertising.

Has NOD32 been able to identify the malware? And what web browser are you using?

EDIT: someone else on this forum caught the same problem when visiting a different website:
http://www.subsim.com/radioroom/showthread.php?t=175495

HunterICX
Old 09-29-10, 12:50 PM   #12
SeaWolf U-57
Ace of the Deep
 
Join Date: May 2008
Posts: 1,231

I found this in my quarantine folder of NOD32; it was never allowed to install:

29/09/2010 …. drerlre.co.cc/client.zip… java/TrojanDownloader.agent.NBU trojan
29/09/2010 … drerlre .co.cc/1.zip ….. A variant of java/Mugade

(I removed the http:// to stop them being active links)

I connected using my Firefox browser.

Edit ...... why did SubSim ask for Java to be installed in the first place???
Old 09-29-10, 01:17 PM   #13
Jimbuna
Chief of the Boat
 
Join Date: Feb 2006
Location: 250 metres below the surface
Posts: 190,525

Nothing to do with SS, but I upgraded a Java applet about a month ago and ended up having to reformat a machine.
__________________
Wise men speak because they have something to say; Fools because they have to say something.
Oh my God, not again!!
Old 09-29-10, 02:04 PM   #14
SeaWolf U-57
Ace of the Deep
 
Join Date: May 2008
Posts: 1,231

Quote:
Originally Posted by jimbuna View Post
Nothing to do with SS, but I upgraded a Java applet about a month ago and ended up having to reformat a machine.

Hhmmm, OK, but I just uninstalled Firefox and ran some Hitman software that found nothing but would not uninstall again.
So I restored my machine to before today's Java update, checked all was OK, then started up the IE 64-bit version, checked around the sites I use, no problems so far.
But I opened the SubSim forum and, you guessed it, these pages use a version of Java to view them. NFW am I doing that again; the pages load OK without it.
Old 09-30-10, 08:49 AM   #15
Gerald
SUBSIM Newsman
 
Join Date: May 2008
Location: Close to sea
Posts: 24,254

I suggest some simple steps to prevent things like this,

Quote:
Originally Posted by SeaWolf U-57 View Post
I found this in my quarantine folder of NOD32; it was never allowed to install:

29/09/2010 …. drerlre.co.cc/client.zip… java/TrojanDownloader.agent.NBU trojan
29/09/2010 … drerlre .co.cc/1.zip ….. A variant of java/Mugade

(I removed the http:// to stop them being active links)

I connected using my Firefox browser.

Edit ...... why did SubSim ask for Java to be installed in the first place???
Java controls a crucial factor in the OS, but if you add some add-ons and adjust the configuration of which sites you trust, then this is just a memory.