Java:Exploit found

Hi,

I use and enjoy Avast, so I thought I should ask here.

A few hours ago on my dad’s computer his antivirus found a Java:Exploit CVE 2010-0840.CE ranked severe on his computer and quarantined it.
(It was not running a scan, just popped up and said it had found this thing and to quarantine it.)
I looked up the information on the Microsoft website here
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJava%2FCVE-2010-0840.CE&ThreatID=-2147322709
And looked around at other versions of this Java exploit and found that its
“successful exploitation leads to remote code execution.”

First of all, I quarantined it and am now running MBAM full scan.
I also checked and he did have an old version of Java (ver 7) installed along with update 24 so I uninstalled the version 7.

Now what does ‘remote code execution’ mean? Could someone explain this?
Also, is there anything else I need to check on his computer?
Microsoft Security Essentials had found it just as I was disconnecting from the internet and had opened up CCleaner.

I really need to know if this kind of thing could have stolen information from online,
because we had just put in confidential information into a government website before it was detected.
And apparently this version of the exploit (.CE) was just released yesterday, so I don’t know when it got on his computer,
but his MSE was updated at 6:30 am and 2:30 pm today and it wasn’t detected until 4:25 pm.

Do I need to check for any other old versions of Java?
Or for any temp files, or his firewall settings?
If it is quarantined, do I still have to delete it from his computer somehow?

Oh, and he’s running Windows Vista. He had to reinstall from the partition drive about a month ago because of a
rogue anti-virus, but I don’t think that is connected, but just in case…

Thank you for your help

Now what does 'remote code execution' mean? Could someone explain this.
Arbitrary code execution http://en.wikipedia.org/wiki/Arbitrary_code_execution
First of all, I quarantined it and am now running MBAM full scan.
Just remember to update so you have the latest database before you scan....

Run Secunia online scan to check for programs you need to update
http://secunia.com/vulnerability_scanning/online/

Just run the latest GMER version to be downloaded from here: http://www.gmer.net/
Give the attached rootkit/stealth malware detector log txt file with your next posting.

polonus

Okay, thank you so far guys.

I did update all his antimalware and antivirus programs before running the scans, and still nothing.
I was not able to get onto Secunia because: a) when he opens Internet Explorer, the User Account Control keeps asking to let Java update 24 have permission to run, and he says it has never done that before, so I thought that may be a symptom and told him to disconnect (his Firefox doesn’t do this but…); b) he got frustrated and completely uninstalled Java from his computer.

Here is the GMER log of his C:\

With the older versions of Java, i.e. update 7 in your case, Programs and Features in Vista will not remove it all.

Please download JavaRa to your desktop and unzip it to its own folder.

* Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
* Accept any prompts.

Secunia does run from Java, so to use it you will need to allow it access.
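As an added example (not part of the thread and not something EssexBoy or the JavaRa project supplied), the following PowerShell script shows one way to check what an incomplete Java uninstall has left behind: it lists every Java runtime still registered under the Windows uninstall keys, the version the JavaSoft registry node treats as current, and any java.exe copies remaining under the Program Files directories. It assumes PowerShell 2.0 or later is available on the machine (Vista does not ship it by default) and it only reads; it removes nothing.

```powershell
# Added example: report Java runtimes still registered or still on disk.
# Assumes PowerShell 2.0+; read-only, makes no changes to the system.

function Get-InstalledJava {
    # Installer entries for 64-bit and 32-bit Java; the Wow6432Node key only exists on x64 Windows.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -or $_.DisplayName -like 'J2SE*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString
}

function Get-CurrentJreVersion {
    # The JavaSoft node records which runtime the launcher and browser plugin consider current.
    $jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    $props = Get-ItemProperty -Path $jreKey -ErrorAction SilentlyContinue
    if ($props) { $props.CurrentVersion } else { $null }
}

function Get-JavaBinaries {
    # Leftover java.exe files that a half-finished uninstall can leave on disk.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Filter 'java.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }
}

Write-Output '=== Java entries registered in Programs and Features ==='
$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) { Write-Output '(none registered)' } else { $installed | Format-Table -AutoSize }

Write-Output '=== Runtime marked current in HKLM\SOFTWARE\JavaSoft ==='
$current = Get-CurrentJreVersion
if ($current) { Write-Output $current } else { Write-Output '(no JavaSoft registry node present)' }

Write-Output '=== java.exe files still under Program Files ==='
$binaries = @(Get-JavaBinaries)
if ($binaries.Count -eq 0) { Write-Output '(none found)' } else { $binaries | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. Anything listed in the first section with a version older than the current update is a candidate for JavaRa's Remove Older Versions; a java.exe in the third section whose directory no longer matches any registered entry is the kind of leftover the thread is talking about.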

I don’t know if that even did anything, it just said that it made a log when it was done, but I didn’t find any logs anywhere on the computer from it.

The log will be on your root c drive.

What problems are being experienced at the moment ?

We’re not experiencing anything actually. We uninstalled Java completely, then reinstalled it. With this, the “User Account Control” permission pop-ups stopped showing up when we tried to open Internet Explorer.

What’s worrying me is, how do I figure out if something is hidden on his computer, like if some hacker has some remote link to it that can steal his information. Also, he insists since we deleted the virus that his computer is fine now and he is now online again grrrrrrrrrrrr. Are there any ways I can check for remote code or something? Or was it just in the old java that we deleted?

And I don’t know why the heck that JavaRa didn’t work on his computer correctly, but I looked in his C:\ and searched throughout the rest of his computer and there is no log.

If you wish I can take a peek

Download OTS to your Desktop and double-click on it to run it.

* Make sure you close all other programs and don’t use the PC while the scan runs.
* Select All Users.
* Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
* Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
* When the scan is complete Notepad will open with the report file loaded in it.
* Please attach the log in your next post.

Thank you very much for your help, time and consideration, EssexBoy.
Scan attached.

Just a bit of Norton and a couple of waifs and strays.

I would recommend that he update to IE9 even if he does not use it.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (Norton Internet Security) Norton Internet Security [Auto | Stopped] -> 
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-950256297-24792667-4271955715-1000\] > -> HKEY_USERS\S-1-5-21-950256297-24792667-4271955715-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  ulseu3e2.exe -> C:\Users\Charles\Desktop\ulseu3e2.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Here is the final log from OTS. Thank you for your help.

All Processes Killed
[Win32 Services - Safe List]
Service Norton Internet Security stopped successfully!
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-950256297-24792667-4271955715-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Users\Charles\Desktop\ulseu3e2.exe moved successfully.
[Empty Temp Folders]

User: All Users

User: Charles
->Temp folder emptied: 462688 bytes
->Temporary Internet Files folder emptied: 1260732 bytes
->Java cache emptied: 38043 bytes
->FireFox cache emptied: 44948063 bytes
->Flash cache emptied: 2876296 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 56366 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 47.00 mb

[EMPTYFLASH]

User: All Users

User: Charles
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 04062011_085725

Files\Folders moved on Reboot…

Registry entries deleted on Reboot…

How is it now ?

Everything’s doing great now, thanks for the help. ;D

OK, just run OTS and hit the cleanup button ;D