Virus or not?

I noticed tonight while running Ad-Aware that two warnings popped up on me.

"7/27/2004 12:41:02 AM NT AUTHORITY\SYSTEM 1668 Sign of “JS:ClassLoader-7” has been found in “C:\PROGRA~1\Lavasoft\AD-AWA~1\Cache\GetAccess.class” file.

7/27/2004 12:41:02 AM NT AUTHORITY\SYSTEM 1668 Sign of “JS:Exploit-Bytverify-11” has been found in “C:\PROGRA~1\Lavasoft\AD-AWA~1\Cache\InsecureClassLoader.class” file."

But when I’d do a virus scan it would find nothing. It only says they are there when I’m running Ad-Aware. Plus I can’t seem to find the cache folder in Ad-Aware’s directory at all, even if I tell it to show hidden files and folders.
So what’s going on, do I have a virus or not?

Update:

I seem to have found the folder they were in: Sun Java. If those were 100% true viruses then how did they get past avast! in the first place?

http://www.sarc.com/avcenter/venc/data/trojan.byteverify.html

http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
These links might help ???
For now I’d put them in the virus chest

The Maxx
Is your operating system up-to-date?

Yes, as a matter of fact it has the latest WinXP SP2 on it. Plus a router and the WinXP firewall turned on.

Those look like something that would have come through a web page. What browser do you use?

Your OS may be up to date, but there have been updates to the Sun Java Virtual Machine and MS JVM to combat a potential JAVA exploit.

If you haven’t already updated JVM (assuming you are using it), do it soon.

I use 3 browsers: IE with SP2, Firefox 0.9.2 and Opera 7.53. They could’ve been grabbed while messing with IE… but shouldn’t avast! have caught them before they got placed on my PC no matter which browser I was using at the time?

Also I don’t have MS JVM. I did have the latest Sun JVM though; since I don’t use it much I just uninstalled it. If I need it again, how do I make sure it’s 100% updated so this doesn’t happen again?

Since those are scripts, I think that script blocker would be needed (I could be completely wrong), and I am not sure if script blocker works with things other than IE. Please correct me if I am wrong.

Both suspected virus-infected files are in the Lavasoft folder (Ad-Aware).
I know that Ad-Aware doesn’t contain any harmful code.
Please answer the following questions:

  1. what version of avast?
  2. what vps version?
  3. what version of ad-aware?
  4. do online scanners also detect it as infected?

I think they were listed in Ad-Aware because it scanned the Sun folder and found them as spyware first. But after scanning all directories, avast! found them in the Sun folder.

After deleting them and uninstalling Sun Java, avast! couldn’t find any other viruses. I also ran a few online scanners such as McAfee and nothing else was found.

Hi,

imho those files got onto your PC as archives and via an unsafely configured IE/browser.

  • Read “VirusRemoval” below on how to secure your system & browser(s) better, e.g. turn off ActiveX/scripting except for known, secure sites…

  • avast resident shield doesn’t scan archives in its default configuration (which is normally not necessary and would be a resource hog except on fast PCs)
    → ad-aware probably unpacked those archives for analysis, and that is where avast stepped in
    → in a full scan with archive scanning enabled, avast should catch the initial archives (as I gather it did?); if not, send them to alwil, please

:wink:
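As an added example (not from the thread or from any of the tools named in it), a small Python parser for the avast warning lines quoted in the first post. It separates hits in another scanner's cache, which the explanation above attributes to Ad-Aware unpacking archives for analysis, from hits in the Java plug-in cache. The third sample line and its Sun Java cache path are constructed assumptions, not something the thread shows.

```python
import re
from datetime import datetime

# Constructed sample: the two lines quoted in the first post plus one hypothetical
# line for a file in the Java plug-in cache (that path is an assumption, not from the thread).
SAMPLE_LOG = """\
7/27/2004 12:41:02 AM NT AUTHORITY\\SYSTEM 1668 Sign of “JS:ClassLoader-7” has been found in “C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Cache\\GetAccess.class” file.
7/27/2004 12:41:02 AM NT AUTHORITY\\SYSTEM 1668 Sign of “JS:Exploit-Bytverify-11” has been found in “C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Cache\\InsecureClassLoader.class” file.
7/27/2004 12:41:02 AM NT AUTHORITY\\SYSTEM 1668 Sign of “JS:Exploit-Bytverify-11” has been found in “C:\\Documents and Settings\\user\\Application Data\\Sun\\Java\\Deployment\\cache\\example.jar” file.
"""

# <date> <time> <AM|PM> <account> <pid> Sign of “<sig>” has been found in “<path>” file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>.+?) (?P<pid>\d+) Sign of [“"](?P<sig>.+?)[”"] '
    r'has been found in [“"](?P<path>.+?)[”"] file\.$'
)

def classify_path(path: str) -> str:
    """Where the flagged file most likely came from, judged by its location."""
    p = path.lower()
    # A copy another scanner unpacked for analysis (Ad-Aware's cache in the thread):
    # the hit is real, but the file to chase is the archive it was extracted from.
    if "lavasoft" in p and "\\cache\\" in p:
        return "scanner_cache"
    # The Java plug-in's download cache, the usual landing place for applets a web page pulled in.
    if "\\sun\\java\\" in p:
        return "java_cache"
    return "other"

def parse_log(text: str) -> list:
    """Return one dict per 'Sign of ... has been found' line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "when": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "account": m["account"], "pid": int(m["pid"]),
            "signature": m["sig"], "path": m["path"],
            "origin": classify_path(m["path"]),
        })
    return hits

if __name__ == "__main__":
    for h in parse_log(SAMPLE_LOG):
        print(f'{h["when"]:%Y-%m-%d %H:%M} {h["signature"]:28} {h["origin"]:14} {h["path"]}')
```

A hit classified as scanner_cache is worth checking against a full scan with archive scanning enabled, since the original archive, not the unpacked copy, is what needs to be located.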

Could it have been you ran ad-aware, fixed the problems it found, and then ran Avast? If so, it is possible that ad-aware removed/deleted the harmful things, placed them in the ad-aware cache folder, and while running a scan with Avast, Avast found them there.

Ad-Aware didn’t get rid of them at all. I could run Ad-Aware 10 times and avast would still warn me… I tried fixing/cleaning them and avast! said it couldn’t due to some error. After that I just deleted them and then said “what the heck” and uninstalled Sun JVM for now.

Before getting rid of it all I did a full scan and avast! found them in the Sun folder. Then I ran Ad-Aware again and found nothing at all… after that I did the online scanners and nothing. :slight_smile: