Avast Positives: What Now?

Did an Avast boot-time scan on C: and it came up with 4
positives, all of which I told Avast to delete.

----------------------------------------
04/24/2012 13:45
Scan of all local drives

File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>encode\ANSI.class is infected by Java:Agent-DU [Expl], Deleted
File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>encode\ISO.class is infected by Java:Agent-GM [Expl], Deleted
File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>setup\cp1251.class is infected by Java:Agent-ASE [Expl], Deleted
File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>setup\lang.class is infected by Java:Agent-DM [Trj], Deleted

Scanning aborted
Number of searched folders: 8998
Number of tested files: 795422
Number of infected files: 4
------------------------------------------

Since they were all in Java's deployment cache, I'm wondering
where I stand.

Do I have a clean system? I.e., if I image it, can I call this a
virus-free image?

Is Java compromised?
--
Pete Cresswell
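An added example, not part of the thread: a small Python parser for the Avast report format quoted above. It pulls each "File ... is infected by ..." line apart, checks whether every hit sits inside the Java deployment cache (which is what the OP is asking about), and cross-checks the parsed count against the report's own "Number of infected files" total. The sample report is constructed from the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample reproducing the Avast boot-time report format quoted in the
# thread (paths, detection names and counts are copied from it; nothing else is real).
SAMPLE_REPORT = r"""04/24/2012 13:45
Scan of all local drives

File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>encode\ANSI.class is infected by Java:Agent-DU [Expl], Deleted
File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>encode\ISO.class is infected by Java:Agent-GM [Expl], Deleted
File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>setup\cp1251.class is infected by Java:Agent-ASE [Expl], Deleted
File C:\Documents and Settings\Kolon\Application Data\Sun\Java\Deployment\cache.0d3bd0c-69d48f2f|>setup\lang.class is infected by Java:Agent-DM [Trj], Deleted

Scanning aborted
Number of searched folders: 8998
Number of tested files: 795422
Number of infected files: 4
"""

# "File <container>|><member> is infected by <name> [<category>], <action>";
# "|>" separates an archive (here a cached applet jar) from the member inside it.
DETECTION_RE = re.compile(
    r"^File (?P<container>.+?)(?:\|>(?P<member>.+?))? is infected by "
    r"(?P<name>\S+) \[(?P<category>\w+)\], (?P<action>\w+)$"
)
JAVA_CACHE_MARKER = r"\Sun\Java\Deployment\cache"

def parse_detections(report):
    """Return one dict per 'File ... is infected by ...' line in the report."""
    hits = [DETECTION_RE.match(ln.strip()) for ln in report.splitlines()]
    return [m.groupdict() for m in hits if m]

def triage(report):
    """Summarise where the hits live, what kind they are, and whether the
    parsed count matches the report's own total (a mismatch = truncated log)."""
    hits = parse_detections(report)
    in_cache = [h for h in hits if JAVA_CACHE_MARKER.lower() in h["container"].lower()]
    total = re.search(r"Number of infected files: (\d+)", report)
    reported = int(total.group(1)) if total else None
    return {
        "total": len(hits),
        "reported_total": reported,
        "consistent": reported == len(hits),
        # All hits inside the deployment cache = a cached drive-by attempt, not proof
        # the exploit ran; a [Trj] member still warrants a full-system scan.
        "all_in_java_cache": bool(hits) and len(in_cache) == len(hits),
        "categories": dict(Counter(h["category"] for h in hits)),
        "trojan_members": [h["member"] for h in hits if h["category"] == "Trj"],
    }
```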

Re: Avast Positives: What Now?


Java isn't compromised.  They are Java exploits.  Hopefully you used the
latest Sun Java v7 update 3 or v6 update 31.  If you are up-to-date in Java
then it probably was not a successful exploit.  However you should scan
the whole system just in case.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Avast Positives: What Now?

Per David H. Lipman:

Thanks.

I've got a legacy media app that dies if I inflict Java 7 on it,
so I've still got 6 and have turned Java's auto-updating off.

But it turns out that I only have Update 23.

I'm looking at the Java download page
(http://tinyurl.com/7hu833o ) but can't figure out which "31" to
download.

The choices appear to be:

Windows x86 (32-bit) Kernel     0.87 MB   jre-6u31-windows-i586-iftw-k.exe
Windows x86 (32-bit) Online     0.87 MB   jre-6u31-windows-i586-iftw.exe
Windows x86 (32-bit) Offline   16.19 MB   jre-6u31-windows-i586.exe

Or do I need all 3?
--
Pete Cresswell

Re: Avast Positives: What Now?


I think "Windows x86 (32-bit) Offline, jre-6u31-windows-i586.exe" is the
best to use.

If you had v6 update 23 then you are vulnerable, especially to
Exploit:Java/CVE-2012-0507, which is actively being used in Blackhole
Exploits and its detection is EXTREMELY poor.

Yours were detected as Java:Agent-XX, which I don't think is related to
CVE-2012-0507.

You definitely need to check your computer ASAP!



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Avast Positives: What Now?

Per David H. Lipman:

That's what prompted the OP.

I guess I'm about to scan it again too....

My first choice was Kaspersky, but I couldn't get to first base
with the graphical UI version - it kept doing weird things.

My fallback has been Avast's boot-time scan - which is something
of a PITA in that you have to sit there and watch it run in case
it catches something, issues a prompt, and then waits for user
input.
--
Pete Cresswell

Re: Avast Positives: What Now?

On Tue, 24 Apr 2012 21:49:40 -0400 (PeteCresswell) wrote:

Well, no.  Open the Avast interface > Boot time scan > settings > "When a
threat is found > Move to Chest."
--
Ernie B.

Communication:  The art of moving an idea from one mind to another, hopefully
without distortion.

Re: Avast Positives: What Now?

"Ernie B." wrote:


Wheeze!



Re: Avast Positives: What Now?


BTW: v6 update 32 and v7 update 4 have been released and it is strongly
advised you update to either.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Avast Positives: What Now?

On Mon, 30 Apr 2012 16:07:25 -0400, David H. Lipman wrote:


I can see Version 7 Update 4 (which I have installed), but I can only
see Version 6 Update 31. :-?

--
s|b

Re: Avast Positives: What Now?


http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html
You see Java SE 7u4 at the top;
page down for Java SE 6 Update 32.

--
Fred W. (NL)

Re: Avast Positives: What Now?


Half-way down the page...
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Java SE 6 Update 32
http://www.oracle.com/technetwork/java/javase/downloads/jre-6u32-downloads-1594646.html



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Avast Positives: What Now?

On Mon, 30 Apr 2012 17:18:42 -0400, David H. Lipman wrote:


http://www.oracle.com/technetwork/java/javase/downloads/jre-6u32-downloads-1594646.html

Tnx! (Both of you.)

--
s|b

Re: Avast Positives: What Now?

(PeteCresswell) wrote:


Do you really need to have Java applets cached locally on your host
after you're done running them?  If so, how big are they?  How often do
you use them that caching is needed to eliminate the bandwidth to
download them again?  Even if you revisit the same site every day, like
for a crossword puzzle or online game, if the Java applet is small then
you gain little by having a locally cached copy of it.

In Control Panel for the Java applet, use it to flush Java's cache.
Disable the "Temporary Internet Files" option.  While you're there,
click on the "Delete Files" button to get rid of the old cached applets.

Re: Avast Positives: What Now?

Per VanguardLH:

I'm so clueless that I didn't even know about the caching.
Thanks.


Done.
--
Pete Cresswell
