Hacking/sending malware for purely personal reasons


15Peter20's Avatar
Junior Member with 17 posts.
 
Join Date: Oct 2007
Experience: Computer Illiterate
27-Feb-2008, 02:48 PM #1
Does 'vmain.class' malware threaten my privacy directly?
I did an avast scan which quarantined 'vmain.class', which as far as I can tell was gotten somehow through Java. (It's in the temp folder under java)

I use Windows Live Messenger a lot, and I'm wondering whether this malware could have infected people I spoke to or somehow given them information about my browsing habits. Is malware like this a threat to one's privacy in such a directly personal way?

I couldn't find much about this on google, so I doubt anyone will be able to give any answers, but any help would be appreciated.
Byteman's Avatar
Moderator with 13,707 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Advanced Junk Jouster
27-Feb-2008, 07:36 PM #2
Hi,

Usually, emptying the Java cache (temporary files) clears up the detection> do this:

My picture below is from probably an older version of Java, but the principle is the same....

Open the Control Panel, find the Java plugin and open that....see pic:
Attached Thumbnails
hacking-sending-malware-purely-personal-jav3.jpg  
15Peter20's Avatar
Junior Member with 17 posts.
 
Join Date: Oct 2007
Experience: Computer Illiterate
28-Feb-2008, 02:29 PM #3
Thanks, I've done that. Still, are my Windows Live Messenger concerns legitimate for when I did have it? I'm pretty concerned about this and I'd be grateful for any info about the likelihood of this having happened.
Byteman's Avatar
Moderator with 13,707 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Advanced Junk Jouster
28-Feb-2008, 02:41 PM #4
Hi,

I suppose if other contacts were getting links in messages from you, that were not typed in by you....yes.

But, I don't think that was what you were having....or you would have put that in your question.

The profile link "virus" or infection, is more common with MSN Messenger, AIM, and other Instant Messaging programs...where one person gets infected and the malware creates automatically links to infections which are put into each Instant Message they send....

Is anyone telling you that your computer is sending them these type of links, usually to noteworthy things like x rated stuff....Osama Bin Laden is alive....crazy stuff like that?

If not I would not worry, the Java temp files are stored locally, they come into your computer but would not go out.

To make sure there is no hidden infection, I would run an online scanner: These detect the Java temp applets that your own installed antimalware programs "alert" you to.

Housecall online scan:
http://www.trendsecure.com/portal/en...security_tools


HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


Or this one: Kaspersky online full scan
  • Please go HERE and click Free Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Copy and Paste the contents of the on line scanner results into a Reply here in your thread, along with a new HJT log and log from any other scans you run.
__________________
ATTN: I tend to edit my replies often, Refresh your browser pages to see added info!

My Signature links:
Donate directly to TSG to help the site-
http://www.techguy.org/donate.html


TSG's Welcome Guide- Tips, Rules, How to use TSG and more!

Just for anyone to read about malware::

Read about evolution of malware:
www.sitepoint.com/article/888
http://tech.msn.com/virus/
http://spywarewarrior.com/rogue_anti...tm#trustworthy
http://www.io.com/~cwagner/spyware.html
Byteman's Avatar
Moderator with 13,707 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Advanced Junk Jouster
28-Feb-2008, 03:37 PM #5
Hi, Also in addition to what I have in my last reply Post #4,

do this:

go to Click here to download HJTsetup.exe
  • On that page, select one of the servers in the list under the Free Downloads heading
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • Don't use the Analyse This button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

_ _ _ _
Please also do this:
  • Open Hijack This and click on the "Open the Misc Tools section" button.
  • Click on the "Open Uninstall Manager" button.
  • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
  • Copy and paste that list here in your reply
15Peter20's Avatar
Junior Member with 17 posts.
 
Join Date: Oct 2007
Experience: Computer Illiterate
02-Mar-2008, 01:44 PM #6
Hacking/sending malware for purely personal reasons
How often does this happen? Is it a regular occurrence for people on this site to be targeted like this, or are security threats usually more commercial things? I have a theory that someone has hacked me or given me a trojan or a rootkit or something for purely socially malicious reasons, and even though it's pretty unlikely, I'm not quite ready to discount the possibility.

In the past few days, I had 'vmain.class' malware found by an avast scan, people have disappeared from my Facebook friends list, and youtube videos have been buffering constantly despite my 4meg connection. I'm sure this doesn't add up to any kind of real evidence, but it's pretty worrying nonetheless.
Byteman's Avatar
Computer Specs
Moderator with 13,707 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Advanced Junk Jouster
02-Mar-2008, 04:38 PM #7
Hi,

If your computer(s) get one infection of a certain type- that opens the door to more and more, and the data they can scoop up and send out, can be misused, > such as credit card, password, email, and other personal information.

Most of the people we help with malware infections are not "targeted" but quite a few believe they have been....it is not rare to be "hacked" by someone requesting that you download a file, happens all the time- and there are "joke" trojans or pranks, that your buddies might use, to worry the heck out of you...

Usually, the folks we help have been using filesharing P2P programs and downloaded the malware believing it was something else> free cracks, hacks for games, free games, free programs, even licensed very expensive ones...that contain extras like worms, virii, etc....

Instant Messaging programs are a common avenue where someone who does not like another, might put a link in a message on purpose, of course this does not last long, as the malicious poster would be reported...

There are infected computers, running things like AIM or MSN or other IM programs, that become infected by clicking on links they think are put there by their friends....when it is the infection on the other computer doing it, and it then will go out in every IM message typed and sent on the new computer, that is how this type spreads....

Someone with physical access and a supply of malware to install could easily do that, provided you have an unlocked computer or have not secured it certain ways...

Someone malicious enough, who gained your trust, could have you download something they knew was an infected item, that installs things like trojans, keyloggers, etc so they can "control" your computer. Or, you can get these infections several other ways, all of them -and many more.

But usually, the vast majority of posters here are not hacked purposely, by anyone they know...rather they pick up the infection through the use of infected files, disks, email, websites, lack of security (Windows vulnerabilities not patched), letting the computer be used by an inexperienced person....

Occasionally, we get requests for help from one half of a couple, believing the other half has planted some spyware keylogger on their computer....or, they want to rule out there has been one....we can help with removing keyloggers and all other malware.




The specific file vmain.class you mention is a Java applet, and is stored in your Java cache of temporary internet files, where the normal Disk Cleanup does not get rid of it.

You can by doing this:

Open the Java icon in your Control Panel, I have attached a screenshot to guide you. Look for a tab to clear the cache, or Delete temporary files....it differs from version to version of Java but you should have no trouble finding the right tab.

Next:

If you would like to check for malware, we use this below as the first step: Post the Hijackthis log and UNinstall list here in your next reply.

go to Click here to download HJTsetup.exe
  • Click "Download the Hijackthis Installer" link in blue.
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Don't use the Analyse This button, its findings are dangerous if misinterpreted
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
_ _ _
Please also do this:
  • Open Hijack This and click on the "Open the Misc Tools section" button.
  • Click on the "Open Uninstall Manager" button.
  • Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad.
  • Copy and paste that list here in your reply
Attached Thumbnails
hacking-sending-malware-purely-personal-jav3.jpg  

Last edited by Byteman : 02-Mar-2008 04:54 PM.
15Peter20's Avatar
Junior Member with 17 posts.
 
Join Date: Oct 2007
Experience: Computer Illiterate
02-Mar-2008, 05:08 PM #8
Thanks for the help. You already helped me with the vmain thing, so it was just a general question. Nobody has sent me any files I haven't immediately scanned, so the only way someone could have done this to me is by directly targeting my IP during a Messenger conversation or via Facebook. How likely is this?
Byteman's Avatar
Moderator with 13,707 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Advanced Junk Jouster
02-Mar-2008, 07:09 PM #9
Hi,

I'm not sure- that is more common with ICQ, mIrc, and other means....

It would depend on how you are set up, how you connect to the Internet, whether or not you use a router and/or a software firewall, and what you do, what you click on, etc., what you are blocking and what has been Allowed.... For the IM programs> you do not have to open a file all it takes, is to click on a hyperlink which appears, in messages, as if it was typed or pasted into the message and sent to you....the link would take you to an infected server that immediately downloads and installs malware....with high speed Internet, it takes only seconds to get a lot of crap into the computer......these links might occasionally, be purposely sent to someone, but the infection spreads over the Internet because all the contacts also receive the same link, and some will click on it....then it infects those machines, and uses the contacts in that computer and sends itself out, on and on.....

There are also, what we call drive-by malware installs....all you need to do, is go to an infected site, and you will start getting popups and things starting to download (more like injected!) into your computer...if your security setup is lacking, they can install at will.

For Facebook, I have no information> but I am pretty good at looking up so wait a bit and check this reply, if I find anything decent I will edit the post and paste it in here....

Facebook: Has found some vulnerabilities and supposedly patched them.

Symantec describes what could happen, if you do respond to a fake or phished, email, and provide information or confirm information....to a third party, who is not from Facebook....

This it says, can lead to further attacks against those that seem "vulnerable" to phishing...so, it could have happened to you in similar fashion....keep in mind, this is still could have....

Some Facebook source code was also leaked, last year and that could help explain the recent updates to patch Facebook...

http://www.symantec.com/enterprise/s...k_snatche.html

Only computer forensics could prove beyond a doubt what happened and when or by whom.

The page below, describes an incident of account hijacking on Facebook....

http://blogs.zdnet.com/micro-markets/?p=967

Here's a vulnerability description, and how to patch it for Facebook:

http://blogsecurity.net/reflections/...users-at-risk/

You still can't fully delete a Facebook account- they are keeping the data...but, the day may come when you can delete an old account, and start a new one.

There is a risk of breaches in security for anything- anyplace that your information is stored online can be a victim, and you become a second victim. I've had friends in the small town I live in, affected by fraud through phishing emails, and it took me some time to convince them to call banks, change passwords, etc.

I do not have time to look into Messenger but I'm sure there are ways that it can be hacked- either through a direct attack or an action on your part such as someone clicking a link that was or was not intended to be sent to you. Really determined criminal types will keep on digging and finding holes to exploit, it seems.

The "patches" usually come around after a breach is found or someone turns in a vulnerability before it is exploited...sometimes we are not so lucky.

Last edited by Byteman : 02-Mar-2008 08:32 PM.
Byteman's Avatar
Moderator with 13,707 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Advanced Junk Jouster
02-Mar-2008, 07:32 PM #10
Hi, Yes, I now see that you already had a thread going with the same questions basically and you stopped replying there...

We don't allow multiple threads for the same issue, so I guess I will move the posts here into your original thread.

Last edited by Byteman : 02-Mar-2008 07:38 PM.