Suspicious entry in Spybot Log & HijackThis


CNEBJL

Below I have posted an entry from my HiJackThis log (reference NeroFilterCheck). My Google search for NeroCheck.exe indicated the normal path to be in the Programs directory. Since this is in the system32 path, I suspect this might be a trojan or malware. (?)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:18:54 AM, on 10/9/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

~~~~~~~~~~~~~~~~~~~~~~

Below are 2 entries from my SpyBot log file. They appear to be the same, with the exception of the following text:

description: Sun Java

classification: Legitimate

known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll

info link:

info source: Patrick M. Kolla

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_21

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

description: Sun Java

classification: Legitimate

known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll

info link:

info source: Patrick M. Kolla

Path: C:\Program Files\Java\jre6\bin\

Long name: npjpi160_21.dll

Short name: NPJPI1~1.DLL

Date (created): 7/17/2010 2:42:32 AM

Date (last access): 10/1/2010 10:01:14 AM

Date (last write): 7/17/2010 5:00:06 AM

Filesize: 141088

Attributes:

MD5: 0B3AC6C55A8F57FFEB18A9FC35A5E9CF

CRC32: 1D07915B

Version: 6.0.210.7

{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_21

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

Path: C:\Program Files\Java\jre6\bin\

Long name: npjpi160_21.dll

Short name: NPJPI1~1.DLL

Date (created): 7/17/2010 2:42:32 AM

Date (last access): 10/9/2010 6:45:48 AM

Date (last write): 7/17/2010 5:00:06 AM

Filesize: 141088

Attributes:

MD5: 0B3AC6C55A8F57FFEB18A9FC35A5E9CF

CRC32: 1D07915B

Version: 6.0.210.7

I am curious to know if this second entry is malware and, if so, how to remove it.

Any Suggestions would be most appreciated.


Hello CNEBJL! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

Please go to www.virustotal.com and upload the following file:

C:\Program Files\Java\jre6\bin\npjpi160_21.dll

Please post the results in your next reply.

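The two checks this thread turns on are whether an autostart entry launches a file from an unexpected directory and whether the file's hash matches what a scanner or VirusTotal reports. The following Python helpers are an added example, not code from the original post or from HijackThis, Spybot or VirusTotal: parse_o4 splits the quoted O4 line into hive, key, value name and image path, in_windows_dir records whether the image sits in \WINDOWS or \WINDOWS\system32 (the poster's concern), and hashes/same_hash compute digests and compare them case-insensitively, since Spybot prints the MD5 in uppercase and VirusTotal in lowercase. The function names are assumptions; the sample line and the MD5 values are the ones quoted in the thread.

```python
"""Hypothetical triage helpers for HijackThis O4 lines and file-hash comparison (added example)."""
import hashlib
import ntpath
import re
from typing import Dict, Optional

# Constructed sample input: the O4 line quoted in the post.
SAMPLE_O4 = r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe"

# MD5 of npjpi160_21.dll as Spybot reported it (uppercase) and as VirusTotal did (lowercase).
SPYBOT_MD5 = "0B3AC6C55A8F57FFEB18A9FC35A5E9CF"
VIRUSTOTAL_MD5 = "0b3ac6c55a8f57ffeb18a9fc35a5e9cf"

# Matches registry-based O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command>".
# Startup-folder variants ("O4 - Startup: ...") are not covered; parse_o4 returns None for them.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$"
)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 line into hive, key, value name, full command and the image path it launches."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    cmd = entry["command"].strip()
    # A quoted command ("C:\Program Files\x.exe" /arg) carries its path inside the quotes;
    # otherwise the whole command is taken as the path (the usual shape of these Run entries).
    entry["path"] = cmd.split('"')[1] if cmd.startswith('"') and cmd.count('"') >= 2 else cmd
    entry["image"] = ntpath.basename(entry["path"])
    return entry


def in_windows_dir(path: str) -> bool:
    """True when the image lives directly in \\WINDOWS or \\WINDOWS\\system32 (any drive letter)."""
    directory = ntpath.dirname(path).lower()
    return re.search(r"\\windows(\\system32)?$", directory) is not None


def triage_o4(line: str) -> str:
    """One-line note saying where the image runs from and what to verify next."""
    entry = parse_o4(line)
    if entry is None:
        return "unparsed: not a registry O4 line"
    where = "system directory" if in_windows_dir(entry["path"]) else "application directory"
    return (f"{entry['image']} started from {entry['hive']}\\..\\{entry['key']} "
            f"[{entry['name']}] in a {where}; verify hash and signer before acting")


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of file contents, lowercase hex as VirusTotal prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk in chunks so large binaries do not need to fit in memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def same_hash(reported: str, computed: str) -> bool:
    """Compare hex digests case-insensitively: Spybot prints uppercase, VirusTotal lowercase."""
    return reported.strip().lower() == computed.strip().lower()


if __name__ == "__main__":
    print(triage_o4(SAMPLE_O4))
    print("Spybot and VirusTotal agree on the MD5:", same_hash(SPYBOT_MD5, VIRUSTOTAL_MD5))
```

To check a file on the machine in question, call hash_file on its path and pass the md5 result to same_hash together with the digest a scanner reported; a mismatch means the scanner's verdict was for a different file than the one on disk, and the hash on disk is what should be looked up.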

The following text resulted from the upload:

File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:

MD5: 0b3ac6c55a8f57ffeb18a9fc35a5e9cf

Date first seen: 2010-07-26 22:44:06 (UTC)

Date last seen: 2010-10-06 15:03:15 (UTC)

Detection ratio: 0/43

What do you wish to do?

Reanalyse View last report


Click on the Reanalyse button and put the results in your next reply.

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: npjpi160_21.dll

Submission date: 2010-10-11 19:22:22 (UTC)

Current status: queued queued (#4) analysing finished

Result: 0/ 43 (0.0%)

VT Community

not reviewed

Safety score: -

Antivirus Version Last Update Result

AhnLab-V3 2010.10.11.00 2010.10.11 -

AntiVir 7.10.12.184 2010.10.11 -

Antiy-AVL 2.0.3.7 2010.10.11 -

Authentium 5.2.0.5 2010.10.11 -

Avast 4.8.1351.0 2010.10.11 -

Avast5 5.0.594.0 2010.10.11 -

AVG 9.0.0.851 2010.10.11 -

BitDefender 7.2 2010.10.11 -

CAT-QuickHeal 11.00 2010.10.11 -

ClamAV 0.96.2.0-git 2010.10.11 -

Comodo 6356 2010.10.11 -

DrWeb 5.0.2.03300 2010.10.11 -

Emsisoft 5.0.0.50 2010.10.11 -

eSafe 7.0.17.0 2010.10.11 -

eTrust-Vet 36.1.7905 2010.10.11 -

F-Prot 4.6.2.117 2010.10.11 -

F-Secure 9.0.15370.0 2010.10.11 -

Fortinet 4.2.249.0 2010.10.11 -

GData 21 2010.10.11 -

Ikarus T3.1.1.90.0 2010.10.11 -

Jiangmin 13.0.900 2010.10.11 -

K7AntiVirus 9.65.2724 2010.10.11 -

Kaspersky 7.0.0.125 2010.10.11 -

McAfee 5.400.0.1158 2010.10.11 -

McAfee-GW-Edition 2010.1C 2010.10.11 -

Microsoft 1.6201 2010.10.11 -

NOD32 5521 2010.10.11 -

Norman 6.06.07 2010.10.11 -

nProtect 2010-10-11.01 2010.10.11 -

Panda 10.0.2.7 2010.10.11 -

PCTools 7.0.3.5 2010.10.11 -

Prevx 3.0 2010.10.11 -

Rising 22.69.00.01 2010.10.11 -

Sophos 4.58.0 2010.10.11 -

Sunbelt 7038 2010.10.11 -

SUPERAntiSpyware 4.40.0.1006 2010.10.11 -

Symantec 20101.2.0.161 2010.10.11 -

TheHacker 6.7.0.1.054 2010.10.10 -

TrendMicro 9.120.0.1004 2010.10.11 -

TrendMicro-HouseCall 9.120.0.1004 2010.10.11 -

VBA32 3.12.14.1 2010.10.11 -

ViRobot 2010.10.4.4074 2010.10.11 -

VirusBuster 12.67.13.0 2010.10.11 -

Additional information

MD5 : 0b3ac6c55a8f57ffeb18a9fc35a5e9cf

SHA1 : 841e83d3936d8f9773c6f5a490a21bcbfa65a335

SHA256: 492187dd446140ce08e0f826909ed0dd63849efda1a2b51474ebd8a132dd7862

ssdeep: 1536:pOd/FcOQCVDpjaX8S7VzlddvEBIBeyOdLwYGFYDvMZAlnWPhVYmrL:Md/0cheh7Vz2BuOySvmAlnWPhqm3

File size : 141088 bytes

First seen: 2010-07-26 22:44:06

Last seen : 2010-10-11 19:22:22

TrID:

DirectShow filter (52.6%)

Windows OCX File (32.2%)

Win32 Executable MS Visual C++ (generic) (9.8%)

Win32 Executable Generic (2.2%)

Win32 Dynamic Link Library (generic) (1.9%)

sigcheck:

publisher....: Sun Microsystems, Inc.

copyright....: Copyright © 2010

product......: Java Platform SE 6 U21

description..: Classic Java Plug-in 1.6.0_21 for Netscape and Mozilla

original name: npjpi160_21.dll

internal name: Java Plug-in

file version.: 6.0.210.7

comments.....: n/a

signers......: Sun Microsystems, Inc.

VeriSign Class 3 Code Signing 2009 CA

Class 3 Public Primary Certification Authority - G2

signing date.: 2:00 PM 7/17/2010

verified.....: -

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x9EA7

timedatestamp....: 0x4C41A940 (Sat Jul 17 12:59:44 2010)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x100F1, 0x11000, 6.48, 564fffea0f838b9bb65d9c168e33a498

.rdata, 0x12000, 0x4CDE, 0x5000, 5.39, 39705d6a7e545362199733b4e6e24614

.data, 0x17000, 0x28E0, 0x1000, 2.32, 92079dabc6f13786c40d6a60a2fabd57

.rsrc, 0x1A000, 0x6808, 0x7000, 3.89, 0165e0f0942ce420ce3c151a5ab7ed93

.reloc, 0x21000, 0x1C5C, 0x2000, 4.96, a687e43049d04228ebce5530b4ec7b65

[[ 6 import(s) ]]

ADVAPI32.dll: RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegDeleteKeyA, RegDeleteValueA, RegCreateKeyExA, RegSetValueExA, RegEnumKeyExA, RegQueryInfoKeyA

KERNEL32.dll: GetProcAddress, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, lstrlenA, CloseHandle, ReleaseMutex, CreateEventA, GetModuleFileNameA, OpenEventA, WaitForSingleObject, CreateMutexA, GetCurrentProcessId, GetModuleHandleA, DisableThreadLibraryCalls, InterlockedIncrement, InterlockedDecrement, MulDiv, WideCharToMultiByte, lstrlenW, CreateProcessA, FreeLibrary, SizeofResource, LoadResource, FindResourceA, LoadLibraryExA, lstrcmpiA, lstrcpynA, IsDBCSLeadByte, FlushInstructionCache, GetCurrentProcess, GetCurrentThreadId, GetCommandLineA, SetEnvironmentVariableA, GetEnvironmentVariableA, GetShortPathNameA, InterlockedCompareExchange, HeapFree, GetProcessHeap, HeapAlloc, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, lstrcatA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, CompareStringW, CompareStringA, SetFilePointer, GetCPInfo, GetOEMCP, IsBadCodePtr, IsBadReadPtr, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, WriteFile, UnhandledExceptionFilter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, SetUnhandledExceptionFilter, TlsGetValue, TlsSetValue, TlsFree, SetLastError, TlsAlloc, HeapSize, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, ExitProcess, HeapReAlloc, VirtualQuery, GetSystemInfo, VirtualProtect, RtlUnwind, LoadLibraryA, GetLastError, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, FlushFileBuffers

USER32.dll: UnregisterClassA, CallWindowProcA, SetWindowLongA, GetDlgItem, SetDlgItemTextA, LoadStringA, EndDialog, DrawTextA, FillRect, MessageBoxA, DestroyWindow, DefWindowProcA, GetActiveWindow, PtInRect, UnionRect, RegisterClassExA, GetClassInfoExA, LoadCursorA, wsprintfA, CreateWindowExA, CharNextA, BeginPaint, EndPaint, DialogBoxParamA, GetKeyState, InvalidateRect, IsWindow, GetParent, GetFocus, IsChild, SetFocus, ShowWindow, GetWindowLongA, GetDC, ReleaseDC, IntersectRect, EqualRect, OffsetRect, SetWindowRgn, SetWindowPos, GetClientRect

ole32.dll: CoInitialize, CoCreateInstance, CLSIDFromString, OleRegEnumVerbs, OleRegGetUserType, CreateOleAdviseHolder, OleRegGetMiscStatus, OleLoadFromStream, WriteClassStm, OleSaveToStream, CoTaskMemFree, CoTaskMemAlloc, CoTaskMemRealloc, CoUninitialize

OLEAUT32.dll: -, -, -, -, -, -, -, -

GDI32.dll: RestoreDC, DeleteDC, SetViewportOrgEx, SetWindowOrgEx, SetMapMode, SaveDC, LPtoDP, GetDeviceCaps, CreateDCA, CreateRectRgnIndirect

[[ 11 export(s) ]]

DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, NP_GetEntryPoints, NP_Initialize, NP_Shutdown, NSCanUnload, NSGetFactory, NSRegisterSelf, NSUnregisterSelf

ExifTool:

file metadata

CharacterSet: Windows, Latin1

CodeSize: 69632

CompanyName: Sun Microsystems, Inc.

EntryPoint: 0x9ea7

FileDescription: Classic Java Plug-in 1.6.0_21 for Netscape and Mozilla

FileExtents: |

FileFlagsMask: 0x003f

FileOS: Win32

FileOpenName: Java Applet|JavaBeans

FileSize: 138 kB

FileSubtype: 0

FileType: Win32 DLL

FileVersion: 6.0.210.7

FileVersionNumber: 6.0.210.7

FullVersion: 1.6.0_21-b07

ImageVersion: 0.0

InitializedDataSize: 69632

InternalName: Java Plug-in

LanguageCode: English (U.S.)

LegalCopyright: Copyright 2010

LinkerVersion: 7.1

MIMEType: application/x-java-applet;jpi-version=1.6.0_21|application/x-java-bean;jpi-version=1.6.0_21|application/x-java-applet;version=1.6|application/x-java-bean;version=1.6|application/x-java-applet;version=1.5|application/x-java-bean;version=1.5|application/x-java-applet;version=1.4|application/x-java-applet;version=1.4.1|application/x-java-applet;version=1.4.2|application/x-java-bean;version=1.4|application/x-java-bean;version=1.4.1|application/x-java-bean;version=1.4.2|application/x-java-applet;version=1.3|application/x-java-applet;version=1.3.1|application/x-java-bean;version=1.3|application/x-java-bean;version=1.3.1|application/x-java-applet;version=1.2|application/x-java-applet;version=1.2.1|application/x-java-applet;version=1.2.2|application/x-java-bean;version=1.2|application/x-java-bean;version=1.2.1|application/x-java-bean;version=1.2.2|application/x-java-applet;version=1.1|application/x-java-applet;version=1.1.1|application/x-java-applet;version=1.1.2|application/x-java-applet;version=1.1.3|application/x-java-bean;version=1.1|application/x-java-bean;version=1.1.1|application/x-java-bean;version=1.1.2|application/x-java-bean;version=1.1.3|application/x-java-applet|application/x-java-bean

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

ObjectFileType: Dynamic link library

OriginalFilename: npjpi160_21.dll

PEType: PE32

ProductName: Java Platform SE 6 U21

ProductVersion: 6.0.210.7

ProductVersionNumber: 6.0.210.7

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2010:07:17 14:59:44+02:00

UninitializedDataSize: 0

VT Community
