07-10-2010 11:55 AM
Hi,
Norton found and successfully removed a vclass.main (Trojan.Gen) found at C:documents and settings...application data\sun\java\deployment\cache\6.0\29.
After being removed, I ran NIS 2010 again and a quick scan of Malwarebytes but no virus, etc. were found.
I've also cleared the Java cache and ensured I have the latest version (Version 6 update 20). Also, I've changed the settings on Java so no temporary files are stored on my computer.
Is this a very malicious Trojan? I've read elsewhere on the forum that it is a keylogger. Should I still be concerned now that it appears to have been resolved? Can I take any further steps?
Also, would this trojan have recorded any personal data?
Pardon all the questions but this type of virus is a little unnerving.
Thanks,
CurrentR
07-10-2010 01:48 PM - edited 07-10-2010 01:52 PM
Hello CurrentR
I would also make sure that all the old Javas on your system have been removed and any remnants of them. You can also run a full scan with the free version of SuperAntiSpyware to make sure that all of the Trojan Gen was cleaned up. It is another on demand scanner which you can use.
Here is a free on demand antimalware scanner. It is safe to use on demand with your Norton product.
http://www.superantispyware.com/
Here is another site you can use to get the program.
http://www.filehippo.com/download_superantispyware
The download button is on the right hand side. Please be careful not to download Spyware Doctor which is on the left side. Also, please don't forget to update the program each time before use of it. In fact you can update it every day just in case some malware may prevent you from updating it.
Trojan Gen also has many different variants to it which are always changing also. Here is a report from ThreatExpert about it.
http://www.threatexpert.com/report.aspx?md5=b24790
Success always occurs in private and failure in full view.
07-10-2010 03:32 PM
Hi floplot,
Would removing any previous version with Add/Remove in control panels ensure that all previous versions are gone?
Thanks.
07-10-2010 04:34 PM
Hi CurrentR,
Any versions of Java older than the latest Update 20 or 21 should be individually removed via Add/Remove Programs (Update 21 was released a couple of days ago but has no security fixes, so it is not necessary to install this from a security standpoint).
07-10-2010 04:45 PM - edited 07-10-2010 05:00 PM
to send of jive
When I checked on Java's website to see the latest version it says version 6 update 20... Where did u get update 21?
And if there is a 21 update why isn't it showing up on their website when I do the Java test to see if I have the latest version?
Thanks Kevin
07-10-2010 06:28 PM
Hi TooStrong,
The Java program updater is still not showing this update but that is probably because there are no security issues being addressed in this release. Information on the new version can be found here:
Release notes: http://java.sun.com/javase/6/webnotes/6u21.html
Download: http://java.sun.com/javase/downloads/index.jsp
07-10-2010 06:42 PM
Hi SendOfJive,
In "Add/Remove Programs" only version 20 of Java is listed.
But at "C:\Documents and Settings\...\Application Data\Sun\Java" there are still folders "jre1.6.0_14", "jre1.6.0_16", "jre1.6.0_17" and "jre1.6.0_19" as well as "jre1.6.0_20". Can those prior to jre1.6.0_20 be deleted? Or do they pose any potential risk at all?
Also, I downloaded and ran a full scan of SuperAntiSpyware that found only tracking cookies. Can I assume all is well now?
Thanks.
07-10-2010 07:15 PM
Hello CurrentR
I only have the version 20 in my folder. Keep an eye on things, but I would say that you are ok now.
Success always occurs in private and failure in full view.
07-10-2010 08:06 PM - edited 07-10-2010 08:10 PM
Well what do you know? I've got those folders, too. One's empty. Some recent ones have only an Open Office banner .jpg that was part of an advertisement that displayed during the Java installation process. The rest contain only a single lzma.dll file that a quick bit of research indicates was part of the Java installer that should have been deleted automatically but was not, due to a bug in those versions. So I would say these are safe to delete. On the other hand they are very tiny and do not pose any problems so there is no harm in keeping them either. I'd just leave 'em.
07-11-2010 08:14 AM
Hello floplot and SendOfJive,
Thanks for your help. I may delete the folders and breathe easier.
Cheers.
