Contributor
Jen2010
Posts: 29
Registered: ‎08-13-2010

Javaupdatemanager.class (Downloader) trojan?

Hi.  I am running Norton Security Suite 4.2.0.12 on Vista Home Premium SP2, with two users set up, one with Admin rights.

 

Every so often, Norton finds files that it labels as a High Security Threat in the Users\"username"\appdata\locallow\sun\java\deployment\cache\ folders.  Always an alphanumeric (hex?) filename like 2a5cd7-2d311244, and it says it's a javaupdatemanager.class (Downloader).  It found one last night in the non-Admin account's \cache folder and quarantined it.  The odd thing is, the *exact* same filename exists in the cache folder on the user account with Admin rights.  So I had Norton scan it, and it showed it as clean!  I am confused, please help.

 

Thanks

 

Jen

SendOfJive
Posts: 10,755
Kudos: 4,795
Solutions: 776
Registered: ‎02-07-2009

Re: Javaupdatemanager.class (Downloader) trojan?

Hi Jen2010,

 

Vulnerabilities in older versions of Java can allow malware to be installed.  Follow the instructions in the link below to clear the Java cache which will remove the files that Norton is detecting.  After you have done this in all user accounts go to the account with administrator privileges and reopen the Java Control Panel.  Open the Update tab and click the Update Now button.  If a new version is available, install it.  Note the new version number.  Once the installation has finished go to Add/Remove Programs and if you find any old versions of Java listed remove them, leaving just the latest version installed.

 

http://www.java.com/en/download/help/plugin_cache.xml

Contributor
Jen2010
Posts: 29
Registered: ‎08-13-2010

Re: Javaupdatemanager.class (Downloader) trojan?

Hi

 

Thank you for the quick reply.  I should have mentioned in my original email that a couple of weeks ago I did uninstall old versions of Java from all our computers, and the one we are running now, 6 update 21, appears to be the most recent.  The thing that worries me is that I do full scans routinely, almost compulsively now, and I did one just the day before this trojan was detected.  I also scan on an ad hoc basis with Malwarebytes.  And Norton/Malwarebytes don't seem to think the files are trojans when I run a file-level scan.  Could it be a false positive?  Our web-surfing is really pretty limited.  I tried not having Java installed at all, but there were a few things my husband needed that require it.

 

Thanks again

 

Jen

SendOfJive
Posts: 10,755
Kudos: 4,795
Solutions: 776
Registered: ‎02-07-2009

Re: Javaupdatemanager.class (Downloader) trojan?

Hi Jen 2010,

 

You do have the most recent version of Java.  I am not sure why you got mixed scan results with this file.  If you still have it, or if it comes back, you could upload it to VirusTotal to see if the AV scanners there can reach a consensus.  As for doing away with Java entirely, at least one security expert is in agreement with you:

 

http://krebsonsecurity.com/2010/06/dont-need-java-junk-it/
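One way to check the mixed result discussed above (the same cache filename flagged in one account and clean in the other) before uploading anything, as an added example that is not part of the original thread: hash same-named cache entries across user profiles and list any `.class` names inside them. It assumes cache entries may be JAR/ZIP archives and that `.idx` files are index files to skip; the profile directories are passed on the command line.

```python
import hashlib
import sys
import zipfile
from collections import defaultdict
from pathlib import Path

# Cache location relative to a user profile, as quoted in the thread.
CACHE_REL = Path("AppData/LocalLow/Sun/Java/Deployment/cache")

def sha256_of(path):
    """Hash file content in chunks so large entries are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def class_entries(path):
    """Return .class names if the entry is a JAR/ZIP (assumption), else []."""
    if not zipfile.is_zipfile(path):
        return []
    with zipfile.ZipFile(path) as jar:
        return sorted(n for n in jar.namelist() if n.lower().endswith(".class"))

def compare_caches(profile_dirs):
    """Report cache file names present in more than one profile."""
    by_name = defaultdict(dict)
    for profile in map(Path, profile_dirs):
        cache = profile / CACHE_REL
        if not cache.is_dir():
            continue
        for entry in cache.rglob("*"):
            # .idx files are treated as index files and skipped (assumption).
            if entry.is_file() and entry.suffix != ".idx":
                by_name[entry.name][profile.name] = (
                    sha256_of(entry), class_entries(entry))
    report = {}
    for name, seen in by_name.items():
        if len(seen) > 1:
            hashes = {digest for digest, _ in seen.values()}
            report[name] = {"identical": len(hashes) == 1, "profiles": seen}
    return report

if __name__ == "__main__":
    # Usage: python compare_java_cache.py C:\Users\alice C:\Users\bob
    for name, info in sorted(compare_caches(sys.argv[1:]).items()):
        print(name, "same content" if info["identical"] else "DIFFERENT content")
        for profile, (digest, classes) in sorted(info["profiles"].items()):
            print("   ", profile, digest, classes)
```

If two same-named entries hash differently, they are different files despite the shared name, so differing scan verdicts are not contradictory.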

Contributor
Jen2010
Posts: 29
Registered: ‎08-13-2010

Re: Javaupdatemanager.class (Downloader) trojan?

Thanks.  I did empty the cache from the Java control panel, from both user accounts, but even after doing that, there are still many files in the appdata\locallow\sun\java\deployment\cache\6.0\  folders  (within numbered folders) and also in appdata\locallow\sun\java\deployment\SystemCache\6.0 folders.  Many of them have pretty old "date modified" dates, and scans of the folders turn up no suspicious flags.  Is this normal?

 

I did uncheck the "keep temporary files on my computer" box, but I am guessing that will cripple any Java app?

Other than doing a Norton scan from Safe Mode, with the scan set to "Full" rather than "Trusted" and a *full* Malwarebytes scan that took 7 hours (not from safe mode, they don't recommend it?) is there anything else I should do? 

 

Thanks again.  

 

Jen

 

 

floplot
Posts: 10,576
Topics: 215
Kudos: 2,051
Solutions: 365
Registered: ‎04-11-2009

Re: Javaupdatemanager.class (Downloader) trojan?

Hello Jen2010

 

Here is an article about how to get control over Java settings.

 

http://www.pcmech.com/article/getting-better-control-over-your-java-settings/

 


If you don’t use Java that often, I recommend unchecking Keep temporary files on my computer. This will keep Windows from being clogged up with tons of Java application data, which can happen all too easily. As you can see from above, Java keeps its own cache directory for its own applications. You can save yourself the headache of clearing this out by having Java not save temporary files in the first place.

Again, this is only if you don’t use Java that often. If you do use it with a fair amount of frequency, Java will have to reload everything each time it starts. If not, leave the box above unchecked.

When done, click OK.


This was taken from the above article. So if you leave it unchecked, the program that uses Java will reload it again, so it won't cripple your programs that use it. By leaving it unchecked, it may slow you down for a couple of seconds, but you will be safer in the long run. If you do use it frequently, then clean it out daily is my opinion.

 

Please read the rest of that article because it explains all the settings in Java; Thanks.

Success always occurs in private and failure in full view.




SendOfJive
Posts: 10,755
Kudos: 4,795
Solutions: 776
Registered: ‎02-07-2009

Re: Javaupdatemanager.class (Downloader) trojan?

Browsing through the application data folder I am also finding the numbered folders you mention, so these are normal.  I wouldn't worry about them.  What you want to clear, and already have via the Java Control Panel, are the temporary internet files that Java keeps around.  Unchecking "Keep temporary files on my computer" should not cripple the application.  It should continue to work fine.  I think you have done everything that needs to be done.

Contributor
Jen2010
Posts: 29
Registered: ‎08-13-2010

Re: Javaupdatemanager.class (Downloader) trojan?

Thank you both very much for your help, and for the links to other resources.  

 

Jen

Newbie
tom24nh
Posts: 4
Registered: ‎03-19-2010

Re: Javaupdatemanager.class (Downloader) trojan?

I get the same thing; it has happened the last 2 times Java has updated. This was the last update: javaupdateapplication.class and javaupdatemanager.class. A full scan was done on Sunday and the computer was not used on Monday, but when started today this came up as virus threats. Idle quick scan showed no problem 20 min before idle full scan. I think this is a problem with Norton and not a virus threat. Can anyone tell me different?

floplot
Posts: 10,576
Topics: 215
Kudos: 2,051
Solutions: 365
Registered: ‎04-11-2009

Re: Javaupdatemanager.class (Downloader) trojan?

Hello tom24nh

 

Welcome to the Norton Community Forum

 

Are you running the latest version of Java which is 21 now? Have you deleted the older versions from Add/remove? I would disable the auto update of Java and go to the Java website once a week and see if there are any updates available. Even though your computer was off or not used, new definitions are coming out and new pulse updates come out all the time also. I would also empty out the java temp files and empty the cache as explained in the posts in this thread.

 

You can also run a full scan with the free version of Malwarebytes as an on demand scanner which won't interfere with your Norton product.

 

Download the free version, install and update then run a FULL scan. After the scan completes you should post the logs back to this thread.

You can find Malwarebytes here

http://www.filehippo.com/download_malwarebytes_anti_malware/

It is a safer location to get the program from than Malwarebytes themselves because some malware creators have large lists of sites that they block. Please be careful to download the correct program: the FREE version of MALWAREBYTES

(Thanks to Delph for providing the alternative site)

 

Please let us know if this shows anything and also please make sure your Adobe products are up to date also.

Success always occurs in private and failure in full view.