TR/Dldr.java.agent.ah.1 and TR/FakeRean.A.493 found on scan

HELP!
Yesterday evening my laptop slowed to a crawl. Opening a web page takes several minutes. I tried a reboot but no change. Ran Malwarebytes - no viruses found, ran CCleaner but still found web viewing painfully slow. I have now run Avira AntiVir Personal version 10.0.0.561. I let it run overnight and it has detected the following:

object: jar_cache221880869087211....
detection: TR/Dldr.Java.Agent.AH.1
object: n008106201318r0409J100...
detection: TR/FakeRean.A.493

What I'm finding to be very strange is that these viruses are highlighted as being found but it looks like the scan was somehow halted? It shows the status at SCANNING FILE. Last Object: D:\Windows\System32\WinpeBranding.log at 87.7% and it shows 3 detections found, but yet it's only listing 2 as a quarantine? I have a screen cap and an export of my registry file but I'm not sure how to attach it to here.

more info on my virus situation

Here's the report on the scan... It appears to be temporary IE files in the cache that are infected? But I haven't been able to find anything online regarding these two files? Can I go ahead and quarantine them?


Avira AntiVir Personal
Report file date: Friday, April 09, 2010 21:59

Scanning for 1981271 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista x64
Windows version : (Service Pack 1) [6.0.6001]
Boot mode : Normally booted
Username : SYSTEM
Computer name : GOODNOW-PC

Version information:
BUILD.DAT : 10.0.0.561 32098 Bytes 3/18/2010 15:46:00
AVSCAN.EXE : 10.0.2.3 433832 Bytes 3/7/2010 21:57:10
AVSCAN.DLL : 10.0.2.2 45928 Bytes 3/2/2010 16:48:47
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 22:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 04:56:06
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 04:56:09
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 04:56:12
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 03:00:02
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 03:00:02
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 03:00:02
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 03:00:02
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 03:00:02
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 03:00:03
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 03:00:03
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 03:00:03
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 03:00:03
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 03:28:35
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 03:28:36
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 03:35:15
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 14:43:08
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 14:43:04
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 20:56:44
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 19:25:56
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 19:25:58
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 19:25:59
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 19:26:00
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 19:26:02
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 19:26:03
VBASE025.VDF : 7.10.5.254 187904 Bytes 3/30/2010 19:26:04
VBASE026.VDF : 7.10.6.18 130560 Bytes 4/1/2010 12:16:38
VBASE027.VDF : 7.10.6.34 136192 Bytes 4/6/2010 15:07:17
VBASE028.VDF : 7.10.6.44 232448 Bytes 4/7/2010 15:07:18
VBASE029.VDF : 7.10.6.45 2048 Bytes 4/7/2010 15:07:19
VBASE030.VDF : 7.10.6.46 2048 Bytes 4/7/2010 15:07:19
VBASE031.VDF : 7.10.6.48 20992 Bytes 4/8/2010 15:07:19
Engineversion : 8.2.1.210
AEVDF.DLL : 8.1.1.3 106868 Bytes 1/30/2010 04:56:22
AESCRIPT.DLL : 8.1.3.24 1282425 Bytes 4/4/2010 12:16:41
AESCN.DLL : 8.1.5.0 127347 Bytes 2/26/2010 02:29:42
AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 15:32:47
AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 15:32:22
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/31/2010 19:26:15
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 15:31:22
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/31/2010 19:26:13
AEHELP.DLL : 8.1.11.3 242039 Bytes 4/4/2010 12:16:41
AEGEN.DLL : 8.1.3.6 373108 Bytes 4/4/2010 12:16:40
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26
AECORE.DLL : 8.1.13.1 188790 Bytes 4/4/2010 12:16:40
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 20:47:40
AVREG.DLL : 10.0.1.2 52072 Bytes 1/29/2010 15:47:41
AVSCPLR.DLL : 10.0.2.3 83304 Bytes 3/7/2010 22:02:30
AVARKT.DLL : 10.0.0.13 227176 Bytes 3/7/2010 21:48:41
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
RCTEXT.DLL : 10.0.46.0 97128 Bytes 3/5/2010 14:09:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\program files (x86)\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,

Start of the scan: Friday, April 09, 2010 21:59

The scan of running processes will be started
Scan process 'avscan.exe' - '64' Module(s) have been scanned
Scan process 'avscan.exe' - '30' Module(s) have been scanned
Scan process 'avcenter.exe' - '64' Module(s) have been scanned
Scan process 'hpqToaster.exe' - '26' Module(s) have been scanned
Scan process 'Com4QLBEx.exe' - '19' Module(s) have been scanned
Scan process 'soffice.bin' - '89' Module(s) have been scanned
Scan process 'jusched.exe' - '29' Module(s) have been scanned
Scan process 'hpqwmiex.exe' - '34' Module(s) have been scanned
Scan process 'avgnt.exe' - '53' Module(s) have been scanned
Scan process 'soffice.exe' - '18' Module(s) have been scanned
Scan process 'TVAgent.exe' - '99' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '72' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '17' Module(s) have been scanned
Scan process 'QLBCTRL.exe' - '43' Module(s) have been scanned
Scan process 'CLMLSvc.exe' - '47' Module(s) have been scanned
Scan process 'TSMAgent.exe' - '61' Module(s) have been scanned
Scan process 'DVDAgent.exe' - '55' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '32' Module(s) have been scanned
Scan process 'HPAdvisor.exe' - '147' Module(s) have been scanned
Scan process 'TVSched.exe' - '39' Module(s) have been scanned
Scan process 'TVCapSvc.exe' - '77' Module(s) have been scanned
Scan process 'RichVideo.exe' - '21' Module(s) have been scanned
Scan process 'BLService.exe' - '26' Module(s) have been scanned
Scan process 'sqlservr.exe' - '54' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '23' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '30' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned
Scan process 'avguard.exe' - '66' Module(s) have been scanned
Scan process 'sched.exe' - '56' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '772' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Users\michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0OGL3O3C\n008106201318r0409J10000601W351462e7Xb4602b79Yffd2de49Z0100f0700[1]
[DETECTION] Is the TR/FakeRean.A.493 Trojan
C:\Users\veemoney\AppData\Local\Temp\jar_cache2218808690872148765.tmp
[0] Archive type: ZIP
[DETECTION] Is the TR/Dldr.Java.Agent.AH Trojan
--> AppletPanel.class
[DETECTION] Is the TR/Dldr.Java.Agent.AH Trojan
--> Main.class
[DETECTION] Is the TR/Dldr.Java.Agent.AH.1 Trojan
Begin scan in 'D:\' <RECOVERY>

Beginning disinfection:
C:\Users\veemoney\AppData\Local\Temp\jar_cache2218808690872148765.tmp
[DETECTION] Is the TR/Dldr.Java.Agent.AH.1 Trojan
[WARNING] The file was ignored!
C:\Users\michael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0OGL3O3C\n008106201318r0409J10000601W351462e7Xb4602b79Yffd2de49Z0100f0700[1]
[DETECTION] Is the TR/FakeRean.A.493 Trojan
[WARNING] The file was ignored!


End of the scan: Saturday, April 10, 2010 08:52
Used time: 1:58:40 Hour(s)

The scan has been done completely.

44207 Scanned directories
1636112 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1636109 Files not concerned
5903 Archives were scanned
2 Warnings
0 Notes

No Expert BUT Yes..Being In Temp

files, you can delete the temp files. Note: You will need to delete them from BOTH your MS IE files (including all OFF LINE files) & from the Java temp files (assuming you have Sun Java of some version). Click on the coffee cup icon and find the cache tab. You can uncheck the box saying enable cache & then click the "Clear" button. You can access both from your Control Panel.

I don't know what this program is:
C:\Users\veemoney\AppData\Local\Temp\jar_cache2218808690872148765.tmp
but VEE Money seems to be the source. I think you need to get rid of the program. Is there an original .zip file of this you installed from? That cache may actually have a copy in the app data file itself so you may have to double check that is removed also.

You may have to delete from *safe mode* if it won't go on its own via delete temp or from the Add/Delete programs IF it is installed & listed there. After removal rescan w/ Avira.

You may, depending WHEN this started, also have to dump your system restore files as copy may be there also?

ADDITIONALLY: Download free program CCleaner *SLIM* (no toolbar) from the last download at the very bottom of the page linked below.

After installing, BEFORE running, go to "OPTIONS" > Settings & uncheck box for "Automatically check for updates" (use below link also to check for updates manually every few months) then go to "Advanced" & uncheck box for "only delete ...Files older than 48 hours" so you will get all temp files. You may recheck the box (if desired) after your clean.

Then run the cleaner section. I run this every time I leave the net to avoid saving trouble. Only takes a few seconds normally BUT first run may take 10 + minutes depending on existing built up amount.

http://www.piriform.com/ccleaner/builds

Good Luck!

Justa Clarification...

When Avira says "ignored" was this because YOU told it to ignore on purpose? To check IF false positive before allowing to quarantine?
Or because Avira couldn't delete & quarantine on its own because it was still active?

IF YOU instructed to ignore, then re-run the scan & let quarantine (it's then no further threat while in quarantine).

My previous instr. assumed (stupid me) that it couldn't and you'd need to remove manually. Actually, it's most likely that CCleaner will remove it all from temp files IF you are sure it's not an important program.

thanks for the reply

Sorry for the late reply. I googled and checked the Avira Antivirus website and there were various posts that were related to pieces of what I was seeing. There was a program that I was able to run, then I ran CCleaner and it appears to have resolved everything. As for the system restore I do have separate restore CDs that I created when I first bought the laptop - so I think I should be ok as far as that goes, right?

Well, What You've Posted

doesn't show any infection found in System Restore or "system volume" so your existing restore points are probably not infected so you won't have to dump them.

Having restore disk as when new is a good thing in general BUT it usually includes all the trial crapola that OEMs get paid to load in there, often w/ stuff anti-spyware often thinks is spyware due to the links back to program homes hoping you'll click on to buy the full version from your trial versions. This might include things like Norton A/V trial which you might not want to re-install.

If machine NOW has ONLY what you want (unwanted stuff gone) & is working very well, then if you can manage, it would be good/better to create another set of back-up CD/DVD disks to use from current status.

Using CCleaner each time you end a net session will help keep you clean. Tip: I have started doing a right click "Refresh" of my desktop immediately after finishing CC run/clean to ensure good full desktop is created for next boot up or before manually creating a restore point. This is because I keep the "only older than 48 hours" box UNCHECKED all the time to deny malware even that time frame to hide in.

Thanks for posting back w/ end results! Glad all is clean now! Good work on your part!! Congrats! Enjoy!
