8 replies to this topic

[Alpha32]

Hi,

I just went on a minecraft site which offers skins, texture packs, tutorials etc but when I googled to find something on it Java opened up and a Malwarebyte's bubble thingy popped up saying it successfully blocked access to a potentially malicious site. I've done 3 or 4 quick scans (lol) just to make sure it wasn't picking up anything but returned no results.

See I don't know if it's just a false positive and Java opening up was for legit use because the site requires it or not. I have been on that site before with no problems and it is a very popular site when it comes to minecraft resources.

The site in question is

planetminecraft.com

and the popup from malwarebyte's + Java was

planetminecraft.com/skin/google-chrome-skin/

I also used norton's safeweb scanner to see if it detected anything or if anyone reported anything but it has a 5.0 rating from 2 submittions. Does anyone have any info on planetminecraft and as to why Java opened + got the warning from malwarebyte's?


Thanks

[Fatdcuk]

Hello Alpha32,

I have just visited and crawled all over the site and could not find any malicious code hosted at the site

However I found that my Java application was not evoked on my test machine so this is an immediate indicator that something is not quite right.

If the webpage was still rendering(viewable)whilst Java was launched on your computer and then the MBAM IP blocker alerted you to outbound connecting to bad IP then this would strongly suggest that you almost collected a "drive-by" infection most probaly c/o a compromised 3rd party ad-server displaying ads on their page.

The mechanism would most probaly have been a java exploit(since java was evoked) which then attempted to download a payload(This is the point where our IP blocker would have made the block\save for you).

I would suggest running the following excellent free tool just to see if all your current applications are up todate.
http://secunia.com/v...nning/personal/

Most exploits target known holes in older versions as a way of penetrating peoples computers.In the case of your Java then you probaly may have older version(s) installed on your computer.

It is considered best practice to always have the most current version and uninstall any older versions that have known security holes.This shuts the door on the vast majority of known java exploit code circulated in the wild.

Safe surfing

[Alpha32]

 Fatdcuk, on 07 January 2012 - 12:24 AM, said:

If the webpage was still rendering(viewable)whilst Java was launched on your computer and then the MBAM IP blocker alerted you to outbound connecting to bad IP then this would strongly suggest that you almost collected a "drive-by" infection most probaly c/o a compromised 3rd party ad-server displaying ads on their page.

Yeah, the site loaded fine, I wasn't redirected or anything. But I do have ad-block plus and didn't have no ads which I could see which made it's way throught the plugin.

 Fatdcuk, on 07 January 2012 - 12:24 AM, said:

I would suggest running the following excellent free tool just to see if all your current applications are up todate.
http://secunia.com/v...nning/personal/

I just ran the scan with the following results:

Quote

Detection Statistics:
9 Applications Detected in Total
8 Insecure Versions Detected
1 Patched Version Detected

There must be at least 30 window updates which I hasn't installed (stupid I know lol), Adobe Reader, Quicktime, Safari, Internet Explorer, WMP, Adobe Flash Player and Java.

The problem with Java is I was told I couldn't update or install a fresh verison as I was infected with fake AV (System Tools) back early last year and as I couldn't run Malwarebyte's or Avast to remove it (kept blocking it from running) I was told to patch my version of Java on the site above but was told I couldn't update Java as it may bring back the fake AV via a new exploit. I don't know how true this is as when it comes to viruses I know nothing :/

However, I do know that Malwarebyte's saved my skin this morning by blocking whatever tried to infect me.. so the favour I can do in return is buy the pro when my trial expires (thankfully the trial reset on 1.60 helped on saving me! )

[Fatdcuk]

 Alpha32, on 07 January 2012 - 02:34 PM, said:

There must be at least 30 window updates which I hasn't installed (stupid I know lol), Adobe Reader, Quicktime, Safari, Internet Explorer, WMP, Adobe Flash Player and Java.

The problem with Java is I was told I couldn't update or install a fresh verison as I was infected with fake AV (System Tools) back early last year and as I couldn't run Malwarebyte's or Avast to remove it (kept blocking it from running) I was told to patch my version of Java on the site above but was told I couldn't update Java as it may bring back the fake AV via a new exploit. I don't know how true this is as when it comes to viruses I know nothing :/

Hi,

I have never heard of such an updating vulnerability with Java so most conclude you have received some incorrect advice with regards to this.

Best security practice would be to uninstall all older versions and update to most recent ones.Also apply all windows security updates as more often then not they are patchs to close newly exposed holes in their operating system or products.

Best to close up all those security holes so you dont have to rely on whether your current security blacklisting covers the next attack that would be exploiting them.

Shutting those open doors would greatly increase your level of security by giving malicious code less easy targets to gain entry onto your computer.

Reverse security logic is the more holes you have in your computer security then the greater the probability your computer will be sucessfully attacked

Time to get busy updating, safe surfing

[Alpha32]

Yeah, problem is when I get an message saying a update is ready to be installed it's usually when i'm busy doing something so I just leave it but then forget about it and over time it just mounts up.

I have a free night tonight so i'll get busy with the window updates for starters, probably will be the one that will take the longest to install.


Thanks for your help

[Alpha32]

Sorry for the double post but I just did a full scan (first one for over a year) and found a Trojan.Agent.PE3 (whatever that is) which is located in AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\ folder. Maybe this could be the cause to Java opening up when I visit minecraftplanet?

I've had a few Trojan.Agent viruses over the years but never seen one with .PE3 attached to it. What exact harm could this do? Considering I do alot of banking (PayPal) on this computer, I don't want my details to be at risk.


Also, the reason I did a full scan was because my Firefox browser wouldn't close when I clicked on it when I had hotmail open. All the X would do was flash like as if the cursor kept hovering over it and when I opened the task manager (processes) I noticed AcroRd32.exe was running (still is) and thought I may have been infected but a quick scan never picked anything up and all the full scan found was that Trojan but i've never known AcroRd32.exe to be running unless it was open, I did recently restart my PC but never ever have been that process to be open.

[Fatdcuk]

Hello Alpha32,

You really do need to update all your applications including Adobe as it looks like that has been evoked by yet another exploit.Having known holes in your security is like a human playing Russian roulette, You might get lucky a few times but ultimatley you will catch a bullet sooner later!

Hotmail webpage does display rotating 3rd party banner ads. Hotmail might be secure but unfortunetly from time to time those banner ads are serving up exploit code

AcroRd32.exe is only legitimatly evoked when attempting to view a PDF document via your browser. No online PDF document usage in the same session as seeing that process in memory = Not legitimate usage(immediate cause for concern).

Have just checked in our database to see the signature producing that detection but it was based soley at targeting a packer string so the file could be a number of things.

The fact we detect the file when sniffing it on a fullscan means automatically that if it had attempted to load into memory or was already memory resident either our realtimer Protection Module would have blocked or our quick scan would have picked it up.

In the absense of either detection i would say that the file has been written to disk probaly downloaded by one your exploits but it failed to be loaded into memory where it would have been able to carry out it operations.

That said it would be prudent to have your computer looked over just to make sure that nothing else has sneeked past us, It does happen occaisionally as no blacklisting software will know all malicious code that is created.

Since your are a paid up customer here are several options where you get a quick checkover for your PC.Please make use of one and in your initial contact please give a link back to this post so whoever helps you has a point of reference as to how best best assist you.

Please read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here.
One of the expert helpers there will give you one on one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless its been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

*If you would prefer to be assisted via email isntead you may contact support@malwarebytes.org and one of our support staff members will assist you directly.

**If you are a reseller, affiliate, technician, corporate, business, educational, government or non-profit customer then please contact corporate-support@malwarebytes.org and include full contact details along with your Reference # when you do to ensure that you receive prompt assistance.

[Alpha32]

Problem is, I did update all my software and that which needed updating.

Also I ain't a paying customer, I'm on the trial but once it runs out (4 days) I will be buying it!

[Fatdcuk]

Hi,

Please feel free still to use one of the first 2 options for getting your PC checked out.

Safe surfing