I run Windows 98SE with a Promise drive array as drive C. I also have drives D, E, and F. SFC, Scandisk & Defrag all run fine - P4 3.4GHz, 500 MB memory, IE6, CA eTrust EzAntivirus (paid version), ZoneAlarm (free version), BHOdemon, Secretmaker, SpyWareBlaster (paid version), WinPatrol (paid version), AdAware SE free version and SpyBot, all updated daily and latest versions. SFC runs without reporting anything wrong with any system file. I religiously do signature downloads/updates & full screens whenever I get up from the PC, sometimes several times daily.
All ran well until I downloaded the latest Java Runtime Environment on 10/6/05. I suddenly got strange anti-virus messages from ezAntivirus. It said that a whole series of files in
C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
were infected, but that it could not remove or quarantine them. These are all ZIP files, which are still in the above folder ...\jar and have strange names, the first is
a.jar-228d5c98-53736ebc.zip
All these files are accompanied by an idx file with the same prefix:
a.jar-228d5c98-53736ebc.idx
EzAntivirus calls them "a.class", "Dummy.class", "Verifierbug.class", "Gummy.class", and "Counter.class". Weirder yet, instead of removing them, their designations as JavaByteVerifyExploit and Java/Shinwow are highlighted as a web link and there I find the explanation:
Description
This is not a virus, but rather a method to exploit a security vulnerability in the Microsoft Virtual Machine. This vulnerability arises as the ByteCode verifier in the Microsoft Virtual machine does not correctly check for the presence of certain malformed code when a Java applet is loaded. Attackers could exploit this vulnerability by creating malicious Java applets and inserting them into web pages. These web pages could be hosted on a site by a malicious web master, or could be sent to users as an attachment. To read more about this issue, and to download the necessary patches, please visit:
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
For more information, or for examples of this exploit in action, please see the description of the following malware (found elsewhere in the encyclopedia):
Java.Shinwow
Note: this detection may be triggered by merely visiting a web page that contains malicious code. It does not necessarily mean your machine has been compromised, nor that your machine is vulnerable to this particular exploit.
Now, these weird ZIP files began to proliferate: At first, there were only 3 such "maybe-viruses" found by ezAntivirus, but then there were more and more, from recognizable web visits strange ZIP files formed and were kept in these directories. I now have 53 occurrences marked as such irremovable "exploits", with which I apparently should have to live. But I never had any of this before I installed the Java Runtime Environment and have the following questions:
1. Why did the complete uninstall, which went well, as did the subsequent reboot, NOT remove this entire directory tree:
C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
2. Do I need this bizarre array of folders like ...\jar, or for that matter, that entire tree from \Sun\Java... on at all, or can I safely remove it from C:\WINDOWS\Application Data?
I almost never needed that unstable and weird Java crap and am sorry now that I created this mess.
Note: Before uninstalling the Java crap, I was only able to reboot into Safe Mode. If I wanted to get back into Windows, I had to boot to Command Prompt only, run scanreg /restore, click on a previous version of the registry that was not started yet and only then could I finally boot into Windows - ruinously labor intensive.
All this went away when I uninstalled ezAntivirus, then uninstalled the Java Environment from Add/Remove Programs (it has a strange name there - something like j2se and then something about an update to version 5.0 - I am sorry that I did not write that down, I removed it and, of course, can't see it any more, but it was the download from Sun).
In my experience, no download from Sun ever worked right in my Windows 98SE environment and having uninstalled it and reinstalled ezAntivirus now allows me upon Restart to boot steadily back into Windows 98SE. Does the above directory tree from \Sun... on down serve any function, or can it be safely removed, along with all the garbage, ezAntivirus keeps marking as "exploits"?
Or am I maybe being deceived, that the real cause for all this is something else?
Thank you very much in advance.
Sincerely,
Bernard