# Is it safe to delete these files?



## Fractalogic (Jul 4, 2010)

Hi there!

Well, my computer had a virus infection last weekend. I had Rootkit.Win64.TDSS.fa in memory and Rootkit.Win32.TDSS.mbr on a disk drive, among other things. But Kaspersky Virus Removal Tool (VRT) took care of it. I checked the logs from Kaspersky VRT now and found that the following files were not deleted from the computer. The search paths are from the log (user name replaced with an X) and the name of the malware is to the left of each path.


```
The file jar_cache8022171492559598604.tmp
Trojan-Downloader.Java.Agent.ij: C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8022171492559598604.tmp/applet.class

The file jar_cache8061785847061396868.tmp
Trojan-Downloader.Java.Agent.hx: C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/a.class
Trojan-Downloader.Java.OpenConnection.cg: C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/KAVS.class

The file 527d4eae-43ae166b and or 527d4eae-43ae166b.idx
Trojan-Downloader.Java.Agent.bm: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hieeyfc.class
Trojan-Downloader.Java.Agent.bm: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hirwfee.class
Trojan-Downloader.Java.Agent.bm: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hiydcxed.class

The file 50f48385-440392c7 and or 50f48385-440392c7.idx
Trojan-Downloader.Java.OpenConnection.ay: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\50f48385-440392c7/bpac/a.class
Trojan-Downloader.Java.OpenConnection.cg: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\50f48385-440392c7/bpac/KAVS.class

The file 38157133-75c0c142 and or 38157133-75c0c142.idx
Trojan-Downloader.Java.OpenConnection.ay: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\38157133-75c0c142/bpac/a.class
Trojan-Downloader.Java.OpenConnection.cg: C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\38157133-75c0c142/bpac/KAVS.class
```
I've seen that it has deleted some of the infected objects listed in the log because I cannot find them anymore on the computer. But the files above had not been deleted. Have they been disinfected perhaps, so that they no longer contain the virus? In the log it just says for each object that the default countermeasure had been taken, but what the default countermeasure is varies from object to object; sometimes it's to try to disinfect it, but it can also mean deletion if the disinfection fails. So that doesn't tell me much.

Is it safe to delete these files? I would like to delete these files just to be sure the viruses are gone. But what are jar_cache files used for? I don't want to mess something up, again.

What kind of files are those located in LocalLow\Sun\Java\Deployment\? There are for example two files named 38157133-75c0c142 where one of them has the extension IDX while the other does not. They usually have different sizes so they are not binary identical. Those without the IDX extension can be up to 80 times the size of the ones with the IDX extension, so when the one with the extension is 1 KB then the one without the extension is 80 KB. What are these used for? What is IDX?

Thanks in advance!


----------



## Fractalogic (Jul 4, 2010)

Alright now, it's time for an update. It seems like I have answered some of these questions on my own.

I have deleted the files in C:\Documents and Settings\X\AppData\Local\Temp and all the files in the C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache directory except for the sub directories.

Since these files located in LocalLow\Sun\Java\Deployment\cache can contain viruses, it may be useless to delete them because in some cases they reappear even though you have deleted them. So you should first run a virus scan of the cache directory or the whole Java parent directory, and then delete the cache files.

There is a special procedure for deleting the Java cache files. You go to your Control Panel and double click the Java icon when in classic view mode. If you use the default view in Windows Vista or 7, you have to click Additional Options first on the first page of Control Panel, and then click the Java icon.

This is especially true for those running 64-bit Vista or 7, because 32-bit Windows Control Panel applets are normally not displayed. When you click the Additional Options link on the first page of Control Panel, there is actually a link titled "View 32-bit Control Panel Items". You have to click it first to see the Java icon in the Control Panel. You may also search for it by typing "32-bit" in the search field at the top right of Control Panel (Vista).

Once in the Java Control Panel, under the General tab click the Settings button in the Temporary Internet Files section. Then you can just click the Delete Files button and click OK. Or you can even disable Java temporary files by unchecking the "Keep temporary files on my computer" box.

This is what I did to remove these files. This procedure removes all IDX files but does not seem to delete their counterpart files without the IDX suffix. I figured out that IDX stands for Index.

Then I browsed to C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\ and used the `*.*` wildcard expression to list all files in \cache\6.0 regardless of their location. Then I grouped them, clicked the group name to mark them all, and hit Delete to delete them all. This way I removed all the remaining Java cache files that were left behind.

I hope this is helpful to anyone looking for information on these damn Java cache files that often infect computers with viruses. They only speed up things a little bit when visiting different websites running Java applets. Go figure if it's worth it. I would suggest unchecking that box to disable this feature in Java control panel.

Have a good time!


----------



## Elvandil (Aug 1, 2003)

It doesn't really matter if the files contain viruses. They can't do anything unless executed, and files that can't be executed can't cause any problems. Since most of the files (all?) that you have specified are not executable, they can not harm anything.

Viruses rarely go to such hidden locations. They may produce files that end up there, but since they need to be "run", like any program, they generally infect active areas of the machine where they can be executed, often by the user. Even if those folders were filled with viruses, since they are not alive, they could never harm anything and would just sit there.

Unless you have space problems and need a new drive, it is not a good idea to delete files that you do not understand, especially ones that could not possibly infect. If you wonder if files are infected, scanning is what the anti-virus program exists for.


----------



## Fractalogic (Jul 4, 2010)

Hello Elvandil! Thanks for the reply!

Yes, I would normally agree with you. You are absolutely right. Except for one thing. Those files were identified as infected objects by Kaspersky Virus Removal Tool, version 9.0.0.722 (updated 2011-03-18). I pulled those out from the log. Here is the complete log, as is.


```
Automatisk sökning: stoppad 20 minuter sedan   (händelser: 27, objekt: 1212196, tid: 03:07:38)    
2011-03-18 21:15:21    Uppgiften har startats        Standardåtgärden är vald    
2011-03-18 21:29:53    Upptäckt: Trojan-Downloader.Java.Agent.ij    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8022171492559598604.tmp/applet.class    Standardåtgärden är vald    
2011-03-18 21:29:53    Upptäckt: Trojan-Downloader.Java.Agent.hx    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/a.class    Standardåtgärden är vald    
2011-03-18 21:30:30    Upptäckt: Exploit.JS.Pdfka.chz    C:\Documents and Settings\X\AppData\Local\Temp\plugtmp-12\plugin-footletwistaround.pdf/data0000    Standardåtgärden är vald    
2011-03-18 21:35:29    Borttagen: Trojan-Downloader.Java.Agent.hx    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/a.class    Standardåtgärden är vald    
2011-03-18 21:35:29    Upptäckt: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/KAVS.class    Standardåtgärden är vald    
2011-03-18 21:36:43    Borttagen: Exploit.JS.Pdfka.chz    C:\Documents and Settings\X\AppData\Local\Temp\plugtmp-12\plugin-footletwistaround.pdf    Standardåtgärden är vald    
2011-03-18 21:37:37    Borttagen: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/KAVS.class    Standardåtgärden är vald    
2011-03-18 21:37:37    Borttagen: Trojan-Downloader.Java.Agent.ij    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8022171492559598604.tmp/applet.class    Standardåtgärden är vald    
2011-03-18 21:38:05    Upptäckt: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hieeyfc.class    Standardåtgärden är vald    
2011-03-18 21:38:17    Upptäckt: Trojan-Downloader.Java.OpenConnection.ay    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\50f48385-440392c7/bpac/a.class    Standardåtgärden är vald    
2011-03-18 21:38:18    Upptäckt: Trojan-Downloader.Java.OpenConnection.ay    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\38157133-75c0c142/bpac/a.class    Standardåtgärden är vald    
2011-03-18 21:39:23    Borttagen: Trojan-Downloader.Java.OpenConnection.ay    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\50f48385-440392c7/bpac/a.class    Standardåtgärden är vald    
2011-03-18 21:39:24    Upptäckt: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\50f48385-440392c7/bpac/KAVS.class    Standardåtgärden är vald    
2011-03-18 21:39:24    Borttagen: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hieeyfc.class    Standardåtgärden är vald    
2011-03-18 21:39:25    Upptäckt: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hirwfee.class    Standardåtgärden är vald    
2011-03-18 21:40:01    Borttagen: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\50f48385-440392c7/bpac/KAVS.class    Standardåtgärden är vald    
2011-03-18 21:41:11    Borttagen: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hirwfee.class    Standardåtgärden är vald    
2011-03-18 21:41:11    Borttagen: Trojan-Downloader.Java.OpenConnection.ay    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\38157133-75c0c142/bpac/a.class    Standardåtgärden är vald    
2011-03-18 21:41:12    Upptäckt: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\38157133-75c0c142/bpac/KAVS.class    Standardåtgärden är vald    
2011-03-18 21:41:12    Upptäckt: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hiydcxed.class    Standardåtgärden är vald    
2011-03-18 21:41:36    Borttagen: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\38157133-75c0c142/bpac/KAVS.class    Standardåtgärden är vald    
2011-03-18 21:42:06    Borttagen: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hiydcxed.class    Standardåtgärden är vald    
2011-03-19 00:11:34    Upptäckt: MEM:Rootkit.Win64.TDSS.fa    Okänt program    Standardåtgärden är vald    
2011-03-19 00:12:50    Kan inte säkerhetskopieras: MEM:Rootkit.Win64.TDSS.fa    Okänt program    Standardåtgärden är vald    
2011-03-19 00:21:52    Upptäckt: MEM:Rootkit.Win64.TDSS.fa    System Memory    Standardåtgärden är vald    
2011-03-19 00:22:59    Uppgiften har stoppats        Standardåtgärden är vald    
Desinficera aktiva hot: slutförd 15 minuter sedan   (händelser: 8, objekt: 4472, tid: 00:05:36)    
2011-03-19 00:22:59    Uppgiften har startats        Standardåtgärden är vald    
2011-03-19 00:23:00    Upptäckt: MEM:Rootkit.Win64.TDSS.fa    System Memory    Standardåtgärden är vald    
2011-03-19 00:23:00    Desinficerad: MEM:Rootkit.Win64.TDSS.fa    System Memory    Standardåtgärden är vald    
2011-03-19 00:23:00    Desinficerad: MEM:Rootkit.Win64.TDSS.fa    System Memory    Standardåtgärden är vald    
2011-03-19 00:27:04    Upptäckt: Rootkit.Win32.TDSS.mbr    \Device\Harddisk1\DR1    Standardåtgärden är vald    
2011-03-19 00:28:26    Desinficerad: Rootkit.Win32.TDSS.mbr    \Device\Harddisk1\DR1    Standardåtgärden är vald    
2011-03-19 00:28:26    Desinficerad: Rootkit.Win32.TDSS.mbr    \Device\Harddisk1\DR1    Standardåtgärden är vald    
2011-03-19 00:28:35    Uppgiften har slutförts        Standardåtgärden är vald
```
You cannot say I did not scan the computer for viruses with an anti-virus program. I did. Kaspersky Virus Removal Tool is a type of anti-virus program. It's a free virus removal tool from Kaspersky.

For sure, Virus Removal Tool is not equally as good as Kaspersky Anti-Virus or the Internet Security suite, but nevertheless, it is an anti-virus program. The thing is I was not able to install the Kaspersky Internet Security suite because upon starting the installer it detected a virus infection and the virus prevented it from being installed. So the installer suggested I use the Kaspersky VRT first to remove the virus in order to install the Internet Security suite. Which I did. The results are seen above. The complete scan of the C system disk took about 3 hours to complete.

If those files are not infected as you say, why would Kaspersky VRT detect them as viruses?

I believe they must contain at least some traces of viruses, which causes VRT to react to them the way it does or did.

For instance, for the file 527d4eae-43ae166b it clearly says "Hiydcxed.class". Those types of things are at least part of an infected object, spread out throughout the system, so the user as you say, would normally not expect to find it there.

*PS.* I chose to install with Swedish language support. But the headings above are pretty much self-explanatory. If anything needs to be translated to English just ask and I'll translate it.
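The question running through this thread is which of the flagged files the tool actually acted on. The following is an added example, not code from the thread or from Kaspersky: a small Python parser for the VRT log layout quoted above (tab-separated fields, Swedish event names as logged). It assumes the convention visible in the log that the part of a path before the first `/` is the file on disk (a `jar_cache*.tmp` or a Deployment cache blob) and the part after it is the entry inside that archive. The sample log is a constructed excerpt of the one above, with the removal line for `Hieeyfc.class` left out so the unresolved case is exercised.

```python
import re

# Constructed excerpt of the VRT log quoted in this thread. Fields are tab-separated
# in the real log; here the tabs are written as runs of four spaces, as the forum
# rendered them. The "Borttagen" line for Hieeyfc.class is deliberately omitted.
SAMPLE_LOG = r"""
2011-03-18 21:15:21    Uppgiften har startats        Standardåtgärden är vald
2011-03-18 21:29:53    Upptäckt: Trojan-Downloader.Java.Agent.hx    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/a.class    Standardåtgärden är vald
2011-03-18 21:35:29    Borttagen: Trojan-Downloader.Java.Agent.hx    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/a.class    Standardåtgärden är vald
2011-03-18 21:35:29    Upptäckt: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/KAVS.class    Standardåtgärden är vald
2011-03-18 21:37:37    Borttagen: Trojan-Downloader.Java.OpenConnection.cg    C:\Documents and Settings\X\AppData\Local\Temp\jar_cache8061785847061396868.tmp/bpac/KAVS.class    Standardåtgärden är vald
2011-03-18 21:38:05    Upptäckt: Trojan-Downloader.Java.Agent.bm    C:\Documents and Settings\X\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\527d4eae-43ae166b/sklif/Hieeyfc.class    Standardåtgärden är vald
2011-03-19 00:21:52    Upptäckt: MEM:Rootkit.Win64.TDSS.fa    System Memory    Standardåtgärden är vald
2011-03-19 00:23:00    Desinficerad: MEM:Rootkit.Win64.TDSS.fa    System Memory    Standardåtgärden är vald
"""

# Swedish event names exactly as they appear in the log, mapped to a neutral state.
EVENT_STATE = {"Upptäckt": "detected", "Borttagen": "deleted", "Desinficerad": "disinfected"}

def parse_vrt_lines(text):
    """Yield (timestamp, event, threat, object) for every detection/action line.
    Section headers and task lines have fewer than four fields and are skipped."""
    for raw in text.splitlines():
        fields = re.split(r"\t|\s{2,}", raw.strip())
        if len(fields) < 4:
            continue
        event, sep, threat = fields[1].partition(": ")
        if sep:
            yield fields[0], event, threat, fields[2]

def summarize_vrt_log(text):
    """Group events by the file actually on disk: the text before the first '/' is the
    container (jar_cache*.tmp or a Deployment cache blob), the text after it is the
    flagged entry inside that archive. The last event logged for an object wins."""
    report = {}
    for _ts, event, threat, obj in parse_vrt_lines(text):
        container, _, entry = obj.partition("/")
        info = report.setdefault(container, {"entries": {}, "container_action": None})
        state = EVENT_STATE.get(event, "other:" + event)
        if not entry and state != "detected":
            info["container_action"] = state   # action recorded on the object itself
        info["entries"][entry or "<whole object>"] = (threat, state)
    return report

def unresolved(report):
    """Containers holding a flagged entry whose last logged event was only a detection."""
    return sorted(c for c, i in report.items()
                  if any(s == "detected" for _, s in i["entries"].values()))

if __name__ == "__main__":
    for container, info in summarize_vrt_log(SAMPLE_LOG).items():
        print(container, info["container_action"], info["entries"])
    print("still flagged:", unresolved(summarize_vrt_log(SAMPLE_LOG)))
```

Run against the full log above, every archive container comes back with `container_action` of `None`: the tool logs actions on the entries inside the `.tmp` and cache files, never on those files themselves, which is consistent with them still being on disk and is why the log alone cannot say whether the remaining container files are clean.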


----------

