Hello people of the interwebs!
I tried to search for my problem here, but I couldn't find it, so I decided to make a post about it to see if any of you guys could help me with it. I use a PC with Windows 7.
So basically this problem has been ongoing for 2-3 months now, and it all started when a hacked Steam messenger messaged me a Java file that might've contained a virus. I clicked on it and then boom. I immediately deleted the file, cleaned my CPU from it, and scanned it with Malwarebytes.
However, over these past few months, at startup, in the Task Manager, I always have a Javaw.exe running at 1.5-2 million memory. I usually just end the process and continue with my business.
I've tried to solve it many times, by reinstalling Java and by deep and startup scanning with Avast, but to no avail. If you guys need more information feel free to ask; I'm not sure what to give since I am still in high school and naive about antivirus.
Thank you!
Quote: "in the task manager, I always have a Javaw.exe running at 1.5-2 million memory."
Upload and test the file at www.virustotal.com. If it has been tested before, click rescan for a fresh result. Post the link to the scan result here.
follow instructions here https://forum.avast.com/index.php?topic=53253.0
attach requested logs
when done a malware expert will assist you when online … it may take hours
seems like there’s a backdoor
here are the logs
Scan this: Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoUpdater.jar
you did not click rescan for a fresh result … Analysis date: 2015-05-29 15:30:43 UTC ( 3 days, 9 hours ago )
anyway it is a false positive from Agnitum
First submission 2015-05-01 17:32:25 UTC ( 1 month ago )
Authenticode signature block
Copyright: Copyright © 2015
Publisher: Oracle America
Product: Java(TM) Platform SE 8
Original name: javaw.exe
Internal name: javaw
File version: 8.0.45.15
Description: Java(TM) Platform SE binary
Signature verification: Signed file, verified signature
Signing date: 9:06 PM 4/30/2015
Signers: Oracle America; Symantec Class 3 SHA256 Code Signing CA; VeriSign
Counter signers: Symantec Time Stamping Services Signer - G4; Symantec Time Stamping Services CA - G2; Thawte Timestamping CA
malware expert will be back online tomorrow
I’m so sorry, I forgot to reanalyze both files, here are the updated ones:
Just on a side note, Pondus, are you a bot?
Makes you wonder, doesn’t it? But, no, he’s not. He’s an actual Human being, on a computer.
Not a surprise to see that listed as being malware. I suspect someone will remove it along the way. Jar files shouldn’t be auto-starting with Windows.
Edit:
FYI: The reason why javaw.exe is being detected rather than the AutoUpdater.jar file is because Java runs the Jar file. Java can't tell if it's malicious or not. You see the same thing with games like Minecraft that use .JAR files. When you launch Minecraft, you're launching javaw.exe*32. That's why we recommend removing Java unless absolutely needed.
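Added example, not code from this thread or from the Avast forum: a PowerShell script that does what the replies above describe by hand, namely map every running javaw.exe to the .jar it was launched with (Task Manager only shows the Java binary), then list .jar files in the per-user and all-users Startup folders and any Run/RunOnce values that invoke Java. It assumes Windows 7 with PowerShell 2.0 or later; run it as the affected user so HKCU and %APPDATA% resolve to the right profile.

```powershell
# Added example (not from the thread). Windows 7, PowerShell 2.0+, run as the affected user.

function Get-JavaProcessJars {
    # Task Manager shows only "javaw.exe"; the command line carries the .jar it is running.
    Get-WmiObject Win32_Process -Filter "Name = 'javaw.exe' OR Name = 'java.exe'" |
        ForEach-Object {
            $cmd = $_.CommandLine
            $jar = $null
            # Association launch (double-click or Startup folder): javaw.exe -jar "C:\path\file.jar"
            if ($cmd -match '(?i)-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))') {
                if ($Matches[1]) { $jar = $Matches[1] } else { $jar = $Matches[2] }
            }
            # Fallback: a .jar given via -cp/-classpath or anywhere else on the line
            elseif ($cmd -match '(?i)([a-z]:\\[^"]*?\.jar)') { $jar = $Matches[1] }
            New-Object PSObject -Property @{
                PID          = $_.ProcessId
                Exe          = $_.ExecutablePath
                Jar          = $jar
                WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB)
            }
        }
}

function Get-StartupJars {
    # The persistence used in this thread: a .jar dropped into the user's Startup folder,
    # which Explorer launches through the .jar file association.
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Filter *.jar -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-JavaRunValues {
    # Run/RunOnce values in both hives (plus the 32-bit view on x64) that point at Java or a .jar
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # skip the provider's own metadata
            if ("$($p.Value)" -match '(?i)\.jar\b|javaw?\.exe') {
                New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

'== java/javaw processes and the .jar they run =='
Get-JavaProcessJars | Format-Table PID, WorkingSetMB, Jar, Exe -AutoSize
'== .jar files in Startup folders =='
Get-StartupJars | Format-Table -AutoSize
'== Run/RunOnce values invoking Java =='
Get-JavaRunValues | Format-Table Key, Name, Command -AutoSize
```

The point of the first function is the one made in the reply above: a VirusTotal hit on javaw.exe is noise, the .jar named on its command line is what to upload and scan. Submitting the .jar that the script finds in the Startup folder, rather than the signed Oracle binary, gives a useful result.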
First submission 2015-06-02 00:19:18 UTC ( 10 hours, 7 minutes ago ) Last submission 2015-06-02 00:49:48 UTC ( 9 hours, 36 minutes ago )
it is new ^^
Let me know how the computer is after this
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-3799384054-596061444-940522682-1000\...\Run: [Boxoft Tools] => C:\ProgramData\Boxtools\Boxofttoolbox.exe [514048 2010-12-15] ()
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL => C:\PROGRA~3\Wincert\WIN64C~1.DLL File not found
AppInit_DLLs: C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll => C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll File not found
AppInit_DLLs: C:\PROGRA~2\SETTIN~1\systemk\x64\syskldr.dll => C:\PROGRA~2\SETTIN~1\systemk\x64\syskldr.dll File not found
AppInit_DLLs-x32: C:\PROGRA~3\Wincert\WIN32C~1.DLL => "C:\PROGRA~3\Wincert\WIN32C~1.DLL" File not found
AppInit_DLLs-x32: C:\PROGRA~2\Linkey\IEEXTE~1\iedll.dll => "C:\PROGRA~2\Linkey\IEEXTE~1\iedll.dll" File not found
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browsemngr.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browsermngr.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\bundlesweetimsetup.exe: [Debugger] tasklist.exe
IFEO\cltmngsvc.exe: [Debugger] tasklist.exe
IFEO\delta babylon.exe: [Debugger] tasklist.exe
IFEO\delta tb.exe: [Debugger] tasklist.exe
IFEO\delta2.exe: [Debugger] tasklist.exe
IFEO\deltainstaller.exe: [Debugger] tasklist.exe
IFEO\deltasetup.exe: [Debugger] tasklist.exe
IFEO\deltatb.exe: [Debugger] tasklist.exe
IFEO\deltatb_2501-c733154b.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\iminentsetup.exe: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\rjatydimofu.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\sweetimsetup.exe: [Debugger] tasklist.exe
IFEO\tbdelta.exetoolbar783881609.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoUpdater.jar [2015-03-15] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3799384054-596061444-940522682-1000] ATTENTION ==> Default URLSearchHook is missing
BHO-x32: No Name -> {6AC15D28-71DE-9984-2276-5E0A9F988F00} -> No File
Toolbar: HKU\S-1-5-21-3799384054-596061444-940522682-1000 -> No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - No File
CHR Extension: (Plus-HD-9.3) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\gngfnjclpjflgomhidfecidndbfaniak [2014-04-01]
2015-05-16 23:18 - 2015-05-16 23:18 - 00000000 _____ () C:\Windows\SysWOW64\REN5763.tmp
2015-05-16 23:04 - 2015-05-21 23:45 - 00000000 ____D () C:\Users\User\Downloads\sarkar
2015-05-16 13:53 - 2015-05-16 22:56 - 00000000 ____D () C:\ProgramData\SecTaskMan
2015-05-16 13:53 - 2015-05-16 13:53 - 00000000 ____D () C:\Users\User\AppData\Local\SecTaskMan
2015-06-01 14:58 - 2013-01-25 19:42 - 00000000 ____D () C:\ProgramData\Boxtools
2015-05-31 19:06 - 2013-01-28 19:48 - 00000000 ____D () C:\Program Files (x86)\WebSearch
Task: {61A6506C-8F8A-4DB6-A3E2-F6D29195D8B8} - \SoftUpdateDaily No Task File <==== ATTENTION
Task: {F8684EB5-B0D9-4A8A-8ECF-E5F3E9F87875} - \SoftUpdateLogon No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
Hosts:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
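Added example, not part of the thread and not FRST's own code: a PowerShell audit of three of the persistence points the fixlist above cleans, so the result can be checked independently of the FRST log. It reads the Image File Execution Options keys for Debugger values (the "IFEO blacklist" of tasklist.exe redirects), the AppInit_DLLs values together with the LoadAppInit_DLLs switch, and the Task Scheduler cache for tasks whose XML definition is missing (what FRST reports as "No Task File"). It assumes Windows 7 with PowerShell 2.0 or later and must run from an elevated prompt, because the TaskCache key is not readable by standard users; it only reads, never writes.

```powershell
# Added example (not from the thread or from FRST). Windows 7, PowerShell 2.0+, run elevated. Read-only.

function Get-IfeoDebuggers {
    # A 'Debugger' value under Image File Execution Options makes Windows start that program
    # instead of the named exe. Pointing it at tasklist.exe (as in the fixlist) just stops the exe
    # from running; pointing it at something else would silently replace the exe, so every entry
    # deserves a look.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $dbg; Key = $_.PSPath }
            }
        }
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs are loaded into every process that loads user32.dll when LoadAppInit_DLLs is 1.
    # Entries whose file is missing (as in this fixlist) still matter: a later dropper only has to
    # recreate the file to get code into every GUI process.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty $key
        $dlls = "$($p.AppInit_DLLs)" -split '[ ,]' | Where-Object { $_ }
        foreach ($dll in $dlls) {
            New-Object PSObject -Property @{
                Key         = $key
                Dll         = $dll
                LoadEnabled = $p.LoadAppInit_DLLs
                FileExists  = Test-Path $dll
            }
        }
    }
}

function Get-OrphanedTasks {
    # Tasks registered in the scheduler's cache whose definition file under
    # %SystemRoot%\System32\Tasks is gone. The registration survives a crude delete of the XML.
    $cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    if (-not (Test-Path $cache)) { return }
    Get-ChildItem $cache | ForEach-Object {
        $taskPath = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Path
        if ($taskPath) {
            $file = Join-Path "$env:SystemRoot\System32\Tasks" $taskPath.TrimStart('\')
            if (-not (Test-Path $file)) {
                New-Object PSObject -Property @{ Id = $_.PSChildName; Task = $taskPath; MissingFile = $file }
            }
        }
    }
}

'== IFEO Debugger values =='
Get-IfeoDebuggers | Format-Table Image, Debugger -AutoSize
'== AppInit_DLLs (LoadEnabled=1 means they are actually injected) =='
Get-AppInitDlls | Format-Table Dll, FileExists, LoadEnabled -AutoSize
'== Scheduled tasks with a missing definition file =='
Get-OrphanedTasks | Format-Table Task, MissingFile -AutoSize
```

Run it before and after the FRST fix: before, the output should list the same IFEO images, AppInit DLLs and the two SoftUpdate tasks that appear in the fixlist; after, all three sections should be empty. Anything left over in the IFEO section that points somewhere other than tasklist.exe is worth posting in the thread rather than deleting blindly.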
Yay! Good news it’s fixed, I’ll post the log just in case there’s any other problems left, but thank you to everyone that helped me!
If the experts don’t mind I have a few follow up questions:
- What was actually wrong with my computer? Was it a virus?
- What did you do to get rid of it?
- Are you guys paid to do this, or do you volunteer all these hours into helping people?
You guys are all amazing, and were very nice and fast. Thank you!
Could you post the FRST fixlog please
The file was a generic downloader for adware programmes, now removed
Just deleted the relevant files and their associated registry entries
All done for free
um… did I post the wrong one? oops
-
Not technically. It would've been classified as malware or a Java exploit… Viruses are self-replicating, without your interaction.
-
We used specialized tools and directed them to remove the malicious files on your system, along with the IFEO Blacklist.
-
We are paid by your thankfulness. We mostly volunteer, but, some of the Experts here, have Paypal accounts if you wish to donate. Some choose not to accept them at all, but rather direct them towards who trained them, or the website that provides the stomping grounds. (Lingo for the online University).
And thank you. We aim to please.
FYI: You can find most of the Experts like Essex all over the interwebs. We aren’t limited to strictly Avast!.
A few of the experts were trained at G2G, where Essex Teaches: http://www.geekstogo.com/forum/.
A very useful site, for practically everything computer related.
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:
Remove tools
Download and run Delfix
Select the options as shown
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version
https://dl.dropboxusercontent.com/u/73555776/javara.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Update and run weekly to keep your system clean
Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe
Thanks for all your help!
I’m just wondering, what makes Java so bad to run?
It’s so widely used, and so easily exploitable. I don’t know what causes the exploits, but I do know we have to have a briefing (End Speech) for it.
And you are quite welcome.