Problems with Java Virtual Machine

Sorry Jim we were posting at same time seee my post #18

See this link! have you ran Spybot and Adaware lately?
http://www.artima.com/forums/flat.jsp?forum=1&thread=61427

Run HJT and look for any entries similar to the below and remove them!

O4 - HKLM\..\Run: [WebRebates] javaw -cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates "

Do this first before SpyBot and Adaware, if it cures or not then do the the scans.

Mike

 

See my post #20.

I run both Spybot and Ad-Aware on a regular basis, and have done so several times since becoming aware of the problem.

That was one of the first sites I looked at, but didn't find anything relevant or helpful.

Will do.

 

You could get the Portable Opera that installs no registry items and does not effect any other browser installed. Good to have in reserve and for 2nd opinions as needed here.

Why not post a HJT and a Deckards Log to allow us to see if anything else pops out that may effect this.

mike

 

Hi Mike,

I'd never heard of Deckard's System Scanner before, and am unable to download it from the Geeks to Go! website ... apparently the link is broken.

Here's an HJT log, but there's nothing remotely resembling what you said to look for.

Logfile of HijackThis v1.99.1
Scan saved at 13:03:55, on 4-7-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAM FILES\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\AVG\ANTI-V~1\avgcc.exe
C:\PROGRAM FILES\VirtualDrive Pro\VHD\RDTask.exe
C:\PROGRAM FILES\Spyware Doctor\pctsTray.exe
C:\PROGRAM FILES\KeyScrambler\keyscrambler.exe
C:\PROGRAM FILES\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRAM FILES\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRAM FILES\AutoSizer\AutoSizer.exe
C:\PROGRAM FILES\CrossHair\CrossHair.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\DriveGLEAM\drivegleam.exe
C:\PROGRAM FILES\ClipTrakker\ClipTrakker.exe
C:\PROGRAM FILES\FastStone Capture\FSCapture.exe
C:\PROGRAM FILES\GhostSurf\GhostSurf.exe
C:\PROGRAM FILES\HotKeyz\HotKeyz.exe
C:\PROGRAM FILES\ACD Systems\ImageFox\ImageFox.exe
C:\PROGRAM FILES\PrintKey-Pro\PKey_Pro.exe
D:\UTILITIES\RTVReco\RtvReco.exe
C:\WINDOWS\system32\netdde.exe
D:\UTILITIES\AllCharacters\AllChars.exe
C:\PROGRAM FILES\COMMON FILES\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\ANTI-V~1\avgamsvr.exe
C:\PROGRA~1\AVG\ANTI-V~1\avgupsvc.exe
C:\PROGRA~1\AVG\ANTI-V~1\avgemc.exe
C:\PROGRAM FILES\Diskeeper\DkService.exe
C:\PROGRAM FILES\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRAM FILES\Spyware Doctor\pctsAuxs.exe
C:\PROGRAM FILES\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\COMMON FILES\Acronis\Fomatik\TrueImageTryStartService.exe
C:\PROGRAM FILES\UPHClean\uphclean.exe
C:\PROGRAM FILES\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRAM FILES\Webroot\Spy Sweeper\SSU.EXE
D:\UTILITIES\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\PROGRAM FILES\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\PROGRAM FILES\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\AVG\ANTI-V~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\PROGRAM FILES\Diskeeper\DkIcon.exe "
O4 - HKLM\..\Run: [RAMDrive] "C:\PROGRAM FILES\VirtualDrive Pro\VHD\RDTask.exe "
O4 - HKLM\..\Run: [ISTray] "C:\PROGRAM FILES\Spyware Doctor\pctsTray.exe "
O4 - HKLM\..\Run: [KeyScrambler] "C:\PROGRAM FILES\KeyScrambler\keyscrambler.exe" /a
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\PROGRAM FILES\Java\jre1.6.0_05\bin\jusched.exe "
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [WIAWizardMenu] "RUNDLL32.EXE" C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [TClockEx] D:\UTILITIES\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [AutoSizer] "C:\PROGRAM FILES\AutoSizer\AutoSizer.exe "
O4 - HKCU\..\Run: [CrossHair] "C:\PROGRAM FILES\CrossHair\CrossHair.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DriveGLEAM] "C:\PROGRAM FILES\DriveGLEAM\drivegleam.exe" /STARTUP
O4 - Startup: ERUNT AutoBackup.lnk = C:\PROGRAM FILES\ERUNT\AUTOBACK.EXE
O4 - Startup: FastStone Capture.lnk = D:\PROGRAMS\FastStone Capture\FSCapture.exe
O4 - Startup: GhostSurf.lnk = D:\PROGRAMS\GhostSurf\GhostSurf.exe
O4 - Startup: HotKeyz.lnk = D:\PROGRAMS\HotKeyz\HotKeyz.exe
O4 - Startup: ImageFox.lnk = C:\PROGRAM FILES\ACD Systems\ImageFox\ImageFox.exe
O4 - Startup: PrintKey-Pro.lnk = D:\PROGRAMS\PrintKey-Pro\PKey_Pro.exe
O4 - Startup: RtvReco.lnk = D:\UTILITIES\RTVReco\RtvReco.exe
O4 - Startup: Xplorer.lnk = C:\WINDOWS\explorer.exe
O4 - Startup: ZeeChars.lnk = D:\UTILITIES\AllCharacters\AllChars.exe
O4 - User Startup: ERUNT AutoBackup.lnk = C:\PROGRAM FILES\ERUNT\AUTOBACK.EXE
O4 - User Startup: FastStone Capture.lnk = D:\PROGRAMS\FastStone Capture\FSCapture.exe
O4 - User Startup: GhostSurf.lnk = D:\PROGRAMS\GhostSurf\GhostSurf.exe
O4 - User Startup: HotKeyz.lnk = D:\PROGRAMS\HotKeyz\HotKeyz.exe
O4 - User Startup: ImageFox.lnk = C:\PROGRAM FILES\ACD Systems\ImageFox\ImageFox.exe
O4 - User Startup: PrintKey-Pro.lnk = D:\PROGRAMS\PrintKey-Pro\PKey_Pro.exe
O4 - User Startup: RtvReco.lnk = D:\UTILITIES\RTVReco\RtvReco.exe
O4 - User Startup: Xplorer.lnk = C:\WINDOWS\explorer.exe
O4 - User Startup: ZeeChars.lnk = D:\UTILITIES\AllCharacters\AllChars.exe
O4 - Global Startup: ClipTrakker.lnk = C:\PROGRAM FILES\ClipTrakker\ClipTrakker.exe
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\PROGRAM FILES\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\PROGRAM FILES\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\PROGRAM FILES\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\PROGRAM FILES\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\PROGRAM FILES\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\PROGRAM FILES\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Download with GetRight - C:\PROGRAM FILES\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRAM FILES\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\PROGRAM FILES\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\PROGRAM FILES\GhostSurf\LaunchPCC.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139406804265
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\PROGRAM FILES\COMMON FILES\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\ANTI-V~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\ANTI-V~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG\ANTI-V~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\PROGRAM FILES\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\PROGRAM FILES\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\PROGRAM FILES\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\PROGRAM FILES\Spyware Doctor\pctsSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\PROGRAM FILES\COMMON FILES\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\PROGRAM FILES\Webroot\Spy Sweeper\SpySweeper.exe

 

Hi Jim

Here is the link to both HJT and Deckard from our own Spyware forum.

You need to get rid of the old HJT 1.99 get the new and post again.

http://windowsbbs.com/announcement.php?f=41

But after looking at your log, there are programs there that could interfere. Ghost Surf, and Webroot or Firewall also be trying to block.

The Deckard will give a deeper view of autoruns that may not be visable normally.

The next time you run SpyBot and Adaware I would update and then boot to safemode only (no network) and scan.

But for now try the below and and let us know.

Boot to safe mode networking and try Securina.

Mike

 

Hi Mike,

My taxes are done, and I finally have some free time. I've been running in Safe Mode the past couple of days, as that was the only way I could get online and be sure that the computer wasn't going to freeze on me. During that time I ran all my usual security scans, which reported nothing at all in the way of spyware/malware. I don't currently have Ad-Aware installed, so didn't run it (I had uninstalled 1.06r to install 2007, which I don't like at all, so I uninstalled it and haven't gotten around to reinstalling the older one).

FYI, I'm not currently running a software firewall, relying instead on the hardware firewall in my router. I've been running both GhostSurf and WebRoot's SpySweeper for years, and neither has ever caused a problem (except that I can't login to the Google Earth server with GhostSurf running, despite having followed Google's instructions concerning GhostSurf).

It's still a no go ... the Secunia site searches for the required Java applet and, when it can't find it, stalls out.

This afternoon I booted normally, just to see what would happen and, wouldn't you know it ... the computer seems to be running just fine (except for the Java problem that originally prompted this thread). I've been up for nearly an hour, Firefox and Thunderbird are opening normally and, knock wood, there has been no sign of a freeze.

I successfully ran a Deckard's System Scan a short time ago (I tried earlier, but it won't run in Safe Mode), but the logfile is so long, and contains such detailed information about my system, that I'm reluctant to post it. How about I send it to you in a PM?

 

Yes send it by PM if that is what you want.

I also suggest you send it to noahdfear as some research I did just now indicates a Vundo infection can possible cause issues with Java.

I think the Deckards may give insight to this.

I think the Vundo cleaner should be run.

If Vundo is found and cleaned then try my entire removal procedure again.

Mike

 

Hi Mike,

The Deckard scan files are too large to send in a PM, and it's not possible to add them as attachments, either, so I'll attach them as a .zip file here.

I ran FixVundo.exe, and no infection was found on my system.

I'll try your removal procedure again tomorrow.

Regards,

Jim

 

Mike ...

To bring you up to date, I never was able to use Revo Uninstaller to totally remove Java from my desktop without completely munging my system, as described in post #2.

For reasons unknown, however, the situation I was faced with seems to have fixed itself. I just reinstalled Java jre1.6.0_05 without a problem. The console now opens properly and I no longer get the Java Virtual Machine Launcher message about not being able to find the main class. And, the Secunia Software Inspector site now loads and runs properly.

I have no idea what cleared up the problem, but things are working properly now, so I'm satisfied. And curious.