Java won't run after virus recovery


27 replies to this topic

#1 hydrosong

  • Members
  • 27 posts
  • Location: Birmingham, AL

Posted 02 February 2012 - 10:54 PM

I was infected with the ZeroAccess virus and received very helpful assistance from BleepingComputer to remove it. As the expert tech assisting me said, "unfortunately removing malware can cause other issues." After the virus removal, I cannot get Java to run. I removed all old copies of Java and loaded the latest version for my Windows XP SP3 installation.

The expert tech recommended running the Revo Uninstaller to really clean out all vestiges of old Java and then reinstalling. I have run the Revo Uninstaller and reinstalled the latest Java again and Java still will not run. It doesn't do anything.

I looked at the event viewer and find that I get the following message every time I attempt to run a Java app in IE or a Java program on my machine locally:

DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

I have looked at my msconfig and find that there are a lot of services unchecked and some of the startups as well. I did not notice any of these that referred to MDM. I am guessing that this is the machine debug manager that is checked and DCOM is definitely checked.

Here is a link to my virus infection removal blog:

http://www.bleepingcomputer.com/forums/topic439327.html

The virus tech recommended that I include that so that you can see what I was infected with and the steps we have taken to resolve it.

Any assistance will be appreciated.

Hydrosong

Edited by hydrosong, 02 February 2012 - 10:57 PM.




#2 hamluis

  • Moderator
  • 55,734 posts
  • Location: Killeen, TX

Posted 03 February 2012 - 08:48 AM

Let's try unchecking the MDM service, please. It's not necessary, from what I see...and enabling anything to do with script debugging is a waste of time, IMO...since the only scripts you will see...will have been written by someone else and you won't be able to debug such.

Louis

#3 hydrosong


Posted 04 February 2012 - 10:46 AM

I have unchecked Machine Debug Manager.

There is also a WMDM PMSP Service. I am guessing that this is related to the Machine Debug Manager. Should I uncheck that as well?

Thank you for your assistance.

Hydrosong

#4 James Litten

    Ԁǝǝ˥q

  • BC Advisor
  • 1,946 posts
  • Location: New Jersey

Posted 04 February 2012 - 11:11 AM

Just want to chime in that there are two common places that cause Java to start the MDM service.
One is Internet Options and the other is in the Java control panel applet.

In Internet Explorer

Open Internet Explorer
Click Tools
Select Internet Options
Click the Advanced tab
Make sure the Disable Script Debugging checkboxes are checked. (There are probably 2 checkboxes for this.)

If they are not checked, check them, click OK and see if Java is working.

In the Java control panel applet

My description of the location of this one may not be exactly right because I have jobs running on all my XP boxes right now that I can't interrupt so this is kind of off the top of my head :)

In XP
Click START
Click CONTROL PANEL
Double Click the Java icon
A Java Control Panel window should open
Click the ADVANCED tab
Click the plus sign next to DEBUGGING
Confirm that all of the boxes under Debugging are not checked (I think there are 3)
If any are checked, uncheck them, click OK and see if Java is working.

Hope this helps
James

Edited by NeverSayDie, 04 February 2012 - 11:12 AM.


#5 hydrosong


Posted 06 February 2012 - 07:13 PM

I have done all of the above. Everything was already set as recommended. I did clean out my IE cache. I am now able to run my Java desktop applications but I still can't get Java applets to run in IE. For instance, when I try to run the Java test page at the java site, I get no response.

Thanks for your assistance.

Hydrosong

#6 James Litten


Posted 06 February 2012 - 07:33 PM

... For instance, when I try to run the Java test page at the java site, I get no response...


Hi

What do you mean by no response?
When you go to

http://www.java.com/en/download/installed.jsp

in Internet Explorer and click on the Verify Java Version button.

What happens?

After about a minute does it say...
"No working Java was detected on your system."

or does something else happen?

James

#7 hydrosong


Posted 06 February 2012 - 10:01 PM

When I go to that site it looks at my computer and says I have the latest Version of Java.

However, when I go to:

http://java.com/en/download/testjava.jsp

It is supposed to list my machine info. It does not. The box just remains empty. If I go to the event viewer, it will tell me:

DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service MDM with arguments "" in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

and the time stamp will be the same as when I went to the site. An example of what I am talking about can be found at:

http://weather.rap.ucar.edu/satellite/

Be sure that you set it for a loop duration of more than a single image. Before I deleted all of my old Java environments, this would work. Now I just get a blank box where the satellite animation should be.

Hydrosong

#8 James Litten


Posted 06 February 2012 - 11:18 PM

I'm reading through your logs from when you cleaned the virus. Unfortunately, it does not show any events before the infection (1/15/12) but it does show that you were getting DCOM errors including the one with MDM before CatByte helped you clean up. Is this after you tried the System Restore? That might have been when this problem started.

Here's a few of them...

01/17/2012 03:04:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
01/17/2012 03:03:31, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
01/16/2012 21:20:04, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
01/16/2012 20:55:59, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}


I also notice some developer software on the system. What kind of programming have you done on it? I ask because that would be related to your DCOM settings and also settings for running MDM.

I'll look at these logs some more and see if there are any clues to what to try next.

James
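
An added example, not part of the original posts: the "%1084" and "%1058" placeholders in the log lines quoted above are Win32 error codes that the log export did not expand into text. The Python sketch below parses those four lines and groups the services by code; 1058 is the "service ... is disabled" message from the opening post, while 1084 means the service cannot be started in Safe Mode. Function and variable names are chosen for this illustration.

```python
import re
from collections import defaultdict

# Win32 error codes (winerror.h) that show up as "%NNNN" when the
# event log export does not expand the message text.
WIN32_ERRORS = {
    1058: "ERROR_SERVICE_DISABLED: service is disabled or has no enabled devices",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: service cannot be started in Safe Mode",
}

# The four DCOM 10005 lines quoted in the post above.
SAMPLE_LOG = """\
01/17/2012 03:04:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
01/17/2012 03:03:31, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
01/16/2012 21:20:04, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
01/16/2012 20:55:59, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), error: DCOM \[10005\] - '
    r'DCOM got error "%(?P<code>\d+)" attempting to start the service '
    r'(?P<service>\S+) with arguments "[^"]*" in order to run the server: '
    r'(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*$'
)

def parse_dcom_10005(text):
    """Return one dict per DCOM 10005 line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code = int(m["code"])
        events.append({"timestamp": m["ts"], "service": m["service"], "code": code,
                       "meaning": WIN32_ERRORS.get(code, "unknown"), "clsid": m["clsid"]})
    return events

def services_by_code(events):
    """Group service names by Win32 error code, keeping log order."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["code"]].append(e["service"])
    return dict(grouped)

if __name__ == "__main__":
    for e in parse_dcom_10005(SAMPLE_LOG):
        print(f'{e["timestamp"]}  {e["service"]:<12} {e["code"]}  {e["meaning"]}')
```

Grouping this way separates the MDM failure (service disabled) from the EventSystem, StiSvc and netman failures (start attempted while booted in Safe Mode).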

#9 James Litten


Posted 07 February 2012 - 12:28 AM

CONTINUED FROM PREVIOUS POST

Okay, I read through your logs and the gist of it is that the file

C:\WINDOWS\system32\DRIVERS\netbt.sys

was infected and was replaced with a backup copy.

Your DCOM error is more an effect than a cause. It means the IE Java Plugin is crashing but it is unable to give an MDM log of the crash. Whether MDM is there or not is inconsequential. Java is crashing for some other reason THEN we are getting the problem with loading MDM.

My suspicion is that the backup copy of netbt.sys is the problem. But how would that be a problem before the virus cleaner replaced it?

It's because you did a system restore after the initial infection which may have used the backup copy when you did it on the 15th or 16th before the errors on the 16th, then you were reinfected because the virus came out of its hiding place and reinfected netbt.sys which was then cleaned and replaced from the backup copy with the help of CatByte.

I can't help you verify your copy of netbt.sys. (I've only been posting on forums for a month and it's much harder than being there in person :) ) Hopefully someone else can.

TLDR
I think that the backup copy of netbt.sys that TDSS Killer used to replace the infected copy may be causing this problem. Could someone help him check if this is it?

James

Edited by NeverSayDie, 07 February 2012 - 12:30 AM.


#10 hydrosong


Posted 07 February 2012 - 11:52 PM

I am guessing that the developer software you refer to is MS Visual Studio. My son was learning Visual Basic with a Student version. It's been on my computer for about 5 years and not used in the last 3 years.

I also have Microsoft FORTRAN and SilverFrost FORTRAN that I use for writing engineering programs and various directory analysis text manipulation programs.

I appreciate your discussion of the removal of the infection involving NetBT.sys. I do hope someone will suggest how I might get a proper replacement for it. I had some suspicion that it could be the culprit but didn't want to mess with it without the advice of an expert tech.

It is interesting that it was producing the DCOM errors further back. I had noticed a number of errors and warnings in my system event log but could find no one who could suggest a fix. The computer occasionally seemed slow but otherwise seemed to do everything without failure until the virus showed up. I may not have done anything with Java since that time so I don't know if the Java failure occurred before the virus, after the virus but before the clean up, or after the clean up. I do know that I made extensive use of a Java program from the National Weather Service for reading NEXRAD files sometime back in the summer. And I do look at the satellite loops (using a Java animation app) every week or two when I am trying to anticipate storm systems.

Keep in mind that I was able to use a Corps of Engineers Java application from my desktop yesterday after clearing out my IE cache and it produced no event logs about DCOM or MDM. However, as soon as I saw that I could run the desktop Java apps, I tried to use the Satellite loop Java app in IE and got no response but did get the event log about DCOM.

Again, thanks for all your help.

Hydrosong

#11 hydrosong


Posted 08 February 2012 - 12:18 AM

Ok. I just tried something on a wild hair.

I logged off my usual user account (it does have admin privileges) and logged onto the admin account and the Java app in Internet Explorer worked fine even though I can't get it to run on my user account. That suggests to me that there is either a problem in my MSconfig or in the registry for my user account.

How do I find out what that is?

hydrosong

#12 James Litten


Posted 08 February 2012 - 12:58 AM

Maybe we can narrow down the search some more. That certainly does point to a registry entry of some sort.

I noticed that you have Firefox installed.

Does it work in Firefox from your user account?

James

#13 hydrosong


Posted 08 February 2012 - 10:09 AM

It does work in Firefox on my usual user account. When I started Firefox, it notified me that Java Quick Starter wanted to install as an addin to Firefox. I said yes, Firefox restarted and I went to my satellite web site and opened the page that needed the Java animation app. I heard a bit of hard disk activity as the app loaded and then the animation displayed as it should. Then I tried it in IE again just to be sure but it was still a no-go. I am wondering if the problem could be that IE is broken. It never asked to install the Java Quickstart plugin after I updated my Java. I do recall unchecking the Java Quick Starter in MSConfig because I saw complaints in blogs that it was always running even if you weren't using any Java and its only use was to help Java load faster. However, I did re-enable the Quick Starter as soon as I discovered that Java wasn't running. Is there a way to reinstall IE or to get it to recognize that it needs to install the Java Quick Starter addin?

Hydrosong

#14 James Litten


Posted 08 February 2012 - 01:15 PM

Slowly we are getting closer :)

I don't think this is a Quickstart issue. Let's try this...

In Internet Explorer

Click TOOLS
Click MANAGE ADD-ONS
Click Toolbars And Extensions
Make sure that all the Java (Publisher is Sun Microsystems) items in the list are set to ENABLED

If they are already, let us know what Java items you see (there are usually 4)

James

Edited by NeverSayDie, 08 February 2012 - 01:17 PM.


#15 hydrosong


Posted 08 February 2012 - 11:27 PM

There are only three items in Toolbars & Extensions:

Name Java™ Plug-In SSV Helper
Publisher Sun Microsystems, Inc.
Status Enabled
File date Tuesday, January 31, 2012, 22:37
Version 6.0.300.12
Load time 0.02 s

Name Java™ Plug-In 2 SSV Helper
Publisher Sun Microsystems, Inc.
Status Enabled
File date Tuesday, January 31, 2012, 22:37
Version 6.0.300.12
Load time 0.24 s

Name JQSIEStartDetectorImpl Class
Publisher Sun Microsystems, Inc.
Status Enabled
File date Tuesday, January 31, 2012, 22:37
Version 6.0.300.12
Load time 0.01 s

Hydrosong



