
javaws.exe*32 - hundreds of instances running in Taskmanager


8 replies to this topic

#1 danielzink

Posted 03 August 2015 - 02:14 PM

Hello,

Computer is very slow.

Task Manager shows hundreds of instances of javaws.exe*32 running.

Win 7 machine (64-bit).

Any help is appreciated.

Thanks, Dan




#2 Firehouse

Posted 03 August 2015 - 02:18 PM

Hello,

Please download MiniToolBox by Farbar and save it to your desktop.

Run the tool as Administrator and make sure that these options are checked:

  • Flush DNS
  • Reset IE Proxy Settings
  • Reset FF Proxy Settings
  • List Installed Programs

Post the log here.

Step 2

Download TFC by OldTimer and save it to your desktop.

Run it as Administrator and click on the Start button.

If the program needs a reboot, allow it to do so.

NOTE: If your desktop disappears, don't panic, it's normal.

Step 3

Download Rkill and save it to your desktop (the preferred version is iexplore.exe).

Run the tool as Administrator; it will kill all malicious processes.

The program will download and install Malwarebytes as well, and it will launch.

Make sure you have the latest definitions by clicking on Update Now, then under Scan choose Threat Scan.

After scanning is done, click on Remove if malware is found; the tool will ask for a restart, allow it to do so.

Attach the MBAM log here (you can find it in History > Application Logs).

Step 4

Scan with Malwarebytes Anti-Rootkit

Please download MBAR and save it to your desktop.

Run the tool as Administrator; it will extract itself and then launch.

Click Next to accept the terms and conditions, and click Update to obtain the latest definitions.

If malware is found, click on the Cleanup button, but make sure that the Create restore point option is checked before proceeding!

The program will ask you to restart, allow it to do so.

Note: If you're experiencing internet connection issues or other anomalies after running MBAR and the removal of rootkits, it is recommended to run fixdamage.exe, located inside the mbar folder. Run it as Administrator and press Y if it asks whether you want to continue.

Step 5

Scan with Norton Power Eraser

CAUTION: NPE uses aggressive methods to detect and remove malware, so do not touch any of the settings!

Download NPE by Symantec and save it to your desktop.

Run the tool as Administrator, accept the license agreement, and click the Scan button.

The program will ask you to reboot to continue scanning (includes a rootkit scan), so allow it to restart.

After the restart the program will automatically launch itself and start scanning. Scanning takes 5-10 minutes, so be patient!

If malware is detected, make sure that the Create restore point option is checked, then click the Fix button. After that, click on Restart now to complete the removal.


#3 danielzink (Topic Starter)

Posted 03 August 2015 - 06:12 PM

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by DAN (administrator) on 03-08-2015 at 18:06:52
Running from "C:\Users\DAN\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Model: M68M-S2P Manufacturer: Gigabyte Technology Co., Ltd.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
=========================== Installed Programs ============================
 
Adobe Acrobat XI Pro (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.00 - Adobe Systems)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{7FE25256-B7C1-480D-B736-10A67A833AEA}) (Version: 3.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{B255D495-4734-4E9B-B4F5-96702FD4A7B9}) (Version: 3.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{5D61F006-168C-4B8B-B7FD-F113C10AE0E4}) (Version: 8.2.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Arachnophilia (remove only) (HKLM-x32\...\Arachnophilia) (Version:  - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
ESET Smart Security (HKLM\...\{293ADC3B-DCF3-44C2-9CE8-19DD2B4F7646}) (Version: 8.0.312.0 - ESET, spol s r. o.)
FileZilla Client 3.11.0.2 (HKLM-x32\...\FileZilla Client) (Version: 3.11.0.2 - Tim Kosse)
Genie Backup Manager (HKLM\...\Genie Backup Manager) (Version: 9.0 - Genie9)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.125 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.1 - Google Inc.) Hidden
iTunes (HKLM\...\{6CF1A7E2-8001-4870-9F18-3C6CDD6FE9E3}) (Version: 12.2.1.16 - Apple Inc.)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x64) ENU  (HKLM\...\{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x64) ENU  (HKLM\...\{03AC245F-4C64-425C-89CF-7783C1D3AB2C}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visio Professional 2013 (HKLM\...\Office15.VISPROR) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)
Outils de vérification linguistique 2013 de Microsoft Office - Français (HKLM\...\{90150000-001F-040C-1000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1204 - SUPERAntiSpyware.com)
SyncToy 2.1 (x64) (HKLM\...\{88DAAF05-5A72-46D2-A7C5-C3759697E943}) (Version: 2.1.0 - Microsoft)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.43879 - TeamViewer)
UltraISO Premium V9.53 (HKLM-x32\...\UltraISO_is1) (Version:  - )
Update for Skype for Business 2015 (KB2889853) 64-Bit Edition (HKLM\...\{90150000-012B-0409-1000-0000000FF1CE}_Office15.PROPLUS_{40930C8E-A677-414C-A72F-DFDEB10738FB}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054946) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{5280698D-EE40-4A94-9E69-ED2E2B1E12A2}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054946) 64-Bit Edition (HKLM\...\{90150000-00C1-0000-1000-0000000FF1CE}_Office15.PROPLUS_{5280698D-EE40-4A94-9E69-ED2E2B1E12A2}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054946) 64-Bit Edition (HKLM\...\{90150000-00C1-0000-1000-0000000FF1CE}_Office15.VISPROR_{5280698D-EE40-4A94-9E69-ED2E2B1E12A2}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054946) 64-Bit Edition (HKLM\...\{90150000-012B-0409-1000-0000000FF1CE}_Office15.PROPLUS_{5280698D-EE40-4A94-9E69-ED2E2B1E12A2}) (Version:  - Microsoft)
WD Quick View (HKLM-x32\...\{B74717F4-9E4D-4FEF-B234-97EC2ADACFD8}) (Version: 2.4.11.4 - Western Digital Technologies, Inc.)
WD SmartWare (HKLM\...\{E0223E66-5682-4F65-9F5D-A2AB7C593323}) (Version: 2.4.11.4 - Western Digital Technologies, Inc.)
WD SmartWare Installer (HKLM-x32\...\{f8b1c3bb-688a-4421-a45e-a22dd15f22ee}) (Version: 2.4.11.4 - Western Digital Technologies, Inc.)
 
**** End of log ****
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 8/3/2015
Scan Time: 6:43 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.08.03.07
Rootkit Database: v2015.08.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: DAN
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 353499
Time Elapsed: 8 min, 23 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Ran all as asked.

After 2 to 3 minutes the javaws.exe *32 processes show back up in Task Manager and the computer slows to a crawl again.
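Before uninstalling anything, a responder would want to know which binary these hundreds of javaws.exe instances actually are, who keeps spawning them, and what they are being told to launch. The following is an added example (editor's code, not from any poster in this thread) that collects exactly that from a Windows 7 x64 host. It assumes a default 32-bit Java 8 install under C:\Program Files (x86)\Java; the expected-directory check and the "red flag" criteria at the end are the editor's assumptions, not something the thread establishes. It only reads the process list; it does not kill or remove anything.

```powershell
# Added example (not from the thread): triage every running javaws.exe on a
# Windows 7 x64 host before uninstalling anything. For each instance it
# records where the binary lives, which process spawned it, what JNLP file or
# URL it was told to launch, and whether the binary carries a valid signature.
# Uses Get-WmiObject because Windows 7 ships PowerShell 2.0; on PowerShell 3+
# Get-CimInstance Win32_Process works the same way. Run from an elevated prompt.

# Assumption: a default 32-bit Java 8 install puts the launcher under
# C:\Program Files (x86)\Java\<jre>\bin. Task Manager's "*32" suffix on an
# x64 host means a WOW64 (32-bit) process, so that is the directory to expect.
$expectedDir = ${env:ProgramFiles(x86)}
if (-not $expectedDir) { $expectedDir = $env:ProgramFiles }   # 32-bit host fallback
$expectedDir = Join-Path $expectedDir 'Java'

$shaCache = @{}   # hash each distinct binary once, not once per instance
function Get-Sha256Hex {
    param([string]$Path)
    if ($shaCache.ContainsKey($Path)) { return $shaCache[$Path] }
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hex = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    $shaCache[$Path] = $hex
    return $hex
}

# One WMI query, then an index by PID so parent lookups stay cheap with
# hundreds of instances. Parent PIDs can be reused after the parent exits,
# so treat "<exited>" as "unknown", not as evidence of anything.
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$rows = foreach ($p in ($all | Where-Object { $_.Name -ieq 'javaws.exe' })) {
    $path   = $p.ExecutablePath
    $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
    $parent = $byPid[[int]$p.ParentProcessId]

    $parentLabel = "<exited> ($($p.ParentProcessId))"; $parentPath = $null
    if ($parent) { $parentLabel = "$($parent.Name) ($($parent.ProcessId))"; $parentPath = $parent.ExecutablePath }

    $sigStatus = 'n/a'; $signer = $null; $sha = $null
    if ($onDisk) {
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $sha = Get-Sha256Hex $path
    }

    $started = $null
    if ($p.CreationDate) { $started = $p.ConvertToDateTime($p.CreationDate) }

    New-Object PSObject -Property @{
        PID        = $p.ProcessId
        Started    = $started
        Path       = $path
        InJavaDir  = [bool]($path -and ($path -like "$expectedDir\*"))
        Parent     = $parentLabel
        ParentPath = $parentPath
        CmdLine    = $p.CommandLine   # normally just the JNLP path or URL being launched
        SigStatus  = $sigStatus
        Signer     = $signer
        Sha256     = $sha
    }
}

"javaws.exe instances: $(@($rows).Count)"

# One line per distinct (binary, parent, command line). With hundreds of
# instances this is usually a single row, which tells you the same launch
# is being repeated by the same parent.
$rows | Group-Object Path, Parent, CmdLine |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Path';      e={$_.Group[0].Path}},
        @{n='Parent';    e={$_.Group[0].Parent}},
        @{n='CmdLine';   e={$_.Group[0].CmdLine}},
        @{n='Sig';       e={$_.Group[0].SigStatus}},
        @{n='InJavaDir'; e={$_.Group[0].InJavaDir}} |
    Format-Table -AutoSize -Wrap

# Assumed red-flag criteria: binary outside the expected Java directory, or
# without a valid Authenticode signature. Anything listed here deserves the
# full FRST log the moderator asks for later in the thread.
$rows | Where-Object { -not $_.InJavaDir -or $_.SigStatus -ne 'Valid' } |
    Format-List PID, Path, Parent, ParentPath, CmdLine, SigStatus, Signer, Sha256
```

What to read off the output: the Parent column is the most useful one when the processes come back within minutes of being killed, because a healthy javaws.exe is started by a browser or by Explorer when someone opens a .jnlp, not hundreds of times by one parent; the CmdLine column shows the JNLP file or URL being relaunched; and a Path outside the Java directory, or a Signer that is not the Java vendor, means the name "javaws.exe" cannot be taken at face value. Note that a process that exits between the WMI query and the file checks shows up with an empty path and lands in the red-flag list by default; re-run the script if that happens.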


#4 boopme (Global Moderator)

Posted 04 August 2015 - 09:59 PM

Hello, try going into Control Panel > Uninstall and remove Java 8 Update 45.

Reboot.


#5 Firehouse

Posted 05 August 2015 - 03:30 AM

Ok, let's try GMER just to make sure that the PC is rootkit-free.

Download GMER and save it on your desktop.

NOTE: If you cannot run it, rename it to iexplore.exe; that should work.

Run it as Administrator and click the Scan button; it will scan and automatically remove all present rootkits.

Attach the created log here; if there's no log, just use the Copy option inside the program.

If you still get javaws in Task Manager, try to uninstall with JavaRa and download and install the latest Java. (Make sure you don't install the Ask Toolbar.)



#6 danielzink (Topic Starter)

Posted 05 August 2015 - 06:03 AM

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-05 07:01:48
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005d WDC_WD20 rev.80.0 1863.02GB
Running: em2kzc39.exe; Driver: C:\Users\DAN\AppData\Local\Temp\uwldapow.sys
 
 
---- User code sections - GMER 2.1 ----
 
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000768e8781 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17       0000000075431401 2 bytes JMP 7690b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17         0000000075431419 2 bytes JMP 7690b346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17       0000000075431431 2 bytes JMP 76988f29 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42       000000007543144a 2 bytes CALL 768e489d C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                        * 9
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17          00000000754314dd 2 bytes JMP 76988822 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17   00000000754314f5 2 bytes JMP 769889f8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17          000000007543150d 2 bytes JMP 76988718 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17   0000000075431525 2 bytes JMP 76988ae2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17         000000007543153d 2 bytes JMP 768ffca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17              0000000075431555 2 bytes JMP 769068ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17       000000007543156d 2 bytes JMP 76988fe3 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17         0000000075431585 2 bytes JMP 76988b42 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17            000000007543159d 2 bytes JMP 769886dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17         00000000754315b5 2 bytes JMP 768ffd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17       00000000754315cd 2 bytes JMP 7690b2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20   00000000754316b2 2 bytes JMP 76988ea4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31   00000000754316bd 2 bytes JMP 76988671 C:\Windows\syswow64\kernel32.dll
 
---- EOF - GMER 2.1 ----
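Every hook in the GMER log above sits inside one process, ESET's own ekrn.exe, and every JMP lands in kernel32.dll under the Windows directory. That is the first thing to check in a "User code sections" block: which processes carry inline hooks, and where the hooks go. A hook in some other process, or a jump into a module outside the Windows directory, would be the line worth escalating. The following is an added example (editor's code, not GMER's and not from any poster) that parses that block and summarises it per process. The sample text is a constructed excerpt: three lines copied from the log above plus one made-up line for explorer.exe, labelled as such, so the flagging logic has something to flag. The "trusted process directory" list and the rule that hook targets should stay under C:\Windows\ are the editor's assumptions for this host.

```powershell
# Added example (not part of the thread): summarise the "User code sections"
# block of a GMER 2.1 log per hooked process. $sample is a constructed excerpt:
# three lines from the log posted above plus ONE MADE-UP line (explorer.exe
# hooked into a DLL under %TEMP%) so the flagging logic has something to flag.
# For a real log on PowerShell 2:  $sample = [IO.File]::ReadAllText('C:\path\gmer.log')
#                 on PowerShell 3+: $sample = Get-Content .\gmer.log -Raw

$sample = @'
---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  00000000768e8781 4 bytes [C2, 04, 00, 00]
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17       0000000075431401 2 bytes JMP 7690b21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[1604] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17         0000000075431419 2 bytes JMP 7690b346 C:\Windows\syswow64\kernel32.dll
.text  ...                                                                                                                        * 9
.text  C:\Windows\explorer.exe[9999] C:\Windows\system32\ntdll.dll!NtCreateFile                                                   0000000077c0a4c0 5 bytes JMP 10001234 C:\Users\DAN\AppData\Local\Temp\made-up-example.dll

---- EOF - GMER 2.1 ----
'@

# Assumptions about what "expected" looks like on this host; adjust per machine.
$trustedProcDirs = @('C:\Program Files\ESET\')   # the security product installed here
$systemDir       = 'C:\Windows\'                  # hook targets are expected to stay inside

# One GMER user-mode hook line:  .text  <proc>.exe[<pid>] <module>!<func>[ + <off>]  <addr> <n> bytes <JMP|CALL <dest> <destmod> | [patch bytes]>
$linePattern = '^\.text\s+(?<proc>.+?\.exe)\[(?<pid>\d+)\]\s+(?<mod>\S+)!(?<func>\S+)(?:\s+\+\s+(?<off>\d+))?\s+(?<addr>[0-9a-f]+)\s+(?<len>\d+)\s+bytes\s+(?<rest>.+)$'

function Get-GmerUserHooks {
    param([string]$LogText)
    $inSection = $false
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^---- User code sections') { $inSection = $true; continue }
        if ($line -match '^---- ')                   { $inSection = $false; continue }
        if (-not $inSection)                         { continue }
        if ($line -notmatch $linePattern)            { continue }   # e.g. the ".text ...  * 9" collapse marker
        $h = @{
            Process = $Matches['proc'];  PID      = [int]$Matches['pid']
            Module  = [IO.Path]::GetFileName($Matches['mod']); Function = $Matches['func']
            Offset  = $Matches['off'];   Address  = $Matches['addr']; Length = [int]$Matches['len']
            Kind    = 'patch';           Target   = $null
        }
        # JMP/CALL lines name the destination module; "[C2, 04, ...]" lines are in-place byte patches.
        if ($Matches['rest'] -match '^(?<kind>JMP|CALL)\s+[0-9a-f]+\s+(?<target>.+?)\s*$') {
            $h.Kind = $Matches['kind']; $h.Target = $Matches['target']
        }
        New-Object PSObject -Property $h
    }
}

function Get-GmerHookSummary {
    param($Hooks)
    foreach ($grp in ($Hooks | Group-Object Process, PID)) {
        $g    = $grp.Group
        $proc = $g[0].Process
        $trustedProc = $false
        foreach ($d in $trustedProcDirs) { if ($proc -like "$d*") { $trustedProc = $true } }
        $oddTargets = @($g | Where-Object { $_.Target -and ($_.Target -notlike "$systemDir*") })
        # "expected" only means: hooks live in the installed security product and
        # jump into Windows modules. It is a triage label, not a clean bill of health.
        $flag = 'expected'
        if (-not $trustedProc -or $oddTargets.Count -gt 0) { $flag = 'REVIEW' }
        New-Object PSObject -Property @{
            Flag    = $flag
            Process = $proc
            PID     = $g[0].PID
            Hooks   = $g.Count
            Modules = (@($g | ForEach-Object { $_.Module } | Sort-Object -Unique) -join ', ')
            Targets = (@($g | Where-Object { $_.Target } | ForEach-Object { [IO.Path]::GetFileName($_.Target) } | Sort-Object -Unique) -join ', ')
        }
    }
}

$hooks = Get-GmerUserHooks -LogText $sample
Get-GmerHookSummary -Hooks $hooks | Format-Table Flag, Process, PID, Hooks, Modules, Targets -AutoSize -Wrap
```

On the constructed sample this prints two rows: ekrn.exe with three hooks in kernel32.dll and psapi.dll, all targeting kernel32.dll, labelled "expected", and the made-up explorer.exe row labelled "REVIEW" because it is not under the trusted directory and its JMP target is under a user's Temp folder. The collapsed ".text ... * 9" line is skipped, so the hook count is a lower bound wherever GMER has folded repeated entries; the full log above shows the remaining psapi.dll entries individually.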


#7 Firehouse

Posted 05 August 2015 - 06:09 AM

How is the situation now?



#8 boopme (Global Moderator)

Posted 07 August 2015 - 01:56 PM

I would recommend you repost with a FRST log as this is a keylogger and bank account tracker.

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#9 danielzink (Topic Starter)

Posted 07 August 2015 - 05:39 PM

Thanks. Done

