Trojan Virus = Java errors??

A few weeks ago MSE picked up 3 instances of "Trojan:JS/Redirector.EV"
Explanation - Encyclopedia entry: Trojan:JS/Redirector.EV - Learn more about malware - Microsoft Malware Protection Center
It just occurred to me NOW that I have an error at some point every day that reads:
Code:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0xcccccccc, pid=4284, tid=1660
#
# JRE version: 6.0_29-b11
# Java VM: Java HotSpot(TM) Client VM (20.4-b02 mixed mode, sharing windows-x86 )
# Problematic frame:
# C 0xcccccccc
#
# If you would like to submit a bug report, please visit:
# HotSpot Virtual Machine Error Reporting Page
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
--------------- T H R E A D ---------------
Current thread (0x054f8400): JavaThread "AWT-Windows" daemon [_thread_in_native, id=1660, stack(0x02740000,0x02840000)]
siginfo: ExceptionCode=0xc0000005, reading address 0xcccccccc
Registers:
EAX=0x6d0c013a, EBX=0x00000001, ECX=0x05557110, EDX=0x00000004
ESP=0x0283faa0, EBP=0x0283facc, ESI=0x054f8528, EDI=0x05557110
EIP=0xcccccccc, EFLAGS=0x00210293
Top of Stack: (sp=0x0283faa0)
0x0283faa0: 6d09ccc0 00000000 6d09c780 00000000
0x0283fab0: 0283fb48 00000000 054f8528 0283faa4
0x0283fac0: 0283fb60 6d0c0628 00000001 0283faf8
0x0283fad0: 75fa62fa 00080662 0000981a 05557110
0x0283fae0: 00000000 6d09c780 dcbaabcd 00000000
0x0283faf0: 00000000 6d09c780 0283fb70 75fa6d3a
0x0283fb00: 6d09c780 00080662 0000981a 05557110
0x0283fb10: 00000000 c0f7ab24 0283fc04 0283fbfc
Instructions: (pc=0xcccccccc)
0xccccccac:
[error occurred during error reporting (printing registers, top of stack, instructions near pc), id 0xc0000005]
Register to memory mapping:
EAX=0x6d0c013a is an unknown value
EBX=0x00000001 is an unknown value
ECX=0x05557110 is an unknown value
EDX=0x00000004 is an unknown value
ESP=0x0283faa0 is pointing into the stack for thread: 0x054f8400
EBP=0x0283facc is pointing into the stack for thread: 0x054f8400
ESI=0x054f8528 is an unknown value
EDI=0x05557110 is an unknown value
Stack: [0x02740000,0x02840000], sp=0x0283faa0, free space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C 0xcccccccc
C [USER32.dll+0x162fa] gapfnScSendMessage+0x332
C [USER32.dll+0x16d3a] GetThreadDesktop+0xd7
C [USER32.dll+0x177c4] CharPrevW+0x138
C [USER32.dll+0x1788a] DispatchMessageW+0xf
Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
j sun.awt.windows.WToolkit.eventLoop()V+0
j sun.awt.windows.WToolkit.run()V+52
v ~StubRoutines::call_stub
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
0x0acfc000 JavaThread "TickTimer" daemon [_thread_blocked, id=352, stack(0x0b860000,0x0b8b0000)]
0x08a7f000 JavaThread "ITimer" daemon [_thread_blocked, id=5236, stack(0x0a3f0000,0x0a440000)]
0x08a83000 JavaThread "ScrollBar" daemon [_thread_blocked, id=5716, stack(0x0b570000,0x0b5c0000)]
0x08a82800 JavaThread "TextField" daemon [_thread_blocked, id=5160, stack(0x0b4e0000,0x0b530000)]
0x08a82000 JavaThread "ScrollBar" daemon [_thread_blocked, id=5152, stack(0x0b450000,0x0b4a0000)]
0x08a81c00 JavaThread "ScrollBar" daemon [_thread_blocked, id=4760, stack(0x0b3c0000,0x0b410000)]
0x08a81400 JavaThread "ScrollBar" daemon [_thread_blocked, id=5900, stack(0x0b330000,0x0b380000)]
0x08a81000 JavaThread "ScrollBar" daemon [_thread_blocked, id=2316, stack(0x0b2a0000,0x0b2f0000)]
0x08a80800 JavaThread "ScrollBar" daemon [_thread_blocked, id=4508, stack(0x0b210000,0x0b260000)]
0x08a80400 JavaThread "TickTimer" daemon [_thread_blocked, id=3872, stack(0x0b180000,0x0b1d0000)]
0x08a7fc00 JavaThread "ScrollBar" daemon [_thread_blocked, id=3024, stack(0x0a360000,0x0a3b0000)]
0x08a7e800 JavaThread "BadgeStorage" daemon [_thread_blocked, id=5980, stack(0x083a0000,0x083f0000)]
0x08a7dc00 JavaThread "AsynchRasterManager.avatar" daemon [_thread_blocked, id=5148, stack(0x0a090000,0x0a0e0000)]
0x08a7d800 JavaThread "Direct Clip" daemon [_thread_blocked, id=5680, stack(0x0a000000,0x0a050000)]
0x0550b800 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=2632, stack(0x09740000,0x09790000)]
0x05509000 JavaThread "thread applet-com.pogo.game.client2.color.ColorApplet-5" [_thread_blocked, id=5296, stack(0x08160000,0x081b0000)]
0x05509800 JavaThread "thread applet-com.pogo.game.client2.shell.ShellApplet-4" [_thread_blocked, id=5796, stack(0x07f20000,0x07f70000)]
0x05505800 JavaThread "thread applet-com.pogo.game.client2.shell.ShellApplet-3" [_thread_blocked, id=5204, stack(0x07890000,0x078e0000)]
0x05509c00 JavaThread "AWT-EventQueue-4" [_thread_in_native, id=5188, stack(0x081f0000,0x08240000)]
0x05506400 JavaThread "AWT-Shutdown" [_thread_blocked, id=5256, stack(0x07210000,0x07260000)]
0x05506c00 JavaThread "Applet 4 LiveConnect Worker Thread" [_thread_blocked, id=5492, stack(0x07e00000,0x07e50000)]
0x05508400 JavaThread "Applet 3 LiveConnect Worker Thread" [_thread_blocked, id=5664, stack(0x07430000,0x07480000)]
0x05507000 JavaThread "JVM[id=0]-Heartbeat" daemon [_thread_blocked, id=5696, stack(0x07e90000,0x07ee0000)]
0x05506000 JavaThread "Browser Side Object Cleanup Thread" [_thread_blocked, id=5584, stack(0x07d20000,0x07d70000)]
0x05505400 JavaThread "Windows Tray Icon Thread" [_thread_in_native, id=5604, stack(0x07770000,0x077c0000)]
0x05504c00 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=5612, stack(0x076e0000,0x07730000)]
0x05501400 JavaThread "CacheMemoryCleanUpThread" daemon [_thread_blocked, id=5600, stack(0x07650000,0x076a0000)]
0x054ab800 JavaThread "SysExecutionTheadCreator" daemon [_thread_blocked, id=5348, stack(0x056a0000,0x056f0000)]
=>0x054f8400 JavaThread "AWT-Windows" daemon [_thread_in_native, id=1660, stack(0x02740000,0x02840000)]
0x054f5400 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=5628, stack(0x07180000,0x071d0000)]
0x0265f400 JavaThread "Java Plug-In Pipe Worker Thread (Client-Side)" daemon [_thread_in_native, id=5444, stack(0x05730000,0x05780000)]
0x054ab400 JavaThread "Timer-0" [_thread_blocked, id=6084, stack(0x053b0000,0x05400000)]
0x02627400 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=6028, stack(0x05170000,0x051c0000)]
0x025ef000 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=5732, stack(0x04f00000,0x04f50000)]
0x025e8400 JavaThread "C1 CompilerThread0" daemon [_thread_blocked, id=2540, stack(0x04e70000,0x04ec0000)]
0x025e7400 JavaThread "Attach Listener" daemon [_thread_blocked, id=5580, stack(0x04de0000,0x04e30000)]
0x025e6800 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=5292, stack(0x04d50000,0x04da0000)]
0x025dc400 JavaThread "Finalizer" daemon [_thread_blocked, id=5420, stack(0x02a40000,0x02a90000)]
0x025db000 JavaThread "Reference Handler" daemon [_thread_blocked, id=6100, stack(0x02940000,0x02990000)]
0x0273ac00 JavaThread "main" [_thread_blocked, id=6064, stack(0x005c0000,0x00610000)]
Other Threads:
0x0259e400 VMThread [stack: 0x02660000,0x026b0000] [id=4772]
0x025f0800 WatcherThread [stack: 0x04f90000,0x04fe0000] [id=2628]
VM state:not at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: None
Heap
def new generation total 39296K, used 3051K [0x2c550000, 0x2eff0000, 0x2eff0000)
eden space 34944K, 7% used [0x2c550000, 0x2c7e5288, 0x2e770000)
from space 4352K, 9% used [0x2e770000, 0x2e7d5c68, 0x2ebb0000)
to space 4352K, 0% used [0x2ebb0000, 0x2ebb0000, 0x2eff0000)
tenured generation total 87424K, used 80361K [0x2eff0000, 0x34550000, 0x34550000)
the space 87424K, 91% used [0x2eff0000, 0x33e6a448, 0x33e6a600, 0x34550000)
compacting perm gen total 12288K, used 5322K [0x34550000, 0x35150000, 0x38550000)
the space 12288K, 43% used [0x34550000, 0x34a82b20, 0x34a82c00, 0x35150000)
ro space 10240K, 51% used [0x38550000, 0x38a7d0b8, 0x38a7d200, 0x38f50000)
rw space 12288K, 54% used [0x38f50000, 0x395e9570, 0x395e9600, 0x39b50000)
Code Cache [0x02ae0000, 0x02ed0000, 0x04ae0000)
total_blobs=2059 nmethods=1815 adapters=178 free_code_cache=29452608 largest_free_block=256
Dynamic libraries:
0x00400000 - 0x00424000 C:\Program Files (x86)\Java\jre6\bin\java.exe
0x76fb0000 - 0x77130000 C:\Windows\SysWOW64\ntdll.dll
0x764f0000 - 0x76600000 C:\Windows\syswow64\kernel32.dll
0x75a60000 - 0x75aa6000 C:\Windows\syswow64\KERNELBASE.dll
0x76250000 - 0x762f0000 C:\Windows\syswow64\ADVAPI32.dll
0x756f0000 - 0x7579c000 C:\Windows\syswow64\msvcrt.dll
0x754a0000 - 0x754b9000 C:\Windows\SysWOW64\sechost.dll
0x76600000 - 0x766f0000 C:\Windows\syswow64\RPCRT4.dll
0x746a0000 - 0x74700000 C:\Windows\syswow64\SspiCli.dll
0x74690000 - 0x7469c000 C:\Windows\syswow64\CRYPTBASE.dll
0x72a30000 - 0x72a7c000 C:\Windows\system32\apphelp.dll
0x6dec0000 - 0x6df4d000 C:\Windows\AppPatch\AcLayers.DLL
0x75f90000 - 0x76090000 C:\Windows\syswow64\USER32.dll
0x757a0000 - 0x75830000 C:\Windows\syswow64\GDI32.dll
0x75cd0000 - 0x75cda000 C:\Windows\syswow64\LPK.dll
0x75ef0000 - 0x75f8d000 C:\Windows\syswow64\USP10.dll
0x747c0000 - 0x7540a000 C:\Windows\syswow64\SHELL32.dll
0x76490000 - 0x764e7000 C:\Windows\syswow64\SHLWAPI.dll
0x754c0000 - 0x7561c000 C:\Windows\syswow64\ole32.dll
0x75410000 - 0x7549f000 C:\Windows\syswow64\OLEAUT32.dll
0x73090000 - 0x730a7000 C:\Windows\system32\USERENV.dll
0x72d10000 - 0x72d1b000 C:\Windows\system32\profapi.dll
0x72d30000 - 0x72d81000 C:\Windows\system32\WINSPOOL.DRV
0x6dea0000 - 0x6deb2000 C:\Windows\system32\MPR.dll
0x75ab0000 - 0x75b10000 C:\Windows\system32\IMM32.DLL
0x75620000 - 0x756ec000 C:\Windows\syswow64\MSCTF.dll
0x7c340000 - 0x7c396000 C:\Program Files (x86)\Java\jre6\bin\msvcr71.dll
0x6d7f0000 - 0x6da9f000 C:\Program Files (x86)\Java\jre6\bin\client\jvm.dll
0x72880000 - 0x728b2000 C:\Windows\system32\WINMM.dll
0x6d7a0000 - 0x6d7ac000 C:\Program Files (x86)\Java\jre6\bin\verify.dll
0x6d320000 - 0x6d33f000 C:\Program Files (x86)\Java\jre6\bin\java.dll
0x6d000000 - 0x6d14c000 C:\Program Files (x86)\Java\jre6\bin\awt.dll
0x72610000 - 0x727ae000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
0x723e0000 - 0x72460000 C:\Windows\system32\uxtheme.dll
0x6d7e0000 - 0x6d7ef000 C:\Program Files (x86)\Java\jre6\bin\zip.dll
0x71b90000 - 0x71d53000 C:\Windows\system32\d3d9.dll
0x72460000 - 0x72469000 C:\Windows\system32\VERSION.dll
0x73080000 - 0x73086000 C:\Windows\system32\d3d8thk.dll
0x72a10000 - 0x72a23000 C:\Windows\system32\dwmapi.dll
0x73740000 - 0x737f9000 C:\Windows\system32\aticfx32.dll
0x73070000 - 0x7307b000 C:\Windows\system32\atiu9pag.dll
0x6e6a0000 - 0x6eabf000 C:\Windows\system32\atiumdag.dll
0x6ead0000 - 0x6eed4000 C:\Windows\system32\atiumdva.dll
0x6d420000 - 0x6d426000 C:\Program Files (x86)\Java\jre6\bin\jp2native.dll
0x6d1d0000 - 0x6d1e3000 C:\Program Files (x86)\Java\jre6\bin\deploy.dll
0x75850000 - 0x7596d000 C:\Windows\syswow64\CRYPT32.dll
0x75830000 - 0x7583c000 C:\Windows\syswow64\MSASN1.dll
0x75b10000 - 0x75c2a000 C:\Windows\syswow64\WININET.dll
0x76f80000 - 0x76f83000 C:\Windows\syswow64\Normaliz.dll
0x76090000 - 0x76248000 C:\Windows\syswow64\iertutil.dll
0x75d70000 - 0x75e80000 C:\Windows\syswow64\urlmon.dll
0x6d6a0000 - 0x6d6e6000 C:\Program Files (x86)\Java\jre6\bin\regutils.dll
0x6d600000 - 0x6d613000 C:\Program Files (x86)\Java\jre6\bin\net.dll
0x75970000 - 0x759a5000 C:\Windows\syswow64\WS2_32.dll
0x75840000 - 0x75846000 C:\Windows\syswow64\NSI.dll
0x74170000 - 0x741ac000 C:\Windows\system32\mswsock.dll
0x74150000 - 0x74156000 C:\Windows\System32\wship6.dll
0x6d620000 - 0x6d629000 C:\Program Files (x86)\Java\jre6\bin\nio.dll
0x74380000 - 0x74388000 C:\Windows\system32\Secur32.dll
0x742f0000 - 0x74334000 C:\Windows\system32\dnsapi.DLL
0x74240000 - 0x7425c000 C:\Windows\system32\iphlpapi.DLL
0x74230000 - 0x74237000 C:\Windows\system32\WINNSI.DLL
0x6d230000 - 0x6d27f000 C:\Program Files (x86)\Java\jre6\bin\fontmanager.dll
0x74160000 - 0x74165000 C:\Windows\System32\wshtcpip.dll
0x74120000 - 0x74147000 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
0x75eb0000 - 0x75eb5000 C:\Windows\syswow64\PSAPI.DLL
0x74020000 - 0x74026000 C:\Windows\system32\rasadhlp.dll
0x73fa0000 - 0x73fd8000 C:\Windows\System32\fwpuclnt.dll
0x6d510000 - 0x6d535000 C:\Program Files (x86)\Java\jre6\bin\jsound.dll
0x6d540000 - 0x6d548000 C:\Program Files (x86)\Java\jre6\bin\jsoundds.dll
0x72800000 - 0x72872000 C:\Windows\system32\DSOUND.dll
0x727d0000 - 0x727f5000 C:\Windows\system32\POWRPROF.dll
0x762f0000 - 0x7648d000 C:\Windows\syswow64\SETUPAPI.dll
0x75e80000 - 0x75ea7000 C:\Windows\syswow64\CFGMGR32.dll
0x75cb0000 - 0x75cc2000 C:\Windows\syswow64\DEVOBJ.dll
0x72590000 - 0x725c9000 C:\Windows\system32\MMDevAPI.DLL
0x71930000 - 0x71a25000 C:\Windows\system32\PROPSYS.dll
0x71a90000 - 0x71ac0000 C:\Windows\system32\wdmaud.drv
0x727b0000 - 0x727b4000 C:\Windows\system32\ksuser.dll
0x72600000 - 0x72607000 C:\Windows\system32\AVRT.dll
0x71a50000 - 0x71a86000 C:\Windows\system32\AUDIOSES.DLL
0x72580000 - 0x72588000 C:\Windows\system32\msacm32.drv
0x724e0000 - 0x724f4000 C:\Windows\system32\MSACM32.dll
0x72570000 - 0x72577000 C:\Windows\system32\midimap.dll
0x75ce0000 - 0x75d63000 C:\Windows\syswow64\CLBCatQ.DLL
0x6d440000 - 0x6d465000 C:\Program Files (x86)\Java\jre6\bin\jpeg.dll
0x71b70000 - 0x71b86000 C:\Windows\system32\CRYPTSP.dll
0x71b30000 - 0x71b6b000 C:\Windows\system32\rsaenh.dll
0x741c0000 - 0x741d0000 C:\Windows\system32\NLAapi.dll
0x6df80000 - 0x6df90000 C:\Windows\system32\napinsp.dll
0x6df60000 - 0x6df72000 C:\Windows\system32\pnrpnsp.dll
0x6df50000 - 0x6df58000 C:\Windows\System32\winrnr.dll
VM Arguments:
jvm_args: -D__jvm_launched=27024890823 -Xbootclasspath/a:C:\\PROGRA~2\\Java\\jre6\\lib\\deploy.jar;C:\\PROGRA~2\\Java\\jre6\\lib\\javaws.jar;C:\\PROGRA~2\\Java\\jre6\\lib\\plugin.jar -Dsun.awt.warmup=true -Xmx128m -Dsun.plugin2.jvm.args=-D__jvm_launched=27024890823 "-Xbootclasspath/a:C:\\\\PROGRA~2\\\\Java\\\\jre6\\\\lib\\\\deploy.jar;C:\\\\PROGRA~2\\\\Java\\\\jre6\\\\lib\\\\javaws.jar;C:\\\\PROGRA~2\\\\Java\\\\jre6\\\\lib\\\\plugin.jar" "-Djava.class.path=C:\\\\PROGRA~2\\\\Java\\\\jre6\\\\classes" -Dsun.awt.warmup=true --- -- -Xmx128m
java_command: sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid4656_pipe3,read_pipe_name=jpi2_pid4656_pipe2
Launcher Type: SUN_STANDARD
Environment Variables:
PATH=C:\Program Files (x86)\Internet Explorer;;C:\Program Files (x86)\AMD APP\bin\x86_64;C:\Program Files (x86)\AMD APP\bin\x86;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files (x86)\Windows Live\Shared;C:\Program Files (x86)\QuickTime\QTSystem\
USERNAME=Leah
OS=Windows_NT
PROCESSOR_IDENTIFIER=AMD64 Family 16 Model 4 Stepping 3, AuthenticAMD
--------------- S Y S T E M ---------------
OS: Windows 7 , 64 bit Build 7601 Service Pack 1
CPU:total 4 (4 cores per cpu, 1 threads per core) family 16 model 4 stepping 3, cmov, cx8, fxsr, mmx, sse, sse2, sse3, popcnt, mmxext, 3dnow, 3dnowext, lzcnt, sse4a
Memory: 4k page, physical 8387700k(6038552k free), swap 16773552k(14392164k free)
vm_info: Java HotSpot(TM) Client VM (20.4-b02) for windows-x86 JRE (1.6.0_29-b11), built on Oct 3 2011 01:01:08 by "java_re" with MS VC++ 7.1 (VS2003)
time: Fri Nov 18 07:32:30 2011
elapsed time: 981 seconds
--------------------------------------------------------------------------
Do you think I'm getting this error because of this Trojan? It deleted the trojan twice, but allowed it once. I have scanned my system like crazy with MSE, Malwarebytes and ESET online scanner 3 or 4 times and nothing shows up. I thought it was gone, but now I wonder because of these error messages saved to my desktop.
The trojan that was allowed, I can't find the path that leads to where it is to manually delete anything fishy.
Thanks