Author Topic: Javaw.exe Virus?  (Read 11145 times)


REDACTED

  • Guest
Javaw.exe Virus?
« on: June 02, 2015, 12:50:20 AM »
Hello people of the interwebs!
I tried to search up my problem here, but I couldn't find it, so I decided to make a post about it, to see if any of you guys could help me with it.  I use a PC with Windows 7.
So basically this problem has been ongoing for 2-3 months now, and it all started when a hacked Steam messenger messaged me a Java file that might've contained a virus. I clicked on it and then boom. I immediately deleted the file and cleaned my cpu from it, and scanned it with Malwarebytes.
However, over these past few months, at startup, in Task Manager, I always have a Javaw.exe running at 1.5-2 million memory. I usually just end the process and continue with my business.
I've tried to solve it many times by reinstalling Java and running deep and startup scans with Avast, but to no avail. If you guys need more information feel free to ask; I'm not sure what to give since I am still in high school and naive to antivirus.
Thank you!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Javaw.exe Virus?
« Reply #1 on: June 02, 2015, 12:57:36 AM »
Quote
in the task manager, I always have a Javaw.exe running at 1.5-2 million memory.
Upload and test the file at www.virustotal.com; if it has been tested before, click rescan for a fresh result.
Post the link to the scan result here.


Offline Pondus

Re: Javaw.exe Virus?
« Reply #2 on: June 02, 2015, 01:00:44 AM »
Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Attach the requested logs.

When done, a malware expert will assist you when online; it may take hours.

REDACTED

  • Guest
« Last Edit: June 02, 2015, 01:21:45 AM by jmaoc11 »

REDACTED

  • Guest
Re: Javaw.exe Virus?
« Reply #4 on: June 02, 2015, 01:42:39 AM »
here are the logs
« Last Edit: June 02, 2015, 01:46:57 AM by jmaoc11 »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Javaw.exe Virus?
« Reply #5 on: June 02, 2015, 02:06:56 AM »
Scan this: Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoUpdater.jar
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.


Offline Pondus

Re: Javaw.exe Virus?
« Reply #7 on: June 02, 2015, 02:44:37 AM »
Quote
https://www.virustotal.com/en/file/e9fe45c91d7e9cf53615929f90b52fecb9337634712869738b86af5b846ab306/analysis/

seems like there's a backdoor
You did not click rescan for a fresh result. Analysis date: 2015-05-29 15:30:43 UTC (3 days, 9 hours ago)

Anyway, it is a false positive from Agnitum.
First submission 2015-05-01 17:32:25 UTC (1 month ago)
Quote
Authenticode signature block
Copyright Copyright © 2015
Publisher Oracle America
Product Java(TM) Platform SE 8
Original name javaw.exe
Internal name javaw
File version 8.0.45.15
Description Java(TM) Platform SE binary
Signature verification  Signed file, verified signature
Signing date 9:06 PM 4/30/2015
Signers   
  • Oracle America
  • Symantec Class 3 SHA256 Code Signing CA
  • VeriSign

Counter signers   
  • Symantec Time Stamping Services Signer - G4
  • Symantec Time Stamping Services CA - G2
  • Thawte Timestamping CA

Offline Pondus

Re: Javaw.exe Virus?
« Reply #8 on: June 02, 2015, 02:47:15 AM »
malware expert will be back online tomorrow


REDACTED

  • Guest

Offline Michael (alan1998)

Re: Javaw.exe Virus?
« Reply #10 on: June 02, 2015, 12:23:07 PM »
Quote
Just on a side note, Pondus, are you a bot?
Makes you wonder, doesn't it? But, no, he's not. He's an actual human being, on a computer.

https://www.virustotal.com/en/file/2cbd7b140fbd217d12d8391799daa868e0b3f1ff991e3505babeab762849ebf0/analysis/1433206188/
Not a surprise to see that listed as being malware. I suspect someone will remove it along the way. Jar files shouldn't be auto-starting with Windows.

Edit:
FYI: The reason why javaw.exe is being detected rather than the AutoUpdater.jar file is because Java runs the JAR file. Java can't tell if it's malicious or not. You see the same thing with games like Minecraft that use .jar files. When you launch Minecraft, you're launching javaw.exe *32. That's why we recommend removing Java unless absolutely needed.

Quote
First submission 2015-06-02 00:19:18 UTC ( 10 hours, 7 minutes ago )
Last submission 2015-06-02 00:49:48 UTC ( 9 hours, 36 minutes ago )

it is new ^^
« Last Edit: June 02, 2015, 12:28:21 PM by Michael (alan1998) »
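The point Michael makes above (the signed javaw.exe is just the host; the JAR it was launched with is the real sample) and the signature check Pondus pasted from VirusTotal can both be done locally. The script below is an added example, not code from the thread or from Avast: it maps every running javaw.exe/java.exe to the JAR named on its command line, hashes that JAR with SHA-256 (the hash VirusTotal keys its reports on, as in the links in this thread), checks the host binary's Authenticode signature, and lists any .jar wired into the Startup folders or Run keys even if the process has already been killed. It assumes Windows PowerShell 4.0 or later (Get-CimInstance, Get-FileHash; Windows 7 ships 2.0 and needs the Windows Management Framework update) and is read-only. Function names are mine.

```powershell
# Added example, not from the thread or from Avast. Read-only.
# Assumes Windows PowerShell 4.0+ (Get-CimInstance, Get-FileHash). Run as the logged-on user.

function Get-JarFromCommandLine {
    param([string]$CommandLine)
    # Picks the argument after "-jar", quoted or not. Returns $null when Java was
    # started with a class name instead of a JAR.
    if ($CommandLine -match '(?i)-jar\s+(?:"([^"]+)"|(\S+))') {
        if ($matches[1]) { return $matches[1] } else { return $matches[2] }
    }
    return $null
}

function Test-InStartupFolder {
    param([string]$Path)
    # True when the JAR sits directly in the per-user or all-users Startup folder.
    foreach ($f in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if ($f -and ([IO.Path]::GetDirectoryName($Path) -ieq $f)) { return $true }
    }
    return $false
}

function Get-JavaHostReport {
    Get-CimInstance Win32_Process -Filter "Name='javaw.exe' OR Name='java.exe'" | ForEach-Object {
        $jar = Get-JarFromCommandLine $_.CommandLine
        # Authenticode check on the host exe: a valid Oracle signature means javaw.exe itself is clean.
        $sig = if ($_.ExecutablePath) { Get-AuthenticodeSignature -FilePath $_.ExecutablePath } else { $null }
        $jarExists = $jar -and (Test-Path -LiteralPath $jar)
        [pscustomobject]@{
            PID        = $_.ProcessId
            HostExe    = $_.ExecutablePath
            HostSig    = if ($sig) { $sig.Status } else { 'n/a' }
            HostSigner = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            Jar        = $jar
            JarSHA256  = if ($jarExists) { (Get-FileHash -LiteralPath $jar -Algorithm SHA256).Hash } else { 'n/a' }
            InStartup  = if ($jar) { Test-InStartupFolder $jar } else { $false }
        }
    }
}

function Get-AutostartJars {
    # JARs that will come back at next logon even if the process was ended in Task Manager.
    foreach ($f in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if ($f) {
            Get-ChildItem -LiteralPath $f -Filter *.jar -File -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{ Where = 'StartupFolder'; Jar = $_.FullName
                                   SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
            }
        }
    }
    foreach ($key in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match '\.jar' })) {
            [pscustomobject]@{ Where = "$key [$($prop.Name)]"; Jar = $prop.Value; SHA256 = 'n/a' }
        }
    }
}

Get-JavaHostReport | Format-List
Get-AutostartJars  | Format-Table -AutoSize
```

A host exe reporting `HostSig = Valid` with an Oracle subject and a JAR path under `...\Start Menu\Programs\Startup\` is exactly the picture in this thread: the process is Oracle's, the JAR is the thing to upload.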

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Javaw.exe Virus?
« Reply #11 on: June 02, 2015, 04:16:11 PM »
Let me know how the computer is after this

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-3799384054-596061444-940522682-1000\...\Run: [Boxoft Tools] => C:\ProgramData\Boxtools\Boxofttoolbox.exe [514048 2010-12-15] ()
AppInit_DLLs: C:\PROGRA~3\Wincert\WIN64C~1.DLL => C:\PROGRA~3\Wincert\WIN64C~1.DLL File not found
AppInit_DLLs:  C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll => C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll File not found
AppInit_DLLs:  C:\PROGRA~2\SETTIN~1\systemk\x64\syskldr.dll => C:\PROGRA~2\SETTIN~1\systemk\x64\syskldr.dll File not found
AppInit_DLLs-x32: C:\PROGRA~3\Wincert\WIN32C~1.DLL => "C:\PROGRA~3\Wincert\WIN32C~1.DLL" File not found
AppInit_DLLs-x32:  C:\PROGRA~2\Linkey\IEEXTE~1\iedll.dll => "C:\PROGRA~2\Linkey\IEEXTE~1\iedll.dll" File not found
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browsemngr.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browsermngr.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\bundlesweetimsetup.exe: [Debugger] tasklist.exe
IFEO\cltmngsvc.exe: [Debugger] tasklist.exe
IFEO\delta babylon.exe: [Debugger] tasklist.exe
IFEO\delta tb.exe: [Debugger] tasklist.exe
IFEO\delta2.exe: [Debugger] tasklist.exe
IFEO\deltainstaller.exe: [Debugger] tasklist.exe
IFEO\deltasetup.exe: [Debugger] tasklist.exe
IFEO\deltatb.exe: [Debugger] tasklist.exe
IFEO\deltatb_2501-c733154b.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\iminentsetup.exe: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\rjatydimofu.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\sweetimsetup.exe: [Debugger] tasklist.exe
IFEO\tbdelta.exetoolbar783881609.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoUpdater.jar [2015-03-15] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-3799384054-596061444-940522682-1000] ATTENTION ==> Default URLSearchHook is missing
BHO-x32: No Name -> {6AC15D28-71DE-9984-2276-5E0A9F988F00} ->  No File
Toolbar: HKU\S-1-5-21-3799384054-596061444-940522682-1000 -> No Name - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} -  No File
CHR Extension: (Plus-HD-9.3) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\gngfnjclpjflgomhidfecidndbfaniak [2014-04-01]
2015-05-16 23:18 - 2015-05-16 23:18 - 00000000 _____ () C:\Windows\SysWOW64\REN5763.tmp
2015-05-16 23:04 - 2015-05-21 23:45 - 00000000 ____D () C:\Users\User\Downloads\sarkar
2015-05-16 13:53 - 2015-05-16 22:56 - 00000000 ____D () C:\ProgramData\SecTaskMan
2015-05-16 13:53 - 2015-05-16 13:53 - 00000000 ____D () C:\Users\User\AppData\Local\SecTaskMan
2015-06-01 14:58 - 2013-01-25 19:42 - 00000000 ____D () C:\ProgramData\Boxtools
2015-05-31 19:06 - 2013-01-28 19:48 - 00000000 ____D () C:\Program Files (x86)\WebSearch
Task: {61A6506C-8F8A-4DB6-A3E2-F6D29195D8B8} - \SoftUpdateDaily No Task File <==== ATTENTION
Task: {F8684EB5-B0D9-4A8A-8ECF-E5F3E9F87875} - \SoftUpdateLogon No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
Hosts:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that
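The fixlist above is a list of persistence points (IFEO Debugger redirects, AppInit_DLLs, a Run entry, a Startup-folder JAR, scheduled-task records with no task file, browser policy keys). The script below is an added example, not FRST and not essexboy's fixlist: a read-only audit that enumerates those same locations on a machine and flags entries whose target file no longer exists, so each line of a fix like this can be checked before it is applied. It assumes an elevated Windows PowerShell 3.0+ prompt (the TaskCache key is not readable by a standard user); registry paths are the standard Windows ones, function names are mine, and nothing here modifies the system.

```powershell
# Added example, not FRST output and not the fixlist. Read-only audit; run elevated, PowerShell 3.0+.

function New-Finding {
    param([string]$Type, [string]$Name, [string]$Value, $FileExists)
    [pscustomobject]@{ Type = $Type; Name = $Name; Value = $Value; FileExists = $FileExists }
}

function Get-IfeoDebuggers {
    # IFEO\<exe>\Debugger makes Windows start the named program instead of <exe>.
    # Entries pointing at tasklist.exe (as in the fixlist) simply stop those exes from running.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { New-Finding 'IFEO' $_.PSChildName $dbg $null }
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs are injected into every process that loads user32.dll when LoadAppInit_DLLs=1.
    # Values are often stored as 8.3 short names (C:\PROGRA~3\...); Test-Path resolves those.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.AppInit_DLLs) { continue }
        foreach ($dll in ($p.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ })) {
            $dll = $dll.Trim('"')
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            New-Finding 'AppInit_DLLs' "$key (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))" $dll $exists
        }
    }
}

function Get-RunEntries {
    foreach ($key in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $p = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            # Strip quotes and arguments so the existence check looks at the executable only.
            $v = "$($prop.Value)"
            $exe = if ($v -match '^"([^"]+)"') { $matches[1] } else { ($v -split ' ')[0] }
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            New-Finding 'Run' "$key [$($prop.Name)]" $v $exists
        }
    }
}

function Get-StartupFolderItems {
    # Anything here is opened by the shell at logon; a .jar only runs because Java is the .jar handler.
    foreach ($f in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if ($f) {
            Get-ChildItem -LiteralPath $f -File -ErrorAction SilentlyContinue |
                ForEach-Object { New-Finding 'Startup' $_.FullName $_.Extension $true }
        }
    }
}

function Get-OrphanedTasks {
    # Task Scheduler keeps one record per task under TaskCache\Tasks\{GUID} with a Path value;
    # the matching XML lives under System32\Tasks. A record without its XML is what FRST
    # reports as "No Task File".
    $cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    Get-ChildItem $cache -ErrorAction SilentlyContinue | ForEach-Object {
        $taskPath = (Get-ItemProperty $_.PSPath -Name Path -ErrorAction SilentlyContinue).Path
        if ($taskPath) {
            $xml = Join-Path "$env:SystemRoot\System32\Tasks" $taskPath.TrimStart('\')
            New-Finding 'Task' $_.PSChildName $taskPath (Test-Path -LiteralPath $xml)
        }
    }
}

function Get-BrowserPolicyKeys {
    # Adware commonly drops Chrome/IE policies to pin a search provider or force an extension;
    # on a home PC that is not domain-joined these keys normally do not exist at all.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Google', 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
        if (Test-Path $key) {
            $k = Get-Item $key
            New-Finding 'Policy' $key "values=$($k.ValueCount) subkeys=$($k.SubKeyCount)" $null
        }
    }
}

$findings = @(Get-IfeoDebuggers) + @(Get-AppInitDlls) + @(Get-RunEntries) +
            @(Get-StartupFolderItems) + @(Get-OrphanedTasks) + @(Get-BrowserPolicyKeys)
$findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

Rows with `FileExists = False` are the dangling references FRST prints as "File not found" or "No Task File": they no longer load anything, but they are a record of what was installed earlier and are safe to clear. Rows with `FileExists = True` in the Startup folder or Run keys are the ones worth hashing and uploading before they are removed.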

REDACTED

  • Guest
Re: Javaw.exe Virus?
« Reply #12 on: June 02, 2015, 10:20:04 PM »
Yay! Good news, it's fixed. I'll post the log just in case there are any other problems left, but thank you to everyone who helped me!
If the experts don't mind I have a few follow up questions:
1. What was actually wrong with my computer? Was it a virus?
2. What did you do to get rid of it?
3. Are you guys paid to do this, or do you volunteer all these hours into helping people?

You guys are all amazing, and were very nice and fast. Thank you!

Offline essexboy

Re: Javaw.exe Virus?
« Reply #13 on: June 02, 2015, 11:15:36 PM »
Could you post the FRST fixlog please :)

The file was a generic downloader for adware programmes, now removed

Just deleted the relevant files and their associated registry entries

All done for free :)

REDACTED

  • Guest
Re: Javaw.exe Virus?
« Reply #14 on: June 02, 2015, 11:19:20 PM »
um... did I post the wrong one? oops