Microsoft VM on Win2000 SP4


nancy

I have identified that I have the Microsoft VM "virus"

I am running on win2000 service pack 4, and according
to "http://support.microsoft.com/?kbid=820101" Question 4,
I am supposed to go to windowsupdate.microsoft.com, and
Microsoft will detect that I need to update it. However, I
have downloaded all the patches it suggests, and the
problem is still not fixed (the same website keeps getting
reset as my homepage every time I restart my computer).

Can someone refer me to a page where I can download this
patch directly??? Thanks!
 
Hi Nancy - It appears that you're trying to deal with two different
problems - re-installing the MS Java VM for Win2kSP4 and with a hijacked
home page. I'm going to make two separate posts - this one to deal with the
Java VM issue and a separate one about the home page problem. In what
follows, there are special provisions for the SP4 case, so take note.

You can test whether Java is working on your machine at the following
sites:

http://www.pocoso.de/pocoso052.html
http://www.clan.lib.ri.us/clan/javatest.html
http://www.fitwise.com/testjava.asp (both 1.0 and 1.1 and what's
installed)
http://coglab.wadsworth.com/support/browsercheck.html
http://www.ces.clemson.edu/webct/browser_detect.html

and you can test Javascript here:
http://www.dancespots.net/browsertest.htm

and check whether you have the MS VM installed and which version here:
http://www.visualware.com/support/javasupport.html

Be aware, however, that after Sept. 30, 2004, MS will apparently no longer
be distributing Java or providing any support for Java including
security fixes. (It's unclear as to how the 6/26/03 court decision will
affect this.) See here:

http://www.microsoft.com/windowsxp/pro/evaluation/news/jre.asp, and
http://www.microsoft.com/mscorp/java/, and more recently here:
http://www.reuters.com/newsArticle....RBAELCFEY?type=technologyNews&storyID=3572282
so you might want to start thinking about the future.

You can get the Sun Java J2SE RunTimes or SDK here:
http://java.sun.com/downloads/index.html (all versions - select using
the dropdown)

Sun also offers an automatic download and install of the 1.4 Java
plug-in here: http://java.sun.com/getjava/download.html



For the MS Java VM, you may need to install v.3809 prior to upgrading
to v. 3810 if you didn't previously have MS Java v. 3805 or 3809
installed.

If your OS is Win2000 SP2, SP3 but NOT SP4 then you can download and
install the MS Java VM v. 3809 from here:
http://download.windowsupdate.com/m..._510A502BA8F9B6F19230BB2BCCE87D5474AC9DCD.exe
or here:
http://www.biologylab.awlonline.com...icrosoft.Q810030_W2K_SP4_5849/Q810030_W2K.exe

For Win2000 SP4, you'll need to re-install v.3805, from here:
http://www.nhyrvana.com/files/pop.cgi?file=win2kmsjavx86.zip It will
download as Pop.zip. Just unzip it and then execute the resultant
msjavx86. This is the only version that I know of that will re-install
under SP4.

For all other OS's:

Download and install the MS Java VM v. 3809 from one of the links here:
http://www.nhyrvana.com/files/pop.cgi?file=3809.exe (it will be named
pop.exe), or here:
http://www.biologylab.awlonline.com...XP/com_microsoft.javavm_3809_5853/msjavwu.exe,
or here:
http://secinfo.huji.ac.il/patches/Win-xp/msjavwu.exe


Then upgrade to v. 3810:

For all OS's except Win2k, obtain v. 3810 here:
http://fileforum.betanews.com/detail.php3?fid=1050022631

For all versions of Win2k - SP2, SP3 or SP4 - obtain v. 3810 here:
http://download.microsoft.com/downl...-9b18-423356321682/Q816093_W2K_SP4_X86_EN.exe

Both Java VM's can co-exist on your machine quite nicely. Just select
which one you want to use in Tools|Internet Options|Advanced and restart
all IE browsers. Here, courtesy of Michel Gallant, MVP Security, is a
tiny utility which allows you to toggle and view status of your current
Java VM vendor associated with IE:
http://pages.istar.ca/~neutron/SelectIEJVM

A note from Mitch Gallant:

"One note about the JVM Selector utility:
If/when you install a new version of Sun J2SE, you need to manually
select to have Sun JVM as default JVM for IE (in install), or after
install via the JavaPlugin control panel. This generates the necessary
win32 registry entries, which must be present for the utility to know
about JavaPlugin. After that, the utility should work properly."


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
OK Nancy, now about your start page. It sounds like you've been hijacked.
If you go to this page at Jim Eshelman's site, here:
http://aumha.org/a/noads.htm and wait a little bit (be patient), an analysis
of a number of possible parasites on your machine will be made to help you
identify and remove them. NOTE: You will need to disable Ad Blocking in
Zone Alarm 3.x, if present or any other Ad Blocking software which
interferes with Java Scripting for this scan to work. You should get a
message between the two lines of **** giving the results of the scan.

From your description it's difficult to be sure just what you got into, and
therefore to prescribe any specific actions. Do the following:

Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click the
Config button, then Misc Tools and click on Generate StartupList.log which
will create Startuplist.txt

Go to Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files into a message asking for
assistance. Someone will answer with detailed instructions for the removal
of your parasite(s).

In addition to the above, if you don't already have them, here are some
things which will help you defend your systems:

The best way to start is to get Ad-Aware 6.0, Build 181 or later, here:
http://www.lavasoftusa.com/support/download/. Update and run this regularly
to get rid of most "spyware/hijackware" on your machine. If it has to fix
things, be sure to re-boot and rerun AdAware again and repeat this cycle
until you get a clean scan. The reason is that it may have to remove things
which are currently "in use" before it can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to re-boot
and rerun SpyBot again and repeat this cycle until you get a clean "no red"
scan. The reason is that SpyBot sometimes has to remove things which are
currently "in use" before it can then clean up others.

Lastly, you might want to consider installing the SpywareBlaster and
SpywareGuard here to help prevent this kind of thing from happening in the
future:

http://www.wilderssecurity.com/spywareblaster.html (Prevents malware ActiveX
installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed (currently 822 baddies), and it provides information and
fixit-links for a variety of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
sorry jim-

i forgot to mention that i already have Microsoft VM v. 3810
(after i ran the "jview" command, the first line
indicated: "Java Version 5.00.3810")

so do i still need to download other versions of VM? i
won't just yet.. but i will go ahead and execute what you
have advised me in your next post.
 
Hi Nancy - Did you run ALL of the tests at ALL of the sites I listed? What
did they show? [There's a procedure for doing a reinstall of MS Java VM in
SP4 (besides the reinstall from scratch approach that I already gave you),
but it's involved and we should avoid it if possible.] If the tests show
OK, then I think you need to look at the malware issues (my other post).
Your VM is probably OK if those tests are good and jview shows 3810.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
Thanks, Jim

the "aumha.org" website was able to detect that i had
the "winshow" parasite, and directed me to manually delete
the files from my Windows folder. however, i am still
experiencing the same problem, but i did create the two
log files from HijackThis and copy/pasted them to the
hijackthis technicians.. hope they can resolve it!
 
OK, Nancy - Sounds like you're headed in the right direction. They're a
very good bunch in that forum and will likely be able to help. Just to be
sure - you did delete all three of winshow.dll, winshow.cfg and dict.dat
from the Windows folder? I doubt that this was the cause of your homepage
problem, however. Let's see what the Forum comes up with. Please post back
with your results.

--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 
jim-

they did a great job. i posted my log files from
HijackThis, and they were able to tell me which files i
should select to "fix" and to delete "sys.reg" from my
Windows folder, and it seems to have done the trick!

yes, i also deleted the three files you mentioned below,
and yes, i have MS VM v. 3810.

thanks a bunch for all your help! :)
 