Problem with persistent java.exe process on WinXP (Solved)

[DJQuanta]

Hello Guys,

Yesterday I noticed something that brought my attention. While checking the task manager on WinXP (SP2) I noticed a java.exe process, I thought it could be from some applet that I had navigated, but since I had the browser closed I just killed the process. To my surprise after 4 or 5 secs the process appears again.

Inmediately I suspected some irregular activity, so I ran Netstat to check if there were some external connections active, what I found was this (enigma is the name of my computer):

TCP enigma:1026 localhost:32000 ESTABLISHED
TCP enigma:32000 localhost:1026 ESTABLISHED

When I kill the java.exe process and run netstat those two connections dissapear, but when the java.exe process appears again the two connections come back, so obviously the java.exe is making the two connections.

Any ideas about this ?. I tryed unistalling the Java 5 SDK but the java.exe process it's still there, I searched my computer and the only other two instances of java.exe I have are from Dreamweaver MX and Maya 6.

Thanks,

Quanta

 

[MercenaryForHire]

Got Virus?

It's connecting back to itself (localhost) but it could also be waiting for something from outside. Run a scan, check your registry & msconfig for suspicious startup entries.

- M4H

 

[mechBgon]

MyDoom virus variants use that filename, for starters. Yeah, run a virus scan. If your antivirus software is expired or none at all, then there's some online scanners listed at http://www.antisource.com, link on the left side there. Panda and TrendMicro are recommended a lot, so try them.

 

[DJQuanta]

Sorry I didn't mentioned that guys... I ran an updated Norton Antivirus and Mcafee Stinger and both returned no viruses found.

Other ideas ??

 

[mechBgon]

Originally posted by: DJQuanta
Sorry I didn't mentioned that guys... I ran an updated Norton Antivirus and Mcafee Stinger and both returned no viruses found.

Other ideas ??

Can you find the java.exe file and send me a copy? tmcfadden (a) omnicast (dot) net

Edit: also could you post a HijackThis logfile. HijackThis download.

 

[DJQuanta]

Well.... I did a check of my services and found the little sucker...

Alias Wavefront Maya 6 documentation works with a custom java application server (it seems a striped down version of Tomcat) that serves the pages and allows searching of the docs. When you install Maya the service is configured as "Automatic" so the server is up all the time (and thus the java.exe process). That's why I found a java.exe inside the Maya folder, 'cause it ships with a copy of the JRE.

BTW.... it's not neccesary to have it in AUTOMATIC, 'cause if you stop the process and request the documentation from Maya the server it's started and then the docs are displayed.

Now I have 18 Mb of my Ram back from javaland

Thanks for the help.

Quanta