Pryda
Posts: 31 +0
Hello. I did various scans using MSE, Sophos and something else (ESET? I can't remember) last night, which all removed trojans etc., so each time I thought I was in the clear. I was very wrong and the problem has not gone away.
I can't run Windows Update (actually haven't been able to for ages). For the past few days my Google search results have been redirecting. I can't view the event log. It's a bad situation. Yesterday before bed I started a Kaspersky Labs Rescue CD scan. I found loads of stuff, and I'd like to think so given the duration of the scan. Here is the log:
Objects Scan: malfunction (events: 1, objects: 0, time: Unknown)
8/21/12 1:00 AM Task started
Objects Scan: completed 8 minutes ago (events: 42, objects: 3655276, time: 12:52:43)
8/21/12 1:02 AM Task started
8/21/12 4:24 AM Detected:
Exploit.Java.CVE-2011-3544.hz C:/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/25/2c516359-51c90f20/Efira.class
8/21/12 4:24 AM Untreated:
Exploit.Java.CVE-2011-3544.hz C:/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/25/2c516359-51c90f20/Efira.class Postponed
8/21/12 4:24 AM Detected:
Exploit.Java.CVE-2010-0840.gg C:/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/gggsd.class
8/21/12 4:24 AM Untreated:
Exploit.Java.CVE-2010-0840.gg C:/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/gggsd.class Postponed
8/21/12 4:24 AM Detected:
Exploit.Java.CVE-2010-0840.gh C:/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/ggs.class
8/21/12 4:24 AM Untreated:
Exploit.Java.CVE-2010-0840.gh C:/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/ggs.class Postponed
8/21/12 6:24 AM Detected:
HEUR:Trojan.Win32.Generic C:/Users/McGinley/old_AppData/Local/Temp/Total Video Converter HD v3.71 + Serials [ChattChitto RG].exe/twunk_32.exe
8/21/12 6:24 AM Untreated:
HEUR:Trojan.Win32.Generic C:/Users/McGinley/old_AppData/Local/Temp/Total Video Converter HD v3.71 + Serials [ChattChitto RG].exe/twunk_32.exe Postponed
8/21/12 6:26 AM Detected:
Trojan-Downloader.Java.Agent.nu C:/Users/McGinley/old_AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/21fa620-2d893b07/Java.class
8/21/12 6:26 AM Untreated:
Trojan-Downloader.Java.Agent.nu C:/Users/McGinley/old_AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/21fa620-2d893b07/Java.class Postponed
8/21/12 7:10 AM Detected:
HEUR:Backdoor.Win64.Generic C:/$Recycle.Bin/S-1-5-21-3980526123-2046258496-35669315-1000/$RSYKZVK/80000000.@
8/21/12 7:10 AM Untreated:
HEUR:Backdoor.Win64.Generic C:/$Recycle.Bin/S-1-5-21-3980526123-2046258496-35669315-1000/$RSYKZVK/80000000.@ Postponed
8/21/12 8:33 AM Detected:
Exploit.Java.CVE-2011-3544.hz /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/25/2c516359-51c90f20/Efira.class
8/21/12 8:33 AM Untreated:
Exploit.Java.CVE-2011-3544.hz /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/25/2c516359-51c90f20/Efira.class Postponed
8/21/12 8:33 AM Detected:
Exploit.Java.CVE-2010-0840.gg /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/gggsd.class
8/21/12 8:33 AM Untreated:
Exploit.Java.CVE-2010-0840.gg /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/gggsd.class Postponed
8/21/12 8:33 AM Detected:
Exploit.Java.CVE-2010-0840.gh /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/ggs.class
8/21/12 8:33 AM Untreated:
Exploit.Java.CVE-2010-0840.gh /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/ggs.class Postponed
8/21/12 9:47 AM Processing error /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/Downloads/GoT_-_S1_Extras_-_Making_Game_of_Thrones.rar/Game.of.Thrones.EXTRAS.Making.Game.of.Thrones.BLURAY.720p.x264.DTS-TvT.mkv Read error
8/21/12 9:47 AM Processing error /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/Downloads/GoT_-_S1_Extras_-_Making_Game_of_Thrones.rar Read error
8/21/12 10:07 AM Detected:
HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/Local/Temp/Total Video Converter HD v3.71 + Serials [ChattChitto RG].exe/twunk_32.exe
8/21/12 10:07 AM Untreated:
HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/Local/Temp/Total Video Converter HD v3.71 + Serials [ChattChitto RG].exe/twunk_32.exe Postponed
8/21/12 10:07 AM Detected:
Trojan-Downloader.Java.Agent.nu /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/21fa620-2d893b07/Java.class
8/21/12 10:07 AM Untreated:
Trojan-Downloader.Java.Agent.nu /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/21fa620-2d893b07/Java.class Postponed
8/21/12 11:06 AM Detected:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe
8/21/12 11:06 AM Untreated:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe Postponed
8/21/12 1:51 PM Detected:
Exploit.Java.CVE-2011-3544.hz /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/25/2c516359-51c90f20/Efira.class
8/21/12 1:52 PM Deleted:
Exploit.Java.CVE-2011-3544.hz /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/25/2c516359-51c90f20
8/21/12 1:52 PM Detected:
Exploit.Java.CVE-2010-0840.gg /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/gggsd.class
8/21/12 1:53 PM Detected:
Exploit.Java.CVE-2010-0840.gh /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/ggs.class
8/21/12 1:53 PM Deleted:
Exploit.Java.CVE-2010-0840.gh /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a
8/21/12 1:53 PM Detected:
HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/Local/Temp/Total Video Converter HD v3.71 + Serials [ChattChitto RG].exe/twunk_32.exe
8/21/12 1:53 PM Deleted:
HEUR:Trojan.Win32.Generic /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/Local/Temp/Total Video Converter HD v3.71 + Serials [ChattChitto RG].exe
8/21/12 1:53 PM Detected:
Trojan-Downloader.Java.Agent.nu /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/21fa620-2d893b07/Java.class
8/21/12 1:53 PM Deleted:
Trojan-Downloader.Java.Agent.nu /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/old_AppData/LocalLow/Sun/Java/Deployment/cache/6.0/32/21fa620-2d893b07
8/21/12 1:53 PM Detected:
HEUR:Backdoor.Win64.Generic C:/$Recycle.Bin/S-1-5-21-3980526123-2046258496-35669315-1000/$RSYKZVK/80000000.@
8/21/12 1:54 PM Deleted:
HEUR:Backdoor.Win64.Generic C:/$Recycle.Bin/S-1-5-21-3980526123-2046258496-35669315-1000/$RSYKZVK/80000000.@
8/21/12 1:54 PM Detected:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe
8/21/12 1:54 PM Disinfected:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe
8/21/12 1:54 PM Disinfected:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe
8/21/12 1:54 PM Task completed
I thought that was problem solved. Well, it's now after 3pm and it's still not fixed. After rebooting from the Kaspersky CD, I did an MSE quick scan. It all started happening again: Sirefef.y pops up in the list and Windows says it'll shut down within a minute. I click 'clean' and 'remove all', but when the removal gets to about 75%, the time is up and the computer reboots.
I tried something I read on a forum while troubleshooting yesterday, shortcuts -> shutdown -a or something, but that didn't help prevent the shutdowns.
What I'll do now is try to run that FRST that all the threads seem to require. I'll post the log asap.
Thanks for reading.
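As an added illustration of how a responder would triage a log like the one above (this is example code, not from the post or from Kaspersky), the Python below parses the Rescue CD event format and lists detections that no later Deleted/Disinfected entry covers. The sample excerpt is constructed from entries in the post; note that the Deleted lines name the containing directory and only one of the two Java variants, so coverage is matched by path prefix rather than by threat name.

```python
import re

# Constructed excerpt in the format of the Kaspersky Rescue CD log quoted in the post.
SAMPLE_LOG = """\
8/21/12 1:02 AM Task started
8/21/12 7:10 AM Detected:
HEUR:Backdoor.Win64.Generic C:/$Recycle.Bin/S-1-5-21-3980526123-2046258496-35669315-1000/$RSYKZVK/80000000.@
8/21/12 11:06 AM Detected:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe
8/21/12 1:52 PM Detected:
Exploit.Java.CVE-2010-0840.gg /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/gggsd.class
8/21/12 1:53 PM Detected:
Exploit.Java.CVE-2010-0840.gh /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a/ggs.class
8/21/12 1:53 PM Deleted:
Exploit.Java.CVE-2010-0840.gh /mnt/MountedDevices/PD-7F848494-0000000006500000/Users/McGinley/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/54/469d6db6-38ad802a
8/21/12 1:54 PM Disinfected:
Virus.Win64.ZAccess.b C:/Windows/System32/services.exe
8/21/12 1:54 PM Task completed
"""

EVENT_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+ [AP]M) (Detected|Untreated|Deleted|Disinfected):$")
REMEDIATED = {"Deleted", "Disinfected"}

def parse_events(text):
    """Pair each action header with the object line that follows it.
    Returns (timestamp, action, threat, path) tuples; a trailing 'Postponed' is dropped."""
    lines = text.splitlines()
    events = []
    for i, line in enumerate(lines[:-1]):
        m = EVENT_RE.match(line)
        if m:
            obj = lines[i + 1].strip()
            if obj.endswith(" Postponed"):
                obj = obj[: -len(" Postponed")]
            threat, _, path = obj.partition(" ")  # threat names contain no spaces
            events.append((m.group(1), m.group(2), threat, path))
    return events

def unresolved(events):
    """Detected objects not covered by any Deleted/Disinfected entry. A Deleted line may
    name the containing directory, so a remediation covers every detected path beneath it."""
    fixes = [p for _, a, _, p in events if a in REMEDIATED]
    seen, out = set(), []
    for _, action, threat, path in events:
        if action != "Detected" or (threat, path) in seen:
            continue
        seen.add((threat, path))
        if not any(path == f or path.startswith(f + "/") for f in fixes):
            out.append((threat, path))
    return out
```

Run against the full log from a scan, anything returned by `unresolved` is what still needs attention after the Rescue CD pass; an infected `C:/Windows/System32/services.exe` reported as disinfected is still worth verifying from a clean boot, as the follow-up MSE detection in the post shows.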