Solved Windows command processor and possibly more

[Jay Pfoutz]

I doubt that. If the virus is going to spread, it'll spread via files. The only way that it won't spread to your flash drive when it's connected to the PC, is if it is write protected. But you'd still have to turn write protection off just to save files, so you'll throw yourself in a loop, if that makes sense.

 

[Nereth]

Hi there,

Kapersky Labs first scan crashed, so I started it again - it slowed down really hard at 50% and has been there for about 3 hours. It's now about 5 hours into the scan. It's still incrementing through files though, but I'll have to leave it while I get some sleep. It has currently found 8 threats. 6 are 'vulnerabilities', 2 are 'win32.Nimnul.e'

Oh, and there was no "OS" tick box available under scan scope in Kapersky. I ticked everything except optical drives though

So I'll post the log of the Norman Malware Cleaner Scan first incase it is useful to you on its own. The rest of the logs will come when their scan is complete.

By the way the NMC log was not named precisely as you described it would be, not sure if this is just a newer version or something.

Normal Malware Cleaner log:

Norman Malware Cleaner v2.06.01
Copyright © 1990 - 2012, Norman ASA.

Norman Scanner Engine Version: 7.00.12
nvcbin.def: Version: 7.00.1803, Date: 2012/11/08 14:20:42, Variants: 15294968
nvcmacro.def: Version: 0.00.00, Date: 1970/01/01 08:00:00, Variants: 0

Operating System: Windows 7 x64

Switches: /iagree

Scan started: 2012/11/08 17:59:35

Running pre-scan cleanup routine...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Scanning time: 0s

Scanning running processes and process memory...

Number of objects found: 2016
Number of objects scanned: 2016
Number of objects not scanned: 0
Number of malicious memory objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 17s

Scanning system for FakeAV...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Number of malicious files found: 0
Number of malicious files cleaned: 0
Scanning time: 0s

Running full scan...
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\master.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\mastlog.ldf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\model.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\modellog.ldf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\MSDBLog.ldf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\tempdb.mdf: Error opening file for read: 0x00000020
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA\templog.ldf: Error opening file for read: 0x00000020
C:\Program Files (x86)\Altium\AD 10\HS-AD10.exe: File infected with winpe/Suspicious_Gen2.JJFPG
Delete file: C:\Program Files (x86)\Altium\AD 10\HS-AD10.exe
Cleaning successful
C:\System Volume Information\Syscache.hve: Error opening file for read: 0x00000020
C:\System Volume Information\Syscache.hve.LOG1: Error opening file for read: 0x00000020
C:\System Volume Information\Syscache.hve.LOG2: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\db.mdb: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\edb.log: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\48f599bc7394900b6b5b3925722d724750599fab.HomeGroupClassifier\027edd5e419cdf88462bec34151cbabd\grouping\tmp.edb: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1: Error opening file for read: 0x00000020
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\catroot2\edb.log: Error opening file for read: 0x00000020
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb: Error opening file for read: 0x00000020
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: Error opening file for read: 0x00000020
C:\Windows\System32\config\DEFAULT: Error opening file for read: 0x00000020
C:\Windows\System32\config\DEFAULT.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\DEFAULT.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\DEFAULT: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SAM: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SECURITY: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SOFTWARE: Error opening file for read: 0x00000020
C:\Windows\System32\config\RegBack\SYSTEM: Error opening file for read: 0x00000020
C:\Windows\System32\config\SAM: Error opening file for read: 0x00000020
C:\Windows\System32\config\SAM.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\SECURITY: Error opening file for read: 0x00000020
C:\Windows\System32\config\SAM.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\SECURITY.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\SECURITY.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\SOFTWARE: Error opening file for read: 0x00000020
C:\Windows\System32\config\SOFTWARE.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\config\SOFTWARE.LOG1: Error opening file for read: 0x00000020
C:\Windows\System32\config\SYSTEM.LOG2: Error opening file for read: 0x00000020
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSteam Event Tracing.etl: Error opening file for read: 0x00000020
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl: Error opening file for read: 0x00000020
C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-1.bin: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\IMpServiceEDB4FA23-53B8-4AFA-8C5D-99752CCA7094.lock: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.67: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.7E: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.80: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.87: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.A0: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE0: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE1: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VE2: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\mpcache-4DA27D2F0496EC4CB8747BB6B36172DF8114BAC3.bin.VF: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MpDiag.bin: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb: Error opening file for read: 0x00000020
D:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Temp\acro_rd_dir\fla5028.tmp: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Local\Temp\acro_rd_dir\flaC861.tmp: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Mozilla\Firefox\Profiles\uot65xz2.default\parent.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\bistats.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\keyval.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\main.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\nereth1\msn.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\shared_dynco\dc.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\AppData\Roaming\Skype\shared_httpfe\queue.lock: Error opening file for read: 0x00000020
D:\Users\Ahmad\Desktop\cleaning\dds.com: File infected with winpe/Rootkit.ENBI
Delete file: D:\Users\Ahmad\Desktop\cleaning\dds.com
Cleaning successful
D:\Users\Ahmad\Desktop\Downloaded youtube songs\ComboFix.exe: File infected with winpe/Suspicious_Gen4.BKROE
Delete file: D:\Users\Ahmad\Desktop\Downloaded youtube songs\ComboFix.exe
Cleaning successful
D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar: Archive infected
D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar/CORE\cr-adpp0\Keygen.exe: File infected with doslegacy/Sality.AW
Delete archive object: D:\Users\Ahmad\Desktop\ISOs\ADOBE.CREATIVE.SUITE.5.5.MASTER.COLLECTION.ESD-ISO\CORE_CS_5.5.rar\CORE\cr-adpp0\Keygen.exe
Cleaning successful
D:\Users\Ahmad\Desktop\ISOs\Altium.Designer.v10.0.iSO-HS\Altium\Private License Server Setup\Setup\instmsiw.exe/noname.cab/instmsi.msi/file30: Not scanned: 0x00000001
D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar: Archive infected
D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar/keil_arm_4\Keygen\keygen.exe: File infected with generic/Packed_spybot_gen6.A
Delete archive object: D:\Users\Ahmad\Desktop\ISOs\Keil_4\keil4.rar\keil_arm_4\Keygen\keygen.exe
Cleaning successful
D:\Users\Ahmad\Downloads\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe: File infected with winpe/App_Generic.AIPIY
Delete file: D:\Users\Ahmad\Downloads\Sony Vegas Pro 12 Build 367 (64 bit patch-KHG) [ChingLiu]\patch - KHG\vegas.pro.12.-patch.exe
Cleaning successful
D:\Users\Ahmad\NTUSER.DAT: Error opening file for read: 0x00000020
D:\Users\Ahmad\ntuser.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\Ahmad\ntuser.dat.LOG2: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\NTUSER.DAT: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\ntuser.dat.LOG1: Error opening file for read: 0x00000020
D:\Users\UpdatusUser\ntuser.dat.LOG2: Error opening file for read: 0x00000020

Number of files found: 284029
Number of archives unpacked: 9009
Number of objects found: 1355895
Number of objects scanned: 1355806
Number of objects not scanned: 89
Number of malicious objects found: 6
Number of malicious objects cleaned: 6
Number of malicious files found: 6
Number of malicious files cleaned: 6
Scanning time: 48m 6s

Running post-scan cleanup routine...

Number of malicious objects found: 0
Number of malicious objects cleaned: 0
Scanning time: 0s

Results:
Total number of files found: 284029
Total number of archives unpacked: 9009
Total number of objects found: 1357911
Total number of objects scanned: 1357822
Total number of objects not scanned: 89
Total number of malicious objects found: 6
Total number of malicious objects cleaned: 6
Total number of malicious files found: 6
Total number of malicious files cleaned: 6
Total number of objects quarantined: 4
Total scanning time: 48m 23s

 

[Nereth]

Hey,

The other scans are done.

However, the kapersky automatic scan file took something like 5-10 minutes to save and ended up being 600 megs. I assume something went wrong with it because that seems a bit big . I can't even open it up with notepad, notepad opens then stops responding before displaying anything. I wander if something went wrong with the kapersky scan in general. I do have the detected threats report though.

Kapersky detected threats:

Status: Vulnerability (events: 9)
8/11/2012 9:36:52 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/44681 C:\Program Files (x86)\Altium\AD 10\Subversion Client\svn.exe Low
8/11/2012 9:37:23 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files (x86)\Java\jre7\bin\java.exe Low
8/11/2012 9:38:21 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 C:\Program Files (x86)\Opera\opera.exe Low
8/11/2012 9:41:34 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll Low
8/11/2012 9:41:39 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\SysWOW64\msxml4.dll Low
8/11/2012 9:41:43 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
9/11/2012 3:06:17 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 c:\Program Files (x86)\Opera\opera.exe Low
9/11/2012 3:06:33 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 c:\Program Files (x86)\Java\jre7\bin\java.exe Low
9/11/2012 3:06:50 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 c:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
Status: Disinfected (events: 2)
8/11/2012 10:37:30 PM Disinfected virus Virus.Win32.Nimnul.e D:\Program Files (x86)\Alcohol Soft\Alcohol 120\pidalc.dll High
8/11/2012 10:37:32 PM Disinfected virus Virus.Win32.Nimnul.e D:\Program Files (x86)\FreeTime\FormatFactory\FFModules\Encoder\codecs\xanlib.dll High


Kapersky automatic scan report:

600 meg, too large to post or upload unless you reaaaaally want it (aussie internet, will likely take on the order of a day to upload ).

Panda ActiveScan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2012-11-09 14:19:05
PROTECTIONS: 2
MALWARE: 6
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET NOD32 Antivirus 5.2 Yes No
Microsoft Security Essentials No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/smd1quay.txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\3l6lwuie.txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/vnzccgm0.txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/vnzccgm0.txt]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\smd1quay.txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/smd1quay.txt]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\2fg8v783.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\50w143bv.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/qn2fqagz.txt]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/5u0ljkus.txt]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\nw3u5tbc.txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/nw3u5tbc.txt]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/nw3u5tbc.txt]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/xwt3tmx7.txt]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\xwt3tmx7.txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/xwt3tmx7.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/low/3ryl2eo9.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/low/02ih20hg.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\low\p0r5n58b.txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\qoobox\quarantine\d\users\ahmad\appdata\local\cdgijwjg.log.vir[ie cookies/q80b4rgi.txt]
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\roaming\microsoft\windows\cookies\q80b4rgi.txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No d:\users\ahmad\appdata\local\cdgijwjg.log[ie cookies/q80b4rgi.txt]
03009106 W32/Xor-encoded.A Virus No 0 Yes No d:\programdata\microsoft\windows defender\localcopy\{63c29f66-2041-5298-3e2f-969df3a6eeba}-maintenanceservice_tmp.exe
03009106 W32/Xor-encoded.A Virus No 0 Yes No d:\programdata\microsoft\windows defender\localcopy\{80e32ccc-04bd-e09f-09b6-e7eca3f59afe}-plugin-container.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

 

[Jay Pfoutz]

Something tells me this didn't go well... let's do the following: http://www.howtogeek.com/howto/36403/how-to-use-the-kaspersky-rescue-disk-to-clean-your-infected-pc/

 

[Nereth]

Is it ok with you if I use the USB flash disk version of that? I don't even have an optical disk around I think.

 

[Jay Pfoutz]

Go for it.

 

[Nereth]

Hrmmm I tried it twice, went to the "boot from" menu in my MOBO and chose, there were two options: 1) my flash disk and 2) something like "UEFA flash disk" (I don't remember the acronym) Tried the first one first and it said no boot partition found, I tried the second one second and it tried to boot into windows but failed IIRC and I just powered down (it was super late and I guess I wasn't paying enough attention, sorry!). Anyway the next day when I tried to start up normally windows complained that it couldn't boot properly and had to repair stuff (which it failed to do according to it, but it started up properly anyway after a restart).

Anyway I'm kind of scared that I came close to an unbootable PC just now D: I'll have a look over the instructions a bit more and if I can't find what I did wrong perhaps I will try the normal kapersky scan again instead of the rescue disk, maybe it will work this time XD

 

[Nereth]

Hi again,

So I didn't want to risk the flash drive again and I had to wait till tomorrow to get a CD ROM, so instead I've just finished trying the normal scan again. This time it completed in a much more reasonable 4 hours and 17 minutes.

Now, I once again have the detected threats scan (will post after thiis note), but the automatic scan report is now 607 megs. I managed to open it in word pad by being patient - actually it's still opening now, page by page, it's not corrupt or anything it's literally just a couple of lines for every single file on my computer, so it's no real surprise that it's so big.

Is this not normal? Have I saved the log incorrectly?

I haven't run the panda activescan yet, pending your instructions regarding Kapersky.

Kapersky Detected threats report:

Status: Vulnerability (events: 8)
12/11/2012 9:15:57 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/44681 C:\Program Files (x86)\Altium\AD 10\Subversion Client\svn.exe Low
12/11/2012 9:16:45 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files (x86)\Java\jre7\bin\java.exe Low
12/11/2012 9:18:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 C:\Program Files (x86)\Opera\opera.exe Low
12/11/2012 9:23:55 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\System32\Macromed\Flash\NPSWF64_11_4_402_287.dll Low
12/11/2012 9:24:04 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\SysWOW64\msxml4.dll Low
12/11/2012 9:24:16 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low
12/11/2012 11:15:42 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51183 c:\Program Files (x86)\Opera\opera.exe Low
12/11/2012 11:15:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51213 c:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll Low

Thanks for your time,
Nereth

 

[Jay Pfoutz]

Looks fine. How does the operating system operate, in general?

 

[Nereth]

It has run perfectly fine ever since that second cleaning script you made for me, although given how despite this, every second scan has been uncovering stuff, I don't know if that means it is OK or not.

 

[Jay Pfoutz]

Hi there. It all appears to be good, so we will finish up to make sure your computer is protected from malware in the future.

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

• Go to Control Panel and select System and Maintenance
• Select System
• On the left select Advance System Settings and accept the warning if you get one
• Select System Protection Tab
• Select Create at the bottom
• Type in a name I.e. Clean
• Select Create

Now we can purge the infected ones

• Go back to the System and Maintenance page
• Select Performance Information and Tools
• On the left select Open Disk Cleanup
• Select Files from all users and accept the warning if you get one
• In the drop down box select your main drive I.e. C
• For a few moments the system will make some calculations:
  
  
• Select the More Options tab
  
  
• In the System Restore and Shadow Backups select Clean up
  
  
• Select Delete on the pop up
• Select OK
• Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
• Double click OTC.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner Slim and save it to your Desktop - Alternate download link

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

• Double-click the CCleaner shortcut on the desktop to start the program.
• A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
• On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
• Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

[Nereth]

I think the guide for the restore point cleanup might be outdated:

I managed to get to Performance Information and Tools Using the win7 start->search functionality (couldn't find it under system and security, which is what I assumed was meant when you said system and maintenance), once there I clicked open disk cleanup, there was no setting, menu, or drop down box pertaining to selecting 'files from all users', although I did immediately get a drop down box in which I selected the C drive. After that, there was no "more options" tab in the dialog box that opened, which pretty much stopped me short on continuing your guide .

 

[Jay Pfoutz]

It's not outdated. Just some people's computers, for some reason, do not show that option. I'm thinking about changing my guide so people can just delete the old restore points with OTL or CCleaner...

Just go in to CCleaner, press the Tools tab...System Restore. Delete all listed.

Once that's done, continue on cleanup.

 

[Nereth]

Hey there,

All done, here is the contents of checkup.txt:

Results of screen317's Security Check version 0.99.54
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET NOD32 Antivirus 5.2
Microsoft Security Essentials
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spyder3Pro
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java(TM) 7 Update 5
Java version out of Date!
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.2)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


It doesn't look very pretty does it XD

 

[Jay Pfoutz]

Update service pack, if you can: http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1

If you have trouble with the service pack, we can provide help in the Windows OS section of this site.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Read more about Java exploit problems


Personal Tips on Preventing Malware

See this page for more info about malware and prevention.


Any other questions before I mark this topic solved?

 

[Nereth]

I installed win 7 sp1.

Regarding java, I installed the new java update and it seemed to remove the old one automatically. There was nothing in add/remove programs called 'j2se runtime environment' The only things related to jave were "JavaFX 2.1.1" and "Java 7 update 5", but now that I installed update 9, update 5 is gone and replaced with "Java update 9". Is there a problem here?

In terms of any other questions, I have two: First, is there any other scan I can run to double check that it's clean? Since kapersky was a little sketchy. Perhaps another Nod32 scan?

Second, in your opinion, have we negated the need for a reformat? Earlier the plan was to clean the computer and then reformat to deal with all the brokenness but still transfer across important documents and working programs. Some programs are broken but outside of that it seems OK, if I just reinstall these programs would it be OK? Or would you still suggest the reformat?

 

[Jay Pfoutz]

Good on the Java update.

Altogether, if you can reformat and reinstall the operating system soon, it'll be a good idea.

You can test the files at this time, and see if they will function. But, as for reinstalling programs, and doing other stuff, it's at your own risk. I cannot say the computer is 100% clean. This is because technically the damage makes the files unclean in the first place. However, is it infected anymore? Probably not.

Here are a small list of scanners to run at your convenience:

ESET Online Scan www.eset.com/onlinescan
SUPERAntiSpyware www.superantispyware.com
Dr. Web CureIt! www.freedrweb.com/cureit/?lng=en

Other than that, there are no other big suggestions.

Topic marked solved.