Kylla4

Had Exploit:Jave/cve-2012-4681 don't think it's all gone


Thanks for the update, there are no guarantees that this will work but let's wait and see... If it does fail I have another step; it will mean registry editing... Is that OK with you...


The only thing I care about on the infected computer are the pictures and video of my dogs that died last year, so as long as I don't lose those I'm ok.  I did something stupid when I first found the virus and did a backup on an external drive so I'm guessing that's infected, too?  If you think we can save my pics from that, then I'm ok with whatever you think will work.


I'd always advise that you back up any important data that you cannot afford to lose. I do not believe your system is still infected; we are dealing with damage to the registry presently. The Windows repair tool is very good and will try to fix whatever has been exploited or damaged, let's wait for the outcome of the log and a fresh FSS log... I'm starting to watch the time, it's midnight local time for me.....


And here is the FSS log:

Farbar Service Scanner Version: 03-01-2016

Ran by Patricia (administrator) on 17-01-2016 at 19:37:40

Running from "C:\Users\Patricia\Downloads"

Microsoft Windows 7 Home Premium Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Attempt to access Google IP returned error. Google IP is unreachable

Google.com is accessible.

Yahoo.com is accessible.

Windows Firewall:

=============

MpsSvc Service is not running. Checking service configuration:

The start type of MpsSvc service is OK.

The ImagePath of MpsSvc service is OK.

The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to retrieve start type of bfe. The value does not exist.

Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of bfe. The value does not exist.

Unable to retrieve ServiceDll of bfe. The value does not exist.

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Policy:

========================

Action Center:

============

Windows Update:

============

Windows Autoupdate Disabled Policy:

============================

Windows Defender:

==============

Other Services:

==============

File Check:

========

C:\Windows\System32\nsisvc.dll => File is digitally signed

C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed

C:\Windows\System32\dhcpcore.dll => File is digitally signed

C:\Windows\System32\drivers\afd.sys => File is digitally signed

C:\Windows\System32\drivers\tdx.sys => File is digitally signed

C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\System32\dnsrslvr.dll => File is digitally signed

C:\Windows\System32\mpssvc.dll => File is digitally signed

C:\Windows\System32\bfe.dll => File is digitally signed

C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed

C:\Windows\System32\SDRSVC.dll => File is digitally signed

C:\Windows\System32\vssvc.exe => File is digitally signed

C:\Windows\System32\wscsvc.dll => File is digitally signed

C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\System32\wuaueng.dll => File is digitally signed

C:\Windows\System32\qmgr.dll => File is digitally signed

C:\Windows\System32\es.dll => File is digitally signed

C:\Windows\System32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****


Although several fixes have been achieved we still have a problem with bfe.dll. We need to try to replace the registry entry and amend permissions to get this service to work.... If we fail again, probably a repair install will be the next step....

 

I want you to delete all files and logs related to BFE that we have already d/l to your system to avoid confusion. When that is done continue as follows:

 

I note your default browser is Internet Explorer; I would like you to change the download folder to the Desktop....

Internet Explorer - Click the Tools menu in the upper right corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Download bfe.reg from the following link, save it directly to your Desktop, do not save it anywhere else. <<<--- Very important

http://download.bleepingcomputer.com/win-services/7/BFE.reg

Right-click on the saved reg file and select "Run as Administrator"; agree to UAC and any merge prompts...

When complete re-boot your PC

When the PC has started, press these keys together: Windows Key + R. The "Run" box will open...

Type regedit into the box and click OK. regedit will open. Expand the following keys:

> HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > services > BFE

Do not expand BFE. Right-click directly on that folder and select Permissions.

Click on Add, type Everyone and click OK.

Now select Everyone

Below, you have the permissions for users; select Full Control and click OK... Close regedit.

Open the Run box again, type services.msc and click OK.

If you receive the User Account Control prompt, click Yes or Continue.

In the Services window, under the Name column, locate and double-click Base Filtering Engine (BFE)

To the right of Startup type, verify that Automatic appears.

If Startup type is not Automatic, open the drop-down and, from the list, click Automatic.

To the right of Service Status, verify that Started appears.

If the Service status is not Started, then click Start.

Click OK.

Exit the Services window.

Restart the computer, then run FSS again and post a fresh log..... It's almost 1 am for me so I'll catch up later...

 

Thank you,

 

Kevin....
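As an added example (not part of the thread, and not Kevin's procedure, which is done through regedit and services.msc), here is a read-only PowerShell audit that checks the same things for BFE and MpsSvc that the FSS log above reports: the Start, ImagePath and ServiceDll registry values, the live service state, the service DLL's signature, and whether the Everyone Full Control grant from the repair step is still on the key. It assumes an elevated PowerShell prompt on Windows 7 or later; the function name Test-ServiceConfig is my own.

```powershell
# Added example, not from the thread: read-only audit of the two firewall services the FSS
# log flagged (BFE and MpsSvc). Reads the registry values FSS reports, the live service
# state, the DLL signature, and any Everyone ACE left on the key by the repair step.
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Test-ServiceConfig {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\services\$Name"
    Write-Output "==== $Name ===="
    if (-not (Test-Path $key)) {
        Write-Output "ATTENTION: $key does not exist (the service cannot start)"
        return
    }
    $cfg = Get-ItemProperty -Path $key
    if ($null -eq $cfg.Start) { Write-Output "ATTENTION: Start value missing" }
    else { Write-Output ("Start type: {0} ({1})" -f $cfg.Start, $startNames[[int]$cfg.Start]) }
    if ($null -eq $cfg.ImagePath) { Write-Output "ATTENTION: ImagePath missing" }
    else { Write-Output "ImagePath: $($cfg.ImagePath)" }
    # Both services are svchost-hosted, so the real code is named in Parameters\ServiceDll
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.ServiceDll) {
        Write-Output "ATTENTION: ServiceDll missing"
    } else {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        # Caveat: on Windows 7 this can report NotSigned for catalog-signed system DLLs,
        # because older versions of the cmdlet only see embedded signatures.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        Write-Output "ServiceDll: $dll  signature: $($sig.Status)"
    }
    # Live state, as services.msc shows it
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Output "ATTENTION: service not registered with the SCM" }
    else { Write-Output "Status: $($svc.Status)" }
    # The repair grants Everyone Full Control on the key; flag it so it can be reverted once
    # the service runs, since a world-writable service key lets any user change what it loads.
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0') {   # S-1-1-0 is the well-known SID for Everyone
            Write-Output "NOTE: Everyone has $($ace.RegistryRights) on $key"
        }
    }
}

Test-ServiceConfig -Name 'BFE'
Test-ServiceConfig -Name 'MpsSvc'
```

Run it before and after the reg merge and permission change; a healthy result shows Start type 2 (Automatic), a present ServiceDll, Status Running, and no Everyone line once the temporary permission has been removed.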


I'm sorry, but how do I find all the bfe files and logs? I'm getting confused (that's not difficult for me) and if you would prefer to do this tomorrow or another day, I am fine with that. I know it's late for you!


Here is another strange thing I'm still finding - if I try to Google Microsoft Security Scanner and click on the link (www.microsoft.com/security/scanner/), it just keeps clicking and won't access the page. I can access it on two other computers, but not this one.


We really need to get the bfe.dll issue cleared before we can make any progress. The latest problem you mention is also an issue I did not expect; maybe there is hidden malware that we have yet to find.

 

The files I refer to are what I had you download, they will be either on your desktop or your downloads folder; I would rather they were deleted to avoid confusion with new d/l... Reply #56 starts with instructions to alter the download folder for Internet Explorer, that needs to be done if the Desktop is not currently the download default folder...

 

Next,

 

Leave the rest of the reply #56 instructions for now, I want to run an offline scan with Windows Defender; maybe there is a hidden entry we have missed...

 

Do you have access to another PC to create the Windows Defender Offline Tool? I give the instructions to load it to a USB flash drive. It can also be run from a CD; just change to that option in the instructions…
It can be created from the PC with issues, but a different clean PC is preferred!

Download the tool from here: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save it to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit.

Run the tool; Windows 7/8 or Vista users right-click and select "Run as Administrator".

Read the instructions in the new window and select "Next".

In the new window accept the agreement.

In the new window select your USB flash drive, then select "Next".

In the new window ensure your flash drive is selected; if not, click on "Refresh", then select "Next".

In the new window accept the formatting alert by selecting "Next".

Files will be downloaded.

Files will be processed and created.

The flash drive will be formatted and prepared.

Files will be added to the flash drive and the tool will be created.

The procedure is finished and the tool created; click on "Finish" to complete.

Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...
As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.
When complete, do a full scan and deal with what it finds.
When finished, remove the USB stick, then press the Esc key to boot into regular Windows.
Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open it with Notepad and copy and paste it into a reply.
 

Thank you,

 

Kevin


It's running now - I had it on a DVD because that's how I found the Java Exploit malware - I downloaded it from a laptop instead of the infected computer.  I'll update when it finishes; even the quick scan is kind of slow.  Thanks!


I can't find the log file at all - I copied and pasted it without the quotes into the Start search and it says it can't find the file.


I also somehow got to an event viewer and now have this error message: MMC has detected an error in a snap-in and will unload it. What's that? And it won't let me close it without doing something!


Are these the options you get? There is no real need to report to MS, so go for option 2 and see what happens....

  1. Report this error to Microsoft, and then shut down MMC.
  2. Unload the snap-in and continue running.

I'm not going to try and explain fully what Microsoft Management Console (MMC) and snap-ins are/do... Basically Microsoft Management Console is a host for an administrative tool called a snap-in. A snap-in is an ActiveX module that is used to run a specific function, but without a snap-in a console fails....

You may see many references to such entries via Event Viewer; usually you would not be aware they happened unless you check EV for errors....

 

WD logs are found here: C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt. MM/DD/YYYY-HH/MM/SS is the date and time and will show as numerals. If you open the Windows folder, do you see a Windows Defender Offline folder?


I may have found it, but I have to leave for an appointment and will be gone for a while.  I tried to post the report, but it wouldn't post because it says it's too long and now I can't delete it but for one character at a time so it's going to take me forever.  Not sure how to do it other than to post it one small piece at a time?


Attach the file, zip it up if necessary. I gave you those instructions earlier. Did the scan actually report anything?


Also, the infected computer says "The path specified to D:\backup\backup.pst is not valid" when I try to open Outlook.  I can open it, but I can't back it up.


I downloaded BFE to the desktop, but there is no option to Run as Administrator. Also, from search I have found more things relating to BFE. Maybe I didn't get it all deleted. There is a whole list of BFE things, like SafeBoot, SharedAccess, HKLM keys permissions - I'm not sure what all to delete?


If you right-click on BFE.reg, is the option to Run as Administrator not present in the context menu?... If not, just double-click on the file and agree to any alerts or merges.... When the file is merged to the registry it will overwrite the old entries....

 

When complete re-boot your PC

When the PC has started, press these keys together: Windows Key + R. The "Run" box will open...

Type regedit into the box and click OK. regedit will open. Expand the following keys:

> HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > services > BFE

Do not expand BFE. Right-click directly on that folder and select Permissions.

Click on Add, type Everyone and click OK.

Now select Everyone

Below, you have the permissions for users; select Full Control and click OK... Close regedit.

Open the Run box again, type services.msc and click OK.

If you receive the User Account Control prompt, click Yes or Continue.

In the Services window, under the Name column, locate and double-click Base Filtering Engine (BFE)

To the right of Startup type, verify that Automatic appears.

If Startup type is not Automatic, open the drop-down and, from the list, click Automatic.

To the right of Service Status, verify that Started appears.

If the Service status is not Started, then click Start.

Click OK.

Exit the Services window.

Restart the computer, then run FSS again and post a fresh log..... It's almost 1 am for me so I'll catch up later...

 

Thank you,

 

Kevin....


I get this message after agreeing to everything: Cannot import C:\Users\Patricia\Desktop\BFE.reg. Not all data was successfully written to the registry. Some keys are open by the system or other processes.


Ok, leave the reg merge for now, follow the rest of the instructions, re-boot then try to merge BFE.reg again...


You mean from the windows + R key on down or should I reboot first?  Sorry, I just don't want to do the wrong thing :-).


No need to reboot, just follow from Windows Key plus R key; reboot when permissions are complete, then reboot and try the merge..
