Had Exploit:Java/cve-2012-4681, don't think it's all gone


Ok, obviously this is where the problem lies. I guess the permissions were changed somewhere down the line after your system became infected.... Try this please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Post that log...

Fixlist.txt


Well, I feel stupid. The FRST program is in the downloads folder, but when I open that folder to save this program, only the FRST text file is there, not the program. Now I don't know how to save them together. I'm so sorry I'm an idiot :-(.


If I just save it into downloads, might I see them together after that and be able to move this one into the FRST folder? Unless there is more than one downloads folder, I can't imagine why I'm not seeing any downloaded programs when I use Save As.


Ok, here are the results:

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016

Ran by Patricia (2016-01-19 15:32:45) Run:2

Running from C:\Users\Patricia\Desktop\FRST

Loaded Profiles: Patricia (Available Profiles: Patricia)

Boot Mode: Normal

==============================================

fixlist content:

*****************

Start

ListPermissions: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\BFE

end

*****************

===================================

permissions of "HKEY_LOCAL_MACHINE\system\currentcontrolset\services\BFE":

Owner: NT AUTHORITY\SYSTEM

DACL(AI):

BUILTIN\Users ALLOW READ (I)

BUILTIN\Users ALLOW READ (CI-I-OI)

BUILTIN\Administrators ALLOW FULL (I)

BUILTIN\Administrators ALLOW FULL (CI-I-OI)

NT AUTHORITY\SYSTEM ALLOW FULL (I)

NT AUTHORITY\SYSTEM ALLOW FULL (CI-I-OI)

CREATOR OWNER ALLOW FULL (CI-I-OI)

===================================

==== End of Fixlog 15:32:45 ====

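An added check, not from the thread or from FRST itself: a small Python script that parses the FRST ListPermissions block quoted above and compares the key's DACL against the stock layout (Users READ, Administrators/SYSTEM/CREATOR OWNER FULL), so a tampered key (a DENY on SYSTEM, or Users granted FULL) is flagged rather than eyeballed. The log line format and the baseline are assumptions taken from the listing above.

```python
import re

# Constructed sample: the FRST "ListPermissions" output quoted in the thread.
FIXLOG_BFE = """\
permissions of "HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\services\\BFE":
Owner: NT AUTHORITY\\SYSTEM
DACL(AI):
BUILTIN\\Users ALLOW READ (I)
BUILTIN\\Users ALLOW READ (CI-I-OI)
BUILTIN\\Administrators ALLOW FULL (I)
BUILTIN\\Administrators ALLOW FULL (CI-I-OI)
NT AUTHORITY\\SYSTEM ALLOW FULL (I)
NT AUTHORITY\\SYSTEM ALLOW FULL (CI-I-OI)
CREATOR OWNER ALLOW FULL (CI-I-OI)
"""

# Assumed line shape: "<principal> ALLOW|DENY <right> (<inheritance flags>)"
ACE_RE = re.compile(r"^(?P<who>.+?) (?P<type>ALLOW|DENY) (?P<right>\S+) \((?P<flags>[^)]*)\)$")

# Baseline for a stock service key (assumption: the healthy listing above).
BASELINE = {
    ("BUILTIN\\Users", "ALLOW", "READ"),
    ("BUILTIN\\Administrators", "ALLOW", "FULL"),
    ("NT AUTHORITY\\SYSTEM", "ALLOW", "FULL"),
    ("CREATOR OWNER", "ALLOW", "FULL"),
}

def parse_permissions(text):
    """Return (owner, set of (principal, type, right)) from a FRST permissions block."""
    owner = None
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Owner:"):
            owner = line.split(":", 1)[1].strip()
            continue
        m = ACE_RE.match(line)
        if m:
            aces.add((m["who"], m["type"], m["right"]))
    return owner, aces

def audit(text, baseline=BASELINE, expected_owner="NT AUTHORITY\\SYSTEM"):
    """List deviations from the baseline: wrong owner, unexpected ACEs, missing ACEs."""
    owner, aces = parse_permissions(text)
    findings = []
    if owner != expected_owner:
        findings.append(f"owner is {owner!r}, expected {expected_owner!r}")
    for ace in sorted(aces - baseline):
        findings.append("unexpected ACE: %s %s %s" % ace)
    for ace in sorted(baseline - aces):
        findings.append("missing ACE: %s %s %s" % ace)
    return findings  # empty list means the DACL matches the baseline
```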

I can't be sure, unfortunately, because little things happened that I didn't pay much attention to. It could have been quite some time before that or it could have been right around that time. I know I've been working on it for over a week now.


Well we are making no real headway, the logs do not really give a clue about any infection or malware being present. The BFE reg key is certainly causing problems, yet we cannot carry out what is normally a simple task of overwriting the reg key. It certainly seems to be a permissions issue, yet the permissions for that key look correct....

 

I did want to carry out a task with FRST of replacing the registry hives with a full set created on the date I posted in my previous reply.... That task will have to be done via the recovery environment; is that a task you would be comfortable with?

 

That action may or may not take us back to an infected position, I believe it is well worth trying as we are not making any real headway....


I will do whatever you think you can explain to this idiot :-). As long as, if I lose everything, you think you can help me recover the files off my external hard drive even though I did the back up to that drive while the computer was infected (I am KICKING myself for that one).


You will not lose anything, the fix is fairly straightforward: we boot the system to the recovery environment, run the reg fix with FRST, and the full registry is overwritten with a copy from the date I gave earlier....

 

Regarding the external hard drive, we can install software to protect your system when the external drive is connected to your PC, then we check the files....

 

To make the fix you will need a USB flash drive (memory stick). I'll post the instructions, have a read through a couple of times and see what you think...

 

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Download attached fixlist.txt file (end of reply) and save it to the flash drive you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.


Plug the flash drive into the infected PC.

If you are using Vista or Windows 7, enter System Recovery Options. I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer. (if applicable)
  • Press Fix button.
  • It will make a log (fixlog.txt) on the flash drive. Please copy and paste it to your reply.

 

 

Thank you,

 

Kevin

Fixlist.txt


I will check it out - I'm thinking of logging out of Windows and just trying passwords until I figure it out. I have tried most of the pw's I would have used so this is just weird. I can always try the other if this doesn't work, right? Kind of at a loss as to which is the best idea.


No, I have it set to open Windows without a password. The more I think about it, the more I'm nearly positive that one of the passwords I tried is correct, so that's what is confusing me at this time. I will keep thinking about it and try to come up with a solution; this is really strange.


Ok, the reason I couldn't get the password to work was because I DON'T HAVE ONE! I can't believe it took me that much time to figure it out - I left it blank and it worked. SO SORRY :-( Here is the file from the fix:

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016

Ran by SYSTEM (2016-01-20 13:17:14) Run:3

Running from f:\

Boot Mode: Recovery

==============================================

fixlist content:

*****************

Start

LastRegBack: 2016-01-09 02:39

end

*****************

DEFAULT => copied successfully to System32\config\HiveBackup

DEFAULT => restored successfully from registry back up

SAM => copied successfully to System32\config\HiveBackup

SAM => restored successfully from registry back up

SECURITY => copied successfully to System32\config\HiveBackup

SECURITY => restored successfully from registry back up

SOFTWARE => copied successfully to System32\config\HiveBackup

SOFTWARE => restored successfully from registry back up

SYSTEM => copied successfully to System32\config\HiveBackup

SYSTEM => restored successfully from registry back up

==== End of Fixlog 13:17:30 ====
