Avast WEBforum

Other => Viruses and worms => Topic started by: 2globose on December 18, 2012, 07:48:55 AM

Title: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 07:48:55 AM
Something is disabling functions on my machine.  Cannot open most of the applications in the Control Panel.  I think it is Exploit:Jsvs/CVE-2012-1723

I tried to include a DDS.txt log but it was too long and the Avast system would not let me post because the message exceeded the 10000 character limit.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: Asyn on December 18, 2012, 08:22:19 AM
Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: Pondus on December 18, 2012, 08:40:19 AM
Is your Java updated?

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AJava%2FCVE-2012-1723

Quote
The following versions of Java are vulnerable to this exploit:

JDK and JRE 7 Update 4 and earlier Java SE
JDK and JRE 6 Update 32 and earlier Java SE
JDK and JRE 5.0 Update 35 and earlier Java SE
SDK and JRE 1.4.2_37 and earlier Java SE
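
To turn the version list quoted above into something a defender can run, here is a small added Python checker (example code, not from the thread or from Microsoft) that parses a legacy "1.x.y_NN" Java version string, such as the first line of `java -version`, and reports whether it falls inside the affected ranges listed for CVE-2012-1723; the sample version strings are constructed.

```python
import re

# Last vulnerable update per Java family, taken from the Microsoft
# encyclopedia entry quoted above for CVE-2012-1723. Key = (major, minor).
LAST_VULNERABLE_UPDATE = {
    (7, 0): 4,    # JDK/JRE 7 Update 4 and earlier
    (6, 0): 32,   # JDK/JRE 6 Update 32 and earlier
    (5, 0): 35,   # JDK/JRE 5.0 Update 35 and earlier
    (4, 2): 37,   # SDK/JRE 1.4.2_37 and earlier
}

# Matches the legacy "1.<major>.<minor>_<update>" form, e.g. 1.7.0_04
# or 1.4.2_37; the "_update" part is optional (a GA release has none).
_VERSION_RE = re.compile(r'1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Extract (major, minor, update) from a version string or from the
    first line of `java -version` output. Update defaults to 0 when absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % text)
    major, minor = int(m.group(1)), int(m.group(2))
    update = int(m.group(3)) if m.group(3) else 0
    return major, minor, update


def is_vulnerable_to_cve_2012_1723(text):
    """True when the version is inside a range the advisory lists.
    Families the advisory does not list (e.g. Java 8) are treated as
    not affected by this particular CVE."""
    major, minor, update = parse_java_version(text)
    last_bad = LAST_VULNERABLE_UPDATE.get((major, minor))
    if last_bad is None:
        return False
    return update <= last_bad


def triage(version_lines):
    """Map each `java -version` line to its vulnerable/not-vulnerable verdict."""
    return {line: is_vulnerable_to_cve_2012_1723(line) for line in version_lines}


if __name__ == "__main__":
    # Constructed sample outputs; they are not taken from the thread's logs.
    samples = [
        'java version "1.6.0_31"',
        'java version "1.6.0_33"',
        'java version "1.7.0_04"',
        'java version "1.7.0_09"',
        'java version "1.4.2_37"',
    ]
    for line, vuln in triage(samples).items():
        print("%-28s %s" % (line, "UPDATE REQUIRED" if vuln else "ok"))
```

Note that `java -version` prints to stderr, so capture that stream if you feed real output into `parse_java_version`.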

Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 06:07:21 PM
No I don't think Java is up to date.  I am in the process of creating logs as instructed.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 06:29:01 PM
Here they are.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 06:40:06 PM
Tried to run the antiroot program and it unexpectedly stopped working. 
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: Pondus on December 18, 2012, 06:51:57 PM
Quote
Tried to run the antiroot program and it unexpectedly stopped working.
You may try running it from safe mode... if no success, essexboy has more tools if needed  ;)
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 06:57:18 PM
Here is the aswMBR log. 
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 07:07:26 PM
Do I need to continue with the next steps starting with:

SPECIFIC INFECTIONS LOGS

If you have the hard drive infection and are no longer able to see your files/folders/start menu then do not run any temporary file cleaners but download and run the following programme:

Download RogueKiller  and save it on your desktop.
 
NOTE: If using IE8 or better Smartscreen Filter will need to be disabled


Quit all programs
Start RogueKiller.exe.

Wait until Prescan has finished ...
Click on Scan
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 18, 2012, 07:23:37 PM
Could you delete the copy of ComboFix that you have?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:OTL
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\xqtpcpmu.sys -- (xqtpcpmu)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\wdmiuyya.sys -- (wdmiuyya)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2012/10/22 06:56:33 | 000,097,641 | ---- | C] () -- C:\ProgramData\puisyngkqqeuabd
[2011/11/24 23:43:08 | 000,000,240 | ---- | C] () -- C:\ProgramData\~EcQdpl2SHOEmMXr
[2011/05/02 10:29:23 | 000,000,088 | -HS- | C] () -- C:\Users\USER\AppData\Roaming\27FGHDTZQ43K327FV6JFD8LTD7

:Files
C:\Users\keithf\AppData\Local\{8527c484-1c70-49fc-e80c-ca7403d90f70}

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 07:43:41 PM
Here is the first log requested, from the OTL scan.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 07:48:43 PM
Tried to run Combofix but I get a warning that Microsoft Security Essentials is running.  I cannot open it to disable it.  I get a dialogue box that goes away so fast that I cannot read it but I saw .dll at the end of the program listed.

I have no system tray icon for Microsoft Security Essentials, nor can I access the uninstall feature in Control Panel.  Should I run the ComboFix scan even though it states that results will be unpredictable?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 18, 2012, 07:50:40 PM
Yes accept the warning
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 08:01:15 PM
Here is the ComboFix log
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 18, 2012, 08:16:25 PM
What problems remain
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 08:39:53 PM
Cannot open Recovery from Control Panel along with other features; however, I can open the program list, which I could not do before.
Cannot run latest version of Java
PlanPlus Add-in cannot be selected from the manage add-ins settings
I cannot install and run Microsoft Security Solutions

Upon Starting the machine I get the following errors
GfXui not working
WD Drive Manager error
Microsoft C++ Runtime Library Runtime Error

I downloaded some drivers from the HP website in an attempt to fix yesterday.  Could this be relevant?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 18, 2012, 08:42:55 PM
Possibly, let's run a system repair now and see what it looks like after that

Download  Windows Repair (all in one)  from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)

Install the programme then run

(https://dl.dropbox.com/u/73555776/waio%20start.JPG)

Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)


On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)

Select the following  items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 09:40:27 PM
Doing it now.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 18, 2012, 09:47:21 PM
Once done could you run a fresh OTL scan and I will look at any errors you are receiving
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 10:32:45 PM
Doing it now.  A number of problems were solved but some remain.  Would you like me to list the remaining problems or will the OTL scan give you the info you need?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 10:34:56 PM
Did you need me to cut and paste anything into the Custom Scans/Fixes box?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 18, 2012, 10:41:03 PM
Here are logs from the OTL scan.  I did not cut and paste anything into the Custom Scans/Fixes box.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 03:17:46 PM
Could you list the remaining problems please
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 04:55:18 PM
One thing you should know.  I ran Reimage Repair last night and it seemed to solve some of the remaining problems.  What I can confirm that is not working is:

I cannot open Windows update.  I get error code 8024419.
PlanPlusCOMAddInShim is not loading and I cannot activate it in the options feature in Outlook 2010.
Java does not show up in the program list from the start menu.  Java does show up in the Control Panel.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 06:50:57 PM
OK, let's try the update problem first

Run the fixit on this MS page http://support.microsoft.com/kb/299357 let me know if that cures it
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 07:04:25 PM
I used the fix it tool, it did not work.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 07:10:09 PM
Do you use a router ?
If so do any other computers experience the same problem
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 07:22:00 PM
Yes.  I use an Apple AirPort Extreme.  The other computer is a Mac.  I don't know how to find out if it is having a similar problem.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 07:26:52 PM
OK could you reset the router and then try the updates again please

To reset there should be a small hole at the back of the computer marked reset
Using a biro or pin push that in and release
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 07:34:08 PM
Rather than a solid green light I now have a flashing amber on the airport.  I googled the solution and apple says I should download new software.  I downloaded it.  It is a setup program.  Before I run it I thought I better check with you.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 07:43:19 PM
If it is the right software then yes
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 07:57:37 PM
Ran the new AirPort Utility; it upgraded my software.  Have solid green light.  Ran the Fix it application and still getting the error on Windows Update.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 08:17:48 PM
Run the following OTL fix and then in IE address type http://fe1.update.microsoft.com/windowsupdate/v6/vistadefault.aspx?ln=en-GB

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:OTL
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-3961973716-4210694825-4076522416-1002\Software\Policies\Microsoft\Internet Explorer\Restrictions present


:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 09:07:03 PM
Here it is
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 10:03:13 PM
Could you try this link now and let me know what happens
http://fe1.update.microsoft.com/windowsupdate/v6/vistadefault.aspx?ln=en-GB
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 10:05:13 PM
Same error code.  Can't access Windows Updates.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 10:07:49 PM
Start an elevated command prompt
Go Start > All Programs  > Accessories
Right click command prompt and select run as administrator
In the black box type the following

ipconfig /flushdns

Then try again
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 10:15:36 PM
Again same error code
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 10:20:26 PM
It is a DNS problem of some sort..  Let's look at the registry next

Run OTL and copy/paste the following script into the custom scans box, then press run scan

hklm\software\clients\startmenuinternet|command /rs
 

Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 10:32:46 PM
Here you go.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 10:38:54 PM
Well they look good as well ..  I missed one element so I shall kill that now..  When did this first appear ?  Was it before or after you installed the VPN ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:OTL
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
Could you try OpenDNS to see if that alleviates the problem
http://use.opendns.com/#win7
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 10:57:26 PM
Having trouble with step 6.  I don't see a radio button.  Should I click install at this point in step 6 in place of the radio button?

Windows 7
1.   Click the Start Orb, then select Control Panel.
2.   Click on Network and Sharing Center.
3.   Click on your primary connection or Local Area Connection under Active Networks.
4.   Click the Properties button.
Windows 7 may prompt you for permission to make network setting changes.
5.   Highlight 'Internet Protocol Version 4' and click Properties.
6.   Click the radio button 'Use the following DNS server addresses:' and type 208.67.222.222 and 208.67.220.220 in the Preferred DNS server and Alternate DNS server fields.
7.   Click OK button, then the Close button, then Close again. Finally, close the Network and Sharing Center window.
At this point, we highly suggest that you flush your DNS resolver cache and web browser caches to ensure that your new configuration settings take effect
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 10:59:14 PM
Forgot to include the log from the last otl fix
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 19, 2012, 11:10:11 PM
OK there should be a 2a. by the looks of that
On the left click on change adapter settings
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 11:23:34 PM
I ended up at the same place.  The attached image shows the screen where I am supposed to execute step 6.  This is where there is supposed to be a radio button.  I don't know what to do once I get to the screen you see in the attachment.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 11:50:19 PM
I figured it out.  I guess I am being dense today.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 19, 2012, 11:51:38 PM
I just tried Windows Update again and received the same error code.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 01:29:40 AM
I had a message in the Action Center that read "solve a problem with PSIKey".  I opened the message, clicked on the link and it resolved itself.  I had the same thing happen yesterday.  I have included an image.

I also tried the update from the Control Panel again and received an entirely different code than I have been getting; it read "windows could not search for updates" with error code 80072EFD.
The original warning read "windows could not search for new updates" with error code 8024419.  The word "new" is left out of the new error.
I don't know if that is relevant or not
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 20, 2012, 03:58:22 PM
Quote
Was it before or after you installed the VPN ?
These are all connection errors so did the problems first appear after you installed The OpenVPN Project
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 05:07:21 PM
I did not recently install an open VPN.

New info.  I ran a disk repair last night.  Afterward I was able to update through my internet connection from Microsoft.  I was not able to do that.  I downloaded and installed 116 updates.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 20, 2012, 05:19:45 PM
Hmm would not have thought a disc check would have cured it..  But if it works don't knock it  ;D

What other problems need resolving ?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 05:50:32 PM
One thing you should know.  I ran Reimage Repair last night and it seemed to solve some of the remaining problems.  What I can confirm that is not working is:

I cannot open Windows update.  I get error code 8024419.
PlanPlusCOMAddInShim is not loading and I cannot activate it in the options feature in Outlook 2010.
Java does not show up in the program list from the start menu.  Java does show up in the Control Panel.

I am including two screen captures.  In the capture labeled window update capture you can see the link for "check on line for windows updates".  This is how I have been getting updates.  When I try to use the updater tool I continue to get the same message we have been trying to fix.  This is kinda fixed.

I was curious about the update history link.  The capture labeled update history capture shows that the updates I downloaded this morning failed.  I find that odd since last night I was able to install 116 updates.
I cannot get the PlanPlus add-in to work.
Java is working but it still is not listed in the program.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 05:53:03 PM
forgot the screen captures
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 20, 2012, 07:30:17 PM
kb2505438 has probably been pulled see here http://support.microsoft.com/kb/2505438 this page includes a hotfix to download

For the administrator thing follow the steps here http://www.technibble.com/forums/showthread.php?t=22840
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 07:59:40 PM
First direction is complete

Second direction I am having trouble with.  I don't know how to get to HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate from Regedit.  Can you provide direction please?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 20, 2012, 08:12:50 PM
OK, let's use OTL to remove the key and then replace it with a blank one; follow this up with the MS Fix it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Reg
[-HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate]
[HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate]

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 08:48:32 PM
Ran OTL.  It did not reboot automatically.  I had to manually reboot.

Ran Fix it using this link http://support.microsoft.com/mats/windows_update/   Still getting the same error code.
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 20, 2012, 08:51:36 PM
OK bear with me I will ask around
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 20, 2012, 08:58:59 PM
No problem.  I appreciate your help!
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: 2globose on December 21, 2012, 11:18:06 PM
any word?
Title: Re: Virus? Exploit:Jsvs/CVE-2012-1723
Post by: essexboy on December 22, 2012, 11:59:01 AM
Not so far, at the moment we have tried all the fixes I know of and have yet been unable to find a different approach for this