PCEU Met Police Ukash malware encrypted files


This topic is locked. 17 replies to this topic.

#1 tomdestry

Posted 19 January 2013 - 10:05 AM

My computer was infected with the PCEU/Metropolitan Police/UKASH ransomware virus. The computer was locked and I could not re-boot in safe mode with or without networking. I tried booting with a Hitman Pro rescue program on a USB stick. This was successful, but after detecting Malware, the program reported that it had failed to delete the infected files, and a re-boot showed that the malware had not been removed. I then booted from an Anvisoft rescue program which gave me back control of my PC. I then ran a system restore and after that was able to boot normally. I checked the computer with Anvisoft, Hitman Pro, Malwarebytes Anti-Malware and Comodo and after detecting further infected files, I got "no infections" messages from all of them.

This happened over a period of about 24 hours, and it seems that before I managed to get rid of it, the malware was busily encrypting files. It has now encrypted all files in all personal folders for all users. A file called WARNING_ATTENTION.txt was left on my desktop with the following text:

=======================================================================

Warning! Files on your hard drives were encrypted.
In a case you want get your data unencrypted, you will need to purchase 100 pounds Ukash voucher and send to our e-mail the unique 19 digit number of voucher.
An e-mail must be sent as wtitten below. All letters that did not fit the form will be ignored.
You will recieve an e-mail with an instruction how to decrypt data after we check the Ukash code you have sent.

------mail_form-----------------

to: crimeunit@yandex.com
Subject: decoding of files 080763F1474749425245

ID of your computer: 080763F1474749425245
Ukash code:

--------------------------------

What's Ukash: www.ukash.com/en-GB/whats-ukash/
Get Ukash: www.ukash.com/en-GB/where-to-get/

=====================================================================

I tried feeding a pair of encrypted/original files to a Kaspersky decrypter, but this failed because the program reported that the files were not the same size. This is true, but I am 100% certain that (encryption aside) the files are identical. I can supply pairs of identical files in encrypted and non-encrypted versions and in .txt or .doc format if this helps.

I read that these malware encryptions sometimes delete the unencrypted originals, allowing them to be recovered. I ran Stellar Phoenix Data Recovery to try this, but the files it found seemed to be encrypted also -- according to the preview pane provided.


And that's as far as I have got... Great woe, as like most optimists/idiots I don't back up much and have lost six years of family photos, amongst many other things. So, any help you may be able to give will be a lifesaver.

The DDS file text is posted below...

========================================================

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by Giles at 14:26:57 on 2013-01-19
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3070.1970 [GMT 0:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WinTV\EPG Services\System\EPGService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Real\realplayer\Update\realsched.exe
C:\Users\Giles\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Users\Giles\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=83&bd=Pavilion&pf=cndt
uURLSearchHooks: {ba14329e-9550-4989-b3f2-9732e92d17cc} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Do Not Track Plus: {6E45F3E8-2683-4824-A6BE-08108022FB36} - c:\program files\donottrackplus\ie\DNTPAddon.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Browser protection: {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} -
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Spotify Web Helper] "c:\users\giles\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\users\giles\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\giles\appdata\roaming\dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: HideSCAHealth = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {6E45F3E8-2683-4824-A6BE-08108022FB36} - {23249465-AA46-4DED-BD4B-8EFB20F968FE} - c:\program files\donottrackplus\ie\DNTPAddon.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{22623090-3756-4A34-B222-7D5DCD9E3A20} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{22623090-3756-4A34-B222-7D5DCD9E3A20} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{CFF30C26-C10C-42C7-A492-252AC8F59F83} : NameServer = 8.26.56.26,156.154.70.22
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2012-8-21 16064]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2012-11-7 19632]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-11-7 494416]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-1-5 172032]
R2 EPGService;EPGService;c:\program files\wintv\epg services\system\EPGService.exe [2009-1-18 437028]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-7-14 1443584]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-17 21104]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-12-12 30312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 hitmanpro36;HitmanPro 3.6 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-8-29 27424]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-12-12 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-12-12 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-12-12 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2011-12-12 114280]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-11-2 52224]
.
=============== File Associations ===============
.
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs5\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-01-17 01:45:37 -------- d-sh--w- C:\found.000
2013-01-17 01:19:17 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-17 01:19:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-17 01:18:54 -------- d-----w- c:\users\giles\appdata\local\Programs
2013-01-16 18:39:54 -------- d---a-w- C:\$Anvi Rescue Disk$
2013-01-16 13:34:09 -------- d-----w- c:\program files\HitmanPro
.
==================== Find3M ====================
.
2012-11-26 18:15:45 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-26 18:15:45 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-10 02:23:37 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-11-07 23:37:56 494416 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-11-07 23:37:56 36072 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-11-07 23:37:54 19632 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37:36 34024 ----a-w- c:\windows\system32\cmdcsr.dll
2012-11-07 23:37:36 301264 ----a-w- c:\windows\system32\guard32.dll
.
============= FINISH: 14:28:46.87 ===============

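The two problems described in this post, recovered files that turn out to be encrypted copies and a decryptor that rejects an original/encrypted pair because the sizes differ, can both be triaged before any decryption is attempted. The script below is an added example for this thread, not code from the poster or from any of the tools mentioned: it scores a file's bytes for entropy (ciphertext looks random, documents do not) and reports how a pair differs in length. The sample "document" and its "encrypted" counterpart are constructed; the 20-byte header and 16-byte padding are an assumed layout chosen only to reproduce the size mismatch, not the real malware's format.

```python
"""Triage helper for suspected ransomware-encrypted files.

Added example for this thread, not code from the poster or from any of the
tools mentioned. It estimates whether a file's bytes look like ciphertext
(to weed out "recovered" files that are really encrypted copies) and
describes how an original/encrypted pair differ in size, since some
decryptors refuse pairs of unequal length. All sample inputs are constructed.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform random."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: ciphertext from any modern cipher scores close to 8 bits/byte,
    plain text and legacy .doc files far lower. Already-compressed formats
    (ZIP-based .docx, JPEG) also score high, so a positive result means
    'inspect further', not 'definitely encrypted'."""
    return shannon_entropy(data) >= threshold


def triage_recovered(files: dict) -> dict:
    """Label each recovered file (name -> bytes) as plaintext or ciphertext."""
    return {
        name: ("ciphertext" if looks_encrypted(data) else "plaintext")
        for name, data in files.items()
    }


def compare_pair(original: bytes, encrypted: bytes) -> dict:
    """Summarise how an encrypted file differs from its known-good original."""
    return {
        "orig_size": len(original),
        "enc_size": len(encrypted),
        "size_delta": len(encrypted) - len(original),
        "same_size": len(original) == len(encrypted),
        "orig_entropy": round(shannon_entropy(original), 2),
        "enc_entropy": round(shannon_entropy(encrypted), 2),
    }


# Constructed samples. The "encrypted" version mimics a layout that makes
# sizes differ: an assumed fixed 20-byte header (not the real malware's
# format) plus the payload padded to a 16-byte block boundary, filled with
# seeded pseudo-random bytes so the example is deterministic.
_rng = random.Random(2013)
SAMPLE_ORIGINAL = ("Family photos index\n" * 50).encode()
_padded_len = (len(SAMPLE_ORIGINAL) + 15) // 16 * 16
SAMPLE_ENCRYPTED = b"ENCHDR" + b"\x00" * 14 + bytes(
    _rng.getrandbits(8) for _ in range(_padded_len)
)


if __name__ == "__main__":
    print(compare_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED))
    print(triage_recovered({"a.doc": SAMPLE_ORIGINAL, "b.doc": SAMPLE_ENCRYPTED}))
```

Run against a folder of files produced by a recovery tool, the entropy label separates genuine carved originals from encrypted copies far faster than opening each one in a preview pane; the pair comparison tells you up front whether a decryptor that insists on equal sizes can be used at all.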

#2 HelpBot (Bleepin' Binary Bot)

Posted 24 January 2013 - 10:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/482279 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 tomdestry (Topic Starter)

Posted 24 January 2013 - 10:38 AM

Still unable to decrypt these files...

I am away from the troubled computer right now, but will generate a new set of logs when I return.

Thank you.

#4 CStew23

Posted 25 January 2013 - 06:37 PM

Hello and Welcome to BleepingComputer Forums! :welcome:

My name is Chris and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only! If you are not the original poster of this thread DO NOT run the fixes provided here.
  • Please do not run any tools until requested by myself or another member of Staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • If you stay with me, follow my instructions and ask questions when confused you'll be back up and running in no time :)

With that out of the way, can I get a bit more information about the encrypted files?

Have they been edited in some way?

Have extensions changed at all?

Can you still open them?

Edited by CStew23, 25 January 2013 - 06:38 PM.

Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#5 tomdestry (Topic Starter)

Posted 25 January 2013 - 08:13 PM

Hi Chris, thanks for replying.

The files will open. They do not have new extensions. I cannot tell whether they have been edited.

Word tells you they have been encoded and asks you if you would like to convert them. When you open them, they look like some gobbledegook representation of the binary code, streams of characters most of which you don't recognise... They look like, for instance, Word files opened in a text editor.

Do you see anything in the logs that suggests the infection remains? I keep virus-checking and getting a clean report, but I'm no expert and this infection seems quite complex...

#6 CStew23
</gr_replreplace>
<gr_replace lines="390-391" cat="remove_boilerplate" orig="Please don't send">

Posted 26 January 2013 - 12:25 PM

Hi tom,

Can you submit an affected file to the following link - http://www.bleepingcomputer.com/submit-malware.php?channel=105

Please submit one that doesn't contain confidential data. Thanks.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#7 tomdestry (Topic Starter)

Posted 29 January 2013 - 07:28 AM

File sent as requested. The zip contains the original Word file and the Malware-encrypted version. Note that they are slightly different sizes, but I am sure the original is identical to the encrypted version prior to encryption. Also attached is a copy of the text file left on my desktop.

Thanks.

#8 CStew23

Posted 30 January 2013 - 11:58 AM

Hi,

Unfortunately there's nothing we can do as far as the encryption goes. The malware is known, but specific criteria need to be met in order to decrypt the files.

We can however, ensure the machine is clean. If you have a backup of the files I urge you to use that.

#9 tomdestry (Topic Starter)

Posted 30 January 2013 - 12:06 PM

I don't have a backup, but have just been trying Windows 7's Restore Previous Versions function, which seems to be working well.

How can I ensure my machine is clean?

#10 CStew23

Posted 31 January 2013 - 06:05 PM

Hi,

Can you please open Malwarebytes Anti-Malware again, click over to the Updates tab and choose Check For Updates?

Then run a Quick Scan from the Scanner tab and post the results in your reply.

#11 tomdestry (Topic Starter)

Posted 01 February 2013 - 06:23 AM

Malwarebytes log below. I've removed the PUP.Offerware files it found...

======================================

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.31.09

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Giles :: BIGGERG [administrator]

31/01/2013 18:32:47
mbam-log-2013-01-31 (18-32-47).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 611602
Time elapsed: 2 hour(s), 33 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Louis\Documents\FastDownload ff.exe (PUP.Offerware) -> Quarantined and deleted successfully.
C:\Users\Louis\Documents\FastDownload.exe (PUP.Offerware) -> Quarantined and deleted successfully.

(end)

#12 CStew23

Posted 02 February 2013 - 05:09 PM

Hi Tom,

We're almost done. I'd like you to do one more scan to confirm all is good, and we'll go from there.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

#13 tomdestry (Topic Starter)

Posted 03 February 2013 - 11:08 AM

Here is what Eset found...

+++++++++++++++++++++++++++++++++++++++

C:\Users\Giles\AppData\Local\Temp\jar_cache6130376882659474561.tmp multiple threats
C:\Users\Giles\AppData\Local\Temp\jar_cache6899016518085175538.tmp Java/Exploit.CVE-2012-1723.DS trojan
C:\Users\Giles\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\19e410ad-15760554 a variant of Java/Exploit.CVE-2012-1723.EB trojan
C:\Users\Giles\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\248313ae-373e32fd multiple threats
C:\Users\Giles\Desktop\WARNING_ATTENTION.txt Win32/Trustezeb.D trojan
C:\Users\Giles\Documents\Computer\Downloads\antivirus\SpyNoMore Nov 2011\Spynomore.exe Win32/Adware.SpyNoMore application
C:\Users\Giles\Documents\Computer\Downloads\antivirus\winzip160.exe Win32/OpenCandy application
C:\Users\Giles\Downloads\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Giles\Downloads\iLividSetup.exe Win32/Toolbar.SearchSuite application
C:\Users\Louis\Downloads\avc-free (1).exe Win32/OpenCandy application
C:\Users\Louis\Downloads\avc-free.exe Win32/OpenCandy application
C:\Users\Louis\Downloads\GraboidVideoSetup-2.03b-Complete.exe Win32/Graboid application
C:\Users\Louis\Links\War_Rock_20100921.exe Win32/OpenCandy application

++++++++++++++++++++++++++++++++++++++++++++++++++

Had to disable energy saving mode as well as anti-virus in order to get a clear run at it!

Cheers,

Giles
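The ESET log above is a flat list of "path detection verdict" lines, and reading it by eye is how the helper later separates the actual infection (the Java exploit cache entries and the Trustezeb-detected ransom note) from the bundled-adware installers. The script below is an added example for this thread, not ESET's code or anything from the thread's participants: it parses those lines into records, splits malware verdicts (trojan, multiple threats) from potentially unwanted applications, pulls out any CVE identifier in the detection name, and flags hits that sit in the Java plugin cache. The Java-cache path markers are an assumption of mine about where the plugin stores downloaded applets; the sample log is the one posted in this thread.

```python
"""Classify ESET Online Scanner detection lines.

Added example for this thread; it is not ESET's code. It turns the flat
"path detection verdict" lines from the scanner log into records, splits
real malware (trojan / multiple threats) from potentially unwanted
applications, extracts CVE identifiers, and flags hits in the Java plugin
cache. The sample log is the one posted in this thread.
"""
import re
from collections import Counter

# One scanner line: a Windows path (may contain spaces), then either a
# detection name containing a "/" family prefix plus a verdict word, or the
# literal verdict "multiple threats". Paths never contain "/" so the
# non-greedy path group stops at the detection name.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?:(?P<detection>(?:a variant of )?\S+/\S+)\s+(?P<kind>trojan|application)"
    r"|(?P<multi>multiple threats))$"
)

CVE_RE = re.compile(r"CVE-\d{4}-\d+")

# Assumed markers for the Java plugin's download cache (lower-cased).
JAVA_CACHE_MARKERS = ("\\sun\\java\\deployment\\cache\\", "jar_cache")

# Constructed copy of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
C:\Users\Giles\AppData\Local\Temp\jar_cache6130376882659474561.tmp multiple threats
C:\Users\Giles\AppData\Local\Temp\jar_cache6899016518085175538.tmp Java/Exploit.CVE-2012-1723.DS trojan
C:\Users\Giles\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\19e410ad-15760554 a variant of Java/Exploit.CVE-2012-1723.EB trojan
C:\Users\Giles\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\248313ae-373e32fd multiple threats
C:\Users\Giles\Desktop\WARNING_ATTENTION.txt Win32/Trustezeb.D trojan
C:\Users\Giles\Documents\Computer\Downloads\antivirus\SpyNoMore Nov 2011\Spynomore.exe Win32/Adware.SpyNoMore application
C:\Users\Giles\Documents\Computer\Downloads\antivirus\winzip160.exe Win32/OpenCandy application
C:\Users\Giles\Downloads\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Giles\Downloads\iLividSetup.exe Win32/Toolbar.SearchSuite application
C:\Users\Louis\Downloads\avc-free (1).exe Win32/OpenCandy application
C:\Users\Louis\Downloads\avc-free.exe Win32/OpenCandy application
C:\Users\Louis\Downloads\GraboidVideoSetup-2.03b-Complete.exe Win32/Graboid application
C:\Users\Louis\Links\War_Rock_20100921.exe Win32/OpenCandy application
"""


def parse_line(line: str):
    """Return a record for one detection line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    detection = m.group("detection") or "multiple threats"
    variant = detection.startswith("a variant of ")
    if variant:
        detection = detection[len("a variant of "):]
    kind = m.group("kind") or "multiple threats"
    cve = CVE_RE.search(detection)
    lowered = path.lower()
    return {
        "path": path,
        "detection": detection,
        "variant": variant,
        # ESET labels adware/bundlers "application"; everything else here is malware.
        "severity": "pua" if kind == "application" else "malware",
        "cve": cve.group(0) if cve else None,
        "java_related": any(marker in lowered for marker in JAVA_CACHE_MARKERS),
    }


def parse_eset_log(text: str) -> list:
    """Parse every recognisable detection line, skipping separators and blanks."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Count records per severity bucket."""
    return dict(Counter(r["severity"] for r in records))


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    print(summarize(recs))
    for r in recs:
        if r["java_related"] or r["cve"]:
            print(r["cve"], r["path"])
```

The split matters for the clean-up conversation that follows: the PUA entries are installers the users downloaded themselves, whereas the Java cache hits carrying CVE-2012-1723 point at the plugin as the way in, which is the same conclusion the helper draws in the next reply.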

#14 CStew23

Posted 04 February 2013 - 02:44 PM

Hi,

That's shown the source of this infection to be a Java exploit. Since your version is outdated, a security flaw was exploited. Information about it can be found here. Given that Java is being actively exploited I would recommend you not just disable it as the Department of Homeland Security suggests but uninstall it completely from your machine.
====

Your machine appears clean!

Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine :thumbup2:

You can delete any tools from your desktop that we've used that have not been removed already.

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems, such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
  • Avast (home use only)
  • Avira (shows nag screen to purchase full product when updating, home use only)
  • AVG (slightly poorer performance as of late)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:
If you want more information on methods malware use to infect your computer, consider browsing our How did I get infected? topic.

#15 tomdestry (Topic Starter)

Posted 04 February 2013 - 07:48 PM

Hi there, I've uninstalled Java via control panel, but the folder C:\Users\Giles\AppData\LocalLow\Sun remains, along with the infected files.

Are there any other places I need to go to uninstall Java?

Shall I just delete the entire Sun folder?

Is it safe to re-install the latest version of Java?

Thanks for your help.



