Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Opened infected .doc file - CVE-2012-0158


  • Please log in to reply
5 replies to this topic

#1 mttime73

mttime73

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:36 AM

Posted 15 May 2013 - 05:40 PM

Hello,

A user received an email from an unknown source and promptly clicked on the Word .doc attachment.  AVG is installed, but it didn't flag anything.  We've scanned the computer using AVG, MalwareBytes Anti-Malware, and MBAR.  We are going to decomission the machine just to be on the safe side, but wanted to post here to see if you kind folks could provide some steps to determine if the decomissioned machine is in fact infected.  The computer is used in HR and accesses a lot of banking sites as well as highly sensitive info.  We want to be on the safe side.

 

This post explains the exact issue we encountered, but unfortunately we haven't found any definitive steps for resolution or even how to determine if the machine is actually infected:

http://blogs.mcafee.com/mcafee-labs/cve-2012-0158-exploit-in-the-wild

 

Thanks!



BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:36 AM

Posted 15 May 2013 - 08:13 PM

p22002970.gif Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.

p22002970.gif Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


p22002970.gif Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

p22002970.gif Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

p22002970.gifDownload Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt


p22002970.gif Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 mttime73

mttime73
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:36 AM

Posted 16 May 2013 - 06:13 PM

Wondeful.  Thanks for the prompt reply.  I downloaded and ran all the tools.  Below are the logs you requested.

 

Security Check:

 Results of screen317's Security Check version 0.99.63  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
AVG AntiVirus Business Edition 2013   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
````````Process Check: objlist.exe by Laurent````````  
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

 

FSS:

Farbar Service Scanner Version: 14-04-2013
Ran by MackOwen (administrator) on 16-05-2013 at 15:48:35
Running from "C:\Users\MackOwen\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

 

 

Minitoolbox:

MiniToolBox by Farbar  Version:21-04-2013
Ran by MackOwen (administrator) on 16-05-2013 at 15:50:52
Running from "C:\Users\MackOwen\Desktop"
Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: kok2:8080
========================= Hosts content: =================================



========================= IP Configuration: ================================

Broadcom NetLink ™ Gigabit Ethernet = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : MACKOWEN
   Primary Dns Suffix  . . . . . . . : kok.lan
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : kok.lan

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink ™ Gigabit Ethernet
   Physical Address. . . . . . . . . : 18-03-73-B7-66-D6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d10b:347c:59f6:7fb6%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.108(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, May 16, 2013 3:42:28 PM
   Lease Expires . . . . . . . . . . : Friday, May 17, 2013 3:42:28 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 242756555
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-52-5C-17-78-2B-CB-99-17-9A
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{0322F32F-B0B5-489C-A872-50BEFF612EF7}:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.108%13(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:183f:693:3f57:fe93(Preferred)
   Link-local IPv6 Address . . . . . : fe80::183f:693:3f57:fe93%21(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  KokPublic
Address:  192.168.1.1

Name:    google.com.kok.lan
Address:  67.215.65.132


Pinging google.com [74.125.239.103] with 32 bytes of data:
Reply from 74.125.239.103: bytes=32 time=20ms TTL=53
Reply from 74.125.239.103: bytes=32 time=19ms TTL=53

Ping statistics for 74.125.239.103:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 20ms, Average = 19ms
Server:  KokPublic
Address:  192.168.1.1

Name:    yahoo.com.kok.lan
Address:  67.215.65.132


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=123ms TTL=50
Reply from 206.190.36.45: bytes=32 time=62ms TTL=50

Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 62ms, Maximum = 123ms, Average = 92ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 10...18 03 73 b7 66 d6 ......Broadcom NetLink ™ Gigabit Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 21...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.108     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.108    276
    192.168.1.108  255.255.255.255         On-link     192.168.1.108    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.108    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.108    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.108    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 21     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 21     58 2001::/32                On-link
 21    306 2001:0:9d38:6ab8:183f:693:3f57:fe93/128
                                    On-link
 10    276 fe80::/64                On-link
 21    306 fe80::/64                On-link
 13    281 fe80::5efe:192.168.1.108/128
                                    On-link
 21    306 fe80::183f:693:3f57:fe93/128
                                    On-link
 10    276 fe80::d10b:347c:59f6:7fb6/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
 21    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (05/14/2013 11:06:59 AM) (Source: Application Error) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0xc9c
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3

Error: (05/14/2013 11:06:40 AM) (Source: Application Error) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0x8bc
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3

Error: (03/26/2013 03:04:32 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_FontCache, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: fntcache.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c648
Exception code: 0x40000015
Fault offset: 0x000000000003d472
Faulting process id: 0x7f8
Faulting application start time: 0xsvchost.exe_FontCache0
Faulting application path: svchost.exe_FontCache1
Faulting module path: svchost.exe_FontCache2
Report Id: svchost.exe_FontCache3

Error: (03/07/2013 02:59:29 PM) (Source: Application Hang) (User: )
Description: The program CSAAPP.EXE version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1678

Start Time: 01ce1b7e8cc448f1

Termination Time: 0

Application Path: F:\WINCSI\CSA\CSAAPP.EXE

Report Id: 46000964-8772-11e2-925b-180373b766d6

Error: (01/24/2013 00:32:02 PM) (Source: Application Hang) (User: )
Description: The program CSAAPP.EXE version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 171c

Start Time: 01cdfa694572d446

Termination Time: 0

Application Path: F:\WINCSI\CSA\CSAAPP.EXE

Report Id: b23f0b19-665c-11e2-8cc4-180373b766d6

Error: (01/10/2013 11:46:10 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16457 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 7a4

Start Time: 01cdef623f75ed44

Termination Time: 0

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: e8cf3b8e-5b55-11e2-ad34-180373b766d6

Error: (11/27/2012 09:41:30 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16455 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 79c

Start Time: 01cdccbc8195fe06

Termination Time: 0

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id:

Error: (09/18/2012 02:21:38 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16448 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: cf0

Start Time: 01cd95e2e0b8613e

Termination Time: 0

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id:

Error: (08/20/2012 00:43:24 PM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16448 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1524

Start Time: 01cd7f0bd481d14a

Termination Time: 10

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id: 48a661e5-eaff-11e1-bea2-180373b766d6


System errors:
=============
Error: (05/16/2013 03:41:38 PM) (Source: Microsoft-Windows-GroupPolicy) (User: KOK)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (05/16/2013 03:35:33 PM) (Source: TermService) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (05/16/2013 03:33:38 PM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (05/16/2013 03:33:08 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain KOK due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (05/16/2013 07:48:48 AM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (05/15/2013 06:08:50 PM) (Source: Service Control Manager) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (05/15/2013 04:36:15 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR4.

Error: (05/15/2013 04:36:14 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR4.

Error: (05/15/2013 04:36:13 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR4.

Error: (05/15/2013 04:36:13 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR4.


Microsoft Office Sessions:
=========================
Error: (05/14/2013 11:06:59 AM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cdc9c01ce50cdd37ef285G:\IT\Utilities\SysinternalsSuite\RootkitRevealer.exeG:\IT\Utilities\SysinternalsSuite\RootkitRevealer.exe117c698c-bcc1-11e2-b236-180373b766d6

Error: (05/14/2013 11:06:40 AM) (Source: Application Error)(User: )
Description: RootkitRevealer.exe1.71.0.044e255aaRootkitRevealer.exe1.71.0.044e255aac0000005000040cd8bc01ce50cdc437c56aG:\IT\Utilities\SysinternalsSuite\RootkitRevealer.exeG:\IT\Utilities\SysinternalsSuite\RootkitRevealer.exe06859801-bcc1-11e2-b236-180373b766d6

Error: (03/26/2013 03:04:32 PM) (Source: Application Error)(User: )
Description: svchost.exe_FontCache6.1.7600.163854a5bc3c1fntcache.dll6.1.7601.175144ce7c64840000015000000000003d4727f801ce2a2f2bf068d8C:\Windows\system32\svchost.exec:\windows\system32\fntcache.dll22e1fad4-9661-11e2-aae2-180373b766d6

Error: (03/07/2013 02:59:29 PM) (Source: Application Hang)(User: )
Description: CSAAPP.EXE0.0.0.0167801ce1b7e8cc448f10F:\WINCSI\CSA\CSAAPP.EXE46000964-8772-11e2-925b-180373b766d6

Error: (01/24/2013 00:32:02 PM) (Source: Application Hang)(User: )
Description: CSAAPP.EXE0.0.0.0171c01cdfa694572d4460F:\WINCSI\CSA\CSAAPP.EXEb23f0b19-665c-11e2-8cc4-180373b766d6

Error: (01/10/2013 11:46:10 AM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.164577a401cdef623f75ed440C:\Program Files (x86)\Internet Explorer\iexplore.exee8cf3b8e-5b55-11e2-ad34-180373b766d6

Error: (11/27/2012 09:41:30 AM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.1645579c01cdccbc8195fe060C:\Program Files (x86)\Internet Explorer\iexplore.exe

Error: (09/18/2012 02:21:38 PM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.16448cf001cd95e2e0b8613e0C:\Program Files (x86)\Internet Explorer\iexplore.exe

Error: (08/20/2012 00:43:24 PM) (Source: Application Hang)(User: )
Description: iexplore.exe9.0.8112.16448152401cd7f0bd481d14a10C:\Program Files (x86)\Internet Explorer\iexplore.exe48a661e5-eaff-11e1-bea2-180373b766d6


=========================== Installed Programs ============================

ACH Editor - EBC1351 (Version: 1.2.0.3)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.1.102.55)
ALERE Accounting 6.6
AVG 2013 (Version: 13.0.3162)
AVG 2013 (Version: 13.0.3336)
AVG 2013 (Version: 2013.0.3336)
Creative Solutions Accounting
Creative Solutions Accounting - Workstation
CutePDF Writer 2.8
DataLink Viewer 9 (Version: 6.2001.0.90)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Edoc Viewer (Version: 1.0.0)
DirectX 9 Runtime (Version: 1.00.0000)
EMET (Version: 3.0.0)
Intel® Processor Graphics (Version: 8.15.10.2253)
Intel® Rapid Storage Technology (Version: 10.0.0.1046)
Kyocera Scanner File Utility
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Home and Business 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft OLE DB Provider for Visual FoxPro (Version: 9.0.0.3504)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
PDF-XChange Viewer (Version: 2.5.194.0)
PhotoShowExpress (Version: 2.0.063)
RBVirtualFolder64Inst (Version: 1.00.0000)
Realtek High Definition Audio Driver (Version: 6.0.1.6141)
Roxio Activation Module (Version: 1.0)
Roxio BackOnTrack (Version: 1.3.3)
Roxio Burn (Version: 1.8)
Roxio Creator Starter (Version: 1.0.439)
Roxio Creator Starter (Version: 12.1.77.0)
Roxio Creator Starter (Version: 5.0.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio File Backup (Version: 1.3.2)
Sonic CinePlayer Decoder Pack (Version: 4.3.0)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
Visual FoxPro ODBC Driver (Version: 1.0.0)
Visual Studio 2010 x64 Redistributables (Version: 13.0.0.1)
Windows Small Business Server 2011 Standard ClientAgent (Version: 6.1.7900.1)
Windows Small Business Server 2011 Standard WMI Provider (Version: 6.1.7900.1)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 3944.44 MB
Available physical RAM: 2392.21 MB
Total Pagefile: 7887.07 MB
Available Pagefile: 6260.11 MB
Total Virtual: 4095.88 MB
Available Virtual: 3974.32 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:297.32 GB) (Free:248.34 GB) NTFS
3 Drive e: (KINGSTON) (Removable) (Total:3.65 GB) (Free:2.76 GB) FAT32

========================= Users: ========================================

User accounts for \\MACKOWEN

Administrator            Guest                    Kokatat                  


**** End of log ****
 

 

MBAM:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.16.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
MackOwen :: MACKOWEN [administrator]

5/16/2013 3:53:44 PM
mbam-log-2013-05-16 (15-53-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 318490
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

MBAR:

Malwarebytes Anti-Rootkit BETA 1.05.0.1001
www.malwarebytes.org

Database version: v2013.05.16.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
MackOwen :: MACKOWEN [administrator]

5/16/2013 4:04:50 PM
mbar-log-2013-05-16 (16-04-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28989
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Rkill:

Rkill 2.4.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/16/2013 04:06:39 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Windows\csasvc.exe (PID: 1876) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\MackOwen\Desktop\rkill\rkill-05-16-2013-04-06-42.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/16/2013 04:06:49 PM
Execution time: 0 hours(s), 0 minute(s), and 10 seconds(s)
 

 

Thanks!



#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:36 AM

Posted 16 May 2013 - 06:41 PM

Looks clean so far...

 

p22002970.gif Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

p22002970.gif Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


=============================================================================

p22002970.gif Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


=======================================

p22002970.gif Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 mttime73

mttime73
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:36 AM

Posted 17 May 2013 - 11:28 AM

I think we are clean...  Here are the logs you requested.

 

AdwCleaner:

# AdwCleaner v2.301 - Logfile created 05/16/2013 at 16:54:11
# Updated 16/05/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : MackOwen - MACKOWEN
# Boot Mode : Normal
# Running from : C:\Users\MackOwen\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16483

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [521 octets] - [16/05/2013 16:54:11]

########## EOF - C:\AdwCleaner[S1].txt - [580 octets] ##########
 

 

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Professional x64
Ran by MackOwen on Thu 05/16/2013 at 16:59:56.03
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\ctTOOLBAR.ctToolBarCtrl.4



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 05/16/2013 at 17:02:11.97
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

ESET came up clean, so no log was generated.

 

Thanks!



#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:06:36 AM

Posted 17 May 2013 - 11:39 AM

Your computer is clean p3879546.jpg

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/
Windows 8: http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/#disable

2. Make sure Windows Updates are current.

3. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

12. Except for MBAM and TFC, which are keepers you can simply delete all other tools we used as they don't install.


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users