
swf/cve-2014-0515 showing up repeatedly...



#1 GrayAnderson


Posted 22 October 2014 - 02:46 AM

This seems to be my month for having issues, doesn't it?  I keep getting a warning about a "swf/cve-2014-0515" exploit from Windows Defender.  Malwarebytes Anti-Malware comes back negative on this one, while the baseline Malwarebytes Anti-Exploit also comes back blank.  So...either Windows Defender is being a bit hyper or everyone else is asleep at the wheel.  Do I have an issue or not (and if so, how do I deal with this one, since it keeps popping back after a quarantine)?




 


#2 buddy215


Posted 22 October 2014 - 05:20 AM

Make sure your Adobe Flash Player is up to date. Adobe - Flash Player

Click on the link above and it will tell you what player you are now using and what the latest version is.

 

Use CCleaner to remove the temporary files, caches, logs, cookies, etc. Use the Default settings. Pay attention while installing and UNcheck offers of toolbars...especially Yahoo. No need to use the Registry Cleaner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Run a scan using Eset Online Free Scanner.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 GrayAnderson


Posted 24 October 2014 - 02:24 AM

Ok, I updated Adobe...and then I ran ESET.  Oh boy...

 

 

 

C:\FRST\Quarantine\C\ProgramData\Windows Genuine Advantage\{01F5C7D9-FEB9-4A73-BE42-CD3EB36565CD}\msiexec.exe.xBAD    Win32/TrojanDownloader.Cerabit.A trojan
C:\FRST\Quarantine\C\ProgramData\Windows Genuine Advantage\{685955DB-0ECF-458E-813C-5720B4E1FA1E}\msiexec.exe.xBAD    Win32/TrojanDownloader.Cerabit.A trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\qolwtrt.dll.xBAD    Win32/TrojanDownloader.Tracur.AM trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\Acrobat\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\Acrobat\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\Search\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\Search\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\f\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\f\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\f\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\f\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.HTML.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\FRST\Quarantine\C\Users\William\AppData\Roaming\ftbmt.dll.xBAD    a variant of MSIL/Injector.FWI trojan
C:\FRST\Quarantine\C\Users\William\Documents\bitcoin-0.8.5-win32-setup.exe.xBAD    a variant of Win32/BitCoinMiner.BJ potentially unsafe application
C:\Users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EG4FETMF\thisistheindex[1].htm    JS/Exploit.Agent.NHN trojan
C:\Users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYHKAD4Q\abhgtnedg[1].htm    JS/Exploit.Agent.NHN trojan
C:\Users\William\AppData\LocalLow\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\Search\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\f\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\f\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\Documents\SC3K\SC2K\2knet\upnpc\upnpc-static.exe    a variant of Win32/MiniUPnP.C potentially unsafe application
 


Looks like we're going back next door...

 

Edit: I just realized that almost all of these break into three categories:
(1) Quarantined files caught last time.

(2) The Install_Tor files that we never bothered to remove last time.

(3) The final one, the SC2K, is one I know is safe (it's SimCity 2000-related).

 

Ergo...a lot of this is probably a false alarm and I just need to clean out those Install_Tor files to avoid having them trip.


Edited by GrayAnderson, 24 October 2014 - 03:17 AM.
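The triage described in post #3, as an added example that is not part of the original thread: it sorts ESET log lines into hits under C:\FRST\Quarantine, leftover ransom-note files, "potentially unsafe application" hits, and everything else. The bucket names and function names are assumptions made for this sketch; the sample lines are copied from the log above.

```python
import ntpath
import re
from collections import defaultdict

# Five lines taken from the ESET log in post #3 (path, spaces, detection name).
SAMPLE_LOG = r"""
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\qolwtrt.dll.xBAD    Win32/TrojanDownloader.Tracur.AM trojan
C:\FRST\Quarantine\C\Users\William\AppData\LocalLow\Adobe\DECRYPT_INSTRUCTION.TXT.xBAD    Win32/Filecoder.CR trojan
C:\Users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EG4FETMF\thisistheindex[1].htm    JS/Exploit.Agent.NHN trojan
C:\Users\William\AppData\LocalLow\Sun\Java\INSTALL_TOR.URL    Win32/Filecoder.CR trojan
C:\Users\William\Documents\SC3K\SC2K\2knet\upnpc\upnpc-static.exe    a variant of Win32/MiniUPnP.C potentially unsafe application
"""

# Folder seen in the log that holds copies set aside during the earlier cleanup.
QUARANTINE_PREFIX = "c:\\frst\\quarantine\\"
# Ransom-note file names that appear in the log (compared case-insensitively).
NOTE_NAMES = {"install_tor.url", "decrypt_instruction.html", "decrypt_instruction.txt"}
# Paths contain single spaces, so the separator is a run of two or more.
LINE_RE = re.compile(r"^(?P<path>.+?)\s{2,}(?P<detection>\S.*)$")


def classify(path, detection):
    """Return a bucket name (names are assumptions of this example)."""
    lowered = path.lower()
    if lowered.startswith(QUARANTINE_PREFIX):
        return "quarantined"      # already moved aside, not in its original place
    if ntpath.basename(lowered) in NOTE_NAMES:
        return "ransom_note"      # leftover note or shortcut, safe to delete
    if detection.endswith("potentially unsafe application"):
        return "review"           # owner decides whether the tool is wanted
    return "active"               # anything else still needs handling


def triage(log_text):
    """Group (path, detection) pairs from an ESET text log by bucket."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank or malformed lines
        bucket = classify(match["path"], match["detection"])
        buckets[bucket].append((match["path"], match["detection"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(hits)}")
        for path, detection in hits:
            print(f"    {detection}  <-  {path}")
```

Run over the full log, the "active" bucket holds only the two Temporary Internet Files pages flagged JS/Exploit.Agent.NHN, which are browser cache entries.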


#4 buddy215


Posted 24 October 2014 - 06:15 AM

Have you run CCleaner? If not, do so and use the default settings.

 

After installing and cleaning using CCleaner, reopen CCleaner and click on Tools. Click on Uninstall. At the bottom of that page is a button that, when clicked, will allow you to copy and paste the listed programs. Please post that list.

 

Looking at your earlier topic you used Delfix to remove FRST and its logs but it didn't delete the quarantined files. Hmmmm....

I'll ask someone else about that. It may be just as simple as following the path and deleting the folder containing the items.

I'll let you know.


Edited by buddy215, 24 October 2014 - 06:45 AM.


#5 buddy215


Posted 24 October 2014 - 08:47 PM

Go to C:\FRST and delete the FRST folder. Then rerun Eset and choose to delete/quarantine all that it finds.

If you are sure about the last...your #3... then you can just delete all the others.





