
I think I smell a RAT


17 replies to this topic

#1 TimeTheAvenger (Members, 11 posts)

Posted 13 August 2017 - 01:37 AM

I think I have a Remote Access Trojan or worse. I don't even know where to begin.

I am running Windows 7 Professional 32 bit, fully patched, Java and Flash updates, protected with Kaspersky Total Security. I don't do torrents or visit dodgy websites. This is a standalone PC, Ethernet only, no wireless card, not joined to a domain, no file sharing. SMB and NetBIOS over TCP/IP are disabled. I read my Event Viewer and router logs regularly. I use a standard user account. Router and PC accounts are protected with 11-12 digit passwords with upper/lowercase letters, numbers, and symbols.

I was having trouble in late July with Internet Explorer. It wouldn't page backwards or forwards after a Google search, and I found this annoying. A Microsoft site suggested resetting IE's settings. I did this, and it seemed worse. I wondered if it might have been a recent Windows update?

I'll cut to the chase. Looking more closely at the Windows Event Viewer, I saw things in Security that bothered me, attempts to register and unregister a security audit source, several times a day. I looked at my router logs and discovered that suddenly IPv6 was configured and enabled, where it had never been before.

I called technical support, and they suggested updating the firmware. I did so, and the IPv6 settings are still there.

I saw more in the Windows Event Viewer that bugged me: A reference to MSDTC 2, which I have never installed on my system. Virtual Disk Service, which I have never enabled. Under Directory Services-SAM, "Remote Calls to the SAM database restricted using the default security descriptor."

I have run Kaspersky Scans in aggressive mode, a Trend Micro Scan, and Malware Bytes. I have run sfc /scannow, CHKDSK, sigverif, and have examined the disk, partitions, and volumes with DISKPART. Nothing unusual showed up with these scans.

 

I decided to do a system restore to see if I could get IE functioning normally. After rebooting, the event viewer reported that read/write on Volume Shadow Copy Service was screwed up, Path is \\?\GLOBALROOT\Device\Harddisk. Don't the double slashes mean it's a network share?

I looked at System Information>Software Environment>Startup Programs. The first of three startup tasks is as below and the second is like it with a p.

?□f 

When I look at this same page under the administrator account, these tasks are in Chinese characters that mean "Picking Up" according to Google Translate.

 

Still looking at Software Environment, if I look at loaded modules and drivers, several are running although the service has been stopped and disabled through Services. The one entry that bothers me the most is DFS Namespace Client Driver. This is not something that I enabled/set up. All kinds of remote access services and drivers are shown as loaded and running, as is the Dynamic Volume Manager. I did not create any Dynamic volumes on my disk!

 

Oh, I also ran vssadmin. The Device Manager shows that I have 13 Volume Shadow Copies. vssadmin shows that I have #3-15. Lots more in the registry.

Last night I turned off Remote Differential Compression, and the Virtual Disk Service stopped.

 

Finally, the real kicker: The Environment Variables.

 

[Environment Variables]

Variable Value User Name

ComSpec %SystemRoot%\system32\cmd.exe <SYSTEM>
FP_NO_HOST_CHECK NO <SYSTEM>
OS Windows_NT <SYSTEM>
Path C:\ProgramData\Oracle\Java\javapath;C:\Program Files\Common Files\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\Services\IPT\;C:\Program Files\Windows Live\Shared;C:\Program Files\Common Files\HP\Digital Imaging\bin;C:\Program Files\HP\Digital Imaging\bin\;C:\Program Files\HP\Digital Imaging\bin\Qt\Qt 4.3.3;C:\Program Files\Intel\OpenCL SDK\2.0\bin\x86 <SYSTEM>
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC <SYSTEM>
PROCESSOR_ARCHITECTURE x86 <SYSTEM>
TEMP %SystemRoot%\TEMP <SYSTEM>
TMP %SystemRoot%\TEMP <SYSTEM>
USERNAME SYSTEM <SYSTEM>
windir %SystemRoot% <SYSTEM>
PSModulePath %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\ <SYSTEM>
NUMBER_OF_PROCESSORS 4 <SYSTEM>
PROCESSOR_LEVEL 6 <SYSTEM>
PROCESSOR_IDENTIFIER x86 Family 6 Model 42 Stepping 7, GenuineIntel <SYSTEM>
PROCESSOR_REVISION 2a07 <SYSTEM>
windows_tracing_logfile C:\BVTBin\Tests\installpackage\csilogfile.log <SYSTEM>
windows_tracing_flags 3 <SYSTEM>
DellClientSystemUpdatePath C:\Program Files\Dell\ClientSystemUpdate\ <SYSTEM>

 

How screwed am I? Is it just a matter of reformat/reinstall, or could I have a boot virus that will persist through that?

I have Event viewer logs copied, screenshots of all this mess--I just thought I'd start with the worst because there might not be any point in bringing up the rest if it's as bad as I think it looks.

 

Thanks for your patience in wading through all this. I appreciate any advice y'all can give me.
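The PATH listing in the post above, worked through as an added example that is not part of the original post or of any BleepingComputer advice. Later in the thread the poster explains the leading javapath entry (Java 8 prepends itself to PATH); this Python script shows why the order matters from a defender's standpoint: when a command is typed by bare name at a cmd.exe or PowerShell prompt, the shell walks PATH left to right, so a same-named executable in an earlier entry is the one that runs (CreateProcess called with a bare name checks the system directory before PATH, so the exposure is about shell commands and scripts, not every process launch). The script expands %VAR% references, normalises the entries and reports those that sit before %SystemRoot%\system32, those outside %SystemRoot% and %ProgramFiles%, and duplicates. SAMPLE_ENV is a constructed Windows 7 default environment; the function names and the "trusted roots" rule are this example's own choices, and whether a flagged directory is actually writable by a standard user still has to be checked on the machine (for instance with icacls).

```python
import re
from typing import Dict, List

# Expansion environment for %VAR% references.  Constructed for the example with the
# Windows 7 defaults; on a real machine use os.environ instead.
SAMPLE_ENV = {"SYSTEMROOT": r"C:\Windows", "PROGRAMFILES": r"C:\Program Files"}

# The PATH value quoted in the post above, with the forum line-wrapping removed.
SAMPLE_PATH = (
    r"C:\ProgramData\Oracle\Java\javapath;"
    r"C:\Program Files\Common Files\Microsoft Shared\Windows Live;"
    r"%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;"
    r"%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;"
    r"C:\Program Files\Intel\Services\IPT\;"
    r"C:\Program Files\Windows Live\Shared;"
    r"C:\Program Files\Common Files\HP\Digital Imaging\bin;"
    r"C:\Program Files\HP\Digital Imaging\bin\;"
    r"C:\Program Files\HP\Digital Imaging\bin\Qt\Qt 4.3.3;"
    r"C:\Program Files\Intel\OpenCL SDK\2.0\bin\x86"
)

_VAR = re.compile(r"%([^%]+)%")


def expand_vars(entry: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, the way cmd.exe resolves them.
    Unknown variables are left untouched so they stay visible in the report."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), entry)


def normalize(entry: str, env: Dict[str, str]) -> str:
    """Expand, strip a trailing backslash and fold case so equivalent spellings compare equal."""
    return expand_vars(entry.strip(), env).rstrip("\\").lower()


def _under(path: str, root: str) -> bool:
    """True when path is root itself or lies below it (prefix match on a path component)."""
    return path == root or path.startswith(root + "\\")


def analyze_path(path_value: str, env: Dict[str, str]) -> Dict[str, List[str]]:
    """Report PATH entries that deserve a second look.

    before_system32: searched by the shell before %SystemRoot%\\system32 when a
        command is run by bare name, so a same-named binary there wins.
    outside_trusted_roots: not under %SystemRoot% or %ProgramFiles% (the rule is
        this example's own heuristic; check write permissions on the machine).
    duplicates: the same directory listed more than once.
    """
    entries = [e for e in path_value.split(";") if e.strip()]
    normalized = [normalize(e, env) for e in entries]
    system32 = normalize(r"%SystemRoot%\system32", env)
    roots = [normalize("%SystemRoot%", env), normalize("%ProgramFiles%", env)]
    sys_idx = normalized.index(system32) if system32 in normalized else len(normalized)

    report: Dict[str, List[str]] = {
        "before_system32": [], "outside_trusted_roots": [], "duplicates": []}
    seen = set()
    for i, entry in enumerate(normalized):
        if i < sys_idx:
            report["before_system32"].append(entry)
        if not any(_under(entry, root) for root in roots):
            report["outside_trusted_roots"].append(entry)
        if entry in seen and entry not in report["duplicates"]:
            report["duplicates"].append(entry)
        seen.add(entry)
    return report


if __name__ == "__main__":
    for key, items in analyze_path(SAMPLE_PATH, SAMPLE_ENV).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

On the quoted value the script reports two entries ahead of system32 (the Java javapath directory and the Windows Live one) and flags only the javapath entry as lying outside the Windows and Program Files trees; a machine-by-machine ACL check decides whether that matters.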

 

 

 

 




 


#2 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, NJ USA)

Posted 15 August 2017 - 11:38 AM

Hi, I would try this before a reinstall. May need to run more than once.



Tweaking.com - Windows Repair All-In-One (Portable)

- Download Windows Repair All-In-One (Portable Version) from here.
- Extract tweaking.com_windows_repair_aio.zip to your Desktop.
- Disable all your antivirus and antimalware software - see how to do that here.
- Right click on [image] and select Run as Administrator (XP users just double click) to start Windows Repair All-In-One. (Windows Vista/7/8 users: Accept UAC warning if it is enabled.)
- A window will appear. Click Step 2. [screenshot]
- Click the Open Pre-Scan button, then click Start Scan. Wait for Windows Repair to finish scanning.
- Depending on which error Windows Repair found, click Repair Reparse Point or Repair Environment Variable accordingly. When the button changes to "Done!", click the close button to return to Windows Repair.
- Go to Step 3, then click Check in the See If Check Disk Is Needed.
- If Windows Repair stated that errors are found, click Open Check Disk At Next Boot. Choose (/R) Fixes errors on the disk also locate bad sectors and recovers readable information, then click Add To Next Boot. Reboot the computer to let Windows check the disk. [screenshot]
- Go to Step 4, then click Do It. [screenshot]
- Go to Step 5. Under System Restore click Create. [screenshot]
- Go to Repairs and click Open Repairs. Leave all checkmarks as they are, then click Start Repairs. [screenshot]
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 17 August 2017 - 10:29 AM

Hello. Thanks for your reply. I have run the program and have done a little forensics that might shed further light on the issue. I will post the results here. I'm just now writing them up.

 

Thanks again.



#4 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 17 August 2017 - 01:37 PM

I ran tweaking.com's Windows Repair as an Administrator in Safe Mode with Networking with Antivirus disabled as instructed at about 1:30 p.m.

I did the pre-scan and Step 2 before attempting any repairs. It found nothing wrong with my Environment Variables--I did some investigating and discovered that starting with Java 8, it prepends itself to the PATH environment variable instead of appending itself.

There is a new version of this utility out, so I un-checked the boxes for Windows 8/10 components and let it run. It found nothing remarkable, fixed Windows Update, Network, Firewall, cleaned Temporary files, etc.  

When it fixed Windows Update, something interesting happened: suddenly, updates I had hidden because they had been superseded or because they didn't apply to me reappeared. I re-hid them. When the Firewall was fixed, it re-enabled all the firewall rules I had disabled, so I went back and fixed those.

 

I had meant to write you the night before you replied to let you know that using Process Explorer, I looked at several core Windows components, in particular lsass.exe. Most portions of it are "Access Denied", including its Disk Activity, but I was able to look at its Properties. Looking at its list of Privileges, I saw two that were Disabled that concerned me: SeSecurity Privilege and SeAssign Primary Token Privilege. 

After running the Windows Repair, I looked at lsass.exe again with Process Explorer and discovered that it had a new Default Enabled Privilege that had NOT been there before: Create Token. Also, access to its Disk Activity was now visible. It doesn't tell me much, but these are changes. I wonder if there has been some sort of code injection into lsass.exe and a complete takeover of this system?

 

At about 4:30 p.m. I decided to change the Computer Name.

At 5:15, I called my ISP and asked them if they are now providing IPv6 connectivity, since they recently merged with two other providers. This might explain why IPv6 suddenly appeared in my router configuration and logs. They said No, not at this time.

So I disabled the IPv6 through the Ethernet Adapter and through the Firewall.

 

I checked my Services: CNG Key Isolation, Credential Manager, and Office Software Protection Platform were all set to Manual (fine). They were all stopped, and under Recovery/Restart, all three were "Take No Action". I don't know whether this is significant or not. I thought it odd.

 

I checked the Event Log again at this point. Lots of interesting things going on here. For brevity, I won't post the logs unless you ask me to; I will give you a synopsis of the events. I apologize for the verbosity, but I think the following events are significant:

 

The first five entries in the Event Log after the Computer Name Change are Adding Members to Security-Enabled Local Groups.

The first entry is SID NT Service\Trusted Installer S-1-5-80    Group SID: Built-in Admins

The second is SID System SID S-1-5-18 Member System Group Built-in Admins  Group Name Admins  Group Domain  Built-In

 

I will post the third entry, because it appears to make ALL services members of the Local Administrators Group. I read here

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Security/DontaddserviceaccountstothelocalAdministratorsgroup.html

 

that it is a very bad idea to do so. (The article did apply to servers) I didn't do it. I will compress the entry as much as possible:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          8/15/2017 3:28:57 PM

Event ID:      4732

Task Category: Security Group Management

Level:         Information

Keywords:      Audit Success

User:          N/A

Computer:      NOVALEVERGA

Description:

A member was added to a security-enabled local group.

 

Subject:

              Security ID:                       SYSTEM

              Account Name:               NOVALEVERGA$

              Account Domain:                          WORKGROUP

              Logon ID:                          0x3e7

Member:

              Security ID:                       NT AUTHORITY\SERVICE

              Account Name:               -

Group:

              Security ID:                       BUILTIN\Administrators

              Group Name:                   Administrators

              Group Domain:               Builtin

Additional Information:

              Privileges:                         -

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4732</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>13826</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8020000000000000</Keywords>

    <TimeCreated SystemTime="2017-08-15T20:28:57.640351400Z" />

    <EventRecordID>96806</EventRecordID>

    <Correlation />

    <Execution ProcessID="556" ThreadID="1672" />

    <Channel>Security</Channel>

    <Computer>NOVALEVERGA</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="MemberName">-</Data>

    <Data Name="MemberSid">S-1-5-6</Data>

    <Data Name="TargetUserName">ADMINISTRATORS</Data>

    <Data Name="TargetDomainName">Builtin</Data>

    <Data Name="TargetSid">S-1-5-32-544</Data>

    <Data Name="SubjectUserSid">S-1-5-18</Data>

    <Data Name="SubjectUserName">NOVALEVERGA$</Data>

    <Data Name="SubjectDomainName">WORKGROUP</Data>

    <Data Name="SubjectLogonId">0x3e7</Data>

    <Data Name="PrivilegeList">-</Data>

  </EventData>

</Event>

 

Isn't this entry making ALL services members of the Local Administrators Group? Or am I reading something into this that isn't there?

 

Reason: after these entries, there is a logon 4624 System/NT Authority Process: Services.exe. Logon Process: Advapi. Authorization Package: Negotiate.

 

At the same time, there is a Login 4672. Special Privileges Assigned to New Login. Privileges are SeAssignPrimaryTokenPrivilege,

 SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege,

 SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege

 

Four seconds later, another Services.exe process logon. Everything above is the same except 

In the first one the

Subject User ID S-1-5-18

User Name SYSTEM

Domain Name NT AUTHORITY

 

In the second one the

Subject User ID S-1-5-18

User Name COMPUTERNAME$

Domain Name WORKGROUP

 

Four seconds later

 

SID: SYSTEM

Account Name: COMPUTER NAME$

Account Domain: Workgroup

Login Type 5

 

NEW LOGIN:

SID: SYSTEM

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Process Name: services.exe

Logon Process: Advapi

Authentication Package: Negotiate

 

Looking over the event log, it appears that whenever there is a services or system process logon (anything except a user account) the logon type 4624 is followed by this type 4672 Special Privileges Assigned, as above.

 

That afternoon, there were these two sets of those logins, then 1:14 seconds later, the Firewall stopped.

9 seconds later, an anonymous connection over the Network: Null SID S-1-0-0 Anonymous Logon Target Domain Name NT Authority

Logon Process Name: NtLmSsp, Authorization Package NTLM, Lm Package Name NTLM v. 1

 

5 seconds later, the Firewall starts. 4 seconds later, it stops. 12 seconds later, it starts again.

 

There is still the issue with the loaded modules and running tasks including remote access/Terminal server/RAS stuff that I had disabled the moment I set up this computer. Do I need to disable these processes using the command line? Is it safe to leave the drivers running if the processes have been terminated?

 

There's a lot going on here, I know. I changed the computer name to see what the Event Viewer would show in the Security Audit Events afterwards. I have disabled every process (except in loaded modules and running tasks) in Services. I'm not comfortable doing a registry edit without guidance. If Microsoft TechNet had a straightforward "Here's how to shut this off" how to change the values in the registry keys, I'd be fine. But I'm not a registry tinkerer in general.

 

I have blathered on long enough. Thank you for your time. I appreciate any advice you can give me.
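The 4732 record quoted in this post, run through a small triage script as an added example that is not part of the original post or of any BleepingComputer advice. It does in code what the poster is doing by eye: it flattens each Security event's XML (the <Data Name=...> elements under <EventData>), flags any addition to BUILTIN\Administrators (TargetSid S-1-5-32-544) together with the member SID and the subject that made the change, and flags 4672 special-privilege logons only when the subject is not one of the well-known service accounts (SYSTEM S-1-5-18, LOCAL SERVICE S-1-5-19, NETWORK SERVICE S-1-5-20). That last rule is why the routine SYSTEM/services.exe 4624-then-4672 pairs the poster describes stay quiet, while a local user arriving with SeDebugPrivilege does not. The 4732 record is the one from the post with its <System> block trimmed to the fields used; the two 4672 records are constructed, and the SID S-1-5-21-0-0-0-1001 and account name localuser in them are placeholders. Whether the S-1-5-6 (NT AUTHORITY\SERVICE) addition on this machine is benign is not something the script decides; it only surfaces the record with its subject and logon ID so it can be compared against the same event on a known-clean Windows 7 install.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by every Windows event record (see the <Event xmlns=...> line in the post).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"  # TargetSid in the quoted 4732 record
# SYSTEM, LOCAL SERVICE, NETWORK SERVICE: 4672 records for these follow every service logon.
SERVICE_ACCOUNT_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Subset of the privilege names from the post's 4672 list that matter most for a non-service logon.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                        "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

# The 4732 record from the post, <System> trimmed to the elements this script reads.
EVENT_4732_FROM_POST = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4732</EventID>
    <TimeCreated SystemTime="2017-08-15T20:28:57.640351400Z" />
    <Channel>Security</Channel>
    <Computer>NOVALEVERGA</Computer>
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-6</Data>
    <Data Name="TargetUserName">ADMINISTRATORS</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">NOVALEVERGA$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>"""


def make_4672(subject_sid: str, subject_name: str, privileges: List[str]) -> str:
    """Constructed 4672 record carrying only the fields the triage reads.
    PrivilegeList uses newline plus tabs between names, as the real event does."""
    priv_text = "\n\t\t\t".join(privileges)
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4672</EventID>'
        '<TimeCreated SystemTime="2017-08-15T20:29:01.000000000Z" />'
        '<Computer>NOVALEVERGA</Computer></System><EventData>'
        f'<Data Name="SubjectUserSid">{subject_sid}</Data>'
        f'<Data Name="SubjectUserName">{subject_name}</Data>'
        f'<Data Name="PrivilegeList">{priv_text}</Data>'
        '</EventData></Event>'
    )


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Security event: <System> essentials plus every <Data Name=...> value."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def triage(event: Dict[str, str]) -> List[str]:
    """Findings for one parsed event; an empty list means nothing to flag."""
    findings = []
    if event["EventID"] == "4732" and event.get("TargetSid") == BUILTIN_ADMINISTRATORS:
        findings.append(
            f"{event['TimeCreated']} {event['Computer']}: member {event.get('MemberSid')} "
            f"added to BUILTIN\\Administrators by {event.get('SubjectUserName')} "
            f"(subject {event.get('SubjectUserSid')}, logon {event.get('SubjectLogonId')})")
    if event["EventID"] == "4672":
        subject = event.get("SubjectUserSid", "")
        risky = sorted(set(event.get("PrivilegeList", "").split()) & SENSITIVE_PRIVILEGES)
        if subject not in SERVICE_ACCOUNT_SIDS and risky:
            findings.append(
                f"{event['TimeCreated']} {event['Computer']}: non-service account "
                f"{event.get('SubjectUserName')} ({subject}) logged on with {', '.join(risky)}")
    return findings


def triage_all(records: List[str]) -> List[str]:
    findings: List[str] = []
    for xml_text in records:
        findings.extend(triage(parse_event(xml_text)))
    return findings


# Sample batch: the quoted 4732, a routine SYSTEM 4672 like those the post describes,
# and a constructed 4672 for a local user (placeholder SID) holding SeDebugPrivilege.
SAMPLE_RECORDS = [
    EVENT_4732_FROM_POST,
    make_4672("S-1-5-18", "SYSTEM",
              ["SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege", "SeDebugPrivilege"]),
    make_4672("S-1-5-21-0-0-0-1001", "localuser", ["SeDebugPrivilege", "SeBackupPrivilege"]),
]

if __name__ == "__main__":
    for line in triage_all(SAMPLE_RECORDS):
        print(line)
```

On the sample batch the script emits two lines: the S-1-5-6 addition to Administrators made under the SYSTEM logon 0x3e7, and the constructed local-user 4672; the SYSTEM 4672 produces nothing. Running it over real data means exporting the Security log as XML (Event Viewer's Save or wevtutil) and feeding each <Event> element to parse_event.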

 



#5 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 17 August 2017 - 06:47 PM

Quick (I promise!) update:

I ran dir /q /a on the user accounts. On the Administrator account in particular, there are both Directories and Junctions. The Junctions appear in 5 user paths with the same pattern: <JUNCTION> NTAUTHORITY\System

Send to[C:\Users\Adminuser\AppData\Roaming\Microsoft\Windows\SendTo] Same pattern for

Start Menu, Templates, Recent, and PrintHood\PrinterShortcuts.

 

My understanding is that AppData\Roaming stores user application data and settings for network-based logons for roaming profiles. This saved data will sync to the computer once I log in at the local console.

 

I don't roam. I don't even have a wireless card. No portable/handheld Windows devices to store and sync this data back to this system.

I checked the file paths of these Junctions and there is data in these locations, some dated as recently as this afternoon. There's even a System Certificate, dated at the end of July, in this Roaming profile.

 

Once again, thanks for your time.



#6 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, NJ USA)

Posted 18 August 2017 - 10:09 AM

Well it appears there are some files out of line.. I would think it can still be malware or we need to run a repair or complete install of the OS.

#7 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 18 August 2017 - 11:15 AM

Thank you for your time.



#8 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, NJ USA)

Posted 19 August 2017 - 06:09 PM

Can you run this online scan?

ESET OnlineScan:
  • It is recommended to turn off your antivirus program. Click on the [image] button to see which antivirus is currently enabled. [screenshot]
  • Turn off your antivirus program. See here how to do this.
  • Check the option beside: Enable detection of potentially unwanted applications.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
    Enable detection of potentially unsafe applications
    Enable detection of suspicious applications
    Scan archives
    Enable Anti-Stealth Technology
  • Click on the Change button and select only Operating memory, Autostart locations and drive C:\ to be scanned. [screenshot]
  • Push the [image] button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. [screenshot]
  • When the scan completes a list of found threats will open automatically (if any malicious files are found). [screenshot]
  • Push the [image] button and save the file to your desktop using a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Check the box beside [image] to uninstall the application when closed.
  • Push [image] and then close the application by clicking the X in the upper right corner.


#9 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 19 August 2017 - 06:15 PM

I will do this. I have some coupon printing applications on my computer that are adware. They'll probably show up.

I will run the scan as Administrator and see what happens. Thank you very much.



#10 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, NJ USA)

Posted 19 August 2017 - 06:33 PM

You can unselect those if you use them..

Don't fret I'll Stand by You  :wink: 

#11 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 19 August 2017 - 08:16 PM

I'm somewhat relieved to see that these 22 threats are all pretty much what I expected--toolbars and such. I am aware that my coupon programs are adware, and I'm OK with that. Also, it seems that starting with Java 8, every time I update it from the Java Updater site (not a mirror or third party site) the Java installation does a "drive by", although I uncheck the box for all the extra crap at install. It always installs extra toolbars and ask.com search engines, which I then have to remove with AdwCleaner.

 

C:\$Recycle.Bin\S-1-5-21-3618591344-3695950669-519290804-1000\$R7QNXEB\browser\plugins\npMozCouponPrinter.dll a variant of Win32/Adware.Coupons.AA application 
C:\Documents and Settings\All Users\Adobe\AIH.49dbd6b0d921c3a2c60b1b42436423780301305f\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application 
C:\Documents and Settings\redchow\Desktop\New folder (3)\CouponPrinter.exe a variant of Win32/Adware.Coupons.AA application 
C:\Documents and Settings\redchow\Downloads\couponprinter.exe a variant of Win32/Adware.Coupons.AA application 
C:\Documents and Settings\redchow\Downloads\CouponPrinterCPS (1).exe a variant of Win32/Adware.Coupons.AA application 
C:\Documents and Settings\redchow\Downloads\wmatomp3_setup-50647742.exe Win32/WinWrapper.J potentially unwanted application 
C:\Documents and Settings\redchow\Downloads\wmatomp3_setup.msi a variant of Win32/InstallCore.ADX.gen potentially unwanted application 
C:\Program Files\Coupons\CouponPrinterService.exe a variant of Win32/Adware.Coupons.AA application 
C:\Program Files\Coupons\uninstall.exe a variant of Win32/Adware.Coupons.AA application 
C:\Program Files\Google\Chrome\Application\plugins\npMozCouponPrinter.dll a variant of Win32/Adware.Coupons.AA application 
C:\Program Files\Safari\Plugins\npMozCouponPrinter.dll a variant of Win32/Adware.Coupons.AA application 
C:\ProgramData\Adobe\AIH.49dbd6b0d921c3a2c60b1b42436423780301305f\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application 
C:\Users\All Users\Adobe\AIH.49dbd6b0d921c3a2c60b1b42436423780301305f\GTB.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application 
C:\Users\redchow\Desktop\New folder (3)\CouponPrinter.exe a variant of Win32/Adware.Coupons.AA application 
C:\Users\redchow\Downloads\couponprinter.exe a variant of Win32/Adware.Coupons.AA application 
C:\Users\redchow\Downloads\CouponPrinterCPS (1).exe a variant of Win32/Adware.Coupons.AA application 
C:\Users\redchow\Downloads\wmatomp3_setup-50647742.exe Win32/WinWrapper.J potentially unwanted application 
C:\Users\redchow\Downloads\wmatomp3_setup.msi a variant of Win32/InstallCore.ADX.gen potentially unwanted application 
C:\Windows\CouponPrinter.ocx a variant of Win32/Adware.Coupons.AA application 
C:\Windows\Installer\3ffc124.msi a variant of Win32/Bundled.Toolbar.Ask.C potentially unsafe application 
C:\Windows\Temp\cpnprt2win32.cid a variant of Win32/Adware.Coupons.AA application 
Autostart locations a variant of Win32/Adware.Coupons.AA application

 

Thanks once again for your help. What's next? 
 



#12 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 19 August 2017 - 08:17 PM

Do I run the application again, and clean the undesirable programs this time? I have never seen these toolbars anywhere, just references to them.



#13 boopme, "To Insanity and Beyond" (Global Moderator, 72,740 posts, NJ USA)

Posted 20 August 2017 - 08:10 PM

Sorry was away .. Yes clean it all..

Does any thing you run actually ask for Java to run or need it too run?
Next please run JavaRa.
  • Please download JavaRa 2.6 and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and since you already uninstalled JAVA skip step 1 and click on the next button.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extensions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's successfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.
You can choose between 2 variants:

1. If you have applications that require Java to be installed on the computer then uninstall the old version of Java and then run JavaRa to remove all remnants and then go ahead and download & install the latest version of Java (Java SE 8).

2. If you want to be on the safe side then go ahead and uninstall the old version of Java, then run JavaRa to remove all remnants and then remove all applications that require Java (time to learn to live without Java and find alternatives to the applications that require Java)... Check this article.

#14 TimeTheAvenger (Topic Starter, Members, 11 posts)

Posted 21 August 2017 - 03:56 AM

JavaRa successfully run. 15 items deleted. The only applications on my computer that use Java are my coupon printers, and it may be time to investigate another way to run the software without Java. One thing I thought was weird: JavaRa tried to install a new plug-in for Internet Explorer after it ran, for HP Smart Web Enhancer (which I have disabled anyway). Kaspersky Total Security notified me of the impending change to the file system, so I denied the installation.

Thank you for your help. I had noticed older versions of JRE 7 in my registry but didn't know how to install them. I was running Java 8 141 but uninstalled it before running JavaRa. Here's the logfile:

 

User initialised redundant data purge.
......................

Removed registry subkey tree: JavaSoft
Removed registry subkey tree: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Removed registry subkey tree: {5852F5ED-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Removed registry subkey: {DBC80044-A445-435b-BC74-9C25C1C588A9}
Removed registry subkey tree: {5852F5EC-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey: application/java-deployment-toolkit
Removed registry subkey tree: {5852F5E0-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey tree: JavaWebStart.isInstalled
Removed registry subkey tree: JavaWebStart.isInstalled.1.7.0.0
Removed registry subkey: {5852F5ED-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey tree: Browser Helper Objects
Exception encountered in module [JavaRa]
Message: Cannot delete a subkey tree because the subkey does not exist.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTreeInternal(String subkey)
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey)
   at JavaRa.routines_registry.delete_key(String key)

Removed registry subkey: JreMetrics
Removed registry subkey tree: JavaPlugin.10402
Removed registry subkey tree: JavaPlugin.10512
Removal routine completed successfully. 15 items have been deleted.
User initialised redundant data purge.
......................

Exception encountered in module [JavaRa]
Message: Cannot delete a subkey tree because the subkey does not exist.
   at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTreeInternal(String subkey)
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey)
   at JavaRa.routines_registry.delete_key(String key)

Removal routine completed successfully. 15 items have been deleted.

 

I think I have more than a Java issue, though. Poking around in the registry (I peek, I don't tinker) I can see virtual devices, and that the LSA and SAM database are disabled under HKLM\Software\Policies\Microsoft. I did some more detailed Event logging and enabled Security Audit Success and Failure for Logins, Sensitive Privileges, etc. If you'll indulge me, I'd like to attach three that I found significant. I apologize for the verbosity and thank you for your patience:

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          8/21/2017 1:13:44 AM

Event ID:      4625

Task Category: Logon

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      COMPUTERNAME

Description:

An account failed to log on.

Subject:

              Security ID:                       SYSTEM

              Account Name:               COMPUTERNAME$

              Account Domain:                          WORKGROUP

              Logon ID:                          0x3e7

Logon Type:                                    11

Account For Which Logon Failed:

              Security ID:                       NULL SID

              Account Name:               ADMINNAME (This is my administrator account)

              Account Domain:                          COMPUTERNAME

Failure Information:

              Failure Reason:               An Error occurred during Logon.

              Status:                               0xc000010b

              Sub Status:                       0x0

Process Information:

              Caller Process ID:            0x1cbc

              Caller Process Name:     C:\Windows\System32\consent.exe

 

Network Information:

              Workstation Name:        COMPUTERNAME

              Source Network Address:            ::1

              Source Port:                     0

Detailed Authentication Information:

              Logon Process:                CredPro

              Authentication Package:              Negotiate

              Transited Services:         -

              Package Name (NTLM only):       -

              Key Length:                      0           

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4625</EventID>

    <Version>0</Version>

    <Level>0</Level>

    <Task>12544</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8010000000000000</Keywords>

    <TimeCreated SystemTime="2017-08-21T06:13:44.441422300Z" />

    <EventRecordID>191924</EventRecordID>

    <Correlation />

    <Execution ProcessID="688" ThreadID="2652" />

    <Channel>Security</Channel>

    <Computer>COMPUTERNAME</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="SubjectUserSid">S-1-5-18</Data>

    <Data Name="SubjectUserName">COMPUTERNAME$</Data>

    <Data Name="SubjectDomainName">WORKGROUP</Data>

    <Data Name="SubjectLogonId">0x3e7</Data>

    <Data Name="TargetUserSid">S-1-0-0</Data>

    <Data Name="TargetUserName">ADMINNAME</Data>

    <Data Name="TargetDomainName">COMPUTERNAME</Data>

    <Data Name="Status">0xc000010b</Data>

    <Data Name="FailureReason">%%2304</Data>

    <Data Name="SubStatus">0x0</Data>

    <Data Name="LogonType">11</Data>

    <Data Name="LogonProcessName">CredPro</Data>

    <Data Name="AuthenticationPackageName">Negotiate</Data>

    <Data Name="WorkstationName">COMPUTERNAME</Data>

    <Data Name="TransmittedServices">-</Data>

    <Data Name="LmPackageName">-</Data>

    <Data Name="KeyLength">0</Data>

    <Data Name="ProcessId">0x1cbc</Data>

    <Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>

    <Data Name="IpAddress">::1</Data>

    <Data Name="IpPort">0</Data>

  </EventData>

</Event>

 

END

 

 

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          8/21/2017 1:13:45 AM

Event ID:      4688

Task Category: Process Creation

Level:         Information

Keywords:      Audit Success

User:          N/A

Computer:      COMPUTERNAME

Description:

A new process has been created.

 

Subject:

              Security ID:                       SYSTEM

              Account Name:               COMPUTERNAME$

              Account Domain:                          WORKGROUP

              Logon ID:                          0x3e7

 

Process Information:

              New Process ID:                            0x1fb8

              New Process Name:       C:\Windows\System32\dllhost.exe

              Token Elevation Type:   TokenElevationTypeDefault (1)

              Creator Process ID:        0x340

              Process Command Line:             

 

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

 

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

    <EventID>4688</EventID>

    <Version>1</Version>

    <Level>0</Level>

    <Task>13312</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8020000000000000</Keywords>

    <TimeCreated SystemTime="2017-08-21T06:13:45.481423800Z" />

    <EventRecordID>191930</EventRecordID>

    <Correlation />

    <Execution ProcessID="4" ThreadID="48" />

    <Channel>Security</Channel>

    <Computer>COMPUTERNAME</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="SubjectUserSid">S-1-5-18</Data>

    <Data Name="SubjectUserName">COMPUTERNAME$</Data>

    <Data Name="SubjectDomainName">WORKGROUP</Data>

    <Data Name="SubjectLogonId">0x3e7</Data>

    <Data Name="NewProcessId">0x1fb8</Data>

    <Data Name="NewProcessName">C:\Windows\System32\dllhost.exe</Data> [ Is dllhost.exe a service?]

    <Data Name="TokenElevationType">%%1936</Data>

    <Data Name="ProcessId">0x340</Data>

    <Data Name="CommandLine">

    </Data>

  </EventData>

</Event>

 

END

 

Log Name:      Application

Source:        Microsoft-Windows-Search

Date:          8/15/2017 3:51:59 PM

Event ID:      3036

Task Category: Gatherer

Level:         Warning

Keywords:      Classic

User:          N/A

Computer:      COMPUTERNAME

Description:

The content source <csc://{S-1-5-21-3618591344-3695950669-519290804-1000}/> cannot be accessed.

 

Context:  Application, SystemIndex Catalog

 

Details:

              The object was not found.  (HRESULT : 0x80041201) (0x80041201)

 

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />

    <EventID Qualifiers="32768">3036</EventID>

    <Version>0</Version>

    <Level>3</Level>

    <Task>3</Task>

    <Opcode>0</Opcode>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime="2017-08-15T20:51:59.000000000Z" />

    <EventRecordID>90370</EventRecordID>

    <Correlation />

    <Execution ProcessID="0" ThreadID="0" />

    <Channel>Application</Channel>

    <Computer>COMPUTERNAME</Computer>

    <Security />

  </System>

  <EventData>

    <Data Name="ExtraInfo">

 

Context:  Application, SystemIndex Catalog

 

Details:

              The object was not found.  (HRESULT : 0x80041201) (0x80041201)

</Data>

    <Data Name="URL">csc://{S-1-5-21-3618591344-3695950669-519290804-1000}/</Data> Network Share?

  </EventData>

</Event>

 

 

 

Once again, thank you for your help. I really appreciate it.
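The three events above are easier to reason about once the numeric fields are decoded. The following is an added example written for this page, not code from the thread or from BleepingComputer: it parses the "Event Xml" form of the 4625 and 4688 events exactly as Event Viewer pastes them, names the logon type, the NTSTATUS code and the token elevation type, and answers the first question a defender asks of a failed logon: did it come from the network or from the machine itself? The two sample events are trimmed copies of the ones in the post (COMPUTERNAME and ADMINNAME are the poster's placeholders); the third is a constructed network logon failure from the documentation address 192.0.2.10, added so the contrast is visible. The lookup tables cover only the codes listed; anything else is shown as its raw value.

```python
"""Decode Windows Security events from their 'Event Xml' form.

Added example; it is not code from this thread or from BleepingComputer.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types documented for events 4624/4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# NTSTATUS codes most often seen in the Status/SubStatus fields of 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC000010B: "STATUS_INVALID_LOGON_TYPE",
}
# %%1936..%%1938 are the message ids Event Viewer expands in event 4688.
TOKEN_ELEVATION = {
    "%%1936": "TokenElevationTypeDefault (1)",
    "%%1937": "TokenElevationTypeFull (2)",
    "%%1938": "TokenElevationTypeLimited (3)",
}

# Trimmed copy of the 4625 event pasted in the post (poster's placeholders kept).
SAMPLE_4625 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><Channel>Security</Channel><Computer>COMPUTERNAME</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">COMPUTERNAME$</Data>
<Data Name="TargetUserSid">S-1-0-0</Data><Data Name="TargetUserName">ADMINNAME</Data>
<Data Name="TargetDomainName">COMPUTERNAME</Data><Data Name="Status">0xc000010b</Data>
<Data Name="SubStatus">0x0</Data><Data Name="LogonType">11</Data>
<Data Name="LogonProcessName">CredPro</Data><Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="ProcessId">0x1cbc</Data><Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>
<Data Name="IpAddress">::1</Data><Data Name="IpPort">0</Data>
</EventData></Event>"""

# Trimmed copy of the 4688 event from the post.
SAMPLE_4688 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4688</EventID><Channel>Security</Channel><Computer>COMPUTERNAME</Computer></System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="NewProcessId">0x1fb8</Data>
<Data Name="NewProcessName">C:\Windows\System32\dllhost.exe</Data>
<Data Name="TokenElevationType">%%1936</Data><Data Name="ProcessId">0x340</Data>
<Data Name="CommandLine">
</Data>
</EventData></Event>"""

# Constructed (not from the post): a failed network logon from another host.
SAMPLE_REMOTE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID></System>
<EventData>
<Data Name="TargetUserName">ADMINNAME</Data><Data Name="TargetDomainName">COMPUTERNAME</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data><Data Name="ProcessName">-</Data>
<Data Name="IpAddress">192.0.2.10</Data><Data Name="IpPort">49152</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Return (event_id, {DataName: value}) for one <Event> document."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {}
    for d in root.find("e:EventData", NS):
        data[d.get("Name")] = (d.text or "").strip()  # empty CommandLine -> ""
    return event_id, data


def is_loopback(addr):
    """::1 is the IPv6 loopback address: the request never left the host."""
    return addr in ("::1", "127.0.0.1")


def explain_4625(data):
    status = int(data["Status"], 16)
    sub = int(data.get("SubStatus", "0x0"), 16)
    logon_type = int(data["LogonType"])
    return {
        "account": "%s\\%s" % (data.get("TargetDomainName", ""), data.get("TargetUserName", "")),
        "status": NTSTATUS.get(status, "0x%08X" % status),
        "sub_status": NTSTATUS.get(sub, "0x%08X" % sub),
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "caller": data.get("ProcessName", ""),
        "source": data.get("IpAddress", "-"),
        "local_origin": is_loopback(data.get("IpAddress", "-")),
    }


def triage_4625(data):
    """Coarse first pass; a real review still reads the surrounding events."""
    f = explain_4625(data)
    credential_codes = {"STATUS_LOGON_FAILURE", "STATUS_WRONG_PASSWORD", "STATUS_NO_SUCH_USER"}
    if not f["local_origin"] and {f["status"], f["sub_status"]} & credential_codes:
        return "remote-credential-failure"  # another host tried a password
    if f["local_origin"] and f["caller"].lower().endswith("\\consent.exe"):
        return "local-uac-prompt"  # UAC consent process, loopback source
    return "review"


def explain_4688(data):
    elev = data.get("TokenElevationType", "")
    return {
        "process": data.get("NewProcessName", ""),
        "parent_pid": int(data.get("ProcessId", "0x0"), 16),
        "elevation": TOKEN_ELEVATION.get(elev, elev),
        "command_line": data.get("CommandLine", ""),  # empty unless cmdline auditing is on
    }


if __name__ == "__main__":
    for sample in (SAMPLE_4625, SAMPLE_REMOTE):
        eid, d = parse_event(sample)
        print(eid, explain_4625(d), triage_4625(d))
    print(explain_4688(parse_event(SAMPLE_4688)[1]))
```

Run on the post's own 4625, the decoder reports logon type 11 (CachedInteractive), status STATUS_INVALID_LOGON_TYPE, caller consent.exe and a loopback source: that attempt originated on the PC itself, which is a different thing from the IPv6 the poster saw enabled on the router. The constructed remote sample is what an actual password-guessing attempt from another host records: a non-loopback source address, logon type 3 and a credential status code, and that is the pattern worth escalating.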



#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:40 AM

Posted 21 August 2017 - 10:01 AM

You don't need Java.

Using Java is an unnecessary security risk...especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system. Although Java is commonly used in business, banking, educational environments and many VPN providers still use it, the average user does not need to install Java software. While there are business applications that run on servers and some websites that will not work unless Java is installed, most folks will never encounter them during their daily use of computing. I recommend just uninstalling Java if you don't use it. If you must use Java, many security researchers and computer security organizations caution users to limit their usage and to disable Java Plug-ins or add-ons in your browsers.

If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Krebs On Security: ...Java

To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

US CERT: Disable Java in web browsers

(borrowed from quietman7)

If you find that you need it
https://java.com/en/download/

Oh, and you are welcome!!

Edited by boopme, 21 August 2017 - 10:01 AM.




