Windows 7: After MSE removed virus have unusual log messages


06 Oct 2012   #1

Windows 7 Pro x64

A few days ago I had trouble with backup, and it was due to an infected file which quick scans and real time protection had not picked up. I ran a full scan with MSE and removed it (Exploit:Java/CVE-2012-1723.AQQ).

I've noticed some unusual entries in the log and wonder if the virus has not been removed. More details:

I notice now each time I boot up, the following appears:

Log Name: System
Source: Microsoft Antimalware
Date: 7/10/2012 8:55:11 a.m.
Event ID: 3007
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Bill-PC
Description:
Microsoft Antimalware Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
Feature: Network Inspection System
Reason: Real-time protection has recovered from an unknown failure. It is recommended that you run a quick scan.

Quick scan finds nothing.

Also after the last MSE update, I found this in the same log

Log Name: System
Source: Microsoft Antimalware
Date: 6/10/2012 11:35:58 p.m.
Event ID: 5007
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Bill-PC
Description:
Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\TemporaryPaths\\\?\C:\Users\Bill\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\60e9d0b7-3a1207a1 = 0x5A
New value:

This is referring to where it found the virus. Had the virus set up that exclusion, and now MSE 'realized' this and removed it?

Also my machine has regularly displayed this error in the administrative log (source: Kernel-EventTracing, event ID 3):
Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D

Thanks.


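The question in the first post (did something plant that exclusion, and what else has changed?) can be checked directly. The PowerShell below is an added example, not from the thread or from Microsoft; it assumes the 'Microsoft Antimalware' event source and the Exclusions registry key exactly as quoted in the post, and reports the current exclusions plus the 5007/3007 events with the Old/New values parsed out.

```powershell
# Added example: audit MSE exclusion settings and the System-log events
# that record changes to them. Assumes the 'Microsoft Antimalware' event
# source and the Exclusions key quoted in the thread (not verified here).
$exclRoot = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions'

# 1. Enumerate every configured exclusion (Paths, Extensions, Processes,
#    TemporaryPaths). Each registry value name is the excluded item.
function Get-MseExclusions {
    if (-not (Test-Path $exclRoot)) { return @() }
    Get-ChildItem -Path $exclRoot | ForEach-Object {
        $key = $_
        $key.GetValueNames() | ForEach-Object {
            [pscustomobject]@{
                Type  = $key.PSChildName
                Item  = $_
                Value = $key.GetValue($_)
                # Exclusions inside per-user temp/cache folders deserve a second look,
                # since that is where the thread's infected Java cache file lived.
                Suspicious = $_ -match '\\AppData\\|\\Temp\\|\\Java\\Deployment\\cache\\'
            }
        }
    }
}

# 2. Pull configuration-change (5007) and feature-restart (3007) events and
#    parse the 'Old value:' / 'New value:' lines out of each 5007 message.
function Get-MseConfigEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'
        Id           = 3007, 5007
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $old = $new = $null
        if ($_.Id -eq 5007 -and $_.Message -match 'Old value:\s*(.*?)\r?\nNew value:\s*(.*)') {
            $old = $Matches[1].Trim()
            $new = $Matches[2].Trim()
        }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; OldValue = $old; NewValue = $new }
    }
}

Get-MseExclusions   | Format-Table -AutoSize
Get-MseConfigEvents | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a 5007 event whose OldValue names an exclusion you never configured is the thing to follow up, and a recurring 3007 with no matching 5007 points at the Network Inspection System component itself rather than at settings tampering.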

06 Oct 2012   #2

64-Bit W7 Ult_sp1

- try this:
What is Windows Defender Offline?

NB. read the instructions carefully..

I did the full scan after pulling the plug on the internet, and booting in safe mode..
seems to work really well, it takes quite a while to do the scouring, so be patient..

it sounds as though it's one of those "drive-by" trojans, they often compromise your AV/Firewall settings,
- so get those repaired, as soon as you've removed all traces of the trojan's dropper..
07 Oct 2012   #3

Windows 7 Pro x64

Hi BugMeister, I created a Windows Defender Offline CD using my XP machine, which has had a clean scan. I used it to scan my Win 7 machine which had the problem. I had the Win 7 machine disconnected from the internet while I did this, but was given no option to boot from the CD in safe mode; in fact Windows Defender Offline gave me no options, and ran a quick scan automatically. I then ran a full scan using it. Both report a clean machine.

However I'm still getting message ID 3007 and ID 3 as I first mentioned.

How do I check and repair AV/Firewall settings? (Windows Firewall and MSE).

Thanks.
PS - I uploaded MSE again from Microsoft, and reinstalled it. Still getting the same messages. Also a few times now after doing the Windows Defender scan, my machine goes in slow motion. If I reboot, it comes right again.
PPS - I ran sfc /scannow at a command prompt boot from the tutorial, and got "windows resource protection did not find any integrity violations".


08 Oct 2012   #4

64-Bit W7 Ult_sp1

- did you set up the PC to boot from the CD..?
- it's a BIOS setting - check your motherboard manual for instructions

- leave the CD in the machine during the boot-up process, and it will start its scan automatically..

- when the full scan is finished - it takes a while to complete - you can re-set the Boot option to run from the Hard drive as normal..

- patience is the key - so make a cup of tea while it does its scouring operation..
08 Oct 2012   #5

Windows 7 Ult. x64 Windows 8.1 x64

It looks likely that you have a Java exploit, related to an old version of Java not being updated:

The rise of a new Java vulnerability - CVE-2012-1723 - Microsoft Malware Protection Center - Site Home - TechNet Blogs

After the scan recommended by BugMeister, you should completely uninstall all versions of Java, and consider leaving it off your system if you don't need it.

Regards,
Golden
08 Oct 2012   #6

Windows 7 Ultimate 32bit SP1

Clean up the Java infection: download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

After rebooting, update Java:

  • Download the latest version of Java Runtime Environment (JRE) 7u7.
    Java SE Downloads
  • Scroll over to the right (JRE)
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u7-windows-i586-p.exe to install the newest version.
08 Oct 2012   #7

Windows 7 Pro x64

Quote: Originally Posted by BugMeister
- did you set up the PC to boot from the CD..?
- it's a BIOS setting - check your motherboard manual for instructions

- leave the CD in the machine during the boot-up process, and it will start its scan automatically..

- when the full scan is finished - it takes a while to complete - you can re-set the Boot option to run from the Hard drive as normal..

- patience is the key - so make a cup of tea while it does its scouring operation..
Hi BugMeister, yes, Windows Defender Offline booted and ran from the CD. (My comment was that I couldn't boot from the CD in safe mode, but my understanding of Windows Defender Offline is that it runs before Windows boots up.) I used F12 and selected the CD/DVD drive to boot from; the scan did start immediately, but it was a quick scan which didn't take long. That evening I repeated the procedure, but when the quick scan started I stopped it and selected full scan. Then went to bed! In the morning it reported no problems. Yet I'm still getting the information message ID 3007.
08 Oct 2012   #8

Windows 7 Pro x64

Thanks Golden and Jacee. Yes, I realized I was hit by the Java exploit CVE-2012-1723. I ran TFC and I've uninstalled the Java that showed as installed in the Control Panel (Java 1.7.0_07 and JavaFX 2.1.1).

I'm still getting message ID 3007 from the antimalware log. And also the machine now seems to take a longer time to shut down.

Before I uninstalled I looked at the Java control panel - it only showed the one JRE, but when I searched for more JREs it found one in MATLAB. MATLAB documentation says it comes with its own JVM and that it may not work with another version, so I've left that on the machine.
1.6 1.6.0 http://java.sun.com/products/autodl/j2se C:\Program Files\MATLAB\R2007b\uninstall\java\jre\win64\jre\bin\javaw.exe
1.6 1.6.0 http://java.sun.com/products/autodl/j2se C:\Program Files\MATLAB\R2007b\sys\java\jre\win64\jre1.6.0\bin\javaw.exe
09 Oct 2012   #9

Windows 7 Ultimate 32bit SP1

Scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
09 Oct 2012   #10

Windows 7 Pro x64

Hi Jacee, I ran ESET as you suggested, scanning the archives. It scanned C: and D: (my USB drives used for backups, X: and W:, were not plugged in). It reports no problems. When it installed it said it detected MSE and this might affect the ability to scan, but I didn't want to uninstall MSE.

Before I got your post, I had downloaded the Windows Performance Toolkit and used it to look at boot and shutdown performance (as in a tutorial on this site). I noticed a large amount of time was taken accessing my USB backup drive W:. My machine would not let me remove it, saying it was in use by another program, but after that the boot-up and shutdown times went back to normal.

After shutdown, I unplugged it. The boot/shutdown times are still normal. This is when I ran ESET and it gives the all clear. However I'm still getting the information message ID 3007.