Windows 7 Forums

Windows 7: Win Def Offline - no access to results, no log created

06 Nov 2015   #21
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
RecycleBin emptied: 63597 bytes
Process complete!

Total Files Cleaned = 411.00 mb
Looks like TFC got rid of a lot of temporary files!

Run the computer for a bit, then let me know what's going on with it.


07 Nov 2015   #22
UberGoober

Windows 7 Pro 64 bit
 
 

Yep. It appears to me the scum hides a lot of its instructions and net logon info to allow hundreds of connections in there. I'm sure TFC got a bunch I never could see.

Still being redirected in Firefox; wasn't hijacked from IXQuick to another home page, but my settings won't hold.

Logging in to my ISP webmail, these were exposed:

Win Def Offline - no access to results, no log created-pagehijack.png

Hijack.txt

Win Def Offline - no access to results, no log created-r_search_yahoo.png

r.search.yahoo.com.txt

Win Def Offline - no access to results, no log created-twcwebmail.png

I find this folder structure suspect, too.

Win Def Offline - no access to results, no log created-explore.png

Thanks for all your time and effort helping me, Jacee. UG


07 Nov 2015   #23
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Looks like the scan report of that URL shows a malware site. https://www.virustotal.com/en/url/93...cae3/analysis/

Flush the DNS cache and restore MS's Hosts file.

Copy and paste these lines into Notepad.

@Echo on
rem Go to the folder that holds the Hosts file (on the boot drive)
pushd \windows\system32\drivers\etc
rem Clear the hidden, system and read-only attributes so the file can be overwritten
attrib -h -s -r hosts
rem Replace the Hosts file with the single default localhost entry
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
rem Renew the IP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack, then reboot in 1 second
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
rem Delete this batch file
del %0


Save as flush.bat to your desktop.
Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Now look in these browsers and disable any browser add-ons:
How to disable add-ons/extensions in your browser?

Reset your home page.
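Added example, not from this thread or from Jacee: a PowerShell function that lists every Hosts entry other than the default localhost lines, so the redirects a hijacker planted can be recorded before flush.bat overwrites the file. The sample Hosts content and the RFC 5737 test address in it are constructed; the function name is the example's own.

```powershell
# Added example (not part of the thread). Lists Hosts entries that are not the
# stock localhost lines, so you keep a record of what was redirected before
# flush.bat replaces the file. Works on PowerShell 2.0 (Windows 7 default).
function Get-SuspiciousHostsEntries {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    # The only mappings a clean Windows Hosts file should carry.
    $expected = @('127.0.0.1 localhost', '::1 localhost')
    Get-Content -Path $Path | ForEach-Object {
        $raw  = $_
        $line = ($raw -replace '#.*$', '').Trim()    # drop comments
        if ($line -eq '') { return }                  # blank or comment-only line
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }            # malformed: address with no name
        $ip = $parts[0]
        # One address can map several names on a single line; report each.
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($expected -notcontains "$ip $name") {
                New-Object PSObject -Property @{
                    Address  = $ip
                    HostName = $name
                    Line     = $raw
                }
            }
        }
    }
}

# Constructed sample written to a temp file so the check can be shown offline.
$sample = @"
# Copyright (c) 1993-2009 Microsoft Corp.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 localhost
198.51.100.23 www.example.com   # constructed: RFC 5737 test address
198.51.100.23 mail.example.net example-bank.test
"@
$tmp = Join-Path $env:TEMP 'hosts-sample.txt'
Set-Content -Path $tmp -Value $sample
# Expected: three rows, all pointing at 198.51.100.23; the localhost line is not reported.
Get-SuspiciousHostsEntries -Path $tmp | Format-Table Address, HostName -AutoSize

# On the real machine, run it with no arguments before executing flush.bat:
#   Get-SuspiciousHostsEntries
```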

08 Nov 2015   #24
UberGoober

Windows 7 Pro 64 bit
 
 

Thanks, Jacee

Ran the batch file. Mozilla seems OK. Should I accept version 42 I'm being offered?

IE is still under the control of the malware, I think.

Win Def Offline - no access to results, no log created-ie_noremove.png

Win Def Offline - no access to results, no log created-ie_noremove2.png

Win Def Offline - no access to results, no log created-bingie_noremove.png


08 Nov 2015   #25
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Updating Java:
  • Download the latest version of Java SE Runtime Environment 8 - Downloads.
  • Scroll down to where it says "Java Runtime Environment (JRE) 8u66 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Programs and Features, and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on
    Windows x64 54.38 MB jre-8u66-windows-x64.exe to install the newest version.
You need to read this about enabling the Java SSV plug-in: Tech ARP - ED#143 : Java Plug-In SSV Helper - Should It Stay Or Should It Go? Rev. 3.0
08 Nov 2015   #26
UberGoober

Windows 7 Pro 64 bit
 
 

Before I follow your instructions, I'd like to make sure the malware isn't messing in our business.

The page with the article keeps trying to redirect, but Firefox doesn't allow it. The Java page doesn't match your description. Is this what you saw?
Win Def Offline - no access to results, no log created-javasnip.png

Here are the settings I see in Firefox now for plug-ins. There's nothing in Extensions, Appearance or Services.
Win Def Offline - no access to results, no log created-addons.png

I wonder if the SSV architecture is 32-bit because the OS of the VM the malware installed in my C: partition is XP. It's controlled from a remote server, so they might need the Java stuff. I certainly don't want any Browser Helper Objects.

Should I uninstall Java 6 Update 65, reboot and reinstall it? That's the only Java thing in Add/Remove Programs.

Do you recommend having JRE anyway?

Thanks, UG


08 Nov 2015   #27
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote:
I wonder if the SSV architecture is 32-bit because the OS of the VM the malware installed in my C: partition is XP. It's controlled from a remote server, so they might need the Java stuff. I certainly don't want any Browser Helper Objects.

Should I uninstall Java 6 Update 65, reboot and reinstall it? That's the only Java thing in Add/Remove Programs.
Please forgive me, but I don't understand/follow what you're saying.
Are you double booting both Windows 7 Pro (x64) and Windows XP (x32)? I'm not sure how that's possible.

Java 6 Update 65 is way, way out of date!
09 Nov 2015   #28
UberGoober

Windows 7 Pro 64 bit
 
 

Oh, boy, did I mess that up! And hit "submit" without checking it over well.

Mis-typed Java "6" - should be "8". Installed 11/3.
Attachment 375474

As the article you linked to said, these Java SSV Browser Helper Objects are automatically included with the Java updates so network administrators in domains using old Java applications can easily change all domain computers' Java settings with one click. I just remove them (don't always remember to immediately.)

The SSV BHOs were removable in Firefox, but not IE, where the option is greyed out. I think this is malware behavior.
Attachment 375475

Here are 4 blog posts at InfoSec describing mechanisms this malware uses for stealth and persistence. I've seen symptoms of each. I don't feel competent to follow their procedures, though.

Part 1 File Associations Hijacking and BITS Backdoor
Part 2 Program.exe and Service Failure Recovery Startups
Part 3 Service Triggers based on ETW and Attach a debugger with ImageFileExecutionOptions
Part 4 Winlogon Events and Scheduled Tasks

So...

I bought this PC refurbished. It had only the 100MB "System Reserved" Partition and W7 Pro on the rest of the HDD. I never set up a virtual machine or drive on it. I never added another OS to dual boot.

My local tech said that Time Warner Cable's redirect (when you mistype a URL and it takes you to their website) leaves open a backdoor vulnerability that was exploited by the malware I have now. It locked me out of my modem with a new password, reconfigured it to allow hundreds of remote users to connect, messed with IP addresses and DHCP.

The first symptom was a glitchy mouse - I actually threw away a perfectly good USB optical mouse. PS/2 drivers had been substituted within the USB serial bus controllers somehow. I physically removed the serial adapter and uninstalled it, but it's still listed in device manager as active and working fine!

Long story shorter (but not much, I'm afraid), I DBANed the HDD since a W7Pro disc came with the PC. Then I booted without any disc or USB device. The PC booted to "X:/v::", Windows XP Pro on a hidden, virtual HDD (not just a hidden partition within C!).

This XP installation is SYSTEM, Trusted Installer, etc. It wouldn't let me do anything to it without being an Authenticated User, the Group that's allowed remote access to take every document, piece of media, and visited webpage on my PC.

I reinstalled clean from my W7Pro disc to get online to research the problem. The virtual drive was obviously still in control. I couldn't override it with the hidden admin account turned on through lusrmgr.msc command.

Later I tried booting from a 2000 Pro disc to get low-level format. The malware simply installed its cached altered version of my W7 Pro! The DVD drive whirred - I think they were copying it. Certainly 2000 didn't become available. Same with Vista Business and XP Pro. Tried Ubuntu - it appeared to begin installation, but some fake "fatal error" forced a reboot.

Every boot, whether a cable is connected to the modem or not, is PXE through HP (was Intel, but they changed it when I tried HP Support) Boot Agent. I'm locked out of BIOS setup (the HP procedure to clear CMOS and passwords doesn't work). Of course there are lots more symptoms I won't go into here.

This is why I keep asking (in several other posts/threads) if there's another way to wipe the whole HDD while this VM is hiding on it.

I realize this is intensive and time-consuming, Jacee. I can't tell you how much I appreciate the attention you've been able to give this. Hope I've cleared up the confusion.

Thanks much, UG

UH-oh!!! Look at the "do" in the URL for the page I'm on...
http://www.sevenforums.com/newreply.php?do=newreply&noquote=1&p=3172809
It shows up in hijacked page URLs I get sent to. I'm showing as logged in on this page, but it sent me to the login page when I pressed "Submit Reply".

09 Nov 2015   #29
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

I think you should talk to the person you bought the computer from. The one who refurbished it should have an idea as to whether it was updated from Windows XP to Windows 7 Pro, and what media they used.
09 Nov 2015   #30
UberGoober

Windows 7 Pro 64 bit
 
 

I bought it through Newegg, refurbished by Joy Systems. The old HP sticker is Windows 7 so it came with that, and Joy had to change the license # "For Authentication Only."

Sub Virt is probably what's controlling my PC, Jacee.

U.Mich and Microsoft Research published a paper about it in 2006. (web.eecs.umich.edu/virtual/papers/king06.pdf) Here's a simple description:
Win Def Offline - no access to results, no log created-vmmalware.png

Does Microsoft have any solutions yet? If I could break the VM's armor that keeps disk wipers from removing it, that should do the trick, huh? Know of anything?

Thanks again! UG

