Win Def Offline - no access to results, no log created

Page 3 of 6

  1. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #21

    RecycleBin emptied: 63597 bytes
    Process complete!

    Total Files Cleaned = 411.00 mb
    Looks like TFC got rid of a lot of temporary files!

    Run the computer for a bit, then let me know what's going on with it.


  2. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #22

    Yep. It appears to me the scum hides a lot of its instructions and net logon info to allow hundreds of connections in there. I'm sure TFC got a bunch I never could see.

    Still being redirected in Firefox; wasn't hijacked from IXQuick to another home page, but my settings won't hold.

    Logging in to my ISP webmail, these were exposed:

    Win Def Offline - no access to results, no log created-pagehijack.png

    Hijack.txt

    Win Def Offline - no access to results, no log created-r_search_yahoo.png

    r.search.yahoo.com.txt

    Win Def Offline - no access to results, no log created-twcwebmail.png

    I find this folder structure suspect, too.

    Win Def Offline - no access to results, no log created-explore.png

    Thanks for all your time and effort helping me, Jacee. UG
    Last edited by UberGoober; 07 Nov 2015 at 10:17. Reason: forgot folder image


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #23

    Looks like the scan report of that URL shows a malware site. https://www.virustotal.com/en/url/93...cae3/analysis/

    Flush the DNS cache and restore MS's Hosts file.

    Copy and paste these lines in Notepad.

    @Echo on
    rem Restore Microsoft's default hosts file (malware often rewrites it)
    pushd \windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    rem Renew the lease, flush cached DNS answers and reset the network stack
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    rem Reboot, then delete this batch file
    shutdown -r -t 1
    del %0


    Save as flush.bat to your desktop.
    Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

    Now look in these browsers and disable any browser add-ons:
    How to disable add-ons/extensions in your browser?

    Reset your home page.
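    The batch file above overwrites the hosts file without showing what was in it. The following Python script is an added example (not from this thread or its participants) that audits the hosts file text first, so a redirect or a blocked security/update site is recorded before it is wiped. The hosts content, the TEST-NET address and the watch list of protected domain suffixes are constructed for the example; adjust the list to the sites you care about.

```python
"""Audit Windows hosts-file text for hijack-style entries before it is reset.

Added example, not code from the thread. Two patterns are flagged:
  * redirect: a public hostname pinned to a non-loopback address
  * block:    a non-local hostname sinkholed to 127.0.0.1 / 0.0.0.0 / ::1
"""
import ipaddress
from dataclasses import dataclass

# Names a default Windows hosts file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Constructed watch list (assumption): sites whose blocking is a strong signal.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "virustotal.com",
                      "malwarebytes.com", "mozilla.org")

# Constructed sample resembling a tampered Windows 7 hosts file.
# 203.0.113.0/24 is a documentation range, so the "redirect" target is fictitious.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1\tlocalhost
203.0.113.45\tixquick.com www.ixquick.com
127.0.0.1\tdownload.microsoft.com
0.0.0.0\twww.virustotal.com
"""


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    kind: str          # "redirect", "block" or "unparseable"
    note: str = ""     # extra context, e.g. protected site


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()                   # tabs and spaces both separate fields
        if len(parts) < 2:
            continue
        yield n, parts[0], parts[1:]


def audit_hosts(text):
    """Return a list of Finding objects for suspicious entries, in file order."""
    findings = []
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(n, addr, " ".join(names), "unparseable"))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            lname = name.lower().rstrip(".")
            if local and lname in LOCAL_NAMES:
                continue                        # the only mapping a clean file carries
            if local:
                kind = "block"                  # site made unreachable via hosts
                note = " (protected site)" if lname.endswith(PROTECTED_SUFFIXES) else ""
            else:
                kind = "redirect"               # classic hosts-file hijack
                note = ""
            findings.append(Finding(n, addr, name, kind, note))
    return findings


def summarize(text):
    """Count findings by kind, e.g. {'redirect': 2, 'block': 2}."""
    counts = {}
    for f in audit_hosts(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def report(text):
    """Human-readable listing, one line per finding."""
    return "\n".join(
        f"line {f.line_no}: {f.kind:11} {f.address} -> {f.hostname}{f.note}"
        for f in audit_hosts(text)
    )


if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead of the sample.
    print(report(SAMPLE_HOSTS) or "no suspicious entries")
```

    Run it against a copy of the real file before flush.bat so the redirect targets end up in your notes; the "block (protected site)" lines are the ones that explain why updates or scanners could not reach their servers.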


  4. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #24

    Thanks, Jacee

    Ran the batch file. Mozilla seems OK. Should I accept version 42 I'm being offered?

    IE is still under the control of the malware, I think.

    Win Def Offline - no access to results, no log created-ie_noremove.png

    Win Def Offline - no access to results, no log created-ie_noremove2.png

    Win Def Offline - no access to results, no log created-bingie_noremove.png


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #25

    Updating Java:
    • Download the latest version of Java SE Runtime Environment 8 - Downloads.
    • Scroll down to where it says "Java Runtime Environment (JRE) 8u66 allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Programs and Features, and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on
      Windows x64 54.38 MB jre-8u66-windows-x64.exe to install the newest version.

    You need to read this about enabling the Java SSV plug-in: Tech ARP - ED#143 : Java Plug-In SSV Helper - Should It Stay Or Should It Go? Rev. 3.0


  6. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #26

    Before I follow your instructions, I'd like to make sure the malware isn't messing in our business.

    The page with the article keeps trying to redirect, but Firefox doesn't allow it. The Java page doesn't match your description. Is this what you saw?
    Win Def Offline - no access to results, no log created-javasnip.png

    Here are the settings I see in Firefox now for plug-ins. There's nothing in Extensions, Appearance or Services.
    Win Def Offline - no access to results, no log created-addons.png

    I wonder if the SSV architecture is 32-bit because the OS of the VM the malware installed in my C: partition is XP. It's controlled from a remote server, so they might need the Java stuff. I certainly don't want any Browser Helper Objects.

    Should I uninstall Java 6 Update 65, reboot and reinstall it? That's the only Java thing in Add/Remove Programs.

    Do you recommend having JRE anyway?

    Thanks, UG


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #27

    I wonder if the SSV architecture is 32-bit because the OS of the VM the malware installed in my C: partition is XP. It's controlled from a remote server, so they might need the Java stuff. I certainly don't want any Browser Helper Objects.

    Should I uninstall Java 6 Update 65, reboot and reinstall it? That's the only Java thing in Add/Remove Programs.

    Please forgive me, but I don't understand/follow what you're saying.
    Are you double booting both Windows 7 Pro (X64) and Windows XP (X32)? I'm not sure how that's possible.

    Java 6 Update 65 is way, way out of date!


  8. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #28

    Oh, boy, did I mess that up! And hit "submit" without checking it over well.

    Mis-typed Java "6" - should be "8". Installed 11/3.
    Attachment 375474

    As the article you linked to said, these Java SSV Browser Helper Objects are automatically included with the Java updates so network administrators in domains using old Java applications can easily change all domain computers' Java settings with one click. I just remove them (don't always remember to immediately.)

    The SSV BHOs were removable in Firefox, but not IE, where the option is greyed out. I think this is malware behavior.
    Attachment 375475

    Here are 4 blog posts at InfoSec describing mechanisms this malware uses for stealth and persistence. I've seen symptoms of each. I don't feel competent to follow their procedures, though.

    Part 1 File Associations Hijacking and BITS Backdoor
    Part 2 Program.exe and Service Failure Recovery Startups
    Part 3 Service Triggers based on ETW and Attach a debugger with ImageFileExecutionOptions
    Part 4 Winlogon Events and Scheduled Tasks

    So...

    I bought this PC refurbished. It had only the 100MB "System Reserved" Partition and W7 Pro on the rest of the HDD. I never set up a virtual machine or drive on it. I never added another OS to dual boot.

    My local tech said that Time Warner Cable's redirect (when you mistype a URL and it takes you to their website) leaves open a backdoor vulnerability that was exploited by the malware I have now. It locked me out of my modem with a new password, reconfigured it to allow hundreds of remote users to connect, messed with IP addresses and DHCP.

    The first symptom was a glitchy mouse - I actually threw away a perfectly good USB optical mouse. PS/2 drivers had been substituted within the USB serial bus controllers somehow. I physically removed the serial adapter and uninstalled it, but it's still listed in device manager as active and working fine!

    Long story shorter (but not much, I'm afraid), I DBANed the HDD since a W7Pro disc came with the PC. Then I booted without any disc or USB device. The PC booted to "X:/v::", Windows XP Pro on a hidden, virtual HDD (not just a hidden partition within C:)!

    This XP installation is SYSTEM, Trusted Installer, etc. It wouldn't let me do anything to it without being an Authenticated User, the Group that's allowed remote access to take every document, piece of media, and visited webpage on my PC.

    I reinstalled clean from my W7Pro disc to get online to research the problem. The virtual drive was obviously still in control. I couldn't override it with the hidden admin account turned on through lusrmgr.msc command.

    Later I tried booting from a 2000 Pro disc to get low-level format. The malware simply installed its cached altered version of my W7 Pro! The DVD drive whirred - I think they were copying it. Certainly 2000 didn't become available. Same with Vista Business and XP Pro. Tried Ubuntu - it appeared to begin installation, but some fake "fatal error" forced a reboot.

    Every boot, whether a cable is connected to the modem or not, is PXE through HP (was Intel, but they changed it when I tried HP Support) Boot Agent. I'm locked out of BIOS setup (the HP procedure to clear CMOS and passwords doesn't work). Of course there are lots more symptoms I won't go into here.

    This is why I keep asking (in several other posts/threads) if there's another way to wipe the whole HDD while this VM is hiding on it.

    I realize this is intensive and time-consuming, Jacee. I can't tell you how much I appreciate the attention you've been able to give this. Hope I've cleared up the confusion.

    Thanks much, UG

    UH-oh!!! Look at the "do" in the URL for the page I'm on...
    https://www.sevenforums.com/newreply.php?do=newreply&noquote=1&p=3172809
    It shows up in hijacked page URLs I get sent to. I'm showing as logged in on this page, but it sent me to the login page when I pressed "Submit Reply".



  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #29

    I think you should talk to the person you bought the computer from. The one who refurbished it should have an idea as to whether it was updated from Windows XP to Windows 7 Pro, and what media they used.


  10. Posts : 44
    Windows 7 Pro 64 bit
    Thread Starter
       #30

    I bought it through Newegg, refurbished by Joy Systems. The old HP sticker is Windows 7 so it came with that, and Joy had to change the license # "For Authentication Only."

    SubVirt is probably what's controlling my PC, Jacee.

    U.Mich and Microsoft Research published a paper about it in 2006. (web.eecs.umich.edu/virtual/papers/king06.pdf) Here's a simple description:
    Win Def Offline - no access to results, no log created-vmmalware.png

    Does Microsoft have any solutions yet? If I could break the VM's armor that keeps disk wipers from removing it, that should do the trick, huh? Know of anything?

    Thanks again! UG


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd