New 0-day exploit rises dramatically

Discussion in 'ESET Smart Security' started by w00oo007, Jan 10, 2013.

Thread Status:
Not open for further replies.
  1. w00oo007

    w00oo007 Registered Member

    Joined:
    Jan 10, 2013
    Posts:
    2
    Hi,

    right now the news is covering the rise of a new 0-day exploit:
    http://www.net-security.org/secworld.php?id=14216
    http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/

    Unfortunately, on Tuesday I visited a corrupted website and my PC got infected.
    I'm running Smart Security - always updated. It detected the threat, the red notification window of Smart Security in the right corner popped up and immediately (about half a second) later my PC crashed totally with a grey screen and I had to manually hard-reboot it.

    When I did an in-depth scan of my whole computer right after that, Smart Security told me it found about 8 threats, which were some kinds of trojans etc. in the Java temp and bin folders.
    I told Smart Security to clean them all - and it told me it did... o_O
    After a reboot I ran the same in-depth scan again and OF COURSE Smart Security found different threats in different locations again... :oops:

    So please tell me - is the updated Smart Security vers. 5 able to REALLY clean the threats which come with that exploit, or should I format everything for security reasons? (online banking etc....)
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It would help if you post the appropriate records from your Threat log. Also make sure that:
    - your ESS has been updating properly
    - all modules are enabled (especially real-time and web protection)
    - startup scan tasks are enabled in Scheduler
     
  3. w00oo007

    w00oo007 Registered Member

    Joined:
    Jan 10, 2013
    Posts:
    2
    :thumb:
    :thumb:
    :thumb:

    Everything double-checked, but it's not a surprise - the setting is on max all the time...

    The records:

    Code:
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\swapfile.sys - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.log - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.log - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\pk\NTUSER.DAT - error opening [4]
    C:\Users\pk\ntuser.dat.LOG1 - error opening [4]
    C:\Users\pk\ntuser.dat.LOG2 - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmp - error opening [4]
    C:\Users\pk\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe » CAB » jusched - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\30099957-6a246c6d » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-5076.AD trojan
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\30099957-6a246c6d » ZIP » test.class - a variant of Java/Exploit.Agent.NEE trojan
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\1568f805-3e6faf81 » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-5076.AD trojan
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\1568f805-3e6faf81 » ZIP » test.class - a variant of Java/Exploit.Agent.NEE trojan
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\1c6aa8b3-646e88dd » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-5076.AD trojan
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\1c6aa8b3-646e88dd » ZIP » test.class - a variant of Java/Exploit.Agent.NEE trojan
    C:\Windows\AppCompat\Programs\Amcache.hve - error opening [4]
    C:\Windows\AppCompat\Programs\Amcache.hve.LOG1 - error opening [4]
    C:\Windows\AppCompat\Programs\Amcache.hve.LOG2 - error opening [4]
    C:\Windows\Installer\7e320.msi » MSI » libreoffice1.cab » CAB » template7.bau » ZIP » +BBcEEQ-1+BCE-/Pictures/2000001B00000CD200000CED63AA5866.svm - incorrect CRC checksum, the file may be damaged
    C:\Windows\Installer\7e320.msi » MSI » libreoffice1.cab » CAB » template7.bau » ZIP » +BBcEEQQU-/Pictures/2000001B00000CD200000CED63AA5866.svm - incorrect CRC checksum, the file may be damaged
    C:\Windows\Installer\7e320.msi » MSI » libreoffice1.cab » CAB » template7.bau » ZIP » +BBcEEQ-/Pictures/2000001B00000CD200000CED63AA5866.svm - incorrect CRC checksum, the file may be damaged
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\SoftwareDistribution\Download\13c119a7abe90292690371dc32ee7aa8\adc6c2bd94f86be85509a9cc918425d10de01826_4 » ZIP » AppConfiguration.xml - error - unknown compression method 
    C:\Windows\SoftwareDistribution\Download\13c119a7abe90292690371dc32ee7aa8\adc6c2bd94f86be85509a9cc918425d10de01826_4 » ZIP »  - archive damaged
    C:\Windows\SoftwareDistribution\Download\1dae8fa9e52d371fdd232d4750da696d\10e4bffc9ebd15df5154791c8a6f81d9b01aa5fe_2 » ZIP » mslogo24x24.png - error reading archive
    C:\Windows\SoftwareDistribution\Download\3f155605e1bcdcb5ec5816304a7a93be\95537bbd671d7236f1f4c60f3116910bbb94f4a9_2 » ZIP » mslogo24x24.png - error reading archive
    '\AppData\Local\Mozilla\Firefox\Profiles\8j8bvguo.default\Cache\3\E8\D086Fd01 » CWS » file.swf - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » jusched - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe » CAB » jusched - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe » CAB » jusched - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\30099957-6a246c6d » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-5076.AD trojan - was a part of the deleted object
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\30099957-6a246c6d » ZIP » test.class - a variant of Java/Exploit.Agent.NEE trojan - was a part of the deleted object
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\1568f805-3e6faf81 » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-5076.AD trojan - was a part of the deleted object
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\1568f805-3e6faf81 » ZIP » test.class - a variant of Java/Exploit.Agent.NEE trojan - was a part of the deleted object
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\1c6aa8b3-646e88dd » ZIP » hw.class - a variant of Java/Exploit.CVE-2012-5076.AD trojan - was a part of the deleted object
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\1c6aa8b3-646e88dd » ZIP » test.class - a variant of Java/Exploit.Agent.NEE trojan - was a part of the deleted object
    also:
    Code:
    Scan Log
    Version of virus signature database: 7874 (20130109)
    Date: 09.01.2013  Time: 10:34:24
    Scanned disks, folders and files: Operating memory;Boot sector;C:\Boot sector;C:\;D:\Boot sector;D:\;F:\Boot sector;F:\
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\swapfile.sys - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.log - error opening [4]
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.log - error opening [4]
    C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb - error opening [4]
    C:\Users\pk\NTUSER.DAT - error opening [4]
    C:\Users\pk\ntuser.dat.LOG1 - error opening [4]
    C:\Users\pk\ntuser.dat.LOG2 - error opening [4]
    C:\Users\pk\wgsdgsdgdsgsd.dll - a variant of Win32/Kryptik.ARUD trojan - cleaned by deleting - quarantined [1]
    C:\Users\pk\AppData\Local\Microsoft\Windows\UsrClass.dat - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - error opening [4]
    C:\Users\pk\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmp - error opening [4]
    C:\Users\pk\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe » CAB » jusched - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    C:\Users\pk\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\c7d81c-7e996c16 - a variant of Win32/Kryptik.ARUD trojan - cleaned by deleting - quarantined [1]
    C:\Windows\Installer\7e320.msi » MSI » libreoffice1.cab » CAB » template7.bau » ZIP » +BBcEEQ-1+BCE-/Pictures/2000001B00000CD200000CED63AA5866.svm - incorrect CRC checksum, the file may be damaged
    C:\Windows\Installer\7e320.msi » MSI » libreoffice1.cab » CAB » template7.bau » ZIP » +BBcEEQQU-/Pictures/2000001B00000CD200000CED63AA5866.svm - incorrect CRC checksum, the file may be damaged
    C:\Windows\Installer\7e320.msi » MSI » libreoffice1.cab » CAB » template7.bau » ZIP » +BBcEEQ-/Pictures/2000001B00000CD200000CED63AA5866.svm - incorrect CRC checksum, the file may be damaged
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 - error opening [4]
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 - error opening [4]
    C:\Windows\SoftwareDistribution\Download\13c119a7abe90292690371dc32ee7aa8\adc6c2bd94f86be85509a9cc918425d10de01826_4 » ZIP » AppConfiguration.xml - error - unknown compression method 
    C:\Windows\SoftwareDistribution\Download\13c119a7abe90292690371dc32ee7aa8\adc6c2bd94f86be85509a9cc918425d10de01826_4 » ZIP »  - archive damaged
    C:\Windows\SoftwareDistribution\Download\1dae8fa9e52d371fdd232d4750da696d\10e4bffc9ebd15df5154791c8a6f81d9b01aa5fe_2 » ZIP » mslogo24x24.png - error reading archive
    C:\Windows\SoftwareDistribution\Download\3f155605e1bcdcb5ec5816304a7a93be\95537bbd671d7236f1f4c60f3116910bbb94f4a9_2 » ZIP » mslogo24x24.png - error reading archive
    '\AppData\Local\Mozilla\Firefox\Profiles\8j8bvguo.default\Cache\3\E8\D086Fd01 » CWS » file.swf - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » jusched - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe » CAB » jusched - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe » CAB » jusched - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe » CAB » task.xml - archive damaged - the file could not be extracted.
    '\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe » CAB » task64.xml - archive damaged - the file could not be extracted.
    '\AppData\Roaming\Thunderbird\Profiles\nyvw90ke.default\Mail\pop.googlemail.com\Inbox » MBOX » mail073.eml » MIME » part000.htm - error reading archive
    '\AppData\Roaming\Thunderbird\Profiles\nyvw90ke.default\Mail\pop.googlemail.com\Trash » MBOX » mail085.eml » MIME » part000.htm - error reading archive
    Boot sector of disk F: - error opening [4]
    F:\ - error opening [4]
    Number of scanned objects: 558026
    Number of threats found: 2
    Number of cleaned objects: 2
    Time of completion: 10:59:26  Total scanning time: 1502 sec (00:25:02)
    
    Notes:
    [1] Object has been deleted as it only contained the virus body.
    [4] Object cannot be opened. It may be in use by another application or operating system.
    last but not least - the most frightening part:
    Code:
    09.01.2013 03:10:09	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:09	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:08	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:07	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:07	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:06	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:06	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:05	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:04	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:04	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:03	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:02	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:02	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:01	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:01	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:10:00	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:09:59	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:09:59	Real-time file system protection	file	C:\PROGRA~3\dsgsdgdsgdsgw.js	JS/Agent.NID trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.
    09.01.2013 03:09:59	Real-time file system protection	file	C:\Users\pk\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\runctf.lnk	Win32/Reveton.M trojan	cleaned by deleting - quarantined	pk-desktop\pk	Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.

    What does that mean:
    Event occurred on a new file created by the application: C:\Windows\SysWOW64\rundll32.exe.

    Am I f*cked?
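As an added example (not part of the thread and not ESET's tooling), the following parser reads the tab-separated real-time protection records in the format posted above and flags the pattern visible in the last log: the same object, in the user's Startup folder, re-created by the same process within seconds of every "cleaned" verdict. The sample records are constructed from the thread's column layout, the timestamp on the Kryptik entry is made up, and the 30-second window and 3-hit threshold are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The trailing "Information" column names the process that created the file.
CREATOR_RE = re.compile(r"created by the application:\s*(.+?)\.?\s*$")
# Per-user Startup folder, long form or the 8.3 "STARTM~1\Programs\Startup" form.
AUTOSTART_RE = re.compile(r"\\Programs\\Startup\\", re.IGNORECASE)

def parse_record(line):
    """Split one tab-separated ESET threat-log record into named fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 8:
        raise ValueError("expected 8 tab-separated columns: %r" % line)
    ts, scanner, obj_type, obj, threat, action, user, info = parts[:8]
    m = CREATOR_RE.search(info)
    return {"time": datetime.strptime(ts, "%d.%m.%Y %H:%M:%S"),
            "scanner": scanner, "type": obj_type, "object": obj, "threat": threat,
            "action": action, "user": user, "creator": m.group(1) if m else None,
            "autostart": bool(AUTOSTART_RE.search(obj))}

def find_redrop_loops(lines, window=timedelta(seconds=30), min_hits=3):
    """Flag objects the same process re-creates >= min_hits times within window:
    each record says 'cleaned', but a live process keeps dropping the file, so
    on-access cleaning alone has not ended the infection. Window and threshold
    are assumptions for this example, not ESET settings."""
    by_key = defaultdict(list)
    for line in lines:
        if line.strip():
            r = parse_record(line)
            by_key[(r["object"], r["creator"])].append(r)
    findings = []
    for (obj, creator), recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        best, start = 0, 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            findings.append({"object": obj, "creator": creator, "hits": best,
                             "threat": recs[0]["threat"], "autostart": recs[0]["autostart"],
                             "first": recs[0]["time"], "last": recs[-1]["time"]})
    return findings

def _rec(ts, obj, threat, creator="C:\\Windows\\SysWOW64\\rundll32.exe"):
    """Build one record in the thread's column layout (constructed sample data)."""
    return "\t".join([ts, "Real-time file system protection", "file", obj, threat,
                      "cleaned by deleting - quarantined", "pk-desktop\\pk",
                      "Event occurred on a new file created by the application: %s." % creator])

LNK = "C:\\Users\\pk\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\runctf.lnk"
# Constructed sample modelled on the thread's records; the last entry is a
# single hit with a made-up timestamp and must not be flagged.
SAMPLE_LOG = [
    _rec("09.01.2013 03:09:59", "C:\\PROGRA~3\\dsgsdgdsgdsgw.js", "JS/Agent.NID trojan"),
    _rec("09.01.2013 03:09:59", LNK, "Win32/Reveton.M trojan"),
    _rec("09.01.2013 03:10:01", LNK, "Win32/Reveton.M trojan"),
    _rec("09.01.2013 03:10:02", LNK, "Win32/Reveton.M trojan"),
    _rec("09.01.2013 03:10:09", LNK, "Win32/Reveton.M trojan"),
    _rec("09.01.2013 10:40:00", "C:\\Users\\pk\\wgsdgsdgdsgsd.dll", "Win32/Kryptik.ARUD trojan"),
]
```

Running `find_redrop_loops` over an exported threat log separates one-off detections from an object that something still running on the host keeps dropping back, which is the case where the log alone cannot confirm the machine is clean.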
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please create a SysInspector log via the shortcut in the Start menu, upload it to a safe location and PM me the download link.
     