cannot open pdf file


This topic is locked
16 replies to this topic

#1 hoholin

Posted 21 June 2013 - 11:09 AM

Hi,

I have tried your suggestion, but after I uninstalled Adobe my PC does not let me reinstall it again, and I get the error message below. I am using Win 7.

install_reader11_en_gtbd_chrd_dn_aaa_aih.exe contained a virus and was deleted.

thanks



#2 bloopie (Malware Response Team)

Posted 22 June 2013 - 06:44 AM

Hello hoholin, and welcome!

I have moved this topic from introductions to Windows 7 due to your operating system version.

Who suggested you uninstall Adobe, and exactly where are you getting your download from?

Are you experiencing any other problems?

bloopie

#3 hoholin (Topic Starter)

Posted 23 June 2013 - 11:12 AM

Hi Bloopie,

I read some posts at BleepingComputer and they suggested that I uninstall Adobe. I tried to reinstall from http://get.adobe.com/reader/ but now I can't install anything and get the same error message: "install_reader11_en_gtbd_chrd_dn_aaa_aih.exe contained a virus and was deleted".

Yes, I have another problem: when I tried to remove Microsoft Security Essentials there is an error message "You do not have sufficient access to uninstall Microsoft Security Essentials. Please contact your system administrator".

thanks



#4 bloopie (Malware Response Team)

Posted 23 June 2013 - 11:56 AM

Hello again,

Normally, we would reinstall (or update) Adobe after an infection has been cleaned...not before.

> Yes, I have another problem: when I tried to remove Microsoft Security Essentials there is an error message "You do not have sufficient access to uninstall Microsoft Security Essentials. Please contact your system administrator".

Why are you trying to uninstall Microsoft Security Essentials in the first place? If your account is not an administrator account, you will get that message when trying to install/uninstall any program. Who is the administrator on this machine?

==========

That download you linked above is safe...and if your system is telling you that file contains a virus, then your system is probably infected, so I will move this topic again from Windows 7 to the Am I Infected? forum.

Now try the below scan and post the log here for us:

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

bloopie



#5 hoholin (Topic Starter)

Posted 23 June 2013 - 12:43 PM

Hi, thanks again.

I tried to download Malwarebytes Anti-Malware but it looks like my PC is not allowing me to download any program. I get this error message at the bottom: "mbam-setup-1.75.0.1300.exe contained a virus and was deleted."

I am the only user of the PC and I am the administrator. Not sure if I should uninstall Microsoft Security Essentials to try to fix this PDF error?

thanks



#6 bloopie (Malware Response Team)

Posted 23 June 2013 - 01:10 PM

Hello again,

No, it seems your system is infected. Do you know how to boot into safe mode? Please select "Safe Mode with Networking".

Once booted into safe mode with networking, please follow the below instructions:

Please download another tool:

Step 1:

Please download Rkill by Grinler and save it to your desktop.

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

Do not reboot the computer after running this tool, or you will need to run the application again.

==========

Step 2:

Now, without rebooting...try and install and update Malwarebytes as instructed earlier. Please run a Full Scan, and post the log in your next reply.

==========

Note: Please copy and paste both the RKill log and the MBAM log in your next reply!

Also, if both tools run successfully, please let me know how the computer is running now!

bloopie



#7 hoholin (Topic Starter)

Posted 23 June 2013 - 01:17 PM

thanks, I will try your instructions now.

I am using Windows 7; should I follow your instruction and Run As Administrator?

I am having problems copying and pasting the log, please advise.

thanks



#8 bloopie (Malware Response Team)

Posted 23 June 2013 - 01:32 PM

> I am using Windows 7; should I follow your instruction and Run As Administrator?

Yes please, run as admin.

> I am having problems copying and pasting the log, please advise.

Have you run both tools as advised above? Have you booted into safe mode as instructed?

bloopie

Edited by bloopie, 23 June 2013 - 01:34 PM.


#9 hoholin (Topic Starter)

Posted 23 June 2013 - 01:47 PM

I am in safe mode but the same error message pops up and is not allowing me to save the file to the desktop as in your step #1, Rkill.

please advise, thanks

I am in "Safe Mode with Networking". I could not run either tool.

Error message: rkill.com contained a virus and was deleted.

#10 bloopie (Malware Response Team)

Posted 23 June 2013 - 02:16 PM

Hello again,

We're going to need some bigger tools...I'm moving this topic to the Malware Removal Logs forum where it will stay:

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

    If you are using Vista or Windows 7, enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language setting, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using a Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language setting, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    Select Command Prompt.

  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • Notepad opens. Under the File menu select Open.
    • Select "Computer", find your flash drive letter, and close Notepad.
    • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
      Note: Replace the letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

bloopie

#11 hoholin (Topic Starter)

Posted 23 June 2013 - 02:50 PM

thanks Bloopie, I will follow your last instruction. Afterwards, do I still need to download Malwarebytes Anti-Malware as suggested earlier?

Will Farbar Recovery Scan Tool impact any of my programs or files that I should save before I perform it?

thanks



#12 bloopie (Malware Response Team)

Posted 23 June 2013 - 03:05 PM

You will need to later on, but for now, abandon all else...just follow my instructions from post #10. Start there and post that log!

 

...and after a fix or two...then we'll get back to MalwareBytes Antimalware (MBAM).

 

bloopie



#13 hoholin (Topic Starter)

Posted 23 June 2013 - 03:50 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-06-2013
Ran by SYSTEM on 23-06-2013 16:45:22
Running from H:\
Windows 7 Home Premium (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKU\May Ho\...\Run: [BAIDUMEDIA] C:\Program Files\Baidu\BaiduPlayer\1.17.0.149\BaiduPlayer.exe minimize [ 2012-09-03] ()

========================== Services (Whitelisted) =================

S4 Basics Service; C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [124280 2007-10-09] (Seagate Technology LLC)
S4 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

S0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2009-07-13] (Microsoft Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [734208 2009-05-25] (Ralink Technology Corp.)
S1 klroajmk; \??\C:\Windows\system32\drivers\klroajmk.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-23 16:45 - 2013-06-23 16:45 - 00000000 ____D C:\FRST
2013-06-21 22:46 - 2013-06-23 12:12 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-21 22:46 - 2013-06-21 22:46 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-21 22:46 - 2013-06-21 22:46 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-21 21:27 - 2013-06-23 12:23 - 00000999 ____A C:\Windows\setupact.log
2013-06-21 21:27 - 2013-06-21 21:27 - 00000000 ____A C:\Windows\setuperr.log
2013-06-21 19:50 - 2013-06-21 19:50 - 00000000 ____D C:\Windows\pss
2013-06-20 07:18 - 2013-06-20 07:18 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-20 07:18 - 2013-06-20 07:18 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-20 07:18 - 2013-06-20 07:18 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-20 07:18 - 2013-06-20 07:18 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-20 07:14 - 2013-06-21 21:17 - 00001671 ____A C:\Users\May Ho\AppData\Local\rogerscookie
2013-06-13 00:48 - 2013-06-08 03:42 - 01141248 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-13 00:48 - 2013-06-08 03:40 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-13 00:48 - 2013-06-08 03:40 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-13 00:48 - 2013-06-08 03:13 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-13 00:47 - 2013-06-08 03:40 - 14327808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-13 00:47 - 2013-06-08 03:40 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-13 00:45 - 2013-05-16 17:26 - 00042496 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-13 00:45 - 2013-05-16 17:25 - 02877440 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 01767936 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 00690688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 00493056 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 00109056 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 00061440 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 00039424 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-13 00:45 - 2013-05-16 17:25 - 00033280 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-13 00:45 - 2013-05-14 00:40 - 00071680 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-12 08:09 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-12 08:09 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-12 08:09 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-12 08:09 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-12 08:09 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-12 08:09 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-12 08:09 - 2013-05-07 21:38 - 01293672 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-12 08:09 - 2013-05-05 21:06 - 03968872 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-12 08:09 - 2013-05-05 21:06 - 03913576 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-12 08:09 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-12 08:09 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-12 08:09 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 09:42 - 2013-06-21 06:34 - 00000000 ____D C:\Users\May Ho\Desktop\trip
2013-06-05 13:20 - 2013-06-20 07:49 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-05-30 08:57 - 2013-05-30 08:57 - 00010092 ____A C:\Users\May Ho\Desktop\Brad- Ins.xlsx

==================== One Month Modified Files and Folders ========

2013-06-23 16:45 - 2013-06-23 16:45 - 00000000 ____D C:\FRST
2013-06-23 12:26 - 2012-03-10 00:09 - 01510299 ____A C:\Windows\WindowsUpdate.log
2013-06-23 12:26 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-23 12:26 - 2009-07-13 20:34 - 00013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-23 12:23 - 2013-06-21 21:27 - 00000999 ____A C:\Windows\setupact.log
2013-06-23 12:23 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-23 12:21 - 2012-03-10 12:24 - 00000000 ____D C:\Users\May Ho\Documents\Outlook Files
2013-06-23 12:14 - 2012-03-09 21:17 - 00782838 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-23 12:12 - 2013-06-21 22:46 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-23 11:07 - 2012-10-24 20:35 - 00000000 ____D C:\baidu player
2013-06-23 10:51 - 2012-10-24 20:36 - 00000138 ____A C:\Windows\vsfilter.INI
2013-06-23 09:09 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\Microsoft.NET
2013-06-23 08:34 - 2012-03-10 17:31 - 00000000 ____D C:\Users\May Ho\Desktop\Expense
2013-06-22 00:35 - 2012-03-09 22:43 - 00000000 ____D C:\ProgramData\GreenPoint
2013-06-21 22:46 - 2013-06-21 22:46 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-21 22:46 - 2013-06-21 22:46 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-21 22:28 - 2013-04-09 17:12 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-06-21 21:27 - 2013-06-21 21:27 - 00000000 ____A C:\Windows\setuperr.log
2013-06-21 21:27 - 2012-03-09 22:22 - 00320526 ____A C:\Windows\PFRO.log
2013-06-21 21:17 - 2013-06-20 07:14 - 00001671 ____A C:\Users\May Ho\AppData\Local\rogerscookie
2013-06-21 20:40 - 2012-03-09 23:59 - 00000000 ____D C:\Users\May Ho\AppData\Local\Google
2013-06-21 20:35 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\System32\DriverStore
2013-06-21 20:33 - 2012-03-10 06:20 - 00000000 ____D C:\Users\May Ho\AppData\Roaming\Skype
2013-06-21 20:33 - 2012-03-10 00:05 - 00000000 ____D C:\ProgramData\Skype
2013-06-21 20:32 - 2012-03-10 12:15 - 00000000 ____D C:\Users\May Ho\AppData\Roaming\Mozilla
2013-06-21 20:31 - 2012-11-17 09:33 - 00000000 ____D C:\Program Files\Google
2013-06-21 20:19 - 2013-03-17 13:29 - 00000000 ____D C:\Users\May Ho\AppData\Local\Deployment
2013-06-21 19:50 - 2013-06-21 19:50 - 00000000 ____D C:\Windows\pss
2013-06-21 10:11 - 2012-03-10 17:32 - 00000000 ____D C:\Users\May Ho\Desktop\May
2013-06-21 06:34 - 2013-06-11 09:42 - 00000000 ____D C:\Users\May Ho\Desktop\trip
2013-06-20 11:22 - 2009-07-13 18:37 - 00000000 ____D C:\Windows\rescache
2013-06-20 07:49 - 2013-06-05 13:20 - 00000000 ____D C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-06-20 07:47 - 2013-04-19 21:03 - 00000000 ____D C:\Users\May Ho\AppData\Roaming\Octoshape
2013-06-20 07:18 - 2013-06-20 07:18 - 00263592 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2013-06-20 07:18 - 2013-06-20 07:18 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2013-06-20 07:18 - 2013-06-20 07:18 - 00175016 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2013-06-20 07:18 - 2013-06-20 07:18 - 00094632 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge.dll
2013-06-20 07:18 - 2012-10-18 16:54 - 00867240 ____A (Oracle Corporation) C:\Windows\System32\npdeployJava1.dll
2013-06-20 07:18 - 2012-03-10 00:02 - 00789416 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2013-06-20 07:18 - 2012-03-10 00:01 - 00000000 ____D C:\Program Files\Java
2013-06-13 00:46 - 2012-03-10 07:19 - 73381792 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-06-10 20:34 - 2013-04-10 17:25 - 00000000 ____D C:\Users\May Ho\AppData\Roaming\U3
2013-06-08 03:42 - 2013-06-13 00:48 - 01141248 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 03:40 - 2013-06-13 00:48 - 13760512 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 03:40 - 2013-06-13 00:48 - 00391168 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 03:40 - 2013-06-13 00:47 - 14327808 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 03:40 - 2013-06-13 00:47 - 02046976 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 03:13 - 2013-06-13 00:48 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-04 09:55 - 2013-01-19 10:35 - 00010746 ____A C:\Users\May Ho\Desktop\ins.xlsx
2013-05-30 08:57 - 2013-05-30 08:57 - 00010092 ____A C:\Users\May Ho\Desktop\Brad- Ins.xlsx
2013-05-25 10:42 - 2012-03-10 15:21 - 00000000 ____D C:\Users\May Ho\Desktop\Tax File

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2896460143-2695579188-1248688663-1000\$4d648a890c73f1bccf21bb46d0983b8f

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4d648a890c73f1bccf21bb46d0983b8f

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-05-21 22:36:18
Restore point made on: 2013-05-22 06:29:33
Restore point made on: 2013-05-25 06:41:54
Restore point made on: 2013-05-29 10:02:29
Restore point made on: 2013-06-02 10:17:05
Restore point made on: 2013-06-10 10:57:40
Restore point made on: 2013-06-13 00:44:41
Restore point made on: 2013-06-20 07:17:16
Restore point made on: 2013-06-20 07:18:13
Restore point made on: 2013-06-20 07:48:08
Restore point made on: 2013-06-21 06:59:19
Restore point made on: 2013-06-21 07:09:51
Restore point made on: 2013-06-21 11:26:22
Restore point made on: 2013-06-21 20:32:10
Restore point made on: 2013-06-21 20:32:47
Restore point made on: 2013-06-21 20:33:36
Restore point made on: 2013-06-21 20:34:05
Restore point made on: 2013-06-21 20:34:59

==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 2037.66 MB
Available physical RAM: 1610.25 MB
Total Pagefile: 2037.66 MB
Available Pagefile: 1610.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1918.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:212.63 GB) NTFS
Drive g: (FreeAgent Drive) (Fixed) (Total:232.88 GB) (Free:174.24 GB) NTFS
Drive h: (Lexar) (Removable) (Total:7.32 GB) (Free:6.98 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 00000001)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 233 GB) (Disk ID: A4B57300)
Partition 1: (Not Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7 GB) - (Type=0C)

LastRegBack: 2013-06-20 11:15

==================== End Of Log ============================
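The FRST log above carries the ZeroAccess markers bloopie is reading in post #15: the InprocServer32 COM hijack in the registry section, the klroajmk.sys driver whose file is missing ([x]), the $Recycle.Bin payload folder, and the junction warnings on the Windows Defender and Microsoft Security Client folders (both services also show an empty publisher field). As an added example, not part of this thread and not a FRST feature, this Python script pulls those indicators out of an embedded excerpt of that log so a helper can see at a glance what a fix has to cover; the finding names are my own, the directive text is FRST's as printed in the log.

```python
import re

# Excerpt of the FRST.txt posted above (only the lines that matter), embedded so this runs offline.
FRST_EXCERPT = r"""
==================== Registry (Whitelisted) ==================

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess

========================== Services (Whitelisted) =================

S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()

==================== Drivers (Whitelisted) ====================

S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 klroajmk; \??\C:\Windows\system32\drivers\klroajmk.sys [x]

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4d648a890c73f1bccf21bb46d0983b8f

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
"""

# Service/driver entries look like "S1 name; path [size date] (Publisher)"; "[x]" means the file is missing on disk.
ENTRY_RE = re.compile(
    r"^(?P<start>[SR]\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<meta>[^\]]*)\](?: \((?P<publisher>[^)]*)\))?$"
)
JUNCTION_RE = re.compile(r"Use DeleteJunctionsIndirectory: (?P<dir>.+)$")
HIGH_CONFIDENCE = ("com_hijack", "junctioned_dir", "recycle_bin_payload")


def find_indicators(text):
    """Return (kind, detail) findings in log order.

    FRST's own 'ATTENTION ... ZeroAccess' lines and the 'ZeroAccess:' path blocks are
    high confidence; a missing driver file or a service with no publisher info is only
    a lead to check by hand.
    """
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if "ATTENTION" in line and "ZeroAccess" in line:
            # The InprocServer32 COM hijack vs. the junctioned security-product folders.
            kind = "junctioned_dir" if "DeleteJunctionsIndirectory" in line else "com_hijack"
            findings.append((kind, line))
        elif line == "ZeroAccess:" and i + 1 < len(lines):
            findings.append(("recycle_bin_payload", lines[i + 1]))  # the $Recycle.Bin payload folder
        else:
            m = ENTRY_RE.match(line)
            if m and m.group("meta") == "x":
                findings.append(("missing_driver_file", m.group("name")))
            elif m and m.group("publisher") == "":
                findings.append(("no_publisher_info", m.group("name")))
    return findings


def junctioned_directories(findings):
    """Folders FRST says are ZeroAccess junctions; the fix has to remove each junction."""
    dirs = []
    for kind, detail in findings:
        m = JUNCTION_RE.search(detail)
        if kind == "junctioned_dir" and m and m.group("dir") not in dirs:
            dirs.append(m.group("dir"))
    return dirs


def is_still_infected(findings):
    """The call bloopie makes in post #15: any high-confidence marker means not fixed yet."""
    return any(kind in HIGH_CONFIDENCE for kind, _ in findings)


if __name__ == "__main__":
    found = find_indicators(FRST_EXCERPT)
    for kind, detail in found:
        print(f"{kind:20s} {detail}")
    print("junctions to remove:", junctioned_directories(found))
    print("still infected:", is_still_infected(found))
```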



#14 hoholin (Topic Starter)

Posted 25 June 2013 - 01:39 AM

My PC is fixed. Thanks for your help.



#15 bloopie (Malware Response Team)

Posted 25 June 2013 - 10:07 PM

Hello again,

> My PC is fixed. Thanks for your help.

Your logs are showing that that is not an accurate statement! Your logs are still showing signs of infection...could you tell me what you have done to clean this infection, and why you believe your machine is fixed now?

The infection that is showing in your logs is a new variant, and probably will need a bit more work. I'd be happy to continue helping you with this issue, as long as you still wish to receive my help!

==========

If you don't want to receive any further help with this issue, then please confirm with me again in your next reply and I will close this topic...but your machine is not yet fixed from what I can tell.

bloopie





