Win 7 Antivirus


18 replies to this topic

#1 tobitobitobi

Posted 07 January 2012 - 01:31 PM

Hi, I just recently got infected with Win 7 Antivirus.

It pretty much disabled all exe files and access to the internet, but I was able to run Malwarebytes Anti-Malware by running it as administrator.

It removed Win 7 Antivirus but it messed up system settings (firewall, can't use exe files, etc.).

I ran ComboFix and everything seems to be back in order, but I want peace of mind knowing that the virus is wiped for good.

Note: I also received some warning about Rootkit ZeroAccess when I ran ComboFix.

Thanks for the help!




#2 Broni (BC Advisor)

Posted 07 January 2012 - 01:33 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

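As an added example (not part of Broni's post, and not code from the Farbar tools), the PowerShell script below performs the same family of checks that Farbar Service Scanner and MiniToolBox are asked to run above: whether each security-relevant service still has its registry key, its start type and ImagePath, whether the binary behind it is present and signed, whether a policy forces the firewall off, what is in the hosts file, and what Internet Explorer's proxy settings are. It assumes an elevated prompt on Windows 7 or later and the standard Windows service names and paths; the function names are hypothetical helpers written for this illustration.

```powershell
# Added example, not code from the original post or from the Farbar tools.
# Assumptions: elevated PowerShell on Windows 7 or later; standard Windows
# service names and file locations; helper function names are hypothetical.

# Services FSS checks, with the binary behind each (cf. its "File Check" section).
$ServicesToCheck = @(
    @{ Name = 'MpsSvc';   File = "$env:SystemRoot\System32\mpssvc.dll" },          # Windows Firewall
    @{ Name = 'mpsdrv';   File = "$env:SystemRoot\System32\drivers\mpsdrv.sys" },  # Firewall driver
    @{ Name = 'BFE';      File = "$env:SystemRoot\System32\bfe.dll" },             # Base Filtering Engine
    @{ Name = 'VSS';      File = "$env:SystemRoot\System32\vssvc.exe" },           # System Restore
    @{ Name = 'wscsvc';   File = "$env:SystemRoot\System32\wscsvc.dll" },          # Security Center
    @{ Name = 'wuauserv'; File = "$env:SystemRoot\System32\wuaueng.dll" },         # Windows Update
    @{ Name = 'BITS';     File = "$env:SystemRoot\System32\qmgr.dll" }             # Background transfer
)

function Test-ServiceConfig {
    param([string]$Name, [string]$File)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = @{ Service = $Name; KeyExists = (Test-Path $key); Start = $null; ImagePath = $null; Status = $null }
    if ($r.KeyExists) {
        $p = Get-ItemProperty -Path $key
        $r.Start     = $p.Start          # 2 = Automatic, 3 = Manual, 4 = Disabled
        $r.ImagePath = $p.ImagePath
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc) { $r.Status = $svc.Status } else { $r.Status = 'not known to SCM' }
    } else {
        # This is the condition behind "Unable to open MpsSvc registry key. The
        # service key does not exist." in an FSS log: the service is gone, not stopped.
        $r.Status = 'SERVICE KEY MISSING'
    }
    # FSS compares an MD5 against its list of known-good hashes; this example checks
    # the Authenticode signature instead, which needs no external hash database.
    # Caveat: many Windows system files are catalog-signed rather than embedded-signed,
    # and older PowerShell builds report those as NotSigned, so treat Valid as strong
    # evidence and NotSigned as "verify by other means" (e.g. sfc /verifyonly).
    if (Test-Path $File) {
        $sig = Get-AuthenticodeSignature -FilePath $File
        $r.FileSignature = $sig.Status
        if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }
    } else {
        $r.FileSignature = 'FILE MISSING'
    }
    New-Object PSObject -Property $r
}

function Get-FirewallDisabledPolicy {
    # FSS's "Firewall Disabled Policy" section: a policy value that forces the
    # firewall off for a profile. Nothing should be reported on a healthy home PC.
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $k = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile"
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k).EnableFirewall
            if ($v -eq 0) { "$profile : EnableFirewall=0 (firewall forced OFF by policy)" }
        }
    }
}

function Get-HostsEntries {
    # MiniToolBox's "Hosts content": anything beyond "127.0.0.1 localhost" deserves
    # a look, since redirecting AV and update domains here is a common rogue-AV trick.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
}

function Get-IEProxySettings {
    # MiniToolBox's "IE Proxy Settings": a proxy the user never configured, or an
    # AutoConfigURL, means browser traffic is being steered somewhere.
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

'== Service configuration =='
$ServicesToCheck | ForEach-Object { Test-ServiceConfig -Name $_.Name -File $_.File } |
    Format-Table Service, KeyExists, Start, Status, FileSignature -AutoSize
'== Firewall policy =='
Get-FirewallDisabledPolicy
'== Hosts entries =='
Get-HostsEntries
'== IE proxy =='
Get-IEProxySettings | Format-List
```

A missing service key is a different problem from a stopped service: `net start` or `sc start` cannot bring back a service the Service Control Manager no longer knows about, and the key has to be recreated from a known-good export taken from the same Windows version. That distinction is why FSS reports "The service key does not exist" separately from "Service is not running".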


#3 tobitobitobi (Topic Starter)

Posted 07 January 2012 - 02:55 PM

Results of screen317's Security Check version 0.99.24
Windows 7 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player ( 10.1.102.64) Flash Player Out of Date!
Mozilla Firefox (3.6.20) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
``````````End of Log````````````




Farbar Service Scanner
Ran by family (administrator) on 07-01-2012 at 13:41:19
Microsoft Windows 7 Professional K (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2009-07-13 18:53] - [2009-07-13 20:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 18:54] - [2009-07-13 20:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 18:23] - [2009-07-13 20:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 18:24] - [2009-07-13 20:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 19:15] - [2009-07-13 20:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 18:30] - [2009-07-13 20:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-07-13 18:33] - [2009-07-13 20:15] - 0135680 ____A (Microsoft Corporation) 9C231178CE4FB385F4B54B0A9080B8A4

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****




MiniToolBox by Farbar
Ran by family (administrator) on 07-01-2012 at 13:42:34
Microsoft Windows 7 Professional K (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.no_proxies_on", "*.local"
"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

NVIDIA nForce Networking Controller = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . : jay
Primary Dns Suffix  . . . . . :
Node Type . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . : No
WINS Proxy Enabled. . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-1B-FC-24-77-DC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2872:e715:a725:79cb%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 7, 2012 1:07:57 PM
Lease Expires . . . . . . . . . . : Sunday, January 8, 2012 1:12:55 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 234888188
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-A0-EB-4D-00-1B-FC-24-77-DC
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{559D1BFC-F54D-432B-AC0B-6B1D096DB5FE}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection*:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.113.105
74.125.113.99
74.125.113.147
74.125.113.104
74.125.113.106
74.125.113.103


Pinging google.com [74.125.113.103] with 32 bytes of data:
Reply from 74.125.113.103: bytes=32 time=45ms TTL=51
Reply from 74.125.113.103: bytes=32 time=49ms TTL=51

Ping statistics for 74.125.113.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 45ms, Maximum = 49ms, Average = 47ms
Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.137.149.56
98.139.180.149
209.191.122.70
72.30.2.43


Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=92ms TTL=53
Reply from 72.30.2.43: bytes=32 time=89ms TTL=53

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 89ms, Maximum = 92ms, Average = 90ms
Server: UnKnown
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 1b fc 24 77 dc ......NVIDIA nForce Networking Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.10 276
192.168.1.10 255.255.255.255 On-link 192.168.1.10 276
192.168.1.255 255.255.255.255 On-link 192.168.1.10 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.10 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.10 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
1 306 ::1/128 On-link
11 276 fe80::/64 On-link
11 276 fe80::2872:e715:a725:79cb/128
On-link
1 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/07/2012 01:18:57 PM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.51.0.1118, time stamp: 0x4e5e8e67
Faulting module name: mbamnet.DLL, version: 1.51.2.0, time stamp: 0x4e530b76
Exception code: 0xc0000005
Fault offset: 0x00102a37
Faulting process id: 0x81c
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (01/06/2012 07:08:13 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The RPC server is unavailable.

Error: (01/05/2012 11:20:01 PM) (Source: Application Error) (User: )
Description: Faulting application name: DFO.exe, version: 1.0.44.1, time stamp: 0x4ee571f9
Faulting module name: DFO.exe, version: 1.0.44.1, time stamp: 0x4ee571f9
Exception code: 0xc0000005
Fault offset: 0x00a6e6a4
Faulting process id: 0x1250
Faulting application start time: 0xDFO.exe0
Faulting application path: DFO.exe1
Faulting module path: DFO.exe2
Report Id: DFO.exe3

Error: (01/03/2012 10:43:38 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: mshtml.dll, version: 8.0.7600.16385, time stamp: 0x4a5bda8a
Exception code: 0xc0000005
Fault offset: 0x0022ad5a
Faulting process id: 0x17b8
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/03/2012 10:43:21 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: mshtml.dll, version: 8.0.7600.16385, time stamp: 0x4a5bda8a
Exception code: 0xc0000005
Fault offset: 0x0022ad5a
Faulting process id: 0x6cc
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/03/2012 10:09:29 AM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: mshtml.dll, version: 8.0.7600.16385, time stamp: 0x4a5bda8a
Exception code: 0xc0000005
Fault offset: 0x000c5dd5
Faulting process id: 0xf80
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/02/2012 10:25:49 PM) (Source: Application Error) (User: )
Description: Faulting application name: DFO.exe, version: 1.0.44.1, time stamp: 0x4ee571f9
Faulting module name: DFO.exe, version: 1.0.44.1, time stamp: 0x4ee571f9
Exception code: 0xc0000005
Fault offset: 0x00a6e6a4
Faulting process id: 0x15f4
Faulting application start time: 0xDFO.exe0
Faulting application path: DFO.exe1
Faulting module path: DFO.exe2
Report Id: DFO.exe3

Error: (01/01/2012 06:15:48 PM) (Source: Application Error) (User: )
Description: Faulting application name: bf3.exe, version: 1.0.0.0, time stamp: 0x4e9d3315
Faulting module name: bf3.exe, version: 1.0.0.0, time stamp: 0x4e9d3315
Exception code: 0xc0000005
Fault offset: 0x006b3da0
Faulting process id: 0x1b4
Faulting application start time: 0xbf3.exe0
Faulting application path: bf3.exe1
Faulting module path: bf3.exe2
Report Id: bf3.exe3

Error: (12/30/2011 06:44:27 PM) (Source: Application Error) (User: )
Description: Faulting application name: Fallout3.exe, version: 1.7.0.3, time stamp: 0x4a40f18b
Faulting module name: Fallout3.exe, version: 1.7.0.3, time stamp: 0x4a40f18b
Exception code: 0xc0000005
Fault offset: 0x001878f8
Faulting process id: 0xa3c
Faulting application start time: 0xFallout3.exe0
Faulting application path: Fallout3.exe1
Faulting module path: Fallout3.exe2
Report Id: Fallout3.exe3

Error: (12/30/2011 11:14:31 AM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: mshtml.dll, version: 8.0.7600.16385, time stamp: 0x4a5bda8a
Exception code: 0xc0000005
Fault offset: 0x0022ad5a
Faulting process id: 0xddc
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3


System errors:
=============
Error: (01/07/2012 01:17:34 PM) (Source: VDS Basic Provider) (User: )
Description: Unexpected failure. Error code: 490@01010004

Error: (01/07/2012 01:08:26 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/07/2012 01:07:56 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/07/2012 01:07:51 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 1:06:48 PM on 2012-01-07 was unexpected.

Error: (01/07/2012 01:02:31 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (01/07/2012 00:56:49 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (01/07/2012 00:55:59 PM) (Source: Service Control Manager) (User: )
Description: The IPsec Policy Agent service depends on the BFE service, which may not be installed.

Error: (01/07/2012 00:55:59 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: An error occurred while reading the local hosts file.

Error: (01/07/2012 00:55:59 PM) (Source: Service Control Manager) (User: )
Description: The IKE and AuthIP IPsec Keying Modules service depends on the BFE service, which may not be installed.

Error: (01/07/2012 00:55:51 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060


Microsoft Office Sessions:
=========================
Error: (01/07/2012 01:18:57 PM) (Source: Application Error)(User: )
Description: mbam.exe1.51.0.11184e5e8e67mbamnet.DLL1.51.2.04e530b76c000000500102a3781c01cccd6877789da0C:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamnet.DLL0fe4e8a0-395c-11e1-abe0-001bfc2477dc

Error: (01/06/2012 07:08:13 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab The RPC server is unavailable.

Error: (01/05/2012 11:20:01 PM) (Source: Application Error)(User: )
Description: DFO.exe1.0.44.14ee571f9DFO.exe1.0.44.14ee571f9c000000500a6e6a4125001cccc289441e798C:\Nexon\DFO\DFO.exeC:\Nexon\DFO\DFO.exeb2b7f1c0-381d-11e1-abdf-001bfc2477dc

Error: (01/03/2012 10:43:38 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.163854a5bc69emshtml.dll8.0.7600.163854a5bda8ac00000050022ad5a17b801ccca5216a32b58C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dll491f7b18-3686-11e1-a7f0-001bfc2477dc

Error: (01/03/2012 10:43:21 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.163854a5bc69emshtml.dll8.0.7600.163854a5bda8ac00000050022ad5a6cc01ccca2c89b11770C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dll3eae7238-3686-11e1-a7f0-001bfc2477dc

Error: (01/03/2012 10:09:29 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.163854a5bc69emshtml.dll8.0.7600.163854a5bda8ac0000005000c5dd5f8001ccca2972548f60C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dllee20ba60-361c-11e1-a7f0-001bfc2477dc

Error: (01/02/2012 10:25:49 PM) (Source: Application Error)(User: )
Description: DFO.exe1.0.44.14ee571f9DFO.exe1.0.44.14ee571f9c000000500a6e6a415f401ccc98212070860C:\Nexon\DFO\DFO.exeC:\Nexon\DFO\DFO.exea114f540-35ba-11e1-ad6e-001bfc2477dc

Error: (01/01/2012 06:15:48 PM) (Source: Application Error)(User: )
Description: bf3.exe1.0.0.04e9d3315bf3.exe1.0.0.04e9d3315c0000005006b3da01b401ccc8dab5763f28C:\Users\Public\Battlefield 3\bf3.exeC:\Users\Public\Battlefield 3\bf3.exe898ed888-34ce-11e1-860f-001bfc2477dc

Error: (12/30/2011 06:44:27 PM) (Source: Application Error)(User: )
Description: Fallout3.exe1.7.0.34a40f18bFallout3.exe1.7.0.34a40f18bc0000005001878f8a3c01ccc74a3d1eb834C:\Program Files\Bethesda Softworks\Fallout 3\Fallout3.exeC:\Program Files\Bethesda Softworks\Fallout 3\Fallout3.exe35927fe4-3340-11e1-a3a8-001bfc2477dc

Error: (12/30/2011 11:14:31 AM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.7600.163854a5bc69emshtml.dll8.0.7600.163854a5bda8ac00000050022ad5addc01ccc70dff1e4d60C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\System32\mshtml.dll5abaffb0-3301-11e1-a3a8-001bfc2477dc


=========================== Installed Programs ============================

AC3Filter 1.63b (Version: 1.63b)
Ad-Aware (Version: 9.0.1)
Adobe AIR (Version: 2.5.1.17730)
Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Flash Player 10 Plugin (Version: 10.1.102.64)
Adobe Reader X (Version: 10.0.0)
AMD APP SDK Runtime (Version: 10.0.831.4)
AMD Catalyst Install Manager (Version: 3.0.855.0)
AMD Drag and Drop Transcoding (Version: 2.00.0000)
AMD Fuel (Version: 2011.1109.2212.39826)
AMD Media Foundation Decoders (Version: 1.0.61109.2218)
AMD VISION Engine Control Center (Version: 2011.1109.2212.39826)
Apple Application Support (Version: 1.3.2)
Apple Mobile Device Support (Version: 3.2.0.47)
Apple Software Update (Version: 2.1.2.120)
AviSynth 2.5
Batman: Arkham Asylum (Version: 1.0.0.0)
Bonjour (Version: 2.0.3.0)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2011.1109.2212.39826)
Catalyst Control Center InstallProxy (Version: 2011.1109.2212.39826)
ccc-utility (Version: 2011.1109.2212.39826)
CCC Help English (Version: 2011.1109.2211.39826)
CCleaner (Version: 3.07)
CDisplay 1.8
Combat Arms
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
CoreAAC Audio Decoder (remove only)
D3DX10 (Version: 15.4.2368.0902)
DFOLauncher
Dragon Age: Origins (Version: 1.00)
DragonNest
Dual-Core Optimizer (Version: 1.1.4.0169)
Fallout 3 (Version: 1.00.0000)
Game Booster (Version: 2.4.1.0)
iTunes (Version: 10.0.1.22)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
League of Legends (Version: 1.3)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Games for Windows - LIVE (Version: 3.3.24.0)
Microsoft Games for Windows - LIVE Redistributable (Version: 3.2.3.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 4.0.50917.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Mozilla Firefox (3.6.20) (Version: 3.6.20 (ko))
MSVCRT (Version: 15.4.2862.0708)
MyVideoConverter 2.43 (Version: 2.43)
NVIDIA PhysX (Version: 9.09.0720)
OpenAL
Pando Media Booster (Version: 2.3.5.2)
QuickTime (Version: 7.68.75.0)
Realtek High Definition Audio Driver (Version: 6.0.1.5953)
Samsung Kies (Version: 2.0.0.11014_49)
SAMSUNG USB Driver for Mobile Phones (Version: 1.3.2000.0)
STREET FIGHTER IV (Version: 1.00.3013)
Super Street Fighter IV: Arcade Edition (Version: 1.0.0000.129)
Ventrilo Client (Version: 3.0.7)
Videora iPod Converter 6 (Version: 6)
VLC media player 1.1.9 (Version: 1.1.9)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Essentials (Korean package "Windows Live 필수 패키지") (Version: 15.4.3502.0922)
GOM Audio (곰오디오) (Version: 1.9.10.0140)
GOM Player (곰플레이어) (Version: 2.1.28.5039)
ALYac (알약) (Version: v2.1)
ALZip (알집) (Version: v8.21)
ALTools Update (알툴즈 업데이트) (Version: v11.4.28.1)
White Day (화이트데이)

========================= Memory info: ===================================

Percentage of memory in use: 66%
Total physical RAM: 2046.55 MB
Available physical RAM: 676.9 MB
Total Pagefile: 4093.11 MB
Available Pagefile: 2479.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1925.11 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:118.75 GB) (Free:36.46 GB) NTFS
2 Drive d: () (Fixed) (Total:114.13 GB) (Free:31.74 GB) NTFS

========================= Users: ========================================

User accounts for \\JAY

Administrator family Guest
The command completed successfully.


**** End of log ****



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2012-01-07 2:17:24 PM
mbam-log-2012-01-07 (14-17-24).txt

Scan type: Quick scan
Objects scanned: 174900
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-07 14:37:23
Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000060 SAMSUNG_ rev.VT10
Running: bz5pdxy9.exe; Driver: C:\Users\family\AppData\Local\Temp\uxldqpog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 1212 830623DE 5 Bytes JMP 8E618E80 \SystemRoot\system32\drivers\EstRtw.sys (RealTime Kernel Driver/ESTsoft Corp)
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83062579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83086F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\sprx.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8E94ECA0 5 Bytes JMP 865371D8
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FC0E000, 0x3BEEC5, 0xE8000020]
.text asvinsmi.SYS 8F4DA000 12 Bytes [44, 48, 43, 83, EE, 46, 43, ...]
.text asvinsmi.SYS 8F4DA00D 9 Bytes [27, 43, 83, 48, 4B, 43, 83, ...] {DAA ; INC EBX; OR DWORD [EAX+0x4b], 0x43; ADD DWORD [EAX], 0x0}
.text asvinsmi.SYS 8F4DA017 170 Bytes [00, DE, 57, F1, 88, E6, 55, ...]
.text asvinsmi.SYS 8F4DA0C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text asvinsmi.SYS 8F4DA0CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye[1920] kernel32.dll!GetModuleFileNameA 75B91074 5 Bytes JMP 00E91468 C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye (RealTime Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye[1920] kernel32.dll!LoadLibraryA 75B92864 5 Bytes JMP 00E923A8 C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye (RealTime Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye[1920] kernel32.dll!LoadLibraryW 75B928B2 5 Bytes JMP 00E92348 C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye (RealTime Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye[1920] kernel32.dll!GetModuleHandleA 75B928D7 5 Bytes JMP 00E91428 C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye (RealTime Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye[1968] kernel32.dll!GetModuleFileNameA 75B91074 5 Bytes JMP 009797D8 C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye (Update Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye[1968] kernel32.dll!LoadLibraryA 75B92864 5 Bytes JMP 0097A718 C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye (Update Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye[1968] kernel32.dll!LoadLibraryW 75B928B2 5 Bytes JMP 0097A6B8 C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye (Update Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye[1968] kernel32.dll!GetModuleHandleA 75B928D7 5 Bytes JMP 00979798 C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye (Update Service/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] kernel32.dll!GetModuleFileNameA 75B91074 5 Bytes JMP 001C0F18 C:\Program Files\ESTsoft\ALYac\AYAgent.aye (Tray Application/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] kernel32.dll!LoadLibraryA 75B92864 5 Bytes JMP 001C8048 C:\Program Files\ESTsoft\ALYac\AYAgent.aye (Tray Application/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] kernel32.dll!LoadLibraryW 75B928B2 5 Bytes JMP 001C7FE8 C:\Program Files\ESTsoft\ALYac\AYAgent.aye (Tray Application/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] kernel32.dll!GetModuleHandleA 75B928D7 5 Bytes JMP 001C0ED8 C:\Program Files\ESTsoft\ALYac\AYAgent.aye (Tray Application/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] SHLWAPI.dll!StrStrIA 7767DAFE 5 Bytes JMP 001C0F58 C:\Program Files\ESTsoft\ALYac\AYAgent.aye (Tray Application/ESTsoft Corp)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88E19042] \SystemRoot\System32\Drivers\sprx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88E196D6] \SystemRoot\System32\Drivers\sprx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88E19800] \SystemRoot\System32\Drivers\sprx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88E1913E] \SystemRoot\System32\Drivers\sprx.sys
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (응용 프로그램 호환성 클라이언트 라이브러리/Microsoft Corporation)
IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (응용 프로그램 호환성 클라이언트 라이브러리/Microsoft Corporation)
IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (응용 프로그램 호환성 클라이언트 라이브러리/Microsoft Corporation)
IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (응용 프로그램 호환성 클라이언트 라이브러리/Microsoft Corporation)
IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (응용 프로그램 호환성 클라이언트 라이브러리/Microsoft Corporation)
IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (응용 프로그램 호환성 클라이언트 라이브러리/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 852751F8
Device \Driver\sptd \Device\1023520672 sprx.sys
Device \Driver\volmgr \Device\VolMgrControl 852701F8
Device \Driver\usbohci \Device\USBPDO-0 865381F8
Device \Driver\usbehci \Device\USBPDO-1 8654C1F8
Device \Driver\nvstor \Device\00000060 852731F8
Device \Driver\PCI_PNP6672 \Device\00000054 sprx.sys
Device \Driver\nvstor \Device\00000061 852731F8
Device \Driver\volmgr \Device\HarddiskVolume1 852701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 852701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 863AD1F8
Device \Driver\atapi \Device\Ide\IdePort0 852721F8
Device \Driver\atapi \Device\Ide\IdePort1 852721F8
Device \Driver\volmgr \Device\HarddiskVolume3 852701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 863AD1F8
Device \Driver\volmgr \Device\HarddiskVolume4 852701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume5 852701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume6 852701F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\nvstor \Device\RaidPort0 852731F8
Device \Driver\USBSTOR \Device\0000006b 8641A1F8
Device \Driver\usbohci \Device\USBFDO-0 865381F8
Device \Driver\USBSTOR \Device\0000006c 8641A1F8
Device \Driver\usbehci \Device\USBFDO-1 8654C1F8
Device \Driver\USBSTOR \Device\0000006d 8641A1F8
Device \Driver\USBSTOR \Device\0000006e 8641A1F8
Device \Driver\USBSTOR \Device\0000006f 8641A1F8
Device \Driver\asvinsmi \Device\Scsi\asvinsmi1Port3Path0Target0Lun0 8652A1F8
Device \Driver\asvinsmi \Device\Scsi\asvinsmi1 8652A1F8
Device \Driver\00000627 \GLOBAL??\f4baeed9 864D4880

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x35 0x55 0xF8 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDF 0xB5 0xC7 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBE 0xE3 0xD1 0x35 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0x08 0x94 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDF 0xB5 0xC7 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBE 0xE3 0xD1 0x35 ...

---- EOF - GMER 1.0.15 ----

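As an added example (not from the thread or from GMER's authors), a small Python triage script for the hook listing in the log above: it parses the four hook line shapes that appear there and groups the hooks by the module they jump to. The sample lines are copied from the log with one description shortened, and the line shapes are assumed from this log alone.

```python
"""Group the hooks in a GMER 1.0.15 log by the module they jump to.
Added example (not part of the thread): parses the four hook line shapes in
the log above and reports which module owns each hook and which hooks point
outside the image being hooked, the two things a responder triages first."""
import re
from collections import Counter

# Constructed sample: lines from the log above, one description shortened.
SAMPLE_LOG = r"""
.text ntkrnlpa.exe!ZwSaveKeyEx + 1212 830623DE 5 Bytes JMP 8E618E80 \SystemRoot\system32\drivers\EstRtw.sys (RealTime Kernel Driver/ESTsoft Corp)
.text C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye[1920] kernel32.dll!LoadLibraryA 75B92864 5 Bytes JMP 00E923A8 C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye (RealTime Service/ESTsoft Corp)
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88E19042] \SystemRoot\System32\Drivers\sprx.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88E196D6] \SystemRoot\System32\Drivers\sprx.sys
IAT \SystemRoot\System32\Drivers\asvinsmi.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT C:\Program Files\ESTsoft\ALYac\AYAgent.aye[3808] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75545D3D] C:\Windows\system32\apphelp.dll (Microsoft Corporation)
"""

HEX = r"[0-9A-F]+"
DESC = r"(?: \((?P<desc>.+)\))?$"  # optional trailing "(description/vendor)"
USER_TEXT = re.compile(rf"^\.text (?P<victim>.+?)\[\d+\] (?P<lib>\S+)!(?P<func>\S+) "
                       rf"{HEX} \d+ Bytes JMP {HEX} (?P<target>.+?){DESC}")
KERNEL_TEXT = re.compile(rf"^\.text (?P<lib>\S+)!(?P<func>\S+)(?: \+ {HEX})? {HEX} "
                         rf"\d+ Bytes JMP {HEX}(?: (?P<target>.+?))?{DESC}")
USER_IAT = re.compile(rf"^IAT (?P<victim>.+?)\[\d+\] @ .+? \[(?P<lib>\S+)!(?P<func>\S+)\] "
                      rf"\[{HEX}\] (?P<target>.+?){DESC}")
KERNEL_IAT = re.compile(rf"^IAT (?P<victim>\S+)\[(?P<lib>\S+)!(?P<func>\S+)\] "
                        rf"(?:\[{HEX}\] (?P<target>\S+)|{HEX})$")
PATTERNS = [("user .text", USER_TEXT), ("kernel .text", KERNEL_TEXT),
            ("user IAT", USER_IAT), ("kernel IAT", KERNEL_IAT)]

def basename(path):
    """Last path component, lower-cased, so hooked and target images compare equal."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_hooks(text):
    """One dict per recognised hook line; byte patches, 'section is writeable'
    and file-not-found lines are left alone."""
    hooks = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.match(line.strip())
            if m:  # kernel .text lines name only the patched image, so it is the victim
                victim = m.groupdict().get("victim") or m["lib"]
                target = basename(m["target"]) if m["target"] else "(unresolved)"
                hooks.append({"kind": kind, "victim": basename(victim),
                              "symbol": f'{m["lib"]}!{m["func"]}', "target": target})
                break
    return hooks

def hooks_by_target(hooks):
    """Count hooks per (target, hooked image): every atapi.sys IAT slot in the
    log resolving to sprx.sys shows up as one line instead of four."""
    return Counter((h["target"], h["victim"]) for h in hooks)

def foreign_hooks(hooks):
    """Hooks whose code is outside the hooked image. Self-hooks (the ALYac
    services above) are routine; the rest need the owning driver identified."""
    return [h for h in hooks if h["target"] != h["victim"]]

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for (target, victim), n in hooks_by_target(hooks).most_common():
        print(f"{n:3d}  {victim:<14} -> {target}")
    for h in foreign_hooks(hooks):
        print(f"check: {h['kind']:<12} {h['symbol']} -> {h['target']}")
```

In the full log above, the same grouping shows all four atapi.sys IAT entries resolving to sprx.sys, the driver that the Devices section lists under \Driver\sptd and whose Cfg key points at the DAEMON Tools Lite folder.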
#4 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:46 PM

Posted 07 January 2012 - 03:05 PM

You're not running any AV program.
Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run full scan, report on any findings.

Next...

We'll try to fix your Windows firewall issue.

The following steps involve registry editing. Please create a new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/


Download Seven.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Double click on the mpssvc.reg file and confirm the prompt.
Restart the computer, check on the Windows firewall and post a new FSS log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


#5 tobitobitobi
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:46 PM

Posted 09 January 2012 - 06:00 PM

Broni,

I had another issue.

Out of nowhere, today I got Trojan.Generic.KDV, which one of my anti-virus programs, Al-Yac, found.

I ran the software and managed to quarantine everything; haven't found it during the 2nd run.

What should I do to make sure all trojan/win 7 traces are gone?

#6 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:46 PM

Posted 09 January 2012 - 06:05 PM

You didn't have any AV program installed and your Windows firewall is not running.
Complete steps from my previous reply as soon as possible.


#7 tobitobitobi
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:46 PM

Posted 09 January 2012 - 06:15 PM

Will do them asap.

Also, I reran AV and it found 4 viruses including a backdoor...

I am installing Avast at the moment

On another note, I am not sure why it's displaying that I don't have AV; I'm actually running two:

Al-Yac (Korean AV) and MBAM

Edited by tobitobitobi, 09 January 2012 - 06:21 PM.


#8 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:46 PM

Posted 09 January 2012 - 06:29 PM

Al-Yac (korean AV)

In that case do NOT install Avast.


#9 tobitobitobi
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:46 PM

Posted 09 January 2012 - 06:47 PM

Hey Broni,

Here is the latest FSS.

The firewall setting is a "green checkmark", so I am assuming it's working now.

Farbar Service Scanner
Ran by family (administrator) on 09-01-2012 at 18:46:03
Microsoft Windows 7 Professional K (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2009-07-13 18:53] - [2009-07-13 20:15] - 0565760 ____A (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 18:54] - [2009-07-13 20:14] - 0493568 ____A (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll
[2009-07-13 18:23] - [2009-07-13 20:16] - 0125952 ____A (Microsoft Corporation) 5FD90ABDBFAEE85986802622CBB03446

C:\Windows\system32\vssvc.exe
[2009-07-13 18:24] - [2009-07-13 20:14] - 1025536 ____A (Microsoft Corporation) 7EA2BCD94D9CFAF4C556F5CC94532A6C

C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 19:15] - [2009-07-13 20:16] - 1912832 ____A (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 18:30] - [2009-07-13 20:16] - 0589312 ____A (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-07-13 18:33] - [2009-07-13 20:15] - 0135680 ____A (Microsoft Corporation) 9C231178CE4FB385F4B54B0A9080B8A4

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

#10 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:46 PM

Posted 09 January 2012 - 07:00 PM

Good job :)

How is the computer doing?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on the Start button to begin the cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE: If ESET doesn't find any threats, it'll NOT produce any log.


#11 tobitobitobi
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:46 PM

Posted 09 January 2012 - 07:30 PM

It seems to be running OK.

I ran TFC but I'm having issues running the ESET scanner; something about update errors.

Is there an alternative?

#12 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:46 PM

Posted 09 January 2012 - 07:58 PM

I need to know the exact error.


#13 tobitobitobi
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:46 PM

Posted 09 January 2012 - 08:25 PM

Another Trojan picked up by AV protection...

Possible false positive?

Gen: Trojan.heur.gen

found in: Windows//Temp//_avast_

and just recently autoprotect from Avast blocked a "malware" in the Al-Yac (AV) folder???

Are they interacting with each other?

I'll remove Avast as you said.

Edited by tobitobitobi, 09 January 2012 - 08:30 PM.


#14 Broni
    The Coolest BC Computer
  • BC Advisor
  • 42,679 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:07:46 PM

Posted 09 January 2012 - 08:30 PM

Please read my previous reply.


#15 tobitobitobi
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:46 PM

Posted 09 January 2012 - 08:36 PM

Please read my previous reply.


Oh sorry, I missed that reply.

The exact error said "Unknown error" after it reached 100% on update.

When I tried relaunching it, it said something about a proxy error.
