
Random audio ads in the background


This topic is locked. 53 replies to this topic.

#1 ATV1010


Posted 06 April 2014 - 07:49 PM

I've posted this at the wrong place before, so I'm re-posting it:

It seems like this is a known issue and I've followed instructions from other websites to remove the malware....to no avail. Every time I reboot, the noise is back. When I disable the internet connection, the noise stops. Again, as soon as I enable the connection, the random commercial/interview noise is in the background without any popup windows.

At this point, even my internet has stopped working properly unless I'm in safe mode with networking. I've tried various malware removal tools, Malwarebytes, adwcleaner, HitmanPro, TDSS, RogueKiller and others I can't even remember.

Please help me!

-atv


#2 jeffce


Posted 06 April 2014 - 07:53 PM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 
Having said that.... Let's get going!!
----------
 
Even though you said that you had already run some tools, let's do the following....
 

Please download DDS from either of these links
 
LINK 1
LINK 2
 
and save it to your desktop.

  • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here )
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:
 
DDS.txt
 
Attach.txt
----------
 

Malwarebytes Anti-Rootkit
 
Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
  • If malware is found, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.

If there is no malware found, please let me know as well.
----------
 

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

----------


 


#3 ATV1010


Posted 06 April 2014 - 09:09 PM

Hello Jeff,

Thanks for helping me out! I'm currently running all scans under Normal mode with internet connection.

Malwarebytes Anti-rootkit detected no malware but the log seems a bit odd to me. Should I run it again? Here are the 4 logs in order:

1. DDS.txt log

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by USER at 18:12:15 on 2014-04-06
Microsoft Windows 7 Home Premium K   6.1.7601.1.949.82.1042.18.3893.2286 [GMT -7:00]
.
AV: V3 Lite *Disabled/Updated* {E3F3177F-EA7A-2C73-98E5-1824D7AE4022}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: V3 Lite *Disabled/Updated* {5892F69B-CC40-23FD-A255-2356AC290A9F}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\nPStarterSVC.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\SysWOW64\npnj5Agent.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\USADISK\WEBHARD_Agent.exe
C:\Program Files\AhnLab\V3Lite30\ASDSvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler64.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\AhnLab\V3Lite30\V3Lite.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_9_900_170_ActiveX.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AutorunsDisabled - <orphaned>
BHO: Microsoft 계정 로그인 도우미: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Microsoft Excel로 내보내기(&X) - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: dacom.net
Trusted Zone: ebs.co.kr
Trusted Zone: ebsi.co.kr
Trusted Zone: lgdacom.net
Trusted Zone: uplus.co.kr
DPF: {0349EF81-B9C1-4B97-86F7-7B931D0E2532} - hxxp://sticube.clubbox.co.kr/sticubeupdate/cab/NowStarter2.cab
DPF: {063F7D71-5E0B-48F2-87D5-F63C5917947E} - hxxp://ahnlabdownload.nefficient.co.kr/aos/plugin/aosmgr.cab
DPF: {1219B6C3-CD4D-4243-9A4F-4C9F12FCC6E7} - hxxps://ck.softforum.co.kr/CKKeyPro/yessign/CKKeyProInst.cab
DPF: {1A000B1F-B285-4FBF-B3CD-B50845003EBA} - hxxp://cesi.kedi.re.kr/Miplatform/install320A/MiPlatform_Updater320_20070809_1500.cab
DPF: {1B5EE264-CCAB-48A4-B8DA-04D4BB004CC3} - hxxp://202.31.182.175/Miplatform/miUpdate/MiUpdater310.cab
DPF: {1D4FC3AF-3253-43A4-B346-5D1198D1EB8E} - hxxp://img.shinhan.com/rib/common/INISWebPlus/INISWebPlus10.cab
DPF: {20BBA18F-5BC8-47B5-8FC9-5DFCA8E56A4B} - hxxps://mpi.dacom.net/XMPI/js/LGUplus_XMPI_20110503.cab
DPF: {24F6E6A8-852C-45A8-ADD3-C4AB0D6FD231} - hxxps://plugin.inicis.com/wallet61/INIwallet61_vista.cab
DPF: {2587A1BE-8046-4FC3-A957-C489945110E1} - hxxp://pgdownload.uplus.co.kr/dacom/IssacWebProCMS_4_3_1_3_LG_UPLUS.cab
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxp://image.cjmall.com/initech/plugin/download_2011/INIS60.cab
DPF: {2DB4AD78-12DE-4BD4-97E5-ED3C0381DB26} - hxxp://its.gccity.go.kr/docs/ocx/SBMapAX.cab
DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} - hxxp://img.shinhan.com/shttp/install/72012/down/INIS70.cab
DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} - hxxp://img.shinhan.com/nexrib2/common/keyStroke/SoftCamp/403196/SCSK4_WOW64.cab
DPF: {3C36DCBE-5CDF-4C35-9D0B-4A1882B2EB0A} - hxxps://tx.allatpay.com/component/AllatPayRE.cab
DPF: {48ECCD73-123C-4C25-A64C-76E8E8A30CAF} - hxxps://mpi.dacom.net/XPayMPI/XPayMPI.cab
DPF: {51B1D5ED-67DC-43F0-A3F8-8502F1A5E404} - hxxps://supdate.nprotect.net/nprotect2007/lottecom/npstarter_0812151.cab
DPF: {646232F1-8C70-4806-9499-BA01A59FDA74} - hxxps://www.yessign.or.kr/main/yessignCert/yessign7.cab
DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} - hxxp://img.shinhan.com/rib/common/ProWorksGrid_86.cab
DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} - hxxps://www.yessign.or.kr/main/yessignCert/CKKeyPro3026_32k.cab
DPF: {77CDF0B2-CDD6-4624-8BC5-0673695457D3} - hxxps://www.yessign.or.kr/main/yessignCert/yessign7CMP.cab
DPF: {78530AB7-7AC1-48E6-961E-A8D4EED52BAA} - hxxp://ems.epost.go.kr:8080/AIViewer/AIGeneratorOcx.cab
DPF: {7DF7072E-921F-49DD-BA6F-4E9EB65DD55F} - hxxp://www.tworld.co.kr/bin/common/upload/SKTFileUploader.cab
DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} - hxxps://vbv.shinhancard.com/XecureObject/xw_install.cab
DPF: {8768D5EA-5412-4810-A032-09AD2A726C69} - hxxp://bgweb.nowcdn.co.kr/Bin/DownStarter2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} - hxxp://www.nophishing.co.kr/softrun/SH02/SRNPSH.cab
DPF: {91F1F5BA-866F-47D1-86A3-955EF0DD1717} - hxxp://www.ebsi.co.kr/ebs/ebsi/common/activeX/webboard20100628/SetupCallerAX.cab
DPF: {95A57FEB-0909-4FEA-B819-63DA7C4D9E1E} - hxxp://img.shinhan.com/rib/ko/print/PrintmadeActiveX.cab
DPF: {99C709C7-4F58-46C1-855B-90213C760395} - hxxps://v3d.kcp.co.kr/file/kcp_ansimclick.cab
DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} - hxxp://download.signgate.com/download/2048/ews/ewsinstaller_full.cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://kings.nefficient.co.kr/kings/kdfx/kdfx337/kdfense8.cab
DPF: {AC6D4501-1A42-4E5D-91AF-395406EF4303} - hxxp://o2jam.nopp.co.kr/ActiveX/NowSmartLauncher.cab
DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} - hxxps://www.bankpay.or.kr/BankPayEFT.cab
DPF: {B7DF6B14-7F2A-49C2-A8C8-21AAD560B0BC} - hxxp://cdn.usadisk.com/client/USAControl.CAB
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_1_4/DaumActiveX.cab?ver=2,0,1,4
DPF: {BD35F007-4FDB-11D5-8AA8-00AA00BC6F1D} - hxxp://ems.epost.go.kr:8080/serviceCab/hybrid/hybrid.cab
DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} - hxxps://vbv.shinhancard.com/infovine/VineTransfer.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {DFA2898C-FB7D-4352-B8E8-51D2B96885B8} - hxxp://service.epost.go.kr/serviceCab/hybrid/neolistctl.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E42F7FEB-DE20-43F4-A342-47F1DA77F667} - hxxp://pgdownload.uplus.co.kr/lguplus/XPayPlugin_3.0.0.1.cab
DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} - hxxp://www.vpay.co.kr/kvpfiles_new/KVPISPCTLD_VISTA64.cab
DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - hxxp://www.tworld.co.kr/initech/plugin/down/INIS50.cab
DPF: {F30E6BE6-F620-4DD7-B67C-47920AEC2F4E} - hxxp://o2jam.nopp.co.kr/ActiveX/systeminfo.cab
DPF: {FFD77E35-1C34-4EAC-B5A7-414CC5D007DA} - hxxps://www.akmall.com/common/js/order/ilk/ilkactx2011.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A}\05340235562767963656023456E6475627 : DHCPNameServer = 192.168.17.1
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A}\16474777966696 : DHCPNameServer = 10.12.16.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A}\96074796D656 : DHCPNameServer = 168.126.63.1 168.126.63.2
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A}\A457869757E676 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A}\C696E6B6379737 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A}\C696E6B6379737F5355435F52373132313 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{846C2A76-3A5B-494C-AC15-4AB6D6696E6D} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E228BEA4-432F-4F0C-8DF7-EA7FD9C680C6} : DHCPNameServer = 192.168.0.1
Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files (x86)\INITECH\SHTTP\InitechSHTTPInterface.11015.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files (x86)\INITECH\SHTTP\InitechSHTTPInterface.11015.dll
SSODL: WebCheck - <orphaned>
x64-BHO: AutorunsDisabled - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [V3 Application] "C:\Program Files\AhnLab\V3Lite30\V3Lite.exe" /tray
x64-Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Name-Space Handler: http\s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\144h0lxi.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 2
.
============= SERVICES / DRIVERS ===============
.
R1 AMonLWLH;Ahnlab Light Weight Filter;C:\Windows\System32\drivers\AMonLWLH.sys [2014-1-16 51960]
R1 AMonTDLH;AMonTDLH;C:\Windows\System32\drivers\AmonTDLh.sys [2011-6-5 141048]
R1 ATamptNt_V3LITE30;ATamptNt_V3LITE30;C:\PROGRA~1\AhnLab\V3Lite30\ATamptNt.sys [2014-1-16 302336]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\Windows\System32\drivers\SABI.sys [2011-4-12 13824]
R2 nPStarterSVC;nProtect Starter;C:\Windows\System32\nPStarterSVC.exe --> C:\Windows\System32\nPStarterSVC.exe [?]
R2 USADISK_AGENT;USADISK UPDATE SERVICE;C:\Program Files (x86)\USADISK\WEBHARD_Agent.exe [2013-2-18 150528]
R2 V3 Service;V3 Lite Service;C:\Program Files\AhnLab\V3Lite30\ASDSvc.exe [2014-1-16 486152]
R3 AhnRghNt;AhnRghNt;C:\Windows\System32\drivers\AhnRghNt.sys [2014-1-16 58032]
R3 Cdm2DrNt;Cdm2DrNt;C:\Windows\System32\drivers\Cdm2DrNt.sys [2014-1-16 89856]
R3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2013-6-19 283064]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2011-4-13 136192]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-4-13 158976]
R3 IntcDAud;인텔® 디스플레이 오디오;C:\Windows\System32\drivers\IntcDAud.sys [2011-4-13 289280]
R3 MeDCoreD_V3LITE30;MeDCoreD_V3LITE30;C:\Program Files\AhnLab\V3Lite30\MeDCoreD.sys [2014-1-16 907504]
R3 MeDVpDrv_V3LITE30;MeDVpDrv_V3LITE30;C:\Program Files\AhnLab\V3Lite30\MeDVpDrv.sys [2014-1-16 488176]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S1 ascrts_V3LITE30;ascrts_V3LITE30;C:\Program Files\AhnLab\V3Lite30\asc\ascrts.sys [2014-1-16 3552984]
S1 TSFLTDRV_V3LITE30;TSFLTDRV_V3LITE30;C:\PROGRA~1\AhnLab\V3Lite30\TSFLTDRV.sys [2014-1-16 263416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-3-25 1809720]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-3-25 857912]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 AhnFlt2K;AhnFlt2K;C:\Windows\System32\drivers\AhnFlt2k.sys [2014-1-16 74488]
S3 AhnRec2K;AhnRec2K;C:\Windows\System32\drivers\AhnRec2k.sys [2014-1-16 27384]
S3 AntiStealth_V3LITE30;AntiStealth_V3LITE30;C:\Program Files\AhnLab\V3Lite30\AHAWKENT.SYS [2014-1-16 42752]
S3 AntiStealth_V3LITE30F;AntiStealth_V3LITE30F;C:\Program Files\AhnLab\V3Lite30\TFFREGNT.SYS [2014-1-16 177920]
S3 CdmDrvNt;CdmDrvNt;C:\Windows\System32\drivers\CdmDrvNt.sys [2011-6-3 25656]
S3 cleanhlp;cleanhlp;C:\Users\USER\Desktop\쥐를 잡자\Run\cleanhlp64.sys [2014-4-4 57024]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-12 111616]
S3 JRSKD24;JRSKD24;C:\Windows\System32\JRSKD24.SYS [2012-1-9 13896]
S3 kcrtx64;kcrtx64;C:\Windows\System32\kcrtx64.sys [2012-1-9 141848]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-4-2 25816]
S3 MfFWEnt;MfFWEnt;C:\Program Files\AhnLab\ASP\MyFirewall 4.0\mffwent.sys [2011-6-5 126072]
S3 MfIPSEnt;MfIPSEnt;C:\Program Files\AhnLab\ASP\MyFirewall 4.0\mfipsent.sys [2011-6-5 155256]
S3 Mkd2Bthf;Mkd2Bthf;C:\Windows\System32\drivers\Mkd2BthF.sys [2014-3-27 98552]
S3 Mkd2Nadr;Mkd2Nadr;C:\Windows\System32\drivers\Mkd2Nadr.sys [2014-3-27 112888]
S3 Mkd3kfNt;Mkd3kfNt;C:\Windows\System32\drivers\mkd3kfnt.sys [2014-3-27 168184]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-7 59392]
S3 WatAdminSvc;Windows 정품 인증 기술 서비스;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-5 1255736]
S4 NoPhishing;NoPhishing;C:\Users\Public\SoftRun\NoPhishing\NPNTService --> C:\Users\Public\SoftRun\NoPhishing\NPNTService [?]
.
=============== File Associations ===============
.
ShellExec: Hwp.exe: print=C:\HNC\Hwp70\HwpPrnMng.exe /p "%1"
.
=============== Created Last 30 ================
.
2014-04-07 00:59:11 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7CF20E13-9AF2-4202-B8E1-7FFD2D030799}\offreg.dll
2014-04-06 23:08:16 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-04-06 00:07:24 -------- d-sh--w- C:\$RECYCLE.BIN
2014-04-05 07:11:01 -------- d-----w- C:\Windows\ERUNT
2014-04-05 06:57:25 -------- d-----w- C:\AdwCleaner
2014-04-05 03:28:58 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2014-04-05 02:55:56 -------- d-----w- C:\Program Files\HitmanPro
2014-04-05 02:53:07 -------- d-----w- C:\ProgramData\HitmanPro
2014-04-05 02:45:23 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-04-04 19:55:59 -------- d-----w- C:\TDSSKiller_Quarantine
2014-04-04 19:49:44 10521840 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7CF20E13-9AF2-4202-B8E1-7FFD2D030799}\mpengine.dll
2014-04-02 23:01:20 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-29 05:35:32 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-03-27 22:12:24 119512 ----a-w- C:\Windows\System32\drivers\678418BE.sys
2014-03-27 22:12:16 119512 ----a-w- C:\Windows\System32\drivers\48230029.sys
2014-03-27 17:38:15 98552 ----a-w- C:\Windows\System32\drivers\Mkd2BthF.sys
2014-03-27 17:38:15 168184 ----a-w- C:\Windows\System32\drivers\mkd3kfnt.sys
2014-03-27 17:38:15 166792 ----a-w- C:\Windows\System32\drivers\klb64mkd.sys
2014-03-27 17:38:15 112888 ----a-w- C:\Windows\System32\drivers\Mkd2Nadr.sys
2014-03-25 08:02:17 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-03-25 08:02:16 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-03-22 20:19:49 -------- d-----w- C:\ProgramData\Nexon
2014-03-21 21:26:07 344064 ----a-w- C:\Windows\SysWow64\msvcr70.dll
2014-03-21 21:26:05 964608 ----a-w- C:\Windows\SysWow64\mfc70u.dll
2014-03-21 21:26:02 974848 ----a-w- C:\Windows\SysWow64\mfc70.dll
2014-03-21 21:25:59 1053184 ----a-w- C:\Windows\SysWow64\mfc71u.dll
2014-03-12 18:32:59 484864 ----a-w- C:\Windows\System32\wer.dll
2014-03-12 18:32:59 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-03-12 18:32:58 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-03-12 18:32:57 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-03-12 18:32:57 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-03-12 18:32:24 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-03-12 18:32:24 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
.
==================== Find3M  ====================
.
2014-04-03 12:13:00 3322072 ----a-w- C:\Windows\System32\btscan.exe
2014-03-15 06:40:27 967 ----a-w- C:\Windows\ScUnin.pif
2014-03-15 06:40:26 94208 ----a-w- C:\Windows\ScUnin.exe
2014-03-07 10:35:52 50608 ----a-w- C:\Windows\SysWow64\drivers\SCSK5.sys
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-16 06:43:30 65536 ----a-w- C:\Windows\IFinst27.exe
2014-02-02 11:23:23 194048 ----a-w- C:\Windows\SysWow64\elshyph.dll
2014-02-02 11:23:02 645120 ----a-w- C:\Windows\SysWow64\jsIntl.dll
2014-02-02 11:23:02 235008 ----a-w- C:\Windows\System32\elshyph.dll
2014-02-02 11:23:01 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2014-02-02 11:23:01 182272 ----a-w- C:\Windows\SysWow64\msls31.dll
2014-02-01 00:56:26 283064 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-16 08:13:38 1644888 ----a-w- C:\Windows\SHTTPSandBoxMonitor.10029.exe
2014-01-16 08:13:37 80728 ----a-w- C:\Windows\INISBDrvUnit.10002.dll
.
============= FINISH: 18:15:22.09 ===============

2. Attach.txt log

This is zipped and attached as instructed.

3. Malwarebytes Anti-rootkit log

 

Malwarebytes Anti-Rootkit BETA 0.00.0.0000
 v2014.04.06.10
Windows 7 Service Pack 1 x64 NTFS
 11.0.9600.16521
USER :: USER1-PC
2014-04-06 오후 6:26:07
mbar-log-2014-04-06 (18-26-07).txt
 293932
 19 , 56
 0
 0
 0
 0
 0
 0
 0
 0


4. AdwCleaner log

 

# AdwCleaner v3.023 - Report created 06/04/2014 at 18:51:12
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : USER - USER1-PC
# Running from : C:\Users\USER\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\USERs\USER\AppData\Roaming\Mozilla\Firefox\Profiles\144h0lxi.default\prefs.js ]

-\\ Google Chrome v

[ File : C:\Users\USER\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1459 octets] - [04/04/2014 23:57:35]
AdwCleaner[R1].txt - [1009 octets] - [05/04/2014 16:26:33]
AdwCleaner[R2].txt - [1130 octets] - [06/04/2014 15:50:58]
AdwCleaner[R3].txt - [1240 octets] - [06/04/2014 18:49:09]
AdwCleaner[S0].txt - [1536 octets] - [05/04/2014 00:02:31]
AdwCleaner[S1].txt - [1070 octets] - [05/04/2014 16:30:14]
AdwCleaner[S2].txt - [1192 octets] - [06/04/2014 15:51:54]
AdwCleaner[S3].txt - [1162 octets] - [06/04/2014 18:51:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1222 octets] ##########


-atv


#4 jeffce


Posted 07 April 2014 - 06:45 AM

Before we continue....is your system set to connect to a proxy server by chance??


 


#5 ATV1010


Posted 07 April 2014 - 08:55 AM

Yes, I've set it up with Firefox in order to access school library website off-campus. Do I need to disable it?
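Added triage example, not DDS's own code and not anything the responder in this thread ran: a Python parser over the line shapes DDS uses in its Pseudo HJT Report and FIREFOX sections, fed with lines excerpted from the DDS.txt posted above. It decodes the Firefox network.proxy.type value behind the proxy question, flags mPolicies-System values weaker than the Windows 7 UAC defaults (the defaults are an assumption), lists orphaned registrations, and collects non-private DNS resolvers for verification with the user.

```python
"""Triage of DDS 'Pseudo HJT Report' and FIREFOX lines (added example, not DDS's own code)."""
import ipaddress
import re

# Lines excerpted from the DDS.txt posted in this thread; DDS writes URLs as hxxp.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
BHO: AutorunsDisabled - <orphaned>
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{70725585-AC56-4D01-8FF3-7ECB194D5F4A} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E228BEA4-432F-4F0C-8DF7-EA7FD9C680C6} : DHCPNameServer = 192.168.0.1
x64-Handler: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 2
"""

# Meaning of the Firefox network.proxy.type preference values.
PROXY_TYPES = {
    "0": "direct connection",
    "1": "manual proxy",
    "2": "PAC script URL",
    "4": "auto-detect (WPAD)",
    "5": "system proxy settings",
}

# mPolicies-System values that weaken UAC relative to the Windows 7 defaults
# (assumed defaults: PromptOnSecureDesktop=1, EnableLUA=1, ConsentPromptBehaviorAdmin=5).
WEAK_UAC = {
    ("PromptOnSecureDesktop", "0"): "elevation prompts are not isolated on the secure desktop",
    ("EnableLUA", "0"): "UAC is switched off entirely",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate silently, without any prompt",
}

# The three line shapes DDS uses in these sections, tried in order.
_LINE_SHAPES = [
    re.compile(r"^(?P<section>FF) - prefs\.js: (?P<key>\S+) - (?P<value>.*)$"),
    re.compile(r"^(?P<section>[\w-]+): (?P<key>.+?) = (?P<value>.*)$"),
    re.compile(r"^(?P<section>[\w-]+): (?P<key>.+?) - (?P<value>.*)$"),
]


def parse_dds(text):
    """Yield (section, key, value) for every line that matches a known DDS shape."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for shape in _LINE_SHAPES:
            m = shape.match(line)
            if m:
                yield m["section"], m["key"], m["value"]
                break


def triage(text):
    """Return human-readable findings a responder would want to ask about or fix."""
    findings = []
    resolvers = set()
    for section, key, value in parse_dds(text):
        if section == "FF" and key == "network.proxy.type":
            if value != "0":  # anything but a direct connection deserves a question
                meaning = PROXY_TYPES.get(value, "unknown value")
                findings.append(f"Firefox proxy mode {value} ({meaning}): confirm the user set this on purpose")
        elif section == "mPolicies-System":
            data = value.split(":")[-1]          # "dword:0" -> "0"
            reason = WEAK_UAC.get((key, data))
            if reason:
                findings.append(f"UAC policy {key}={data}: {reason}")
        elif section == "TCP" and key.endswith("NameServer"):
            resolvers.update(value.split())      # static and per-interface DHCP resolvers
        elif value.endswith("<orphaned>"):
            findings.append(f"orphaned {section} entry '{key}': registration points at a missing file")
    public = sorted(ip for ip in resolvers if not ipaddress.ip_address(ip).is_private)
    if public:
        findings.append("non-private DNS resolvers configured: " + ", ".join(public)
                        + "; verify they belong to the ISP")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```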

#6 jeffce


Posted 07 April 2014 - 09:05 AM

No no....   :)

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------


 


#7 ATV1010


Posted 07 April 2014 - 10:15 PM

Hello Jeff,

I had to run the scanner twice since it froze for about two hours the first time. Here's the aswMBR log:

-atv

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-04-07 17:05:21
-----------------------------
17:05:21.318    OS Version: Windows x64 6.1.7601 Service Pack 1
17:05:21.318    Number of processors: 2 586 0x2505
17:05:21.318    ComputerName: USER1-PC  UserName: USER
17:05:22.208    Initialize success
17:05:55.243    AVAST engine defs: 14040700
17:10:36.192    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:10:36.192    Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 610480MB BusType: 3
17:10:36.602    Disk 0 MBR read successfully
17:10:36.602    Disk 0 MBR scan
17:10:36.612    Disk 0 unknown MBR code
17:10:36.642    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        20480 MB offset 2048
17:10:36.682    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 41945088
17:10:36.722    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       236544 MB offset 42149888
17:10:36.732    Disk 0 Partition - 00     0F Extended LBA            353354 MB offset 526592000
17:10:36.822    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       353353 MB offset 526594048
17:10:37.392    Disk 0 scanning C:\Windows\system32\drivers
17:11:41.273    Service scanning
17:12:11.640    Modules scanning
17:12:11.980    Disk 0 trace - called modules:
17:12:12.000    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:12:12.010    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80044e5060]
17:12:12.020    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80042f3050]
17:12:12.780    AVAST engine scan C:\Windows
17:13:10.467    AVAST engine scan C:\Windows\system32
17:23:07.887    AVAST engine scan C:\Windows\system32\drivers
17:23:50.621    AVAST engine scan C:\Users\USER
19:31:29.421    AVAST engine scan C:\ProgramData
19:34:52.794    Scan finished successfully
20:05:25.314    Disk 0 MBR has been saved successfully to "C:\Users\USER\Desktop\MBR.dat"
20:05:25.324    The log file has been saved successfully to "C:\Users\USER\Desktop\aswMBR.txt"



#8 jeffce


Posted 08 April 2014 - 06:32 AM

ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

 


#9 ATV1010


Posted 08 April 2014 - 11:52 AM

Hello Jeff,

I've just finished running ComboFix but the log is nowhere to be seen on the desktop. Is it saved somewhere else? I expected it to just show up automatically but so far it hasn't.

-atv



#10 jeffce


Posted 08 April 2014 - 12:06 PM

Take a look at C:\ComboFix.txt   :)


 


#11 ATV1010


Posted 08 April 2014 - 06:54 PM

I found the ComboFix log but it looks very odd. Seems like the scan wasn't properly completed after all. Please let me know whether I should run it again. Here's the odd-looking partial log.

ComboFix 14-04-08.01 - USER 8/2014 Tue   9:20:34.3.2 - x64
Microsoft Windows 7 Home Premium K   6.1.7601.1.949.82.1042.18.3893.2176 [GMT -7:00]
Running from: C:\Users\USER\Desktop\ComboFix.exe
AV: V3 Lite *Disabled/Updated* {E3F3177F-EA7A-2C73-98E5-1824D7AE4022}
SP: V3 Lite *Disabled/Updated* {5892F69B-CC40-23FD-A255-2356AC290A9F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



#12 jeffce


Posted 08 April 2014 - 07:01 PM

If that was all that was there, please go ahead and run ComboFix again.  :)  Thanks.


 


#13 ATV1010


Posted 09 April 2014 - 02:22 AM

Hello Jeff,

I'm afraid I'm having a bit of a problem here. ComboFix would run smoothly (or I thought it did). But when I went to C and clicked the log, it would give me an error message: registry marked for deletion. I can't open up the log either :(



#14 jeffce


Posted 09 April 2014 - 06:53 AM

Just go ahead and reboot your system once or twice.  Nothing to worry about.  :)


 


#15 ATV1010


Posted 09 April 2014 - 09:36 PM

Another no go :( ComboFix says it'll prepare the log and the system reboots. When I click the log this is all there is:

ComboFix 14-04-08.01 - USER 9/2014 Wed  17:54:41.13.2 - x64
Microsoft Windows 7 Home Premium K   6.1.7601.1.949.82.1042.18.3893.2660 [GMT -7:00]
Running from: C:\Users\USER\Desktop\ComboFix.exe
AV: V3 Lite *Disabled/Updated* {E3F3177F-EA7A-2C73-98E5-1824D7AE4022}
SP: V3 Lite *Disabled/Updated* {5892F69B-CC40-23FD-A255-2356AC290A9F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}





