Malwarebytes

Google redirects, .fsharproj problem


#1
dhdhor

    New Member

  • Members
  • 2 posts
Hello

I've been searching for a .fsharproj solution for a few days, since I keep getting redirected to strange web sites (ask the crew, etc.), and Backspace or Alt+<- doesn't work: as many times as I click it, it puts me back to the site where I was. I'm also having random pop-up ads like "Congratulations! You won blah blah".
Please help! Your aid will be greatly appreciated!

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8243

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/27/2011 2:32:32 PM
mbam-log-2011-11-27 (14-32-32).txt

Scan type: Quick scan
Objects scanned: 192189
Time elapsed: 13 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by USER at 14:19:34 on 2011-11-27
Microsoft Windows XP Professional 5.1.2600.3.949.1.1033.18.3069.1861 [GMT -8:00]
.
AV: 알약 *Enabled/Updated* {B9431E5A-E196-4B6F-843A-10E01DB25461}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESTsoft\ALYac\AYRTSrv.aye
C:\Program Files\ESTsoft\ALYac\AYUpdSrv.aye
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Clubfos.com\Clubfos(fast)\WinCloud.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Naver\QuickManager2\MRDaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESTsoft\ALYac\AYAgent.aye
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\conime.exe
c:\program files\estsoft\alyac\ALYac.aye
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.naver.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MRDaemon.exe] c:\program files\naver\quickmanager2\MRDaemon.exe
uRun: [AppleData] rundll32.exe "c:\documents and settings\user\local settings\application data\apple computer\appledata\Appledata.dll",DllRegisterServer
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ALYac] "c:\program files\estsoft\alyac\AYLaunch.exe" /run
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AppleData] rundll32.exe "c:\documents and settings\user\local settings\application data\apple computer\appledata\Appledata.dll",DllRegisterServer
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4222484B-6567-4C76-A078-A733022E6AE4} - hxxp://www.clubfos.com/scripts/clubfos/mmsv/ClubfosFileControl.CAB
DPF: {FE342FC7-4374-4EBE-86DB-D73AE861F779} - hxxp://music.naver.com/NaverAXGuide.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7081B436-05D0-4BCE-A433-2F41E3AB3E1C} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 EstRtwIFDrv;EstRtwIFDrv;c:\windows\system32\drivers\EstRtw.sys [2011-10-19 205112]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/08/20 15:57:33];c:\program files\cyberlink\powerdvd9\000.fcl [2009-2-28 87536]
R2 ALYac_RTSrv;ALYac RealTime Service;c:\program files\estsoft\alyac\AYRTSrv.aye [2011-8-24 377656]
R2 ALYac_UpdSrv;ALYac Update Service;c:\program files\estsoft\alyac\AYUpdSrv.aye [2011-8-24 657720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-20 366152]
R2 WinCloud;WinCloud;c:\program files\clubfos.com\clubfos(fast)\WinCloud.exe [2011-6-4 1341528]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-8-20 112128]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-8-20 193840]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-7-20 100184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-20 22216]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-8-20 91496]
R3 scskusbf;USB SCSK Filter Driver Service;c:\windows\system32\drivers\scskusbf.sys [2011-8-19 18184]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-27 41272]
S3 AhnFlt2k;AhnFlt2k;\??\c:\windows\system32\drivers\ahnflt2k.sys --> c:\windows\system32\drivers\AhnFlt2k.sys [?]
S3 AhnRec2k;AhnRec2k;\??\c:\windows\system32\drivers\ahnrec2k.sys --> c:\windows\system32\drivers\AhnRec2k.sys [?]
S3 cdspacex;cdspacex;c:\windows\system32\drivers\cdspacex.sys --> c:\windows\system32\drivers\CDSPACEX.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S3 JRSKD24;JRSKD24;c:\windows\system32\JRSKD24.SYS [2010-12-31 37688]
S3 JRSUKD25;JRSUKD25;c:\windows\system32\JRSUKD25.SYS [2010-8-26 12728]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 scsk5;SCSK5 Driver Service;c:\windows\system32\drivers\scsk5.sys --> c:\windows\system32\drivers\scsk5.sys [?]
S3 scskusbs;USB SCSK Driver Service;c:\windows\system32\drivers\scskusbs.sys [2011-8-19 175872]
S3 TwoRabts;Two Rabbits Live Bus;c:\windows\system32\drivers\tworabts.sys --> c:\windows\system32\drivers\TwoRabts.sys [?]
.
=============== Created Last 30 ================
.
2011-11-27 22:07:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-11-27 19:50:25 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-11-27 18:15:38 -------- d-----w- c:\windows\pss
2011-11-17 18:50:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-10-24 11:09:41 205112 ----a-w- c:\windows\system32\drivers\EstRtw.sys
2011-10-14 01:04:38 790528 ----a-w- c:\windows\system32\ffdshow.ax
2011-10-14 01:04:15 921600 ----a-w- c:\windows\system32\vorbisenc.dll
2011-10-14 01:04:09 188416 ----a-w- c:\windows\system32\vorbis.dll
2011-10-14 01:04:07 237568 ----a-w- c:\windows\system32\OggDS.dll
2011-10-14 01:04:05 45056 ----a-w- c:\windows\system32\ogg.dll
2011-10-14 01:04:04 102160 ----a-w- c:\windows\system32\vb6ko.dll
2011-10-14 01:04:02 1385744 ----a-w- c:\windows\system32\MSVBVM60.DLL
2011-10-12 02:45:00 2159696 ----a-w- c:\windows\system32\btscan.exe
2011-09-28 00:02:30 18184 ----a-w- c:\windows\system32\drivers\scskusbf.sys
2011-09-28 00:02:30 175872 ----a-w- c:\windows\system32\drivers\scskusbs.sys
2011-09-16 09:26:12 108472 ----a-w- c:\windows\system32\NSAppHelper.dll
2011-09-01 01:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 14:20:51.56 ===============
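As an added example, not from this thread or from Malwarebytes or DDS, here is a small Python triage script for the "Pseudo HJT Report" section of a DDS log like the one above. It parses the uRun/mRun/dRun autostart lines and flags entries whose target sits in a user-writable location, or that use rundll32 to call DllRegisterServer at every logon, so an analyst can see at a glance which entries deserve a manual look. The hive mapping and both heuristics are assumptions of this example, not DDS's own logic.

```python
import re

# Lines copied from the DDS "Pseudo HJT Report" above, used here as constructed test input.
SAMPLE_LINES = [
    'uRun: [MSMSGS] "c:\\program files\\messenger\\msmsgs.exe" /background',
    'uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe',
    'uRun: [AppleData] rundll32.exe "c:\\documents and settings\\user\\local settings'
    '\\application data\\apple computer\\appledata\\Appledata.dll",DllRegisterServer',
    'mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup',
    'dRun: [CTFMON.EXE] c:\\windows\\system32\\CTFMON.EXE',
]

# Assumed DDS prefix mapping: uRun = HKCU Run, mRun = HKLM Run, dRun = default-user hive Run.
HIVES = {'u': 'HKCU', 'm': 'HKLM', 'd': 'HKU\\.DEFAULT'}
ENTRY_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')
# Per-user and temp locations: any process running as the user can write here,
# so a vendor autostart that lives there is unusual and worth a manual check.
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\', '\\temp\\')

def parse_run_entry(line):
    """Return a dict describing one Run entry, or None if the line is not a Run line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd').strip()
    entry = {'hive': HIVES[m.group('hive')], 'name': m.group('name'), 'cmd': cmd, 'reasons': []}
    rd = RUNDLL_RE.match(cmd)
    if rd:
        target = rd.group('dll').strip()
        entry['export'] = rd.group('export')
        # Re-registering a COM DLL at every logon is not how normal vendor autostarts behave.
        if entry['export'].lower() == 'dllregisterserver':
            entry['reasons'].append('rundll32 calls DllRegisterServer at logon')
    else:
        em = EXE_RE.match(cmd)
        target = (em.group('q') or em.group('u')) if em else cmd
    entry['target'] = target.lower()
    if any(marker in entry['target'] for marker in USER_WRITABLE):
        entry['reasons'].append('autostart target lives in a user-writable location')
    return entry

def triage(lines):
    """Parse every Run line and return only the entries that tripped at least one heuristic."""
    entries = (parse_run_entry(line) for line in lines)
    return [e for e in entries if e and e['reasons']]

if __name__ == '__main__':
    for e in triage(SAMPLE_LINES):
        print(f"{e['hive']}\\Run [{e['name']}] -> {e['target']}: {'; '.join(e['reasons'])}")
```

A flagged entry is a lead, not a verdict; compare the file's publisher, signature and timestamps before acting on it.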




#2
dhdhor

    New Member

  • Members
  • 2 posts
Additionally, every time I shut iexplorer, my cookie setting resets to the lowest level, which is "accept all cookies", and cookies already saved on this computer can be read by the website that made them.

#3
Elise

    Forum Deity

  • Experts
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Hello and welcome!

Unfortunately you have a nasty rootkit on your computer. Please read the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#4
screen317

    MBAM Sentinel

  • Moderators
  • 19,465 posts
  • Gender:Male
  • Location:New Haven, CT
Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Chris Fistonich
Research Team


#5
screen317

    MBAM Sentinel

  • Moderators
  • 19,465 posts
  • Gender:Male
  • Location:New Haven, CT
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
Chris Fistonich
Research Team
