Please help me with this Hijackthis log


11 replies to this topic

#1 vaviah

vaviah

  • Members
  • 7 posts

Posted 04 July 2005 - 01:04 PM

Hello!

I'm a new user in this excellent forum, and not an expert in removing
viruses. I already have F-Secure Client Security, but it seems to be useless
in removing certain viruses. Yesterday I had the ANTIVIRUS GOLD virus with the
blue box in the background and a black desktop image with warnings. I tried to
remove the virus three times with the detailed instructions in this forum. All three
instructions I used were a little bit different from each other. Anyway, now the background image is gone and the red circle with the white cross in the lower right bar is also gone.

Here are some problems I have at this time:
- sometimes MSMSGS.EXE tries to make a connection to the Internet
- Internet Explorer opens every time I start the computer
- "Script Host" tries to make a connection
- when I tried to scan the computer with "Spybot", the program
stalled in the position "Z-demon" with some German text

Here is the result
from hijackthis.exe:

Logfile of HijackThis v1.99.1
Scan saved at 21:00:42, on 4.7.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMA32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\BACKWEB\7681197\PROGRAM\FSBWSYS.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FCH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\BACKWEB\7681197\PROGRAM\BACKWEB-7681197.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FNRB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FAMEH32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSGK32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FIH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSSM32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSAV32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\OHJELMATIEDOSTOT\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PDESK\PDESK.EXE
C:\OHJELMATIEDOSTOT\WINDOWS CE SERVICES\DCCMAN.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSM32.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\OHJELMATIEDOSTOT\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.univadis.fi/medical_and_more/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\OHJELMATIEDOSTOT\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL (file missing)
O2 - BHO: Class - {28A5E86A-BEB3-2A6B-44A8-08239C13BA8E} - C:\WINDOWS\NETIA.DLL (file missing)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Ohjelmatiedostot\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Ohjelmatiedostot\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\OHJELM~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Ohjelmatiedostot\Windows CE Services\DCCMAN.EXE"
O4 - HKLM\..\Run: [Windows SyncroAd] C:\PROGRAM FILES\WINDOWS SYNCROAD\SYNCROAD.EXE
O4 - HKLM\..\Run: [dePloy] borlandg.exe
O4 - HKLM\..\Run: [systemdll] dePloy.exe
O4 - HKLM\..\Run: [72B1.TMP] C:\WINDOWS\TEMP\72B1.TMP.exe 0 10001
O4 - HKLM\..\Run: [8155.TMP] C:\WINDOWS\TEMP\8155.TMP.exe 0 10001
O4 - HKLM\..\Run: [xedhFIa] C:\VCTEJD.EXE
O4 - HKLM\..\Run: [D353.TMP] C:\WINDOWS\TEMP\D353.TMP.exe 0 10001
O4 - HKLM\..\Run: [A3A4.TMP] C:\WINDOWS\TEMP\A3A4.TMP.exe 0 10001
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [A3A4.TMP.EXE] C:\WINDOWS\TEMP\A3A4.TMP.EXE 0 10001
O4 - HKLM\..\Run: [C283.TMP] C:\WINDOWS\TEMP\C283.TMP.exe 0 10001
O4 - HKLM\..\Run: [C283.TMP.EXE] C:\WINDOWS\TEMP\C283.TMP.EXE 0 10001
O4 - HKLM\..\Run: [7125.TMP] C:\WINDOWS\TEMP\7125.TMP.exe 0 10001
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Ohjelmatiedostot\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Ohjelmatiedostot\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [7125.TMP.EXE] C:\WINDOWS\TEMP\7125.TMP.EXE 0 10001
O4 - HKLM\..\Run: [D353.TMP.EXE] C:\WINDOWS\TEMP\D353.TMP.EXE 0 10001
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [8155.TMP.EXE] C:\WINDOWS\TEMP\8155.TMP.EXE 0 10001
O4 - HKLM\..\Run: [72B1.TMP.EXE] C:\WINDOWS\TEMP\72B1.TMP.EXE 1 10001
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\Ohjelmatiedostot\F-Secure\Common\FSMA32.EXE
O4 - HKCU\..\Run: [WareOut] "C:\Ohjelmatiedostot\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [JAguAr] lpt.exe
O4 - HKCU\..\Run: [SAPSTR] sound64.exe
O4 - HKCU\..\Run: [Uint32] sysmon12.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [WareOut] "C:\Ohjelmatiedostot\WareOut\WareOut.exe"
O4 - HKCU\..\RunServices: [JAguAr] lpt.exe
O4 - HKCU\..\RunServices: [SAPSTR] sound64.exe
O4 - HKCU\..\RunServices: [Uint32] sysmon12.exe
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Ohjelmatiedostot\F-Secure\BackWeb\7681197\Program\backweb-7681197.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\OHJELMATIEDOSTOT\SIDEFIND\SIDEFIND.DLL (file missing)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...8a29296baabe1d6
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/fi/games4.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


And here are the viruses found by ActiveScan:
Incident Status Location
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\MSMSGS.EXE
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\Minigolf_Affiliate.exe
Adware:Adware/SearchAid No disinfected Windows Registry
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\bridge.???
Adware:Adware/MediaTickets No disinfected Windows Registry
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\inf\multimpp.inf
Adware:Adware/WUpd No disinfected Windows Registry
Virus:Trj/Downloader.CFJ Disinfected Operating system
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM\ole32vbs.exe
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\SYSTEM\hookdump.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\DMIJ.0LL
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\LAJACA.0LL
Adware:Adware/Startpage.GX No disinfected C:\WINDOWS\SYSTEM\WINUPD.0XE
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\OLEADM.0LL
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\SYSHI32.0XE
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\EMFCFE.0LL
Adware:Adware/Winshow No disinfected C:\WINDOWS\SYSTEM\SOSZW.0LL
Adware:Adware/Startpage.OM No disinfected C:\WINDOWS\SYSTEM\NATAAAAA.0XE
Virus:Trj/Downloader.HK Disinfected C:\WINDOWS\SYSTEM\msbar.exe
Adware:Adware/Startpage.OM No disinfected C:\WINDOWS\SYSTEM\bducaaaa.0xe
Spyware:Spyware/FastSearchWeb No disinfected C:\WINDOWS\SYSTEM\snnpapi.0ll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\gcme.0ll
Adware:Adware/Tubby No disinfected C:\WINDOWS\SYSTEM\MTC.ini
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msmsgs.exe
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM\ole32vbs.exe
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\SYSTEM\hookdump.exe
Adware:Adware/Smitfraud No disinfected C:\WINDOWS\SYSTEM\wp.bmp
Adware:Adware/MultiMPP No disinfected C:\WINDOWS\INF\MULTIMPP.INF
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\LOCALNRD.INF
Adware:Adware/GloboSearch No disinfected C:\WINDOWS\SYSTEM32\wosysdll.dll
Adware:Adware/Startpage.CEX No disinfected C:\WINDOWS\SYSTEM32\rundll32.0be
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SDKUW32.0XE
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Application Data\uonb.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Downloaded Program Files\on-line.0xe
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\bridge.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\ActiveX.inf
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\count1.jar-1858bda0-5eadcfb7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-6c4eaaf9.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-6c4eaaf9.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-6c4eaaf9.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-6c4eaaf9.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-3a0490a9.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-3a0490a9.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-3a0490a9.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\jar\1.0\classload.jar-11faa9ed-3a0490a9.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\file\1.0\stat.class-2b2f67ac-5d54dfc5.class
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\.jpi_cache\file\1.0\Dummy.class-7813d85e-4f7c89aa.class
Adware:Adware/SearchAid No disinfected C:\WINDOWS\JQIKH.0LL
Adware:Adware/SearchAid No disinfected C:\WINDOWS\OOIYH.0LL
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ADDQR32.0XE
Possible Virus. No disinfected C:\WINDOWS\MSXMIDI.0XE
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\IPQM32.0XE
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ADDZQ.0XE
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ATLTP.0XE
Spyware:Spyware/Overpro No disinfected C:\WINDOWS\WildApp.dll
Possible Virus. No disinfected C:\WINDOWS\MSXMIDI.1XE
Virus:Trj/Harnig.AD Disinfected C:\WINDOWS\loadnew.0xe
Adware:Adware/Apropos No disinfected C:\WINDOWS\minigolf_affiliate.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\cfzzf.dll
Adware:Adware/Startpage.SE No disinfected C:\WINDOWS\msxmidi.2xe
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\tmp.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\4.dat
Adware:Adware/StartPage.gen No disinfected C:\WINDOWS\msupdsrv.0xe
Virus:Trj/Downloader.ANZ Disinfected C:\WINDOWS\LOADCLEAN.0XE
Virus:Trj/Downloader.FI Disinfected C:\WINDOWS\ploint.0xe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows SyncroAd\SYNCROAD.EX$
Spyware:Spyware/ISTbar No disinfected C:\hijackthis\backups\backup-20050703-224129-349.inf
Spyware:Spyware/XXXToolbar No disinfected C:\hijackthis\backups\backup-20050703-224129-349

So, lots of viruses, or at least something left of them...
Could I please have some help in removing the rest of the infected stuff.
Thanks,

Valtteri
Finland



#2 vaviah

vaviah
  • Topic Starter

  • Members
  • 7 posts

Posted 04 July 2005 - 01:55 PM

Some additions:

I manually removed some components seen in the HJT report. Now IE does not open anymore when starting Windows, and MSMSGS.EXE has disappeared. Actually the only problem left is that the options to adjust the desktop wallpaper image are not normal. The only file accepted is .BMP and you cannot i.e. fit the picture to the display. In addition, when trying to activate the active desktop, a gray box starts to blink in the background and Windows stalls.

Suggestions?

#3 groovicus

groovicus

  • Security Colleague
  • 9,963 posts

Posted 05 July 2005 - 02:01 PM

You still have a mess. :thumbsup:

Please confirm that you have run the following scans or run them now. Save any logs that you generate - we may need them later. Also, please provide me with a description of the problem you are experiencing. Before you ask for help read this.

Anti-spyware

Please download, update and run (one at a time of course!) Spybot Search & Destroy v1.4 and Ad-aware SE v1.06. Fix whatever they suggest.

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.


Anti-trojan
Please download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.


Anti-virus

Also, run this pc through the Panda Scan Online virus scanner.
Online Virus Scanners FAQ


Next, please reboot & post a fresh HijackThis log. If you have any problems with one part of this instruction make a note of it and continue onto the next section. Let me know any problems in your next post.

#4 vaviah

vaviah
  • Topic Starter

  • Members
  • 7 posts

Posted 06 July 2005 - 01:18 AM

Thanks,

Is it better to post the HJT log from normal or safe mode? I've run all except A2. Will do it today! As I posted earlier, the only problem is the malfunction in the active desktop and the restricted options in setting the desktop image. The updated F-Secure scan results in 0 (zero) viruses! I'll post the updated log after running all the virus scans kindly mentioned above.

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts

Posted 06 July 2005 - 10:11 AM

Post a log from normal mode please.

#6 vaviah

vaviah
  • Topic Starter

  • Members
  • 7 posts

Posted 06 July 2005 - 12:49 PM

Ok. All the scans mentioned above are now completed with updated programs.
Problems at this time:
- The message "Invalid Backweb ID" with some numbers appears when Windows is started. This Backweb with the number code has been active for months (in running tasks, ctrl+alt+del). The number code is also seen in the HJT log below
- The same problem with desktop image and active desktop as mentioned above

All the scans found viruses. Each program found about 100 problems. Finally Panda scan found 27. During Spybot scan, also the F-secure found TrojanDownloader.

This is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 20:35:43, on 6.7.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMA32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FCH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\BACKWEB\7681197\PROGRAM\FSBWSYS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FNRB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FAMEH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FIH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSGK32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSSM32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSAV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\OHJELMATIEDOSTOT\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PDESK\PDESK.EXE
C:\OHJELMATIEDOSTOT\WINDOWS CE SERVICES\DCCMAN.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSM32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.univadis.fi/medical_and_more/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmatiedostot\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Ohjelmatiedostot\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Ohjelmatiedostot\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\OHJELM~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Ohjelmatiedostot\Windows CE Services\DCCMAN.EXE"
O4 - HKLM\..\Run: [72B1.TMP] C:\WINDOWS\TEMP\72B1.TMP.exe 0 10001
O4 - HKLM\..\Run: [8155.TMP] C:\WINDOWS\TEMP\8155.TMP.exe 0 10001
O4 - HKLM\..\Run: [D353.TMP] C:\WINDOWS\TEMP\D353.TMP.exe 0 10001
O4 - HKLM\..\Run: [A3A4.TMP] C:\WINDOWS\TEMP\A3A4.TMP.exe 0 10001
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [A3A4.TMP.EXE] C:\WINDOWS\TEMP\A3A4.TMP.EXE 0 10001
O4 - HKLM\..\Run: [C283.TMP] C:\WINDOWS\TEMP\C283.TMP.exe 0 10001
O4 - HKLM\..\Run: [C283.TMP.EXE] C:\WINDOWS\TEMP\C283.TMP.EXE 0 10001
O4 - HKLM\..\Run: [7125.TMP] C:\WINDOWS\TEMP\7125.TMP.exe 0 10001
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Ohjelmatiedostot\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Ohjelmatiedostot\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [7125.TMP.EXE] C:\WINDOWS\TEMP\7125.TMP.EXE 0 10001
O4 - HKLM\..\Run: [D353.TMP.EXE] C:\WINDOWS\TEMP\D353.TMP.EXE 0 10001
O4 - HKLM\..\Run: [8155.TMP.EXE] C:\WINDOWS\TEMP\8155.TMP.EXE 0 10001
O4 - HKLM\..\Run: [72B1.TMP.EXE] C:\WINDOWS\TEMP\72B1.TMP.EXE 1 10001
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\Ohjelmatiedostot\F-Secure\Common\FSMA32.EXE
O4 - HKCU\..\Run: [JAguAr] lpt.exe
O4 - HKCU\..\Run: [SAPSTR] sound64.exe
O4 - HKCU\..\Run: [Uint32] sysmon12.exe
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Ohjelmatiedostot\F-Secure\BackWeb\7681197\Program\backweb-7681197.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#7 groovicus

groovicus

  • Security Colleague
  • 9,963 posts

Posted 06 July 2005 - 04:07 PM

Put a checkmark next to the following entries in HijackThis. Make sure all
other windows and browsers are closed before clicking on “Fix Checked”.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [72B1.TMP] C:\WINDOWS\TEMP\72B1.TMP.exe 0 10001
O4 - HKLM\..\Run: [8155.TMP] C:\WINDOWS\TEMP\8155.TMP.exe 0 10001
O4 - HKLM\..\Run: [D353.TMP] C:\WINDOWS\TEMP\D353.TMP.exe 0 10001
O4 - HKLM\..\Run: [A3A4.TMP] C:\WINDOWS\TEMP\A3A4.TMP.exe 0 10001
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [A3A4.TMP.EXE] C:\WINDOWS\TEMP\A3A4.TMP.EXE 0 10001
O4 - HKLM\..\Run: [C283.TMP] C:\WINDOWS\TEMP\C283.TMP.exe 0 10001
O4 - HKLM\..\Run: [C283.TMP.EXE] C:\WINDOWS\TEMP\C283.TMP.EXE 0 10001
O4 - HKLM\..\Run: [7125.TMP] C:\WINDOWS\TEMP\7125.TMP.exe 0 10001
O4 - HKCU\..\Run: [SAPSTR] sound64.exe
O4 - HKCU\..\Run: [Uint32] sysmon12.exe
O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Ohjelmatiedostot\F-Secure\BackWeb\7681197\Program\backweb-7681197.exe

***********************************************************************

Reboot and post a new log. :thumbsup:

#8 vaviah

vaviah
  • Topic Starter

  • Members
  • 7 posts

Posted 07 July 2005 - 11:08 AM

Ok. Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 19:01:45, on 7.7.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMA32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FCH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\BACKWEB\7681197\PROGRAM\FSBWSYS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FNRB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FAMEH32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSGK32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FIH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSSM32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSAV32.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\OHJELMATIEDOSTOT\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PDESK\PDESK.EXE
C:\OHJELMATIEDOSTOT\WINDOWS CE SERVICES\DCCMAN.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSM32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.univadis.fi/medical_and_more/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmatiedostot\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Ohjelmatiedostot\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Ohjelmatiedostot\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\OHJELM~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Ohjelmatiedostot\Windows CE Services\DCCMAN.EXE"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Ohjelmatiedostot\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Ohjelmatiedostot\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [7125.TMP.EXE] C:\WINDOWS\TEMP\7125.TMP.EXE 0 10001
O4 - HKLM\..\Run: [D353.TMP.EXE] C:\WINDOWS\TEMP\D353.TMP.EXE 0 10001
O4 - HKLM\..\Run: [8155.TMP.EXE] C:\WINDOWS\TEMP\8155.TMP.EXE 0 10001
O4 - HKLM\..\Run: [72B1.TMP.EXE] C:\WINDOWS\TEMP\72B1.TMP.EXE 1 10001
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\Ohjelmatiedostot\F-Secure\Common\FSMA32.EXE
O4 - HKCU\..\Run: [JAguAr] lpt.exe
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Still the same problems with Backweb and background image.

#9 groovicus

groovicus

  • Security Colleague
  • 9,963 posts

Posted 07 July 2005 - 05:03 PM

Some of the entries are still there. Make sure IE is closed when making the fixes.

Remove the following with HJT yet:
O4 - HKLM\..\Run: [7125.TMP.EXE] C:\WINDOWS\TEMP\7125.TMP.EXE 0 10001
O4 - HKLM\..\Run: [D353.TMP.EXE] C:\WINDOWS\TEMP\D353.TMP.EXE 0 10001
O4 - HKLM\..\Run: [8155.TMP.EXE] C:\WINDOWS\TEMP\8155.TMP.EXE 0 10001
O4 - HKLM\..\Run: [72B1.TMP.EXE] C:\WINDOWS\TEMP\72B1.TMP.EXE 1 10001
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

I am not sure why you are getting a Backweb Error..it isn't even running anymore. Looking back through your posts, which sets of instructions did you use? I have this nagging feeling that you used instructions that were geared more towards XP.

The other problem that you are having with your background is due to the infection nuking file associations. I would suggest, once the infection is cleaned, doing a repair/reinstall to correct any problems.

Smitfraud attaches itself to system critical files, and if those are not cleaned properly, then there are huge system stability issues. I'll need to investigate what it does to your particular OS.

Either way, it sucks...
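
The comparison behind the reply above, as an added example that is not part of the original thread and not HijackThis's own code: it parses the O4 autorun lines of a fix list and of the follow-up log, then reports which requested entries persist, which remaining entries launch the same executable under a different value name, and which still start from a TEMP directory. The function names are hypothetical and the sample lines are a short excerpt of the fix list in post #7 and the log in post #8.

```python
import re

# One HijackThis autorun item: "O4 - HKLM\..\Run: [value name] command line"
RUN_ITEM = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def target_of(cmd):
    """Executable part of a Run command line, lower-cased because
    Windows paths are case-insensitive; arguments are dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_run_items(text):
    """Map (hive, key, value name) -> (display name, target executable)."""
    items = {}
    for line in text.splitlines():
        m = RUN_ITEM.match(line.strip())
        if m:
            ident = (m["hive"], m["key"], m["name"].lower())
            items[ident] = (m["name"], target_of(m["cmd"]))
    return items


def compare(fix_text, followup_text):
    """Compare a fix list with the log taken after the reboot."""
    fixed = parse_run_items(fix_text)
    after = parse_run_items(followup_text)
    fixed_targets = {target for _, target in fixed.values()}
    persisted, siblings, temp_launch = [], [], []
    for ident, (name, target) in after.items():
        if ident in fixed:
            # Same registry value as requested: the fix did not take.
            persisted.append(name)
        elif target in fixed_targets:
            # Different value name, same executable: never on the fix list.
            siblings.append(name)
        if "\\temp\\" in target:
            temp_launch.append(name)
    return {
        "persisted": sorted(persisted),
        "siblings": sorted(siblings),
        "temp_launch": sorted(temp_launch),
    }


# Excerpt of the fix list in post #7 (not the complete list).
FIX_LIST = r'''
O4 - HKLM\..\Run: [72B1.TMP] C:\WINDOWS\TEMP\72B1.TMP.exe 0 10001
O4 - HKLM\..\Run: [8155.TMP] C:\WINDOWS\TEMP\8155.TMP.exe 0 10001
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKCU\..\Run: [SAPSTR] sound64.exe
'''

# Excerpt of the follow-up log in post #8 (not the complete log).
FOLLOWUP = r'''
O4 - HKLM\..\Run: [AudioHQ] C:\Ohjelmatiedostot\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Ohjelmatiedostot\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [8155.TMP.EXE] C:\WINDOWS\TEMP\8155.TMP.EXE 0 10001
O4 - HKLM\..\Run: [72B1.TMP.EXE] C:\WINDOWS\TEMP\72B1.TMP.EXE 1 10001
'''

if __name__ == "__main__":
    for label, names in compare(FIX_LIST, FOLLOWUP).items():
        print(f"{label}: {names}")
```

On this excerpt nothing from the fix list persists; the two remaining TEMP entries are separate registry values (`[8155.TMP.EXE]`, `[72B1.TMP.EXE]`) that point at the same executables as values already fixed.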

#10 vaviah

vaviah
  • Topic Starter

  • Members
  • 7 posts

Posted 08 July 2005 - 01:13 AM

Here are the instructions I've used. I also did the operations suggested in the linked pages (Smitfraud and Spysheriff, Not AdWare):
http://www.bleepingcomputer.com/forums/How...old-t22397.html

I'll post a new log after a couple of days!

#11 vaviah

vaviah
  • Topic Starter

  • Members
  • 7 posts

Posted 10 July 2005 - 09:03 AM

Here is the new log file:

Logfile of HijackThis v1.99.1
Scan saved at 16:59:17, on 10.7.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMA32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSMB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FCH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\BACKWEB\7681197\PROGRAM\FSBWSYS.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FNRB32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FAMEH32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSGK32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\FWES\PROGRAM\FSDFWD.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FIH32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSSM32.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\ANTI-VIRUS\FSAV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\OHJELMATIEDOSTOT\CREATIVE\LAUNCHER\CTLAUNCHER.EXE
C:\OHJELMATIEDOSTOT\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PDESK\PDESK.EXE
C:\OHJELMATIEDOSTOT\WINDOWS CE SERVICES\DCCMAN.EXE
C:\OHJELMATIEDOSTOT\F-SECURE\COMMON\FSM32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.univadis.fi/medical_and_more/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hzz1zwrh.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Ohjelmatiedostot\Spybot\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Ohjelmatiedostot\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Ohjelmatiedostot\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\OHJELM~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [H/PC Connection Agent] "C:\Ohjelmatiedostot\Windows CE Services\DCCMAN.EXE"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Ohjelmatiedostot\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Ohjelmatiedostot\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [F-Secure Management Agent] C:\Ohjelmatiedostot\F-Secure\Common\FSMA32.EXE
O4 - HKCU\..\Run: [JAguAr] lpt.exe
O4 - Startup: Microsoft Office Pikahaku.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

There are some running tasks that haven't always been there. At least "ahgtb" and Pdesk.

#12 groovicus

groovicus

  • Security Colleague
  • 9,963 posts

Posted 10 July 2005 - 09:44 AM

One is for your video card, and one is for your sound card. They are both legitimate, and your log looks just fine. :thumbsup:



