Firefox and IE HiJacked


  • This topic is locked
16 replies to this topic

#1 van1313van

  • Members
  • 21 posts

Posted 19 January 2010 - 06:49 AM

Whenever I open the computer, Firefox opens this site http://big-goals.info/biz/setting-investing-goals.html and some others.
I tried to update my anti-virus and anti-spyware, but I can't because it always says there is something wrong with my internet connection.
Here is my HJT log.
Just tell me if I need to give more details. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:44 AM, on 1/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = WMSU CET Hawks Rule
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - :C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - :C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca634762019d82) (gupdate1ca634762019d82) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MRMUDZ - Unknown owner - C:\DOCUME~1\Van\LOCALS~1\Temp\MRMUDZ.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OKFOZDWKTQZ - Unknown owner - C:\DOCUME~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe (file missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe

--
End of file - 9209 bytes







#2 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 January 2010 - 08:09 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Click the "Run Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 van1313van
  • Topic Starter

  • Members
  • 21 posts

Posted 19 January 2010 - 08:13 PM

I can't finish the OTL log because it is stuck at "Checking service: cstcgz".
I'll just post my HJT log. Thanks for helping me out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:18 AM, on 1/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - :C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - :C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wbsys.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1ca634762019d82) (gupdate1ca634762019d82) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MRMUDZ - Unknown owner - C:\DOCUME~1\Van\LOCALS~1\Temp\MRMUDZ.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OKFOZDWKTQZ - Unknown owner - C:\DOCUME~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe (file missing)
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe

--
End of file - 9495 bytes
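Added here as an editor's example, not part of the thread or of HijackThis: a small Python triage pass over the O2/O4/O20/O23 lines of the two HJT logs posted in this thread, flagging the patterns a helper looks at first (services with no company information running from a Temp folder, cmd.exe RunOnce entries under service-account hives, AppInit_DLLs values, orphaned BHO registrations). The sample lines are copied from the logs above; the severities and rule wording are the editor's own, and a flag is a prompt to verify an entry, not a verdict on it.

```python
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the HijackThis logs posted in
# this thread, with one benign line per section (AVG tray, NVIDIA service)
# so the rules have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - :C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O20 - AppInit_DLLs: wbsys.dll
O23 - Service: MRMUDZ - Unknown owner - C:\DOCUME~1\Van\LOCALS~1\Temp\MRMUDZ.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OKFOZDWKTQZ - Unknown owner - C:\DOCUME~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (editor's own scale)
    subject: str   # service name, Run label, DLL list or BHO name the line refers to
    reason: str
    line: str


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# HijackThis line shapes for the sections this triage looks at.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<label>[^\]]*)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
ORPHAN_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.+?) - \{[^}]*\} - .*\(file missing\)$")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Hives HijackThis reports for the built-in service accounts and the default profile.
SERVICE_ACCOUNT_HIVES = {"HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20", "HKUS\\.DEFAULT"}


def triage_line(line):
    """Return a Finding for one HijackThis line, or None when no rule fires."""
    m = SERVICE_RE.match(line)
    if m:
        owner_unknown = m["owner"].strip().lower() == "unknown owner"
        if owner_unknown and TEMP_DIR_RE.search(m["path"]):
            return Finding("high", m["name"],
                           "service with no company information whose binary lives in a Temp directory", line)
        if owner_unknown and m["missing"]:
            return Finding("medium", m["name"],
                           "service with no company information and a missing binary (orphaned entry)", line)
        return None
    m = RUN_RE.match(line)
    if m and m["hive"] in SERVICE_ACCOUNT_HIVES and m["cmd"].lower().startswith("cmd.exe"):
        return Finding("medium", m["label"],
                       f"{m['key']} entry under a service-account hive runs cmd.exe at logon; confirm its origin", line)
    m = APPINIT_RE.match(line)
    if m:
        return Finding("low", m["dlls"],
                       "AppInit_DLLs loads the listed DLL into every process that links user32.dll; "
                       "confirm it belongs to installed software", line)
    m = ORPHAN_RE.match(line)
    if m:
        return Finding("low", m["name"], "BHO/toolbar registration whose DLL is gone (leftover, clean up)", line)
    return None


def triage(log_text: str) -> list:
    """Run every rule over a log and return findings, most severe first (stable order within a level)."""
    findings = [f for f in map(triage_line, log_text.strip().splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings) -> dict:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```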


#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 January 2010 - 08:11 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


=================



Download Kenco.exe to your desktop
  • Close all windows and run the program
  • It won't take long to run. Post the log it gives you (it will also be saved in the same place as Kenco.exe).



========================================================

#5 van1313van
  • Topic Starter

  • Members
  • 21 posts

Posted 21 January 2010 - 07:40 AM

Sorry if my reply is a bit late.
Here is the log from GooredFix:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 09:47 on 21/01/2010 (Van)
Firefox version 3.5.7 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:05 19/03/2009]
{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} [22:56 18/03/2009]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [07:02 19/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [01:47 14/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [16:24 11/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [04:12 03/09/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [13:48 25/11/2009]

C:\Documents and Settings\Van\Application Data\Mozilla\Firefox\Profiles\g322255l.default\extensions\
{07b2a769-ed19-4483-87ce-c643914c9626} [22:55 07/11/2009]
{33A8946C-B859-4f7d-8382-ADAB29623DEE} [03:19 19/08/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [03:11 20/03/2009]
{81514210-E22A-4e69-93D5-E1EFD45B4620} [10:58 31/12/2009]
{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [00:07 16/12/2009]
{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} [02:30 16/01/2010]
{ded0fc70-7215-4802-afeb-b2982d3e7225} [16:26 02/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:54 11/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [07:02 19/03/2009]

-=E.O.F=-

Here is the one from Kenco:

Kenco by jpshortstuff (31.12.09.1)
Log created at 09:49 on 21/01/2010 (Van)

========== Task Unlocker ==========

========== KencoScan ==========

========== C:\WINDOWS\Tasks ==========
GoogleUpdateTaskMachineCore.job -> [03:36 12/11/2009] 882 bytes
GoogleUpdateTaskMachineUA.job -> [03:36 12/11/2009] 886 bytes
NSSstub.job -> [11:23 29/11/2009] 376 bytes

-=E.O.F=-

Thank you for your help.

#6 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 January 2010 - 08:19 AM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.




========================================================

#7 van1313van
  • Topic Starter

  • Members
  • 21 posts

Posted 22 January 2010 - 06:25 AM

Here is the log you requested.
Thanks to you, I can now update my anti-virus.


ComboFix 10-01-21.06 - Van 01/22/2010 5:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.261 [GMT 8:00]
Running from: c:\documents and settings\Van\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HanaAylani\Application Data\FunWebProducts
c:\program files\Cheat Engine\dbk32.sys
c:\program files\win32
c:\program files\win32\logs.dat
c:\program files\win32\plugin.dat
c:\recycler\S-1-5-21-3700474591-4369137082-675348875-4491
c:\recycler\S-1-5-21-4319591866-1639299738-359765467-7949
c:\recycler\S-1-5-21-8855767346-6226721731-041476846-8919
c:\recycler\S-1-5-21-9692110236-9334297725-212124345-7088
c:\recycler\S-1-5-21-9692110236-9334297725-212124345-7088\MsMxEng.exe
c:\windows\system32\hgvizgp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSTCGZ
-------\Legacy_ILVMONEYDRIVER53
-------\Service_cstcgz
-------\Service_IlvMoneyDRIVER53


((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-21 01:30 . 2010-01-19 13:13 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-21 01:30 . 2010-01-19 11:48 269904 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-01-21 01:30 . 2010-01-19 11:42 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-21 01:30 . 2010-01-19 11:46 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-21 01:30 . 2010-01-19 11:43 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-21 01:30 . 2010-01-19 11:43 100304 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-21 01:30 . 2010-01-19 11:43 94672 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-21 01:30 . 2010-01-19 11:42 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-21 01:27 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-21 01:27 . 2010-01-19 11:57 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-21 01:27 . 2010-01-21 01:27 -------- d-----w- c:\program files\Alwil Software
2010-01-21 01:27 . 2010-01-21 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-20 22:13 . 2010-01-20 22:13 -------- d-----w- c:\documents and settings\Cel\Local Settings\Application Data\AVG Security Toolbar
2010-01-18 23:37 . 2010-01-18 23:43 -------- d-----w- c:\documents and settings\Van\Application Data\FreeFixer
2010-01-18 23:37 . 2010-01-18 23:37 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\FreeFixer
2010-01-18 23:32 . 2010-01-18 23:33 -------- d-----w- c:\program files\FreeFixer
2010-01-18 13:50 . 2010-01-18 13:51 -------- d-----w- c:\documents and settings\Van\Application Data\dvdcss
2010-01-18 13:47 . 2010-01-18 13:47 0 ----a-w- c:\windows\system32\SBRC.dat
2010-01-18 12:36 . 2010-01-18 12:36 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\AVG Security Toolbar
2010-01-18 12:16 . 2010-01-18 12:16 -------- d-----w- c:\documents and settings\HanaAylani\Application Data\Media Player Classic
2010-01-18 10:13 . 2010-01-18 10:16 -------- d-----w- C:\$AVG
2010-01-10 10:37 . 2010-01-10 10:37 -------- d-----w- c:\documents and settings\Van\Application Data\MiKTeX
2010-01-10 10:35 . 2010-01-10 10:35 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\MiKTeX
2010-01-09 11:56 . 2010-01-09 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MiKTeX
2010-01-09 11:53 . 2010-01-09 11:55 -------- d-----w- c:\program files\MiKTeX 2.8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 21:56 . 2009-03-20 02:26 -------- d-----w- c:\program files\Cheat Engine
2010-01-21 01:42 . 2009-09-23 13:07 -------- d-----w- c:\documents and settings\HanaAylani\Application Data\Free Download Manager
2010-01-20 22:33 . 2009-10-14 08:46 -------- d-----w- c:\documents and settings\Cel\Application Data\Free Download Manager
2010-01-20 06:36 . 2009-08-21 22:08 25 ----a-w- c:\windows\popcinfot.dat
2010-01-19 18:28 . 2010-01-19 18:28 105 ----a-w- c:\documents and settings\Van\Application Data\netstat.bat
2010-01-19 18:28 . 2010-01-19 18:28 105 ----a-w- c:\documents and settings\Van\Application Data\netstat.bat
2010-01-18 14:51 . 2009-11-14 10:05 -------- d-----w- c:\documents and settings\Van\Application Data\vlc
2010-01-18 12:57 . 2009-07-15 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-01-18 10:12 . 2009-03-18 22:50 -------- d-----w- c:\program files\AVG
2010-01-18 06:45 . 2009-03-19 00:09 -------- d-----w- c:\program files\Garena
2010-01-10 01:03 . 2009-03-30 23:31 -------- d-----w- c:\documents and settings\Van\Application Data\FrostWire
2010-01-02 13:44 . 2009-04-11 03:58 -------- d-----w- c:\documents and settings\HanaAylani\Application Data\LimeWire
2010-01-02 11:14 . 2009-03-19 11:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 16:48 . 2009-04-30 21:52 68584 ----a-w- c:\documents and settings\HanaAylani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 00:36 . 2009-04-08 19:14 -------- d-----w- c:\program files\MYGAME Launcher
2009-12-19 09:35 . 2009-09-19 00:59 -------- d-----w- c:\documents and settings\Van\Application Data\BitTorrent
2009-12-16 05:20 . 2009-11-04 00:11 -------- d-----w- c:\documents and settings\Van\Application Data\Azureus
2009-12-07 23:10 . 2009-12-07 23:10 -------- d-----w- c:\program files\AC3Filter
2009-12-02 06:57 . 2009-12-02 06:57 -------- d-----w- c:\program files\Veoh Networks
2009-12-02 03:23 . 2009-12-02 03:23 -------- d-----w- c:\documents and settings\Van\Application Data\fofix
2009-12-01 11:50 . 2009-12-01 11:45 -------- d-----w- c:\documents and settings\Van\Application Data\fretsonfire
2009-12-01 11:46 . 2009-05-25 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-01 11:44 . 2009-05-25 17:31 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-01 11:28 . 2009-12-01 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-29 13:00 . 2009-03-20 16:37 68584 ----a-w- c:\documents and settings\Van\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-29 12:59 . 2009-11-29 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-29 12:51 . 2009-03-19 11:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 12:49 . 2009-11-29 12:49 -------- d-----w- c:\program files\Adobe Media Player
2009-11-29 12:45 . 2009-11-29 12:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-29 11:28 . 2009-11-29 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-29 11:11 . 2009-11-29 11:05 -------- d-----w- c:\program files\Common Files\Macromedia
2009-11-29 11:11 . 2009-11-29 11:05 -------- d-----w- c:\program files\Macromedia
2009-11-29 11:05 . 2009-11-29 11:05 45056 ----a-r- c:\documents and settings\Van\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2009-11-25 13:48 . 2009-03-19 11:04 -------- d-----w- c:\program files\Java
2009-11-25 13:47 . 2009-11-25 13:47 152576 ----a-w- c:\documents and settings\Van\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 13:43 . 2009-11-25 13:43 79488 ----a-w- c:\documents and settings\Van\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-15 00:46 . 2009-11-15 00:46 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-02 13:01 . 2009-05-25 18:20 10 ----a-w- c:\windows\popcinfo.dat
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2009-03-18 22:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-18 22:56 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-18 22:56 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------


[-] 2005-11-28 . 9103FE3967CC3446A7BDE004ECA0B946 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-01-19 11:45 135168 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 73728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 07:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
2009-01-30 19:45 3399727 ----a-w- c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-02-20 22:22 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"dmadmin"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Persona\\Persona.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MYGAME\\Special Force\\specialforce.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Freestyle\\FreeStyle\\FreeStyle.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"d:\\CS1.6\\hl.exe"=
"d:\\CS1.3\\HalfLife\\hl.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Documents and Settings\\HanaAylani\\My Documents\\Hana\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2938:TCP"= 2938:TCP:tnumg
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/28/2009 12:42 PM 721904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [1/21/2010 9:30 AM 269904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/21/2010 9:30 AM 162640]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [3/19/2009 7:35 PM 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/21/2010 9:30 AM 19024]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [9/29/2009 11:34 PM 12672]
S2 gupdate1ca634762019d82;Google Update Service (gupdate1ca634762019d82);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2009 11:22 AM 133104]
S3 ALIENZDRVR;ALIENZDRVR;\??\c:\documents and settings\Van\My Documents\Downloads\Pangya\Radical Engin Server\Alienz32.sys --> c:\documents and settings\Van\My Documents\Downloads\Pangya\Radical Engin Server\Alienz32.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Van\LOCALS~1\Temp\OKS35.tmp --> c:\docume~1\Van\LOCALS~1\Temp\OKS35.tmp [?]
S3 MRMUDZ;MRMUDZ;c:\docume~1\Van\LOCALS~1\Temp\MRMUDZ.exe --> c:\docume~1\Van\LOCALS~1\Temp\MRMUDZ.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 OKFOZDWKTQZ;OKFOZDWKTQZ;c:\docume~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe --> c:\docume~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\d:\haha\SoRa 4.6\SoRa_.sys --> d:\haha\SoRa 4.6\SoRa_.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-12 03:22]

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-12 03:22]

2009-11-29 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-11-29 11:23]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\g322255l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - component: c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\g322255l.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Van\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.
.
------- File Associations -------
.
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - :c:\program files\AskBarDis\bar\bin\askBar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-My Web Search Bar - c:\progra~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
ActiveSetup-{D3JH5L72-61DQ-E4X1-X464-Q38373HI0TIY} - c:\program files\win32\win32.exe
AddRemove-Final Fantasy VII - d:\final fantasy vii\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-22 06:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x825DE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86aafc3
\Driver\ACPI -> ACPI.sys @ 0xf8424cb8
\Driver\atapi -> 0x825de1f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf82c3ba0
PacketIndicateHandler -> aswSP.SYS @ 0xf4dfb718
SendHandler -> aswSP.SYS @ 0xf4dfb776
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Van\LOCALS~1\Temp\OKS35.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-162531612-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\program files\AlienGUIse\fastload.dll
c:\windows\system32\CLBCATQ.DLL

- - - - - - - > 'explorer.exe'(3972)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msls31.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\MSCTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-01-22 06:09:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-21 22:09

Pre-Run: 39,591,305,216 bytes free
Post-Run: 40,536,084,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 07CA7791F72C1741BB499A2B748654F7


#8 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 January 2010 - 09:03 AM


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.

Please post the contents of the log from DrWeb in your next reply.


Let me know how your computer is behaving after this step.



If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 van1313van
  • Topic Starter

  • Members
  • 21 posts

Posted 24 January 2010 - 06:59 AM

Sorry, but I can't finish scanning because of an error. I'll just upload the log because it is too long.

Attached Files



#10 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 25 January 2010 - 08:53 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

CODE
Driver::
GarenaPEngine
MRMUDZ
OKFOZDWKTQZ

MBR::

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.



This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

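The three names in the CFScript above are exactly the entries in the earlier ComboFix log whose driver image sits in the user's Temp directory. As an added example (not part of this thread, and not ComboFix's own code), the following Python parses ComboFix's driver/service block and flags such entries; the sample lines are constructed to match the log's layout, and the triage heuristics are this example's own assumptions, not ComboFix's.

```python
import re
from typing import Dict, List

# Constructed sample lines in the layout ComboFix uses for its driver/service
# listing: "<start> <service>;<display name>;<image path> [<date> <size>]"
# or, when ComboFix could not read the file, "... --> <image path> [?]".
SAMPLE_LINES = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/28/2009 12:42 PM 721904]
S2 gupdate1ca634762019d82;Google Update Service (gupdate1ca634762019d82);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2009 11:22 AM 133104]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Van\LOCALS~1\Temp\OKS35.tmp --> c:\docume~1\Van\LOCALS~1\Temp\OKS35.tmp [?]
S3 MRMUDZ;MRMUDZ;c:\docume~1\Van\LOCALS~1\Temp\MRMUDZ.exe --> c:\docume~1\Van\LOCALS~1\Temp\MRMUDZ.exe [?]
S3 OKFOZDWKTQZ;OKFOZDWKTQZ;c:\docume~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe --> c:\docume~1\Van\LOCALS~1\Temp\OKFOZDWKTQZ.exe [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
"""

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"^(?P<path>.*?)\s+\[(?P<stamp>[^\]]*)\]$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\(docume~1|documents and settings)\\", re.IGNORECASE)

UNKNOWN_REASON = "ComboFix could not read the file ([?])"


def parse_services(text: str) -> List[Dict[str, object]]:
    """Parse the driver/service block of a ComboFix log into dicts."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if " --> " in rest:
            # ComboFix repeats the resolved path after "-->"; use that copy,
            # which has the \??\ prefix stripped.
            rest = rest.split(" --> ", 1)[1]
        sm = STAMP_RE.match(rest)
        path = sm.group("path") if sm else rest
        stamp = sm.group("stamp") if sm else ""
        entries.append({"start": m.group("start"), "name": m.group("name"),
                        "path": path, "unknown": stamp == "?"})
    return entries


def suspicious_reasons(entry: Dict[str, object]) -> List[str]:
    """Heuristics a log reviewer applies by eye (this example's assumptions)."""
    path = str(entry["path"])
    reasons = []
    if TEMP_RE.search(path):
        reasons.append("image path is inside a Temp directory")
    elif PROFILE_RE.search(path):
        reasons.append("image path is inside a user profile")
    if path.lower().endswith(".tmp"):
        reasons.append("driver image has a .tmp extension")
    if entry["unknown"]:
        reasons.append(UNKNOWN_REASON)
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to its reasons; clean entries are omitted."""
    report = {}
    for entry in parse_services(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            report[str(entry["name"])] = reasons
    return report


def removal_candidates(report: Dict[str, List[str]]) -> List[str]:
    """A lone [?] is weak evidence (SBRE above is a legitimate driver that
    ComboFix merely could not stat), so require at least one path-based reason."""
    return sorted(name for name, reasons in report.items()
                  if any(r != UNKNOWN_REASON for r in reasons))


def format_driver_section(names: List[str]) -> str:
    """Render the Driver:: block of a CFScript from names a reviewer confirmed."""
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for name, reasons in result.items():
        print(f"{name}: {'; '.join(reasons)}")
    print(format_driver_section(removal_candidates(result)))
```

The candidate list reproduces the three names from the CFScript above, while SBRE is reported but left out of the Driver:: block.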


========================================================

#11 van1313van
  • Topic Starter

  • Members
  • 21 posts

Posted 27 January 2010 - 02:39 AM

Here is the log you requested.


ComboFix 10-01-26.02 - Van 01/26/2010 7:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.213 [GMT 8:00]
Running from: c:\documents and settings\Van\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Van\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\Fonts\MyriadPro-Regular.otf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MRMUDZ
-------\Legacy_OKFOZDWKTQZ
-------\Service_MRMUDZ
-------\Service_OKFOZDWKTQZ


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-23 04:59 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-23 04:59 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-23 04:59 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-23 04:59 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-23 04:59 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-23 04:59 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-23 04:59 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-23 04:59 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-23 04:59 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-23 01:04 . 2010-01-23 01:04 -------- d-----w- c:\documents and settings\Van\DoctorWeb
2010-01-22 12:50 . 2010-01-22 12:50 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\Stardock
2010-01-21 01:27 . 2010-01-22 15:15 -------- d-----w- c:\program files\Alwil Software
2010-01-21 01:27 . 2010-01-21 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-20 22:13 . 2010-01-20 22:13 -------- d-----w- c:\documents and settings\Cel\Local Settings\Application Data\AVG Security Toolbar
2010-01-18 23:37 . 2010-01-18 23:43 -------- d-----w- c:\documents and settings\Van\Application Data\FreeFixer
2010-01-18 23:37 . 2010-01-18 23:37 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\FreeFixer
2010-01-18 23:32 . 2010-01-18 23:33 -------- d-----w- c:\program files\FreeFixer
2010-01-18 13:50 . 2010-01-18 13:51 -------- d-----w- c:\documents and settings\Van\Application Data\dvdcss
2010-01-18 13:47 . 2010-01-18 13:47 0 ----a-w- c:\windows\system32\SBRC.dat
2010-01-18 12:36 . 2010-01-18 12:36 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\AVG Security Toolbar
2010-01-18 12:16 . 2010-01-18 12:16 -------- d-----w- c:\documents and settings\HanaAylani\Application Data\Media Player Classic
2010-01-18 10:13 . 2010-01-18 10:16 -------- d-----w- C:\$AVG
2010-01-10 10:37 . 2010-01-10 10:37 -------- d-----w- c:\documents and settings\Van\Application Data\MiKTeX
2010-01-10 10:35 . 2010-01-10 10:35 -------- d-----w- c:\documents and settings\Van\Local Settings\Application Data\MiKTeX
2010-01-09 11:56 . 2010-01-09 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MiKTeX
2010-01-09 11:53 . 2010-01-09 11:55 -------- d-----w- c:\program files\MiKTeX 2.8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 18:07 . 2009-09-24 02:12 -------- d-----w- c:\documents and settings\Rolando\Application Data\Free Download Manager
2010-01-25 17:55 . 2009-10-14 08:46 -------- d-----w- c:\documents and settings\Cel\Application Data\Free Download Manager
2010-01-25 16:59 . 2009-08-21 22:08 25 ----a-w- c:\windows\popcinfot.dat
2010-01-25 13:42 . 2009-03-19 00:09 -------- d-----w- c:\program files\Garena
2010-01-23 22:13 . 2009-03-19 11:03 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-22 12:49 . 2009-03-19 00:50 -------- d-----w- c:\program files\AlienGUIse
2010-01-21 21:56 . 2009-03-20 02:26 -------- d-----w- c:\program files\Cheat Engine
2010-01-21 01:42 . 2009-09-23 13:07 -------- d-----w- c:\documents and settings\HanaAylani\Application Data\Free Download Manager
2010-01-19 18:28 . 2010-01-19 18:28 105 ----a-w- c:\documents and settings\Van\Application Data\netstat.bat
2010-01-19 18:28 . 2010-01-19 18:28 105 ----a-w- c:\documents and settings\Van\Application Data\netstat.bat
2010-01-18 14:51 . 2009-11-14 10:05 -------- d-----w- c:\documents and settings\Van\Application Data\vlc
2010-01-18 12:57 . 2009-07-15 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-01-18 10:12 . 2009-03-18 22:50 -------- d-----w- c:\program files\AVG
2010-01-10 01:03 . 2009-03-30 23:31 -------- d-----w- c:\documents and settings\Van\Application Data\FrostWire
2010-01-02 13:44 . 2009-04-11 03:58 -------- d-----w- c:\documents and settings\HanaAylani\Application Data\LimeWire
2010-01-02 11:14 . 2009-03-19 11:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-31 16:48 . 2009-04-30 21:52 68584 ----a-w- c:\documents and settings\HanaAylani\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 00:36 . 2009-04-08 19:14 -------- d-----w- c:\program files\MYGAME Launcher
2009-12-19 09:35 . 2009-09-19 00:59 -------- d-----w- c:\documents and settings\Van\Application Data\BitTorrent
2009-12-16 05:20 . 2009-11-04 00:11 -------- d-----w- c:\documents and settings\Van\Application Data\Azureus
2009-12-07 23:10 . 2009-12-07 23:10 -------- d-----w- c:\program files\AC3Filter
2009-12-02 06:57 . 2009-12-02 06:57 -------- d-----w- c:\program files\Veoh Networks
2009-12-02 03:23 . 2009-12-02 03:23 -------- d-----w- c:\documents and settings\Van\Application Data\fofix
2009-12-01 11:50 . 2009-12-01 11:45 -------- d-----w- c:\documents and settings\Van\Application Data\fretsonfire
2009-12-01 11:46 . 2009-05-25 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-01 11:44 . 2009-05-25 17:31 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-12-01 11:28 . 2009-12-01 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-29 13:00 . 2009-03-20 16:37 68584 ----a-w- c:\documents and settings\Van\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-29 12:59 . 2009-11-29 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-11-29 12:51 . 2009-03-19 11:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-29 12:49 . 2009-11-29 12:49 -------- d-----w- c:\program files\Adobe Media Player
2009-11-29 12:45 . 2009-11-29 12:45 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-29 11:28 . 2009-11-29 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-29 11:11 . 2009-11-29 11:05 -------- d-----w- c:\program files\Common Files\Macromedia
2009-11-29 11:11 . 2009-11-29 11:05 -------- d-----w- c:\program files\Macromedia
2009-11-29 11:05 . 2009-11-29 11:05 45056 ----a-r- c:\documents and settings\Van\Application Data\Microsoft\Installer\{885A63EA-382B-4DD4-A755-14809B8557D6}\ARPPRODUCTICON.exe
2009-11-25 13:47 . 2009-11-25 13:47 152576 ----a-w- c:\documents and settings\Van\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-25 13:43 . 2009-11-25 13:43 79488 ----a-w- c:\documents and settings\Van\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-15 00:46 . 2009-11-15 00:46 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-02 13:01 . 2009-05-25 18:20 10 ----a-w- c:\windows\popcinfo.dat
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2009-03-18 22:56 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-18 22:56 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-18 22:56 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------


[-] 2005-11-28 . 9103FE3967CC3446A7BDE004ECA0B946 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-01-21_22.02.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-25 23:33 . 2010-01-25 23:33 16384 c:\windows\Temp\Perflib_Perfdata_614.dat
+ 2010-01-23 17:41 . 2010-01-23 17:41 16384 c:\windows\Temp\Perflib_Perfdata_600.dat
+ 2010-01-25 23:33 . 2010-01-25 23:33 16384 c:\windows\Temp\Perflib_Perfdata_448.dat
+ 2009-03-19 11:03 . 2010-01-23 22:13 2722 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2009-03-19 11:03 . 2010-01-23 22:12 8972 c:\windows\pchealth\helpctr\Config\Cntstore.bin
+ 2010-01-21 22:32 . 2010-01-21 22:32 262144 c:\windows\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-10-27 73728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-06 413696]
"EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-04 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 07:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
2009-01-30 19:45 3399727 ----a-w- c:\program files\Free Download Manager\fdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-02-20 22:22 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)
"helpsvc"=2 (0x2)
"ERSvc"=2 (0x2)
"dmadmin"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Persona\\Persona.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MYGAME\\Special Force\\specialforce.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"d:\\Freestyle\\FreeStyle\\FreeStyle.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"d:\\CS1.6\\hl.exe"=
"d:\\CS1.3\\HalfLife\\hl.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Documents and Settings\\HanaAylani\\My Documents\\Hana\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2938:TCP"= 2938:TCP:tnumg
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/28/2009 12:42 PM 721904]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/23/2010 12:59 PM 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [3/19/2009 7:35 PM 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/23/2010 12:59 PM 20560]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [9/29/2009 11:34 PM 12672]
S2 gupdate1ca634762019d82;Google Update Service (gupdate1ca634762019d82);c:\program files\Google\Update\GoogleUpdate.exe [11/12/2009 11:22 AM 133104]
S3 ALIENZDRVR;ALIENZDRVR;\??\c:\documents and settings\Van\My Documents\Downloads\Pangya\Radical Engin Server\Alienz32.sys --> c:\documents and settings\Van\My Documents\Downloads\Pangya\Radical Engin Server\Alienz32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\d:\haha\SoRa 4.6\SoRa_.sys --> d:\haha\SoRa 4.6\SoRa_.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-12 03:22]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-12 03:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://google.com
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZCfox000
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\g322255l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - component: c:\documents and settings\Van\Application Data\Mozilla\Firefox\Profiles\g322255l.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\Van\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 07:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x825DE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86aafc3
\Driver\ACPI -> ACPI.sys @ 0xf8424cb8
\Driver\atapi -> 0x825de1f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80577edc
ParseProcedure -> ntkrnlpa.exe @ 0x80576af8
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf82c3ba0
PacketIndicateHandler -> NDIS.sys @ 0xf82d0b21
SendHandler -> NDIS.sys @ 0xf82ae87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-162531612-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(3480)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-26 07:42:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 23:42
ComboFix2.txt 2010-01-21 22:09

Pre-Run: 39,032,594,432 bytes free
Post-Run: 39,875,354,624 bytes free

- - End Of File - - A5222F35FB14EF9335CE2C64CADF87BD


#12 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 January 2010 - 08:32 AM

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

#13 van1313van
  • Topic Starter
  • Members
  • 21 posts

Posted 28 January 2010 - 07:07 AM

I think it's okay now, thanks to you guys.
You were a big help for people like us. Thanks!

#14 Buckeye_Sam
Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 January 2010 - 08:01 AM

I'm still concerned about a possible MBR infection.


Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • Press OK.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • Press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.


#15 van1313van
  • Topic Starter
  • Members
  • 21 posts

Posted 29 January 2010 - 09:25 AM

Here is the log you requested:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
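As an added example (not part of this thread and not Gmer's own code): a small Python triage of mbr.exe output, fed constructed, trimmed copies of the two detector logs quoted above (the first from the ComboFix run, the second from this reply). The line formats are taken from those logs; the parser and the verdict rule are this example's own assumptions, written to show which lines actually distinguish the two runs.

```python
import re
# Constructed sample input: the two detector outputs quoted in this thread, trimmed
# to the lines the parser reads (first log: before cleanup; second log: after).
INFECTED_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x825DE1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86aafc3
\Driver\ACPI -> ACPI.sys @ 0xf8424cb8
\Driver\atapi -> 0x825de1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""
CLEAN_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

def parse_mbr_log(text):
    """Extract unattributed called modules, the hook list, the warning and the OK line."""
    unknown, hooks = set(), []      # hooks: (hooked object, module or None, address)
    in_hooks = warning = mbr_ok = False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("called modules:"):
            unknown.update(a.lower() for a in UNKNOWN_RE.findall(line))
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif line.startswith("Warning:"):
            warning = True
        elif line == "user & kernel MBR OK":
            mbr_ok = True
        elif in_hooks and " -> " in line:
            parts = line.split(" -> ")      # last part is the hook target
            module, addr = parts[-1].rsplit(" @ ", 1) if " @ " in parts[-1] else (None, parts[-1])
            hooks.append((parts[0], module, addr.lower()))
    return {"unknown_modules": sorted(unknown), "hooks": hooks, "warning": warning, "mbr_ok": mbr_ok}

def triage(text):
    """Verdict plus the hooks that justify it. "user & kernel MBR OK" appears in both logs,
    so it is not the verdict; what separates them is the atapi hook with no owning module,
    at the same address the tool listed as an UNKNOWN called module."""
    r = parse_mbr_log(text)
    suspect = [(obj, addr) for obj, mod, addr in r["hooks"]
               if mod is None or addr in r["unknown_modules"]]
    verdict = "suspect" if (r["warning"] or r["unknown_modules"] or suspect) else "clean"
    return verdict, suspect, r
```

Running `triage(INFECTED_LOG)` returns "suspect" with the atapi hook as the evidence, while `triage(CLEAN_LOG)` returns "clean", matching the helper's reading of the two logs.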