Unknown rootkit fixed by ComboFix



#1 SuperGeniusWizard

Posted 30 July 2010 - 01:10 PM

This week I've encountered two computers seemingly infected with some unknown virus that McAfee, Trend, and Malwarebytes were all unable to detect.

The symptoms were:
- “Generic Host Process for Win32 services has encountered a problem and needs to close” message keeps coming up.
- “Just in time debugging” keeps popping up.
- Unable to view the Windows Update page windowsupdate.microsoft.com; it says the page cannot be displayed.

This was my first time using ComboFix, so for the one computer I simply made a new hard drive and ran ComboFix on the infected drive. ComboFix indicated that it found a rootkit, rebooted, and continued running. Problems fixed! Unfortunately, the log file doesn't identify the rootkit by name so I can't research this further. I am seeking an identification of the malware that was involved. Below is the log:




ComboFix 10-07-29.04 - Administrator 07/30/2010 13:17:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.775 [GMT -4:00]
Running from: \\filesrv1\shared\TB\Antivirus\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator.DJ-XP\Local Settings\Application Data\{6786A10E-6F12-419C-8471-4747B3573EEB}
c:\documents and settings\Administrator.DJ-XP\Local Settings\Application Data\{6786A10E-6F12-419C-8471-4747B3573EEB}\chrome.manifest
c:\documents and settings\Administrator.DJ-XP\Local Settings\Application Data\{6786A10E-6F12-419C-8471-4747B3573EEB}\chrome\content\_cfg.js
c:\documents and settings\Administrator.DJ-XP\Local Settings\Application Data\{6786A10E-6F12-419C-8471-4747B3573EEB}\chrome\content\overlay.xul
c:\documents and settings\Administrator.DJ-XP\Local Settings\Application Data\{6786A10E-6F12-419C-8471-4747B3573EEB}\install.rdf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://lc-wsus
Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.

2010-07-30 16:58 . 2001-08-17 17:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-07-30 16:58 . 2001-08-17 17:52 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-07-28 12:46 . 2008-03-02 07:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-07-28 12:46 . 2010-07-28 12:46 -------- d-----w- c:\program files\Trend Micro
2010-07-28 12:45 . 2010-07-28 12:45 -------- d-----w- c:\documents and settings\DJ_.MAIN\Application Data\InstallShield
2010-07-28 12:22 . 2010-07-28 19:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\windows\system32\drivers\NSS
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\program files\Norton Security Scan
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\program files\NortonInstaller
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-28 12:08 . 2010-07-28 12:08 503808 ----a-w- c:\documents and settings\DJ_.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215b87f8-n\msvcp71.dll
2010-07-28 12:08 . 2010-07-28 12:08 499712 ----a-w- c:\documents and settings\DJ_.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215b87f8-n\jmc.dll
2010-07-28 12:08 . 2010-07-28 12:08 348160 ----a-w- c:\documents and settings\DJ_.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215b87f8-n\msvcr71.dll
2010-07-28 12:08 . 2010-07-28 12:08 12800 ----a-w- c:\documents and settings\DJ_.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11ff8f48-n\decora-d3d.dll
2010-07-28 12:08 . 2010-07-28 12:08 61440 ----a-w- c:\documents and settings\DJ_.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11ff8f48-n\decora-sse.dll
2010-07-28 12:08 . 2010-07-28 12:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 11:41 . 2010-07-28 11:41 -------- d-----w- c:\documents and settings\Administrator.DJ-XP\Application Data\MSNInstaller
2010-07-27 13:10 . 2010-07-27 13:10 -------- d-----w- c:\documents and settings\Administrator.DJ-XP\Application Data\Malwarebytes
2010-07-27 13:09 . 2010-07-27 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-26 12:42 . 2010-07-27 12:28 0 ----a-w- c:\windows\Execi.bin
2010-07-26 12:42 . 2010-07-27 12:28 120 ----a-w- c:\windows\Mkisexilahetila.dat
2010-07-26 12:42 . 2010-07-26 12:42 -------- d-----w- c:\documents and settings\DJ_.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}
2010-07-20 02:00 . 2010-07-20 02:00 -------- d-----w- c:\windows\system32\winrm
2010-07-20 02:00 . 2010-07-20 02:00 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-20 02:00 . 2010-07-20 02:00 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-19 18:26 . 2008-05-09 10:53 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2010-07-19 18:26 . 2008-05-09 10:53 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2010-07-19 18:26 . 2008-05-09 10:53 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2010-07-19 18:26 . 2008-05-09 08:45 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2010-07-19 18:26 . 2008-05-08 11:24 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2010-07-19 18:25 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-07-19 02:13 . 2008-04-14 09:41 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 14:56 . 2009-03-27 18:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-28 12:46 . 2007-10-09 17:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-28 12:13 . 2008-03-27 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 12:08 . 2008-03-27 12:23 -------- d-----w- c:\program files\Java
2010-07-19 02:21 . 2007-10-09 17:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-12 12:00 . 2009-04-29 02:04 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-02 05:22 . 2004-08-04 05:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-05-26 1400944]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-07-08 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143299002-405541030-623647154-2566\Scripts\Logon\0\0]
"Script"=\\MAIN.MAIN.LOCAL\sysvol\MAIN.MAIN.LOCAL\scripts\lclogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4128779970-1068091417-628957002-11320\Scripts\Logon\0\0]
"Script"=\\GOVERNMENT.MAIN.LOCAL\sysvol\GOVERNMENT.MAIN.LOCAL\scripts\lclogon.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [7/28/2010 8:46 AM 582992]
S3 EMCORemoteAdminServer;EMCO Remote Administration Server;c:\windows\System32\EMCOAdministrationServer.exe 6203 --> c:\windows\System32\EMCOAdministrationServer.exe 6203 [?]
S3 OnePointDomainAdminService;Active Directory Migration Agent;c:\windows\OnePointDomainAgent\DCTAgentService.exe [10/16/2008 12:59 PM 39424]
S3 RCLService;Remote Command Line Service;c:\windows\System32\RCLServer.exe 6203 --> c:\windows\System32\RCLServer.exe 6203 [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [7/28/2010 8:46 AM 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 1:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-29 c:\windows\Tasks\Norton Security Scan for dj_.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-28 01:38]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = proxy.MAIN.local:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Reminder - c:\windows\Creator\Remind_XP.exe
HKLM-Run-Recguard - c:\windows\SMINST\RECGUARD.EXE
HKLM-Run-SigmatelSysTrayApp - sttray.exe
MSConfigStartUp-eatuctfs - c:\documents and settings\DJ_.MAIN\Local Settings\Application Data\qpggwyoqk\kadcheatssd.exe
MSConfigStartUp-Equpelewizutero - c:\windows\evupeqepijovapu.dll
MSConfigStartUp-qxknctgk - c:\documents and settings\DJ_.MAIN\Local Settings\Application Data\keryoc\hsjxsysguard.exe
MSConfigStartUp-Utumecilu - c:\windows\mlesadfc.dll
MSConfigStartUp-xbvfngqj - c:\documents and settings\DJ_.MAIN\Local Settings\Application Data\dkowahkca\lyxrhwxtssd.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-07-30 13:23:51
ComboFix-quarantined-files.txt 2010-07-30 17:23

Pre-Run: 66,097,512,448 bytes free
Post-Run: 66,328,866,816 bytes free

- - End Of File - - 37A71A1084668F76EA27810A7A2A3E7C




#2 m0le

Posted 07 August 2010 - 08:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

#3 SuperGeniusWizard

Posted 09 August 2010 - 02:22 PM

Ok, I'm tracking this topic now.

#4 m0le

Posted 09 August 2010 - 05:37 PM

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read ComboFix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Not installing the recovery console could have been a disaster.


The malware found was the TDL3 rootkit, a variant of the TDSS rootkit. You also have malware still on the log, so we need to rerun ComboFix (allowing any updates) and post that log.


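
Comparing the first log with the rerun requested above can be done mechanically. The Python below is an added example, not part of the original posts and not ComboFix's own code: it pulls the remediation actions out of a ComboFix log and lists the "Files Created" entries that a second run still reports. Section names and line layouts are taken from the logs on this page, the function names are hypothetical, the samples are abridged excerpts of those logs, and the script makes no judgement about which entries are malicious.

```python
import re

# Line layouts as they appear in the ComboFix logs posted in this thread.
SECTION_PAREN = re.compile(r"^\(+\s*(.+?)\s*\)+$")
SECTION_DASH = re.compile(r"^(?:-\s?){3,}\s*(.+?)\s*(?:-\s?){3,}$")
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\S+) (\S{8}) (.+)$")
DISINFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
ORPHAN = re.compile(r"^(\w\S*) - (.+)$")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)

# Abridged excerpts of the two logs in this thread (header rules shortened).
FIRST_RUN = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
c:\documents and settings\Administrator.DJ-XP\Local Settings\Application Data\{6786A10E-6F12-419C-8471-4747B3573EEB}\install.rdf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

----- BITS: Possible infected sites -----

hxxp://lc-wsus
Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
.
((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))
.
2010-07-30 16:58 . 2001-08-17 17:52 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-07-28 12:46 . 2008-03-02 07:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-07-28 12:46 . 2010-07-28 12:46 -------- d-----w- c:\program files\Trend Micro
2010-07-26 12:42 . 2010-07-27 12:28 0 ----a-w- c:\windows\Execi.bin
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe
MSConfigStartUp-Utumecilu - c:\windows\mlesadfc.dll

**************************************************************************
- - End Of File - - 37A71A1084668F76EA27810A7A2A3E7C
"""

SECOND_RUN = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
c:\documents and settings\DJ-XP.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}\install.rdf
.
((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))
.
2010-07-30 16:58 . 2001-08-17 17:52 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-07-26 12:42 . 2010-07-27 12:28 0 ----a-w- c:\windows\Execi.bin
"""


def parse_combofix(text):
    """Return deletions, disinfected files, removed autoruns and created files."""
    report = {"deleted": [], "disinfected": [], "orphans": [], "created": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if set(line) == {"*"}:          # rule of asterisks closes the section
            section = None
            continue
        header = SECTION_PAREN.match(line) or SECTION_DASH.match(line)
        if header:
            title = header.group(1)
            # The "Files Created" title carries a date range; normalise it.
            section = "Files Created" if title.startswith("Files Created") else title
            continue
        hit = DISINFECTED.match(line)
        if hit:                          # appears under the BITS header in the log
            report["disinfected"].append(hit.group(1).lower())
        elif section == "Other Deletions" and DRIVE_PATH.match(line):
            report["deleted"].append(line.lower())
        elif section == "Files Created":
            m = FILE_LINE.match(line)
            if m:
                created, _modified, size, attrs, path = m.groups()
                report["created"][path.lower()] = {
                    "created": created,
                    "size": None if size.startswith("-") else int(size),
                    "is_dir": attrs.startswith("d"),
                }
        elif section == "ORPHANS REMOVED":
            m = ORPHAN.match(line)
            if m:
                report["orphans"].append((m.group(1), m.group(2).lower()))
    return report


def still_listed(first, second):
    """Paths from the first run's 'Files Created' list that the rerun lists again."""
    return sorted(set(first["created"]) & set(second["created"]))


if __name__ == "__main__":
    run1, run2 = parse_combofix(FIRST_RUN), parse_combofix(SECOND_RUN)
    print("disinfected:", run1["disinfected"])
    print("removed autoruns:", run1["orphans"])
    print("still listed after rerun:", still_listed(run1, run2))
```
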

#5 SuperGeniusWizard

Posted 10 August 2010 - 07:15 AM

ComboFix 10-08-09.03 - Administrator 08/10/2010 7:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.720 [GMT -4:00]
Running from: c:\documents and settings\Administrator.DJ-XP\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\DJ-XP.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}
c:\documents and settings\DJ-XP.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}\chrome.manifest
c:\documents and settings\DJ-XP.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}\chrome\content\_cfg.js
c:\documents and settings\DJ-XP.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}\chrome\content\overlay.xul
c:\documents and settings\DJ-XP.MAIN\Local Settings\Application Data\{AAE5E411-47B4-4488-8432-CEEAE1B494E4}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-10 11:49 . 2010-08-10 11:49 503808 ----a-w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3220bae7-n\msvcp71.dll
2010-08-10 11:49 . 2010-08-10 11:49 499712 ----a-w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3220bae7-n\jmc.dll
2010-08-10 11:49 . 2010-08-10 11:49 348160 ----a-w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3220bae7-n\msvcr71.dll
2010-08-10 11:49 . 2010-08-10 11:49 61440 ----a-w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-38073e50-n\decora-sse.dll
2010-08-10 11:49 . 2010-08-10 11:49 12800 ----a-w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-38073e50-n\decora-d3d.dll
2010-07-30 16:58 . 2001-08-17 17:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-07-30 16:58 . 2001-08-17 17:52 36736 ----a-w- c:\windows\system32\drivers\ultra.sys
2010-07-28 12:22 . 2010-07-28 19:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\windows\system32\drivers\NSS
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\program files\Norton Security Scan
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\program files\NortonInstaller
2010-07-28 12:15 . 2010-07-28 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-07-28 12:08 . 2010-07-28 12:08 503808 ----a-w- c:\documents and settings\DJ-XP.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215b87f8-n\msvcp71.dll
2010-07-28 12:08 . 2010-07-28 12:08 499712 ----a-w- c:\documents and settings\DJ-XP.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215b87f8-n\jmc.dll
2010-07-28 12:08 . 2010-07-28 12:08 348160 ----a-w- c:\documents and settings\DJ-XP.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-215b87f8-n\msvcr71.dll
2010-07-28 12:08 . 2010-07-28 12:08 12800 ----a-w- c:\documents and settings\DJ-XP.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11ff8f48-n\decora-d3d.dll
2010-07-28 12:08 . 2010-07-28 12:08 61440 ----a-w- c:\documents and settings\DJ-XP.MAIN\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-11ff8f48-n\decora-sse.dll
2010-07-28 12:08 . 2010-07-28 12:08 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 11:41 . 2010-07-28 11:41 -------- d-----w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\MSNInstaller
2010-07-27 13:10 . 2010-07-27 13:10 -------- d-----w- c:\documents and settings\Administrator.DJ-XPXP\Application Data\Malwarebytes
2010-07-27 13:09 . 2010-07-27 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-26 12:42 . 2010-07-27 12:28 0 ----a-w- c:\windows\Execi.bin
2010-07-26 12:42 . 2010-07-27 12:28 120 ----a-w- c:\windows\Mkisexilahetila.dat
2010-07-20 02:00 . 2010-07-20 02:00 -------- d-----w- c:\windows\system32\winrm
2010-07-20 02:00 . 2010-07-20 02:00 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-20 02:00 . 2010-07-20 02:00 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-19 18:26 . 2008-05-09 10:53 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2010-07-19 18:26 . 2008-05-09 10:53 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2010-07-19 18:26 . 2008-05-09 10:53 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2010-07-19 18:26 . 2008-05-09 08:45 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2010-07-19 18:26 . 2008-05-08 11:24 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2010-07-19 18:25 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-07-19 02:13 . 2008-04-14 09:41 4255 ------w- c:\windows\system32\drivers\adv01nt5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 11:49 . 2009-03-27 18:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-28 12:46 . 2007-10-09 17:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-28 12:13 . 2008-03-27 12:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 12:08 . 2008-03-27 12:23 -------- d-----w- c:\program files\Java
2010-07-19 02:21 . 2007-10-09 17:51 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-12 12:00 . 2009-04-29 02:04 -------- d-----w- c:\program files\Microsoft Silverlight
.

((((((((((((((((((((((((((((( SnapShot@2010-07-30_17.22.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-10 11:43 . 2010-08-10 11:43 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
+ 2001-08-17 22:36 . 2004-08-04 05:00 13824 c:\windows\system32\wowfaxui.dll
+ 1999-11-24 22:40 . 1999-11-24 22:40 40960 c:\windows\system32\VBAME.DLL
+ 2001-08-17 22:36 . 2004-08-04 05:00 49211 c:\windows\system32\usrvpa.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 45116 c:\windows\system32\usrvoica.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 49209 c:\windows\system32\usrv80a.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 41019 c:\windows\system32\usrsvpia.dll
+ 2001-08-17 22:37 . 2004-08-04 05:00 69700 c:\windows\system32\usrshuta.exe
+ 2001-08-17 22:36 . 2004-08-04 05:00 49211 c:\windows\system32\usrsdpia.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 77883 c:\windows\system32\usrrtosa.dll
+ 2001-08-17 22:37 . 2004-08-04 05:00 61508 c:\windows\system32\usrprbda.exe
+ 2001-08-17 22:37 . 2004-08-04 05:00 77891 c:\windows\system32\usrmlnka.exe
+ 2001-08-17 22:36 . 2004-08-04 05:00 53305 c:\windows\system32\usrlbva.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 86073 c:\windows\system32\usrfaxa.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 77890 c:\windows\system32\usrdpa.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 69699 c:\windows\system32\usrcoina.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 61500 c:\windows\system32\usrcntra.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 72192 c:\windows\system32\sprio800.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 70656 c:\windows\system32\sprio600.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 69632 c:\windows\system32\spnike.dll
+ 1998-03-25 01:54 . 1998-03-25 01:54 15872 c:\windows\system32\SCP32.DLL
+ 2003-04-18 20:29 . 2003-04-18 20:29 82432 c:\windows\system32\msxml4r.dll
+ 1998-08-09 15:07 . 1998-08-09 15:07 94208 c:\windows\system32\MSSTKPRP.DLL
+ 1998-06-17 23:08 . 1998-06-17 23:08 53248 c:\windows\system32\MFC42ENU.DLL
+ 2001-08-17 22:36 . 2004-08-04 05:00 55296 c:\windows\system32\dvdplay.exe
+ 2001-08-17 14:02 . 2004-08-04 05:00 58112 c:\windows\system32\drivers\vdmindvd.sys
+ 2001-08-17 14:03 . 2008-04-14 04:15 25728 c:\windows\system32\drivers\usbcamd2.sys
+ 2001-08-17 14:03 . 2008-04-14 04:15 25600 c:\windows\system32\drivers\usbcamd.sys
+ 2001-08-17 14:06 . 2004-08-04 05:00 21376 c:\windows\system32\drivers\tsbvcap.sys
+ 2001-08-17 14:01 . 2004-08-04 05:00 51712 c:\windows\system32\drivers\tosdvd.sys
+ 2001-08-17 13:24 . 2004-08-04 05:00 12032 c:\windows\system32\drivers\riodrv.sys
+ 2001-08-17 13:24 . 2004-08-04 05:00 12032 c:\windows\system32\drivers\rio8drv.sys
+ 2001-08-17 13:24 . 2004-08-04 05:00 12032 c:\windows\system32\drivers\nikedrv.sys
+ 2001-08-17 13:57 . 2004-08-04 05:00 12160 c:\windows\system32\drivers\fsvga.sys
+ 2001-08-17 13:24 . 2004-08-04 05:00 11776 c:\windows\system32\drivers\cpqdap01.sys
+ 2001-08-17 13:52 . 2004-08-04 05:00 18688 c:\windows\system32\drivers\cdaudio.sys
+ 2003-03-19 02:05 . 2003-03-19 02:05 89088 c:\windows\system32\atl71.dll
+ 2001-06-05 12:13 . 2001-06-05 12:13 40972 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OCRVC.DAT
+ 2001-10-23 04:13 . 2001-10-23 04:13 53260 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OCRHC.DAT
+ 2001-06-05 12:13 . 2001-06-05 12:13 65536 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\LOOKUP.DAT
+ 2001-06-05 12:13 . 2001-06-05 12:13 18844 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\JFONT.DAT
+ 2001-06-05 12:13 . 2001-06-05 12:13 34168 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\ENGIDX.DAT
+ 2003-01-17 18:03 . 2003-01-17 18:03 59466 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\XSCAN32.DAT
+ 2002-10-07 13:49 . 2002-10-07 13:49 81983 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWRECS.DLL
+ 2002-10-07 13:49 . 2002-10-07 13:49 81984 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\REVERSE.DLL
+ 2003-05-09 01:54 . 2003-05-09 01:54 77824 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 16384 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 35328 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MDIUI.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 18944 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MDIPPR.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 17920 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MDIMON.DLL
+ 2001-08-17 22:36 . 2004-08-04 05:00 3200 c:\windows\system32\wowfax.dll
+ 2001-08-17 22:36 . 2009-11-27 16:07 8704 c:\windows\system32\tsbyuv.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 8192 c:\windows\system32\streamci.dll
+ 2003-06-18 21:31 . 2003-06-18 21:31 6144 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\OCRPS.DLL
+ 2001-08-17 22:36 . 2004-08-04 05:00 102457 c:\windows\system32\usrv42a.dll
+ 2001-08-17 22:36 . 2004-08-04 05:00 323641 c:\windows\system32\usrdtea.dll
+ 2000-04-03 21:52 . 2000-04-03 21:52 151552 c:\windows\system32\RDOCURS.DLL
+ 2001-08-17 22:36 . 2004-08-04 05:00 157696 c:\windows\system32\paqsp.dll
+ 2000-05-24 02:45 . 2000-05-24 02:45 118784 c:\windows\system32\MSSTDFMT.DLL
+ 2000-05-11 17:06 . 2000-05-11 17:06 397312 c:\windows\system32\MSRDO20.DLL
+ 2001-08-17 22:36 . 2004-08-04 05:00 147968 c:\windows\system32\mdwmdmsp.dll
+ 2001-08-17 14:02 . 2004-08-04 05:00 262528 c:\windows\system32\drivers\cinemst2.sys
+ 2001-06-05 12:13 . 2001-06-05 12:13 289926 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\ENGDIC.DAT
+ 2002-10-07 13:51 . 2002-10-07 13:51 221252 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWSTRUCT.DLL
+ 2002-10-07 13:50 . 2002-10-07 13:50 118847 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWRECE.DLL
+ 2002-10-07 13:51 . 2002-10-07 13:51 102467 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWORIENT.DLL
+ 2002-10-07 13:51 . 2002-10-07 13:51 147520 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWLAY32.DLL
+ 2002-10-07 13:51 . 2002-10-07 13:51 180289 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWCUTLIN.DLL
+ 2002-10-07 13:50 . 2002-10-07 13:50 241729 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\TWCUTCHR.DLL
+ 2002-10-07 13:53 . 2002-10-07 13:53 106561 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\THOCRAPI.DLL
+ 2002-10-07 14:11 . 2002-10-07 14:11 167997 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\PSOM.DLL
+ 2003-06-19 20:05 . 2003-06-19 20:05 364648 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-06-19 20:05 . 2003-06-19 20:05 128104 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSPSCAN.EXE
+ 2003-06-18 21:31 . 2003-06-18 21:31 788480 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSPFILT.DLL
+ 2002-04-10 00:14 . 2002-04-10 00:14 187560 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSMDUN80.DLL
+ 2002-12-17 23:08 . 2002-12-17 23:08 359600 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSDMENG.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 443904 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 252928 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-06-18 21:31 . 2003-06-18 21:31 758784 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MDIGRAPH.DLL
+ 2002-10-07 13:49 . 2002-10-07 13:49 192573 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\FORM.DLL
+ 2003-04-30 15:52 . 2003-04-30 15:52 1581120 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\XPAGE3C.DLL
+ 2002-10-07 14:03 . 2002-10-07 14:03 1794113 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\XIMAGE3B.DLL
+ 2003-07-03 19:19 . 2003-07-03 19:19 2502656 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\VBE6.DLL
+ 2003-07-07 17:36 . 2003-07-07 17:36 2058343 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
+ 2003-06-18 21:31 . 2003-06-18 21:31 1033216 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL
+ 2002-12-17 23:09 . 2002-12-17 23:09 2071752 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSOLAP80.DLL
+ 2002-12-17 23:08 . 2002-12-17 23:08 1383592 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.5614\MSDMINE.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-05-26 1400944]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-07-08 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2143299002-405541030-623647154-2566\Scripts\Logon\0\0]
"Script"=\\MAIN.MAIN.LOCAL\sysvol\MAIN.MAIN.LOCAL\scripts\lclogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4128779970-1068091417-628957002-11320\Scripts\Logon\0\0]
"Script"=\\GOVERNMENT.MAIN.LOCAL\sysvol\GOVERNMENT.MAIN.LOCAL\scripts\lclogon.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 EMCORemoteAdminServer;EMCO Remote Administration Server;c:\windows\System32\EMCOAdministrationServer.exe 6203 --> c:\windows\System32\EMCOAdministrationServer.exe 6203 [?]
S3 OnePointDomainAdminService;Active Directory Migration Agent;c:\windows\OnePointDomainAgent\DCTAgentService.exe [10/16/2008 12:59 PM 39424]
S3 RCLService;Remote Command Line Service;c:\windows\System32\RCLServer.exe 6203 --> c:\windows\System32\RCLServer.exe 6203 [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 1:00 AM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-07-29 c:\windows\Tasks\Norton Security Scan for DJ-XP.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-07-28 01:38]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = proxy.MAIN.org:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-08-10 07:55:22
ComboFix-quarantined-files.txt 2010-08-10 11:55
ComboFix2.txt 2010-07-30 17:23

Pre-Run: 66,244,980,736 bytes free
Post-Run: 66,244,882,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 46E22335FF672EAE57A0A94F84FF4337


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:29 AM

Posted 10 August 2010 - 12:07 PM

Thanks. That gives me a better picture of what's happening.

Are you aware that you are using remote administration servers? They are EMCO and RCL, if that helps.


Other than that there's a few trash files dropped by malware which we can just remove next.


m0le is a proud member of UNITE
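
The triage point raised in the post above (remote administration services present on the machine) can be pulled out of a ComboFix log mechanically; the same log also shows the Windows Firewall disabled and 3389/TCP globally open. This is an added example, not part of the thread and not ComboFix code: the line formats are inferred from the log excerpt embedded below (copied from the log posted earlier in this thread), and reading `[?]` as "file details could not be read" is an assumption.

```python
import re

# Excerpt copied from the ComboFix log posted earlier in this thread.
LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 EMCORemoteAdminServer;EMCO Remote Administration Server;c:\windows\System32\EMCOAdministrationServer.exe 6203 --> c:\windows\System32\EMCOAdministrationServer.exe 6203 [?]
S3 OnePointDomainAdminService;Active Directory Migration Agent;c:\windows\OnePointDomainAgent\DCTAgentService.exe [10/16/2008 12:59 PM 39424]
S3 RCLService;Remote Command Line Service;c:\windows\System32\RCLServer.exe 6203 --> c:\windows\System32\RCLServer.exe 6203 [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 1:00 AM 14336]
'''

# "<state><start type> name;display name;image path [file details]" (inferred format)
SERVICE = re.compile(r'^([RS])(\d) ([^;]+);([^;]+);(.+?) \[([^\]]*)\]\s*$')
SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=\s*(.*)$')

def triage(log):
    """Collect the items a reviewer would want to confirm with the machine's owner."""
    findings = {"firewall_disabled": False, "open_ports": [],
                "remote_services": [], "unverified_binaries": []}
    section = ""
    for line in log.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:                      # remember which registry key we are under
            section = m.group(1).lower()
            continue
        m = VALUE.match(line)
        if m and section.endswith(r"firewallpolicy\standardprofile"):
            if m.group(1) == "EnableFirewall" and m.group(2).startswith("0"):
                findings["firewall_disabled"] = True
        elif m and section.endswith(r"globallyopenports\list"):
            findings["open_ports"].append(m.group(1))
        m = SERVICE.match(line)
        if m:
            _state, _start, name, display, _path, details = m.groups()
            if "remote" in display.lower():
                findings["remote_services"].append(name)
            if details == "?":     # assumption: ComboFix could not read the file
                findings["unverified_binaries"].append(name)
    return findings

if __name__ == "__main__":
    print(triage(LOG))
```

Services that appear in both `remote_services` and `unverified_binaries` are the two named in the post above; WinRM is listed as well because it is a remote-management service, though it ships with Windows.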

#7 SuperGeniusWizard

Posted 10 August 2010 - 12:11 PM

I saw EMCO and was wondering where that came from. We do not use it but the computer was offsite and it's possible that other vendors installed it. I already installed a freshly imaged hard drive in that computer so it's no longer an issue. My main concern was to identify the malware so we can figure out why Trend Micro OfficeScan didn't find it, nor a few other conventional antivirus tools.

#8 m0le

Posted 10 August 2010 - 12:19 PM

Okay, then that's that. The reason why the conventional antiviruses have struggled with this is because, first, it's a new variant of a rootkit and second, antiviruses are, as their name suggests, first and foremost a virus remover not a rootkit remover.


Please delete the following files

c:\windows\Execi.bin
c:\windows\Mkisexilahetila.dat


Then uninstall Combofix

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

That's it. Cheers,

m0le
m0le is a proud member of UNITE

#9 m0le

Posted 14 August 2010 - 06:42 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



