
HELP Combofix has deleted the entire user profile inc desktop my docs data


  • This topic is locked
17 replies to this topic

#1 granitecs


Posted 05 February 2015 - 08:01 AM

Help Please... Combofix has deleted/quarantined the entire user profile folder contents inc desktop & my docs data.

Yesterday (4th Feb 2015 @ approx 17:00hrs GMT) we ran combofix on a suspected infected computer. It had AVG cloudcare, we disabled the realtime scanner until restart. We then downloaded combofix direct from bleepingcomputer.

Combofix ran, did its normal stuff, then we noticed it was DELETING what we have found to be EVERYTHING in the user's c:\users\%username%\ folder, to the point that when the computer rebooted, it re-created the appdata folders, etc, etc like a new user was logging into a new PC.

There is a URL that might help here, but it's quite old and it was for WinXP. Does anyone know if the same can be run for Win7? And more importantly has anyone had this same experience recently!!!???

URL: http://www.bleepingcomputer.com/forums/t/290138/combofix-problems-and-resolution-for-legitimate-files-being-deleted/

It might just be that this computer is heavily infected and all the profile files are genuinely infected with something. I am fully aware that bleepingcomputer recommend backing up before running this, but I've used this 50-100 times at least, and never ever had this happen. We are also aware that the deleted files are put in C:\QooBox\(the original path)\ and have the extension .vir added to the file name and original file extension. So you can of course, without the EXE mentioned in the above URL article, just remove the .vir from potentially thousands of files (using a script) and all should be OK again, but ideally we would like to run the tool as this appears to set security/permissions etc as well.

If anyone can help with ref to how this possibly happened i.e. (all files are actually infected) or if this was another bug like what happened a few years back (as per URL), that would be very very much appreciated.





#2 Elise



  • Malware Study Hall Admin

Posted 05 February 2015 - 09:56 AM

Before anything, I'd recommend you to upload a few of the deleted files to http://www.virustotal.com so we can have a look if they were infected or not.

It would also be helpful if you could zip up and attach c:\combofix.txt

As for precautions, it's clearly stated you should run Combofix only under expert guidance; if you choose not to do that then you risk problems like the one you are describing, unfortunately.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 granitecs


Posted 05 February 2015 - 02:27 PM

Hello Elise,

Thank you for your response, we have managed to get the PC back to the state it was originally in, i.e. "working". When we ran the EXE listed in the article to restore all the files back, it prompted to save a log file in the temp dir, we clicked yes, a blank notepad window appeared and the system appeared to do nothing for a while. So we re-ran the EXE to then be prompted with an error message: "Error: 0x00007766". After some research on a MajorGeeks article, it appeared this had happened to another user years back and apart from the combofix ppl updating the EXE, there didn't really appear to be any actual resolution.

However, we are skilled, so after removing the ".vir" extension from 33 thousand files, we re-built the user's profile directory offline by moving all the data back to the original locations, booted Windows and logged in. There were still a few blips with the user's bespoke settings such as taskbar pins etc, so we did a system restore and then all was back exactly as it was and working. Even the desktop icons were in the original place, so we knew all was OK! If you've recovered users' profiles before, you'll know what I mean.

After digging through the quarantine, which to be honest I've never ever needed to use, we could see it had quarantined an MBR file, which I presume is certainly not normal, or is it good. We have not seen this when running combofix in the past on other machines. Could this be why combofix quarantined all 33 thousand files? Could they genuinely all be infected with or via an MBR/boot sector rootkit?

I will upload a stripped-out version of the combofix log file; as I'm sure you will appreciate, all personal file names etc are all revealed, so I'll leave what I can that's not sensitive. I'll also upload a few of the quarantined files and the MBR file in the quarantine as well. I'm guessing all in a ZIP file will be acceptable? Is virustotal anything to do with you? I'm guessing it is, but just wanted to confirm.

Thank you again for your assistance.
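The bulk recovery described in posts #1 and #3 (strip `.vir` from everything under the quarantine folder and put each file back at its original relative path), as an added example that is not part of the original thread and is not ComboFix's own restore tool. It assumes the quarantine tree mirrors the original paths as post #1 describes; the function names are hypothetical, the sample tree is constructed, and the script copies rather than moves, refuses to overwrite existing files, and records a SHA-256 per file so samples can be checked on VirusTotal before anything is restored.

```python
"""Added example: restore files from a ComboFix-style quarantine tree.

Assumption (from post #1): each quarantined file sits under the quarantine
root at its original relative path, with ".vir" appended to its full name.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

QUARANTINE_SUFFIX = ".vir"


def sha256_of(path):
    """Hash a file in chunks so large documents are not read into memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plan_restore(quarantine_root, restore_root):
    """Dry run: list what would be restored without touching anything."""
    quarantine_root, restore_root = Path(quarantine_root), Path(restore_root)
    plan = []
    for src in sorted(quarantine_root.rglob("*")):
        # Only regular, non-symlink files carrying the suffix (any letter case).
        if src.is_symlink() or not src.is_file():
            continue
        if src.suffix.lower() != QUARANTINE_SUFFIX:
            continue
        rel = src.relative_to(quarantine_root)
        original_name = rel.name[: -len(QUARANTINE_SUFFIX)]
        dst = restore_root / rel.with_name(original_name)
        plan.append({
            "src": src,
            "dst": dst,
            "sha256": sha256_of(src),  # look this up before restoring
            "status": "conflict" if dst.exists() else "ready",
        })
    return plan


def apply_restore(plan):
    """Copy every 'ready' item; never overwrite, and verify each copy."""
    restored = []
    for item in plan:
        if item["status"] != "ready":
            continue  # conflicts are left for a human to resolve
        item["dst"].parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(item["src"], item["dst"])  # quarantine copy stays intact
        if sha256_of(item["dst"]) != item["sha256"]:
            raise OSError(f"hash mismatch after copy: {item['dst']}")
        item["status"] = "restored"
        restored.append(item["dst"])
    return restored


def demo():
    """Run against a small constructed tree (not data from the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        quarantine = Path(tmp) / "QooBox"
        target = Path(tmp) / "restored"
        samples = {
            "Users/username/Desktop/report.docx.vir": b"report",
            "Users/username/Documents/notes.txt.VIR": b"notes",
            "Users/username/Documents/budget.xls.vir": b"old budget",
            "catchme.log": b"not a quarantined file",
        }
        for rel, data in samples.items():
            path = quarantine / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        # A file recreated after the cleanup run must not be clobbered.
        existing = target / "Users/username/Documents/budget.xls"
        existing.parent.mkdir(parents=True, exist_ok=True)
        existing.write_bytes(b"newer copy")

        plan = plan_restore(quarantine, target)
        restored = apply_restore(plan)
        statuses = {
            item["dst"].relative_to(target).as_posix(): item["status"]
            for item in plan
        }
        return statuses, existing.read_bytes(), len(restored)


if __name__ == "__main__":
    for name, status in demo()[0].items():
        print(f"{status:9} {name}")
```

`shutil.copy2` keeps timestamps but does not reapply NTFS ACLs or ownership, which is the part post #1 expected the dedicated restore tool to handle.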



#4 Elise



  • Malware Study Hall Admin

Posted 05 February 2015 - 02:41 PM

Removing the username is okay, you can just replace it with "username" or something else generic.

No need for the MBR dump, the log should give the information necessary for that.

As for VirusTotal, it is part of Google and offers a scan of a file by 56 associated antivirus products. It is not associated with BleepingComputer, but used quite a lot because it gives a lot of information about a file in regards to its malicious potential.

regards, Elise




#5 granitecs


Posted 05 February 2015 - 03:09 PM

OK, thank you, yes, I see it was owned by Google, never used it to be honest, never really had the need to until now!

 

I popped some of the combofix quarantined files in the ZIP as well as the MBR file (did it before you posted, sorry) but all files have come back CLEAN.

 

So.. What on earth next? Put it down to a one off? I'm stumped! Can the combofix devs throw any light on it?

 

Results:

SHA256: 314c55ec7dadc53ecd8cac0e88bea1de1cebe16a310cfcdbdedefa1063fef46d
File name: Uploads for VirusTotal-Combofix-4-Feb-2015-1700hrs-GMT.zip
Detection ratio: 0 / 56  
Analysis date: 2015-02-05 20:01:40 UTC ( 0 minutes ago )  
 

Thank you.



#6 Elise



  • Malware Study Hall Admin

Posted 05 February 2015 - 03:30 PM

Please post combofix.txt (you can snip out the Other Deletions section and replace usernames).

regards, Elise




#7 granitecs


Posted 05 February 2015 - 03:58 PM

Hi,

 

I don't know how to attach it, so have pasted below:

 

 

ComboFix 15-02-02.01 - %username% 04-Feb-15  16:59:37.1.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8100.5090 [GMT 0:00]
Running from: c:\ComboFix.exe
AV: AVG CloudCare AntiVirus 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG CloudCare AntiVirus 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
    /wow section - STAGE 6A
.
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-04 to 2015-02-04  )))))))))))))))))))))))))))))))
.
.
2015-02-04 16:48 . 2015-02-04 16:49    129752    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-02-04 16:48 . 2015-02-04 16:48    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2015-02-04 16:48 . 2015-02-04 16:48    --------    d-----w-    c:\programdata\Malwarebytes
2015-02-04 16:48 . 2014-11-21 06:14    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-02-04 16:48 . 2014-11-21 06:14    93400    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-02-04 16:48 . 2014-11-21 06:14    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-02-04 16:48 . 2015-02-04 16:49    --------    d-----w-    C:\private file
2015-01-12 16:21 . 2015-01-12 16:21    --------    d-----w-    c:\programdata\WebEx
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-29 10:20 . 2014-05-22 16:46    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-29 10:20 . 2014-05-22 16:46    701616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-12-22 17:52 . 2014-07-22 06:59    535576    ----a-w-    c:\windows\system32\drivers\RapportKE64.sys
2014-12-13 05:09 . 2014-12-18 16:33    144384    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-12-13 03:33 . 2014-12-18 16:33    115712    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-12-04 02:50 . 2014-12-10 00:34    413184    ----a-w-    c:\windows\system32\generaltel.dll
2014-12-04 02:50 . 2014-12-10 00:34    741376    ----a-w-    c:\windows\system32\invagent.dll
2014-12-04 02:50 . 2014-12-10 00:34    396800    ----a-w-    c:\windows\system32\devinv.dll
2014-12-04 02:50 . 2014-12-10 00:34    192000    ----a-w-    c:\windows\system32\aepic.dll
2014-12-04 02:44 . 2014-12-10 00:34    1083392    ----a-w-    c:\windows\system32\aeinv.dll
2014-12-01 23:28 . 2014-12-10 00:34    1232040    ----a-w-    c:\windows\system32\aitstatic.exe
2014-11-27 01:43 . 2014-12-10 00:33    389296    ----a-w-    c:\windows\system32\iedkcs32.dll
2014-11-22 03:13 . 2014-12-10 00:33    25059840    ----a-w-    c:\windows\system32\mshtml.dll
2014-11-22 03:06 . 2014-12-10 00:33    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-11-22 03:06 . 2014-12-10 00:33    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:50 . 2014-12-10 00:33    66560    ----a-w-    c:\windows\system32\iesetup.dll
2014-11-22 02:50 . 2014-12-10 00:33    580096    ----a-w-    c:\windows\system32\vbscript.dll
2014-11-22 02:49 . 2014-12-10 00:33    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:49 . 2014-12-10 00:33    2885120    ----a-w-    c:\windows\system32\iertutil.dll
2014-11-22 02:48 . 2014-12-10 00:33    88064    ----a-w-    c:\windows\system32\MshtmlDac.dll
2014-11-22 02:41 . 2014-12-10 00:33    54784    ----a-w-    c:\windows\system32\jsproxy.dll
2014-11-22 02:40 . 2014-12-10 00:33    34304    ----a-w-    c:\windows\system32\iernonce.dll
2014-11-22 02:37 . 2014-12-10 00:33    633856    ----a-w-    c:\windows\system32\ieui.dll
2014-11-22 02:35 . 2014-12-10 00:33    114688    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-11-22 02:34 . 2014-12-10 00:33    814080    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-11-22 02:34 . 2014-12-10 00:33    6039552    ----a-w-    c:\windows\system32\jscript9.dll
2014-11-22 02:26 . 2014-12-10 00:33    968704    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 02:22 . 2014-12-10 00:33    490496    ----a-w-    c:\windows\system32\dxtmsft.dll
2014-11-22 02:20 . 2014-12-10 00:33    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14 . 2014-12-10 00:33    77824    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 02:09 . 2014-12-10 00:33    199680    ----a-w-    c:\windows\system32\msrating.dll
2014-11-22 02:08 . 2014-12-10 00:33    92160    ----a-w-    c:\windows\system32\mshtmled.dll
2014-11-22 02:07 . 2014-12-10 00:33    501248    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-11-22 02:07 . 2014-12-10 00:33    62464    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-11-22 02:06 . 2014-12-10 00:33    47616    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-10 00:33    64000    ----a-w-    c:\windows\SysWow64\MshtmlDac.dll
2014-11-22 02:05 . 2014-12-10 00:33    316928    ----a-w-    c:\windows\system32\dxtrans.dll
2014-11-22 01:54 . 2014-12-10 00:33    620032    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:49 . 2014-12-10 00:33    718848    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-11-22 01:49 . 2014-12-10 00:33    800768    ----a-w-    c:\windows\system32\msfeeds.dll
2014-11-22 01:47 . 2014-12-10 00:33    1359360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:46 . 2014-12-10 00:33    2125312    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-11-22 01:43 . 2014-12-10 00:33    14412800    ----a-w-    c:\windows\system32\ieframe.dll
2014-11-22 01:40 . 2014-12-10 00:33    60416    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-10 00:33    4299264    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-11-22 01:28 . 2014-12-10 00:33    2358272    ----a-w-    c:\windows\system32\wininet.dll
2014-11-22 01:22 . 2014-12-10 00:33    2052096    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21 . 2014-12-10 00:33    1155072    ----a-w-    c:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:15 . 2014-12-10 00:33    1548288    ----a-w-    c:\windows\system32\urlmon.dll
2014-11-22 01:03 . 2014-12-10 00:33    800768    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-11-22 01:00 . 2014-12-10 00:33    1888256    ----a-w-    c:\windows\SysWow64\wininet.dll
2014-11-19 04:31 . 2014-11-19 04:31    1217192    ----a-w-    c:\windows\SysWow64\FM20.DLL
2014-11-11 03:09 . 2014-12-10 00:33    1424384    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-11-11 03:08 . 2014-11-19 08:56    241152    ----a-w-    c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-19 08:56    728064    ----a-w-    c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-12-10 00:33    1230336    ----a-w-    c:\windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44 . 2014-11-19 08:56    186880    ----a-w-    c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-19 08:56    550912    ----a-w-    c:\windows\SysWow64\kerberos.dll
2014-11-11 01:46 . 2014-12-10 00:33    119296    ----a-w-    c:\windows\system32\drivers\tdx.sys
2014-11-08 03:16 . 2014-12-10 00:32    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-11-08 02:45 . 2014-12-10 00:32    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2013-11-13 134616]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2013-08-15 292848]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-09-06 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]
"AVG_UI"="c:\program files (x86)\AVG\AVG2014\avgui.exe" [2014-12-16 5188112]
"AVG CloudCare"="c:\program files (x86)\AVG\CloudCare\AvgTrayApp.exe" [2014-07-25 108312]
"racontrol"="c:\program files (x86)\AVG\CloudCare\AvgRemote\raserver.exe" [2013-08-29 1404080]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Phone Manager.lnk - c:\program files (x86)\Xarios\Xarios Phone Manager\Xarios.PhoneManager.Client.exe [2014-7-7 1498272]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 Communication_Gateway;XCS Communication Gateway;c:\program files (x86)\Xarios\Xarios Communications Server\Communicator\Xarios.Communication.Service.exe;c:\program files (x86)\Xarios\Xarios Communications Server\Communicator\Xarios.Communication.Service.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys;c:\windows\SYSNATIVE\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys;c:\windows\SYSNATIVE\drivers\nusb3xhc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe;c:\windows\SYSNATIVE\inetsrv\wmsvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 SQLAgent$CALLRECORDER;SQL Server Agent (CALLRECORDER);c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.CALLRECORDER\MSSQL\Binn\SQLAGENT.EXE;c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.CALLRECORDER\MSSQL\Binn\SQLAGENT.EXE [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys;c:\windows\SYSNATIVE\Drivers\RapportKE64.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 RapportCerberus_80120;RapportCerberus_80120;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80120.sys;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80120.sys [x]
S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [x]
S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [x]
S2 AvgApiWrapper;AVG CloudCare - AvgApiWrapper;c:\program files (x86)\AVG\CloudCare\AvgApiWrapper.exe;c:\program files (x86)\AVG\CloudCare\AvgApiWrapper.exe [x]
S2 AvgRemote;AVG Remote;c:\program files (x86)\AVG\CloudCare\AvgRemote\AvgRemote.exe;c:\program files (x86)\AVG\CloudCare\AvgRemote\AvgRemote.exe [x]
S2 AvgUpgrade;AVG CloudCare - AvgUpgrade;c:\program files (x86)\AVG\CloudCare\AvgUpgrade.exe;c:\program files (x86)\AVG\CloudCare\AvgUpgrade.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe [x]
S2 ftpsvc;Microsoft FTP Service;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 MSSQL$CALLRECORDER;SQL Server (CALLRECORDER);c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.CALLRECORDER\MSSQL\Binn\sqlservr.exe;c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.CALLRECORDER\MSSQL\Binn\sqlservr.exe [x]
S2 NVWMI;NVIDIA WMI Provider;c:\windows\system32\nvwmi64.exe;c:\windows\SYSNATIVE\nvwmi64.exe [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [x]
S2 raserver;AVG Remote IT Server;c:\program files (x86)\AVG\CloudCare\AvgRemote\raserver.exe;c:\program files (x86)\AVG\CloudCare\AvgRemote\raserver.exe [x]
S2 ReportServer$CALLRECORDER;SQL Server Reporting Services (CALLRECORDER);c:\program files (x86)\Microsoft SQL Server\MSRS10_50.CALLRECORDER\Reporting Services\ReportServer\bin\ReportingServicesService.exe;c:\program files (x86)\Microsoft SQL Server\MSRS10_50.CALLRECORDER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S2 XCS_Watchdog;XCS Watchdog;c:\program files (x86)\Xarios\Xarios Communications Server\Call Recorder\XariosRecorderWatchdog.exe;c:\program files (x86)\Xarios\Xarios Communications Server\Call Recorder\XariosRecorderWatchdog.exe [x]
S2 XmppAuth;AVG CloudCare - XmppAuth;c:\program files (x86)\AVG\CloudCare\XmppAuth.exe;c:\program files (x86)\AVG\CloudCare\XmppAuth.exe [x]
S3 App_Server;XCS Application Server;c:\program files (x86)\Xarios\Xarios Communications Server\AppServer\Application Server.exe;c:\program files (x86)\Xarios\Xarios Communications Server\AppServer\Application Server.exe [x]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
S3 Call_Recorder;XCS Call Recorder/Logger;c:\program files (x86)\Xarios\Xarios Communications Server\Call Recorder\XariosCallRecorder.exe;c:\program files (x86)\Xarios\Xarios Communications Server\Call Recorder\XariosCallRecorder.exe [x]
S3 DB_Archiver;XCS DB Archiver;c:\program files (x86)\Xarios\Xarios Communications Server\DB Archiver\XariosDBArchiver.exe;c:\program files (x86)\Xarios\Xarios Communications Server\DB Archiver\XariosDBArchiver.exe [x]
S3 e1dexpress;Intel® PRO/1000 PCI Express Network Connection Driver D;c:\windows\system32\DRIVERS\e1d62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1d62x64.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MSSQLFDLauncher$CALLRECORDER;SQL Full-text Filter Daemon Launcher (CALLRECORDER);c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.CALLRECORDER\MSSQL\Binn\fdlauncher.exe;c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.CALLRECORDER\MSSQL\Binn\fdlauncher.exe [x]
S3 XCS_WCF;XCS WCF;c:\program files (x86)\Xarios\Xarios Communications Server\WCF\Xarios.CallRecorder.WCFService.ServiceHost.exe;c:\program files (x86)\Xarios\Xarios Communications Server\WCF\Xarios.CallRecorder.WCFService.ServiceHost.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs    REG_MULTI_SZ       w3svc was
apphost    REG_MULTI_SZ       apphostsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-04 01:24    1086280    ----a-w-    c:\program files (x86)\Google\Chrome\Application\40.0.2214.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-22 10:20]
.
2015-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-22 16:46]
.
2015-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-22 16:46]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2013-08-19 7202520]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2013-07-29 1321688]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-11-14 2747168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-01-31 391152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-01-31 771568]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-01-31 770544]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: livemeeting.com\fwd206
Trusted Zone: webjoin.com\www
TCP: DhcpNameServer = %removed%
FF - ProfilePath - c:\users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles\9xny54sh.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-StereoLinksInstall - c:\program files (x86)\NVIDIA Corporation\3D Vision\nvstlink.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Salesforce for Outlook.lnk - (no file)
AddRemove-GoToMeeting - c:\users\%username%\AppData\Local\Citrix\GoToMeeting\2273\G2MUninstall.exe
AddRemove-JoinMe - c:\users\%username%\AppData\Local\join.me\join.me.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_296.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_296.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_296.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_296.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-02-04  20:34:47
ComboFix-quarantined-files.txt  2015-02-04 20:33
.
Pre-Run: 860,659,892,224 bytes free
Post-Run: 863,942,803,456 bytes free
.
- - End Of File - - 85052609A16F7DF89B2578B44A2F29B0
A36C5E4F47E84449FF07ED3517B43A31



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:01 PM

Posted 05 February 2015 - 04:46 PM

Since you posted the entire log...I am moving this topic to a more appropriate forum where Elise can continue.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 granitecs

granitecs
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 05 February 2015 - 04:56 PM

Sorry, but yes, no problems, if a file can simply be attached, please tell me how and I'll delete and re-post if it helps.



#10 quietman7


Posted 05 February 2015 - 05:13 PM

Since you already posted the log...there is no need to attach it now.

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:01 PM

Posted 06 February 2015 - 03:01 AM

There is nothing strange showing up in this log. Are you sure this is from the run where CF deleted the user profile? I see post run there was about 3 GB of space freed up (that's including emptying temporary folders and such). A typical user folder is easily 4, 5 times that size.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 granitecs


Posted 06 February 2015 - 12:38 PM

Hi Elise,

 

This was definitely the combofix log from that computer, when we brought it in, we performed an image before we touched it. I copied/pasted from it last night myself. I would not actually expect the disk space to be affected at all as the files had been moved to the “C:\Qoobox” not deleted. However if you have confirmed 3GB of disk space had been freed up, then I have no idea what happened there?! I can only presume, some data was actually deleted then? The user's profile folder was 12-13GB total.

 

I would of course be more than happy to send the rest of the log file over, but as literally every single file was quarantined, it details the user's file/folder names which are all different and this would be a breach of the data protection act. This is not your average consumer's machine. So I am really sorry, not knowing you like a member of my family, I can't release the “other deletions” section of the log. However, just so you know, the "other deletions" section of the log is 30565 lines in size.

 

I am very sorry for this and I cannot thank you enough for your help and assistance with this, it is very much appreciated. Thank you for also confirming that the log file confirms there is nothing strange on the system, that is also appreciated. And for the virustotal site to check the files it had quarantined.

 

I think I am just going to put this down to a life experience, it's given me a rude awakening with combofix, never ever have I had this in all the years I’ve been using it (which is not that often), but full DR backups will be done first going forward!

 

Kind regards

 

Tim
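The reconciliation these posts turn on (free space gained according to the log versus what actually sits in quarantine) can be checked without touching any file. This is an added example, not part of the thread and not ComboFix's own tooling; it assumes the quarantine tree mirrors the original path with `.vir` appended, as the first post describes, and the function names, the sample tree and the user `alice` are hypothetical.

```python
import os
import re
import tempfile
from pathlib import Path

SUFFIX = ".vir"  # extension the thread says is appended to quarantined files

# The two free-space lines from the log posted in this thread.
LOG_TAIL = """Pre-Run: 860,659,892,224 bytes free
Post-Run: 863,942,803,456 bytes free"""


def freed_bytes(log_text):
    """Post-Run minus Pre-Run free space, parsed from the log text."""
    vals = {k: int(v.replace(",", "")) for k, v in
            re.findall(r"^(Pre|Post)-Run:\s*([\d,]+) bytes free", log_text, re.M)}
    return vals["Post"] - vals["Pre"]


def plan_restore(quarantine_root, restore_root):
    """Dry run: map every *.vir file back to its original relative path.

    Returns (plan, quarantined_bytes, skipped). Nothing is moved or renamed.
    """
    qroot, rroot = Path(quarantine_root), Path(restore_root)
    plan, skipped, total = [], [], 0
    for dirpath, _dirs, files in os.walk(qroot):
        for name in files:
            src = Path(dirpath) / name
            if not name.lower().endswith(SUFFIX) or len(name) == len(SUFFIX):
                skipped.append(src)  # not a quarantine entry, leave it alone
                continue
            dest = rroot / src.relative_to(qroot).with_name(name[:-len(SUFFIX)])
            plan.append((src, dest, dest.exists()))  # True = would overwrite
            total += src.stat().st_size
    return plan, total, skipped


def demo():
    """Constructed sample tree, built in a temporary directory."""
    base = Path(tempfile.mkdtemp())
    q, r = base / "Qoobox", base / "restore"
    docs = q / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.vir").write_bytes(b"x" * 2048)
    (docs / "notes.txt.vir").write_bytes(b"y" * 100)
    (q / "readme.txt").write_text("not quarantined")
    # A file the freshly recreated profile already put back in place:
    (r / "Users" / "alice" / "Documents").mkdir(parents=True)
    (r / "Users" / "alice" / "Documents" / "notes.txt").write_text("new")
    return plan_restore(q, r)
```

Comparing `quarantined_bytes` with the profile's known size shows whether everything was moved rather than deleted, and entries flagged `True` mark files a restore would overwrite in the recreated profile.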



#13 Elise


Posted 06 February 2015 - 01:56 PM

You're right about the qoobox folder, still there's nothing that looks out of place besides the fact that obviously a lot of files were deleted that shouldn't have been. There's no need to submit a listing of all files, but can you tell me what the parent folder was that was deleted (I assume c:\users\<username> or was it the entire Users folder)?

 

I'll report this to combofix's developer, but it is possible that in order to investigate this, he would need more information about the computer.

 

Generally speaking, I would really advise against running a powerful tool like Combofix on a corporate computer, in my opinion it is much better to have such a machine maintained by an administrator who can implement adequate security measures to prevent infections. Not doing so will sooner or later lead to very serious (and possibly irrecoverable) problems (like crypto-ransomware infections that encrypt and hold sensitive data hostage until a ransom is paid).


regards, Elise




#14 granitecs


Posted 08 February 2015 - 07:39 AM

Hello,

 

I'm back in the office tomorrow, so will drop you a more detailed reply then.



#15 quietman7


Posted 08 February 2015 - 07:46 AM

Not a problem.

Edit: I thought I was replying to a similar report by another user in a separate topic.



