
Thread: Spybot closes and permissions on its .exe changed

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    15

    Spybot closes and permissions on its .exe changed

    This bug disables all monitoring programs including spybot, symantec antivirus etc. Spybot closes after clicking start scan. It is thereafter unavailable due to altered permissions on the .exe. This occurs for other antivirus programs too. Complete removal and reinstallation results in repeat of same problem.

    thanks

    mike

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    Download GMER here by clicking download exe -button and then saving it to your desktop:
    • Double-click .exe that you downloaded
    • Click rootkit-tab and then scan.
    • Don't check Show All box while scanning in progress!
    • When scanning is ready, click Copy.
    • This copies log to clipboard
    • Post log in your reply.


    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Posts
    15

    Thanks for helping!

    The three "here" links downloaded dds.com, dds.scr and dds.pif respectively

    dds.scr wouldn't run with double click as windows didn't recognize association type. Launching from command prompt produced a 1/2 second run in separate command prompt. Neither dds.txt nor attach.txt were created anywhere on disk. Trying dds.com and dds.pif produced same result. Didn't continue as I assumed these steps may need to occur in sequence....

    sorry if I'm being dense

    mike

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Please continue to GMER run. We'll see that issue with DDS later.

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    15

    GMER was running when I left work last night. This morning I find that it had crashed and the permissions on the executable had been changed. I added myself back and have launched it again. I imagine, however, this will lead to the same result. This is the same thing that happens to spybot.

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Yes, that's a known symptom caused by this infection. See if you're able to finish GMER run.

    After that, please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Posts
    15

    thanks for your patience....

    Here is an interim report from gmer. It is still running but has not added a new entry in a while....

    GMER 1.0.15.15077 [9hxt8ng4.exe] - http://www.gmer.net
    Rootkit scan 2009-09-04 07:00:03
    Windows 5.1.2600 Service Pack 3


    ---- Kernel code sections - GMER 1.0.15 ----

    ? win32k.sys:1 The system cannot find the file specified. !
    ? win32k.sys:2 The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\windows\system32\svchost.exe[2040] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\system32\svchost.exe[2040] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\system32\svchost.exe[2040] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\Explorer.EXE[2816] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\Explorer.EXE[2816] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\Explorer.EXE[2816] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3620] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3620] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3620] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Eudora\Eudora.exe[4424] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Eudora\Eudora.exe[4424] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Eudora\Eudora.exe[4424] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] USER32.DLL!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\windows\system32\svchost.exe[2040] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\windows\system32\svchost.exe[2040] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\windows\Explorer.EXE[2816] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\windows\Explorer.EXE[2816] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Program Files\iTunes\iTunesHelper.exe[3620] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Program Files\iTunes\iTunesHelper.exe[3620] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Eudora\Eudora.exe[4424] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Eudora\Eudora.exe[4424] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\ole32.dll [USER32.dll!CreateWindowExA] [004171AA] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\ole32.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\ole32.dll [USER32.dll!ShowWindow] [0041729E] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\WININET.dll [USER32.dll!SetWindowPos] [00417350] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\WININET.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004171AA] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00417350] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [0041729E] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\shell32.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\shell32.dll [USER32.dll!ShowWindow] [0041729E] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\shell32.dll [USER32.dll!SetWindowPos] [00417350] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [264] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [312] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [444] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [612] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1396] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [1436] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1596] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1636] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\spoolsv.exe [1884] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [2040] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\System32\alg.exe [2088] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\Explorer.EXE [2816] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [3472] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [3620] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Eudora\Eudora.exe [4424] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe [4452]

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    I think you can kill GMER process and run that other program linked in my previous reply. Post back its report.

  9. #9
    Junior Member
    Join Date
    Aug 2009
    Posts
    15

    Just after I sent previous post gmer flagged something bad and I was able to copy report before it crashed. The gmer report is too big to post in one reply. So here is the win32kDiag report. Then I'll post the gmer report broken up into pieces...



    Log file is located at: C:\Documents and Settings\mmauk\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\windows'...



    Could not query reparse information for C:\windows\$hf_mig$\KB887472\KB887472: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB893066\KB893066: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB899587\KB899587: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB900485\KB900485: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB900725\KB900725: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB905414\KB905414: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB908531\KB908531: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB911280\KB911280: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB912945\KB912945: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB913446\KB913446: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB913580\KB913580: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB916595\KB916595: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB918118\KB918118: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB920213\KB920213: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB920685\KB920685: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB920872\KB920872: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB921398\KB921398: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB923414\KB923414: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB923980\KB923980: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB924270\KB924270: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB925902\KB925902: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB926255\KB926255: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB926436\KB926436: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB927779\KB927779: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB927802\KB927802: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB928255\KB928255: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB928843\KB928843: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB929123\KB929123: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB930178\KB930178: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB930916\KB930916: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB931261\KB931261: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB931784\KB931784: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB932168\KB932168: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB935839\KB935839: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB935840\KB935840: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB936357\KB936357: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB937894\KB937894: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB938828\KB938828: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB941202\KB941202: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB941693\KB941693: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB943055\KB943055: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB943485\KB943485: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB944653\KB944653: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB945553\KB945553: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB946026\KB946026: 1450
    Could not query reparse information for C:\windows\$hf_mig$\KB948590\KB948590: 1450
    Could not query reparse information for C:\windows\addins\addins: 1450
    Cannot access: C:\windows\assembly\PublisherPolicy.tme
    Cannot access: C:\windows\assembly\pubpol17.dat
    Cannot access: C:\windows\assembly\pubpol20.dat
    Cannot access: C:\windows\Blue Lace 16.bmp
    Cannot access: C:\windows\bootstat.dat
    Cannot access: C:\windows\clock.avi
    Cannot access: C:\windows\cmsetacl.log
    Cannot access: C:\windows\Coffee Bean.bmp
    Cannot access: C:\windows\COM+.log
    Cannot access: C:\windows\comsetup.log
    Cannot access: C:\windows\control.ini
    Cannot access: C:\windows\desktop.ini
    Cannot access: C:\windows\desktopset.exe
    Cannot access: C:\windows\DLA.EXE
    Cannot access: C:\windows\DPINST.LOG
    Cannot access: C:\windows\DtcInstall.log
    Cannot access: C:\windows\explorer.exe
    Cannot access: C:\windows\explorer.scf
    Cannot access: C:\windows\FaxSetup.log
    Cannot access: C:\windows\FeatherTexture.bmp
    Cannot access: C:\windows\Gone Fishing.bmp
    Cannot access: C:\windows\Greenstone.bmp
    Cannot access: C:\windows\hh.exe
    Cannot access: C:\windows\IDNMitigationAPIs.log
    Cannot access: C:\windows\ie7.log
    Cannot access: C:\windows\ie7_main.log
    Cannot access: C:\windows\ie8.log
    Cannot access: C:\windows\ie8_main.log
    Cannot access: C:\windows\iis6.log
    Cannot access: C:\windows\imsins.BAK
    Cannot access: C:\windows\imsins.log
    Cannot access: C:\windows\KB873339.log
    Cannot access: C:\windows\KB883517.log
    Cannot access: C:\windows\KB883523.log
    Cannot access: C:\windows\KB884020.log
    Cannot access: C:\windows\KB884575.log
    Cannot access: C:\windows\KB884868.log
    Cannot access: C:\windows\KB885250.log
    Cannot access: C:\windows\KB885835.log
    Cannot access: C:\windows\KB885836.log

    Finished!

  10. #10
    Junior Member
    Join Date
    Aug 2009
    Posts
    15

    GMER 1.0.15.15077 [9hxt8ng4.exe] - http://www.gmer.net
    Rootkit scan 2009-09-04 09:44:29
    Windows 5.1.2600 Service Pack 3


    ---- Kernel code sections - GMER 1.0.15 ----

    ? win32k.sys:1 The system cannot find the file specified. !
    ? win32k.sys:2 The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\windows\system32\svchost.exe[2040] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\system32\svchost.exe[2040] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\system32\svchost.exe[2040] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\Explorer.EXE[2816] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\Explorer.EXE[2816] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\windows\Explorer.EXE[2816] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3620] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3620] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\iTunes\iTunesHelper.exe[3620] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\Hotsync.exe[3832] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Eudora\Eudora.exe[4424] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Eudora\Eudora.exe[4424] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\Eudora\Eudora.exe[4424] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] USER32.DLL!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    .text C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\CD125F8E.x86.dll

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\windows\system32\svchost.exe[2040] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\windows\system32\svchost.exe[2040] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\windows\Explorer.EXE[2816] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\windows\Explorer.EXE[2816] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Program Files\iTunes\iTunesHelper.exe[3620] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Program Files\iTunes\iTunesHelper.exe[3620] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Eudora\Eudora.exe[4424] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\Eudora\Eudora.exe[4424] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\CD125F8E.x86.dll
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\ole32.dll [USER32.dll!CreateWindowExA] [004171AA] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\ole32.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\ole32.dll [USER32.dll!ShowWindow] [0041729E] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\WININET.dll [USER32.dll!SetWindowPos] [00417350] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\WININET.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004171AA] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00417350] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [0041729E] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\shell32.dll [USER32.dll!CreateWindowExW] [00417224] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\shell32.dll [USER32.dll!ShowWindow] [0041729E] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe
    IAT C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe[4452] @ C:\windows\system32\shell32.dll [USER32.dll!SetWindowPos] [00417350] C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [264] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [312] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [444] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [612] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1396] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\System32\svchost.exe [1436] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1596] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [1636] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\spoolsv.exe [1884] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\system32\svchost.exe [2040] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\System32\alg.exe [2088] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\windows\Explorer.EXE [2816] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [3472] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [3620] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\Eudora\Eudora.exe [4424] 0x35670000
    Library \\?\globalroot\Device\__max++>\CD125F8E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\mmauk\LOCALS~1\Temp\a.exe [4452] 0x35670000
