Was hit with WinPC. Tried to run Malwarebytes; however, it won't run or update. Can't download HijackThis either. Went to self-help forums and tried all three suggestions for "won't run". Below is my RootRepeal log. Any help would be greatly appreciated. Am new to this. Hope I am providing enough info.
ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/30 15:43
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\WINDOWS\system32\UACamsnukrjmvltlwq.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACimpskbgknlmgvrl.dat
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UAClovqppxmnpotxew.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACoxvnkxbipibxcoe.log
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACqiojdaudgmupxir.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACrsrsaltvtxengkt.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\UACwyktudovdyiukqa.dll
Status: Invisible to the Windows API!
Path: C:\WINDOWS\Temp\UACcb69.tmp
Status: Invisible to the Windows API!
Path: C:\WINDOWS\system32\drivers\UACwbppqoiyblvbrpb.sys
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Administrator\Local Settings\Temp\UACb112.tmp
Status: Invisible to the Windows API!
Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O6W7T7AE\UACAXPKMXLCAY0RCEXCAGDHZQACA0891EECAAQ5TF8CA35DK7XCAF0G3YDCAJS1DQCCAZH3MDFCAGGZCWTCARIK2INCAOZJK2RCALFXL8JCAQXJEF0CAMXRUUUCAU6UMFTCA5XKLAJCAPZKJWFCABFEFOP
Status: Invisible to the Windows API!
#1
Posted 30 May 2009 - 08:36 PM
#2
Posted 31 May 2009 - 02:15 AM
Hello Mindy530
Welcome to Malwarebytes.
=====================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3


--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt
#3
Posted 31 May 2009 - 02:12 PM
Hello, ran the Combo-Fix. Below is the report. Was able to update and run Malwarebytes. Thank you, thank you, thank you. Everything seems to be running well once again.
Mindy
ComboFix 09-05-30.04 - Administrator 05/31/2009 9:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.734 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\Google\T-Scan
c:\documents and settings\Administrator\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Administrator\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Administrator\Application Data\Google\T-Scan\y.gif
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\sysguard.exe
c:\windows\system32\drivers\UACwbppqoiyblvbrpb.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\TDSSxwqforor.dat
c:\windows\system32\UACamsnukrjmvltlwq.dll
c:\windows\system32\UACimpskbgknlmgvrl.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClklhxdigeebvpqp.log
c:\windows\system32\UAClovqppxmnpotxew.dll
c:\windows\system32\UACoxvnkxbipibxcoe.log
c:\windows\system32\UACqiojdaudgmupxir.dll
c:\windows\system32\UACrsrsaltvtxengkt.dll
c:\windows\system32\UACvjdljbibfmxjuow.log
c:\windows\system32\UACwyktudovdyiukqa.dll
c:\windows\system32\uniq.tll
D:\Autorun.inf
D:\Desktop.ini
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.
2009-05-31 13:41 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-05-31 13:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-05-31 12:34 . 2009-05-31 12:35 -------- d-s---w- C:\Comb-Fix
2009-05-24 13:16 . 2009-05-26 22:36 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-23 19:23 . 2009-05-23 19:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-23 19:09 . 2009-05-23 19:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-23 19:08 . 2009-05-23 19:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-23 19:07 . 2009-05-23 19:07 -------- d-----w- c:\windows\ie8updates
2009-05-23 19:06 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-23 19:05 . 2009-05-23 19:05 -------- dc-h--w- c:\windows\ie8
2009-05-23 16:27 . 2009-05-23 16:27 194 ----a-w- c:\documents and settings\Administrator\Application Data\asd.bat
2009-05-20 20:12 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-05-20 20:12 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-20 20:00 . 2009-05-20 20:01 -------- d-----w- c:\program files\iTunes
2009-05-20 20:00 . 2009-05-20 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-20 19:58 . 2009-05-20 19:58 -------- d-----w- c:\program files\QuickTime
2009-05-20 19:56 . 2009-03-26 19:23 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-20 19:52 . 2009-05-20 19:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-20 19:49 . 2009-05-20 19:50 -------- d-----w- c:\program files\Safari
2009-05-10 18:37 . 2009-05-10 18:37 422 ----a-w- c:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe
2009-05-10 18:37 . 2009-05-10 18:37 16141 ----a-w- c:\documents and settings\Administrator\Application Data\Creative\lego.exe
2009-05-10 18:37 . 2009-05-10 18:37 145131 ----a-w- c:\documents and settings\Administrator\Application Data\Canon\nomad.exe
2009-05-10 18:37 . 2009-05-10 18:37 13221 ----a-w- c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll
2009-05-10 18:37 . 2009-05-10 18:37 11410 ----a-w- c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll
2009-05-10 18:37 . 2009-05-10 18:37 11232 ----a-w- c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe
2009-05-10 18:37 . 2009-05-10 18:37 10121 ----a-w- c:\documents and settings\Administrator\Application Data\Help\kern.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 00:56 . 2008-12-22 19:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-30 20:04 . 2008-12-06 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 17:19 . 2008-12-06 15:38 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 20:12 . 2006-05-07 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-05-20 20:01 . 2007-12-30 16:48 -------- d-----w- c:\program files\Common Files\Apple
2009-05-20 20:01 . 2006-05-07 19:29 -------- d-----w- c:\program files\iPod
2009-05-10 18:37 . 2007-01-13 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-04-19 18:13 . 2009-04-19 18:13 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-17 19:51 . 2006-04-28 09:24 -------- d-----w- c:\program files\McAfee
2009-04-16 19:43 . 2006-04-28 09:15 -------- d-----w- c:\program files\BigFix
2009-04-12 18:40 . 2009-01-18 14:04 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-12 18:37 . 2009-04-12 18:32 -------- d-----w- c:\program files\SiteAdvisor
2009-04-12 18:32 . 2008-12-21 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-04-09 16:24 . 2006-05-25 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-04-06 19:32 . 2008-12-06 15:38 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-02 19:54 . 2008-01-06 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2009-03-26 19:23 . 2008-12-25 19:09 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-25 15:06 . 2008-12-21 15:13 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2008-12-21 15:13 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2008-12-21 15:13 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2008-12-21 15:13 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2008-12-21 15:13 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2006-09-19 20:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2005-01-09 23:48 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-01-09 23:48 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-01-09 23:47 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-01-09 23:48 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-01-09 23:47 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-01-09 23:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-01-09 23:48 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-01-09 23:48 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-01-09 23:48 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-01-09 23:48 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-01-09 23:48 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7393280]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-06-18 16384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-05 1519616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-5-25 217088]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-7 553021]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
kahdah, on May 30 2009, 10:15 PM, said:
Hello Mindy530
Welcome to Malwarebytes.
=====================
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3


--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt
#4
Posted 31 May 2009 - 02:18 PM
1. Please open Notepad
- Click Start, then Run
- type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Administrator\Application Data\Creative\lego.exe
c:\documents and settings\Administrator\Application Data\Canon\nomad.exe
c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll
c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll
c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe
c:\documents and settings\Administrator\Application Data\Help\kern.dll
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
- Combofix.txt
#5
Posted 01 June 2009 - 08:09 PM
Combofix.txt
Please find combofix.txt below. Again, thank you so much.
Mindy
ComboFix 09-05-30.04 - Administrator 06/01/2009 15:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.711 [GMT -4:00]
Please find combofix.txt below. Again, thank you so much.
Mindy
ComboFix 09-05-30.04 - Administrator 06/01/2009 15:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.711 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FILE ::
"c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe"
"c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll"
"c:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe"
"c:\documents and settings\Administrator\Application Data\Canon\nomad.exe"
"c:\documents and settings\Administrator\Application Data\Creative\lego.exe"
"c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll"
"c:\documents and settings\Administrator\Application Data\Help\kern.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe
c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll
c:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Administrator\Application Data\Canon\nomad.exe
c:\documents and settings\Administrator\Application Data\Creative\lego.exe
c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll
c:\documents and settings\Administrator\Application Data\Help\kern.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.
2009-05-31 13:41 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-05-31 13:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-05-31 12:34 . 2009-05-31 12:35 -------- d-s---w- C:\Comb-Fix
2009-05-24 13:16 . 2009-05-26 22:36 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-23 19:23 . 2009-05-23 19:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-23 19:09 . 2009-05-23 19:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-23 19:08 . 2009-05-23 19:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-23 19:07 . 2009-05-23 19:07 -------- d-----w- c:\windows\ie8updates
2009-05-23 19:06 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-23 19:05 . 2009-05-23 19:05 -------- dc-h--w- c:\windows\ie8
2009-05-20 20:12 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-05-20 20:12 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-20 20:00 . 2009-05-20 20:01 -------- d-----w- c:\program files\iTunes
2009-05-20 20:00 . 2009-05-20 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-20 19:58 . 2009-05-20 19:58 -------- d-----w- c:\program files\QuickTime
2009-05-20 19:56 . 2009-03-26 19:23 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-20 19:52 . 2009-05-20 19:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-20 19:49 . 2009-05-20 19:50 -------- d-----w- c:\program files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 19:59 . 2007-01-13 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-06-01 19:59 . 2006-04-28 09:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative
2009-06-01 19:59 . 2008-01-06 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2009-06-01 19:59 . 2006-11-14 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-01 19:59 . 2006-05-07 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-05-31 13:53 . 2008-12-06 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-31 00:56 . 2008-12-22 19:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-26 17:20 . 2008-12-06 15:38 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-06 15:38 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 20:01 . 2007-12-30 16:48 -------- d-----w- c:\program files\Common Files\Apple
2009-05-20 20:01 . 2006-05-07 19:29 -------- d-----w- c:\program files\iPod
2009-04-19 18:13 . 2009-04-19 18:13 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-17 19:51 . 2006-04-28 09:24 -------- d-----w- c:\program files\McAfee
2009-04-16 19:43 . 2006-04-28 09:15 -------- d-----w- c:\program files\BigFix
2009-04-12 18:40 . 2009-01-18 14:04 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-12 18:37 . 2009-04-12 18:32 -------- d-----w- c:\program files\SiteAdvisor
2009-04-12 18:32 . 2008-12-21 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-04-09 16:24 . 2006-05-25 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-03-26 19:23 . 2008-12-25 19:09 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-25 15:06 . 2008-12-21 15:13 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2008-12-21 15:13 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2008-12-21 15:13 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2008-12-21 15:13 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2008-12-21 15:13 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2006-09-19 20:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2005-01-09 23:48 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-01-09 23:48 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-01-09 23:47 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-01-09 23:48 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-01-09 23:47 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-01-09 23:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-01-09 23:48 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-01-09 23:48 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-01-09 23:48 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-01-09 23:48 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-01-09 23:48 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-31_13.43.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-10 01:17 . 2009-06-01 19:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-01-10 01:17 . 2009-05-31 12:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-01-10 01:17 . 2009-06-01 19:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-10 01:17 . 2009-05-31 12:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-10 01:17 . 2009-06-01 19:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-10 01:17 . 2009-05-31 12:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7393280]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-06-18 16384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-05 1519616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-5-25 217088]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-7 553021]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/21/2008 11:16 AM 210216]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
2008-12-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-21 14:53]
2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-21 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/library/app/feedback/?Md5=665736AA8D4845069617804CA98EAF71
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 16:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-460211180-2363588690-585989571-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,ff,88,1a,4f,6b,d3,4c,8a,0c,35,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,ff,88,1a,4f,6b,d3,4c,8a,0c,35,\
.
Completion time: 2009-06-01 16:06
ComboFix-quarantined-files.txt 2009-06-01 20:06
ComboFix2.txt 2009-05-31 13:44
Pre-Run: 121,261,592,576 bytes free
Post-Run: 121,551,888,384 bytes free
216 --- E O F --- 2009-05-12 23:35
kahdah, on May 31 2009, 10:18 AM, said:
1. Please open Notepad
- Click Start, then Run
- type in notepad in the Run Box then hit ok.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Administrator\Application Data\Creative\lego.exe
c:\documents and settings\Administrator\Application Data\Canon\nomad.exe
c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll
c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll
c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe
c:\documents and settings\Administrator\Application Data\Help\kern.dll
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
- Combofix.txt
#6
Posted 01 June 2009 - 10:42 PM
You are welcome. 
Please update\run Malwarebytes' Anti-Malware.
Double Click the Malwarebytes Anti-Malware icon to run the application.
- Click on the update tab then click on Check for updates.
- If an update is found, it will download and install the latest version.
- Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
#7
Posted 02 June 2009 - 09:44 PM
Malware log below. Your help is so appreciated.
Mindy
Malwarebytes' Anti-Malware 1.37
Database version: 2216
Windows 5.1.2600 Service Pack 3
6/2/2009 5:36:03 PM
mbam-log-2009-06-02 (17-36-03).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 174345
Time elapsed: 46 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\qoobox\quarantine\c\windows\system32\UACamsnukrjmvltlwq.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UAClovqppxmnpotxew.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UACqiojdaudgmupxir.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UACrsrsaltvtxengkt.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\UACwyktudovdyiukqa.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\qoobox\quarantine\c\windows\system32\drivers\UACwbppqoiyblvbrpb.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{593f298f-b7d6-4a3d-a260-6d7e68e3f587}\rp50\A0011245.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{593f298f-b7d6-4a3d-a260-6d7e68e3f587}\rp50\A0011247.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{593f298f-b7d6-4a3d-a260-6d7e68e3f587}\rp50\A0011248.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{593f298f-b7d6-4a3d-a260-6d7e68e3f587}\rp50\A0011249.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{593f298f-b7d6-4a3d-a260-6d7e68e3f587}\rp50\A0011246.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
Mindy530, on Jun 1 2009, 04:09 PM, said:
Combofix.txt
please find combofix.txt below. Again, thank you so much
Mindy
ComboFix 09-05-30.04 - Administrator 06/01/2009 15:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.711 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FILE ::
"c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe"
"c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll"
"c:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe"
"c:\documents and settings\Administrator\Application Data\Canon\nomad.exe"
"c:\documents and settings\Administrator\Application Data\Creative\lego.exe"
"c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll"
"c:\documents and settings\Administrator\Application Data\Help\kern.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\Adobe\shalom.exe
c:\documents and settings\Administrator\Application Data\AdobeUM\rengo.dll
c:\documents and settings\Administrator\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Administrator\Application Data\Canon\nomad.exe
c:\documents and settings\Administrator\Application Data\Creative\lego.exe
c:\documents and settings\Administrator\Application Data\CyberLink\msgdi.dll
c:\documents and settings\Administrator\Application Data\Help\kern.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.
2009-05-31 13:41 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-05-31 13:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-05-31 12:34 . 2009-05-31 12:35 -------- d-s---w- C:\Comb-Fix
2009-05-24 13:16 . 2009-05-26 22:36 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-23 19:23 . 2009-05-23 19:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-05-23 19:09 . 2009-05-23 19:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-05-23 19:08 . 2009-05-23 19:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-05-23 19:07 . 2009-05-23 19:07 -------- d-----w- c:\windows\ie8updates
2009-05-23 19:06 . 2009-04-25 05:30 102400 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-05-23 19:05 . 2009-05-23 19:05 -------- dc-h--w- c:\windows\ie8
2009-05-20 20:12 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-05-20 20:12 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-05-20 20:00 . 2009-05-20 20:01 -------- d-----w- c:\program files\iTunes
2009-05-20 20:00 . 2009-05-20 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-20 19:58 . 2009-05-20 19:58 -------- d-----w- c:\program files\QuickTime
2009-05-20 19:56 . 2009-03-26 19:23 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-20 19:52 . 2009-05-20 19:52 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-20 19:49 . 2009-05-20 19:50 -------- d-----w- c:\program files\Safari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 19:59 . 2007-01-13 21:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
2009-06-01 19:59 . 2006-04-28 09:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Creative
2009-06-01 19:59 . 2008-01-06 18:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Canon
2009-06-01 19:59 . 2006-11-14 21:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM
2009-06-01 19:59 . 2006-05-07 19:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-05-31 13:53 . 2008-12-06 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-31 00:56 . 2008-12-22 19:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-05-26 17:20 . 2008-12-06 15:38 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2008-12-06 15:38 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 20:01 . 2007-12-30 16:48 -------- d-----w- c:\program files\Common Files\Apple
2009-05-20 20:01 . 2006-05-07 19:29 -------- d-----w- c:\program files\iPod
2009-04-19 18:13 . 2009-04-19 18:13 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-04-17 19:51 . 2006-04-28 09:24 -------- d-----w- c:\program files\McAfee
2009-04-16 19:43 . 2006-04-28 09:15 -------- d-----w- c:\program files\BigFix
2009-04-12 18:40 . 2009-01-18 14:04 2967799 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-12 18:37 . 2009-04-12 18:32 -------- d-----w- c:\program files\SiteAdvisor
2009-04-12 18:32 . 2008-12-21 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-04-09 16:24 . 2006-05-25 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-03-26 19:23 . 2008-12-25 19:09 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-25 15:06 . 2008-12-21 15:13 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 15:06 . 2008-12-21 15:13 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 15:06 . 2008-12-21 15:13 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 15:06 . 2008-12-21 15:13 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 15:05 . 2008-12-21 15:13 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 20:32 . 2006-09-19 20:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 08:34 . 2005-01-09 23:48 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2005-01-09 23:48 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2005-01-09 23:47 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2005-01-09 23:48 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2005-01-09 23:47 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2005-01-09 23:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2005-01-09 23:48 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2005-01-09 23:48 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2005-01-09 23:48 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2005-01-09 23:48 156160 ----a-w- c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-01-09 23:48 284160 ----a-w- c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-31_13.43.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-01-10 01:17 . 2009-06-01 19:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-01-10 01:17 . 2009-05-31 12:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-01-10 01:17 . 2009-06-01 19:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-01-10 01:17 . 2009-05-31 12:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-10 01:17 . 2009-06-01 19:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-10 01:17 . 2009-05-31 12:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-05 7393280]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-02 77312]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-06-18 16384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-05 1519616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2006-5-25 217088]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-7 553021]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/21/2008 11:16 AM 210216]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
2008-12-21 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-21 14:53]
2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-12-21 14:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/library/app/feedback/?Md5=665736AA8D4845069617804CA98EAF71
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 16:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-460211180-2363588690-585989571-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,ff,88,1a,4f,6b,d3,4c,8a,0c,35,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,ff,88,1a,4f,6b,d3,4c,8a,0c,35,\
.
Completion time: 2009-06-01 16:06
ComboFix-quarantined-files.txt 2009-06-01 20:06
ComboFix2.txt 2009-05-31 13:44
Pre-Run: 121,261,592,576 bytes free
Post-Run: 121,551,888,384 bytes free
216 --- E O F --- 2009-05-12 23:35
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/library/app/feedback/?Md5=665736AA8D4845069617804CA98EAF71
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 16:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-460211180-2363588690-585989571-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,ff,88,1a,4f,6b,d3,4c,8a,0c,35,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f8,ff,88,1a,4f,6b,d3,4c,8a,0c,35,\
.
Completion time: 2009-06-01 16:06
ComboFix-quarantined-files.txt 2009-06-01 20:06
ComboFix2.txt 2009-05-31 13:44
Pre-Run: 121,261,592,576 bytes free
Post-Run: 121,551,888,384 bytes free
216 --- E O F --- 2009-05-12 23:35
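A small triage script over ComboFix output of the kind shown above, added here as an example; it is not part of the original thread and not a ComboFix feature. It reads the registry-style sections of the log, lists the Security Center keys whose DisableMonitoring value is 1 (security suites such as the McAfee and Symantec products installed on this machine set these legitimately, but malware also sets them to silence Security Center warnings, so each one is worth confirming against the installed software), collapses the doubled backslashes in the Windows Firewall AuthorizedApplications list, flags any core Windows binary name such as svchost.exe that is authorised from a folder other than %windir%\system32 (one such entry appears in the list above; svchost.exe normally lives only in system32, so the path deserves a manual check), and reads the catchme "hidden files" count that a post-removal verdict rests on. The embedded log is a constructed excerpt in the same format, not the full log; the set of system32-only binaries and the expansion of %windir% to c:\windows are the script's own assumptions.

```python
import re

# Constructed excerpt in the format of a ComboFix log (not the full log above).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/21/2008 11:16 AM 210216]
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
scan completed successfully
hidden files: 0
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
PATH_VALUE_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)", re.MULTILINE)

# Assumption: these service hosts live only in %windir%\system32 on Windows XP.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


def parse_registry_sections(log):
    """Group registry-style lines under their [key] headers.
    Returns a list of (key, [value lines]); a line that is neither a header
    nor a quoted/@ value (e.g. a service line) closes the current section."""
    sections = []
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
        elif current is not None and line.startswith(('"', "@")):
            current[1].append(line)
        else:
            current = None
    return sections


def disabled_security_center_monitoring(sections):
    """Last path component of each Security Center Monitoring key with DisableMonitoring=1."""
    found = []
    for key, values in sections:
        if r"security center\monitoring" not in key.lower():
            continue
        for v in values:
            m = DWORD_RE.match(v)
            if m and m.group("name").lower() == "disablemonitoring" and int(m.group("value"), 16) == 1:
                found.append(key.rsplit("\\", 1)[-1])
    return found


def firewall_exceptions(sections):
    """Paths under AuthorizedApplications\\List, with the export's doubled backslashes collapsed."""
    paths = []
    for key, values in sections:
        if not key.lower().endswith(r"authorizedapplications\list"):
            continue
        for v in values:
            m = PATH_VALUE_RE.match(v)
            if m:
                paths.append(m.group("path").replace("\\\\", "\\"))
    return paths


def normalise(path, windir=r"c:\windows"):
    """Lower-case a path and expand %windir% (assumed to be c:\\windows)."""
    return path.lower().replace("%windir%", windir.lower())


def suspicious_firewall_exceptions(paths, windir=r"c:\windows"):
    """Exceptions whose file name is a core Windows binary but whose folder is not system32."""
    expected_dir = normalise(windir + r"\system32")
    flagged = []
    for p in paths:
        folder, _, name = normalise(p, windir).rpartition("\\")
        if name in SYSTEM32_ONLY and folder != expected_dir:
            flagged.append(p)
    return flagged


def catchme_hidden_files(log):
    """Hidden-file count from the catchme section, or None if that section is absent.
    0 after cleanup is the expected result; anything else means stealth components remain."""
    m = HIDDEN_RE.search(log)
    return int(m.group(1)) if m else None


def triage(log):
    sections = parse_registry_sections(log)
    exceptions = firewall_exceptions(sections)
    return {
        "security_center_monitoring_disabled": disabled_security_center_monitoring(sections),
        "firewall_exceptions": exceptions,
        "suspicious_firewall_exceptions": suspicious_firewall_exceptions(exceptions),
        "catchme_hidden_files": catchme_hidden_files(log),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

Point `triage()` at the text of a real ComboFix.txt instead of `SAMPLE_LOG` to run the same checks on a full log; the flagged items are prompts for a manual look, not verdicts, since a legitimate product can own any of them.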
#8
Posted 02 June 2009 - 10:57 PM
Looks good.
Cleanup:
Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
======================
Delete/uninstall anything else that we have used.
System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that you're all set.
The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.
If your computer is slow - A tutorial on what you can do if your computer is slow.
#9
Posted 04 June 2009 - 08:22 PM
Again, I can't thank you enough! I will be taking more precautions to keep from getting infected again. You have been more than patient and incredibly thorough. All of your instructions were easy to understand. Thanks again,
Mindy
#10
Posted 05 June 2009 - 11:01 AM