Win32:MBRoot-J [Trj] reported by Avast. Please help essexboy or anyone...

All –

Avast showed a “rootkit found” message and the reported information regarding the rootkit was very brief and “truncated”; see attachment (Rootkit .png).
I instructed Avast to delete it followed by running a boot scan; however, it keeps reappearing every time my computer is started.

After having had a closer look in the “aswAr.log” the rootkit was identified as Win32:MBRoot-J [Trj].

This forum does list quite a few similar topics however it is also mentioned that all fixes are system specific.

Please help me to eliminate this rootkit and post what I should do.

Thank you, Xander

PS. System seems to start slower but definitely IE is extremely slow…

Follow guide http://forum.avast.com/index.php?topic=53253.0 and attach all logs here on next reply.

Don’t panic! Your issue is very minor and will be fixed in a jiffy! :wink:

True Indian:

Attached the requested logs by Malwarebytes’ Anti-Malware, OTL and aswMBR.

  • MBAM didn’t report any “malicious items”
  • OTL did report an error “Windows - No Disk” during the process; see attachment in next post. This error was reported several times (identical errors) right after each other.
  • aswMBR did report several “RED” colored lines

I didn’t execute RogueKiller since I didn’t think this was necessary based on the information in the guide.

Thank you, Xander

Attached the OTL “Windows - No Disk” error

True Indian:

Sorry to be so impatient but I guess that’s normal when your PC seems to be / is infected by a rootkit or any other malware. Do you already have an answer or instructions towards removal of the Win32:MBRoot-J?

Xander

Hi,

Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • Click OK
  • Press Start Scan

  • Only if Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now

  • Attach the log in your next reply

  • A copy of the log will be saved automatically to the root of the drive (typically C:)


Once that has been completed, boot into Safe Mode and run OTL from there. If there is a log created attach that to your next reply along with the TDSSKiller log.

Jeffce –

Sorry for not replying any earlier but I had to work around the kids’ evening schedule (kids’ soccer, dinner, shower and bringing them to bed)…

Attached the requested logs based on your request.

Please note:

  1. After I ran TDSSKiller I rebooted to normal mode and Windows did report a warning: “Generic Host Process for Win32 Services encountered a problem and needed to close”.
  2. OTL was executed in Safe Mode however I was not sure which options to use. I selected All Users in combination with Quick Scan; I did not include any text as part of the Custom Scan box. OTL didn’t produce an Extras.TXT log file.
  3. OTL reported a “Windows - No Disk” error during the process; see attachment. I used continue and the error was reported 5 times in total.

Thank you for all your help and please let me know how to proceed, Xander

Hi,

The error message you are getting possibly has to do with a USB device that you recently removed from your computer improperly. If you plug in the last device that you had attached to your system and then remove it using the “remove software safely” option you should be fine.

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\5.2\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\..\SearchScopes,DefaultScope = {D28129E3-DE2E-46F6-AB12-BE250F5A63D6}
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=WBR&o=13997&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=W6&apn_dtid=&apn_uid=B9C98BE6-1ADA-4238-BA98-F94F2ECD11AE&apn_sauid=1C510AE8-FBB4-483A-8D5B-39C559613AE0
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = server:9999
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\5.2\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\5.2\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
O33 - MountPoints2\{0cf11954-665d-11de-854c-001d09cd34c8}\Shell - "" = AutoRun
O33 - MountPoints2\{0cf11954-665d-11de-854c-001d09cd34c8}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0cf11954-665d-11de-854c-001d09cd34c8}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
O33 - MountPoints2\{782f5232-6162-11de-853e-001e37f28d2e}\Shell - "" = AutoRun
O33 - MountPoints2\{782f5232-6162-11de-853e-001e37f28d2e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{782f5232-6162-11de-853e-001e37f28d2e}\Shell\AutoRun\command - "" = G:\AutoRun.exe
O33 - MountPoints2\{8d4c6e0d-4895-11dd-9a13-001e37f28d2e}\Shell\AutoRun\command - "" = J:\InstallTomTomHOME.exe
O33 - MountPoints2\{8df2fee4-60c4-11de-852f-001f3b6cedc5}\Shell - "" = AutoRun
O33 - MountPoints2\{8df2fee4-60c4-11de-852f-001f3b6cedc5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8df2fee4-60c4-11de-852f-001f3b6cedc5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{8df2fee5-60c4-11de-852f-001f3b6cedc5}\Shell - "" = AutoRun
O33 - MountPoints2\{8df2fee5-60c4-11de-852f-001f3b6cedc5}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8df2fee5-60c4-11de-852f-001f3b6cedc5}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{a7c3e786-6158-11de-8536-001e37f28d2e}\Shell - "" = AutoRun
O33 - MountPoints2\{a7c3e786-6158-11de-8536-001e37f28d2e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a7c3e786-6158-11de-8536-001e37f28d2e}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{a7c3e787-6158-11de-8536-001e37f28d2e}\Shell - "" = AutoRun
O33 - MountPoints2\{a7c3e787-6158-11de-8536-001e37f28d2e}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a7c3e787-6158-11de-8536-001e37f28d2e}\Shell\AutoRun\command - "" = F:\AutoRun.exe
[2012/04/04 21:47:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Spigot
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2012/04/12 20:01:02 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2012/03/29 12:20:30 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\Xander\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
  • Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
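An added example, not part of the original post and not OTL's own code: a small Python parser that summarizes what a fix script in the format above touches (proxy settings, MountPoints2 AutoRun commands, and the binaries behind each BHO/toolbar/Run entry) so the list can be reviewed before it is run. The regular expressions are assumptions inferred from the lines shown in this thread, not an OTL specification; the sample is built from lines of that script.

```python
import re
from collections import defaultdict

# Constructed sample: eight lines copied from the fix script in the post above.
SAMPLE = r'''
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-2295562274-2768663926-1085581501-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = server:9999
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\5.2\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O33 - MountPoints2\{782f5232-6162-11de-853e-001e37f28d2e}\Shell - "" = AutoRun
O33 - MountPoints2\{0cf11954-665d-11de-854c-001d09cd34c8}\Shell\AutoRun\command - "" = F:\setup_vmc_lite.exe /checkApplicationPresence
[2012/04/04 21:47:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Spigot
'''

# Patterns inferred from the lines in this thread (assumptions, not a spec).
ENTRY = re.compile(r'^(IE|O\d+) - (.+)$')
PROXY = re.compile(r'"(ProxyServer|ProxyOverride)" = (.+)$')
AUTORUN = re.compile(
    r'^MountPoints2\\(\{[0-9a-fA-F-]+\})\\Shell\\AutoRun\\command - "" = (.+)$')
BINARY = re.compile(r'([A-Za-z]:\\[^()]*?\.(?:exe|dll)) \(([^)]+)\)$')


def summarize(script_text):
    """Group fix-script entries so each removal can be reviewed beforehand."""
    counts = defaultdict(int)    # entries per prefix (IE, O2, O3, O4, O33)
    proxy = {}                   # Internet Settings proxy value name -> data
    autorun = {}                 # MountPoints2 GUID -> command run on mount
    vendors = defaultdict(set)   # vendor tag -> binaries the entries point at
    unparsed = []                # file/folder lines and anything unrecognised
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if not entry:
            unparsed.append(line)
            continue
        prefix, rest = entry.groups()
        counts[prefix] += 1
        if (m := PROXY.search(rest)):
            proxy[m.group(1)] = m.group(2)
        elif (m := AUTORUN.match(rest)):
            autorun[m.group(1)] = m.group(2)
        elif (m := BINARY.search(rest)):
            vendors[m.group(2)].add(m.group(1))
    return {
        "counts": dict(counts),
        "proxy": proxy,
        "autorun": autorun,
        "vendors": {name: sorted(paths) for name, paths in vendors.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "->", value)
```

Lines that land in `unparsed` (the file and folder entries) still need a manual look.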

Jeffce –

Is it normal for the OTL program to run without any visible interaction?

It is already running for a while and displaying “Killing processes. DO NOT INTERRUPT…” however I don’t see any harddisk activity.

Xander

Note: I’m running in normal mode and OTL is executed from a USB stick.

Just go ahead and run it for a little bit. Sometimes it can take a little bit of time to complete. :slight_smile:

Jeffce:

Yesterday evening the process ran for about 2 hours without any activity before I decided to reboot my laptop. CTRL-ALT-DEL didn’t work and as such I used the power on/off button. The computer booted up fine and I restarted the process. In the beginning I noticed harddisk activity but that faded away after some time. I decided to let it run overnight; however, this morning after about 9 hours it still showed the same message “Killing processes. DO NOT INTERRUPT…” without any harddisk activity. I decided again to reboot my laptop. OTL did create two _OTL\MovedFiles\date_time folders without any contents. I was not able to locate any log file.

I’m running OTL in NORMAL MODE from a USB-stick and as described using the listed text written inside of the code box into the Custom Scans/Fixes. The buttons “Scan all users”, “LOP Check” and “Purity” are NOT checked. Note: Avast is running in the background; Laptop (DELL) is docked and two external USB drives are also connected.

I started an aswMBR scan and this time it didn’t list “Win32:MBRoot-J [Trj]” or “[Win32:MBRoot] ROOTKIT” but it did list “malicious Win32:MBRoot code @ sector”; see attachment.

Please help and instruct how to go forward.
Thank you, Xander

Hi XanderK,

Don’t worry about the entry in aswMBR. It is fine even though it looks like it is bad. That is a residual entry but the main infection has been taken care of.

Since you are having trouble with OTL…

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

  • Disable any script blocking protection
  • Right-click and Run as Administrator dds to run the tool.
  • When done, two DDS.txt’s will open.
  • Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Hello Jeffce,

Attached the requested files; before starting DDS I disabled the Avast! Script Shield.

Before reading your post I once more tried to use OTL from my C-Drive without any external USB drives connected; however, it gave the same result as previous; I stopped it after 1 hour. I guess it is just not able to kill all the processes; it beeps once but then… The “normal” OTL procedure as instructed by true indian in the 2nd post did work as expected.

Xander

Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Jeffce –

Attached the output of ComboFix.

The 1st time I executed ComboFix it resulted in a blue screen during the process; it listed information in regards to Plug & Play (*** STOP: 0x000000CA etc). I turned off my computer and disconnected my USB-stick.

After rebooting I executed ComboFix again and it seemed to have executed just fine since it created a log file at the end of the process. It seemed to have some problems closing down my laptop since it took quite a while before it rebooted the computer. The following window (also last window) was open for quite some time:

drwin.exe - DLL Initialization Failed
The application failed to initialize because the window station is shutting down.
[OK]

I did manually press OK.

Note: ComboFix did report that Avast! was still running while starting ComboFix. I could not easily locate instructions on how to completely shut-off Avast!; I used “disable permanently” (avast! shields control) via right click on the System Tray icon.

Xander

Hi,

  • Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
uInternet Settings,ProxyServer = server:9999
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.4\youtubedownloaderToolbarIE.dll
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.4\youtubedownloaderToolbarIE.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - c:\program files\youtube downloader toolbar\ie\5.4\youtubedownloaderToolbarIE.dll
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"

File::
c:\windows\system32\drivers\xtskhh.sys
c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
c:\program files\Ask.com\UpdateTask.exe
Folder::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2382:UDP"=-
"2428:UDP"=-
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Driver::
70381320
xtskhh.sys

  • Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Jeffce –

I followed your procedures and please find attached the requested log file.

During the process at around the step “Completed Stage _5” the following pop-up appeared:

PEV.exe - Application Error
The instruction at “0x0072007b” referenced memory at “0x0072a780”. The memory could not be “written”.

The pop-up automatically disappeared during the reboot process.

The reboot process seemed to stall since it took quite some time with minimal harddisk activity while several “debug windows” were open. I eventually clicked “Don’t Send” on all the open “debug” windows and the computer rebooted fine. I hope this didn’t affect the process.

Xander

Hi Xander,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

  • Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif

  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

  • Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif

  • The virus signature database… will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.

Hello Jeff –

Finally after 12+ hours ESET completed the scan and it did locate quite some threats however I’m not sure how severe they are; see attached logs of MBAM and ESET.

Enjoy the remainder of the weekend and I’ll be waiting for the next set of instructions.

Thank you, Xander

Hi,

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
[*] Double-click the CKFiles.txt icon on your desktop then attach the contents in your next reply