Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help: Another "a.doginhispen" Infection/infestation...


  • Please log in to reply
13 replies to this topic

#1 Mike T

Mike T

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 03 February 2008 - 04:44 PM

I too have succumbed to a.doginhispen adware - or whatever it is. My 16 y.o. son is likely the culprit - we will be having yet another (this will be the LAST) conversation regarding his surfing habits. Anyway, I performed the standard BleepingComputer tests to no avail - HiJack-This logs appear clean. I then saw a few other posts from people with the same problem, and realized I need some assitance.

System info: Win XP SP-2 (new computer - XP was completely patched 2 weeks ago); Trend Micro PC-cilliin 2007, SSD 1.5 and HJTT 2.02 I have also installed - but not yet run - SuperAntiSpyware and FindAWF.

All help greatly appreciated - please advise how I should proceed. Thanks! MikeT

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 03 February 2008 - 05:06 PM

You have a downloader Trojan called Downloader.Agent.awf (Downloader.Agent.ayy). This is a particularly complex infection to remove. The Trojan replaces many egitimate program files with a copy of itself in the original folder and moves the legitimate program's file into a 'bak' folder created by the malware. The files in the original folders are the bad ones and running at each startup. This means when the program affected is run, what is actually running is the malware.

Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe by noahdfear and save to your desktop.
  • Double-click on FindAWF.exe to start.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 1 then 'Enter' to scan for bak folders
  • When complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop.
  • Copy and paste the contents of the awf.txt file in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Mike T

Mike T
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 03 February 2008 - 10:42 PM

Quietman: Thank you for your quick reply. the axf.txt file contents are posted below. Note that I have my MyDocuments directories located on my D:\ drive - if this makes a difference in how I should run FindAWF. Also - I disabled System Restore earlier today.

Thank you for your assistance! MikeT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sun 02/03/2008
The current time is: 21:31:44.56


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 08:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\PROGRA~1\INTEL\IDU\BAK

02/03/2008 03:47 PM 0 dataobj.dat
12/28/2006 06:07 PM 2,242,328 iptray.exe
2 File(s) 2,242,328 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

10256 Jan 30 2008 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
0 Jan 30 2008 "C:\Program Files\Intel\IDU\dataobj.dat"
0 Feb 3 2008 "C:\Program Files\Intel\IDU\bak\dataobj.dat"
14348 Jan 31 2008 "C:\Program Files\Intel\IDU\iptray.exe"
2242328 Dec 28 2006 "C:\Program Files\Intel\IDU\bak\iptray.exe"


end of report

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 03 February 2008 - 10:48 PM

You should not have disable System Restore. Read "System Restore and malware removal - what is best practice?".

Double-click the FindAWF icon once again.
  • If a "Security Alert" shows, allow the program to run.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 2 then 'Enter' to restore files from bak folders
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
"C:\Program Files\Intel\IDU\bak\dataobj.dat"
"C:\Program Files\Intel\IDU\bak\iptray.exe

  • Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
    • It attempts to terminate the process represented by each filename on the list (if running).
    • Deletes the rogue file from the parent folder (if present).
    • Copies the original file to the parent folder.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Mike T

Mike T
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 03 February 2008 - 11:13 PM

Quietman: My bad on turning off SystemRestore. Seemed like the right thing to do at the time, but after reading the article you linked, I see why I would be better off not doing it. Consider it a lesson learned. This is a new computer build (I ran a P2-400 with Win98 for 9 years on the original installation before this). Some upgrade - I've had this beast less than a month, and already it's paralyzed! Anyway, results are below.

Thanks!

Mike
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 02/03/2008
The current time is: 22:06:09.78


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 08:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\PROGRA~1\INTEL\IDU\BAK

02/03/2008 03:47 PM 0 dataobj.dat
12/28/2006 06:07 PM 2,242,328 iptray.exe
2 File(s) 2,242,328 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

204288 Oct 18 2006 "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
0 Feb 3 2008 "C:\Program Files\Intel\IDU\dataobj.dat"
0 Feb 3 2008 "C:\Program Files\Intel\IDU\bak\dataobj.dat"
2242328 Dec 28 2006 "C:\Program Files\Intel\IDU\iptray.exe"
2242328 Dec 28 2006 "C:\Program Files\Intel\IDU\bak\iptray.exe"


end of report

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 04 February 2008 - 08:06 AM

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 3 then 'Enter' to remove bak folders.
  • A text file named files.txt will then open.
  • Click below the line and copy/paste the following list of folders in the quote box into the text file:

C:\Program Files\Windows Media Player\bak
C:\Program Files\Intel\IDU\bak
C:\Program Files\Intel\IDU\bak

  • Close the text file and click Yes to save the changes.
  • When done, it automatically runs a new scan and opens a new log.
  • Please copy/paste the contents of the new awf.txt log in your reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Mike T

Mike T
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 04 February 2008 - 07:50 PM

Latest awf.txt file contents attached.

Mike
~~~~~~~~~~~~

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Mon 02/04/2008
The current time is: 18:39:26.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\TRENDM~1\INTERN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 05 February 2008 - 08:11 AM

Double-click the FindAWF icon once again.
  • A command prompt will open and ask you to "Press any key to continue...".
  • You will be presented with a Menu.
  • Press 4 then 'Enter' to reset domain zones.
  • You will receive a warning to reset domain zones.
  • Press 1 then 'Enter'.
  • When done, you will receive a message: "Done! Zones have been reset".
  • After resetting the domain zones, the program will return to the main menu.
  • Press E then 'Enter' to EXIT.
  • Note: If you had manually added any sites in the trusted zones, they will need to be re-inserted.
Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Mike T

Mike T
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 05 February 2008 - 09:44 AM

Quietman: Log posted below. Question: There was one "bak" file listed in my last post. Should it be manually deleted, or does it matter?

Note that ATFCleaner and SuperAntiSpyware both came up clean during the SafeMode scans. However Things are still sluggish on my end. No more re-routes to a.doginhispen.com, etc. though. Also think there are some new entries in my startup list. Also have about a bazillion otems listed in Trend-Micro PC-cillin. I suspect I may have to do a re-install...

Thanks!

Mike
~~~~~~~~~~~~~~~~~~~
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/05/2008 at 08:18 AM

Application Version : 3.9.1008

Core Rules Database Version : 3395
Trace Rules Database Version: 1387

Scan type : Complete Scan
Total Scan Time : 00:15:24

Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 6037
Registry threats detected : 0
File items scanned : 26346
File threats detected : 0

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 05 February 2008 - 09:51 AM

This infection creates duplicate files of bak directories and the tool looks for duplicate files of bak directory contents. No more dups were found otherwise they would be listed at the end of

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~


Your SAS log looks good too.

Now if there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 Mike T

Mike T
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 05 February 2008 - 09:32 PM

Quietman: Latest mission complete. I am also perusing/cleaning my directories, and plan on a defrag, etc. Boot-up is much quicker, but I still notice some lag in performance. A couple questions:

1. Looking through the Start-up report in SSD, there are also a few entries there that I question - though I am not an expert. I also run a utilities program (TuneUp Utilities 2008) that is listing some MS security update programs as missing (might be that the installer copies were purged with the disk cleanup though). Any additional steps you recommend at this time?

If not I'd like to keep this thread open for a couple days to make sure I'm definitely out of the woods. I spent 8+ years learning the ropes with Win98, and thought I had mastered it pretty well. I fear I am back to square one with XP, but enjoy a challange or two. I just don't learn as quickly as I used to. That and I have to balance the computer needs of my wife and I with 2 teenagers. Your help is GREATLY appreciated!!!!!! :thumbsup:

2. Lastly - Does B-C have a "donation" mechanism to help defray the costs of the website? If so I'd like to contribute something to it to help keep it going - I have found nothing but good advice here. I just wish I had come here first with this recent incident. Please advise if - and where - I should go for this.

Of course there are also several hundred entries in Trend-Micro PC-cillin logs that I need to address too (used NAV for years, but it became bloat-ware and went with Trend as per my system-builders recommendation). This is a new AV program for me and I strongly suspect my son authorized the progran that attacked us via Trend's pop-up messages. My next task is to thoroughly review the program documentation and make sure I fully understand how Trend operates.

Thanks again!

Regards,

MikeT

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 05 February 2008 - 11:15 PM

If you are unsure what any of the startup entries are or if they are safe to disable, then search one of the following Startup Databases:
BC's Startup Programs Database
StartupList Index

With SSD or any startup manager, if you untick an entry it will no longer run at startup. This will allow you to experiment and see how your system performs with any of them disabled. Note: some startup programs are necessary so be careful what you disable.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or AnVir TaskManager Free to investigate all startups, running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Anytime you come across a suspicious file which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Does B-C have a "donation" mechanism to help defray the costs of the website?

We appreciate your generous offer but as our other advertisements are able to offset the cost of the site, Bleeping Computer is no longer accepting site donations. The site is by no means a profit making venture, but it is at this point self sustaining. Since it is self sustaining the donation link was removed last year by the site owner.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 Mike T

Mike T
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Gateway to the West
  • Local time:12:40 AM

Posted 09 February 2008 - 02:55 PM

Quietman: After our last exchange, I removed a suspicious entry from my startup list (it was blank, and SSD didn't list any valid explanation for it). Turned it off initially, and ran the computer for 3 days without a hitch. I also scanned both drives from the Run prompt, and fixed the drive errors Windows found. I also dl'd and ran (in Safe Mode) a couple more anti-spy programs. Nothing was found. My system runs much better - almost back to normal. I suspect a minor corruption of Trend Micro PC-cillin also has occured (I think that explains the remaining minor slowdown), and plan on looking into this with Trend this evening.

One question for you though:

I run TuneUp Utilities 2008 for most of my system cleanup and tweaks. On it's latest quick scan, it notes 119 invalid application entries in the registry - similar to the following:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\KB873339" points to the program "KB873339", which is no longer installed. The entry can therefore be deleted."

All 119 entries are Microsoft updates (i.e.: KBxxxxxx). It notes that the programs are no longer installed, and that the entries can safely be deleted from the registry (I didn't let it delete them yet). I then went to Windows Update, and it indicates I am still current - no updates available.

Any idea what this is about? I was thinking maybe these referenced the backup installer copies of the MS updates, and that one of my file cleanups inadvertently removed them. Never ran across this issue before, and I can't find any information on MS's support site that applies to my situation.

Thanks!

MikeT

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:40 AM

Posted 11 February 2008 - 02:04 PM

I run TuneUp Utilities 2008 for most of my system cleanup and tweaks. On it's latest quick scan, it notes 119 invalid application entries in the registry...

Registry cleaners are extremely powerful applications. There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system unbootable.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results". Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly can have disastrous effects on your operating system such as preventing it from ever starting again. For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users