
ZeroAccess Virus


10 replies to this topic

#1 sccomputerguys

  • Members
  • 6 posts

Posted 20 July 2012 - 04:08 PM

Hello, I have been infected with the ZeroAccess Virus on my Windows 7 Thin Client. I am unable to get out to the internet, and can't connect to any network.
I have tried using TDSSKiller and ComboFix, but have been unsuccessful in removing this stubborn virus.
I ran DDS, but it failed to produce a log for me to post; the command prompt comes up like it should, but then disappears and no log is shown. I still completed the rest of the guide as best as I could.
Here is the link to my initial thread about the virus.

Here is the GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-21 12:11:54
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 4GB_ATA_Flash_Disk rev.AD_B612J
Running: fdikgsn6.exe; Driver: C:\kwryapod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8287F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828A3F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE peauth.sys 912EBE21 100 Bytes [E9, 6D, F9, FF, CC, B1, 68, ...]
PAGE peauth.sys 912EC02D 101 Bytes [E9, 5D, E3, C7, D4, 54, AD, ...]

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 ewf.sys (Enhanced Write Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 ewf.sys (Enhanced Write Filter Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 ewf.sys (Enhanced Write Filter Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\00000452 \GLOBAL??\2476f915 afd.sys

---- EOF - GMER 1.0.15 ----

Here is the ComboFix log as requested:

ComboFix 12-07-20.02 - Administrator 07/21/2012 13:41:39.5.2 - x86
Microsoft Windows Embedded Standard 6.1.7600.0.1252.1.1033.18.1980.1640 [GMT -4:00]
Running from: D:\CFix.exe
* Created a new restore point
* Resident AV is active



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\system32\drivers\afd.sys . . . is infected!! . . . Failed to find a valid replacement.

((((((((((((((((((((((((( Files Created from 2012-06-21 to 2012-07-21 )))))))))))))))))))))))))))))))


2012-07-21 17:51:22 . 2012-07-21 17:51:22 -------- dc----w- C:\Users\User\AppData\Local\temp
2012-07-21 17:51:22 . 2012-07-21 17:51:22 -------- dc----w- C:\Users\Public\AppData\Local\temp
2012-07-21 17:51:22 . 2012-07-21 17:51:22 -------- dc----w- C:\Users\Default\AppData\Local\temp
2012-07-21 17:51:22 . 2012-07-21 17:51:22 -------- dc----w- C:\Users\Administrator\AppData\Local\temp
2012-06-28 17:11:35 . 2012-06-28 17:11:35 -------- dc----w- C:\Users\Administrator\AppData\Roaming\SpeedyPC Software
2012-06-28 17:11:35 . 2012-06-28 17:11:35 -------- dc----w- C:\Users\Administrator\AppData\Roaming\DriverCure
2012-06-28 17:11:06 . 2012-06-28 17:21:48 -------- dc----w- C:\ProgramData\SpeedyPC Software
2012-06-28 16:12:58 . 2012-06-28 17:18:13 -------- d-----w- C:\2nd attempt
2012-06-28 15:59:49 . 2012-06-28 16:01:07 -------- d-----w- C:\GeneFix
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-06-07 18:27:18 . 2012-06-07 18:27:17 338059 ----a-w- C:\FSS.exe
2012-06-07 18:13:42 . 2012-03-02 13:40:38 2062896 ----a-w- C:\TDSSKiller.exe
2012-06-07 18:00:22 . 2012-06-07 18:00:21 302592 ----a-w- C:\i83d71k5.exe
2012-06-07 17:58:58 . 2012-06-07 17:58:57 607260 ------r- C:\dds.scr
2012-06-07 17:57:04 . 2012-06-07 17:57:02 50477 ----a-w- C:\Defogger.exe
2012-06-07 16:35:03 . 2012-06-07 16:35:03 4538658 ------r- C:\GeneFix.exe
2012-06-07 16:26:27 . 2009-07-14 03:26:26 338944 ----a-w- C:\Windows\system32\drivers\afd.sys


((((((((((((((((((((((((((((( SnapShot@2012-06-07_17.09.44 )))))))))))))))))))))))))))))))))))))))))

+ 2011-10-20 18:28:30 . 2012-07-21 17:42:59 22062 C:\Windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-09-30 16:02:56 . 2012-07-21 17:42:57 31924 C:\Windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-06-07 20:39:56 . 2011-05-04 15:36:32 27192 C:\Windows\System32\drivers\rspSanity32.sys
+ 2011-09-30 15:37:51 . 2012-07-21 17:42:58 6226 C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3982149815-1093941191-2453676257-500_UserData.bin
+ 2012-06-07 18:25:49 . 2012-06-07 18:25:49 9560 C:\Windows\System32\networklist\icons\{DD40A04C-BBF0-4045-A612-8D0A5D7EF4C5}_48.bin
+ 2012-06-07 18:25:49 . 2012-06-07 18:25:49 4280 C:\Windows\System32\networklist\icons\{DD40A04C-BBF0-4045-A612-8D0A5D7EF4C5}_32.bin
+ 2012-06-07 18:25:49 . 2012-06-07 18:25:49 2456 C:\Windows\System32\networklist\icons\{DD40A04C-BBF0-4045-A612-8D0A5D7EF4C5}_24.bin
+ 2012-07-21 15:25:14 . 2012-07-21 15:25:14 9560 C:\Windows\System32\networklist\icons\{191047B4-61D4-4FED-AE6A-5751C95DECBE}_48.bin
+ 2012-07-21 15:25:14 . 2012-07-21 15:25:14 4280 C:\Windows\System32\networklist\icons\{191047B4-61D4-4FED-AE6A-5751C95DECBE}_32.bin
+ 2012-07-21 15:25:14 . 2012-07-21 15:25:14 2456 C:\Windows\System32\networklist\icons\{191047B4-61D4-4FED-AE6A-5751C95DECBE}_24.bin
+ 2012-07-21 17:40:44 . 2012-07-21 17:40:44 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-07 16:54:18 . 2012-06-07 17:09:10 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-21 17:40:44 . 2012-07-21 17:40:44 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-04-02 05:55:38 . 2012-07-21 15:42:53 622406 C:\Windows\System32\perfh009.dat
- 2010-04-02 05:55:38 . 2012-06-07 17:00:46 622406 C:\Windows\System32\perfh009.dat
- 2010-04-02 05:55:38 . 2012-06-07 17:00:46 106426 C:\Windows\System32\perfc009.dat
+ 2010-04-02 05:55:38 . 2012-07-21 15:42:53 106426 C:\Windows\System32\perfc009.dat
- 2010-09-30 18:53:02 . 2012-06-07 17:09:18 425984 C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-30 18:53:02 . 2012-07-21 17:40:52 425984 C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-02 05:54:38 . 2012-07-21 15:02:18 5767168 C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2010-04-02 05:54:38 . 2012-06-07 17:07:52 5767168 C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2010-09-30 18:53:02 . 2012-06-07 17:09:18 3686400 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-30 18:53:02 . 2012-07-21 17:40:52 3686400 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-30 18:53:02 . 2012-06-07 17:09:18 8290304 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-09-30 18:53:02 . 2012-07-21 17:40:52 8290304 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP_EWFStatusNotify"="c:\windows\system32\WFMonSvc.exe" [2010-09-24 15:05:36 220160]
"ConnectionCenter"="C:\Program Files\Citrix\ICA Client\concentr.exe" [2010-06-07 15:17:18 300472]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 17:06:06 254696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest pku2u tspkg wsauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R2 3245;3245;y:\Temp\3245.sys [x]
R2 5689;5689;y:\Temp\5689.sys [x]
R3 hprpusbf;HP Remote Physical USB;C:\Windows\System32\Drivers\hprpusbf.sys [x]
R3 rspSanity;rspSanity;C:\Windows\system32\DRIVERS\rspSanity32.sys [x]
S0 Ewf;Ewf;C:\Windows\system32\drivers\ewf.sys [x]
S0 Fbwf;Fbwf;C:\Windows\system32\drivers\fbwf.sys [x]
S0 Ramdrive;HP RAM Disk Driver;C:\Windows\system32\DRIVERS\ramdrive.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys [x]
S1 RegFilter;RegFilter;C:\Windows\system32\drivers\regflt.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [x]
S2 HPCA-RALF;HPCA Registration And Loading Facility;C:\Program Files\Hewlett-Packard\HPCA\Agent\ralf.exe [x]
S2 HPDMAgent;HP Device Management Agent;C:\Windows\xpeagent\HPDMAgent.exe [x]
S2 iprip;RIP Listener;C:\Windows\System32\svchost.exe [x]
S2 NfsClnt;Client for NFS;C:\Windows\system32\nfsclnt.exe [x]
S2 WFStatusSvc;HP WriteFilter Status Service;c:\windows\system32\WFMonSvc.exe [x]
S2 wsnm;VMware View Client Service;C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [x]
S3 hprpusbh;hprpusbh (display);C:\Windows\system32\drivers\hprpusbh.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60x.sys [x]
S3 NfsRdr;Client for NFS Redirector;C:\Windows\system32\drivers\nfsrdr.sys [x]
S3 PsxDrv;PsxDrv;C:\Windows\system32\drivers\psxdrv.sys [x]
S3 Ramdisk;Windows RAM Disk Driver;C:\Windows\system32\DRIVERS\ramdisk.sys [x]
S3 RpcXdr;Server for NFS Open RPC (ONCRPC);C:\Windows\system32\drivers\rpcxdr.sys [x]
S3 WSUSBDMAN;VMware View Virtual Client USB Manager;C:\Windows\system32\DRIVERS\WSUSBDMAN.sys [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ BFE mpssvc DPS PLA WwanSvc
LocalServiceAndNoImpersonation REG_MULTI_SZ SCardSvr SSDPSRV upnphost QWAVE wcncsvc AppIDSvc FontCache fdrespub
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
ipripsvc REG_MULTI_SZ iprip
LPDService REG_MULTI_SZ LPDSVC

Contents of the 'Scheduled Tasks' folder

2012-06-07 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3982149815-1093941191-2453676257-500Core.job
- C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 15:02:54 . 2011-11-16 18:01:57]

2012-06-07 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3982149815-1093941191-2453676257-500UA.job
- C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 15:02:54 . 2011-11-16 18:01:57]


------- Supplementary Scan -------

uStart Page = hxxp://www.hp.com
mStart Page = hxxp://www.hp.com
TCP: Interfaces\{D798591A-73C9-4BD9-9179-6D077E42D6F1}: NameServer = 192.168.1.1,4.2.2.2


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,d1,de,f6,48,78,87,40,8b,ab,fc,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(532)
C:\Windows\system32\wsauth.DLL

Completion time: 2012-07-21 13:56:07
ComboFix-quarantined-files.txt 2012-07-21 17:56:05
ComboFix2.txt 2012-06-28 16:33:05
ComboFix3.txt 2012-06-07 20:34:46
ComboFix4.txt 2012-06-07 17:55:22
ComboFix5.txt 2012-07-21 16:25:38

Pre-Run: 464,035,840 bytes free
Post-Run: 431,108,096 bytes free

- - End Of File - - C74F32563E5F981C2E364C2A473B3C2F

I appreciate the help I have received so far.


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 July 2012 - 10:43 AM

Let's try and get this machine connected again.


Please run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


ComboFix is reporting that afd.sys is missing, so let's search for a replacement.

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

afd.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 sccomputerguys
  • Topic Starter
  • Members
  • 6 posts

Posted 26 July 2012 - 03:38 PM

FSS.exe Scan:

Farbar Service Scanner Version: 26-07-2012
Ran by Administrator (administrator) on 27-07-2012 at 13:39:20
Running from "D:\"
Microsoft Windows Embedded Standard (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of VSS. The value does not exist.


System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs service is OK.
The ServiceDll of RpcSs service is OK.


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2009-07-13 23:26] - [2012-06-07 12:26] - 0338944 ____A () 868BDF7F16A422E261FD8E055A6B9657

ATTENTION!=====> C:\Windows\system32\Drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2009-07-13 23:27] - [2009-07-13 21:15] - 0565760 ___AC (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 23:30] - [2009-07-13 21:14] - 0493568 ___AC (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

ATTENTION!=====> C:\Windows\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.


ATTENTION!=====> C:\Windows\system32\vssvc.exe FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll
[2009-07-13 23:26] - [2009-07-13 21:16] - 1912832 ___AC (Microsoft Corporation) A33408CC036F9C08142B11BE5E93F0A1

C:\Windows\system32\qmgr.dll
[2009-07-13 23:16] - [2009-07-13 21:16] - 0589312 ___AC (Microsoft Corporation) 53F476476F55A27F580661BDE09C4EC4

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

FSS.exe afd.sys search scan:

Farbar Service Scanner Version: 26-07-2012
Ran by Administrator (administrator) on 27-07-2012 at 13:35:01
Microsoft Windows Embedded Standard (X86)

************************************************
======== Search: "afd.sys" =========

====== End Of Search ======
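The File Check section above is what the helper reads to decide that afd.sys has to be replaced. As an added example (not code from the thread or from Farbar's tool), here is a Python parser that turns that section into a triage summary and optionally compares the reported MD5s against a caller-supplied reference list of known-good hashes; the sample input is an excerpt of the log posted above, and the reference hashes used in the test are constructed placeholders, not real values.

```python
"""Parse the 'File Check' section of a Farbar Service Scanner (FSS) log.

Added example, not part of the thread or of FSS itself.  It separates the
free-form file-check output into four buckets: files FSS verified ("MD5 is
legit"), files reported with a hash but no verdict, files flagged INFECTED
and files flagged MISSING, so a responder can act on them mechanically.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the FSS "File Check" section from the log posted above, trimmed
# to representative lines (legit, infected, missing, and hash-without-verdict).
SAMPLE_LOG = r"""File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2009-07-13 23:26] - [2012-06-07 12:26] - 0338944 ____A () 868BDF7F16A422E261FD8E055A6B9657

ATTENTION!=====> C:\Windows\system32\Drivers\afd.sys IS INFECTED AND SHOULD BE REPLACED.

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\mpssvc.dll
[2009-07-13 23:27] - [2009-07-13 21:15] - 0565760 ___AC (Microsoft Corporation) 5CD996CECF45CBC3E8D109C86B82D69E

C:\Windows\system32\bfe.dll
[2009-07-13 23:30] - [2009-07-13 21:14] - 0493568 ___AC (Microsoft Corporation) 85AC71C045CEB054ED48A7841AAE0C11

ATTENTION!=====> C:\Windows\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.

ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.

C:\Windows\system32\svchost.exe => MD5 is legit

**** End of log ****
"""

# "<path> => MD5 is legit": FSS matched the file against its own hash list.
LEGIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => MD5 is legit$")
# "ATTENTION!=====> <path> IS INFECTED ..." / "... FILE IS MISSING ...".
ATTN_RE = re.compile(
    r"^ATTENTION!=+> (?P<path>[A-Za-z]:\\.+?) "
    r"(?P<verdict>IS INFECTED AND SHOULD BE REPLACED|FILE IS MISSING AND SHOULD BE RESTORED)\.$"
)
# "[created] - [modified] - size attrs (company) MD5" detail line that follows
# a bare path when FSS could not match the hash.  Note the company field is
# empty for afd.sys in the posted log, where Microsoft's name would be expected.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")  # a bare Windows path on its own line


@dataclass
class FileEntry:
    path: str
    legit: bool = False
    md5: Optional[str] = None
    size: Optional[int] = None
    company: str = ""
    verdict: Optional[str] = None  # "infected", "missing" or None


def _entry(entries: Dict[str, FileEntry], path: str) -> FileEntry:
    """Look up (or create) the entry for a path; keys are lower-cased paths."""
    key = path.lower()
    if key not in entries:
        entries[key] = FileEntry(path=path)
    return entries[key]


def parse_file_check(log_text: str) -> Dict[str, FileEntry]:
    """Parse the File Check section into a dict of lower-cased path -> FileEntry."""
    entries: Dict[str, FileEntry] = {}
    in_section = False
    pending: Optional[FileEntry] = None  # bare path awaiting its detail line
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("File Check:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("**** End of log"):
            break
        if not line or set(line) == {"="}:
            continue
        if (m := LEGIT_RE.match(line)):
            _entry(entries, m["path"]).legit = True
            pending = None
        elif (m := ATTN_RE.match(line)):
            e = _entry(entries, m["path"])
            e.verdict = "infected" if m["verdict"].startswith("IS INFECTED") else "missing"
            pending = None
        elif (m := DETAIL_RE.match(line)) and pending is not None:
            pending.md5 = m["md5"].upper()
            pending.size = int(m["size"])
            pending.company = m["company"]
            pending = None
        elif PATH_RE.match(line):
            pending = _entry(entries, line)
    return entries


def triage(entries: Dict[str, FileEntry]) -> Dict[str, List[str]]:
    """Bucket entries by what FSS concluded about them."""
    report: Dict[str, List[str]] = {"legit": [], "infected": [], "missing": [], "unverified": []}
    for e in entries.values():
        if e.verdict == "infected":
            report["infected"].append(e.path)
        elif e.verdict == "missing":
            report["missing"].append(e.path)
        elif e.legit:
            report["legit"].append(e.path)
        elif e.md5:
            report["unverified"].append(e.path)  # hash shown, no FSS verdict
    return report


def check_against_reference(entries: Dict[str, FileEntry], reference: Dict[str, str]) -> List[str]:
    """Return paths whose reported MD5 differs from a caller-supplied reference
    (lower-cased path -> MD5 taken from a known-clean machine of the same build)."""
    return sorted(e.path for k, e in entries.items()
                  if e.md5 and k in reference and e.md5 != reference[k].upper())


if __name__ == "__main__":
    for bucket, paths in triage(parse_file_check(SAMPLE_LOG)).items():
        print(f"{bucket}: {paths}")
```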


#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 July 2012 - 04:16 PM

As you can see from the Farbar Service Scanner results, you have a number of missing and infected files.

Do you have your installation disk? You should try and repair your installation:

http://msdn.microsoft.com/en-us/library/dd128782%28v=winembedded.51%29.aspx

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 sccomputerguys
  • Topic Starter
  • Members
  • 6 posts

Posted 26 July 2012 - 08:30 PM

I ran the installation disk, and followed the instructions on the link provided, but was unable to locate a repair option on the partition screen. I have included a picture of what I see at the partition screen menu.


#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 July 2012 - 09:09 PM

Insert the installation DVD.

On the splash page, choose Install, and then choose Run the Windows Embedded Standard installation wizard.

In the Windows Embedded Standard setup page choose Next.

The Windows Embedded Standard Setup wizard inspects your computer. If you have a previous installation of Windows Embedded Standard, the wizard presents the following options: Change, Repair, and Remove.


When you followed those directions, how far did you get? Did you ever get the "Windows Embedded Standard installation wizard"?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 sccomputerguys
  • Topic Starter
  • Members
  • 6 posts

Posted 26 July 2012 - 10:02 PM

When the installation screen comes up it says "build an image" or "deploy an answer file." The screens I got are the same as this: http://www.intel.com/p/en_US/embedded/hwsw/software/winembedded-installation-guide

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 July 2012 - 10:10 PM

OK, yours must be a different version than the one in the previous link.

I honestly don't know how successful cleaning your computer will be given the extent of the issues, but we can try.

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 sccomputerguys
  • Topic Starter
  • Members
  • 6 posts

Posted 27 July 2012 - 03:54 PM

I ran ComboFix as instructed; here is the log:

ComboFix 12-07-27.03 - Administrator 07/28/2012 13:42:23.6.2 - x86
Microsoft Windows Embedded Standard 6.1.7600.0.1252.1.1033.18.1980.1637 [GMT -4:00]
Running from: C:\Users\Administrator\Desktop\hFix.exe
* Created a new restore point
* Resident AV is active



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\system32\drivers\afd.sys . . . is infected!! . . . Failed to find a valid replacement.

((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))


2012-07-28 17:51:37 . 2012-07-28 17:51:37 -------- dc----w- C:\Users\User\AppData\Local\temp
2012-07-28 17:51:37 . 2012-07-28 17:51:37 -------- dc----w- C:\Users\Public\AppData\Local\temp
2012-07-28 17:51:37 . 2012-07-28 17:51:37 -------- dc----w- C:\Users\Default\AppData\Local\temp
2012-07-28 17:51:37 . 2012-07-28 17:51:37 -------- dc----w- C:\Users\Administrator\AppData\Local\temp
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-06-07 18:27:18 . 2012-06-07 18:27:17 338059 ----a-w- C:\FSS.exe
2012-06-07 18:13:42 . 2012-03-02 13:40:38 2062896 ----a-w- C:\TDSSKiller.exe
2012-06-07 18:00:22 . 2012-06-07 18:00:21 302592 ----a-w- C:\i83d71k5.exe
2012-06-07 17:58:58 . 2012-06-07 17:58:57 607260 ------r- C:\dds.scr
2012-06-07 17:57:04 . 2012-06-07 17:57:02 50477 ----a-w- C:\Defogger.exe
2012-06-07 16:35:03 . 2012-06-07 16:35:03 4538658 ------r- C:\GeneFix.exe
2012-06-07 16:26:27 . 2009-07-14 03:26:26 338944 ----a-w- C:\Windows\system32\drivers\afd.sys


((((((((((((((((((((((((((((( SnapShot@2012-06-07_17.09.44 )))))))))))))))))))))))))))))))))))))))))

+ 2011-10-20 18:28:30 . 2012-07-28 17:43:16 22740 C:\Windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2010-09-30 16:02:56 . 2012-07-28 17:43:16 32196 C:\Windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-07-28 02:03:08 . 2012-07-27 21:58:50 67584 C:\Windows\System32\LogFiles\Srt\bootstat.dat
+ 2012-06-07 20:39:56 . 2011-05-04 15:36:32 27192 C:\Windows\System32\drivers\rspSanity32.sys
+ 2011-09-30 15:37:51 . 2012-07-28 17:43:16 6298 C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3982149815-1093941191-2453676257-500_UserData.bin
+ 2012-06-07 18:25:49 . 2012-06-07 18:25:49 9560 C:\Windows\System32\networklist\icons\{DD40A04C-BBF0-4045-A612-8D0A5D7EF4C5}_48.bin
+ 2012-06-07 18:25:49 . 2012-06-07 18:25:49 4280 C:\Windows\System32\networklist\icons\{DD40A04C-BBF0-4045-A612-8D0A5D7EF4C5}_32.bin
+ 2012-06-07 18:25:49 . 2012-06-07 18:25:49 2456 C:\Windows\System32\networklist\icons\{DD40A04C-BBF0-4045-A612-8D0A5D7EF4C5}_24.bin
+ 2012-07-21 15:25:14 . 2012-07-21 15:25:14 9560 C:\Windows\System32\networklist\icons\{191047B4-61D4-4FED-AE6A-5751C95DECBE}_48.bin
+ 2012-07-21 15:25:14 . 2012-07-21 15:25:14 4280 C:\Windows\System32\networklist\icons\{191047B4-61D4-4FED-AE6A-5751C95DECBE}_32.bin
+ 2012-07-21 15:25:14 . 2012-07-21 15:25:14 2456 C:\Windows\System32\networklist\icons\{191047B4-61D4-4FED-AE6A-5751C95DECBE}_24.bin
+ 2012-07-28 17:41:22 . 2012-07-28 17:41:22 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-28 17:41:22 . 2012-07-28 17:41:22 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-07 16:54:18 . 2012-06-07 17:09:10 2048 C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-04-02 05:55:38 . 2012-06-07 17:00:46 622406 C:\Windows\System32\perfh009.dat
+ 2010-04-02 05:55:38 . 2012-07-21 15:42:53 622406 C:\Windows\System32\perfh009.dat
- 2010-04-02 05:55:38 . 2012-06-07 17:00:46 106426 C:\Windows\System32\perfc009.dat
+ 2010-04-02 05:55:38 . 2012-07-21 15:42:53 106426 C:\Windows\System32\perfc009.dat
+ 2010-09-30 18:53:02 . 2012-07-28 17:41:29 425984 C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-09-30 18:53:02 . 2012-06-07 17:09:18 425984 C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-02 05:54:38 . 2012-06-07 17:07:52 5767168 C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-04-02 05:54:38 . 2012-07-27 22:34:58 5767168 C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2010-09-30 18:53:02 . 2012-06-07 17:09:18 3686400 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-30 18:53:02 . 2012-07-28 17:41:29 3686400 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-30 18:53:02 . 2012-07-28 17:41:29 8290304 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-09-30 18:53:02 . 2012-06-07 17:09:18 8290304 C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP_EWFStatusNotify"="c:\windows\system32\WFMonSvc.exe" [2010-09-24 15:05:36 220160]
"ConnectionCenter"="C:\Program Files\Citrix\ICA Client\concentr.exe" [2010-06-07 15:17:18 300472]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 17:06:06 254696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest pku2u tspkg wsauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R2 3245;3245;y:\Temp\3245.sys [x]
R2 5689;5689;y:\Temp\5689.sys [x]
R3 hprpusbf;HP Remote Physical USB;C:\Windows\System32\Drivers\hprpusbf.sys [x]
R3 rspSanity;rspSanity;C:\Windows\system32\DRIVERS\rspSanity32.sys [x]
S0 Ewf;Ewf;C:\Windows\system32\drivers\ewf.sys [x]
S0 Fbwf;Fbwf;C:\Windows\system32\drivers\fbwf.sys [x]
S0 Ramdrive;HP RAM Disk Driver;C:\Windows\system32\DRIVERS\ramdrive.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys [x]
S1 RegFilter;RegFilter;C:\Windows\system32\drivers\regflt.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [x]
S2 HPCA-RALF;HPCA Registration And Loading Facility;C:\Program Files\Hewlett-Packard\HPCA\Agent\ralf.exe [x]
S2 HPDMAgent;HP Device Management Agent;C:\Windows\xpeagent\HPDMAgent.exe [x]
S2 iprip;RIP Listener;C:\Windows\System32\svchost.exe [x]
S2 NfsClnt;Client for NFS;C:\Windows\system32\nfsclnt.exe [x]
S2 WFStatusSvc;HP WriteFilter Status Service;c:\windows\system32\WFMonSvc.exe [x]
S2 wsnm;VMware View Client Service;C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [x]
S3 hprpusbh;hprpusbh (display);C:\Windows\system32\drivers\hprpusbh.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys [x]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60x.sys [x]
S3 NfsRdr;Client for NFS Redirector;C:\Windows\system32\drivers\nfsrdr.sys [x]
S3 PsxDrv;PsxDrv;C:\Windows\system32\drivers\psxdrv.sys [x]
S3 Ramdisk;Windows RAM Disk Driver;C:\Windows\system32\DRIVERS\ramdisk.sys [x]
S3 RpcXdr;Server for NFS Open RPC (ONCRPC);C:\Windows\system32\drivers\rpcxdr.sys [x]
S3 WSUSBDMAN;VMware View Virtual Client USB Manager;C:\Windows\system32\DRIVERS\WSUSBDMAN.sys [x]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ BFE mpssvc DPS PLA WwanSvc
LocalServiceAndNoImpersonation REG_MULTI_SZ SCardSvr SSDPSRV upnphost QWAVE wcncsvc AppIDSvc FontCache fdrespub
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
ipripsvc REG_MULTI_SZ iprip
LPDService REG_MULTI_SZ LPDSVC

Contents of the 'Scheduled Tasks' folder

2012-06-07 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3982149815-1093941191-2453676257-500Core.job
- C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 15:02:54 . 2011-11-16 18:01:57]

2012-06-07 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3982149815-1093941191-2453676257-500UA.job
- C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-17 15:02:54 . 2011-11-16 18:01:57]


------- Supplementary Scan -------

uStart Page = hxxp://www.hp.com
mStart Page = hxxp://www.hp.com
TCP: Interfaces\{D798591A-73C9-4BD9-9179-6D077E42D6F1}: NameServer = 192.168.1.1,4.2.2.2


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,d1,de,f6,48,78,87,40,8b,ab,fc,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-3982149815-1093941191-2453676257-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,fd,f7,1e,b6,1a,5c,4f,9c,dc,9d,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(532)
C:\Windows\system32\wsauth.DLL

Completion time: 2012-07-28 13:55:52
ComboFix-quarantined-files.txt 2012-07-28 17:55:51
ComboFix2.txt 2012-07-21 17:56:07
ComboFix3.txt 2012-06-28 16:33:05
ComboFix4.txt 2012-06-07 20:34:46
ComboFix5.txt 2012-07-28 17:37:42

Pre-Run: 475,189,248 bytes free
Post-Run: 444,342,272 bytes free

- - End Of File - - 943B619E16E41CD45254BD50B14A9CFC




#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:02 PM

Posted 27 July 2012 - 05:06 PM

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double-click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • Click OK
  • Press Start Scan
    • If malicious objects are found, then ensure Cure is selected
    • If TDLFS File System/TDSS File System is found, then ensure Cure is selected (if Cure is not available, choose Skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:02 PM

Posted 02 August 2012 - 03:42 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




