I have Trojan.ZeroAccess and Trojan.Gen?


13 replies to this topic

#1 TkPin


Posted 30 July 2012 - 04:31 PM

I need help making sure I have removed these.
I have Norton 360 and Windows 7.

Here is the sequence of what I have had happen:

While web browsing I clicked on a suspicious link -> had another suspicious window open
Then I kept getting prompted to install an "Adobe Flash Player Update" - I said no, and it repeatedly asked to install.
I found an odd exe in Task manager .43298320432904.exe (or similar, not sure of exact name) and killed it
I ran a virus scan and found nothing
Then approximately every 8 minutes, Norton Auto-Protect would show that it blocked a trojan. The log showed these blocks...

Trojan.Gen
Trojan.Gen.2
Trojan.Zeroaccess
Trojan.Zeroaccess.B

I then tried Norton Power Eraser - it found the file with the numeric name and deleted it, but nothing else and I still got more of the above Trojan blocks.
Then found ComboFix.exe and ran it. Afterwards I ended up on the site which said to NOT run it.

My computer seems better as I'm not seeing anything in Task Manager and the Norton Auto-Protect is not showing blocked Trojans.

I really need to make sure I don't have a Trojan. Can someone please assist me?

BTW - I previously posted with the ComboFix log, and then I saw that those posts will be ignored.

Thanks,
Tom


DDS.log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by tknorst at 22:59:58 on 2012-07-30
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.8191.5321 [GMT -5:00]
.
AV: Norton Business Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Business Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Business Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\tubeCentric.tv\tubeCentric Service\tubeCentric.Service.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files\Silicondust\HDHomeRun\hdhomerun_service.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Citrix\GoToMeeting\952\g2mstart.exe
C:\Program Files (x86)\Logitech\Vid HD\Vid.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Citrix\GoToMeeting\952\g2mcomm.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Citrix\GoToMeeting\952\g2mlauncher.exe
C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
C:\Windows\ehome\ehShell.exe
C:\Program Files (x86)\Intuit\QuickBooks 2011\QBHelp.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskmgr.exe
C:\Windows\ehome\mcGlidHost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\coIEPlg.dll
uRun: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\952\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Logitech Vid] "C:\Program Files (x86)\Logitech\Vid HD\Vid.exe" -bootmode
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Windows Media Center] RunDLL32.exe C:\Windows\ehome\ehuihlp.dll,BootMediaCenter
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\OSR_TI~1.LNK - C:\Program Files (x86)\Intuit\IDN\Common\TinyWeb\TINY.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - hxxp://download.microsoft.com/download/PowerPoint2002/Install/10.0.2609/WIN98MeXP/EN-US/msorun.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.1.10.2
TCP: Interfaces\{997FAAD4-9360-40E4-91AB-BB5F44785D00} : DhcpNameServer = 10.1.10.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\coIEPlg.dll
mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun-x64: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun-x64: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\tknorst\AppData\Roaming\Mozilla\Firefox\Profiles\zmnhwqb9.default\
.
============= SERVICES / DRIVERS ===============
.
R0 SMR300;Symantec SMR Utility Service 3.0.0;C:\Windows\system32\drivers\SMR300.SYS --> C:\Windows\system32\drivers\SMR300.SYS [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0502020.003\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0502020.003\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0502020.003\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120711.002\BHDrvx64.sys [2012-7-12 1161376]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120728.001\IDSviA64.sys [2012-7-30 509088]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0502020.003\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0502020.003\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0502020.003\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0502020.003\SYMNETS.SYS [?]
R2 HDHomeRun Service;HDHomeRun Service;C:\Program Files\Silicondust\HDHomeRun\hdhomerun_service.exe [2012-4-5 16384]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R2 N360;Norton Business Suite;C:\Program Files (x86)\Norton Business Suite\Engine\5.2.2.3\ccsvchst.exe [2012-7-16 130008]
R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-6-30 1248256]
R2 tubeCentric Service;tubeCentric Service;C:\Program Files (x86)\tubeCentric.tv\tubeCentric Service\tubeCentric.Service.exe [2011-5-28 13568]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-6-7 138912]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 250056]
S3 CamDrL64;Logitech QuickCam Pro 3000(PID_08B0);C:\Windows\system32\DRIVERS\CamDrL64.sys --> C:\Windows\system32\DRIVERS\CamDrL64.sys [?]
S3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\DRIVERS\LVUSBS64.sys --> C:\Windows\system32\DRIVERS\LVUSBS64.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-26 113120]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2012-07-30 18:48:10 96376 ----a-w- C:\Windows\System32\drivers\SMR300.SYS
2012-07-30 17:59:35 -------- d-----w- C:\Users\tknorst\AppData\Roaming\Tific
2012-07-30 17:59:31 -------- d-----w- C:\Users\tknorst\AppData\Local\Symantec
2012-07-30 17:53:06 98816 ----a-w- C:\Windows\sed.exe
2012-07-30 17:53:06 518144 ----a-w- C:\Windows\SWREG.exe
2012-07-30 17:53:06 256000 ----a-w- C:\Windows\PEV.exe
2012-07-30 17:53:06 208896 ----a-w- C:\Windows\MBR.exe
2012-07-30 15:47:48 -------- d-----w- C:\Users\tknorst\AppData\Local\NPE
2012-07-16 20:04:19 912504 ----a-w- C:\Windows\System32\drivers\N360x64\0502020.003\symefa64.sys
2012-07-16 20:04:19 450680 ----a-w- C:\Windows\System32\drivers\N360x64\0502020.003\symds64.sys
2012-07-16 20:04:19 386168 ----a-w- C:\Windows\System32\drivers\N360x64\0502020.003\symnets.sys
2012-07-16 20:04:18 744568 ----a-w- C:\Windows\System32\drivers\N360x64\0502020.003\srtsp64.sys
2012-07-16 20:04:18 40568 ----a-w- C:\Windows\System32\drivers\N360x64\0502020.003\srtspx64.sys
2012-07-16 20:04:18 171128 ----a-r- C:\Windows\System32\drivers\N360x64\0502020.003\ironx64.sys
2012-07-16 20:04:09 -------- d-----w- C:\Windows\System32\drivers\N360x64\0502020.003
.
==================== Find3M ====================
.
2012-07-27 02:02:08 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-27 02:02:08 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 20:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 20:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
.
============= FINISH: 23:00:21.74 ===============

Edited by TkPin, 30 July 2012 - 11:06 PM.



#2 D-FRED-BROWN

  • Malware Response Team

Posted 01 August 2012 - 02:24 PM

Hello and welcome to Bleeping Computer!

I am D-FRED-BROWN and I will be helping you. :)


Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.


----------Step 1----------------
I know you've already run TDSSKiller before, but please run it one more time so we have an up-to-date idea of what may be remaining on the computer.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Skip is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: Do not choose Cure or Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

----------Step 2----------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.


----------Step 3----------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 4----------------
In your next reply, please include the following:
  • TDSSKiller's logfile
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#3 TkPin


Posted 02 August 2012 - 08:29 AM

Thanks D-FRED-BROWN

The computer has seemed to be running properly. I had to re-install Norton (before running these); it wasn't running properly after the first problems.
As a reminder, I had run ComboFix previously and things seemed better then, but Norton wasn't working.

I attached the comboFix result, because the post was too long.

Here are the log files...

17:47:36.0876 6120 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
17:47:37.0170 6120 ============================================================
17:47:37.0170 6120 Current date / time: 2012/08/01 17:47:37.0170
17:47:37.0170 6120 SystemInfo:
17:47:37.0170 6120
17:47:37.0170 6120 OS Version: 6.1.7601 ServicePack: 1.0
17:47:37.0170 6120 Product type: Workstation
17:47:37.0171 6120 ComputerName: HPMEDIA
17:47:37.0171 6120 UserName: tknorst
17:47:37.0171 6120 Windows directory: C:\Windows
17:47:37.0171 6120 System windows directory: C:\Windows
17:47:37.0171 6120 Running under WOW64
17:47:37.0171 6120 Processor architecture: Intel x64
17:47:37.0171 6120 Number of processors: 4
17:47:37.0171 6120 Page size: 0x1000
17:47:37.0171 6120 Boot type: Normal boot
17:47:37.0171 6120 ============================================================
17:47:40.0401 6120 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
17:47:40.0415 6120 ============================================================
17:47:40.0416 6120 \Device\Harddisk0\DR0:
17:47:40.0416 6120 MBR partitions:
17:47:40.0416 6120 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
17:47:40.0416 6120 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0xC350000
17:47:40.0416 6120 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC382800, BlocksNum 0x68383800
17:47:40.0416 6120 ============================================================
17:47:40.0436 6120 C: <-> \Device\Harddisk0\DR0\Partition1
17:47:40.0468 6120 D: <-> \Device\Harddisk0\DR0\Partition2
17:47:40.0468 6120 ============================================================
17:47:40.0468 6120 Initialize success
17:47:40.0468 6120 ============================================================
17:47:43.0307 6848 Deinitialize success




ComboFix log --- see attachment




Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Security Suite
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java™ 6 Update 31
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox 13.0.1 Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````


#4 D-FRED-BROWN

  • Malware Response Team

Posted 02 August 2012 - 02:01 PM

We've got a few bits and pieces left to clean up.


Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::
74097851

File::
C:\Windows\System32\Drivers\74097851.sys

Reboot::


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

#5 TkPin


Posted 03 August 2012 - 05:30 PM

I ran ComboFix as you said, but after it rebooted I could not open any browsers.
I got the following error message:

"Illegal operation attempted on a registry key that has been marked for deletion"

So I rebooted again, and now they work. I don't know if this is a bad sign that there is still an issue.

The ComboFix log is attached.

Thanks


#6 D-FRED-BROWN

  • Malware Response Team

Posted 03 August 2012 - 05:32 PM

> So I rebooted again, and now they work. I don't know if this is a bad sign that there is still an issue.

It's a common bug, nothing to worry about. :thumbup2:

Your logs appear to be clean. Before we move on, please run this online scan to verify we haven't missed anything:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#7 TkPin


Posted 04 August 2012 - 10:04 AM

Here is the text from the log.txt file:
-----------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK



But the scanner popup said it found a threat.
Here is what it listed:
----------------------------------------------

C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\U\00000008.@ Win64/Agent.BA trojan

#8 D-FRED-BROWN

  • Malware Response Team

Posted 04 August 2012 - 11:46 AM

Let's get a deeper look at some stuff:
We need to create an OTL Report
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized


#9 TkPin


Posted 05 August 2012 - 10:50 PM

I have attached the 2 OTL logs...


#10 D-FRED-BROWN

  • Malware Response Team

Posted 06 August 2012 - 11:03 AM

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :OTL
    C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\U\00000008.@
    C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\@
    
    :Files
    C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}
    C:\Windows\Installer\{ef60596b-0554-71d1-924a-7e3f868015ba}
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.


#11 TkPin


Posted 06 August 2012 - 08:17 PM

The OTL app and Internet Explorer locked up when I ran it. I had to reboot and re-run it.
Also, the reboot took a long time, as well as the "Welcome" screen. I unplugged the ethernet cable and the Welcome screen then completed quickly.

I then ran another OTL Scan, since I had the issues.

The results of the FIX and SCAN are attached

Thanks


#12 D-FRED-BROWN


Posted 06 August 2012 - 09:27 PM

Looking better. :thumbup2:

Let's run an online scan to verify we haven't missed anything:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#13 TkPin


Posted 07 August 2012 - 09:00 AM

It only found 1 threat, in the OTL moved files folder.



All processes killed
========== OTL ==========
========== FILES ==========
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\U folder moved successfully.
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\L folder moved successfully.
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba} folder moved successfully.
File\Folder C:\Windows\Installer\{ef60596b-0554-71d1-924a-7e3f868015ba} not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 871 bytes
->Flash cache emptied: 57449 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mcx2-QUAD-8G
->Temp folder emptied: 0 bytes

User: Mcx2-QUAD-8G.QUAD-8G
->Temp folder emptied: 0 bytes

User: Mcx2-QUAD-8G.QUAD-8G.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: Mcx3-QUAD-8G
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: Mcx4-HPMEDIA
->Temp folder emptied: 0 bytes

User: Mcx4-HPMEDIA.HPMEDIA
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 502140 bytes
->Flash cache emptied: 56504 bytes

User: Public
->Temp folder emptied: 0 bytes

User: tknorst
->Temp folder emptied: 3398718 bytes
->Temporary Internet Files folder emptied: 52829528 bytes
->Java cache emptied: 1055798 bytes
->FireFox cache emptied: 233914638 bytes
->Flash cache emptied: 79965 bytes

User: Tom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 804 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1112844 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 280.00 mb


[EMPTYJAVA]

User: administrator

User: All Users

User: Default

User: Default User

User: Mcx2-QUAD-8G

User: Mcx2-QUAD-8G.QUAD-8G

User: Mcx2-QUAD-8G.QUAD-8G.000

User: Mcx3-QUAD-8G

User: Mcx4-HPMEDIA

User: Mcx4-HPMEDIA.HPMEDIA

User: Public

User: tknorst
->Java cache emptied: 0 bytes

User: Tom

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Mcx2-QUAD-8G

User: Mcx2-QUAD-8G.QUAD-8G

User: Mcx2-QUAD-8G.QUAD-8G.000
->Flash cache emptied: 0 bytes

User: Mcx3-QUAD-8G
->Flash cache emptied: 0 bytes

User: Mcx4-HPMEDIA

User: Mcx4-HPMEDIA.HPMEDIA
->Flash cache emptied: 0 bytes

User: Public

User: tknorst
->Flash cache emptied: 0 bytes

User: Tom

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.56.0 log created on 08062012_151737

Files\Folders moved on Reboot...
C:\Users\tknorst\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File\Folder C:\Users\tknorst\AppData\Local\Temp\~DF032BD55DF893428E.TMP not found!
File\Folder C:\Users\tknorst\AppData\Local\Temp\~DF079FDA67E5EF8BBB.TMP not found!
File\Folder C:\Users\tknorst\AppData\Local\Temp\~DF0864877A182F9A1F.TMP not found!
File\Folder C:\Users\tknorst\AppData\Local\Temp\~DF0B76471C5347D497.TMP not found!
File\Folder C:\Users\tknorst\AppData\Local\Temp\~DF8FCAAA7330B26955.TMP not found!
File\Folder C:\Users\tknorst\AppData\Local\Temp\~DF9CA29DEFCA961E2D.TMP not found!
C:\Users\tknorst\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\tknorst\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat moved successfully.

PendingFileRenameOperations files...
File C:\Users\tknorst\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\tknorst\AppData\Local\Temp\~DF032BD55DF893428E.TMP not found!
File C:\Users\tknorst\AppData\Local\Temp\~DF079FDA67E5EF8BBB.TMP not found!
File C:\Users\tknorst\AppData\Local\Temp\~DF0864877A182F9A1F.TMP not found!
File C:\Users\tknorst\AppData\Local\Temp\~DF0B76471C5347D497.TMP not found!
File C:\Users\tknorst\AppData\Local\Temp\~DF8FCAAA7330B26955.TMP not found!
File C:\Users\tknorst\AppData\Local\Temp\~DF9CA29DEFCA961E2D.TMP not found!
File C:\Users\tknorst\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat not found!
File C:\Users\tknorst\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\SuggestedSites.dat not found!

Registry entries deleted on Reboot...
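
The fix script in post #10 and the fix log in post #13 can be cross-checked mechanically, so that no requested target is left without a recorded outcome. The following is an added example, not part of the original posts and not OTL's own tooling; the function names are hypothetical, and the "covered by moved parent" status is this example's inference from path prefixes.

```python
import re
# Fix script (post #10) and the FILES section of the fix log (post #13), copied from the thread.
FIX_SCRIPT = r"""
:OTL
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\U\00000008.@
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\@
:Files
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}
C:\Windows\Installer\{ef60596b-0554-71d1-924a-7e3f868015ba}
:Commands
[Reboot]
"""
FIX_LOG = r"""
========== FILES ==========
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\U folder moved successfully.
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba}\L folder moved successfully.
C:\Users\tknorst\AppData\Local\{ef60596b-0554-71d1-924a-7e3f868015ba} folder moved successfully.
File\Folder C:\Windows\Installer\{ef60596b-0554-71d1-924a-7e3f868015ba} not found.
"""
MOVED = re.compile(r"^(?P<path>.+?) (?:folder )?moved successfully\.$")
MISSING = re.compile(r"^File\\Folder (?P<path>.+) not found[.!]$")

def script_targets(script):  # paths under every ':Section' header except ':Commands'
    targets, section = [], None
    for line in map(str.strip, script.splitlines()):
        if line.startswith(":"):
            section = line.lower()
        elif line and section not in (None, ":commands"):
            targets.append(line)
    return targets

def log_outcomes(log):  # lowercased path -> 'moved' or 'not found'
    outcomes = {}
    for line in map(str.strip, log.splitlines()):
        for pattern, status in ((MOVED, "moved"), (MISSING, "not found")):
            if m := pattern.match(line):
                outcomes[m["path"].lower()] = status
    return outcomes

def reconcile(script, log):
    """Status per target; 'covered by moved parent' is inferred here, not logged by OTL."""
    outcomes = log_outcomes(log)
    moved = tuple(p + "\\" for p, s in outcomes.items() if s == "moved")
    def status(key):
        inferred = "covered by moved parent" if key.startswith(moved) else "no log entry"
        return outcomes.get(key, inferred)
    return {t: status(t.lower()) for t in script_targets(script)}
if __name__ == "__main__":
    for target, state in reconcile(FIX_SCRIPT, FIX_LOG).items():
        print(f"{state:24} {target}")
```

A target reported as "no log entry" is the case worth a second look, since the log gives no evidence that it was handled.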

#14 D-FRED-BROWN


Posted 07 August 2012 - 12:39 PM

Your logs are looking clean. :)

Before we do anything else, please take the time to install the following updates. Using outdated applications leaves you vulnerable to getting infected again.

-------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here: http://www.oracle.com/technetwork/java/javase/downloads/index.html

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to Start > Control Panel and open Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment).
They will have the Java icon next to them.
Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

-------

You're using an old version of Adobe Acrobat Reader. This can leave your PC open to vulnerabilities. You can update it here (uninstall version 7.0 first):
Adobe Reader X

Note: I suggest you uncheck an optional, third-party download (e.g. McAfee Security Scan Plus).

After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.

-------

Firefox is out of date. Using an outdated version of a web browser leaves you extremely vulnerable to malware!
Please visit the Mozilla site and update it to the latest version.

-------

Please let me know how the updates went, as failed updates may indicate additional malware.



