Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

My folders become shortcut link in my external harddrive and I could not open it


  • Please log in to reply
14 replies to this topic

#1 fasciola

fasciola

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 10 September 2013 - 11:04 PM

Hello,

 

Could someone please help me?

 

The folders on my external harddrive became shortcut links and I could not open all the folders. But I think the files are still there because they are scan-able by my antivirus program.

 

When I tried to open the folder, the following message appeared:

 

H:\.Trashes\c2ca72b3.exe

 

Windows cannot find 'H:\.Trashes\c2ca72b3.exe'. Make sure you typed the name correctly, and then try again.

 

 

I have followed your Preparation Guide Step 6 and attached the two files (i name it attach-compiled and dds-compiled because there are similar names).Attached File  Attach-compiled.txt   12.39KB   15 downloadsAttached File  DDS-compiled.txt   21.56KB   14 downloads

 

I look forward to your immediate reply, thanks :)



BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 11 September 2013 - 09:10 PM

fasciola,

 

:welcome: to the BC forum!

 

 

Let's do the following...

 

:step1:  Safely remove the External drive (and any other removable drives) from the computer.

 

:step2:  Please download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php

Select the version that applies to the system.
Save to the Desktop. We will use the program shortly.

 

:step3:  Next, download UsbFix:
http://www.infospyware.com/utiles/usbfix/

It is a Spanish language website, but the program is in English.
To download. press the button that says: Descagar  (It means: Download)
Also save to the Desktop.

 

:step4:  Connect only the problem External drive while pressing the left Shift key so that autorun is disabled! :exclame:

 

:step5:  After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

>>Please provide the RKreport.txt (Mode: Scan) in your reply.

 

:step6:  Next, right-click the downloaded USBFix file and select: Run as Administrator

Press: Listing

When done, the program closes on its own, and a report appears.
The report file is also found at C:\UsbFix.txt

>>Please post the UsbFix.txt (Listing Mode) report in your reply.

 

Note: If USBFix does not run in normal Windows, please run in Safe Mode:

Restart your computer.
When the computer starts, tap the F8 key on the keyboard repeatedly until presented with the Advanced Boot Options menu
Using the arrow keys, select: Safe Mode
Press the Enter key on your keyboard to boot into the selected mode.


Edited by Aaflac, 11 September 2013 - 09:15 PM.

Old duck...


#3 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 11 September 2013 - 09:59 PM

Hi Aaflac,

 

Thank you so much for the prompt reply.  :thumbup2:

 

I have followed your steps, except that when I did shift+connect my harddrive, the autorun still appeared. Hopefully it wont affect the process.

 

Here are two reports that you need. Attached File  RKreport0_S_09122013_104727.txt   2.86KB   4 downloads and Attached File  UsbFix Listing 1 YOULI-PC.txt   3.3KB   8 downloads

 

What's the next steps? 

 

 



#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 11 September 2013 - 10:40 PM

Thanks for providing the reports.

 

:step1:  Please click on the Windows 7 Start button and then on Control Panel
In Control Panel, select the Folder Options link.
Click on the View tab in the Folder Options window.

In the Advanced settings: area, locate the Hidden files and folders category.

Check: Show hidden files, folders, and drives
Uncheck: Hide protected operating system files (Recommended)
Click Apply and OK at the bottom of the Folder Options window.

 

 

:step2:  Next, with the External drive connected, please run Malwarebytes Anti-Malware:
Download: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
Save to the Desktop

Double-click the downloaded MBAM file to run it.

 

When the installation begins, follow the prompts in the setup process.
DO NOT make any changes to default settings and when the program has finished installing, make sure only the following options are checked:
>Update Malwarebytes’ Anti-Malware 
>Launch Malwarebytes’ Anti-Malware

Uncheck:
>Enable free trial of Malwarebytes Anti-Malware PRO

Click on the Finish button.

 

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, and select: Perform Full Scan

When the Select the Drives to scan prompt appears, make sure all drives (except: CD-Rom/DVD) are selected, and in particular the External drive.

 

Next, click on the Scan button.

 

When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

>> Please copy/paste the entire contents of the MBAM report in your reply.

 

Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.


Edited by Aaflac, 11 September 2013 - 10:42 PM.

Old duck...


#5 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 12 September 2013 - 04:15 AM

Hello Aaflac,

 

The trashes still remain in H drive (there are still shortcut links there), but the hidden folders are now visible so I can open it.

 

Here is the copied report:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.12.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
You Li :: YOULI-PC [administrator]
 
9/12/2013 12:40:57 PM
mbam-log-2013-09-12 (12-40-57).txt
 
Scan type: Full scan (C:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 403920
Time elapsed: 3 hour(s), 20 minute(s), 35 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit) -> Bad: (http://search.conduit.com?SearchSource=10&ctid=CT3220468) Good: (http://www.google.com) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 4
C:\Users\You Li\AppData\Local\Temp\MyDelta_sftnc.exe (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
C:\Users\You Li\Downloads\iLividSetupV1.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
H:\el Memoirs\Docs\InternationalPrimoPDF.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
H:\el Memoirs\photo\swirlabstracts.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
 
(end)
 

 

When I saw the scanning process just now, the files detected was 5 instead of 4 stated in report here. :o



#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 12 September 2013 - 06:48 AM

Let's go after those .trashes that still remain in H: drive...

 

:step1:  Press the Windows Key and the R key at the same time for the Run prompt to appear.
In the Run prompt, type the following in the Open area, and press Enter: cmd

 

When the Command Prompt opens, copy/paste (with the mouse) the following, and press: Enter

attrib -h -s -r -a /s /d X:\*.*

(Change the drive letter X to the letter corresponding to the USB removable drive.)

 

:step2:   Please run USBFix once again

Press: Deletion

When done, the program closes on its own, and a report appears.
The report file is also found at C:\UsbFix.txt

>>Please post the UsbFix.txt (Deletion Mode) report in your reply.

 

 

:step3:   Also run RogueKiller as before

Press: Delete

>>Please post the new RKreport Mode: Deletion, in your reply.


Edited by Aaflac, 12 September 2013 - 04:39 PM.

Old duck...


#7 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 12 September 2013 - 09:17 PM

Hi Aaflac,

 

When I tried to run USBfix, my Avast anti-virus blocked it with the following message

 

MALWARE BLOCKED

avast! File System Shield has blocked a threat.

No further action is required.

Object: C:\Users\You Li\Desktop\UsbFix\Go.exe

Infection: Win32:Malware-gen

Action: Moved to chest

Process: C:\Windows\explorer.exe

 

Do I still need to reinstall USBfix and follow the rest of the steps you stated there?



#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 12 September 2013 - 09:26 PM

Yes, please.

 

Temporarily disable avast!:

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

 

When done with USBFix, re-enable avast!


Old duck...


#9 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 12 September 2013 - 11:47 PM

Hi Aaflac, 

 

Here is report from Usbfix:

 

############################## | UsbFix V 7.134 | [Deletion]
 
User: You Li (Administrator) # JEUNGMINGJUK
Updated 06/09/2013 by El Desaparecido
Started at 11:49:43 | 13/09/2013
 
Contact: eldesaparecido@sosvirus.net
 
PC: TOSHIBA (Satellite L645) (x64-based PC)
CPU: Intel® Core™ i3 CPU       M 350  @ 2.27GHz (2266)
RAM -> [Total : 1910 | Free : 925]
BIOS: InsydeH2O Version 1.90
BOOT: Normal boot
 
OS: Microsoft Windows 7 Home Premium  (6.1.7601 64-Bit) # Service Pack 1
WB: Windows Internet Explorer 10.0.9200.16686
 
SC: Security Center Service [Enabled]
WU: Windows Update Service [Enabled]
AV: avast! Antivirus [(!) Disabled | Updated]
FW: Windows FireWall Service [Enabled]
 
C:\ (%systemdrive%) -> Fixed drive # 286 Gb (82 Mb free - 28%) [] # NTFS
D:\ -> CD-ROM
H:\ -> Fixed drive # 466 Gb (167 Mb free - 36%) [Old Toy Boy] # NTFS
 
################## | El Desaparecido Section |
 
HKLM\SOFTWARE | Run : [ToshibaServiceStation] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
HKLM\SOFTWARE | Run : [TWebCamera] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
HKLM\SOFTWARE | Run : [ITSecMng] - %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
HKLM\SOFTWARE | Run : [GrooveMonitor] - "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
HKLM\SOFTWARE | Run : [Samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
HKLM\SOFTWARE | Run : [ROC_roc_dec12] - "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM\SOFTWARE | Run : [HF_G_Jul] - "C:\Program Files (x86)\AVG Secure Search\HF_G_Jul.exe"  /DoAction
HKLM\SOFTWARE | Run : [ROC_ROC_NT] - "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
HKLM\SOFTWARE | Run : [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
HKLM\SOFTWARE | Run : [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
HKLM\SOFTWARE | Run : [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM\SOFTWARE | Run : [avast] - "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
HKLM\SOFTWARE | Run : [Aimersoft Helper Compact.exe] - C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
HKLM\SOFTWARE\wow6432Node | Run : [ToshibaServiceStation] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
HKLM\SOFTWARE\wow6432Node | Run : [TWebCamera] - "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
HKLM\SOFTWARE\wow6432Node | Run : [ITSecMng] - %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
HKLM\SOFTWARE\wow6432Node | Run : [GrooveMonitor] - "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
HKLM\SOFTWARE\wow6432Node | Run : [Samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
HKLM\SOFTWARE\wow6432Node | Run : [ROC_roc_dec12] - "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM\SOFTWARE\wow6432Node | Run : [HF_G_Jul] - "C:\Program Files (x86)\AVG Secure Search\HF_G_Jul.exe"  /DoAction
HKLM\SOFTWARE\wow6432Node | Run : [ROC_ROC_NT] - "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
HKLM\SOFTWARE\wow6432Node | Run : [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
HKLM\SOFTWARE\wow6432Node | Run : [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
HKLM\SOFTWARE\wow6432Node | Run : [SunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM\SOFTWARE\wow6432Node | Run : [avast] - "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
HKLM\SOFTWARE\wow6432Node | Run : [Aimersoft Helper Compact.exe] - C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
HKLM\SOFTWARE | RunOnce : [] - 
HKLM\SOFTWARE\wow6432Node | RunOnce : [] - 
HKU\S-1-5-19\SOFTWARE | Run : [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\SOFTWARE | Run : [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [MsnMsgr] - "C:\Program Files (x86)\MSN Messenger\MsnMsgr.Exe" /background
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [Messenger (Yahoo!)] - "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [Facebook Update] - "C:\Users\You Li\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [EA Core] - "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [uTorrent] - "C:\Program Files (x86)\uTorrent\uTorrent.exe"  /MINIMIZED
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [BitTorrent] - "C:\Program Files (x86)\BitTorrent\BitTorrent.exe"  /MINIMIZED
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [Google Update] - "C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe" /c
HKU\S-1-5-21-2458691290-4121066166-3127418973-1000\SOFTWARE | Run : [Sidebar] - C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
HKU\S-1-5-19\SOFTWARE | RunOnce : [mctadmin] - C:\Windows\System32\mctadmin.exe
HKU\S-1-5-20\SOFTWARE | RunOnce : [mctadmin] - C:\Windows\System32\mctadmin.exe
 
################## | Stopped processes |
 
Stopped! C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (1260)
Stopped! C:\Windows\system32\taskhost.exe (1412)
Stopped! C:\Windows\system32\taskeng.exe (1520)
Stopped! C:\Windows\System32\spoolsv.exe (1572)
Stopped! C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (1868)
Stopped! C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE (1928)
Stopped! C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (1952)
Stopped! C:\Windows\SysWOW64\TODDSrv.exe (1512)
Stopped! C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (368)
Stopped! C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe (452)
Stopped! C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe (2460)
Stopped! C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe (2624)
Stopped! C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2636)
Stopped! C:\Windows\System32\hkcmd.exe (1660)
Stopped! C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (2992)
Stopped! C:\Windows\System32\igfxpers.exe (1220)
Stopped! C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe (996)
Stopped! C:\Windows\system32\taskeng.exe (3056)
Stopped! C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (2940)
Stopped! C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe (3272)
Stopped! C:\Windows\system32\SearchIndexer.exe (3320)
Stopped! C:\Program Files\Windows Sidebar\sidebar.exe (3528)
Stopped! C:\Windows\Samsung\PanelMgr\SSMMgr.exe (2432)
Stopped! C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe (1064)
Stopped! C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (3172)
Stopped! C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (3824)
Stopped! C:\Windows\Samsung\PanelMgr\caller64.exe (4048)
Stopped! C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (4060)
Stopped! C:\Program Files\Alwil Software\Avast5\AvastUI.exe (4068)
Stopped! C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe (432)
 
################## | Files # Infected Folders |
 
Deleted ! H:\$RECYCLE.BIN.lnk
Deleted ! H:\Another thumbdrive.lnk
Deleted ! H:\Avast AntiVirus 6.0.11 + Serial Keys - {RedDragon}.lnk
Deleted ! H:\Dietary pattern measurement.lnk
Deleted ! H:\el Memoirs.lnk
Deleted ! H:\Film.lnk
Deleted ! H:\FYP.lnk
Deleted ! H:\RECYCLER.lnk
Deleted ! H:\Seagate.lnk
Deleted ! H:\System Volume Information.lnk
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\com.plasq.ComicLife2
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\crt7CE1.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\iet281C.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\utt6302.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\utt941F.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\utt9D8.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\uttA233.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\uttE14E.tmp.exe
Deleted ! C:\Users\YOULI~1\AppData\Local\Temp\uttE74F.tmp.exe
Deleted ! H:\.Trashes\Desktop.ini
Deleted ! H:\RECYCLER\S-1-5-21-1202660629-1979792683-1417001333-1003
 
(!) Temporary files deleted.
 
################## | Registry |
 
 
################## | Mountpoints2 |
 
 
################## | Listing |
 
[28/10/2011 - 08:39:22 | SHD ] C:\$Recycle.Bin
[30/01/2013 - 12:04:36 | D ] C:\Another from RAS
[14/07/2009 - 13:08:56 | SHD ] C:\Documents and Settings
[13/09/2013 - 11:47:09 | ASH | 1501974528] C:\hiberfil.sys
[12/10/2011 - 20:12:55 | D ] C:\Intel
[13/10/2011 - 15:25:27 | RHD ] C:\MSOCache
[13/09/2013 - 11:47:10 | ASH | 2002632704] C:\pagefile.sys
[14/07/2009 - 11:20:08 | D ] C:\PerfLogs
[30/04/2013 - 07:52:07 | D ] C:\Program Files
[12/09/2013 - 12:37:42 | D ] C:\Program Files (x86)
[12/09/2013 - 12:37:49 | HD ] C:\ProgramData
[12/10/2011 - 19:27:34 | SHD ] C:\Recovery
[12/09/2013 - 17:32:02 | SHD ] C:\System Volume Information
[21/04/2013 - 09:15:54 | D ] C:\Temp
[13/09/2013 - 12:25:17 | D ] C:\UsbFix
[13/09/2013 - 11:21:26 | N | 9377] C:\UsbFix [Clean 1] JEUNGMINGJUK.txt
[13/09/2013 - 12:25:46 | A | 9931] C:\UsbFix [Clean 2] JEUNGMINGJUK.txt
[12/09/2013 - 10:50:52 | N | 3375] C:\UsbFix [Listing 1 ] YOULI-PC.txt
[13/09/2013 - 11:18:37 | N | 3437] C:\UsbFix [Listing 2 ] JEUNGMINGJUK.txt
[12/10/2011 - 19:27:50 | D ] C:\Users
[17/11/2011 - 10:15:31 | D ] C:\windiets
[20/04/2012 - 11:59:21 | D ] C:\WinDiets_Yuliana
[21/07/2013 - 11:28:35 | D ] C:\Windows
[05/07/2012 - 11:11:22 | D ] H:\$RECYCLE.BIN
[13/09/2013 - 12:22:36 | D ] H:\.Trashes
[08/03/2013 - 16:31:56 | D ] H:\Another thumbdrive
[10/09/2013 - 15:42:31 | D ] H:\Avast AntiVirus 6.0.11 + Serial Keys - {RedDragon}
[13/10/2011 - 16:16:12 | N | 81] H:\CTX.DAT
[26/09/2010 - 14:47:42 | N | 368] H:\DEPP'S (F) - Shortcut.lnk
[28/03/2013 - 10:35:33 | D ] H:\Dietary pattern measurement
[21/08/2013 - 18:25:21 | D ] H:\el Memoirs
[10/07/2013 - 14:41:06 | D ] H:\Film
[15/03/2013 - 21:25:16 | D ] H:\FYP
[11/06/2011 - 11:34:02 | D ] H:\RECYCLER
[08/05/2010 - 09:42:01 | D ] H:\Seagate
[16/01/2009 - 15:14:08 | N | 156312] H:\Setup.exe
[02/09/2012 - 17:00:30 | SHD ] H:\System Volume Information
 
################## | Vaccin |
 
C:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
H:\Autorun.inf -> Vaccine created by UsbFix (El Desaparecido)
 
################## | E.O.F | http://www.sosvirus.net |

 

 

 

And the report from RK:

 

RogueKiller V8.6.11 _x64_ [Sep 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : You Li [Admin rights]
Mode : Remove -- Date : 09/13/2013 12:32:37
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-2458691290-4121066166-3127418973-1000\[...]\Run : Google Update ("C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> [0x2] The system cannot find the file specified. 
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-2458691290-4121066166-3127418973-1000UA.job : C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-2458691290-4121066166-3127418973-1000Core.job : C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-2458691290-4121066166-3127418973-1000Core : C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-2458691290-4121066166-3127418973-1000UA : C:\Users\You Li\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> ERROR DELETING TASK
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: TOSHIBA MK3265GSX ATA Device +++++
--- User ---
[MBR] 06601e15fa69640a9b8d117c7d401503
[BSP] 1b9548feb6cdb6d04efaeddae3a53c32 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 293089 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 600453120 | Size: 12055 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: TOSHIBA MK3265GSX ATA Device +++++
--- User ---
[MBR] 2af2e65d33917a636c8d85073936a959
[BSP] 0dacf6747b524eea4c0a75f0c8341a29 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_D_09132013_123237.txt >>
RKreport[0]_S_09122013_104727.txt;RKreport[0]_S_09132013_123138.txt

 

 

 
 
There are no Trashes folder anymore in my external harddrive :D
There is autorun folder but when I tried to delete it, the pop-up window said it is no longer in H drive.
 
So is this fixed? :)


#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 13 September 2013 - 02:07 PM

Good job, fasciola!

 

Was the External drive previously connected to a Mac OS X computer?
Mac OS X automatically creates a folder for the trash  (\.Trashes), which is the windows equivalent of the Recycle Bin.

 

C:\Autorun.inf and H:\Autorun.inf are the Vaccines created by UsbFix for each drive.

 

Let's take another look at the External drive to make sure there is nothing there to be concerned about...

 

:step1:  Please go to Start > All Programs > Accessories > Command Prompt
Right-click on the Command Prompt and select: Run As Administrator

At the blinking cursor of the Command Prompt, type in (or copy/paste with mouse) the following commands inside the code box (assuming H: is still the External drive), and press Enter:

cd\
h:
dir /s

To copy the text contained/produced in the Command Prompt, click on the small command icon in the top left corner, and then choose:
Edit > Select All
Once again, Edit > Copy

 

Open Notepad, and paste the text to it.

>>Please post the text in your reply.

To close the Command Prompt, use the [X], or type in: exit

 

 

:step2:  Next, please download the Farbar Recovery Scan Tool
Download: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Select the version that applies to your system.
Save it to your Desktop.
Double-click the downloaded file to run it.

 

When the tool opens click Yes to the disclaimer.

 

Press the Scan button.

 

The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

 

>> Please provide the FRST.txt in your reply.

The first time the tool is run, it also makes another log: Addition.txt

 

>> Also post the Addition.txt in your reply.


Edited by Aaflac, 13 September 2013 - 02:12 PM.

Old duck...


#11 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 13 September 2013 - 10:34 PM

Hi Aaflac, thanks so much for your patience and help!

 

Here are the three reports. For the text copied from the command prompt, I have too many folders so not all text are copied.

 

Attached File  text from command prompt.txt   15.68KB   3 downloads Attached File  FRST.txt   54.98KB   2 downloads Attached File  Addition.txt   31.51KB   1 downloads 



#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 14 September 2013 - 09:36 PM

Did not take into consideration the size of the External drive, so, please use the following info at the Command Prompt instead:

 

:step1:  Once again, please go to Start > All Programs > Accessories > Command Prompt
Right-click on the Command Prompt and select: Run As Administrator

At the blinking cursor of the Command Prompt, type in (or copy/paste with mouse) the following commands inside the code box (assuming H: is still the External drive).
Do each command line, one at a time, and press: Enter

ATTRIB -h -s -r H:\.Trashes
dir /a/s H:\.Trashes >tlog.txt
notepad tlog.txt

A report, tlog.txt, opens in Notepad.
>> Please post the text in your reply.

 

Back at the Command Prompt, type in (or copy/paste with mouse) the following commands inside the code box, one at a time, and press: Enter

ATTRIB -h -s -r H:\ autorun.inf
dir /a/s H:\ autorun.inf >alog.txt
notepad alog.txt

Another report, alog.txt opens in Notepad.
>>Please post the text in your reply.

 

To close the Command Prompt, use the [X], or type in: exit

 

 

:step2:  Pressing on with FRST...

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below
Save it on the Desktop, and name it: fixlist.txt

start
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM-x32\...\Run: [Samsung PanelMgr] - C:\Windows\Samsung\PanelMgr\SSMMgr.exe [688128 2011-07-06] ()
HKLM-x32\...\Run: [ROC_roc_dec12] - "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 [x]
HKLM-x32\...\Run: [HF_G_Jul] - "C:\Program Files (x86)\AVG Secure Search\HF_G_Jul.exe"  /DoAction [x]
HKLM-x32\...\Run: [ROC_ROC_NT] - "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT [x]
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] - C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [x]
URLSearchHook: (No Name) - {a1e75a0e-4397-4ba8-bb50-e19fb66890f4} -  No File
URLSearchHook: (No Name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} -  No File
URLSearchHook: (No Name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -  No File
URLSearchHook: (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} -  No File
URLSearchHook: (No Name) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} -  No File
SearchScopes: HKLM-x32 - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
SearchScopes: HKCU - DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://isearch.avg.com/search?cid={7DA3F1EE-296C-4749-A266-E20A958B3232}&mid=9ef6e89e2b5547d1a92f1943ef907933-b83cb92e23864003666e57ccc531e91827848bfc&lang=en&ds=AVG&pr=fr&d=2012-09-29 09:49:42&v=12.2.5.34&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://isearch.avg.com/search?cid={7DA3F1EE-296C-4749-A266-E20A958B3232}&mid=9ef6e89e2b5547d1a92f1943ef907933-b83cb92e23864003666e57ccc531e91827848bfc&lang=en&ds=AVG&pr=fr&d=2012-09-29 09:49:42&v=12.2.5.34&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll No File
BHO-x32: uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll No File
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll No File
Toolbar: HKLM-x32 - uTorrentControl2 Toolbar - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files (x86)\uTorrentControl2\prxtbuTor.dll No File
Toolbar: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll No File
Toolbar: HKCU -  No Name - {A1E75A0E-4397-4BA8-BB50-E19FB66890F4} -  No File
Toolbar: HKCU -  No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKCU -  No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} -  No File
Toolbar: HKCU -  No Name - {BA14329E-9550-4989-B3F2-9732E92D17CC} -  No File
Toolbar: HKCU -  No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF SelectedSearchEngine: AVG Secure Search
FF Homepage: hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=13
FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3220468&SearchSource=2&CUI=UN52964478442597514&UM=false&q=
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF SearchPlugin: C:\Users\You Li\AppData\Roaming\Mozilla\Firefox\Profiles\3o4xjyka.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
CHR HomePage: hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=48
CHR Plugin: (Conduit Chrome Plugin) - C:\Users\You Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/ConduitChromeApiPlugin.dll No File
CHR Plugin: (Conduit Radio Plugin) - C:\Users\You Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/np-cwmp.dll No File
CHR Plugin: (AVG Internet Security) - C:\Users\You Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2210_0\plugins/avgnpss.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\\npsitesafety.dll No File
CHR Plugin: (Facebook Desktop) - C:\Users\You Li\AppData\Local\Facebook\Messenger\2.1.4631.0\npFbDesktopPlugin.dll No File
CHR Plugin: (Google Update) - C:\Users\You Li\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\You Li\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
CHR HKLM-x32\...\Chrome\Extension: [mhfdcmehmjcclgopdodkjdicohagipid] - C:\Users\You Li\AppData\Local\CRE\mhfdcmehmjcclgopdodkjdicohagipid.crx
CHR HKLM-x32\...\Chrome\Extension: [ojpijjmpahflnipadmlpgbjmagmjchkk] - C:\Users\You Li\AppData\Local\CRE\ojpijjmpahflnipadmlpgbjmagmjchkk.crx
CHR HKLM-x32\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\You Li\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx
C:\ProgramData\sysqcl1129067056.dat
C:\ProgramData\sysqcl1129139270.dat
end

Note: This script is written specifically for use only on this computer.
Running this on another computer may cause damage to the Operating System!!

 

Run FRST, and press the Fix button, just once, and wait.

The tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

 

 

:step3:  Next, download the Temporary File Cleaner (TFC)
http://oldtimer.geekstogo.com/TFC.exe
Save to your Desktop.

Save any work in progress!! TFC closes open applications and removes unsaved work!! Close all windows!!

Right-click TFC.exe and select: Run as Administrator
If prompted, click Yes to reboot.

 

 

:step4:  To get rid of Adware, Toolbars, Potentially Unwanted Programs (PUP), and browser Hijackers...

Please download AdwCleaner:

http://www.bleepingcomputer.com/download/adwcleaner/
Save the program to the Desktop
Close all open programs and internet browsers.
Right-click on adwcleaner.exe and select: Run As Administrator
At the program console, click on: Delete
When the program is done, the computer is rebooted automatically, and a text file opens after the restart.

>> Please post the AdwCleaner report in your reply.

 

 

:step5:  Last, let’s check your Security status with the following...

Download Security Check:
http://screen317.spywareinfoforum.org/
Save to your Desktop.

 

Double-click SecurityCheck.exe to run the program.

Follow the onscreen instructions inside the black box.

 

When done, a Notepad report opens automatically. It is called: checkup.txt

>> Please post the checkup.txt in your reply.

 

(Please do not take any corrective actions!)


Edited by Aaflac, 14 September 2013 - 09:40 PM.

Old duck...


#13 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 26 October 2013 - 10:00 PM

Attached File  tlog.txt   438bytes   1 downloadsHi Aaflac, so sorry for the late reply. I was held up by many incidents.

 

Here I attach the results. For the command prompt, I think there are some errors (I have copied the exact words from the command prompt on top of the report).

 

For alog (the doc is too big so cannot be uploaded:

 

 

From the command prompt:
 
C:\Users\You Li>ATTRIB -h -s -r H:\ autorun.inf
Parameter format not correct -
 
C:\Users\You Li>ATTRIB -h -s -r H:\ autorun.inf
Parameter format not correct -
 
C:\Users\You Li>dir /a/s H:\ autorun.inf >alog.txt
 
C:\Users\You Li>notepad alog.txt
 
C:\Users\You Li>
 
The actual report:
 
 Volume in drive H is Old Toy Boy
 Volume Serial Number is 7C02-CFE2
     Total Files Listed:
           22733 File(s) 321,132,589,970 bytes
            4656 Dir(s)  178,628,153,344 bytes free
 
 Volume in drive C has no label.
 Volume Serial Number is AE83-8FFA
 
 Directory of C:\Users\You Li\Documents\ML-1660_PrintD
 
06/21/2011  08:12 AM               650 AUTORUN.INF
               1 File(s)            650 bytes
 
     Total Files Listed:
               1 File(s)            650 bytes
               0 Dir(s)  105,007,874,048 bytes free
 

 

Attached File  tlog.txt   438bytes   1 downloads Attached File  Fixlog.txt   13.71KB   0 downloads 

 

So sorry I don't know why I could not find Adwcleaner report after reboot.

 

Attached File  checkup.txt   965bytes   0 downloads



#14 fasciola

fasciola
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:10:44 PM

Posted 26 October 2013 - 10:10 PM

Hi Aaflac, I found several reports for Adwcleaner:

 

Attached File  AdwCleanerR0.txt   64.82KB   0 downloads Attached File  AdwCleanerR1.txt   1013bytes   0 downloads Attached File  AdwCleanerS0.txt   65.7KB   0 downloads Attached File  AdwCleanerS1.txt   1.05KB   1 downloads



#15 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:09:44 AM

Posted 26 October 2013 - 10:43 PM

Let's see where we are at, and where we need to go...

Please run USBFix once again.

Connect the External Hard Drive.

This time press: Research

Please post the UsbFix.txt (Research) report in your reply.

Edited by Aaflac, 26 October 2013 - 10:44 PM.

Old duck...





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users