Constant ads and spam on browsers (including steam)


  • This topic is locked
26 replies to this topic

#1 gelb123


Posted 14 April 2015 - 01:42 AM

Hello Bleeping Computer Team, and thanks in advance for the consideration. A few days ago I started having problems while surfing with Mozilla on twitch.tv. The browser was slow and suddenly stopped working. Once closed, I decided to reopen it, only to find that no matter where I clicked (even on blank space) tons of pop-ups appeared, and I was often redirected to spam pages. All the different browsers I had were affected, including Steam. I started a few complete scans to no avail.

 

The only thing found was a suspect cookie called "doubleclick" in the Steam appdata HTML cache; deleting it had no effect since it just kept popping up. The tech support wasn't able to find everything on remote. So while waiting to reinstall the OS and wipe the HD clean, I decided to switch to my clean laptop. Well, the same moment I reopened Steam, the same cookie started showing up (with the annoying popups). I really don't know what to do now, since I'd really need a hand to clean both machines, and I'm now afraid that even wiping the HD wouldn't have effects, since this malware just jumped from my PC to the laptop via Steam.

 

On a side note: the premium version of Malwarebytes suddenly started blocking in and out malicious connections using the svchost.exe.

 

I also apologize for any misunderstanding since English is not my native tongue (and I've barely slept).

Here is my log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-04-2015
Ran by mauro (administrator) on CECORLANDI on 14-04-2015 09:05:39
Running from C:\Users\mauro\Desktop\FRST64
Loaded Profiles: mauro (Available profiles: mauro)
Platform: Windows 8.1 (X64) OS Language: Italiano (Italia)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
() C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\mauro\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7204568 2013-11-05] (Realtek Semiconductor)
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\HPSmplPass.exe [2758200 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [155704 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [155704 2013-10-14] (Hewlett-Packard)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2771184 2013-07-26] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-24] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [YouCam Service] => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [267224 2013-09-02] (CyberLink Corp.)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [704512 2015-03-19] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-01] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [509192 2014-10-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [40184 2015-02-27] (Panda Security, S.L.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\...\Run: [GoogleChromeAutoLaunch_F39F8C82CCE75AA58E71DC64E384A646] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [809288 2015-03-30] (Google Inc.)
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\...\Run: [Google Update] => C:\Users\mauro\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-10-20] (Google Inc.)
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\...\Run: [Google+ Auto Backup] => C:\Users\mauro\AppData\Local\Programs\Google\Google+ Auto Backup\Google+ Auto Backup.exe [3754312 2015-02-13] (Google Inc.)
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\...\Run: [Power2GoExpress8] => C:\Program Files (x86)\CyberLink\Power2Go8\Power2GoExpress8.exe [1718536 2014-07-24] (CyberLink Corp.)
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31682144 2015-03-25] (Skype Technologies S.A.)
HKU\S-1-5-18\...\Run: [Epson Stylus SX440] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHBE.EXE [232448 2011-01-20] (SEIKO EPSON CORPORATION)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON14/6
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/HPCON14/6
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON14/6
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON14/6
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPCON14/6
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/724-154353-12130-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/724-154353-12130-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-2292905149-1236629684-1799644725-1001 -> {3EC3379C-408B-48BF-AFE2-1D5C7C9AA319} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2292905149-1236629684-1799644725-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-2292905149-1236629684-1799644725-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/724-154353-12130-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2013-08-28] (Hewlett-Packard)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-08-13] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-11] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2292905149-1236629684-1799644725-1001: @tools.google.com/Google Update;version=3 -> C:\Users\mauro\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-2292905149-1236629684-1799644725-1001: @tools.google.com/Google Update;version=9 -> C:\Users\mauro\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-03-11] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.com/
CHR StartupUrls: Default -> "hxxp://search.imesh.com/", "hxxp://www.google.com/intl/it/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-09]
CHR Extension: (Google Drive) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-09]
CHR Extension: (YouTube) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-09]
CHR Extension: (Google Search) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-09]
CHR Extension: (Avira Browser Safety) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-09-06]
CHR Extension: (AdBlock) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-03-26]
CHR Extension: (Google Wallet) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-09]
CHR Extension: (Gmail) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-09]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [432888 2015-03-19] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [432888 2015-03-19] (Avira Operations GmbH & Co. KG)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
R2 Cachedrv server; C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe [109568 2013-10-14] () [File not signed]
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-12-16] (Hewlett-Packard Company) [File not signed]
S2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [569608 2014-10-09] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-22] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-09-04] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-04] (Intel Corporation)
R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [142584 2015-02-27] (Panda Security, S.L.)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [87552 2013-10-14] (Softex Inc.) [File not signed]
R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [66808 2014-10-09] (Panda Security, S.L.)
R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-02-27] (Panda Security, S.L.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-10-17] (Realtek Semiconductor)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-26] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [128536 2015-03-11] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [132120 2015-03-11] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [28600 2014-08-15] (Avira Operations GmbH & Co. KG)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\system32\DRIVERS\NNSNAHSL.sys [49936 2014-12-31] (Panda Security, S.L.)
R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163088 2015-02-25] (Panda Security, S.L.)
R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2015-02-25] (Panda Security, S.L.)
R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [197392 2015-02-25] (Panda Security, S.L.)
R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [124176 2015-02-25] (Panda Security, S.L.)
R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [133904 2015-02-25] (Panda Security, S.L.)
R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
R3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [61712 2015-01-29] (Panda Security, S.L.)
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [429272 2013-08-22] (Realsil Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [3068120 2014-08-09] (Realtek Semiconductor Corporation                           )
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-14 09:04 - 2015-04-14 09:05 - 00000000 ____D () C:\FRST
2015-04-14 09:00 - 2015-04-14 09:05 - 00000000 ____D () C:\Users\mauro\Desktop\FRST64
2015-04-14 08:18 - 2015-04-14 08:21 - 00000000 ___SD () C:\Windows\system32\GWX
2015-04-14 08:18 - 2015-04-14 08:18 - 00000000 ___SD () C:\Windows\SysWOW64\GWX
2015-04-14 00:45 - 2015-04-14 00:45 - 00000000 ____D () C:\Users\mauro\AppData\Local\Steam
2015-04-14 00:12 - 2015-04-14 00:12 - 00526688 _____ (Safe Download-autoshutdown_setup ) C:\Users\mauro\Downloads\autoshutdown_setup.exe
2015-04-13 22:58 - 2015-04-13 22:58 - 00000000 ____D () C:\Users\mauro\Tracing
2015-04-13 22:57 - 2015-04-14 08:21 - 00000000 ____D () C:\Users\mauro\AppData\Roaming\Skype
2015-04-13 22:57 - 2015-04-13 22:57 - 00000000 ____D () C:\Users\mauro\AppData\Local\Skype
2015-04-13 22:56 - 2015-04-13 22:57 - 00000000 ____D () C:\ProgramData\Skype
2015-04-13 22:56 - 2015-04-13 22:56 - 00002713 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-04-13 22:56 - 2015-04-13 22:56 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-04-13 22:56 - 2015-04-13 22:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-04-13 22:52 - 2015-04-13 22:53 - 01380960 _____ (Skype Technologies S.A.) C:\Users\mauro\Downloads\SkypeSetup.exe
2015-04-13 22:31 - 2015-04-14 08:43 - 00000932 _____ () C:\Users\mauro\Desktop\NOTE CELL 2.txt
2015-04-04 09:46 - 2015-04-04 09:49 - 00000000 ____D () C:\Users\mauro\Desktop\Backup
2015-04-02 14:29 - 2015-04-02 14:29 - 00000000 ____D () C:\Users\mauro\AppData\Roaming\SuperSplatters
2015-03-26 19:27 - 2015-03-26 19:27 - 00571070 _____ () C:\Users\mauro\Downloads\xvi32.zip
2015-03-26 10:59 - 2015-03-11 04:38 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-03-26 10:59 - 2015-03-11 00:08 - 01107456 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-03-26 10:59 - 2015-03-11 00:08 - 00943104 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-03-26 10:59 - 2015-03-11 00:08 - 00760320 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-03-26 10:59 - 2015-03-11 00:08 - 00677888 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-03-26 10:59 - 2015-03-11 00:08 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-03-26 10:59 - 2015-03-11 00:08 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-03-23 21:01 - 2015-04-14 09:01 - 00003168 _____ () C:\Windows\System32\Tasks\HPCeeScheduleFormauro
2015-03-23 21:01 - 2015-04-14 09:01 - 00000354 _____ () C:\Windows\Tasks\HPCeeScheduleFormauro.job
2015-03-21 21:18 - 2015-03-21 21:19 - 00000000 ____D () C:\Users\mauro\AppData\Roaming\Apple Computer
2015-03-21 21:18 - 2015-03-21 21:18 - 00001772 _____ () C:\Users\Public\Desktop\iTunes.lnk
2015-03-21 21:18 - 2015-03-21 21:18 - 00000000 ____D () C:\Users\mauro\AppData\Local\Apple Computer
2015-03-21 21:18 - 2015-03-21 21:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-03-21 21:16 - 2012-10-03 17:14 - 00033240 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2015-03-21 21:15 - 2015-03-21 21:16 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-03-21 21:15 - 2015-03-21 21:16 - 00000000 ____D () C:\Program Files\iTunes
2015-03-21 21:15 - 2015-03-21 21:15 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-21 21:15 - 2015-03-21 21:15 - 00000000 ____D () C:\Program Files\iPod
2015-03-21 21:15 - 2015-03-21 21:15 - 00000000 ____D () C:\Program Files (x86)\iTunes
2015-03-21 21:13 - 2015-03-21 21:13 - 00002535 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2015-03-21 21:13 - 2015-03-21 21:13 - 00000000 ____D () C:\Users\mauro\AppData\Local\Apple
2015-03-21 21:13 - 2015-03-21 21:13 - 00000000 ____D () C:\Program Files (x86)\Apple Software Update
2015-03-21 21:12 - 2015-03-21 21:15 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-21 20:57 - 2015-03-21 21:16 - 00000000 ____D () C:\Users\mauro\Desktop\Musica
2015-03-21 20:56 - 2015-03-21 20:56 - 00001559 _____ () C:\Users\Public\Desktop\Free YouTube to MP3 Converter.lnk
2015-03-21 20:56 - 2015-03-21 20:56 - 00001268 _____ () C:\Users\Public\Desktop\DVDVideoSoft Free Studio.lnk
2015-03-21 20:56 - 2015-03-21 20:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft
2015-03-21 20:54 - 2015-03-21 20:56 - 00000000 ____D () C:\Program Files (x86)\DVDVideoSoft
2015-03-21 20:54 - 2015-03-21 20:54 - 00000000 ____D () C:\Program Files (x86)\Free Codec Pack
2015-03-21 20:53 - 2015-03-21 20:57 - 00000000 ____D () C:\Users\mauro\AppData\Roaming\DVDVideoSoft
2015-03-19 17:38 - 2015-03-19 17:38 - 00000000 __SHD () C:\Users\mauro\AppData\Local\EmieUserList
2015-03-19 17:38 - 2015-03-19 17:38 - 00000000 __SHD () C:\Users\mauro\AppData\Local\EmieSiteList
2015-03-19 17:38 - 2015-03-19 17:38 - 00000000 __SHD () C:\Users\mauro\AppData\Local\EmieBrowserModeList
2015-03-19 15:00 - 2015-03-26 19:13 - 00000000 ____D () C:\Users\mauro\Documents\My Games
2015-03-16 22:31 - 2015-03-16 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NAMCO BANDAI Games
2015-03-16 21:54 - 2015-03-16 21:54 - 00000000 ____D () C:\Users\mauro\Documents\Warhammer Battle March
2015-03-16 16:53 - 2015-03-16 19:14 - 00002457 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-03-16 16:53 - 2015-03-16 16:55 - 00000000 ____D () C:\ProgramData\Adobe
2015-03-16 16:53 - 2015-03-16 16:53 - 00002046 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2015-03-16 16:53 - 2015-03-16 16:53 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-03-16 16:51 - 2015-03-16 16:54 - 00000000 ____D () C:\Users\mauro\AppData\Local\Adobe
2015-03-16 14:53 - 2013-11-12 15:25 - 00091912 _____ (CyberLink) C:\Windows\system32\Drivers\CLVirtualDrive.sys
2015-03-15 12:55 - 2015-03-15 13:01 - 00000000 ____D () C:\Users\mauro\AppData\Local\hlm2comics
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-14 09:05 - 2015-03-11 16:50 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-04-14 09:01 - 2014-08-08 10:44 - 01993301 _____ () C:\Windows\WindowsUpdate.log
2015-04-14 09:00 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\sru
2015-04-14 08:57 - 2014-08-08 10:52 - 00000000 ____D () C:\Users\mauro\Documents\Youcam
2015-04-14 08:56 - 2014-08-09 11:49 - 00001176 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-14 08:56 - 2014-08-08 10:54 - 00000000 __RDO () C:\Users\mauro\SkyDrive
2015-04-14 08:37 - 2014-08-08 10:56 - 00003954 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{FC5B8C83-7BA5-42C1-A11B-A74A02A57ADC}
2015-04-14 08:20 - 2013-08-22 17:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-04-14 00:53 - 2014-08-08 10:56 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2292905149-1236629684-1799644725-1001
2015-04-14 00:50 - 2014-10-20 11:06 - 00001182 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2292905149-1236629684-1799644725-1001UA.job
2015-04-14 00:50 - 2014-08-09 11:49 - 00001180 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-13 23:04 - 2014-09-06 17:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-04-13 23:04 - 2014-09-06 17:07 - 00000000 ____D () C:\Program Files (x86)\Avira
2015-04-13 23:04 - 2014-03-04 23:20 - 00000000 ____D () C:\ProgramData\Package Cache
2015-04-13 22:58 - 2014-08-08 10:50 - 00000000 ____D () C:\Users\mauro
2015-04-13 22:02 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-04-04 09:58 - 2014-08-09 11:51 - 00002208 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-04 09:50 - 2014-01-18 19:27 - 00838130 _____ () C:\Windows\system32\perfh010.dat
2015-04-04 09:50 - 2014-01-18 19:27 - 00172620 _____ () C:\Windows\system32\perfc010.dat
2015-04-04 09:50 - 2013-08-26 08:09 - 01959130 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-04 09:46 - 2013-08-22 16:46 - 00059385 _____ () C:\Windows\setupact.log
2015-04-01 22:49 - 2015-03-12 11:35 - 00000000 ____D () C:\Users\mauro\Desktop\Farmaco sbob
2015-04-01 22:40 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-04-01 15:50 - 2014-10-20 11:06 - 00001130 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2292905149-1236629684-1799644725-1001Core.job
2015-03-30 11:10 - 2014-08-09 11:12 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2015-03-26 12:24 - 2015-01-07 20:47 - 00000000 ____D () C:\Windows\system32\appraiser
2015-03-26 12:24 - 2014-10-14 20:09 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-03-21 21:13 - 2014-03-04 23:26 - 00000000 ____D () C:\ProgramData\Apple
2015-03-19 11:28 - 2015-03-12 12:28 - 00000000 ____D () C:\Users\mauro\Desktop\Farmaco
2015-03-17 19:53 - 2013-08-22 16:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-17 19:52 - 2013-08-26 08:01 - 00304078 _____ () C:\Windows\PFRO.log
2015-03-17 19:51 - 2013-08-22 15:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-03-16 18:11 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\rescache
2015-03-16 16:54 - 2014-08-08 10:51 - 00000000 ____D () C:\Users\mauro\AppData\Roaming\Adobe
2015-03-16 16:45 - 2014-08-21 08:24 - 00000000 ____D () C:\Users\mauro\AppData\Roaming\CyberLink
2015-03-16 16:44 - 2014-03-04 23:34 - 00000000 ____D () C:\ProgramData\CyberLink
2015-03-16 16:41 - 2013-08-22 17:37 - 00006055 _____ () C:\Windows\DtcInstall.log
2015-03-16 16:38 - 2013-08-22 16:44 - 00422520 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Windows\ToastData
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\MediaViewer
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\FileManager
2015-03-16 15:15 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\Camera
2015-03-16 15:14 - 2013-08-22 21:12 - 00000000 ____D () C:\Program Files\Windows Journal
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\SysWOW64\sppui
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\SysWOW64\setup
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\SysWOW64\migwiz
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\SysWOW64\inetsrv
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\SysWOW64\Com
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files\Windows Multimedia Platform
2015-03-16 15:14 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files\Common Files\System
2015-03-16 15:14 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\SysWOW64\oobe
2015-03-16 15:14 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2015-03-16 15:14 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\servicing
2015-03-16 15:12 - 2013-08-22 17:36 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2015-03-16 15:12 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\sppui
2015-03-16 15:12 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\setup
2015-03-16 15:12 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\Com
2015-03-16 15:12 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\IME
2015-03-16 15:12 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\Sysprep
2015-03-16 15:12 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\oobe
2015-03-16 15:11 - 2013-08-22 17:36 - 00000000 ___SD () C:\Windows\system32\dsc
2015-03-16 15:11 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\WinBioPlugIns
2015-03-16 15:11 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\SystemResetPlatform
2015-03-16 15:11 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\migwiz
2015-03-16 15:11 - 2013-08-22 17:36 - 00000000 ____D () C:\Windows\system32\inetsrv
2015-03-16 15:11 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\Dism
2015-03-16 15:09 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files (x86)\Windows Portable Devices
2015-03-16 15:09 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files (x86)\Windows Multimedia Platform
2015-03-16 15:08 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files\WindowsPowerShell
2015-03-16 15:08 - 2013-08-22 17:36 - 00000000 ____D () C:\Program Files (x86)\Windows Photo Viewer
2015-03-16 15:05 - 2014-03-04 23:32 - 00000000 ____D () C:\Program Files (x86)\CyberLink
2015-03-16 15:04 - 2014-08-08 10:52 - 00000000 ____D () C:\Users\mauro\AppData\Local\CyberLink
2015-03-16 15:04 - 2014-03-04 23:38 - 00000000 ____D () C:\Users\Public\CyberLink
2015-03-16 15:02 - 2013-09-01 05:49 - 00000000 ____D () C:\SWSetup
2015-03-16 14:53 - 2014-01-18 11:28 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
2015-03-16 10:55 - 2013-08-22 17:36 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2015-03-16 10:55 - 2013-08-22 17:36 - 00195072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
 
Some content of TEMP:
====================
C:\Users\mauro\AppData\Local\Temp\avgnt.exe
C:\Users\mauro\AppData\Local\Temp\Extract.exe
C:\Users\mauro\AppData\Local\Temp\SP69393.exe
C:\Users\mauro\AppData\Local\Temp\SP69401.exe
C:\Users\mauro\AppData\Local\Temp\SP69404.exe
C:\Users\mauro\AppData\Local\Temp\{41B6A986-4FAB-48CF-BD9B-6C18F461A535}.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-14 00:54
 
==================== End Of Log ============================



Edited by gelb123, 14 April 2015 - 02:35 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,739 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:24 AM

Posted 17 April 2015 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program using the Add/Remove Programs applet.
Softonic for Windows (HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\...\Softonic for Windows) (Version: 1.5.11 - Softonic International S.L.) <==== ATTENTION
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

SearchScopes: HKU\S-1-5-21-2292905149-1236629684-1799644725-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
CHR StartupUrls: Default -> "hxxp://search.imesh.com/", "hxxp://www.google.com/intl/it/"
CHR Extension: (Avira Browser Safety) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-09-06]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
C:\Users\mauro\AppData\Local\Temp\avgnt.exe
C:\Users\mauro\AppData\Local\Temp\Extract.exe
C:\Users\mauro\AppData\Local\Temp\SP69393.exe
C:\Users\mauro\AppData\Local\Temp\SP69401.exe
C:\Users\mauro\AppData\Local\Temp\SP69404.exe
C:\Users\mauro\AppData\Local\Temp\{41B6A986-4FAB-48CF-BD9B-6C18F461A535}.exe
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

#3 gelb123


Posted 18 April 2015 - 05:06 AM

Thanks for the quick response! The laptop seems to run fine for now, but the ads used to be a little sneaky (only appearing after a while). I'll be able to tell you with no doubt in a little while maybe.

 

Here is the FRST log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-04-2015 01
Ran by mauro at 2015-04-18 11:50:50 Run:1
Running from C:\Users\mauro\Desktop\FRST64
Loaded Profiles: mauro (Available profiles: mauro)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
SearchScopes: HKU\S-1-5-21-2292905149-1236629684-1799644725-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
CHR StartupUrls: Default -> "hxxp://search.imesh.com/", "hxxp://www.google.com/intl/it/"
CHR Extension: (Avira Browser Safety) - C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-09-06]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
C:\Users\mauro\AppData\Local\Temp\avgnt.exe
C:\Users\mauro\AppData\Local\Temp\Extract.exe
C:\Users\mauro\AppData\Local\Temp\SP69393.exe
C:\Users\mauro\AppData\Local\Temp\SP69401.exe
C:\Users\mauro\AppData\Local\Temp\SP69404.exe
C:\Users\mauro\AppData\Local\Temp\{41B6A986-4FAB-48CF-BD9B-6C18F461A535}.exe
End
*****************
 
Processes closed successfully.
"HKU\S-1-5-21-2292905149-1236629684-1799644725-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found. 
Chrome StartupUrls deleted successfully.
C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => Moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
C:\Users\mauro\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Users\mauro\AppData\Local\Temp\Extract.exe => Moved successfully.
C:\Users\mauro\AppData\Local\Temp\SP69393.exe => Moved successfully.
C:\Users\mauro\AppData\Local\Temp\SP69401.exe => Moved successfully.
C:\Users\mauro\AppData\Local\Temp\SP69404.exe => Moved successfully.
C:\Users\mauro\AppData\Local\Temp\{41B6A986-4FAB-48CF-BD9B-6C18F461A535}.exe => Moved successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 11:50:56 ====
 
 
And here is the AdwCleaner one (unfortunately AdwCleaner autodetected my language so all the voices are translated, sorry for the inconvenience):
 
# AdwCleaner v4.201 - Creato file registro eventi 18/04/2015 in 11:57:57
# Aggiornato 08/04/2015 da Xplode
# Database : 2015-04-18.3 [Server]
# Sistema operativo : Windows 8.1  (x64)
# Nome utente : mauro - CECORLANDI
# In esecuzione da : C:\Users\mauro\Desktop\adwcleaner_4.201.exe
# Opzione : Pulizia
 
***** [ Servizi ] *****
 
 
***** [ File / Cartelle ] *****
 
 
***** [ Attività pianificate ] *****
 
 
***** [ Collegamenti ] *****
 
 
***** [ Registry ] *****
 
Chiave Eliminato : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Chiave Eliminato : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Chiave Eliminato : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Chiave Eliminato : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Chiave Eliminato : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Chiave Eliminato : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Chiave Eliminato : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Chiave Eliminato : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Chiave Eliminato : HKCU\Software\Softonic
 
***** [ Browser web ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v41.0.2272.118
 
[C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Eliminato [Search Provider] : hxxp://supertoolbar.ask.com/redirect?client=ie&tb=DVSV5&o=15012&src=crm&q={searchTerms}&locale=it_IT
[C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Eliminato [Search Provider] : hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=AVR-4&o=APN10267&locale=it_IT&apn_uid=af4885c2-6c79-455c-9cee-d15be554ca7d&apn_ptnrs=%5EAGY&apn_sauid=C34E6FBA-8BA6-480F-9906-82EDBB2B5B98&apn_dtid=%5EYYYYYY%5EYY%5EIT&q={searchTerms}
[C:\Users\mauro\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Eliminato [Search Provider] : hxxp://search.imesh.com//web?src=crb&appid=331&systemid=1&sr=0&q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2287 byte] - [18/04/2015 11:55:58]
AdwCleaner[S0].txt - [2178 byte] - [18/04/2015 11:57:57]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2236  byte] ##########
 


#4 nasdaq


Posted 18 April 2015 - 08:37 AM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 gelb123


Posted 18 April 2015 - 09:38 AM

I'll try to download Steam again and see if something phishy comes up, but otherwise it seems like everything is just fine! With a little luck I won't need help again :D If it's not a problem, may I ask to keep this thread open for a couple of days? I know you are all very busy, but it would really help me (in case something comes up).

In any case thanks for the help, you're awesome!



#6 nasdaq


Posted 18 April 2015 - 12:30 PM

I will close it in 5 days.

#7 gelb123


Posted 19 April 2015 - 09:56 AM

Unfortunately the ads and the popups are back! (I didn't download anything or browse dangerous sites.) What to do now? (Should I change my router, or maybe even ask for a new internet connection?) Btw, all the spam pages are loaded by a certain rdsrv.com


Edited by gelb123, 19 April 2015 - 11:06 AM.


#8 nasdaq


Posted 19 April 2015 - 12:31 PM

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor, type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>


Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Keep me posted.

#9 gelb123


Posted 19 April 2015 - 01:22 PM

Did the command prompt thing (running as admin); on the renew and the release it says something like: "Impossible to make any operation on the lan*13 when the relative support is disconnected" (same message for the wifi). The router was connected to the laptop via cable, but now I had to switch to wifi since the connection suddenly died. The hyperlinks were still active while the command prompt was open, but since I had to switch to wifi they appear to be gone (I also reset the browsers).



#10 nasdaq


Posted 19 April 2015 - 01:40 PM

Where do we stand?
If you need to reset your router.
 
 

How to Reset a Router Back to the Factory Default Settings


http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html
 
Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know them ;)
 
http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===
 
Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/
 
====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html



#11 gelb123


Posted 20 April 2015 - 06:36 AM

Apologies but my connection died on me (after the router reset) and I was able to restore it just now. The browser hijacking seems to be gone at this moment. Do I need to run a complete system scan with some antivirus program?



#12 nasdaq


Posted 20 April 2015 - 07:54 AM

There could be some remnant items.
Run this online scan.
It may take some time. Do it when you know you will not need the computer for a few hours.

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
[Image: settings.png]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at [Image: logpath.png]
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#13 gelb123


Posted 20 April 2015 - 09:15 AM

I'll start the scan right now and post the log on the next reply!



#14 gelb123


Posted 20 April 2015 - 11:30 AM

Here is the logfile (as requested I didn't select the "remove threats" option)

 

# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-04-20 04:25:11
# local_time=2015-04-20 06:25:11 (+0100, ora legale Europa occidentale)
# country="Italy"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1='Panda Free Antivirus'
# compatibility_mode=1557 16777213 87 100 3464966 215743085 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 3451491 54428404 0 0
# scanned=270978
# found=6
# cleaned=0
# scan_time=7444
sh=A56E60E6CFDE67787A335746B7425C3C1A99B0C2 ft=1 fh=c080744a0cd460f1 vn="a variant of Win32/Toolbar.Visicom.A potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\Users\mauro\AppData\Local\Temp\{41B6A986-4FAB-48CF-BD9B-6C18F461A535}.exe.xBAD"
sh=90A440A11B158CACC211196FF49670F6F38EB760 ft=1 fh=8b2ddc3358c7903c vn="a variant of Win32/Toolbar.Visicom.A potentially unwanted application" ac=I fn="C:\Program Files (x86)\Panda Security\Panda Security Protection\Tools\PandaSecurityTb.exe"
sh=39455565AD792A7D9AAB03CDE37A234AA04B4FBC ft=1 fh=a06366ad09d7b766 vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application" ac=I fn="C:\Users\mauro\Desktop\Backup\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\sky40x08.default\extensions\toolbar@ask.com\plugins\npAviraCallingID.dll"
sh=236C21032E0490FF0EEE69A442ADC92C7DB99328 ft=1 fh=eebbfee217421b85 vn="Win32/Toolbar.SearchSuite potentially unwanted application" ac=I fn="C:\Users\mauro\Desktop\Backup\Administrator\Documenti\samsung\Kies\Backup\GT-I9300\GT-I9300_\AUTOBACKUP\Others\Download\iLividSetup.exe"
sh=236C21032E0490FF0EEE69A442ADC92C7DB99328 ft=1 fh=eebbfee217421b85 vn="Win32/Toolbar.SearchSuite potentially unwanted application" ac=I fn="C:\Users\mauro\Desktop\Backup\Administrator\Documenti\samsung\Kies3\backup\GT-I9300\GT-I9300_\GT-I9300_20140209200537\Others\Download\iLividSetup.exe"
sh=ABF759CA3BFB16DE62197DD7C417AC5039A43AE0 ft=1 fh=1801af74030ebca1 vn="a variant of Win32/PriceGong.A potentially unwanted application" ac=I fn="C:\Users\mauro\Desktop\Backup\Administrator\Impostazioni locali\Dati applicazioni\BrotherSoft_Extreme\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.5.3\bin\PriceGongIE.dll"
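
An added example, not part of the original posts: a small Python triage of a scanner log in the key=value layout shown above, separating detections that already sit in C:\FRST\Quarantine from dormant copies in a backup folder and from files still in place. The sample lines, hashes and paths are constructed, and the field meanings (sh as file hash, vn as detection name, fn as path) are inferred from the log layout, not taken from vendor documentation.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the log above.
# Hashes are placeholders and paths are made up for this example.
SAMPLE_LOG = r'''# scanned=1000
# found=4
# cleaned=0
sh=0000000000000000000000000000000000000001 ft=1 fh=0000000000000001 vn="a variant of Win32/Toolbar.Example.A potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\Users\user\AppData\Local\Temp\setup.exe.xBAD"
sh=0000000000000000000000000000000000000002 ft=1 fh=0000000000000002 vn="Win32/Toolbar.Example2 potentially unwanted application" ac=I fn="C:\Users\user\Desktop\Backup\old\Download\Installer.exe"
sh=0000000000000000000000000000000000000002 ft=1 fh=0000000000000002 vn="Win32/Toolbar.Example2 potentially unwanted application" ac=I fn="C:\Users\user\Desktop\Backup\old2\Download\Installer.exe"
sh=0000000000000000000000000000000000000003 ft=1 fh=0000000000000003 vn="a variant of Win32/Bundled.Example.G potentially unsafe application" ac=I fn="C:\Program Files (x86)\Vendor\Tools\VendorTb.exe"
'''

# key=value where the value is either "quoted with spaces" or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# trailing classification the scanner appends to the detection name
CLASS = re.compile(r'\s*potentially (unwanted|unsafe) application$')


def parse_log(text):
    """Return (summary, detections) parsed from the log text."""
    summary, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('#'):
            # header values may contain spaces, so split on the first '=' only
            key, sep, value = line[1:].strip().partition('=')
            if sep:
                summary[key] = value
        elif line.startswith('sh='):
            rec = {k: (quoted or bare) for k, quoted, bare in PAIR.findall(line)}
            vn = rec.get('vn', '')
            m = CLASS.search(vn)
            rec['pua_class'] = m.group(1) if m else 'other'
            rec['name'] = re.sub(r'^a variant of ', '', CLASS.sub('', vn))
            detections.append(rec)
    return summary, detections


def locate(path):
    """Classify where a detected file lives (rules are assumptions for this example)."""
    p = path.lower()
    if p.startswith('c:\\frst\\quarantine\\'):
        return 'quarantined'   # already moved aside by an earlier FRST fix
    if '\\backup\\' in p:
        return 'backup'        # dormant copy inside a backup folder
    return 'live'              # still in its installed location


def triage(detections):
    """Group detections by location so the live ones can be reviewed first."""
    groups = defaultdict(list)
    for d in detections:
        groups[locate(d.get('fn', ''))].append(d)
    return dict(groups)


def count_mismatch(summary, detections):
    """Difference between the header's found= count and the lines parsed."""
    return int(summary.get('found', len(detections))) - len(detections)


if __name__ == '__main__':
    summary, dets = parse_log(SAMPLE_LOG)
    print('header found=%s, parsed=%d' % (summary.get('found'), len(dets)))
    for where, items in triage(dets).items():
        unique = len({d['sh'] for d in items})
        print('%s: %d detections, %d unique files' % (where, len(items), unique))
        for d in items:
            print('   [%s] %s -> %s' % (d['pua_class'], d['name'], d['fn']))
```
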


#15 nasdaq


Posted 20 April 2015 - 01:20 PM

Run again and remove everything that has been found.



