Invincible Hao 123


  • This topic is locked
21 replies to this topic

#1 Torolosko

Torolosko

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 06 March 2016 - 04:21 PM

Hello,

It's the first time that I write on this forum, but I'm not new to the forum.

I decided to post here for help because, from a fresh Windows installation, I'm fighting with a malware that I can't eradicate by myself. I used a lot of tools, but the situation is that the tools find something, clean up, and for the current day all seems OK.

Tomorrow, with the first boot, I find the same things again.

I have a malware called hao123, and I can't completely eradicate it from the system. It seems that only a new fresh installation can help me.

As you see, it changes the link in the browsers.
 
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://hao.169x.cn/?v=108
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://hao.169x.cn/?v=108
 
So I looked in the forum and I tried to do the same things as in this post.
 
http://www.bleepingcomputer.com/forums/t/607100/hijackthis-log-please-help-diagnose/
 
 
 
Here are my results.
 
AdwCleaner by Xplode - Delete Adware
 
# AdwCleaner v5.037 - Creato file registro eventi 06/03/2016 in 13:40:01
# Aggiornato 28/02/2016 da Xplode
# Database : 2016-03-06.2 [Server]
# Sistema operativo : Windows 10 Pro  (x64)
# Nome utente : TxP - STARGATE
# In esecuzione da : F:\_SERVICE_\Antivirus\adwcleaner_5.037.exe
# Opzione : Analisi
# Supporto : http://toolslib.net/forum

***** [ Servizi ] *****


***** [ Cartelle ] *****


***** [ File ] *****


***** [ DLL ] *****


***** [ Collegamenti ] *****


***** [ Attività pianificate ] *****


***** [ Registry ] *****


***** [ Browser web ] *****


*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1842 byte] - [28/02/2016 14:39:07]
C:\AdwCleaner\AdwCleaner[C2].txt - [1577 byte] - [01/03/2016 13:55:15]
C:\AdwCleaner\AdwCleaner[C3].txt - [1771 byte] - [01/03/2016 14:14:38]
C:\AdwCleaner\AdwCleaner[S1].txt - [1570 byte] - [28/02/2016 14:37:20]
C:\AdwCleaner\AdwCleaner[S10].txt - [1644 byte] - [06/03/2016 13:34:20]
C:\AdwCleaner\AdwCleaner[S11].txt - [991 byte] - [06/03/2016 13:40:01]
C:\AdwCleaner\AdwCleaner[S2].txt - [1642 byte] - [28/02/2016 14:38:18]
C:\AdwCleaner\AdwCleaner[S3].txt - [989 byte] - [28/02/2016 14:53:17]
C:\AdwCleaner\AdwCleaner[S4].txt - [1065 byte] - [29/02/2016 10:26:16]
C:\AdwCleaner\AdwCleaner[S5].txt - [1395 byte] - [01/03/2016 13:54:12]
C:\AdwCleaner\AdwCleaner[S6].txt - [1595 byte] - [01/03/2016 14:13:26]
C:\AdwCleaner\AdwCleaner[S7].txt - [1427 byte] - [03/03/2016 01:01:14]
C:\AdwCleaner\AdwCleaner[S8].txt - [1499 byte] - [04/03/2016 13:14:55]
C:\AdwCleaner\AdwCleaner[S9].txt - [1571 byte] - [05/03/2016 10:05:24]

########## EOF - C:\AdwCleaner\AdwCleaner[S11].txt - [1638 byte] ##########
 
 
Junkware Removal Tool
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 10 Pro x64
Ran by TxP (Administrator) on 06/03/2016 at 13:36:34,27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\TxP\AppData\Roaming\productdata (Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 06/03/2016 at 13:38:01,88
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

RogueKiller by Tigzy

 

 

RogueKiller V11.0.14.0 (x64) [Feb 29 2016] (Gratuito) di Adlice Software
posta : http://www.adlice.com/contact/
Commenti : http://forum.adlice.com
Sito Web : http://www.adlice.com/software/roguekiller/
Discussione : http://www.adlice.com

Sistema Operativo : Windows 10 (10.0.10586) 64 bits version
Iniziato in : Modalità Normale
Utente : TxP [Amministratore]
Iniziato da : C:\Program Files\RogueKiller\RogueKiller64.exe
Modalità : Scansione -- Data : 03/06/2016 13:47:32

¤¤¤ Processi : 0 ¤¤¤

¤¤¤ Registro : 0 ¤¤¤

¤¤¤ Attività : 0 ¤¤¤

¤¤¤ Archivi : 0 ¤¤¤

¤¤¤ Archivio Hosts : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Non caricato [0x0]) ¤¤¤

¤¤¤ Web Browser : 0 ¤¤¤

¤¤¤ Controllo MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD2002FAEX-007BA0 ATA Device +++++
--- User ---
[MBR] 39cb2e48c4cda74d52b9f55c171e1e6e
[BSP] 9fa4a8b2ccf43bcb170c806554eca421 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 PRO Series +++++
--- User ---
[MBR] e392bd3bc1f2f28428b0de863db548c4
[BSP] bbb579f28ebaa5e6d506648d369a8ba3 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 244197 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 

 

 

 

HITMAN PRO

 

 

 

HitmanPro 3.7.13.258
www.hitmanpro.com

   Computer name . . . . : STARGATE
   Windows . . . . . . . : 10.0.0.10586.X64/8
   User name . . . . . . : STARGATE\TxP
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2016-03-06 22:14:42
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 27s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 18

   Objects scanned . . . : 1.691.244
   Files scanned . . . . : 39.278
   Remnants scanned  . . : 352.732 files / 1.299.234 keys

Suspicious files ____________________________________________________________

   C:\Users\TxP\Desktop\FRST64.exe
      Size . . . . . . . : 2.374.144 bytes
      Age  . . . . . . . : 0.4 days (2016-03-06 13:05:03)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 1CB35A93213562911D4E4218EFFCB9FC5A946B6E1A99509BCD2B5C936898D159
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster


Potential Unwanted Programs _________________________________________________

   Google Chrome.lnk
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\

   Mozilla Firefox.lnk
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\

   Google Chrome.lnk
   C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

   chrome.exe - collegamento.lnk
   C:\Users\TxP\Desktop\

   firefox.exe - collegamento.lnk
   C:\Users\TxP\Desktop\


Cookies _____________________________________________________________________

   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:adbrn.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:adnxs.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:doubleclick.net
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:dpclk.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:in.getclicky.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:mmstat.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:outbrain.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:scorecardresearch.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:simpli.fi
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:skimresources.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:statcounter.com
   C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\cookies.sqlite:taboola.com
 

 




 


#2 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 06 March 2016 - 04:28 PM

I add some files that are

 

FRST + addition

Hijackthis.log

 

maybe this can help.

 

 

If there is no solution to this... I can only format C again....  :unsure:

 

thanks.

 

 

 

Attached File  FRST.txt   173.65KB   9 downloads



Edited by Torolosko, 06 March 2016 - 04:29 PM.


#3 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 06 March 2016 - 05:02 PM

Here is a fresh Zemana scan.

 

Zemana AntiMalware 2.19.2.904 (Installato)

-------------------------------------------------------
Risultato scansione        : Completato
Data scansione             : 2016/3/6
Sistema operativo          : Windows 10 64-bit
Processore                 : 8X Intel® Core™ i7-2600K CPU @ 3.40GHz
Modalità BIOS              : Legacy
CUID                       : 00684FD64FE01F47B98C55
Tipo di scansione          : Scansione completa
Durata                     : 3m 10s
Oggetti scansionati        : 180732
Oggetti rilevati           : 0
Oggetti esclusi            : 0
Livello lettura            : SCSI
Caricamento automatico     : Sì
Mostra tutte le estensioni : No
Scansione documenti        : No
Informazioni dominio       : WORKGROUP,0,2

Oggetti rilevati
-------------------------------------------------------

Nessun oggetto rilevato
 



#4 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:46 AM

Posted 06 March 2016 - 10:51 PM

Hi Torolosko,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop-
     

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the
    "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder
    and then click the "Select Folder" button. Click OK to get out of the Options menu.
    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and
    select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
     

Let's get started....


FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Clover 3.0

To do so, left click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter.  Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
GroupPolicyScripts: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Session Restore: -> is enabled.
2016-03-05 09:54 - 2016-03-06 01:44 - 00001866 _____ C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk
2016-03-05 09:54 - 2016-03-06 01:44 - 00001625 _____ C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk
2016-03-05 09:54 - 2016-03-05 09:54 - 00001056 _____ C:\Users\Public\Desktop\Clover.lnk
2016-03-05 09:54 - 2016-03-05 09:54 - 00000000 ____D C:\Users\TxP\AppData\Local\Clover
2016-03-05 09:54 - 2016-03-05 09:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Clover
2016-03-05 09:54 - 2016-03-05 09:54 - 00000000 ____D C:\Program Files (x86)\Clover
2016-02-27 14:52 - 2016-02-27 14:52 - 00000000 ____H C:\ProgramData\DP45977C.lfl
C:\Users\TxP\AppData\Local\Temp\avgnt.exe
C:\Users\TxP\AppData\Local\Temp\dllnt_dump.dll
C:\Users\TxP\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\TxP\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\TxP\AppData\Local\Temp\nvStInst.exe
Task: {B4DEC2BA-BFAD-41CA-92DE-54F22703B36A} - System32\Tasks\KMS10 => C:\Windows\KMS10\KMS10.exe
Task: {C9925C04-07F2-49C9-91B3-6E533105BEAE} - System32\Tasks\KMS10Server => C:\Windows\KMS10\KMS10.exe
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
C:\Windows\KMS10
ShortcutWithArgument: C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


How is your system running now?

 


 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.



#5 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 07 March 2016 - 01:36 AM

Hi dbrisendine,

 

Thank you for your help. I did exactly what you said to do.

 

Step one done.

 

Step two: this is the result.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by TxP (2016-03-07 07:18:43) Run:1
Running from C:\Users\TxP\Desktop
Loaded Profiles: TxP (Available Profiles: TxP)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
GroupPolicyScripts: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
FF Session Restore: -> is enabled.
2016-03-05 09:54 - 2016-03-06 01:44 - 00001866 _____ C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk
2016-03-05 09:54 - 2016-03-06 01:44 - 00001625 _____ C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk
2016-03-05 09:54 - 2016-03-05 09:54 - 00001056 _____ C:\Users\Public\Desktop\Clover.lnk
2016-03-05 09:54 - 2016-03-05 09:54 - 00000000 ____D C:\Users\TxP\AppData\Local\Clover
2016-03-05 09:54 - 2016-03-05 09:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Clover
2016-03-05 09:54 - 2016-03-05 09:54 - 00000000 ____D C:\Program Files (x86)\Clover
2016-02-27 14:52 - 2016-02-27 14:52 - 00000000 ____H C:\ProgramData\DP45977C.lfl
C:\Users\TxP\AppData\Local\Temp\avgnt.exe
C:\Users\TxP\AppData\Local\Temp\dllnt_dump.dll
C:\Users\TxP\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\TxP\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\TxP\AppData\Local\Temp\nvStInst.exe
Task: {B4DEC2BA-BFAD-41CA-92DE-54F22703B36A} - System32\Tasks\KMS10 => C:\Windows\KMS10\KMS10.exe
Task: {C9925C04-07F2-49C9-91B3-6E533105BEAE} - System32\Tasks\KMS10Server => C:\Windows\KMS10\KMS10.exe
Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
C:\Windows\KMS10
ShortcutWithArgument: C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
FF Session Restore: -> removed successfully
C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk => moved successfully
C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk => moved successfully
"C:\Users\Public\Desktop\Clover.lnk" => not found.
"C:\Users\TxP\AppData\Local\Clover" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Clover" => not found.
"C:\Program Files (x86)\Clover" => not found.
C:\ProgramData\DP45977C.lfl => moved successfully
C:\Users\TxP\AppData\Local\Temp\avgnt.exe => moved successfully
"C:\Users\TxP\AppData\Local\Temp\dllnt_dump.dll" => not found.
"C:\Users\TxP\AppData\Local\Temp\nvSCPAPI.dll" => not found.
"C:\Users\TxP\AppData\Local\Temp\nvSCPAPI64.dll" => not found.
"C:\Users\TxP\AppData\Local\Temp\nvStInst.exe" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B4DEC2BA-BFAD-41CA-92DE-54F22703B36A} => key not found.
C:\Windows\System32\Tasks\KMS10 => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMS10 => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9925C04-07F2-49C9-91B3-6E533105BEAE} => key not found.
C:\Windows\System32\Tasks\KMS10Server => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMS10Server => key not found.
C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => moved successfully
"C:\Windows\KMS10" => not found.
C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk => not found.
C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk => not found.
C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.

=========  ipconfig /flushdns =========


Configurazione IP di Windows

Cache del resolver DNS svuotata.

========= End of CMD: =========


=========  netsh advfirewall reset =========

OK.


========= End of CMD: =========


=========  netsh advfirewall set allprofiles state on =========

OK.


========= End of CMD: =========


========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

Errore: Impossibile trovare la chiave del Registro di sistema o il valore specificato.


========= End of Reg: =========


========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========

Operazione completata.



========= End of Reg: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

Operazione completata.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

Operazione completata.



========= End of Reg: =========


=========  bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1488912293-190276535-2156731096-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1488912293-190276535-2156731096-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

EmptyTemp: => 101.4 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 07:19:07 ====

 

 

It's really interesting how you made a fixlist written exclusively for me. I want to learn too.

Is Clover an unsecure software? I thought it was a secure download. As you see, it is well rated.

 

http://download.cnet.com/Clover/3000-2248_4-75732861.html

 

 

Do you need a new scan?

Thank you.
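The cross-check a helper does by eye on the fixlist and Fixlog above, as an added example that is not part of the original posts or of FRST: it parses the `ShortcutWithArgument:` lines, groups the appended URLs by host, and confirms that every hijacked shortcut has a successful outcome in the Fixlog. The regular expressions and status labels are assumptions fitted to the lines shown in this thread, not a documented FRST format.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the fixlist and the Fixlog posted in this thread
# (URLs stay defanged as "hxxp", exactly as FRST printed them).
FIXLIST = r"""
ShortcutWithArgument: C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
"""

FIXLOG = r"""
C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk => moved successfully
C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk => moved successfully
C:\Users\TxP\Desktop\chrome.exe - collegamento.lnk => not found.
C:\Users\TxP\Desktop\firefox.exe - collegamento.lnk => not found.
C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.
"""

# Assumed layout: "<shortcut>.lnk -> <target>.exe (<publisher>) -> <argument>"
SHORTCUT_RE = re.compile(
    r"^ShortcutWithArgument:\s+(?P<lnk>.+?\.lnk)\s+->\s+(?P<target>.+?\.exe)"
    r"(?:\s+\((?P<publisher>[^)]*)\))?\s+->\s+(?P<argument>.+)$",
    re.IGNORECASE,
)
# Assumed layout: optional quotes around a drive path, "=>", then the result.
OUTCOME_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?)"?\s+=>\s+(?P<result>.+?)\.?$')
# Accept both live and defanged schemes; the host is never re-fanged.
HOST_RE = re.compile(r"(?:hxxps?|https?)://(?P<host>[^/\s:?#]+)", re.IGNORECASE)
# Results that mean the hijacked shortcut is gone or cleaned.
FIXED = ("moved successfully", "shortcut argument removed successfully")


def parse_hijacked_shortcuts(text):
    """Return one record per ShortcutWithArgument line whose argument holds a URL."""
    records = []
    for line in text.splitlines():
        m = SHORTCUT_RE.match(line.strip())
        if not m:
            continue
        host = HOST_RE.search(m["argument"])
        if host:  # plain switches without a URL are not treated as hijacks
            records.append({
                "lnk": m["lnk"],
                "target": m["target"],
                "argument": m["argument"].strip(),
                "host": host["host"].lower(),
            })
    return records


def parse_outcomes(text):
    """Map lower-cased path -> every result the Fixlog recorded for it, in order."""
    outcomes = defaultdict(list)
    for line in text.splitlines():
        m = OUTCOME_RE.match(line.strip())
        if m:
            outcomes[m["path"].lower()].append(m["result"].lower())
    return outcomes


def reconcile(fixlist_text, fixlog_text):
    """Return {shortcut path: status} for every hijacked shortcut in the fixlist."""
    outcomes = parse_outcomes(fixlog_text)
    status = {}
    for rec in parse_hijacked_shortcuts(fixlist_text):
        results = outcomes.get(rec["lnk"].lower(), [])
        if any(r in FIXED for r in results):
            status[rec["lnk"]] = "remediated"
        elif results:
            status[rec["lnk"]] = "unresolved: " + "; ".join(results)
        else:
            status[rec["lnk"]] = "no outcome logged"
    return status


def hosts_by_count(fixlist_text):
    """Count hijacked shortcuts per appended host."""
    return Counter(r["host"] for r in parse_hijacked_shortcuts(fixlist_text))


if __name__ == "__main__":
    for host, count in hosts_by_count(FIXLIST).items():
        print(f"{count} shortcut(s) redirect to {host}")
    for lnk, state in reconcile(FIXLIST, FIXLOG).items():
        print(f"{state:<12} {lnk}")
```

A "not found" that follows "moved successfully" for the same path is not a failure: the shortcut was already quarantined by an earlier fixlist line, which is why the desktop shortcuts count as remediated.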

 

 

 

 



#6 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:46 AM

Posted 07 March 2016 - 03:00 AM

There are several good sites to get training on malware fighting; you can find a list of some here.

How is your system running?

As to the Clover program; how I found that needed to be uninstalled is the logs showed when the hao169 hijack was made and that was the most likely cause.  We will discuss preventative measures in closing.

We need to get a fresh scan from FRST please.

  • If you still have the Addition.txt file on your desktop, please delete it now.
  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update.  Allow it to do this please.  Otherwise, just wait for the "The tool is ready to use." message.
  • Please check the Addition.txt in the Option Scan section of FRST.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The tool will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> btn_donate_LG.gif


#7 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 07 March 2016 - 03:53 AM

At the moment it seems it's OK.

No browser issues

No link on desktop

Here are the fresh scans.

Attached Files


Edited by Torolosko, 07 March 2016 - 03:57 AM.


#8 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:46 AM

Posted 07 March 2016 - 10:38 AM

Yes, this is a tricky shortcut hijacker and let's monitor the system for a day or so to see if it comes back.  Your fresh logs look fine at first glance but I will go through them in detail later this morning and get back to you.


#9 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 07 March 2016 - 04:30 PM

So.. Hao is back.

I turned on the PC now, after the last post of today, and surprise... Hao is back again....

like a scheduled task...

Here are the new scans...

Attached Files



#10 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:46 AM

Posted 08 March 2016 - 02:15 AM

Sorry about the delay in posting but I was trying to see what the 'hijack' was doing on a VMware system I run.  It looks like you found the culprit in the 4 logs you ran and posted.

 

FIRST >>>>

Please download Rkill by Grinler and save it to your desktop.

  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.


SECOND >>>>

Download the attached fixlist.txt file and save it to the Desktop.  Attached File  Fixlist.txt   2.32KB   9 downloads

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 


Edited by dbrisendine, 08 March 2016 - 02:16 AM.



#11 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 08 March 2016 - 03:59 AM

Good morning.

Thank you for your efforts.

I have done everything. I want to ask you, you see that I have installed CryptoPrevent; the errors displayed by Rkill, for example

* Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

are they caused by that program? Maybe it is better if I disable it?

 

 

Attached Files



#12 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 08 March 2016 - 04:16 AM

I disabled CryptoPrevent and ran Rkill again. But it seems the same.

I see in the fixlist that you delete a Firefox extension

FF Extension: ProxTube - Unblock YouTube -...

This extension was downloaded from the official page.

On reboot after the fixlist was done, Firefox asked me again for the Sync login.

What happens now if I give it? Will it reinstall the missing extension?

I made a new scan after the fix.

 

 

 

Attached Files



#13 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:46 AM

Posted 08 March 2016 - 11:52 AM

Your extension seems to be back anyway so you can log into the Firefox Sync.  It does look like the hijack is gone for now but please tell me later today if it comes back.




#14 Torolosko

Torolosko
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 08 March 2016 - 05:07 PM

I restarted the computer now, from tomorrow morning when I made the scan. And surprise. It's back. The invincible.

 

Here the scans.

 

 

Attached Files



#15 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:11:46 AM

Posted 09 March 2016 - 12:08 AM

FIRST >>>>

Please delete the current Firefox Sync account.  In Firefox go to the Menu > Options > Sync > Manage Account.  Once the web page loads (you may have to log into the Firefox account), click on Delete under Delete Account.
Please do this for all devices you have set up on the current Sync account.


SECOND >>>>


Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
 


Start
CreateRestorePoint:
CloseProcesses:
FF Session Restore: -> is enabled.
FF Extension: ProxTube - Unblock YouTube - C:\Users\TxP\AppData\Roaming\Mozilla\Firefox\Profiles\lrIgoAk7.default\Extensions\ich@maltegoetz.de.xpi [2016-03-08]
2016-03-08 09:41 - 2016-03-08 09:41 - 00000000 ____D C:\Users\TxP\AppData\Roaming\ProductData
2016-03-08 09:41 - 2016-03-08 09:41 - 00000000 ____D C:\ProgramData\ProductData
ShortcutWithArgument: C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end



NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


LAST >>>>

Once the system has rebooted, you may now create a new Firefox Sync account.

 

Monitor the system for a day and see if the Hao123 returns now.  Thank you.
 


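Added example, not part of the original posts and not FRST's own code: a short Python parser that triages the ShortcutWithArgument entries from the fixlist above, grouping browser shortcuts by the host injected into their launch arguments. The line format is inferred from the entries shown in this thread; the third sample line (an "Example Private.lnk" shortcut) is constructed to show a benign argument that is not flagged.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Two entries copied from the fixlist in this thread, one constructed line with a
# harmless command-line switch, and one unrelated fixlist directive.
SAMPLE_LOG = r"""
ShortcutWithArgument: C:\Users\TxP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://hao.169x.cn/?v=108
ShortcutWithArgument: C:\Users\TxP\Desktop\Example Private.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> -private-window
cmd: ipconfig /flushdns
"""

# <shortcut>.lnk -> <target>.exe (<vendor>) -> <arguments>
LINE_RE = re.compile(
    r"^ShortcutWithArgument:\s+(?P<lnk>.+?\.lnk)\s+->\s+(?P<target>.+?\.exe)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s+->\s+(?P<args>.+)$", re.IGNORECASE)
URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe"}

def parse_shortcuts(log_text):
    """Yield (lnk, target, args) for every ShortcutWithArgument line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["lnk"], m["target"], m["args"].strip()

def hijacked_shortcuts(log_text):
    """Map injected host -> browser shortcuts whose arguments contain its URL."""
    hits = defaultdict(list)
    for lnk, target, args in parse_shortcuts(log_text):
        exe = target.rsplit("\\", 1)[-1].lower()
        url = URL_RE.search(args)
        if exe in BROWSERS and url:
            # Refang hxxp -> http only so urlsplit can parse it; nothing is fetched.
            refanged = re.sub(r"^hxxp", "http", url.group(0), flags=re.IGNORECASE)
            hits[urlsplit(refanged).hostname].append(lnk)
    return dict(hits)

if __name__ == "__main__":
    for host, links in hijacked_shortcuts(SAMPLE_LOG).items():
        print(f"{host}: {len(links)} shortcut(s)")
        for lnk in links:
            print("   ", lnk)
```

Running the same function over FRST.txt logs taken on successive days shows whether the same shortcuts are rewritten after each reboot, which is the recurrence described in this thread.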




