Rkill reports ZEROACCESS after unresponsive internet using apps


  • This topic is locked
8 replies to this topic

#1 guneyozsan

guneyozsan

  • Members
  • 5 posts

Posted 27 September 2016 - 03:46 PM

Hello,
 
In general, Unity 3D and Chrome started acting weird. In Unity 3D, after selecting a project in the welcome screen, it keeps running in the background but nothing shows up. After removing the user files or a fresh uninstall/install, the online license manager doesn't work and requires manual licensing. Chrome also started reporting some unresponsive pages. I also started seeing increasing CPU and disk usage from System and Windows Defender in Task Manager. Then I suspected a virus and ran Rkill, which reported a ZEROACCESS. Then I ran FRST.
 
** The Rkill log is so long that it gives a server timeout, so I'm cropping the file list in the pasted log and attaching all logs to the post.
Attached File  Rkill.txt   3.61MB   5 downloads
Attached File  FRST.txt   175.42KB   13 downloads
Attached File  Addition.txt   136.82KB   7 downloads
 
Thank you for any advice and help.
----------------------
 
Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 09/27/2016 10:22:12 PM in x64 mode.
Windows Version: Windows 10 Home Single Language 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
 
     * C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe => <Unknown Target> [File]
 
 * Reparse Point/Junctions Found (These may be legitimate)!
 
     * C:\WINDOWS\Boot\PCAT\bootvhd.dll => <Unknown Target> [File]
     * C:\WINDOWS\Boot\PCAT\memtest.exe => <Unknown Target> [File]
***************************************************************
*************** (EXTREMELY LONG FILE LIST)*********************
*************** (COMPLETE LOG IS ATTACHED)*********************
***************************************************************
 
Checking Windows Service Integrity: 
 
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 * AppMgmt [Missing Service]
 * CSC [Missing Service]
 * CscService [Missing Service]
 * PeerDistSvc [Missing Service]
 
 * agp440 [Missing ImagePath]
 
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 09/27/2016 10:29:49 PM
Execution time: 0 hours(s), 7 minute(s), and 37 seconds(s)
 

 




 


#2 guneyozsan

guneyozsan
  • Topic Starter

  • Members
  • 5 posts

Posted 28 September 2016 - 05:38 PM

Right after, I also ran Malwarebytes Anti-Rootkit, which reported no malware. Log here:

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2016.09.27.12
  rootkit: v2016.09.26.02
 
Windows 10 x64 NTFS
Internet Explorer 11.187.14393.0
Guney :: ASUS-STUDIO [administrator]
 
28.09.2016 01:47:47
mbar-log-2016-09-28 (01-47-47).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 435102
Time elapsed: 51 minute(s), 57 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,922 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 October 2016 - 08:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#4 guneyozsan

guneyozsan
  • Topic Starter

  • Members
  • 5 posts

Posted 01 October 2016 - 12:01 PM

Hello nasdaq,

 

Thank you for helping me out. Here is the log RogueKiller generated:
 

RogueKiller V12.6.4.0 (x64) [Sep 26 2016] (Ücretsiz) by Adlice Software
mail : http://www.adlice.com/contact/
Geribildirim : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Bolg : http://www.adlice.com
İşletim Sistemi : Windows 10 (10.0.14393) 64 bits version
-de başlatıldı : Normal mod
Kullanıcı : Guney [Yönetici]
-den başlatıldı : C:\Program Files\RogueKiller\RogueKiller64.exe
Mod : Tarama -- Tarih : 10/01/2016 18:40:20 (Süreç : 01:09:51)
¤¤¤ İşlemler : 0 ¤¤¤
¤¤¤ Kayıt : 28 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Conduit -> Bulundu
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Wpm -> Bulundu
[PUP] (X64) HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\Conduit -> Bulundu
[PUP] (X86) HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\Conduit -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3D1832B4-0D11-49AF-A952-5920F5F7BF55} : v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\ProgramData\BlueStacksGameManager\OBS\HD-OBS.exe|Name=HD-OBS| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {83E58C3D-5DD5-411C-8570-B01FFEB4E60F} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\BlueStacksGameManager\OBS\HD-OBS.exe|Name=HD-OBS| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{67AB2A04-57AA-4EA4-A0DE-8385CBEE011C}C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe|Name=fledge.exe|Desc=fledge.exe|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{2082FD7B-83BF-4C40-A06C-0619E3D12E17}C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe|Name=fledge.exe|Desc=fledge.exe|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {99F9731E-BAD6-42C1-8A64-4B3BA75E2F7B} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Guney\AppData\Local\Temp\EPSON L355 Series_Export\Network\EpsonNetSetup\Data\ENEasyApp.exe|Name=EpsonNet Setup| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5F0C6B00-C689-4FC5-9BE3-C6988969BACE} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Guney\AppData\Local\Temp\EPSON L355 Series_Export\Network\EpsonNetSetup\Data\ENEasyApp.exe|Name=EpsonNet Setup| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{DECFCA8E-2A62-4691-A474-8B7DD70B2C33}D:\temp\downloader_starcraft_combo_engb.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=D:\temp\downloader_starcraft_combo_engb.exe|Name=Blizzard Downloader|Desc=Blizzard Downloader|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{2E1B33D4-EBE0-4382-919C-81E165D90501}D:\temp\downloader_starcraft_combo_engb.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=D:\temp\downloader_starcraft_combo_engb.exe|Name=Blizzard Downloader|Desc=Blizzard Downloader|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AE9481F9-7C1C-4BE0-9E68-630E506B1677} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2163C79E-1011-4AEC-AF2F-9827290B92D5} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3D1832B4-0D11-49AF-A952-5920F5F7BF55} : v2.25|Action=Allow|Active=TRUE|Dir=Out|App=C:\ProgramData\BlueStacksGameManager\OBS\HD-OBS.exe|Name=HD-OBS| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {83E58C3D-5DD5-411C-8570-B01FFEB4E60F} : v2.25|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\BlueStacksGameManager\OBS\HD-OBS.exe|Name=HD-OBS| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{67AB2A04-57AA-4EA4-A0DE-8385CBEE011C}C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe|Name=fledge.exe|Desc=fledge.exe|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{2082FD7B-83BF-4C40-A06C-0619E3D12E17}C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\guney\appdata\local\research in motion\blackberry smartphone simulators 7.1.0\7.1.0.355 (9930)\fledge.exe|Name=fledge.exe|Desc=fledge.exe|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {99F9731E-BAD6-42C1-8A64-4B3BA75E2F7B} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Guney\AppData\Local\Temp\EPSON L355 Series_Export\Network\EpsonNetSetup\Data\ENEasyApp.exe|Name=EpsonNet Setup| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5F0C6B00-C689-4FC5-9BE3-C6988969BACE} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Guney\AppData\Local\Temp\EPSON L355 Series_Export\Network\EpsonNetSetup\Data\ENEasyApp.exe|Name=EpsonNet Setup| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{DECFCA8E-2A62-4691-A474-8B7DD70B2C33}D:\temp\downloader_starcraft_combo_engb.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=D:\temp\downloader_starcraft_combo_engb.exe|Name=Blizzard Downloader|Desc=Blizzard Downloader|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{2E1B33D4-EBE0-4382-919C-81E165D90501}D:\temp\downloader_starcraft_combo_engb.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=D:\temp\downloader_starcraft_combo_engb.exe|Name=Blizzard Downloader|Desc=Blizzard Downloader|Defer=User| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AE9481F9-7C1C-4BE0-9E68-630E506B1677} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Bulundu
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {2163C79E-1011-4AEC-AF2F-9827290B92D5} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\ProgramData\Battle.net\Agent\Agent.3526\Agent.exe|Name=Battle.net Update Agent| [x] -> Bulundu
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Bulundu
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Bulundu
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Bulundu
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Bulundu
¤¤¤ Görevler : 1 ¤¤¤
[Suspicious.Path] \CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} -- C:\ProgramData\cis724E.exe (--PostUninstall {15198508-521A-4D69-8E5B-B94A6CCFF805}) -> Bulundu
¤¤¤ Dosyalar : 5 ¤¤¤
[Suspicious.Path][Dosya] C:\Users\Guney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk [LNK@] C:\Users\Guney\AppData\Local\slack\Update.exe --processStart "slack.exe" -a "--startup" -> Bulundu
[PUP][Dosya] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLV Converter\FLV Converter.lnk [LNK@] C:\PROGRA~2\GREENT~1\FLV~1.COM\FLVCOM~1.EXE -> Bulundu
[PUP][Dosya] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLV Converter\Uninstall.lnk [LNK@] C:\PROGRA~2\GREENT~1\FLV~1.COM\UNINST~1.EXE -> Bulundu
[PUP][Klasör] C:\ProgramData\WPM -> Bulundu
[PUP][Klasör] C:\Program Files (x86)\GreenTree Applications -> Bulundu
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Host Dosyaları : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Yüklendi) ¤¤¤
¤¤¤ Web tarayıcıları : 1 ¤¤¤
[PUP][CHROME:Addon] Default : Video Downloader professional [elicpjhcidhpjomhibiffojpinpmmpil] -> Bulundu
¤¤¤ MBR Kontrol : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] 4876d5ef3b46944db11781505850f74e
[BSP] 74925cea26eb4c97ae45516ab38e669f : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 300 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 616448 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2459648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2721792 | Size: 381197 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 783413248 | Size: 350 MB
5 - Basic data partition | Offset (sectors): 784130048 | Size: 550503 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,922 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 October 2016 - 09:09 AM

Run the RogueKiller tool and delete/fix these items.
 

[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Conduit -> Bulundu
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Wpm -> Bulundu
[PUP] (X64) HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\Conduit -> Bulundu
[PUP] (X86) HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\Conduit -> Bulundu
[PUP][CHROME:Addon] Default : Video Downloader professional [elicpjhcidhpjomhibiffojpinpmmpil] -> Bulundu




Please download AdwCleaner by Xplode onto your Desktop.

Clean everything that this tool will find.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#6 guneyozsan

guneyozsan
  • Topic Starter

  • Members
  • 5 posts

Posted 03 October 2016 - 06:16 AM

Hi nasdaq,

 

Below are the AdwCleaner results.

 

Then I ran Zoek and after an hour I left it overnight (Run as admin, AV off, browsers off).

 

In the morning it had been running for 12 hours, but the last operation was logged at midnight (--- Firefox Extensions 23:06:19,29 ). Currently it is still using 20% CPU. I also guess that it is still refreshing the log but not writing any new entries (when I open the log in Notepad++ and scroll down, it goes to the beginning of the file at constant intervals. Similarly, I turn off the laptop monitor with the Fn key but it turns on again, so I think it still works).

 

I am attaching the current program screen and log of Zoek as well.

 

Should I wait or terminate Zoek? Or re-run again?

 

Thanks!

 

-----------------------------------------------------------------------------------------------
AdwCleaner log:
-----------------------------------------------------------------------------------------------

 

# AdwCleaner v6.020 - Logfile created 02/10/2016 at 22:06:13
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-10-01.1 [Server]
# Operating System : Windows 10 Home Single Language  (X64)
# Username : Guney - ASUS-STUDIO
# Running from : C:\Users\Guney\Desktop\adwcleaner_6.020.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default\StumbleUpon
[-] Folder deleted: C:\ProgramData\WPM
[!] Folder not deleted: C:\Program Files (x86)\GreenTree Applications
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[!] Key not deleted: HKU\S-1-5-21-1380215849-3434565304-3192534155-1002\Software\GreenTree Applications
[!] Key not deleted: HKCU\Software\GreenTree Applications
[!] Key not deleted: [x64] HKCU\Software\GreenTree Applications
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Wpm
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}]
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\disk-doctors-digital-media-recovery.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mobogenie.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disk-doctors-digital-media-recovery.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mobogenie.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\disk-doctors-digital-media-recovery.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mobogenie.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\solvusoft.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disk-doctors-digital-media-recovery.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mobogenie.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\solvusoft.com
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Guney\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: instagram-for-chrome.en.softonic.com
[-] [C:\Users\Guney\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Guney\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Guney\AppData\Local\Google\Chrome\User Data\Default] [startup_urls] Deleted: hxxp://www.sweet-page.com/?type=hp&ts=1399231382&from=cor&uid=HGSTXHTS541010A9E680_JA100010120G6P120G6PX
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [5807 Bytes] - [02/10/2016 22:06:13]
C:\AdwCleaner\AdwCleaner[R0].txt - [3279 Bytes] - [18/05/2015 12:40:46]
C:\AdwCleaner\AdwCleaner[S0].txt - [5811 Bytes] - [02/10/2016 21:33:48]
C:\AdwCleaner\AdwCleaner[S1].txt - [5884 Bytes] - [02/10/2016 21:55:37]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [6099 Bytes] ##########
 

-----------------------------------------------------------------------------------------------
Zoek program screen:
-----------------------------------------------------------------------------------------------

 
 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Guney on Paz 02.10.2016 at 22:19:33,34.
Microsoft Windows 10 Home Single Language 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Guney\Desktop\zoek.exe    [Scan all users] [Script inserted] 
 
===== Runcheck 22:25:26,18 =====
 
--- Create Environment Variables 22:25:27,11 
--- Create System Restore Point 22:28:01,82 
--- Checking Input 22:28:39,54 
--- AU AppData Check 22:29:08,91 
--- Remove From Windows Installer 22:29:15,03 
--- Empty Folders Check 22:31:14,26 
--- Registry HKLM Software Check 22:31:14,29 
--- Quick Launch Shortcut Check 22:31:38,96 
--- IE Startpage Check 22:31:51,32 
--- Program Files DB Check 22:32:10,03 
--- C:\Users\Bidi\AppData DB Check 22:32:50,87 
--- C:\Users\Default\AppData DB Check 22:32:50,87 
--- C:\Users\Default.migrated\AppData DB Check 22:32:50,87 
--- C:\Users\Guney\AppData DB Check 22:32:50,87 
--- C:\Users\Public\AppData DB Check 22:32:50,87 
--- C:\WINDOWS\SysNative\config\systemprofile\AppData DB Check 22:32:50,87 
--- C:\WINDOWS\sysWoW64\config\systemprofile\AppData DB Check 22:32:50,87 
--- C:\WINDOWS\serviceprofiles\networkservice\AppData DB Check 22:32:50,87 
--- C:\WINDOWS\serviceprofiles\Localservice\AppData DB Check 22:32:50,87 
--- C:\Users\Guney DB Check 22:35:19,69 
--- C:\PROGRA~3 DB Check 22:36:09,40 
--- C:\Users\Bidi\AppData\Local DB Check 22:36:30,75 
--- C:\Users\Default\AppData\Local DB Check 22:36:30,75 
--- C:\Users\Default User\AppData\Local DB Check 22:36:30,75 
--- C:\Users\Default.migrated\AppData\Local DB Check 22:36:30,75 
--- C:\Users\Guney\AppData\Local DB Check 22:36:30,75 
--- C:\Users\Public\AppData\Local DB Check 22:36:30,75 
--- C:\WINDOWS\SysNative\config\systemprofile\AppData\Local DB Check 22:36:30,75 
--- C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local DB Check 22:36:30,75 
--- C:\WINDOWS\serviceprofiles\networkservice\AppData\Local DB Check 22:36:30,75 
--- C:\WINDOWS\serviceprofiles\Localservice\AppData\Local DB Check 22:36:30,75 
--- C:\ProgramData\Microsoft\Windows\Start Menu\Programs DB Check 22:38:21,83 
--- C:\Users\Guney\AppData\Roaming\Microsoft\Windows\Start Menu\Programs DB Check 22:38:30,93 
--- Tasks DB Check 22:38:36,62 
--- C:\Users\Bidi\AppData\LocalLow DB Check 22:38:41,07 
--- C:\Users\Guney\AppData\LocalLow DB Check 22:38:41,07 
--- C:\WINDOWS\SysNative\config\systemprofile\AppData\LocalLow DB Check 22:38:41,07 
--- C:\WINDOWS\sysWoW64\config\systemprofile\AppData\LocalLow DB Check 22:38:41,07 
--- C:\WINDOWS\serviceprofiles\networkservice\AppData\LocalLow DB Check 22:38:41,07 
--- C:\WINDOWS\serviceprofiles\Localservice\AppData\LocalLow DB Check 22:38:41,07 
--- Tasks2 DB Check 22:39:28,09 
--- Documents DB Check 22:39:57,00 
--- Documents2 DB Check 22:40:04,90 
--- C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default DB Check 22:40:07,43 
--- C:\Users\Public\Desktop DB Check 22:40:09,48 
--- C:\Users\Guney\Desktop DB Check 22:40:13,56 
--- Services DB Check 22:40:23,72 
--- FF prefs.js DB Check 22:41:05,52 
--- Emptyclsid 22:41:37,53 
--- Del by CLSID 22:41:40,58 
--- Delete Services 22:42:39,79 
--- Firefox Fix 22:42:44,69 
--- Batch Commands 22:42:46,60 
--- Delete files\folders 22:42:46,76 
--- Create Backups 22:42:46,83 
--- Firefox Extensions 23:06:19,29 
 
-----------------------------------------------------------------------------------------------
Zoek log:
-----------------------------------------------------------------------------------------------
 
 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by Guney on Paz 02.10.2016 at 22:19:33,34.
Microsoft Windows 10 Home Single Language 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Guney\Desktop\zoek.exe    [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2.10.2016 22:28:38 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\Comodo deleted successfully
C:\PROGRA~2\MusicLab deleted successfully
C:\PROGRA~2\COMMON~1\Avid deleted successfully
C:\PROGRA~2\COMMON~1\EPSON deleted successfully
C:\PROGRA~2\COMMON~1\Merge Modules deleted successfully
C:\PROGRA~2\COMMON~1\Research In Motion deleted successfully
C:\Program Files\EPSON deleted successfully
C:\PROGRA~3\ALM deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\Note deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\PROGRA~3\{152EF68B-16AC-49D3-A3E6-E39F7613A2D7} deleted successfully
C:\Users\Bidi\AppData\Local\VirtualStore deleted successfully
C:\Users\Guney\AppData\Local\ActiveSync deleted successfully
C:\Users\Guney\AppData\Local\EmieSiteList deleted successfully
C:\Users\Guney\AppData\Local\EmieUserList deleted successfully
C:\Users\Guney\AppData\Local\PACE Anti-Piracy deleted successfully
C:\Users\Guney\AppData\Local\Skype deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Maps deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} deleted successfully
HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_USERS\S-1-5-21-1380215849-3434565304-3192534155-1002\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0 deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller deleted successfully
 
==== FireFox Fix ======================
 
Deleted from C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default\prefs.js:
user_pref("browser.search.defaultenginename", "Google");
 
Added to C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default
 
user.js not found
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 0);
---- FireFox user.js and prefs.js backups ---- 
 
prefs_02.10.2016_2242_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\Comodo not found
C:\PROGRA~2\MusicLab not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\PROGRA~3\{152EF68B-16AC-49D3-A3E6-E39F7613A2D7} not found
C:\Users\Guney\AppData\Local\MusicLab deleted
C:\Users\Guney\AppData\Roaming\Slack deleted
C:\Users\Guney\AppData\Roaming\Unity deleted
C:\windows\SysNative\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805} deleted
C:\Users\Guney\.android deleted
C:\PROGRA~2\GreenTree Applications deleted
C:\PROGRA~2\COMMON~1\Wondershare deleted
C:\Users\Guney\ia_remove.sh6621.tmp deleted
C:\PROGRA~3\com.sparkol.VideoScribeDesktop deleted
C:\PROGRA~3\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222} deleted
C:\PROGRA~3\{ACEB5C90-39F7-4044-91EF-FBD59A59D240} deleted
C:\PROGRA~3\{C2A88E6D-FA3D-462B-BDFF-A09B1EFA8FBE} deleted
C:\PROGRA~3\{C78336EC-F2EB-4640-99A4-DFE96581B90B} deleted
C:\PROGRA~3\{D69A48BF-7653-4AA8-94BC-5847522A4573} deleted
C:\PROGRA~3\{E2937431-E60E-4C65-BD1B-280017DB2B28} deleted
C:\PROGRA~3\{F92C204F-6C39-4D56-B100-EC929C871966} deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Guney\AppData\Local\Unity deleted
C:\Users\Guney\AppData\Local\Wondershare deleted
C:\Users\Guney\AppData\Local\cache deleted
C:\Users\Guney\AppData\LocalLow\Unity deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\WINDOWS\Syswow64\SET6477.tmp deleted
C:\WINDOWS\Syswow64\SET64D7.tmp deleted
C:\WINDOWS\Syswow64\SET78F0.tmp deleted
C:\WINDOWS\SysWow64\AI_RecycleBin deleted
C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default\jetpack deleted
"C:\WINDOWS\Installer\354f8c.msi" deleted
"C:\Users\Guney\AppData\Roaming\MPC-HC" deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\Guney\AppData\Roaming\Mozilla\Firefox\Profiles\n4opkdt8.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"web2pdfextension@web2pdf.adobedotcom"="C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn" [08.11.2013 00:27]
 


#7 nasdaq

  • Malware Response Team

Posted 03 October 2016 - 08:49 AM

After a normal restart of the computer do you still have issues?

#8 guneyozsan

  • Topic Starter

Posted 03 October 2016 - 11:19 AM

Since Zoek seemed unresponsive, I waited for a confirmation for a restart. And after the restart it seems fine for now. I also noticed the UAC setting was set to "Never Notify", which I have now increased to the highest level, and I installed McAfee Real Protect.

I have one last question that I couldn't get a clear understanding of from the malware topic. I get that it is not advisable to use more than one anti-malware, but I couldn't work out which category Real Protect is in. Does Real Protect conflict with anti-malware software like Malwarebytes Antimalware?

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/?p=2413189

Thank you for all your help nasdaq!



#9 nasdaq

Posted 04 October 2016 - 07:54 AM

Exactly that link is part of my closing message.

I will keep this topic open for 5 days.
If you need to return please do.

Edited by nasdaq, 10 October 2016 - 12:37 PM.




