Saturday, April 23, 2005

HijackThis vs. the Elitebar Removal Tool

The following HijackThis thread, from Web User Forums, highlights a number of key points about the modus operandi of the SearchMiracle/EliteBar downloader. It also highlights the comparative merits of SimplyTech's EliteBar Removal Tool.

The user's opening comments are typical:

I've just started getting IE pop-up windows appearing every so often. They appear regardless of whether I'm actually using my browser (Maxthon).

I've run [Ad-Aware], [SpyBot S&D], and installed SpywareBlaster and SpywareGuard. Removed a heap of items, but the popups are still appearing. Included below is a [HijackThis] log (created immediately after a reboot).

No standard anti-spy software has managed to fend off the infection entirely. A HijackThis log is posted together with a plea for help.

The expert's instructions are typical of the early strategy attempted by HijackThis experts:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

R3 - URLSearchHook: IncrediFindBHO Class - {0026AD90-C86F-4269-97F3-DAB4897C6D06} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll [see VGS's Key File Index for more information on this file]

*Close all open Windows except [HijackThis] and click on "fix Checked".

* Open Windows Explorer, navigate to and delete the following

C:\Program Files\Common files\SearchUpgrader\>>>folder
C:\WINNT\system32\NavLogon.dll>>>file [see VGS's Key File Index for more information on this file]

Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.

While this approach may provide some limited, and temporary, relief, SearchMiracle will soon be back in full force. As HijackThis experts have generally discovered, the infection's downloader stays resident in RAM, detects its own removal and, if necessary, reinstalls itself as Windows is shut down. (The file can have different names for different variants of the infection but, to date, always takes the form "elite***32.exe".) This explains the user's next comments:

I've done everything as you suggested, noting:

"C:\winnt\system32\elitekck32.exe>>>file": This file wasn't there. Searched entire HD and couldn't find it.
"C:\WINNT\system32\NavLogon.dll": Deleted *after* reboot, as was in use before reboot. [see VGS's Key File Index for more information on this file]

After 1st reboot, the elitekck32.exe entry (O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe) had reappeared, so I fixed it again and rebooted a 2nd time. It's still there, see new HJT log below. The pop-up windows are still appearing.

The file "elitekck32.exe" is no longer on the hard drive: SearchMiracle itself deleted it when the "elitekck32.exe" entry was removed. The file is probably designed to be deleted so that it need not be renamed in order to reinstall successfully.

The second round of instructions (in response to the updated HijackThis log) makes the matter still clearer:

*Open [HijackThis], take another scan and place a checkmark next to these entries.

O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe [see VGS's Key File Index for more information on this file]

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O21 - SSODL: NnjrTTQcGY - {372715F7-9D8D-BF5D-D9F5-F29E65298DCD} - C:\WINNT\system32\xqzq.dll (file missing)

*Close all open Windows except [HijackThis] and click on "fix Checked".
*Open Windows Explorer, navigate to and delete the following Files/Folders if present:

C:\WINNT\system32\winldra.exe >>>file [see VGS's Key File Index for more information on this file]
C:\winnt\system32\elitekck32.exe >>>file
C:\WINNT\system32\xqzq.dll >>> file


Reboot the Computer in normal mode, then click the "Post Reply" button and post a new log in this thread for further review and evaluation.

A number of files have returned: first the downloader exe and then the files it has begun to reinstall. The HijackThis expert, in this particular case, is stumped. He keeps advising the user to reboot in normal mode, which only reloads elitekck32.exe into RAM, from where it reinstalls itself when Windows is closed. In the newer, successful HijackThis threads the expert knows to reboot in Safe Mode and then delete the file. This prevents elite***32.exe from loading into RAM, and if it cannot get into RAM it cannot reinstall itself onto the hard drive.
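As an added example (not part of the original post, the forum thread or HijackThis itself), a small Python triage script that parses the O4 autorun lines of a HijackThis log, flags the elite***32.exe naming the post describes, and compares a log taken after reboot against the entries that were fixed, so that a reappearing entry is caught mechanically rather than spotted by eye. The two log excerpts are constructed from lines quoted in this post, and the SpywareGuard entry is an assumed benign stand-in.

```python
import re
from typing import Dict, List

# One HijackThis "O4" autorun line: O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^:]+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# File naming the post documents for the downloader: always "elite***32.exe" to date.
ELITE_RE = re.compile(r"^elite.*32\.exe$")

def parse_o4(log: str) -> Dict[str, str]:
    """Map 'HIVE\\KEY\\[name]' -> command line for every O4 registry entry."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[f"{m['hive']}\\{m['key']}\\[{m['name']}]"] = m["cmd"].strip()
    return entries

def exe_name(cmd: str) -> str:
    """Executable file name from an O4 command, quotes and arguments dropped."""
    return cmd.split("\\")[-1].split()[0].strip('"').lower()

def flag_suspicious(entries: Dict[str, str]) -> Dict[str, str]:
    """Entries to triage first: the elite***32.exe naming, or a bare file name
    with no directory (the log alone cannot tell which file is being loaded)."""
    flags: Dict[str, str] = {}
    for key, cmd in entries.items():
        if ELITE_RE.match(exe_name(cmd)):
            flags[key] = "elite***32.exe downloader naming"
        elif "\\" not in cmd.strip('"'):
            flags[key] = "unqualified file name"
    return flags

def reappeared(fixed: Dict[str, str], post_reboot_log: str) -> List[str]:
    """Fixed entries that are back, unchanged, in a log taken after reboot:
    something still running undid the fix, as the post describes for the downloader."""
    after = parse_o4(post_reboot_log)
    return sorted(k for k, cmd in fixed.items() if after.get(k) == cmd)

# Constructed excerpts modelled on the thread's logs, not the real logs.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [SpywareGuard] C:\Program Files\SpywareGuard\sgmain.exe
"""
LOG_AFTER_REBOOT = r"""
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitekck32.exe
O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe
O4 - HKLM\..\Run: [SpywareGuard] C:\Program Files\SpywareGuard\sgmain.exe
"""

def demo() -> List[str]:
    """Replay the thread: fix everything except SpywareGuard, reboot, compare."""
    before = parse_o4(LOG_BEFORE)
    fixed = {k: v for k, v in before.items() if exe_name(v) != "sgmain.exe"}
    return reappeared(fixed, LOG_AFTER_REBOOT)
```

Running `demo()` returns only the `[etbrun]` entry, the one the thread shows surviving two reboots; the other fixed entries stay gone.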

This thread will end up successful, however, and for an interesting reason. The user takes the matter of getting rid of elite***32.exe into her/his own hands:

Hi, think I've got to the bottom of the elitekck32.exe file.

Another forum put me onto this [Elite Toolbar Remover]... I've run it and it's removed the Elitekck32.exe malware, as shown in the new HJT log below. I've not posted logs for each account as I suspect that's not the problem.

She/he has downloaded and run the Elitebar Removal Tool and now returns to clean up some loose ends not related to SearchMiracle/EliteBar.

Again, this thread highlights the relative merits of HijackThis and the Elitebar Removal Tool. The removal tool is quickly downloaded and specifically targets the problematic elite***32.exe file. HijackThis, by contrast, is not limited to a single strain of infection: given some time for the HijackThis expert community to get a grasp of a particular infection, there is an excellent chance that a fix can be developed. Using it can also add to the user's knowledge of infections and of his/her computer.

Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]


  1. Anonymous, 4:42 PM

    Elite toolbar became one of the most prevalent spyware. How did they become so popular?


  2. Anonymous, 4:44 PM

    Elite Toolbar has infected thousands of computers. Forums are full of elite malware removal requests.

  3. My quad core 6600 with Vista runs explorer.exe at a little over 25%. So far nobody can explain this mystery, other than simple statements like Vista is a piece of...
    Vista certainly is that, but meanwhile I have no clue how to slow down explorer.exe, which makes my computer slow...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:07:28 PM, on 10/25/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16546)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Portrait Displays\forteManager\dthtml.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    C:\Program Files\Azureus\Azureus.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [Samsung PanelMgr] "C:\Windows\Samsung\PanelMgr\SSMMgr.exe" /autorun
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
    O4 - HKLM\..\Run: [DT LGE] "C:\Program Files\Portrait Displays\forteManager\DTHtml.exe" -startup_folder
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
    O4 - HKCU\..\Run: [LightScribe Control Panel] "C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" -hidden
    O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\Sidebar.exe" /autorun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) DHTrace Controller (DHTRACE) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe
    O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
    O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: Intel(R) NMSCore (NMSCore) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Intel(R) Quality Manager (QualityManager) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: StuffIt Task Manager - Allume Systems, Inc. - C:\PROGRA~1\Allume\StuffIt\MXTask.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    End of file - 11684 bytes
