Java/Agent.DW removal help needed

Here is the latest run for the W7 box:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: Phoenix Technologies Ltd.
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: R720
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 156):
0x8301B000 \SystemRoot\system32\ntoskrnl.exe
0x8341E000 \SystemRoot\system32\halmacpi.dll
0x80BD2000 \SystemRoot\system32\kdcom.dll
0x8B824000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8B8A9000 \SystemRoot\system32\PSHED.dll
0x8B8BA000 \SystemRoot\system32\BOOTVID.dll
0x8B8C2000 \SystemRoot\system32\CLFS.SYS
0x8B904000 \SystemRoot\system32\CI.dll
0x8B9AF000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8BA20000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8BA2E000 \SystemRoot\system32\drivers\ACPI.sys
0x8BA76000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8BA7F000 \SystemRoot\system32\drivers\msisadrv.sys
0x8BA87000 \SystemRoot\system32\drivers\pci.sys
0x8BAB1000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8BABC000 \SystemRoot\System32\drivers\partmgr.sys
0x8BACD000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8BAD5000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8BAE0000 \SystemRoot\system32\drivers\volmgr.sys
0x8BAF0000 \SystemRoot\System32\drivers\volmgrx.sys
0x8BB3B000 \SystemRoot\System32\drivers\mountmgr.sys
0x8BC14000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x8BCEE000 \SystemRoot\system32\drivers\atapi.sys
0x8BCF7000 \SystemRoot\system32\drivers\ataport.SYS
0x8BD1A000 \SystemRoot\system32\drivers\msahci.sys
0x8BD24000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8BD32000 \SystemRoot\system32\drivers\amdxata.sys
0x8BD3B000 \SystemRoot\system32\drivers\fltmgr.sys
0x8BD6F000 \SystemRoot\system32\drivers\fileinfo.sys
0x8BD80000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BEAF000 \SystemRoot\System32\Drivers\msrpc.sys
0x8BEDA000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8BEED000 \SystemRoot\System32\Drivers\cng.sys
0x8BF4A000 \SystemRoot\System32\drivers\pcw.sys
0x8BF58000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8C039000 \SystemRoot\system32\drivers\ndis.sys
0x8C0F0000 \SystemRoot\system32\drivers\NETIO.SYS
0x8C12E000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8C153000 \SystemRoot\System32\drivers\tcpip.sys
0x8C29D000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C2CE000 \SystemRoot\system32\DRIVERS\epfwwfp.sys
0x8C2DF000 \SystemRoot\system32\drivers\volsnap.sys
0x8C31E000 \SystemRoot\System32\Drivers\spldr.sys
0x8C326000 \SystemRoot\System32\drivers\rdyboost.sys
0x8C353000 \SystemRoot\System32\Drivers\mup.sys
0x8C363000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8C36B000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8C39D000 \SystemRoot\system32\DRIVERS\disk.sys
0x8C3AE000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x920F9000 \SystemRoot\system32\drivers\cdrom.sys
0x92118000 \SystemRoot\System32\Drivers\Null.SYS
0x9211F000 \SystemRoot\System32\Drivers\Beep.SYS
0x92126000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0x92146000 \SystemRoot\System32\drivers\vga.sys
0x92152000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x92173000 \SystemRoot\System32\drivers\watchdog.sys
0x92180000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x92188000 \SystemRoot\system32\drivers\rdpencdd.sys
0x92190000 \SystemRoot\system32\drivers\rdprefmp.sys
0x92198000 \SystemRoot\System32\Drivers\Msfs.SYS
0x921A3000 \SystemRoot\System32\Drivers\Npfs.SYS
0x921B1000 \SystemRoot\system32\DRIVERS\tdx.sys
0x921C8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x921D4000 \SystemRoot\system32\drivers\afd.sys
0x9222E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x92260000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x92267000 \SystemRoot\system32\DRIVERS\pacer.sys
0x92286000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x92297000 \SystemRoot\system32\DRIVERS\EpfwLWF.sys
0x922A3000 \SystemRoot\system32\DRIVERS\netbios.sys
0x922B1000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x922C4000 \SystemRoot\system32\drivers\termdd.sys
0x922D5000 \??\C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
0x922DD000 \??\C:\windows\system32\Drivers\SABI.sys
0x922E5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x92326000 \SystemRoot\system32\drivers\nsiproxy.sys
0x92330000 \SystemRoot\system32\drivers\mssmbios.sys
0x9233A000 \SystemRoot\System32\drivers\discache.sys
0x92346000 \SystemRoot\System32\Drivers\dfsc.sys
0x9235E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x9236C000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x9380E000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x93D4E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x93E05000 \SystemRoot\System32\drivers\dxgmms1.sys
0x93E3E000 \SystemRoot\system32\drivers\HDAudBus.sys
0x93E5D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x93E68000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x93EB3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x93EC2000 \SystemRoot\system32\DRIVERS\athr.sys
0x93FF6000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x9238D000 \SystemRoot\system32\DRIVERS\yk62x86.sys
0x93800000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x923DE000 \SystemRoot\system32\drivers\i8042prt.sys
0x92000000 \SystemRoot\system32\drivers\kbdclass.sys
0x8BF61000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x93804000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8C3E0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x93806000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x8C3ED000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8C000000 \SystemRoot\system32\drivers\CompositeBus.sys
0x8C00D000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8C01F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8BF9B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8BFA6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8BFC8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8BFE0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8BB51000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x9380C000 \SystemRoot\system32\drivers\swenum.sys
0x8BB68000 \SystemRoot\system32\drivers\ks.sys
0x8BC00000 \SystemRoot\system32\drivers\umbus.sys
0x8BB9C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8BBE0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9401C000 \SystemRoot\system32\drivers\HdAudio.sys
0x9406C000 \SystemRoot\system32\drivers\portcls.sys
0x9409B000 \SystemRoot\system32\drivers\drmk.sys
0x940B4000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x94359000 \SystemRoot\system32\DRIVERS\udfs.sys
0x94399000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x943A4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x943B7000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x943BE000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x943C9000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x9200D000 \SystemRoot\System32\Drivers\usbvideo.sys
0x943E0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x9740B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x974E5000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97870000 \SystemRoot\System32\win32k.sys
0x974F6000 \SystemRoot\System32\drivers\Dxapi.sys
0x97500000 \SystemRoot\system32\DRIVERS\monitor.sys
0x97AD0000 \SystemRoot\System32\TSDDD.dll
0x97B00000 \SystemRoot\System32\cdd.dll
0x9750B000 \SystemRoot\system32\drivers\luafv.sys
0x97526000 \SystemRoot\system32\DRIVERS\eamonm.sys
0x975F4000 \SystemRoot\system32\drivers\WudfPf.sys
0x9760E000 \SystemRoot\system32\DRIVERS\epfw.sys
0x97636000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x97646000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9768C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9769C000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x976AF000 \SystemRoot\system32\drivers\HTTP.sys
0x97734000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9774D000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9775F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x97782000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x977BD000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x977F0000 \SystemRoot\system32\drivers\npf.sys
0x92031000 \SystemRoot\system32\drivers\peauth.sys
0x97400000 \SystemRoot\System32\Drivers\secdrv.SYS
0x920C8000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x977D8000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA1C23000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA1C73000 \SystemRoot\System32\DRIVERS\srv.sys
0xA1D2F000 \??\C:\Users\admin\AppData\Local\Temp\aswMBR.sys
0x77BA0000 \Windows\System32\ntdll.dll
0x483A0000 \Windows\System32\smss.exe
0x77DE0000 \Windows\System32\apisetschema.dll

Processes (total 74):
0 System Idle Process
4 System
312 C:\Windows\System32\smss.exe
476 csrss.exe
548 C:\Windows\System32\wininit.exe
556 csrss.exe
604 C:\Windows\System32\services.exe
620 C:\Windows\System32\lsass.exe
628 C:\Windows\System32\lsm.exe
736 C:\Windows\System32\svchost.exe
800 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\atiesrxx.exe
904 C:\Windows\System32\winlogon.exe
952 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1192 C:\Windows\System32\svchost.exe
1288 C:\Windows\System32\atieclxx.exe
1312 C:\Windows\System32\svchost.exe
1628 C:\Windows\System32\spoolsv.exe
1672 C:\Windows\System32\svchost.exe
1760 C:\Program Files\LSI SoftModem\agrsmsvc.exe
1796 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1852 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
1900 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
1920 C:\Program Files\ICQ6Toolbar\ICQ Service.exe
2008 C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
424 C:\Windows\System32\Rezip.exe
492 C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe
428 C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
1936 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
468 C:\Windows\System32\svchost.exe
1564 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
1328 C:\Windows\System32\svchost.exe
2112 C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
2656 C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
2828 C:\Windows\System32\svchost.exe
3608 C:\Windows\System32\taskhost.exe
3644 C:\Windows\System32\taskeng.exe
3684 C:\Windows\System32\dwm.exe
3964 C:\Windows\explorer.exe
3136 C:\Windows\System32\svchost.exe
3400 C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
3412 C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
1860 C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
1988 C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
2564 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
1688 C:\Windows\System32\SearchIndexer.exe
2024 C:\Program Files\Windows Media Player\wmpnetwk.exe
2688 C:\Windows\System32\svchost.exe
3712 C:\Windows\System32\svchost.exe
2464 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
3524 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4696 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
5300 C:\Windows\WindowsMobile\wmdc.exe
2644 C:\Program Files\iTunes\iTunesHelper.exe
4308 C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
4576 C:\Program Files\ESET\ESET Smart Security\egui.exe
4480 C:\Program Files\iPod\bin\iPodService.exe
6560 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
7996 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
9152 C:\Program Files\ICQ7.0\ICQ.exe
11168 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
16316 C:\Program Files\OpenOffice.org 3\program\soffice.exe
18656 C:\Program Files\OpenOffice.org 3\program\soffice.bin
19324 C:\Windows\System32\audiodg.exe
10008 C:\Program Files\Mozilla Firefox\firefox.exe
20692 C:\Program Files\Mozilla Firefox\plugin-container.exe
24084 C:\Windows\explorer.exe
28628 C:\Windows\System32\notepad.exe
28584 dllhost.exe
24528 dllhost.exe
26384 C:\Users\admin\Desktop\MBRCheck.exe
26828 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`c6500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000068`0bf00000 (NTFS)

PhysicalDrive0 Model Number: ST9500325AS, Rev: 0001SDM1

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5C09ACABD4A5370BDD907E8EDFE0C1DA0F9D3F5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
 
Here is the aswMBR log I did 4 days ago (it took me a day to scan); I can re-do it if you want.

bye
philippe

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-08 21:23:06
-----------------------------
21:23:06.569 OS Version: Windows 6.1.7601 Service Pack 1
21:23:06.569 Number of processors: 2 586 0x170A
21:23:06.569 ComputerName: ADMIN-PC UserName: admin
21:23:28.690 Initialize success
21:23:34.540 AVAST engine defs: 11120701
21:27:17.873 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:27:17.873 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 3
21:27:17.904 Disk 0 MBR read successfully
21:27:17.904 Disk 0 MBR scan
21:27:17.904 Disk 0 unknown MBR code
21:27:17.904 Disk 0 scanning sectors +976771072
21:27:18.013 Disk 0 scanning C:\windows\system32\drivers
21:27:41.007 Service scanning
21:27:42.552 Modules scanning
21:27:52.505 Disk 0 trace - called modules:
21:27:52.520 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
21:27:52.520 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dac030]
21:27:52.536 3 CLASSPNP.SYS[8c38759e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85f5e028]
21:27:54.127 AVAST engine scan C:\
15:42:06.632 Scan finished successfully
18:41:46.532 Disk 0 MBR has been saved successfully to "C:\Users\admin\Desktop\MBR.dat"
18:41:46.532 The log file has been saved successfully to "C:\Users\admin\Desktop\aswMBR-log-9-12-2012.txt"
 
hi,

Are you getting re-directs when you are browsing the internet? Do you have W7 install DVD? Prior to writing a new mbr, I would pull off anything you don't want to lose. Not that it will wipe your drive but because something could go wrong leaving a non-bootable machine.
 
Hi shelf life,

>Are you getting re-directs when you are browsing the internet?
Not really, but in fact I am not really using my W7 box anymore, just to do security scans...

>Do you have W7 install DVD?

I do not have any install DVD; the W7 box was shipped with the OS pre-installed… and when I phoned up Samsung, the answer was "No, we do not ship W7 install CDs"… and on the MSFT site it’s not possible to download it. All I have is the rescue/re-install CD I burned a couple of days ago, and I believe the malware has been backed up with it.

So I plan to download an ISO image of the official install from digitalrivercontent.net (I have seen a couple of links on the web to this site) and use my OEM licence to activate it.

I did not believe how ridiculous this situation can be…. !!!!

>Prior to writing a new mbr, I would pull off anything you don't want to lose. Not that it will wipe your drive but because something could go wrong leaving a non-bootable machine.

I will move all my content to a NAS (I will try to do it only with FTP if possible); the NAS is running a Linux OS.
I have ordered the NAS this weekend; I am waiting for it.


bye
philippe
 
hi,

I guess the good news is that I don't recognize any malware in any of the logs, they all look ok and the three tools you ran are the best tools for removing current rootkits. Based on the logs and the fact you are not getting re-directed I would say you are malware free.
The only thing I am going on is the unknown MBR code, which doesn't mean malware is present. It could be Samsung custom MBR code.
 
hi shelf life


>I guess the good news is that I don't recognize any malware in any of the logs, they all look ok and the three tools you ran are the best tools for removing current rootkits. Based on the logs and the fact you are not getting re-directed I would say you are malware free.

I see your point, but how do you explain that there is something on the box, that connects to

Host: rs.mail.ru

and this thing downloads flash files ??? this still looks extremely suspicious to me...


I did a search on the IP that my box is connecting to and it's a mail server in Russia:

General IP Information
IP: 94.100.187.197
Decimal: 1583659973
Hostname: rf7-reklama.mail.ru
ISP: Limited liability company Mail.Ru
Organization: Mail.Ru
Services: None detected
Type:
Assignment: Static IP
Blacklist:
Geolocation Information
Country: Russian Federation



Here is the TCP stream I captured using Wireshark:




GET /b14070641.swf HTTP/1.1
Accept: */*
Accept-Language: fr-FR
x-flash-version: 11,1,102,55
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)
Host: rs.mail.ru
Connection: Keep-Alive
Cookie: p=iBwZADTP+AAA; b=rTsCAABjigIAAQBKgMYA

HTTP/1.1 200 OK
Server: nginx/1.1.7
Date: Mon, 12 Dec 2011 06:38:28 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 28828
Connection: keep-alive
Expires: Mon, 19 Dec 2011 06:38:28 GMT
Cache-Control: max-age=604800
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSAo PSDo OUR BUS UNI NAV STA INT"



...)..@O.q.4...3.EJl..C.......Ww......=$.......$A@..Y...T.,.H^X..A2...3(9.%..3J.9,y.e..D..9.^....|..>..........w...&.<...c9.....R...y........Q.%.
d2.....n......5.....z..~.
np..^ET..6...j....)>......`.R~.|*G.a........_.V.........3.%..v.n(.Wf..':{...U.y.R.zoQ.iN.C.X..PZ.:|..l!.|..pU.Z._HS>.....b,r..........f.*.B.U.V?.s...jU.s+}....kG......\_Fs.7..Ag.".3S=.v]G...}8h..... K.pt...
p/..t.[%..7E.0@...e..5..
.hN.....L...we2}...R.E_.......-...1U._..!..UQ..Yv.+rE.[.h....GZo..M..F(*e..;B~1...{.O.............|.......(.5....s-0..Ik....g.(
....v.@..
.....;,ma.4.6g_+f ...b....g.O..[..$u.q.G.+.....?I
....%C......g.?Hk:..?.8oCfQ.....!O....w..^i...{].KI."...E...:.....l..]h.*b.l..2FCE.....93.....W9%..4u..p@.7.".,....H.g!Z$_.9..X
...j..o.d>..).#......S.CtMC>.u.. .\D..UD..3..gY.).v.]...#zV[..[O........d.....E......,..%.>=L'..IE...i.A...z.P.....MY.QC.>m......|UW............(3.Hqs..5l.1.f...P..6...V.'...i...,..1..#..#ZI.-q:a....a.R.S.i..%n>.CV....%../.....h.G<z........\..I.<..$.|..Ah|..=..e{.3W4.j.D..rY>.>.ok.PWk^..DI........yZA*&v|M..gE[.G.......E..@s.ZQ.s.....l..W9P-k..Pk..(..~./.[.+....}aC...'&0.....i.Y.G...;...d.G...........E.n.I.K.....L.v.....bD..V..tf..c.l.I....2..i...8\..>.UL......BKc.s..D2...?\.}.\...Fn.....Y...x....|.......j..D.J.%..iL..>|...2....9..u.A.w..d...k.mY%.....].%.....O./(.......3.S.....ienwXv.R.o.j..r.XPI..p..R...HP.e-(...Wp....#.+.8.*It{.... ...$@c1."D..u.vwa.j..c.......=#D...H..#i....cT..3i*...d.5*.].OH....1.....i_'..4..du`..F(
{q...$G..,.Q....,A4.8y...@...@,x.~......!...Z..#:.@...Pt..M[e.
Dc..A...w...........i.$.....8..n..=X=....v+...zMeT.....7d...........2...AgA.p.@{.`...82KP..*.B{...z...Xi.Q..f..o,..k3.,
..k.z.V.'v.T.......49f.)...Z.........f...$g..eP.......'.a.j.<-7].............U..+.Y..a=j.8...$.x..t97w....w..F}....
....*.Sw.NgX..L...Mx..[..1.P.|f.s...{..9k.C?.j.T>c"k..w.....i..(..;.......oZ..66u..&...!....9(..@&b.t.O.#..u.....~~Ez.......Q...=9.N
3\..........,..X$.....W[..?..F..a`Gb.*@.w.......:......VUG.....5.t.y......z...y.......1i.].s2-.+....F..h"^.p..b.7......[2a......-...(...?.*.......*.........8j.'!.
.[.:.o..^4......`k3.R}..
..e.F.&>'.q*.....&"D.6..P...r"b..a..=.U.gcy....$...LM..CRO......%..).Ef.v.T.m.M+.4...G.. c.u.
..t..R..i..4....
..a.E..
U]Da.U....$..>..F.5..M...R.g....
t^k......"e..=WeY.=|.m...........;.E.r."......o&D.....X.Je..F.'Tl.R}..Z7y.f...L>y...@s...sT.O...R$..[...S.../r>......
...+.....Y
...$...i.{....X.*..Xsk..>.Y. ....../......I.....)H}.J.e.N..q,w...W.eV..E......j..=_.OZ$cA..xp"......&u...l........F..`e.9.4...Uv.d.~./.BO.........v..?j...).D..q!..H.p..
....K<>.;.5..M.}g....Q....M...I...I:.@...4<!]qvS.}...v...;t...&a...w.'H.....da.{..oF..#5..6..P.F^.mm...u....9w..)..y.....2...S...........G.l/(_$_V.oG.nD..@hOk3.l%.M.[.r....>....,..V..<K.a.>
2~.......H.<...!5IV..:..?.O.(....?i..*......\F.p.M[3''.=8..h..:l....p....1....Q....T...,.t..|.!9xPi.fL3.-.;'..e..................B........_X..3.W.+!*..Rf...`.kp..1<....o.,...}UQ.nA.|Qn}.....%...._I....'...%,)...M~.....+.$.....n.5L.....g.w.HD.2..W..r.....7...4...
:.8.
....vYX............ .g.ml.p.A....6...6...}.%...g..0..p.i>/........p <xm.z...Q~O..(...1..s..at.>jQ...j.;...i.,I....z...S..b...u.^6.../.......f.....d..Z.`?.w....).7.B(..Xw2D0.W...../..........z...Msi...d6u.B...M.......Q....f/_f..V......hZ...X....x.>2.....i.UUz...s.)}.:.Y#..
..I.J~.1..P#....~......F..0...|.@.^.(QFd.5.../x..^^.<....[4f.4.h.\`.......:..A.i.#.a...!..l.....)VV.N0..{..7...Y..\rw.."...C.............V...G=d.-.C...E.\....?..x}..............FG.,..o...2.DL.*}..H.?.|....Cj.....r..(V.3..4.=.........U.....).......6.Oa.$.L.m
...30@..|...b<.Jc..`.:.r]...2.....y_./8l......s...l.....R*F..1..1J.KZ=..z.^k-/
>...h...\R..8+..CS.x....z.b.0..&X.F.......l.s...m.-. .=..[...bb?.....t{.@....zD.... :.e.m.g`...Y.(.....R.ViJ%i..~O..,p......).5&:....I.....%q.+.lE.......>@..3..F....Sn.......pN..q.$;_....<.L3........k0.>......5o.i.X..!_5....f.[....*+...C.0Lwa!..2.A..H_7NY.[...nM9.3@Rt.kF5.%EV.u.o../..=h..._.-.........f.]."..^..x...59.]D.....!.R.L..B].....N..d...g'...9.1...b.
.R.%.9y9.%q......+..q...E.`.B|..kH.... {Qd..eV.d.j.|...........U.6.p...Y..n...o...a;..~S...|.^..Q(.pT'.xt......./U6_....@..........r.p=o]...pLBH.x.<....5e)V>U....;.h.w.+..B...=.....CnG#.{.....J...n.....$...&..3..%m..}g&.-...N}.i.*..Um@..\.Kk.QT....Y{#.s....S...V.....]rx.d.J.0..Y......'..G%e.,B..!........I.b....J..z:.:.E....P 1]~..[.f!.*l^.....NOY+.3a.j..\7...........n.A+.yc%..x.k....p..^F...=?.*..OA5.0...?.[.Gw...W..,..5.@..iPj...?.... ....(LC&.....`H.~0...H..u.4JO:.=...^.T..,.W\.e4$.. ._y..k.....l..y...
....*....6FS....P.ye5wDf.......w1.
.
~...K...??.;...B...eRC.t.j7.F[9=\Q]....g.RE8.l..m.c....i..d..Q...w.....a..6...s..7h.....]y.....u...N..fN.....=.....u...0.]"N....m..!d`..3.i...v.v..{*.....J}.$m..u=[...........C....;..,..T?X:>..k......w)J..P=.}..
....NMG<....~\....B..x......}...c.B3.<...C1m2T...'m>.....s.;|z!...".i..j3.. kz./.......G.....vR.F.)...2wb..%..Y/.J.u.j.<..gAw7..s.}.......,.4.7.)...ao.....`.2.]?Jl*..a...3.B.U.^G.G......R...V...z.|3.......Q.........e.AC......FgFkb..Mp.v=
R..?.&.'..W..de..{.(7iTuP.Bv(..6.D'siC.g}6Pl.-..%..g.$.bg]YHU.G>dr..`......L....p..O....t"..W.C.yj.1@.3....H7...1..V..y....,EF.Fx.D......n.
U4.*.jB.N!+...._....
.<.3.O..||+}=....~...P..}...F......o....l^..\h.
.......
.8..obn.E......2p....,.n>.'X.......7..X.!.......OnP..T.5.V]..+9!...IW......7...T,........X<..(.*.($+"...gpiT.3...UP...MB...W...QA
/R..N.%CDL^J..F.L..<..Q.
;*v.dp`V.V85.
.ZwOs....=`....=......e.A.P...SK.x.2.,.-....."..j........ B}I ........;Jx..A....S.o.}..........iX^..c.....)v.?.........jhz...u..qK...a.......Wd.A...:,H_F.4..
..0?.4...j.:x.....|........."W*....8..:...=E-OC...!.."X.3[t.N.Y!dR...)j....1N..?z.......T......,.....2_.,...A.....?y.X.?.9....Z..<e.d$X......#o......r}..U.h.g.._..l*.].....I'... .Y`..sLd.Z.l..No)....13.>......].......x....et?.....P........#.@......}.......:|I...O
`......^...6b~...D....'..}...D.2y.2..;....B...#>.O.)t.._...p......^<c....L..K.J~u.~.n....!..q..."]ZC..x....x..j.M....Xq.R....F/7....\...1K#j(V....=.[[.&K.-.O;......Q..L.8.(..v..U.....AS.u.t.T.]....h$..^/j?..=..'B{p..:..\......>T...uO.Y../...#.5.....[..s0....cT|.'....)8}....h.r.X~..}... ..Y]....P..Q..e1.k...:..(.2.p..J~...... ..n.:.7+..T.U\..WE`..W
...".m.r..t9...7.[.O...}<:...
..K.
?.]..`.....v...T..X.A....UP..`w.l.}{0 .P.0.......[.c....f.n..p.f......H..|s.Z.....24..U.6.%a..ji.fEW...{..u..Y)......n..(..~j.[.B14A./..Di<x.?.{Q......%x8......U..c..|....AM.V..K.d..J.....y..-.x.g...j........r.d......P]....o............1.mCS....9q.qz8.H{H.._UP...B{k...~......h..-Sw....1#n.d.wQ.....I}...L......;2...0N{H..}.*-S....].....S.3R9...E....s.......n9..{...."...m..-{...zG..Pb.pA./.5.F0yD.$......9 .Q:d[.4.......DE.B.}.z....n.....d.<.xD....mM..0tl....M.......a.@S..x.A'.:.N....s......'E...`5.scF^d.um.A8...}...x...].....'..2.#....0.).!.!zQt|....7E<_.5......N..W.......l[.!...s....e.../..........a.0*...Z...l.N..5../.Ms6c.....F.?
G.....v...N.P.9}.U#/:~........y.......w....g......J~...s.......b.=..[Ku.C.....W=g.k^PUV?...]..6.T[7P^..4*w...ku=..P.A...1..\z..e}...........>jd.......8o..P{.{......-&G%U........;:........yt..6.#...v"........L...+...P.xd..;..P#5.. ..TB.....\.......6.C.j?S$....z.Jx.c..}+E......cc........D.:./....4Bm..T..mRQQ].U.y..m..t-..r.}...j...&^..k'V...W.F..qa.]{e....7.o...b..|.=..^......M-..i'....}AU......m..]~|......&..,$.WP=.....n.....)......9.....1Wv....N.n.3.....2Hv|.....,N.....................p.a..LT.3_g.fD^..e.o....F...2o...A.e7.E.;..{..5..my...........<r..?..XRn.=b...H......<..%XC..<......L..|.>..........
.m~.........nDc.z.M....a.71.
.26..;|]..Ju.v..%.V?..U.d..e.s..w.jJ9.....5......>...,....%_...T8.(Vh.dUj..m.=.q......KT..L.u.u.....Zu...u..02.I2|..aS....X.....el^....1....[...kdxn!Lk++...)..../..6S5...^.k..5.)....LWwf.T...&.d..x..........G.%.3..E....D.......8...:.0......*.n..L<..... .q.....).Lx..P..w{Yr...R..."......~f..W".....ln......:..v.E........|R........!./..3J.....r.f..h...x.U...........+i....m\.:.m....).......C...[.4....5.w>I..Xd...[.1....,Nk9.....Kr.%x..9.k..d..,E}.%.A?qL]...........w.8pV...'..{Z....b.=_....so...V.x.....h........X......!s.,r....7...=
...5. q...../t.....l{n*=)t.y.P'..x4Q..'<......z...7q.....l..*.g&=...m..ES,.=?...+N.a..&..RkPu..........K..z...........T8xyx.j...~.#e..I.U.e..y..s.....yv....x..Sj...c"..kv..n...[....._6.W7.x...U#.jJ.#....I...'.Y..1.......p...e...".;.M...<.=..#...X\.xCi..Zk.+..2........L-w^6..e..}...../.....E..|1!
...)b..2..4tZ*.B..m....:.+3.....fW.g|..].."A.
/.E.M..._....W.@WH.L....D...;[..|y.C.{4....*......aYs}......J.X?%y.(..`_.`...x...D......j.`.I.5{.M...U..k..g.:.....O.y...e.o....P....q...(..{.g.)<...I_.I[..SG...'.'m.o.....].?i...)....r?}..|
..].._....IL..c....$...c.....K.9q..?...\....$......g.d....lk..i...a
...I.......+.u...Z.edN..]..>..[,..2:.gn.n.....j.).\.I...w...MC\.[_.Q........,.yj....op?.]r|...%G.. .....?..=
0.0"..H...x..&;D...\...C}............O.....kv2`.>./.))...."..`..0.[..AZJ.......b....OG..2....x....oN.>.|X......../ ..I......
}.w -.?.............HS....e..^L.T#M.;.z./ ..e...I.>
z......O....w.6X.D..x..1...<.'..0....JK....R..i........*....._..l...../.WK..@.....J..
..C.q...f?.*..X..xz.`....C}...~.ql...S....BO....J........d.....EW..}.....d.../..S......9l.m.6t.na-vk..D...U9..h.G...._..\..Y........9....F-...15.x.e.D.....@.....{..p{F.!.`...S.U.......S?.._....7@....M.q......\...W......\.gNG..:P.....
0bg.,W....C..98<..y..u.
...C.."..6.g...T....m..X...&@Jm....?yS..>.K._..'l......Z,5..N.....4-.%...A7...S. =}j....E..V.)KG...O5NL.Z..L...w.w3...Sy..
t9...l=.B.O\....Z.D._...Y/v........x.....p......Y."Od.<.F8...|....t7..._..P...SAS....E......lO.ER.s.........:%?.W...
.(..f..U.7>.18tQ};.7.....RG9.~!%..^SU.^.+..*..
..L.VT...;.C...."..9........"..;.....K...
...`.=..r...i2.@...c..H...W
......v.G.r.j.A&.J.
/D|..a!...q..)f.....<c....f......=...C#.Z2r.........:.c)~...7..$...3.Db..IG$p...F......p.q......~....,<w...Ij.y.J.....=.X.....^ ..Ua_"..0......`{|L.KRo..)Ht..Psb....Z.`....7..4.`...PPV,.....>o..S......aLC."8...#.i.H...3.#...'.....~.j....tN..W.K...3..o%..-...-......_....yZ3.....s....w.>(~...6.:ml^.T{....~gH.,.F,.V.....<..3..i.........i...4$.?.....qA...-.".y...l....t.$.S9......$.....)..;I2H.ErL.3.~LE........m.=.
=>Q..{......%...c?..H....8....2.x.......*]......'%">P....ox.1T...o..wW.}..?q.1T.!.o...="tg..~..<.ap..?.xP.@...Z.+..p......KD.._.o..f.g....y.....F......j....z....q....V..p..R.m......Uc......>........n....3W.?....@...U...U._:...........:......h....../..h.|`..%..n..............Jn...N\..l.x.!.G.J...(p..Z
.$K..K.r\YFeV.q...(.;....:[
q...].w}.8.A<.....R ...\....D[f..k@%. !.*6;..H.7.d.......P<.8vPa._...Q}e.._>].}.'Q..|...bc..c.@J.....fS
M&..xW.
.BES ...O<..1.N...d..D_.
.hV0.d....Et.o.:.f.....@.g.wA.d..%Q.L.9.'.V...Z..$c.{wg.'I.......g......aZ.u+.t..k2FX..R.......y...6.G3........V.$*n...iV(E..J....g[.=...8.K
}v.O...^..5.x....".g.......T....sss...h.8.1..F....5...w.\.o..X.w.:L
.xU....?.<.".....7.2kawe'.=...\G..1..|.l<q&6.......0D}...Gw........q.....j..BuO..C.!=Q..>Z........^6~.:...z..@..a..D yZ..,u.)p.M......IY%C...I.9..m..`.p...K~.c.6P"..w.fe..........Jz..........K....
.}...t.1..:...j#..K.|o7
.#.'ID8.....8.a...H...wj..#C_..xt...i.........T..0.l.R...
...Z.{....F[t.>...u........Q.............XYl.........8."..kd2.).A.e._.7r....*..$[%,..X"...iJ.....)....":.s&.......^R..G..q..I......8&.=.1.-A.3......O...=..................!...X.0...J.S......q......g..c8.....~....W...........g............?;._..n...q.......('....wo..s3.....!~9........:..`.....]....t...l..~..;..~.DS....c...yq...{..G...2.s_8..z~+=.O..%*o=.2........7...I..`5.....5....j.7..,.j}.L..{..+].i...>J.....F.......M.....q...(g...'I.@...:....).VA.c.ov........D....e..".j..:......j........i.h......25....v.Y>..2Wd.....,...,....e..~....OW......k.d...cZq.......o:_.-[$.......t..![..;../.Ap..BF.......3.........p;
..?...H..
.....N...C{S...[16/...xe...P.'o.n.Zy.k...
....{.V..Z......k....._+._*8..V...T....T.%.8E'........0.yfs.........3..@.6@........(..
.g...........Q$'....B...6.]....-.E...~....{..8e./.{....,8`...>XH.....06.........N0..?6..j
 
Then we will assume the unknown MBR code is not from Samsung and/or you still have other malware present, and proceed with writing a new MBR to disk.

Let me see if I can find a source for a W7 RE ISO image. You can download it, burn it to CD, boot off of it, and have it to keep.

Go to Start/Search and type in diskmgmt.msc. The Disk Management window will open up. Maximize the window, take a screenshot of it, and post the screenshot.
 
There is a 100 Mb partition that is not attached to any disk. I checked the security settings for it and it says:

\\?\Volume{1057A64E-B3AC-11DE-B77D-806E6F6E6963}\

Looks strange?

bye
philippe
 
Today I booted up the XP box, and fairly quickly after the boot my modem firewall reported this:

TCP- or UDP-based Port Scan 4 Jeudi 15 Décembre 2011 22:53:01 public myIP:50373 source: 89.2.0.1:53
 
I will PM you a link to a W7 recovery/repair ISO image. Burn it to CD and boot from it to enter the W7 RE. It's from there we will write a new MBR. This will take care of the problem, assuming it's an MBR rootkit. Also pull off any files you don't want to lose as a precaution, and I will find a good set of instructions to follow.
Did you get this:
ISO image of the official install from digitalrivercontent.net
 
hi shelf life,

thanks for the link and all your help here.

In fact, given all the problems I got, what I plan is to migrate to Linux for both the W7 and XP boxes.

I will install a CentOS 5 distribution (that I already know a bit), and use a virtual environment like Xen or VM VirtualBox to install Windows if I need it.

Once my data are backed up on the NAS I will do a low level format of the disks I don't trust, and install from there using the Ext3 file system.

Do you have any recommendations?

>Did you get this:
>ISO image of the official install from digitalrivercontent.net
Not yet. Do you have anything to say about this?


Below is a link to a very interesting tool to do in-depth live memory analysis:
http://www.mandiant.com/products/free_software/redline/
I did an analysis with it on my W7 box, but I am not experienced enough to really analyse the results.

If you are interested I can send you a download link to get the result of the run; it's a 100Mb zip.

bye
philippe
 
You're welcome. Not familiar with CentOS. I am somewhat of a distro hopper and I am using Fedora right now.
Sounds like a good plan. Malware is going deeper and deeper into the OS and becoming increasingly difficult to detect and remove. Seeing more and more rootkits now also.

HD vendors make tools you can download and use for diagnostics and to do a low level reformat.
I've used Western Digital's utilities to wipe a drive. GParted will also wipe a drive but I don't think it's a 'low level'.

I asked about the official ISO image because I didn't want you to do anything until you had that. Just in case the fixmbr failed, then you at least would have a reinstall disk to use.

Sure, send the link to your results, I would like to see them.
 
hi shelf life,

>You're welcome. Not familiar with CentOS.
CentOS is used by some hosting providers and I use it in a server context.

>Sure send the link to your results, I would like to see them.

Hi, here is the link to the result:
http://oron.com/vcsgs4tmyuqo

>HD vendors make tools you can download and use for diagnostics and to do a low level reformat.
OK, I got it. Will this process erase the MBR or do I need to erase it manually?

>I asked about the official ISO image because I didn't want you to do anything until you had that. Just in case the fixmbr failed, then you at least would have a reinstall disk to use.

So I can safely download it to use it for the VM.

bye
philippe
 
hi,

A low level format or writing zeros to a drive will wipe out the MBR.
I saw your results, didn't sift through all of it, but didn't see anything conclusive. Had to install .NET framework to use it. Good Luck
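
As an added illustration for the MBR question above (not part of the original thread, and not a tool any poster used): a read-only Python check of a 512-byte sector 0 dump that reports whether the MBR was actually zeroed by a wipe. The sample sector, its 100 MiB partition entry, and all function names are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446   # bytes 0..445: boot code area (disk signature at 440..443)
SIGNATURE_OFF = 510    # classic MBR ends with the bytes 0x55 0xAA


def inspect_mbr(sector: bytes) -> dict:
    """Summarise a raw sector 0 without modifying anything."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):  # four 16-byte primary partition entries
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({
                "slot": i,
                "bootable": entry[0] == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "size_mib": num_sectors * SECTOR_SIZE // (1024 * 1024),
            })
    return {
        "wiped": sector == bytes(SECTOR_SIZE),
        "boot_code_zeroed": sector[:PART_TABLE_OFF] == bytes(PART_TABLE_OFF),
        "has_boot_signature": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "partitions": partitions,
    }


def read_sector0(path: str) -> bytes:
    """Read the first sector from a disk image file (path is the caller's choice)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot bytes plus one active 100 MiB NTFS entry."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\x90\x90\x90\x90"  # constructed filler, not real boot code
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    print("before wipe:", inspect_mbr(build_sample_mbr()))
    print("after wipe: ", inspect_mbr(bytes(SECTOR_SIZE)))
```

After a zero-fill, `wiped` should be true and the partition list empty; a sector that still carries boot code or a partition entry means the wipe did not reach sector 0.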
 