Rootkit trojan PRAGMApouoiemjnw hidden service, can't remove


  • This topic is locked
43 replies to this topic

#1 JameyC

JameyC

  • Members
  • 26 posts

Posted 11 September 2014 - 03:18 PM

Ok, landlady's laptop, this is the 2nd time in 3 months that she has given it to me to clean up when it stops working. I ran Avast, and MBAM and things seemed cool (8 removals and a ton of malware), till I got a rootkit warning for this critter. Yesterday, she got an email from her ISP stating her IP is being used for botting.

 

I downloaded several rootkit "removers", Avast aswmbr, Kaspersky, and it simply will not delete. I tried to use the mbam rootkit remover but it's giving an error saying that "this tool can be used on windows 2000 or later"....This is XP pro. I located it in the registry, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMApouoiemjnw and can't even change the permissions in order to remove it.

 

A pal of mine suggested combofix last night, they gave me a link. It looked like it did quite a bit of work, but it didn't get this monster. I can only assume it's either reinstalling or I am not getting it out, or just plain doing it wrong. 

 

I ran this this morning, so post efforts, and have not done anything since.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by LOLA at 10:37:55 on 2014-09-11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1526.610 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
C:\WINDOWS\system32\EscSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.9012.1008\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {BDEADE7F-C265-11D0-BCED-00A0C90AB50F} - <orphaned>
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [dla] c:\windows\system32\dla\DLACTRLW.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{D5548137-8E21-4658-AC66-F8C7982029EA} : DHCPNameServer = 192.168.1.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\32.0.1700.107\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\lola\application data\mozilla\firefox\profiles\oqke24x9.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - ExtSQL: 2014-09-09 21:15; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-9-9 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-9-9 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-9-9 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2014-9-9 414520]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-9-9 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-9-9 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-9-9 50344]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [2013-12-3 122000]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 aswMBR;aswMBR;\??\c:\docume~1\lola\locals~1\temp\aswmbr.sys --> c:\docume~1\lola\locals~1\temp\aswMBR.sys [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-5-28 110296]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
S3 ugtdypob;ugtdypob;\??\c:\docume~1\lola\locals~1\temp\ugtdypob.sys --> c:\docume~1\lola\locals~1\temp\ugtdypob.sys [?]
.
=============== Created Last 30 ================
.
2014-09-11 06:40:00 -------- d-----w- C:\ComboFix
2014-09-11 05:47:49 -------- d-sha-r- C:\cmdcons
2014-09-11 05:45:20 98816 ----a-w- c:\windows\sed.exe
2014-09-11 05:45:20 256000 ----a-w- c:\windows\PEV.exe
2014-09-11 05:45:20 208896 ----a-w- c:\windows\MBR.exe
2014-09-11 05:29:08 -------- d-----w- c:\windows\ERUNT
2014-09-11 05:15:47 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-11 05:13:52 -------- d-----w- C:\AdwCleaner
2014-09-10 08:39:37 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2014-09-10 04:26:45 -------- d-----w- c:\documents and settings\lola\application data\AVAST Software
2014-09-10 04:21:59 -------- d-----w- c:\windows\jumpshot.com
2014-09-10 04:16:09 192352 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-09-10 04:16:08 779536 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-09-10 04:16:06 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-09-10 04:16:05 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-09-10 04:16:03 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-09-10 04:15:11 43152 ----a-w- c:\windows\avastSS.scr
2014-09-10 04:09:57 -------- d-----w- c:\program files\AVAST Software
2014-09-10 04:07:48 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2014-09-08 02:42:04 -------- d-----w- c:\documents and settings\lola\application data\Developerts LLC USA
.
==================== Find3M  ====================
.
2014-09-11 00:01:29 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-11-26 09:15:26 49940480 ----a-w- c:\program files\GUT7DC.tmp
2007-07-13 01:02:58 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 10:39:18.31 ===============
 



 


#2 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 12 September 2014 - 02:08 PM

Hi JameyC and Welcome to BleepingComputer !

I am currently looking through your logs and will advise you on what to do in my next reply.
 
I would like to see the Log Combofix creates. Please include the C:\ComboFix.txt in your next reply.

Edited by seedy21, 12 September 2014 - 02:10 PM.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#3 JameyC

JameyC
  • Topic Starter

  • Members
  • 26 posts

Posted 12 September 2014 - 07:01 PM

Here we go, sorry for the delay in response. This is the result I got the other day, I haven't done anything since.

 

ComboFix 14-09-11.01 - LOLA 09/10/2014  23:42:35.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1526.854 [GMT -7:00]
Running from: C:\Documents and Settings\LOLA\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LOLA\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
 
 
(((((((((((((((((((((((((   Files Created from 2014-08-11 to 2014-09-11  )))))))))))))))))))))))))))))))
 
 
2014-09-11 05:29:08 . 2014-09-11 05:29:08 -------- d-----w- C:\WINDOWS\ERUNT
2014-09-11 05:15:47 . 2010-08-30 15:34:16 536576 ----a-w- C:\WINDOWS\system32\sqlite3.dll
2014-09-11 05:13:52 . 2014-09-11 05:19:53 -------- d-----w- C:\AdwCleaner
2014-09-10 08:39:37 . 2014-09-10 15:22:48 -------- d-----w- C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-09-10 04:26:45 . 2014-09-10 04:26:45 -------- d-----w- C:\Documents and Settings\LOLA\Application Data\AVAST Software
2014-09-10 04:21:59 . 2014-09-10 04:21:59 -------- d-----w- C:\WINDOWS\jumpshot.com
2014-09-10 04:16:10 . 2014-09-10 04:15:30 57800 ----a-w- C:\WINDOWS\system32\drivers\aswTdi.sys
2014-09-10 04:16:09 . 2014-09-10 04:15:29 192352 ----a-w- C:\WINDOWS\system32\drivers\aswVmm.sys
2014-09-10 04:16:08 . 2014-09-10 04:15:29 779536 ----a-w- C:\WINDOWS\system32\drivers\aswSnx.sys
2014-09-10 04:16:07 . 2014-09-10 04:19:56 414520 ----a-w- C:\WINDOWS\system32\drivers\aswsp.sys
2014-09-10 04:16:06 . 2014-09-10 04:15:27 49944 ----a-w- C:\WINDOWS\system32\drivers\aswRvrt.sys
2014-09-10 04:16:05 . 2014-09-10 04:15:27 67824 ----a-w- C:\WINDOWS\system32\drivers\aswMonFlt.sys
2014-09-10 04:16:03 . 2014-09-10 04:15:27 24184 ----a-w- C:\WINDOWS\system32\drivers\aswHwid.sys
2014-09-10 04:16:02 . 2014-09-10 04:15:27 55112 ----a-w- C:\WINDOWS\system32\drivers\aswRdr.sys
2014-09-10 04:15:42 . 2014-09-10 04:15:11 276432 ----a-w- C:\WINDOWS\system32\aswBoot.exe
2014-09-10 04:15:11 . 2014-09-10 04:15:11 43152 ----a-w- C:\WINDOWS\avastSS.scr
2014-09-10 04:09:57 . 2014-09-10 04:09:57 -------- d-----w- C:\Program Files\AVAST Software
2014-09-10 04:07:48 . 2014-09-10 04:09:57 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVAST Software
2014-09-08 02:42:04 . 2014-09-10 03:25:52 -------- d-----w- C:\Documents and Settings\LOLA\Application Data\Developerts LLC USA
.
 
 
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2014-09-11 00:01:29 . 2014-05-29 05:09:59 110296 ----a-w- C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
2013-11-26 09:15:26 . 2013-11-26 09:15:26 49940480 ----a-w- C:\Program Files\GUT7DC.tmp
2007-07-13 01:02:58 . 2007-07-13 01:03:05 774144 ----a-w- C:\Program Files\RngInterstitial.dll


#4 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 13 September 2014 - 04:12 PM

Hi JameyC

Before we start to remove this malware I need to ask you some questions.

1) The Combofix log is incomplete - did the scan complete? If so, can you post me the full log?
2) Where did you get the CFScript.txt file from?
3) Are you receiving any help from any other person or website?
 


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#5 JameyC

JameyC
  • Topic Starter

  • Members
  • 26 posts

Posted 13 September 2014 - 05:27 PM

Hi Seedy,

 

1) It said complete, I can't find any other text file in that folder that looks like that. I can run it again if you would like? I haven't done anything with the laptop since I posted.

2) My friend who suggested that I use the combofix in the first place said to use the script (he posted it to me in an IM). I was trying to find it yesterday, but it seems to be gone now? If I remember correctly it was like two lines, something about a driver and a service, but it had the name of the particular root that I am working with on this computer.

 

3) No, I haven't gotten any help from anyone except my pal. I spent a lot of time searching, and finding different rootkit "removers" but none of them worked. After the combofix failed, I said screw it, and searched till I found out this forum is the source of it. I figured it would be better working with the folks who made it than my pal who works on computers in his spare time.



#6 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 14 September 2014 - 03:07 AM

Hello JameyC

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by me
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • Please reply within 48 hours; if you are going to be away for longer, please let us know or the topic will be closed for being inactive
  • If you are using Cracked or Illegal software your thread will be closed
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close.

Step 1

---> Exit all running programs!

---> Download the RogueKiller (created by Tigzy) from

http://www.adlice.com/softs/roguekiller/RogueKiller.exe

---> Click [Scan]

---> Then click [Report] Once the scan is complete, copy and paste the report on the forum.

(The report is also on the desktop)

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#7 JameyC

JameyC
  • Topic Starter

  • Members
  • 26 posts

Posted 14 September 2014 - 03:55 PM

Hi Seedy21,

 

Right, no worries, this beastie sits patiently on the floor awaiting your instructions. I'm not messing with it unless on your say so. :thumbup2:

Ok, I clicked the link, it downloaded, it ran the scan and there is a lot of stuff on the tabs but the report was completely blank. I ran the scan again, still blank. I ran it the 3rd time, it generated a report this time and some internet explorer page popped up out of the blue, http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/

 

 

RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : LOLA [Admin rights]
Mode : Scan -- Date : 09/14/2014  13:44:30
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 19 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\aswMBR.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ugtdypob (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\ugtdypob.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\mbr.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\aswMBR.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugtdypob (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\ugtdypob.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\mbr.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswMBR (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\aswMBR.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ugtdypob (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\ugtdypob.sys) -> FOUND
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> FOUND
[PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.toshibadirect.com/dpdstart  -> FOUND
[PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.toshibadirect.com/dpdstart  -> FOUND
[PUM.HomePage] HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> FOUND
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> FOUND
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 4 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Iviaspi @ Unknown (\SystemRoot\system32\drivers\iviaspi.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Pfc @ Unknown (\SystemRoot\system32\drivers\pfc.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \FileSystem\DLACDBHM @ Unknown (\SystemRoot\system32\DRIVERS\USBD.SYS)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHV2160BT PL +++++
--- User ---
[MBR] ee14a528aaaeb20f26b8a3a10ac1e279
[BSP] 48418dc489112fbc055cf98cad1b7d16 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 152374 MB
3 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 312062625 | Size: 251 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_09142014_121925.log - RKreport_SCN_09142014_124443.log


#8 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 15 September 2014 - 04:05 PM

Hi jameyC
 

some internet explorer page popped up out of the blue, http://www.adlice.com/kernelmode-rootkits-part-3-kernel-filters/


Yes, this is warning you that there is a Kernel filter. Kernel filters can be used by rootkits but they can also be used by legitimate programs. In your case, the kernel filter detection(s) are not attributable to rootkits.


Step 1

We need to re-run RogueKiller

Double Click to start the program

Click the Scan Button

Please make sure the following is Checked :-

[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\aswMBR.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ugtdypob (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\ugtdypob.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\mbr.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\aswMBR.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugtdypob (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\ugtdypob.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\mbr.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswMBR (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\aswMBR.sys) -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ugtdypob (\??\C:\DOCUME~1\LOLA\LOCALS~1\Temp\ugtdypob.sys) -> FOUND


Click the Delete button


Once the deletion has finished, a text report is available by clicking on the Report button. Please copy and paste this in your next reply.

Step 2

More information about installing and running Combofix can be found HERE

Please delete your version of ComboFix and download the new version from one of the following locations:

**IMPORTANT! Save ComboFix to your Desktop. Read the following thoroughly

  • Close any open browsers.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on 'ComboFix.exe' & follow the prompts.
  • If ComboFix finds any Updates, Please allow ComboFix to run them.
  • ComboFix will now disconnect your computer from the Internet and start scanning for Malware so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection. Please be patient.
  • When the scan has finished, it will delete the malware found and reboot your computer automatically. Don't reboot your computer manually, let ComboFix do it.
  • Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered.
  • If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

Please include the contents of C:\ComboFix.txt in your next reply.

Please Enable your Anti-virus Software again !!

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#9 JameyC


Posted 15 September 2014 - 04:08 PM

Hi Seedy,

 

Will get right on this and will post the results here in a bit.

 

edit: lol, misspelled your name!


Edited by JameyC, 15 September 2014 - 04:11 PM.


#10 JameyC


Posted 16 September 2014 - 12:51 AM

Ok, here is the first part. I am having some trouble with ComboFix. It ran for almost 8 hours and it looked like it was stuck on the same file, IMVU, in the application data. I stopped the process and found most of the programs had been deleted. I ran a system restore for the day previous. These are the results of the 2nd run of RogueKiller. I will run ComboFix here shortly.

 

RogueKiller V9.2.10.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : LOLA [Admin rights]
Mode : Remove -- Date : 09/15/2014  22:41:13

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 17 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR () -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ugtdypob () -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR () -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ugtdypob () -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswMBR () -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ugtdypob () -> DELETED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> NOT SELECTED
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.toshibadirect.com/dpdstart  -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.toshibadirect.com/dpdstart  -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> NOT SELECTED

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 4 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Iviaspi @ Unknown (\SystemRoot\system32\drivers\iviaspi.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\Pfc @ Unknown (\SystemRoot\system32\drivers\pfc.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \FileSystem\DLACDBHM @ Unknown (\SystemRoot\system32\DRIVERS\USBD.SYS)
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\redbook @ Unknown (\SystemRoot\system32\DRIVERS\redbook.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: FUJITSU MHV2160BT PL +++++
--- User ---
[MBR] ee14a528aaaeb20f26b8a3a10ac1e279
[BSP] 48418dc489112fbc055cf98cad1b7d16 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 152374 MB
3 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 312062625 | Size: 251 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_09152014_223822.log



#11 JameyC


Posted 16 September 2014 - 02:39 AM

And here is the combofix report, this is much more info than previously!

ComboFix 14-09-16.01 - LOLA 09/15/2014  22:57:38.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1526.657 [GMT -7:00]
Running from: c:\documents and settings\LOLA\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\hiddenWindow.html
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\html.css
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\html\folder.png
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\langGroups.properties
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\language.properties
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\loading-image.png
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\mathml.css
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\quirk.css
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\svg.css
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-column-after-active.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-column-after-hover.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-column-after.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-column-before-active.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-column-before-hover.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-column-before.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-row-after-active.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-row-after-hover.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-row-after.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-row-before-active.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-row-before-hover.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-add-row-before.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-remove-column-active.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-remove-column-hover.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-remove-column.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-remove-row-active.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-remove-row-hover.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\table-remove-row.gif
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\ua.css
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\viewsource.css
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\res\wincharset.properties
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\softokn3.chk
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\GeckoBin\update.locale
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\glRenderEngine.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\hw.txt
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\imvu.ico
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\IMVUClient.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\IMVUClient.exe.manifest
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\imvuflash.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\imvugecko.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\imvuicon.icns
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\imvuicon.png
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\IMVUQualityAgent.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\IMVUupdater.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\installer\SetupImvu_update.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\js3250.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\da.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\de.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\es.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\fr.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\id.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\it.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\nb.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\nl.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\pl.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\pt.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\sv.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\language\tr.pickle
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\LIBEAY32.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\library.zip
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\loadorder.py
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\macros.config.xml
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\MemoryHook.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\mozctl.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\mozctlx.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\msvcp100.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\msvcr100.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\MusicTool.swf
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\npfpbase_vc10.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\nphwndproxy.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\npimvu.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\NPSWF32.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\nspr4.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\nss3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\nssckbi.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\nssdbm3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\nssutil3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ParticleLib.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\PIL._imaging.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\plc4.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\plds4.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\plugin-container.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\pyexpat.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\python26.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\python27.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\pythoncom26.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\pythoncom27.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\pywintypes26.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\pywintypes27.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\arrow_down_background.png
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\arrow_right_background.png
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\bubbleart01.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\button_halo_back.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\button_halo_front.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\cacert.pem
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\convert_to_hsla.py
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\dx11shader.fx
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\gift_box.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\imvu-root-ca.crt
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\invite.ogg
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\node_halo_back.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\node_halo_front.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\oglsm2.frag
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\oglsm2.vert
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\online.ogg
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\seat_icon.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\seat_icon_inactive.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\seat_icon_small_dot.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\Splash_AutoLogIn.bmp
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\SushiBarSalesIcons.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\sushiicons01.tga
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\resources\unlock.ogg
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\SceneWindow.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\select.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\smime3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\softokn3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\sqlite3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ssl3.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\SSLEAY32.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\swiftshader.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\application.ini
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\chrome\chrome.manifest
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\chrome\imvuContent.jar
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\defaults\preferences\blocklist.xml
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\defaults\preferences\cert8.db
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\defaults\preferences\prefs.js
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\defaults\preferences\test_cert8.db
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\blocklist.xml
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\008C6E16d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\013B85DAd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\03A38377d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\04206010d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\052C8D6Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\056C9F46d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\05BE0C2Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\067B5795d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\06AB875Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\06EC168Dd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\08714E3Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0B656BADd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0B740893d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0BF387A9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0BFAB1DCd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0C38A8F7d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0C955550d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0CEED953d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0D2CCA46d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0D87997Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0DFD5047d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0E520C7Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0EC85084d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0F153D1Dd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\0FD459B2d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\12C3F9B9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\13E59191d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\13FB8C14d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\14CB3B20d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1576CAC4d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\15BDB481d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\17170575d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1797F6CCd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\18196A49d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\18DE95D6d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\190352D8d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\19445E55d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\196F34CFd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1979EC3Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1AF13227d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1C39F7E7d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1CC78C2Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1D537980d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1DA84744d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1DC240E3d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1DDE52DDd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1EBC15A5d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\1EDA3D44d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\201D64A6d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\206C8C23d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\20F028E6d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\214C144Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\21CBF68Dd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\222B0DB7d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\224FBBB0d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2299B28Cd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\237C1D57d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\24923713d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\257401C5d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2624894Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2686025Cd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2726ED67d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\28624B2Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\29C193F1d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\29F09FCDd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2AD57A12d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2B419A95d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2BA7E66Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2C34ECC0d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2C68A5B3d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2C71AA39d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2D019A88d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2D02E82Ad01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2DB11386d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2DB2209Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2E2CF7A1d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\2E6E33F3d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\311A917Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\31861759d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3306B647d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\33A3429Ad01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\367E720Cd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3680125Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3703714Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\37B0CF71d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\37E16784d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\385335BBd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3894FFA5d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\39088722d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3918D3C3d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\394C07C9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\395472F9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3AF243E1d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3B033123d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3B1A607Cd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3B569FB0d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3BFD12F3d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\3C43E5B2d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\409AB9F2d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4113AB64d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\411DDEF9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\412D81E7d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\41BBBF99d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\41C234D8d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\41CCDF9Dd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\42095231d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\427B3AEBd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\43B3927Ad01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\43E49EC0d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\43F92950d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\44154602d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\44FC304Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\44FCF41Dd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\455992F2d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\47298BF4d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\487E6F62d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\49209727d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\49A6D180d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\49E7EE5Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\49F910B0d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4A2D0976d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4AB08B29d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4AD38618d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4B35BD63d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4B4E227Cd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4C63D374d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4DEFBDB3d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4E6C5DEFd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4F12286Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4F1EAE05d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\4F323AEAd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\51AA39FFd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\526D0A31d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\53048E49d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\53D8C090d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\548C3DD8d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\550DD41Ed01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\55621513d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\558C5871d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\55A64FC6d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\561E69D5d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\56BD6033d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\579E0446d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\57CFE995d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5838B90Ad01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\588AAC40d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\58B45D44d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\58BF401Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\58DBCF02d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\591C007Ad01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5950F54Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5976BB84d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5A09E54Fd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5A28DF13d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5A8E4C70d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5B4CBC0Ad01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5B90DFB4d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5CC87F97d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5D60F9C5d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5F4899C9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\5FF631D8d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\6007618Cd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\61D778A9d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\61E0D90Bd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\634918BEd01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\634ED942d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\63BD8F86d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\Cache\64C970B6d01
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\cert8.db
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\compreg.dat
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\cookies.sqlite
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\key3.db
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\localstore.rdf
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\mimeTypes.rdf
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\permissions.sqlite
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\places.sqlite-journal
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\places.sqlite
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\pluginreg.dat
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\prefs.js
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\secmod.db
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\webappsstore.sqlite
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\XPC.mfl
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\ui\profile\xpti.dat
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\unicodedata.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\Uninstall.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\w9xpopen.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\WidgetSpace.swf
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32api.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32clipboard.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32com.shell.shell.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32event.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32evtlog.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32file.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32gui.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32pipe.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\win32process.pyd
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\WriteMiniDump.exe
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\xpcom.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\xul.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\zero.dll
c:\recycler(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\INFO2
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-16 to 2014-09-16  )))))))))))))))))))))))))))))))
.
.
2014-09-16 04:42 . 2014-09-16 04:42 -------- d-----w- c:\windows\system32\wbem\Repository
2014-09-14 19:01 . 2014-09-16 05:16 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-14 19:01 . 2014-09-16 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\RogueKiller
2014-09-11 05:29 . 2014-09-11 05:29 -------- d-----w- c:\windows\ERUNT
2014-09-11 05:15 . 2010-08-30 15:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-11 05:13 . 2014-09-11 05:19 -------- d-----w- C:\AdwCleaner
2014-09-10 08:39 . 2014-09-16 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2014-09-10 04:26 . 2014-09-10 04:26 -------- d-----w- c:\documents and settings\LOLA\Application Data\AVAST Software
2014-09-10 04:21 . 2014-09-10 04:21 -------- d-----w- c:\windows\jumpshot.com
2014-09-10 04:16 . 2014-09-10 04:15 57800 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-09-10 04:16 . 2014-09-10 04:15 192352 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-09-10 04:16 . 2014-09-10 04:15 779536 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-09-10 04:16 . 2014-09-10 04:19 414520 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-09-10 04:16 . 2014-09-10 04:15 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-09-10 04:16 . 2014-09-10 04:15 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-09-10 04:16 . 2014-09-10 04:15 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-09-10 04:16 . 2014-09-10 04:15 55112 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-09-10 04:15 . 2014-09-10 04:15 276432 ----a-w- c:\windows\system32\aswBoot.exe
2014-09-10 04:15 . 2014-09-10 04:15 43152 ----a-w- c:\windows\avastSS.scr
2014-09-10 04:09 . 2014-09-10 04:09 -------- d-----w- c:\program files\AVAST Software
2014-09-10 04:07 . 2014-09-10 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2014-09-08 02:42 . 2014-09-16 04:29 -------- d-----w- c:\documents and settings\LOLA\Application Data\Developerts LLC USA
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-12 17:02 . 2014-05-29 05:09 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-12 23:00 . 2014-08-12 23:00 4575232 ----a-w- c:\windows\system32\GPhotos.scr
2013-11-26 09:15 . 2013-11-26 09:15 49940480 ----a-w- c:\program files\GUT7DC.tmp
2007-07-13 01:02 . 2007-07-13 01:03 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-09-10 04:14 578240 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-09 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2014-01-17 421888]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-03 43816]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2011-10-31 1058400]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-07-08 152392]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-09-10 4085896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0bootdelete
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [9/9/2014 9:16 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [9/9/2014 9:16 PM 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/9/2014 9:16 PM 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [9/9/2014 9:16 PM 414520]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 1:51 PM 65584]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [9/9/2014 9:16 PM 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [9/9/2014 9:16 PM 67824]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\EpsonCustomerParticipation\EPCP.exe [6/9/2011 2:01 PM 521600]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [12/3/2013 7:43 PM 122000]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21D.tmp --> c:\windows\system32\21D.tmp [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-16 05:26 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.120\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2014-09-16 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2014-09-10 04:14]
.
2014-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 04:35]
.
2014-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 04:35]
.
2014-09-16 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
2014-09-10 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
2014-09-15 c:\windows\Tasks\User_Feed_Synchronization-{B9502085-D691-4144-9D99-7D34360E34AC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\LOLA\Application Data\Mozilla\Firefox\Profiles\oqke24x9.default\
FF - ExtSQL: 2014-09-09 21:15; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-09-15 23:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\21D.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2396)
c:\windows\system32\WININET.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\TDispVol.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TPSBattM.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2014-09-15  23:47:41 - machine was rebooted
ComboFix-quarantined-files.txt  2014-09-16 06:46
ComboFix2.txt  2014-09-11 06:35
.
Pre-Run: 123,932,008,448 bytes free
Post-Run: 124,105,441,280 bytes free
.
- - End Of File - - 05EEEEEB9D63961CF179D8EEEFFD942F
09CE7397AF23D4C0B331B89D0297CC7E
 



#12 seedy21

  • Malware Response Team

Posted 16 September 2014 - 04:03 PM

Hi JameyC

I assume you still have ComboFix on your system. If not, please download ComboFix from one of the following locations:

Please open Notepad (through Start Menu -> Accessories -> Notepad) and copy/paste this code into Notepad, exactly as it is:
 

KILLALL::

Rootkit::
MEMSWEEP2


File::
c:\windows\jumpshot.com
c:\program files\GUT7DC.tmp
c:\windows\system32\21D.tmp


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

JavaClearCache::

Reboot::

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Make sure your Anti-Virus is disabled while we do this. You can disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When the scan has finished, it will execute the script and reboot your computer automatically. Don't reboot your computer manually; let ComboFix do it.

Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you.
 
Please include the C:\ComboFix.txt in your next reply.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club
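
An added triage example for the driver/service section of the ComboFix log above (not part of the original posts and not ComboFix's own code): it parses the `R0`/`S3` lines and lists entries worth a manual look. The line layout, the reading of `[?]` as "file details unavailable", the extension allow-list and all function names are assumptions made for this sketch.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Lines copied from the driver/service section of the log posted above.
SAMPLE_LOG = r"""
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [9/9/2014 9:16 PM 49944]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [12/3/2013 7:43 PM 122000]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21D.tmp --> c:\windows\system32\21D.tmp [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
"""

# Assumed layout: <R|S><start type> <name>;<display>;<image>[ --> <resolved>] [<details>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<info>[^\]]*)\]\s*$"
)

# Assumption: image types normally registered for drivers and services.
EXPECTED_EXT = {".sys", ".exe", ".dll"}


@dataclass
class ServiceEntry:
    state: str          # "R" or "S" as printed in the log
    start: int          # digit printed after the state letter
    name: str           # key name under ...\Services\
    display: str
    path: str           # image path with the \??\ prefix removed
    info: str           # bracketed details, "?" when the log shows [?]
    reasons: list = field(default_factory=list)


def parse_services(text):
    """Return a ServiceEntry for every line that matches the assumed layout."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("resolved") or m.group("image")
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(ServiceEntry(
            state=m.group("state"), start=int(m.group("start")),
            name=m.group("name"), display=m.group("display"),
            path=path, info=m.group("info").strip(),
        ))
    return entries


def flag_entries(text):
    """Map service name -> list of reasons it deserves a manual review."""
    flagged = {}
    for entry in parse_services(text):
        if entry.info == "?":
            entry.reasons.append("file details unavailable for the image path")
        ext = ntpath.splitext(entry.path)[1].lower()
        if ext not in EXPECTED_EXT:
            entry.reasons.append("unexpected image extension %r" % ext)
        if entry.reasons:
            flagged[entry.name] = entry.reasons
    return flagged


def rank(text):
    """Service names ordered by number of reasons, most first."""
    flagged = flag_entries(text)
    return sorted(flagged, key=lambda name: (-len(flagged[name]), name))


if __name__ == "__main__":
    flagged = flag_entries(SAMPLE_LOG)
    for name in rank(SAMPLE_LOG):
        print(name, "->", "; ".join(flagged[name]))
```

A flagged entry is a prompt for review, not a verdict: leftover entries from uninstalled software produce the same `[?]` marker.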



#13 JameyC

  • Topic Starter

Posted 16 September 2014 - 09:20 PM

ComboFix 14-09-16.01 - LOLA 09/16/2014  15:53:00.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1526.680 [GMT -7:00]
Running from: c:\documents and settings\LOLA\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\LOLA\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\program files\GUT7DC.tmp"
"c:\windows\jumpshot.com"
"c:\windows\system32\21D.tmp"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\GUT7DC.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-16 to 2014-09-16  )))))))))))))))))))))))))))))))
.
.
2014-09-16 04:42 . 2014-09-16 04:42 -------- d-----w- c:\windows\system32\wbem\Repository
2014-09-14 19:01 . 2014-09-16 05:16 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-14 19:01 . 2014-09-16 04:41 -------- d-----w- c:\documents and settings\All Users\Application Data\RogueKiller
2014-09-11 05:29 . 2014-09-11 05:29 -------- d-----w- c:\windows\ERUNT
2014-09-11 05:15 . 2010-08-30 15:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-11 05:13 . 2014-09-11 05:19 -------- d-----w- C:\AdwCleaner
2014-09-10 08:39 . 2014-09-16 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2014-09-10 04:26 . 2014-09-10 04:26 -------- d-----w- c:\documents and settings\LOLA\Application Data\AVAST Software
2014-09-10 04:21 . 2014-09-10 04:21 -------- d-----w- c:\windows\jumpshot.com
2014-09-10 04:16 . 2014-09-10 04:15 57800 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-09-10 04:16 . 2014-09-10 04:15 192352 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-09-10 04:16 . 2014-09-10 04:15 779536 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-09-10 04:16 . 2014-09-10 04:19 414520 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-09-10 04:16 . 2014-09-10 04:15 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-09-10 04:16 . 2014-09-10 04:15 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-09-10 04:16 . 2014-09-10 04:15 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-09-10 04:16 . 2014-09-10 04:15 55112 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2014-09-10 04:15 . 2014-09-10 04:15 276432 ----a-w- c:\windows\system32\aswBoot.exe
2014-09-10 04:15 . 2014-09-10 04:15 43152 ----a-w- c:\windows\avastSS.scr
2014-09-10 04:09 . 2014-09-10 04:09 -------- d-----w- c:\program files\AVAST Software
2014-09-10 04:07 . 2014-09-10 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2014-09-08 02:42 . 2014-09-16 04:29 -------- d-----w- c:\documents and settings\LOLA\Application Data\Developerts LLC USA
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-12 17:02 . 2014-05-29 05:09 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-12 23:00 . 2014-08-12 23:00 4575232 ----a-w- c:\windows\system32\GPhotos.scr
2007-07-13 01:02 . 2007-07-13 01:03 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-09-10 04:14 578240 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-09 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2014-01-17 421888]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-13 304568]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-03 43816]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2011-10-31 1058400]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-07-08 152392]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-09-10 4085896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [9/9/2014 9:16 PM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [9/9/2014 9:16 PM 192352]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/9/2014 9:16 PM 779536]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [9/9/2014 9:16 PM 414520]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 1:51 PM 65584]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [9/9/2014 9:16 PM 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [9/9/2014 9:16 PM 67824]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\EpsonCustomerParticipation\EPCP.exe [6/9/2011 2:01 PM 521600]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [12/3/2013 7:43 PM 122000]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-16 15:17 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.120\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2014-09-16 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2014-09-10 04:14]
.
2014-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 04:35]
.
2014-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-27 04:35]
.
2014-09-16 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
2014-09-10 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
2014-09-16 c:\windows\Tasks\User_Feed_Synchronization-{B9502085-D691-4144-9D99-7D34360E34AC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\LOLA\Application Data\Mozilla\Firefox\Profiles\oqke24x9.default\
FF - ExtSQL: 2014-09-09 21:15; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-09-16 16:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TDispVol.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\AGRSMMSG.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2014-09-16  16:37:13 - machine was rebooted
ComboFix-quarantined-files.txt  2014-09-16 23:36
ComboFix2.txt  2014-09-16 06:47
ComboFix3.txt  2014-09-11 06:35
.
Pre-Run: 123,694,411,776 bytes free
Post-Run: 123,938,791,424 bytes free
.
- - End Of File - - 71CD97574970EDC8A55ED720F0C6C761
09CE7397AF23D4C0B331B89D0297CC7E


#14 seedy21

  • Malware Response Team

Posted 17 September 2014 - 03:25 PM

Hi JameyC

Step 1

Perform an Online Antivirus Scan with ESET:


Note: ESET recommends disabling your resident antivirus's active protection component BEFORE scanning; how to do so can be read here. Use Internet Explorer to navigate to the scanner website because you must approve the install of an ActiveX add-on to complete the scan. If you are using Vista or Windows 7 or 8, launch Internet Explorer by right-clicking the Start Menu icon & selecting "Run as Administrator".

  • Please go here then click on Run ESET ONLINE SCANNER
  • Select the option YES, I accept the Terms of Use then click on START
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is checked.
  • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  • Now click on START
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.

When the scan is complete,

If no threats were found:
  • Check in "Uninstall application on close"
  • Close program

If threats were found:
  • Select "list of threats found"
  • Select "Export to Text File" & Save the Report to your Desktop as "ESETScanLog"
  • Select Back
  • Place a checkmark in "Uninstall application on close"
  • Select Finish & Exit the program
  • Copy and paste ESETScanLog.txt in your next reply

 

Step 2


Please Download Farbar Recovery Scan Tool 32-Bit and save it to your Desktop.

Open up Farbar's Recovery Scan Tool 

Type the following in the edit box after "Search:".

PRAGMApouoiemjnw


Click the Search Registry button and post the log (Search.txt) it makes in your reply.


Edited by seedy21, 17 September 2014 - 03:26 PM.



#15 JameyC

  • Topic Starter


Posted 17 September 2014 - 09:37 PM

Ok, here we go. This is what Eset cleaned out, 39 items:

C:\AdwCleaner\Quarantine\C\Documents and Settings\LOLA\Local Settings\Application Data\IMVU_Inc_C\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll.vir a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Mozilla Firefox\browser\nsprotector.js.vir Win32/Conduit.SearchProtect.A potentially unwanted application deleted - quarantined
C:\Documents and Settings\LOLA\Desktop\books\music\Downloads\ChuzzleDeluxe_EN-dm[1].exe a variant of Win32/Adware.Trymedia.A potentially unwanted application deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\IMVU_Inc\hk64tbIMVU.dll Win64/Toolbar.Conduit.A potentially unwanted application deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\IMVU_Inc\hktbIMVU.dll Win32/Toolbar.Conduit.W potentially unwanted application deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\IMVU_Inc\ldrtbIMVU.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Application Data\IMVU_Inc\tbIMVU.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\Qoobox\Quarantine\C\RECYCLER(2)\S-1-5-21-1549369082-270239162-1212728732-1005(2)\Dc1\installer\SetupImvu_update.exe.vir Win32/Toolbar.Conduit.S potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP722\A0182191.dll a variant of Win32/BrowseFox.O potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP722\A0182194.exe Win32/BrowseFox.C potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182334.exe a variant of MSIL/Rebrand.LittleRegClean.A potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182336.exe a variant of MSIL/Rebrand.LittleRegClean.A potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182501.dll a variant of Win64/Adware.MultiPlug.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182503.dll a variant of Win64/Adware.MultiPlug.A application cleaned by deleting - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182505.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182508.dll Win32/BrowseFox.N potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP723\A0182512.exe Win64/BrowseFox.B potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP724\A0183533.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183571.exe a variant of Win32/ClientConnect.A potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183573.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183575.exe a variant of Win32/ClientConnect.A potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183577.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183578.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183579.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183580.exe a variant of Win32/ClientConnect.A potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183582.exe a variant of Win32/ClientConnect.A potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183589.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183590.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183591.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183592.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183593.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183594.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183595.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183596.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183597.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183598.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183599.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP726\A0183600.exe a variant of Win32/4Shared.D potentially unwanted application deleted - quarantined
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP727\A0184733.dll a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined
 
Post Eset Run, Farbar
 
Farbar Recovery Scan Tool (x86) Version: 12-09-2014
Ran by LOLA at 2014-09-17 19:26:56
Running from C:\Documents and Settings\LOLA\My Documents\Downloads
Boot Mode: Normal
 
================== Search Registry: "PRAGMApouoiemjnw" ===========
 
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMApouoiemjnw]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PRAGMApouoiemjnw]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMApouoiemjnw]
[HKEY_USERS\S-1-5-21-1549369082-270239162-1212728732-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PRAGMApouoiemjnw"
 
====== End Of Search ======




