
Explorer.exe


12 replies to this topic

#1 cloud10again


Posted 20 November 2014 - 07:30 PM

So I have this laptop (wife of the boss). It had Poweliks, but RogueKiller took care of that.

 

Here's the problem:

 

When I log on, obviously explorer comes up. However, it creates a 2nd explorer.exe process (Process Explorer shows it under the first explorer.exe). This 2nd process will randomly and intermittently create 100s of TCP connections to a bunch of different IPs, sometimes using multiple megabits of bandwidth with memory usage varying wildly as well (I've seen 2MB - 4.7GB). If I kill the offending process, it will come back momentarily. However, if I kill the "parent" explorer.exe, everything is fine (apart from, you know, not having Windows Explorer). As soon as I restart explorer via New Task, the 2nd one comes back too almost immediately.

 

The problem persists even in safe mode (with networking obviously).

 

Even better, every malware scan I've tried has come back clean. SFC reports signatures are good as well.

 

Any ideas?
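
The two symptoms described in post #1 (an explorer.exe running under another explorer.exe, and a burst of TCP connections to many different IPs) can be checked together from a process list and `netstat -ano` output. The sketch below is an added example, not part of the original post or any tool named in this thread; the `name,pid,ppid` CSV layout, the PIDs, the documentation-range addresses and the 25-address threshold are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SHELL = "explorer.exe"

# Constructed process snapshot (hypothetical name,pid,ppid export; made-up PIDs).
SAMPLE_PROCESSES = """name,pid,ppid
explorer.exe,2140,2008
explorer.exe,3120,2140
chrome.exe,4012,2140
svchost.exe,836,560
"""


def build_sample_netstat():
    """Constructed `netstat -ano` style text: one browser, one noisy explorer.exe."""
    lines = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836",
        "  TCP    192.168.1.20:49180     203.0.113.10:443       ESTABLISHED     4012",
        "  TCP    127.0.0.1:49190        127.0.0.1:49191        ESTABLISHED     4012",
        "  UDP    0.0.0.0:500            *:*                                    836",
    ]
    for i in range(40):
        lines.append(
            f"  TCP    192.168.1.20:{50000 + i}     198.51.100.{i + 1}:80"
            "        ESTABLISHED     3120"
        )
    return "\n".join(lines)


def parse_processes(text):
    """Return {pid: (lowercased image name, parent pid)}."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        procs[int(row["pid"])] = (row["name"].strip().lower(), int(row["ppid"]))
    return procs


def parse_netstat(text):
    """Return {pid: set of remote IPs} for active outbound-looking TCP rows."""
    remotes = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # TCP rows carry five fields; UDP rows have no state column and are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, _local, foreign, state, pid = fields
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue
        # Split off the port; IPv6 endpoints are printed as [addr]:port.
        host = foreign.rsplit(":", 1)[0].strip("[]").split("%")[0]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        remotes[int(pid)].add(str(ip))
    return remotes


def find_suspects(procs, remotes, min_remote_ips=25):
    """Flag explorer.exe instances that are nested and/or fan out widely.

    A finding is a lead for triage, not a verdict. If the parent has already
    exited, its PID is absent from the snapshot and the nesting check is skipped.
    """
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        if name != SHELL:
            continue
        parent = procs.get(ppid)
        fanout = len(remotes.get(pid, ()))
        reasons = []
        if parent is not None and parent[0] == SHELL:
            reasons.append("explorer.exe started by explorer.exe")
        if fanout >= min_remote_ips:
            reasons.append(f"{fanout} distinct remote IPs")
        if reasons:
            findings.append(
                {"pid": pid, "ppid": ppid, "remote_ips": fanout, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_PROCESSES)
    remotes = parse_netstat(build_sample_netstat())
    for finding in find_suspects(procs, remotes):
        print(finding)
```
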




#2 ElfBane


Posted 21 November 2014 - 04:12 AM

Your symptoms still indicate malware. I'll request a mod to move this post to the "Am I Infected" forum.



#3 dc3


Posted 21 November 2014 - 11:58 AM

Please run the following scans.

 

The symptoms you posted sound a lot like those of Poweliks.  Please run the Powelikscleaner by ESET to be sure it is gone.

 

 
Please download Powelikscleaner (by ESET) and save it to your Desktop.

1.  Double-click on ESETPoweliksCleaner.exe to start the tool.

2.  Read the terms of the End-user license agreement and click Agree.

3.  The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

4.  If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.

 
The tool will produce a log in the same directory the tool was run from.
 
Please copy and paste the log in your next reply.
 
 

Please run Malwarebytes AntiMalware
 
Please download Malwarebytes Anti-Malware.  After clicking on the link the download will start automatically.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2)  Malwarebytes will automatically open.  If this is the first time you have run this version of Malwarebytes you will see an image like the one below.

[screenshot]

Click on Update Now, after Malwarebytes is updated click on Scan.

If this isn't the first time you have run this version, then you will see an image like the one below.  Click on Scan.

[screenshot]

You will be prompted to update Malwarebytes, to do so click on Update Now.

3)  The scan will automatically run now.

4)  When the scan is complete the results will be displayed.  Click on Quarantine All, then click on Apply Actions.

5)  To complete any actions taken you will be asked if you want to restart your computer, click on Yes.

6)  Please post the Malwarebytes log.

To find your Malwarebytes log, download mbam-check.exe from here and save it to your desktop.

To open the log double click on mbam-check.exe on your desktop.  When the log opens, scroll down toward the bottom of the log to Quarantined Items.  Copy and paste this in your next post.
 
 

Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.

1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.

If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.

3.  Click Start Scan and allow the scan process to run.

4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.

***Do NOT select Delete!

Click on Continue.

5.  Click on Reboot computer.

Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.

Edited by dc3, 21 November 2014 - 12:00 PM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#4 cloud10again


Posted 21 November 2014 - 01:17 PM

Well shucks, I thought we were onto something there. I guess RogueKiller didn't get completely rid of it, or there was more than 1 variant. ESET said it was cleaned, so I rebooted. The 2nd explorer didn't come up, so I thought it might be fixed. It came up a few minutes later though. Side note, whatever ESET did made the touchpad two-finger scrolling work again.
 
Malwarebytes and TDSSKiller have both been run multiple times before, but latest logs are below.
 
---------------------------------ESET log-----------------------------------------------------------------
 
[2014.11.21 11:00:47.912] - Begin
[2014.11.21 11:00:47.912] - 
[2014.11.21 11:00:47.912] -     ....................................
[2014.11.21 11:00:47.928] -   ..::::::::::::::::::....................
[2014.11.21 11:00:47.928] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2014.11.21 11:00:47.928] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2014.11.21 11:00:47.928] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2014.11.21 11:00:47.928] -  .::EE:::::::::::::SS:.EE..........TT......
[2014.11.21 11:00:47.928] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2014.11.21 11:00:47.928] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2014.11.21 11:00:47.928] -     ....................................
[2014.11.21 11:00:47.928] - 
[2014.11.21 11:00:47.928] - --------------------------------------------------------------------------------
[2014.11.21 11:00:47.928] - 
[2014.11.21 11:00:47.928] - INFO: OS: 6.1.7601 SP1
[2014.11.21 11:00:47.928] - INFO: Product Type: Workstation
[2014.11.21 11:00:47.928] - INFO: WoW64: True
[2014.11.21 11:00:47.928] - INFO: Machine guid: 0680A5E8-6A84-4981-AAEF-5A77D9A5FC63 
[2014.11.21 11:00:47.928] - 
[2014.11.21 11:00:49.972] - INFO: Scanning for system infection...
[2014.11.21 11:00:49.988] - --------------------------------------------------------------------------------
[2014.11.21 11:00:49.988] - 
[2014.11.21 11:00:49.988] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.21 11:00:49.988] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.21 11:00:49.988] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.21 11:00:49.988] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.21 11:00:49.988] - INFO: Processing classes...
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\S-1-5-21-1129299657-3513596477-2523695919-1004\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.21 11:00:49.988] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-1129299657-3513596477-2523695919-1004\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.21 11:00:49.988] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.21 11:00:49.988] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.21 11:00:49.988] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.21 11:00:49.988] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.21 11:00:49.988] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.21 11:00:49.988] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.21 11:00:49.988] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.21 11:00:49.988] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.21 11:00:49.988] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.21 11:00:49.988] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.21 11:00:49.988] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.21 11:00:49.988] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.21 11:00:49.988] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.21 11:00:49.988] - INFO: Win32/Poweliks found
[2014.11.21 11:00:58.526] - INFO: process: dllhost.exe, pid 4748, parent 836
[2014.11.21 11:00:58.526] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.21 11:00:58.526] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.21 11:00:58.526] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.21 11:00:58.526] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.21 11:00:58.526] - INFO: Processing classes...
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\S-1-5-21-1129299657-3513596477-2523695919-1004\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.21 11:00:58.526] - INFO: Deleted classid [\Registry\User\S-1-5-21-1129299657-3513596477-2523695919-1004\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.21 11:00:58.526] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.21 11:00:58.526] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.21 11:00:58.526] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.21 11:00:58.526] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.21 11:00:58.526] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.21 11:00:58.526] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.21 11:00:58.526] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.21 11:00:58.526] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.21 11:00:58.526] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.21 11:00:58.526] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.21 11:00:58.526] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.21 11:00:58.526] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.21 11:00:58.526] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.21 11:00:58.526] - INFO: Cleaning status: 0
[2014.11.21 11:01:02.660] - End
 
----------------------------------------/ESET log--------------------------------------------------------
 
 
---------------------------------------Malwarebytes Quarantine------------------------------------
 
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Quarantine
5429976777.quar                         File Size: 1982      BYTES FileVersion:  N/A            MD5: [5e236b7282b38abe4b16a27bf9554e96]
5432381411.data                         File Size: 735       BYTES FileVersion:  N/A            MD5: [b40ef2e9422184ba397f528769613f07]
5432381411.quar                         File Size: 292569    BYTES FileVersion:  N/A            MD5: [6037c8a7791b3b903db0f1986b9ace2c]
5502722075.data                         File Size: 733       BYTES FileVersion:  N/A            MD5: [e4e297b65a869d257b56c8d5698b0a20]
5502722075.quar                         File Size: 411182    BYTES FileVersion:  N/A            MD5: [8f088dd8a50293ff59f6320b25b6e0fe]
5643844558.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [71d61cb9225e2645fb0e5d316ce4c446]
5643844558.quar                         File Size: 405504    BYTES FileVersion:  N/A            MD5: [c1a8c72d20839dc9217372876ecc0808]
5727179227.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [c7c468949830fafddd61147f38823c3b]
5727179227.quar                         File Size: 114688    BYTES FileVersion:  N/A            MD5: [cb3c31169ed38c42e320882be07d1361]
6025419400.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [1ff84a755d0502be1124ce20d9e1a12f]
6025419400.quar                         File Size: 325166    BYTES FileVersion:  N/A            MD5: [832725d774607d8bc248b8ca96433c0d]
6083096003.data                         File Size: 715       BYTES FileVersion:  N/A            MD5: [c1ccbc4d9f294374fc57e5f57d247aa6]
6083096003.quar                         File Size: 840       BYTES FileVersion:  N/A            MD5: [a48e23ee97dfca18fb22dd7a2e6243a0]
6306976483.data                         File Size: 748       BYTES FileVersion:  N/A            MD5: [07d9e38ba6bfb173c310e1c8295e4d60]
6306976483.quar                         File Size: 412       BYTES FileVersion:  N/A            MD5: [613336d324827ab976a24cc45e120f37]
6408801730.data                         File Size: 894       BYTES FileVersion:  N/A            MD5: [2b593794786912cbead9a524fb6cdddb]
6505917030.data                         File Size: 852       BYTES FileVersion:  N/A            MD5: [c0faeb87994cf8cb8c4a70f2f1f439a0]
6507414577.data                         File Size: 712       BYTES FileVersion:  N/A            MD5: [03a1629d74dbf1f84dcaa2ff0e6d6491]
6507414577.quar                         File Size: 15872     BYTES FileVersion:  N/A            MD5: [b76dd4c0b75d1280022c65d1d15b6706]
6529385627.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [937f2d17fa455cee541534503292e9e0]
6529385627.quar                         File Size: 2054      BYTES FileVersion:  N/A            MD5: [d9a48d10909e8cb25465fca3e4ad0306]
6565939587.data                         File Size: 715       BYTES FileVersion:  N/A            MD5: [05ad8b5526cfd8137b78a4ed757b2016]
6565939587.quar                         File Size: 840       BYTES FileVersion:  N/A            MD5: [bb0470c022e627b32de22421485cda14]
6680122575.data                         File Size: 726       BYTES FileVersion:  N/A            MD5: [720c12f662254459b3a80919945324c5]
6680122575.quar                         File Size: 81920     BYTES FileVersion:  N/A            MD5: [0311b8acb0905a905c17f2cd3111a370]
6762895693.data                         File Size: 715       BYTES FileVersion:  N/A            MD5: [59a0ee4b226e9e55062d283e86d32035]
6762895693.quar                         File Size: 846       BYTES FileVersion:  N/A            MD5: [ee8d89ea9d9306a3fc03125316470beb]
6788893797.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [c91ad7410b0362fa2f33bea11d7467b6]
6788893797.quar                         File Size: 405504    BYTES FileVersion:  N/A            MD5: [c1a8c72d20839dc9217372876ecc0808]
6808612652.data                         File Size: 726       BYTES FileVersion:  N/A            MD5: [255715119fd1fb2c433c21fc5fa7f5ac]
6808612652.quar                         File Size: 538112    BYTES FileVersion:  N/A            MD5: [86d84650c902bb4c355b44c27b3ec579]
6848170284.data                         File Size: 691       BYTES FileVersion:  N/A            MD5: [c83ae552ebcde48c547321b97dff107b]
6848170284.quar                         File Size: 292370    BYTES FileVersion:  N/A            MD5: [c0f3a10549654cb63fce7c0b15ad39ea]
7192841095.data                         File Size: 705       BYTES FileVersion:  N/A            MD5: [03393f24e9cf6de44f24a01ece077e2d]
7192841095.quar                         File Size: 153       BYTES FileVersion:  N/A            MD5: [aa472cdc5f57c683d4beef3fc08be4c8]
7203374600.data                         File Size: 849       BYTES FileVersion:  N/A            MD5: [608ffd1b77270b9961a58642b3a67861]
7355756003.data                         File Size: 715       BYTES FileVersion:  N/A            MD5: [584ca63b11a6b9a26a439d3f459edcb8]
7355756003.quar                         File Size: 840       BYTES FileVersion:  N/A            MD5: [0dae11842564583bbf56b80a85bb9a14]
7446124468.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [e95680bc8b21a08b4b8126446ec32c26]
7446124468.quar                         File Size: 159136    BYTES FileVersion:  N/A            MD5: [f7cc77a90fc5333f1f3c0c33bd10950c]
7506325109.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [27bddcb907964f0e70d1cf7348138a11]
7506325109.quar                         File Size: 2030      BYTES FileVersion:  N/A            MD5: [8bbadfc83cfc9b8580903c457e463e45]
7737507426.data                         File Size: 851       BYTES FileVersion:  N/A            MD5: [5237839d487a9577c0236a08bca80b3b]
7766888964.data                         File Size: 735       BYTES FileVersion:  N/A            MD5: [1c468ef423f1cd3d136e906fbff247c6]
7766888964.quar                         File Size: 292370    BYTES FileVersion:  N/A            MD5: [7c722ff65e3a73afa741a48fb24500b4]
7790030276.data                         File Size: 719       BYTES FileVersion:  N/A            MD5: [b2bef1361dcb5fee12f02aedda58f1e8]
7790030276.quar                         File Size: 291381    BYTES FileVersion:  N/A            MD5: [b1b6c590ff756cce47ca50d2a07bdefd]
7803596614.data                         File Size: 724       BYTES FileVersion:  N/A            MD5: [575ca0b299446c2396890cf31da03dc2]
7803596614.quar                         File Size: 225792    BYTES FileVersion:  N/A            MD5: [e205e12451ac2a73d10de789cb43078e]
7877464804.data                         File Size: 846       BYTES FileVersion:  N/A            MD5: [c3c32023961bc0a761199e47a7904762]
7911265697.data                         File Size: 836       BYTES FileVersion:  N/A            MD5: [f69002cf532be703088fac9157357e43]
7980477988.data                         File Size: 725       BYTES FileVersion:  N/A            MD5: [8f1414a9f2542f91cc17bfebe7501137]
7980477988.quar                         File Size: 401408    BYTES FileVersion:  N/A            MD5: [b29941ea624ff6001d6631ccdf446cf7]
8050454666.data                         File Size: 694       BYTES FileVersion:  N/A            MD5: [2abafa47d006b314c1e424268fc39c89]
8050454666.quar                         File Size: 292569    BYTES FileVersion:  N/A            MD5: [c2c2375deb3e803e583f815306ca9b8f]
8259559886.data                         File Size: 842       BYTES FileVersion:  N/A            MD5: [1df34f7a04774e3b2fabe984f47fd66d]
8462372528.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [a2ce2c706c125a65fa3327be3c7a7163]
8462372528.quar                         File Size: 1982      BYTES FileVersion:  N/A            MD5: [1f1e068eed99cd9091ee4dd205f0343e]
8580386102.data                         File Size: 725       BYTES FileVersion:  N/A            MD5: [92786eb94e0a0ff8137300363f52bd9a]
8580386102.quar                         File Size: 401408    BYTES FileVersion:  N/A            MD5: [b29941ea624ff6001d6631ccdf446cf7]
8800701071.data                         File Size: 715       BYTES FileVersion:  N/A            MD5: [00666abd702a60a69a9ee70c066c683e]
8800701071.quar                         File Size: 8192      BYTES FileVersion:  N/A            MD5: [4ab24192e5117b67db43441c8b5b9da2]
8857757080.data                         File Size: 719       BYTES FileVersion:  N/A            MD5: [e0422db76028beebfed27d7c4a798239]
8857757080.quar                         File Size: 291381    BYTES FileVersion:  N/A            MD5: [8ff2c7bf9b3cbbf90b003c9260db9fb6]
9056894386.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [43fb1b321789876f716ec7ac341d3db5]
9056894386.quar                         File Size: 325166    BYTES FileVersion:  N/A            MD5: [832725d774607d8bc248b8ca96433c0d]
9085974147.data                         File Size: 715       BYTES FileVersion:  N/A            MD5: [c3965770f1349b12ecac55a3c3699fbb]
9085974147.quar                         File Size: 840       BYTES FileVersion:  N/A            MD5: [2618547bf883f2f42b9d045cb2a0c1c4]
9089155648.data                         File Size: 923       BYTES FileVersion:  N/A            MD5: [b5a5e03c172992c00f2c29902603f508]
9199743098.data                         File Size: 733       BYTES FileVersion:  N/A            MD5: [044dd3dd4471014725aa482489cc09b3]
9199743098.quar                         File Size: 411182    BYTES FileVersion:  N/A            MD5: [9fdb3714133a19eae0e31dfcd5a1bef6]
9364550713.data                         File Size: 693       BYTES FileVersion:  N/A            MD5: [02111a542ee04e67e3817e4d441740a4]
9364550713.quar                         File Size: 299008    BYTES FileVersion:  N/A            MD5: [f983b141f6781f81e0b91c6de2424ec7]
9371945216.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [f7e808b0731d4cc652f0df70f7d874b5]
9371945216.quar                         File Size: 382848    BYTES FileVersion:  N/A            MD5: [aa9cdfdeda6616ee5e6dd01598d9d56e]
9379978457.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [43050b8918601f28ade17b2988fa3483]
9379978457.quar                         File Size: 382848    BYTES FileVersion:  N/A            MD5: [aa9cdfdeda6616ee5e6dd01598d9d56e]
9649590772.data                         File Size: 705       BYTES FileVersion:  N/A            MD5: [22f9745b437b21d5141e34bc51ce6523]
9649590772.quar                         File Size: 180096    BYTES FileVersion:  N/A            MD5: [14d93504e0b0bd9ca9aadd25c9fb3810]
9696106265.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [dbdda55005ec4a2f1acd9743fb2554a7]
9696106265.quar                         File Size: 113152    BYTES FileVersion:  N/A            MD5: [1c26116298f9974ae09adbb90186df4e]
9728234096.data                         File Size: 735       BYTES FileVersion:  N/A            MD5: [f4e5d977fce0cfc358fac03ea96114bb]
9728234096.quar                         File Size: 291381    BYTES FileVersion:  N/A            MD5: [ae81df07355c043dbb3427b3e4faddc8]
9734924798.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [3c2b6246a874a2ea984a399dea64b834]
9734924798.quar                         File Size: 325166    BYTES FileVersion:  N/A            MD5: [aa9c30bc7639f67f9cc750d2c4275f3b]
9754907311.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [ca589c1e37a1bafb3a18eb67606ce181]
9754907311.quar                         File Size: 325166    BYTES FileVersion:  N/A            MD5: [3c796155ef2d24a9b600a20c304ba280]
9803845187.data                         File Size: 694       BYTES FileVersion:  N/A            MD5: [d3904c9219e715366ad31bee3d5b5678]
9803845187.quar                         File Size: 274944    BYTES FileVersion:  N/A            MD5: [826be82c136a5ebebe20eaeab22a3de7]
9878391374.data                         File Size: 730       BYTES FileVersion:  N/A            MD5: [818d27a2496732fee62b8b8d7523a8bf]
9878391374.quar                         File Size: 325166    BYTES FileVersion:  N/A            MD5: [4a41675dda667e6e59e515a53090946e]
9905637995.data                         File Size: 725       BYTES FileVersion:  N/A            MD5: [61e874c302529be21aa549a591f97528]
9905637995.quar                         File Size: 916480    BYTES FileVersion:  N/A            MD5: [610d585000b7fc61699ed05f0608c42d]
9978139258.data                         File Size: 727       BYTES FileVersion:  N/A            MD5: [a460ea615fd5cc94edb82c444708e041]
9978139258.quar                         File Size: 159136    BYTES FileVersion:  N/A            MD5: [f7cc77a90fc5333f1f3c0c33bd10950c]
 
--------------------------------------/Malwarebytes-----------------------------------------------------------
 
--------------------------------------TDSSKiller---------------------------------------------------------------
 
This log is disgustingly large, here's a pastebin: http://pastebin.com/z3jHAqDb
 
--------------------------------------/TDSSKiller---------------------------------------------------------------
 
Malwarebytes: no threats found (quarantine is from a while ago).
TDSSKiller: no threats found.
 
Thought I was onto something again after installing the TDSS monitor and rebooting; the 2nd explorer.exe didn't come back. After another reboot, it's back, though it seems to have a more delayed start now (2-5 minutes after boot)(possibly why I didn't see it during TDSS). It's also taking several minutes to come back after killing the "real" explorer.exe and re-launching it (>2 minutes, used to be within seconds).

Edited by cloud10again, 21 November 2014 - 01:18 PM.


#5 dc3


Posted 21 November 2014 - 04:04 PM

Please download and install Emsisoft.
 
1.  When Emsisoft opens click on Update.
 
2.  Click on Full Scan.
 
3.  After the scan has completed the results will be displayed.  Make sure there is a check in the box of each item found, then click on Quarantine.
 
4.  After the items have been quarantined click on OK.
 
5.  After the quarantine has been completed click on Logs.
 
6.  Click on Export and save the log to a location which you will be able to find and open.  Open the log, copy and then paste the log in your topic.
 

 


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to have the time to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

  • Click on this link to open ESET OnlineScan in a new window.
  • The ESET Online Scanner page will open, click on Yes, I agree to the terms of use, then click on Start, the scan will now begin.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#6 cloud10again


Posted 24 November 2014 - 01:41 PM

Thought we were onto something again... ESET found some stuff, but after fixing them and rebooting, the problem was back. ESET reports no issues now. EMSISOFT smart and deep scan both report nothing.

 

---------------------------------------ESET------------------------------------------------------

 

C:\Users\All Users\RogueKiller\Quarantine\9A5DC46B0BDEFDCA.reg Win32/Poweliks.C trojan
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
C:\ProgramData\RogueKiller\Quarantine\9A5DC46B0BDEFDCA.reg Win32/Poweliks.C trojan cleaned by deleting - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\Erktion\ExcDump.dll a variant of Win32/Packed.Themida potentially unwanted application deleted - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\Temp\19a24\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TDTDHIQ4\aynt2p07ob[1].htm JS/Exploit.Agent.NHV trojan cleaned by deleting - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\Temp\1d34\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LUQY1ODX\83yhv6vej9[1].htm JS/Exploit.Agent.NHV trojan cleaned by deleting - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\Temp\3514\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NZ2V436P\hbczxszi4d[1].htm JS/Exploit.Agent.NHX trojan cleaned by deleting - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\Temp\7ed4\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S47E49X2\jkme2ic1m0[1].htm JS/Exploit.Agent.NHV trojan cleaned by deleting - quarantined
C:\Users\Patti.PATTIDELL\AppData\Local\YnPack\axvlc.dll a variant of Win32/Packed.Themida potentially unwanted application deleted - quarantined
C:\Users\Patti.PATTIDELL\AppData\Roaming\Mozilla\Firefox\Profiles\w7v7kj2t.default\extensions\{7E4CB059-7A2C-295C-07EB-830F6CB8200A}\components\WscIsvIfProxyStub.js Win32/Boaxxe.BU trojan cleaned by deleting - quarantined
 
---------------------------------/ESET----------------------------------------------------------
 
--------------------------------EMSISOFT----------------------------------------------------
 
Emsisoft Emergency Kit - Version 9.0
Last update: 11/24/2014 9:06:40 AM
User account: PATTIDELL\Patti
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 11/24/2014 9:08:00 AM
 
Scanned 1155143
Found 0
 
Scan end: 11/24/2014 12:11:00 PM
Scan time: 3:03:00
 
-------------------------------------------------------------------------------

Edited by cloud10again, 24 November 2014 - 01:42 PM.


#7 dc3


Posted 24 November 2014 - 01:43 PM

 
Please download Powelikscleaner (by ESET) and save it to your Desktop.
 
1.  Double-click on ESETPoweliksCleaner.exe to start the tool.
 
2.  Read the terms of the End-user license agreement and click Agree.
 
3.  The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
 
4.  If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
 
The tool will produce a log in the same directory the tool was run from.
 
Please copy and paste the log in your next reply.


#8 cloud10again


Posted 24 November 2014 - 01:46 PM

 

 
Please download Powelikscleaner (by ESET) and save it to your Desktop.
 
 

 

 

Well I did that at the beginning, and many times after, and it's always turned up clean since that first time.



#9 dc3


Posted 24 November 2014 - 02:05 PM

You do not need to quote my posts, please don't in the future.

 

Try running the scan in Safe Mode.

 

The first item quarantined in post #6 is C:\Users\All Users\RogueKiller\Quarantine\9A5DC46B0BDEFDCA.reg Win32/Poweliks.C trojan


Edited by dc3, 24 November 2014 - 02:06 PM.


#10 cloud10again


Posted 24 November 2014 - 04:48 PM

Safe mode:

 

---------------------------------------------------------------------------

 

[2014.11.24 15:27:56.713] - Begin
[2014.11.24 15:27:56.713] - 
[2014.11.24 15:27:56.713] -     ....................................
[2014.11.24 15:27:56.728] -   ..::::::::::::::::::....................
[2014.11.24 15:27:56.728] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2014.11.24 15:27:56.728] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2014.11.24 15:27:56.728] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2014.11.24 15:27:56.728] -  .::EE:::::::::::::SS:.EE..........TT......
[2014.11.24 15:27:56.728] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2014.11.24 15:27:56.728] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2014.11.24 15:27:56.728] -     ....................................
[2014.11.24 15:27:56.728] - 
[2014.11.24 15:27:56.728] - --------------------------------------------------------------------------------
[2014.11.24 15:27:56.728] - 
[2014.11.24 15:27:56.728] - INFO: OS: 6.1.7601 SP1
[2014.11.24 15:27:56.728] - INFO: Product Type: Workstation
[2014.11.24 15:27:56.728] - INFO: WoW64: True
[2014.11.24 15:27:56.728] - INFO: Machine guid: 0680A5E8-6A84-4981-AAEF-5A77D9A5FC63 
[2014.11.24 15:27:56.728] - 
[2014.11.24 15:27:59.833] - INFO: Scanning for system infection...
[2014.11.24 15:27:59.833] - --------------------------------------------------------------------------------
[2014.11.24 15:27:59.833] - 
[2014.11.24 15:27:59.833] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.24 15:27:59.833] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.24 15:27:59.833] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.24 15:27:59.833] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.24 15:27:59.833] - INFO: Processing classes...
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\.DEFAULT\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{0FC964BD-1C07-4FE9-B272-0DFA38EC5A9F}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{6F8C2879-4244-495D-901A-5B763F9551D1}]
[2014.11.24 15:27:59.833] - INFO: Processing clsid [\Registry\User\S-1-5-18\SOFTWARE\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}]
[2014.11.24 15:27:59.833] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.24 15:27:59.833] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.24 15:27:59.833] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.24 15:27:59.833] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.24 15:27:59.833] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.24 15:27:59.833] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2014.11.24 15:27:59.833] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.24 15:27:59.833] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.24 15:27:59.833] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.24 15:27:59.833] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.24 15:27:59.833] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.24 15:27:59.833] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.24 15:27:59.833] - INFO: Win32/Poweliks not found
[2014.11.24 15:28:04.544] - End


#11 dc3


Posted 24 November 2014 - 04:55 PM

[2014.11.24 15:27:59.833] - INFO: Win32/Poweliks not found



#12 cloud10again


Posted 24 November 2014 - 05:09 PM

Yes, that's what it's been saying all along since it cleaned it the first time.


Edited by cloud10again, 24 November 2014 - 05:24 PM.


#13 cloud10again


Posted 24 November 2014 - 05:58 PM

Thanks for trying to help.

 

I'm officially "giving up" I guess. Adding a block in Windows Firewall on Explorer seems to have "fixed" it (if I disable it it'll come right back), so I'm going to go for that instead of re-installing.
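
The symptom this thread describes (an explorer.exe running under another explorer.exe and opening hundreds of TCP connections) can be checked from saved `wmic process` and `netstat -ano` output. The Python script below is an added example, not something posted by anyone in the thread; the sample data, the function names and the 50-host threshold are assumptions made for illustration.

```python
"""Flag an explorer.exe that runs under another explorer.exe and talks to many
remote hosts. Inputs are saved text from two built-in Windows commands:
    wmic process get Name,ParentProcessId,ProcessId /format:csv
    netstat -ano -p tcp
All sample data below is constructed for illustration."""
import csv
from collections import defaultdict

# Constructed process list: PID 3312 is an explorer.exe whose parent (2100)
# is also explorer.exe. The parent of 2100 has already exited, as is normal.
SAMPLE_PROCESSES = """\
Node,Name,ParentProcessId,ProcessId
LAPTOP,svchost.exe,560,904
LAPTOP,explorer.exe,1980,2100
LAPTOP,explorer.exe,2100,3312
LAPTOP,firefox.exe,2100,4000
"""


def build_sample_netstat():
    """Constructed netstat text: one listener, one browser session and
    120 sessions owned by PID 3312 to documentation addresses (203.0.113.0/24)."""
    lines = [
        "",
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904",
        "  TCP    192.168.1.20:49160     198.51.100.7:443       ESTABLISHED     4000",
    ]
    for i in range(1, 121):
        lines.append(f"  TCP    192.168.1.20:{50000 + i}     203.0.113.{i}:80"
                     f"        ESTABLISHED     3312")
    return "\n".join(lines) + "\n"


def parse_processes(text):
    """Return {pid: (lowercased image name, parent pid)} from wmic CSV output."""
    rows = csv.DictReader(line for line in text.splitlines() if line.strip())
    return {int(r["ProcessId"]): (r["Name"].lower(), int(r["ParentProcessId"]))
            for r in rows}


def parse_netstat(text):
    """Return {pid: set of remote hosts} for TCP rows that are not listeners."""
    peers = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        # A TCP data row has exactly: proto, local, foreign, state, pid.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] == "LISTENING":
            continue
        remote_host = parts[2].rsplit(":", 1)[0]  # strip the port
        peers[int(parts[4])].add(remote_host)
    return dict(peers)


def find_nested_explorers(processes, peers, min_peers=50):
    """List explorer.exe processes whose live parent is also explorer.exe and
    that hold connections to at least min_peers distinct remote hosts.
    min_peers is an assumed threshold; tune it for the machine in question.
    Windows reuses PIDs, so confirm the parent link on the live system."""
    findings = []
    for pid, (name, ppid) in sorted(processes.items()):
        parent = processes.get(ppid)
        if name != "explorer.exe" or parent is None or parent[0] != "explorer.exe":
            continue
        count = len(peers.get(pid, ()))
        if count >= min_peers:
            findings.append({"pid": pid, "parent_pid": ppid, "remote_hosts": count})
    return findings


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_PROCESSES)
    conns = parse_netstat(build_sample_netstat())
    for hit in find_nested_explorers(procs, conns):
        print("nested explorer.exe pid={pid} parent={parent_pid} "
              "remote hosts={remote_hosts}".format(**hit))
```

To use it on a real machine, save the output of the two commands to text files and pass their contents to `parse_processes` and `parse_netstat`.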





