pallino Posted January 2, 2015
Since I'll be travelling till next Tuesday, I also upload the logs of my first laptop (I hope it helps; if not, please forgive me if I already started AVZ), the one that alarmed me at the beginning... HitmanPro.Alert told me Firefox is compromised, the DISM command gave error 87, sfc /scannow gave errors, e.g. beep.sys, TDSSKiller first found unsigned files, then no more... a proxy appeared in the configs... slow at boot, mostly after the password is entered... I'm really concerned and I'm sorry if it's just "paranoia"... I really appreciate your help, patience and time!!! Thank you!!!
Attachments: a2scan_150102-112944.txt, Addition.txt, FRST.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted January 3, 2015
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: H - H:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {0d7ecc8e-0add-11e2-9521-20107a274802} - G:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {29dd296d-1521-11e2-94ea-001e101f8aaa} - G:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {c80cc177-0a40-11e2-9cfc-20107a274802} - G:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {cb932e8e-1699-11e2-aa63-001e101f8924} - H:\AutoRun.exe
HKU\S-1-5-21-1094131024-318668930-3021465862-1000\...\MountPoints2: {e4025b9a-098b-11e2-9761-082e5f866291} - G:\AutoRun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\S-1-5-21-1094131024-318668930-3021465862-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
Toolbar: HKU\S-1-5-21-1094131024-318668930-3021465862-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-1094131024-318668930-3021465862-1000 -> No Name - {9C65D12D-CF9D-454D-8049-61965D8C6FFF} - No File
C:\Users\Guest\AppData\Local\Temp\vlc-2.1.5-win32.exe
AlternateDataStreams: C:\Users\andrea\Downloads\2012 Paid Holidays for U.S. TIers.eml:OECustomProperty
AlternateDataStreams: C:\Users\andrea\Downloads\ashampoo_winoptimizer_2014_1.0.0_16444.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\ashampoo_winoptimizer_free_1.0.0_sm.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\download-ninja.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\herdProtectScan_Setup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\leaktest.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\mbae-setup-1.03.1.1220.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\MBRCheck.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\MicrosoftFixit.dvd.MATSKB.Run.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\OCCleanupTool.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\okayfreedomintdle11.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\revosetup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\RevoUninProSetup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\ScanNowUPnP.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\SD1.4.0.519_Setup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\SecurityKISSsetup.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\SetupAnyDVD7490.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\sp63258.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\strap.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\VMware-workstation-full-10.0.2-1744117.exe:BDU
AlternateDataStreams: C:\Users\andrea\Downloads\wlsetup-web.exe:BDU

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.

Close all windows, then double click on AVZ.exe.
Click File > Custom scripts.
Copy & paste the below code into the text box in the program. Note: When you run the script, your PC will be restarted.
(no script was included in this post)
Click Run.
Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
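The fixlist above removes a long list of alternate data streams (ADS) from downloaded installers. Before deleting streams it is worth seeing what they are: the following PowerShell script is an added example, not code from the thread or from the FRST tool, that lists every named stream under a folder, previews the Mark-of-the-Web stream that browsers write, and groups the results by stream name. The default folder is an assumption (the current user's Downloads); the `:BDU` name from the log is generally attributed to a Bitdefender download-scan tag, which the poster says was installed, but the thread itself does not say what wrote it.

```powershell
# Added example, not from the thread: enumerate alternate data streams under a folder so
# that FRST "AlternateDataStreams:" entries can be reviewed before removal.
# Assumption: $Path is a placeholder; point it at the folder named in the FRST log.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every named stream; ':$DATA' is the file's own content, so skip it.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $preview = ''
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # Zone.Identifier is the Mark-of-the-Web; ZoneId=3 means the file came from the Internet.
                        $raw = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                        $preview = ($raw -replace "`r?`n", ' ').Trim()
                    }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Preview = $preview
                    }
                }
        }
}

function Remove-AdsStream {
    # Deletes one named stream; the file's main content is not touched.
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    Remove-Item -LiteralPath $File -Stream $Stream
}

$report = @(Get-AdsReport -Folder $Path)
$report | Sort-Object Stream, File | Format-Table -AutoSize

# Group by stream name. The same short vendor-style stream on many downloaded installers
# is consistent with a scanner tagging files; a large or unique stream deserves a closer look.
$report | Group-Object Stream | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as the affected user; to remove a single stream after review, call `Remove-AdsStream -File <path> -Stream <name>`. Stream length is the useful discriminator: a tag stream is a few bytes, while a stream large enough to hold a PE file is the case the ADS checks in these tools exist for.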
pallino Posted January 3, 2015
Hello Kevin, thank you!!! Please find attached the Fbar log. I couldn't run the script in AVZ, can you please check it? What do you think is going on on this laptop? Thank you. Have a great weekend!
Attachments: Fixlog.txt
ShadowPuterDude Posted January 5, 2015
Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply.
pallino Posted January 7, 2015
Hello Kevin, please find attached the new reports. I also tried to run AVZ but "the program stopped working" and was closed. Thank you!
Attachments: Addition.txt, FRST.txt, a2scan_150107-004613.txt
ShadowPuterDude Posted January 7, 2015
Close all windows, then double click on AVZ.exe.
Click File > Custom scripts.
Copy & paste the below code into the text box in the program. Note: When you run the script, your PC will be restarted.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DeleteService('vhjrap');
DeleteService('icquni');
DeleteFile('icquni.sys','32');
DeleteFile('vhjrap.sys','32');
ExecuteSysClean;
RebootWindows(true);
end.

Click Run.
Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
pallino Posted January 8, 2015
Hello Kevin, I attached the new AVZ report. What did you/AVZ find before? What were the icquni and the vhjrap? I think it starts a little bit faster, but still not as "before". Today when I restarted the laptop, before running the script, I got a message that asked me if I wanted to change a startup entry (apparently CCleaner). Since I didn't install anything in the last days (I was travelling), I denied. At the next reboot, the laptop started with an Explorer window open at c:/program files/............./"AutorunsDisabled"..... Thank you again for your help!
Attachments: virusinfo_syscheck.zip, Addition.txt, FRST.txt
ShadowPuterDude Posted January 8, 2015
AutoRuns is by default in all Windows systems since XP SP3. So, there is no need to do anything special to disable AutoRuns.
Close all windows, then double click on AVZ.exe.
Click File > Custom scripts.
Copy & paste the below code into the text box in the program. Note: When you run the script, your PC will be restarted.

begin
DelBHO('AutorunsDisabled');
ExecuteSysClean;
end.

Click Run.
Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
pallino Posted January 9, 2015
Windows now starts with an Explorer window open at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled (snapshot attached)... don't know why... Tried to update Windows: since 31-12 only Defender definitions have been available. During the download the Windows Update page froze. Did I get a rootkit, or what did you find? Thank you.
Attachments: Addition.txt, FRST.txt, virusinfo_syscheck.zip
ShadowPuterDude Posted January 9, 2015
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Handler: AutorunsDisabled - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: AutorunsDisabled - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Filter: AutorunsDisabled - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
Filter-x32: AutorunsDisabled - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
AlternateDataStreams: C:\Users\andrea\Downloads\2012 Paid Holidays for U.S. TIers.eml:OECustomProperty

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.
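The "AutorunsDisabled" folder and the Handler/Filter entries of that name in this fixlist are the footprint of Sysinternals Autoruns: when an entry is unchecked there, a Startup-folder item is moved into an "AutorunsDisabled" subfolder and a registry autostart or protocol-handler entry is moved under an "AutorunsDisabled" subkey. A subfolder sitting inside the Startup folder is itself "launched" at logon, and launching a folder opens it in Explorer, which matches the window the poster saw. The script below is an added example, not part of the thread or of Autoruns, that finds those parked locations so they can be reviewed instead of guessed at. The registry roots it walks are the usual autostart and PROTOCOLS locations, an assumption on my part; none of the GUIDs or paths from this machine's log are hard-coded.

```powershell
# Added example, not from the thread: locate folders and registry keys named
# "AutorunsDisabled", which is where Sysinternals Autoruns parks unchecked entries.
# Assumption: the roots listed below are the usual autostart and protocol-handler
# locations; adjust them if the FRST log points somewhere else.

function Find-AutorunsDisabledFolders {
    $startupFolders = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($folder in $startupFolders) {
        $parked = Join-Path $folder 'AutorunsDisabled'
        if (-not (Test-Path -LiteralPath $parked)) { continue }
        $items = @(Get-ChildItem -LiteralPath $parked -Force -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Location = $parked
            Kind     = 'StartupFolder'
            Count    = $items.Count
            Entries  = ($items | ForEach-Object { $_.Name }) -join '; '
        }
    }
}

function Find-AutorunsDisabledKeys {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion',
        'HKLM:\SOFTWARE\Classes\PROTOCOLS',              # Handler and Filter keys live here
        'HKLM:\SOFTWARE\Classes\Wow6432Node\PROTOCOLS'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq 'AutorunsDisabled' } |
            ForEach-Object {
                $key     = $_
                $values  = @(foreach ($v in $key.GetValueNames()) { '{0} = {1}' -f $v, $key.GetValue($v) })
                $subkeys = @($key.GetSubKeyNames())
                [pscustomobject]@{
                    Location = $key.Name
                    Kind     = 'RegistryKey'
                    Count    = $values.Count + $subkeys.Count
                    Entries  = ($values + $subkeys) -join '; '
                }
            }
    }
}

$findings = @(Find-AutorunsDisabledFolders) + @(Find-AutorunsDisabledKeys)
if ($findings.Count -eq 0) { 'No AutorunsDisabled folders or registry keys found.' }
else { $findings | Format-List }
```

Run it elevated so the HKLM branches are readable. What it reports are entries somebody deliberately disabled, not malware; the decision is whether to re-enable them in Autoruns or delete the parked copies, and an empty "AutorunsDisabled" folder under Startup can simply be removed, which is what the fixlist does.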
pallino Posted January 11, 2015
Autoruns window disappeared! Thank you. The system is running better but still not "smooth"; sometimes it is slow to respond (e.g. to close a window).... What did you see so far, what did I have? Thank you.
Attachments: Addition.txt, FRST.txt, Fixlog.txt
pallino Posted January 11, 2015
I forgot one question... Is the AVZ info below from the scan report normal?

1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtAllocateVirtualMemory (198) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
Function ntdll.dll:NtFreeVirtualMemory (311) intercepted, method - APICodeHijack.JmpTo[74A18E96]
Function ntdll.dll:NtProtectVirtualMemory (396) intercepted, method - APICodeHijack.JmpTo[74A18D76]
Function ntdll.dll:ZwAllocateVirtualMemory (1450) intercepted, method - APICodeHijack.JmpTo[74A18CE6]
Function ntdll.dll:ZwFreeVirtualMemory (1562) intercepted, method - APICodeHijack.JmpTo[74A18E96]
Function ntdll.dll:ZwProtectVirtualMemory (1646) intercepted, method - APICodeHijack.JmpTo[74A18D76]

Thank you!
ShadowPuterDude Posted January 12, 2015
Any number of things could be responsible for those entries in the AVZ log, most of which are not malicious. Your system had mostly Alternate Data Streams and a few orphaned entries. How are things running?
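The AVZ lines quoted in the previous post mean that the first instruction of each listed ntdll export had been replaced by a JMP to an address outside ntdll (the Nt* and Zw* names are aliases of the same stub, which is why they pair up with identical targets). The memory-allocation and protection calls are exactly the ones that exploit-mitigation tools hook, and the poster reports installing two such tools earlier in the thread, so the answer above is consistent with that. What the log does not say is which module owns the target address, and that is the one fact that separates a benign hook from an injected one. The script below is an added example, not code from the thread or from AVZ, that reproduces the check in PowerShell: it reads the prologue of selected ntdll exports in the current process, classifies it, and names the loaded module containing any jump target. It assumes you run it with the same bitness as the scanner you are comparing against (AVZ is a 32-bit program, so the 32-bit PowerShell under SysWOW64 sees the same WOW64 ntdll it saw) and that the clean stub shapes are the documented x86 `mov eax, <number>` and x64 `mov r10, rcx; mov eax, <number>` sequences.

```powershell
# Added example, not from the thread: reproduce AVZ's "APICodeHijack.JmpTo[...]" check for
# a few ntdll exports in the current process and name the module that owns the jump target.
# Assumption: run it in the same bitness as the scanner being compared. AVZ is 32-bit, so
# use %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe to inspect the WOW64 ntdll.

if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
}

function Resolve-OwningModule {
    # Return the name of the loaded module whose image range contains $Address.
    param([long]$Address)
    foreach ($m in (Get-Process -Id $PID).Modules) {
        $base = $m.BaseAddress.ToInt64()
        if ($Address -ge $base -and $Address -lt ($base + $m.ModuleMemorySize)) { return $m.ModuleName }
    }
    return '(no loaded module)'
}

function Get-NtdllExportPrologue {
    param([string[]]$Functions = @('NtAllocateVirtualMemory', 'NtFreeVirtualMemory',
                                   'NtProtectVirtualMemory', 'NtWriteVirtualMemory',
                                   'NtCreateThreadEx', 'NtMapViewOfSection'))
    $ntdll = [Win32.Native]::GetModuleHandle('ntdll.dll')
    if ($ntdll -eq [IntPtr]::Zero) { throw 'ntdll.dll is not mapped in this process' }
    $is64 = [IntPtr]::Size -eq 8

    foreach ($name in $Functions) {
        $addr = [Win32.Native]::GetProcAddress($ntdll, $name)
        if ($addr -eq [IntPtr]::Zero) { continue }
        $bytes = New-Object byte[] 8
        [System.Runtime.InteropServices.Marshal]::Copy($addr, $bytes, 0, $bytes.Length)

        $verdict = 'clean stub'; $target = $null
        if ($bytes[0] -eq 0xE9) {
            # E9 rel32: relative JMP, the pattern AVZ reports as JmpTo[<target>]
            $target  = $addr.ToInt64() + 5 + [BitConverter]::ToInt32($bytes, 1)
            $verdict = 'hooked (jmp rel32)'
        }
        elseif ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0x25) {
            # FF 25: JMP through a pointer slot (RIP-relative on x64, absolute on x86)
            if ($is64) { $slot = $addr.ToInt64() + 6 + [BitConverter]::ToInt32($bytes, 2) } else { $slot = [long][BitConverter]::ToUInt32($bytes, 2) }
            try { $target = [System.Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr]$slot).ToInt64() } catch { }
            $verdict = 'hooked (jmp indirect)'
        }
        elseif ($bytes[0] -eq 0x68 -and $bytes[5] -eq 0xC3) {
            # 68 imm32 C3: push <address>; ret
            $target  = [long][BitConverter]::ToUInt32($bytes, 1)
            $verdict = 'hooked (push/ret)'
        }
        elseif ($is64 -and -not ($bytes[0] -eq 0x4C -and $bytes[1] -eq 0x8B -and $bytes[2] -eq 0xD1 -and $bytes[3] -eq 0xB8)) {
            $verdict = 'unexpected prologue'   # clean x64 stub starts: mov r10,rcx ; mov eax,<syscall no>
        }
        elseif (-not $is64 -and $bytes[0] -ne 0xB8) {
            $verdict = 'unexpected prologue'   # clean x86 stub starts: mov eax,<syscall no>
        }

        [pscustomobject]@{
            Function = $name
            Address  = '0x{0:X}' -f $addr.ToInt64()
            Bytes    = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
            Verdict  = $verdict
            JmpTo    = if ($null -ne $target) { '0x{0:X}' -f $target } else { '' }
            Owner    = if ($null -ne $target) { Resolve-OwningModule -Address $target } else { '' }
        }
    }
}

Get-NtdllExportPrologue | Format-Table -AutoSize
```

Two caveats matter when reading the output. Hooks of this kind are placed per process by an injected DLL, so the table describes this PowerShell process, not the machine; a security product that only injects into browsers will show nothing here, and a target that resolves to a signed DLL from a product you installed is the benign case. A target that falls in no loaded module, or in a module with no file on disk, is the case worth escalating.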
pallino Posted January 12, 2015
The system is running better but still not "smooth"; sometimes it is slow to respond (e.g. to close a window).... What were the Service('vhjrap') and Service('icquni') and the files ('icquni.sys','32') and ('vhjrap.sys','32') you deleted before? Can I use this laptop again for online banking or is it still not safe/risky? What can I do now? Thank you.
ShadowPuterDude Posted January 12, 2015
They appear to be associated with a Trojan horse. Any system that was infected can never be fully trusted to be safe. I still have a few tools left in my tool box. We can keep looking at the system.
pallino Posted January 12, 2015
Yes, please..... Now it's too late to upload the file for analysis, correct? I would have liked to know the name of the trojan that passed "all the defences" I had on my laptop... and managed to stay hidden from all the tools/AV I used and know..... Do you know what kind of trojan it was? Could it infect other devices on the same network? Or the router? What should I do now? Thank you!
ShadowPuterDude Posted January 13, 2015
Trojans open backdoors to the computer that allow unfettered access to the system. They are not infecters themselves, but can be used to download an infecter.
Read carefully and follow these steps.
Download TDSSKiller and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application.
Click Change parameters.
Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click on the Start Scan button to begin the scan and wait for it to finish. NOTE: Do not use the computer during the scan!
When it finishes, you will either see a report that no threats were found, or a list of detected items.
If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
If any infection or suspected items are found, you will see a results window.
If you have files that are shown to fail the signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects. Make sure that Cure is selected. Important! If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
Click Continue to apply the selected actions. A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder, named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt, which is based on the program version number and the date and time run. Attach this log to your next reply.
pallino Posted January 14, 2015
Hello Kevin, some info/summary that I hope might help........ My doubts started mid September 2014 when Bitdefender IS 2015 told me a virus was found in a file in the Emsisoft folder on this laptop.... I scanned the laptop with everything I had and knew I could use (Bitdefender, Emsisoft EK, Malwarebytes, HitmanPro, Norton Power Eraser, TDSSKiller, aswMBR, Malwarebytes Anti-Rootkit, Emsisoft's MBRCheck beta, ESET online scan... I also scanned with some AV boot CDs created with another laptop).... nothing was found.... online I found it was/could have been a false alarm of Bitdefender. ..... I kept on scanning but no AV ever found/alerted about the Service('vhjrap') and Service('icquni') and the files ('icquni.sys','32') and ('vhjrap.sys','32') you found last week ..... I still have the first TDSSKiller reports from that time; does it help if I upload them? To save time I upload the first ones.... Thank you!
Attachments: TDSSKiller.3.0.0.42_13.01.2015_17.40.27_log.txt, TDSSKiller.3.0.0.40_14.09.2014_14.30.01_log.txt, TDSSKiller.3.0.0.40_14.09.2014_14.16.57_log.txt, TDSSKiller.3.0.0.40_13.09.2014_00.16.38_log.txt
ShadowPuterDude Posted January 14, 2015
The TDSSKiller log looks fine. Changing tools.
Download ComboFix from the link and save it as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop. !!! IMPORTANT !!! Save ComboFix to your Desktop.
NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in its quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc. were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on Combo-Fix and follow the prompts. When finished, ComboFix will produce a log.
NOTE:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion", restart your computer.
Attach logs for: (use the "More Reply Options" button to be able to do this) ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
pallino Posted January 14, 2015
I'll check with ComboFix asap.... thank you! Yesterday I was thinking that at the moment you found something associated with a Trojan horse but we don't know what it was. I was thinking about my other PCs and laptops and about my backups created before today, and about how I/we can figure out what trojan it was and whether the other HDs are infected too or not, since AV and anti-rootkits didn't find these trojans until now. I remembered that I created a backup with Windows, with Macrium Reflect and with Paragon Backup Free..... I have to check if I created the backups before the cleaning or after... I think it was before... How and where can I look for the deleted trojan files? I would like to upload them so that you can analyze them and add detection in Emsisoft.... With what tool/program can I check the USB HDs for this infection (I wouldn't like to reinfect the laptop again)? Thank you as usual for your help!
ShadowPuterDude Posted January 14, 2015
EAM will scan connected USB devices when doing a custom scan.
pallino Posted January 14, 2015
..my fear is EAM might not detect it since it didn't detect it before on scan.... Where could I find the 2 trojan files on the backup? What tool can I use, since I might not see them with Explorer? Thank you.
pallino Posted January 15, 2015
I have good and bad news.. The good news is that the backups were created on the 19th and 20th of November.... the "bad" is that EMSI IS (paranoia mode, custom scan with direct access) doesn't find anything suspect nor infected. Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be? I ran ComboFix; please find attached the new report. How does it look? What do we do now? Thank you!
Attachments: ComboFix.txt
pallino Posted January 15, 2015
As soon as I restarted Kaspersky on this laptop I got alerted that a new program, c:\newtool\pv.3exe, wanted to connect to the Internet... I cannot see it nor the folder in Explorer, and I blocked it.... Checked the report and other files were blocked or added to restricted..
Attachments: Addition.txt, FRST.txt
ShadowPuterDude Posted January 15, 2015
> As soon as I restarted Kaspersky on this laptop I got alerted that a new program, c:\newtool\pv.3exe, wanted to connect to the Internet... I cannot see it nor the folder in Explorer, and I blocked it.... Checked the report and other files were blocked or added to restricted..

That is part of ComboFix. You have significant system damage to critical system files.
pallino Posted January 15, 2015
Very very strange.. this would be the 3rd system with damaged or corrupted files in 6 months.. and this laptop is 2 years old!!!!... Was it like this in the previous logs? Can't it be malware not discovered yet? What about the files deleted by ComboFix in C:\ and in the Windows folder? What do we do now? What can I scan with now???? I don't think we had any signs of corrupted files before........... Windows was working fine till now, no alerts from any AV, the Windows scannow command reported only a problem with beep.sys....... very strange and worrying situation..... Please let me know what I can scan with over the weekend!!! Thank you.
ShadowPuterDude Posted January 16, 2015
The damaged system files did not show in the logs until this last FRST log.
pallino Posted January 16, 2015
That's too strange.. I just installed Windows and Kaspersky's updates and herdProtect. Then ComboFix... nothing more... no crashes... What can I use now to scan?
pallino Posted January 16, 2015
I hope this is not all that can be done!!!!... all this is not normal... how can this laptop get so many corrupted files "overnight" or just after little updates? How did the latest reports look? AVZ for example had many red lines....... Thank you.
ShadowPuterDude Posted January 16, 2015
That could be related to the Trojans that were on the system. Attach a copy of the latest AVZ log.
pallino Posted January 17, 2015
After running ComboFix and restarting the laptop, after all the alerts from KIS, I ran AVZ. I might have restarted the system one more time before running AVZ. First it stopped working with "rich edit line insert error", then with "out of memory while expanding memory stream"... then one log was created (attached log 15-1-15). Today I could run it.... I attached the log. Thank you!
Attachments: virusinfo_syscheck 15-1-15.zip, virusinfo_syscheck.zip
ShadowPuterDude Posted January 19, 2015
Close all windows, then double click on AVZ.exe.
Click File > Custom scripts.
Copy & paste the below code into the text box in the program. Note: When you run the script, your PC will be restarted.

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
DelBHO('AutorunsDisabled');
DeleteService('GDKBFlt');
DeleteService('GDKBBlocker');
BC_DeleteFile('c:\program files (x86)\g data\usb keyboard guard\gd2ndkbb.exe');
DeleteFile('C:\Windows\system32\drivers\GDKBBlocker64.sys','32');
DeleteFile('C:\Windows\system32\drivers\GDKBFlt64.sys','32');
DeleteFile('C:\Program Files (x86)\G DATA\USB KEYBOARD GUARD\GD2NDKBB.exe','32');
DeleteFile('C:\Program Files (x86)\G Data\InternetSecurity\AVK\AVKWCtlX64.exe','32');
DeleteFile('C:\Program Files (x86)\G Data\InternetSecurity\Firewall\GDFwSvcx64.exe','32');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','GDataUsbProtection');
DeleteFile('C:\Users\andrea\Downloads\programmi\antivirus\gdata','32');
DeleteFile('C:\Windows\system32\Tasks\{FFC0F1DA-D755-4C90-AF81-5AF9159BF37C}','64');
DeleteFile('C:\Users\andrea\Downloads\programmi\antivirus\gdata\INT_R_FUL_2015_IS.exe','32');
ExecuteSysClean;
RebootWindows(true);
end.

Click Run.
Restart your PC if it doesn't do it automatically.
Attach a fresh AVZ log. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
pallino Posted January 20, 2015
Hello Kevin, is this program not a legit one, G Data's USB Keyboard Guard? Is this a false positive? https://www.gdatasof...-keyboard-guard Just to be sure before I delete it... I checked the backups I have but I cannot find the older 2 deleted files, neither in windows/system32/drivers, nor in system32, nor in windows... Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be? Would they get copied by a backup program? What program could I use to see them if they are hidden from Windows Explorer? Thank you.
ShadowPuterDude Posted January 21, 2015
You can skip the G Data removal. The G Data entries appeared to be orphaned.
pallino Posted January 21, 2015
Thank you! What can we scan the laptop with now? What can we use as 2nd or 3rd opinion software? What can we do now? I checked the backups I have but I cannot find the older 2 deleted files, neither in windows/system32/drivers, nor in system32, nor in windows... Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be? Would they get copied by a backup program? What program could I use to see them if they are hidden from Windows Explorer? Thank you!
ShadowPuterDude Posted January 21, 2015
> I checked the backups I have but I cannot find the older 2 deleted files, neither in windows/system32/drivers, nor in system32, nor in windows... Where, in what folder, should vhjrap.sys and icquni.sys and other suspect files be?

Both of those should be in the AVZ backup folder.
We have not run RogueKiller yet.
Download RogueKiller from one of the links and save it to your desktop.
Close all programs and disconnect any USB or external drives before running the tool.
Double-click RogueKiller.exe to run the tool (Vista or 7 users: right-click and select Run As Administrator).
Once the Prescan has finished, click Scan.
Once the Status box shows "Scan Finished", just close the program. Don't fix anything!
Attach the RogueKiller report to your next reply. The log can also be found on your desktop, labeled RKreport[X]_S_xxdatexx_xtimex; the highest number [X] is the most recent scan.
pallino Posted January 21, 2015
Hello Kevin, thank you! I checked the AVZ infected and quarantined folders (File > Open infected/quarantined files) but both were empty..... Is this normal? Did AVZ find and delete them, or were these random names that "disappeared"? How/where can I find them? What do we do now? Thank you!
Attachments: Addition.txt, FRST.txt, RKreport_SCN_01212015_003641.log, virusinfo_syscheck.zip
ShadowPuterDude Posted January 21, 2015
I would say that this system is a good candidate for a reinstall of Windows. The logs are not showing any malware. However, there are several 0-byte length system files in the SysWOW64 folder.
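Zero-length binaries in SysWOW64 are the one concrete finding left in this thread, and they are something the owner can verify and act on without another scanner. The script below is an added example, not code from the thread or from FRST, that lists every zero-length .dll, .exe and .sys in System32, System32\drivers and SysWOW64, then looks for intact copies of the same file names in the WinSxS component store (the store that sfc /scannow repairs from) and reports their Authenticode status. It assumes an elevated 64-bit PowerShell on the affected machine; the folder list is an assumption you can extend.

```powershell
# Added example, not from the thread: report zero-length system binaries and whether the
# component store still holds a signed copy that sfc /scannow could restore.
# Assumption: run elevated, in 64-bit PowerShell, on the affected machine.

function Get-ZeroLengthSystemBinaries {
    param([string[]]$Folders = @("$env:SystemRoot\System32",
                                 "$env:SystemRoot\System32\drivers",
                                 "$env:SystemRoot\SysWOW64"))
    $exts = '.dll', '.exe', '.sys'
    foreach ($folder in $Folders) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 0 -and $exts -contains $_.Extension.ToLower() }
    }
}

function Get-ComponentStoreIndex {
    # Map lower-cased file name -> non-empty copies under WinSxS. Slow once, then reused.
    $index = @{}
    Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Recurse -File -Include *.dll, *.exe, *.sys -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            $k = $_.Name.ToLower()
            if (-not $index.ContainsKey($k)) { $index[$k] = @() }
            $index[$k] += $_
        }
    return $index
}

function Get-ZeroLengthReport {
    $zero = @(Get-ZeroLengthSystemBinaries)
    if ($zero.Count -eq 0) { return @() }
    $index = Get-ComponentStoreIndex
    foreach ($f in $zero) {
        $copies = @($index[$f.Name.ToLower()])
        $best   = $copies | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $newest = '(none)'; $status = ''
        if ($best) {
            $newest = $best.FullName
            # A valid signature on the store copy means sfc has a trustworthy source to restore from.
            $status = (Get-AuthenticodeSignature -LiteralPath $best.FullName).Status
        }
        [pscustomobject]@{
            File       = $f.FullName
            Modified   = $f.LastWriteTime
            SxSCopies  = $copies.Count
            NewestCopy = $newest
            CopyStatus = $status
        }
    }
}

$report = @(Get-ZeroLengthReport)
if ($report.Count -eq 0) { 'No zero-length .dll/.exe/.sys files in System32, drivers or SysWOW64.' }
else { $report | Sort-Object File | Format-List }
```

A clean installation has no zero-length binaries in those folders, so any hit is real damage, but the timestamps tell you more than the count: files truncated at the same minute point to one event (a failed update, a cleanup tool, or a disk error) rather than to an infection that was already gone by then. Running `sfc /scannow` afterwards and reading `%windir%\Logs\CBS\CBS.log` shows which of them it could repair from the store copies this report found.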
pallino Posted January 21, 2015
This might be the best solution but I'm still concerned, since we don't know what I had, since I cannot find the 2 files, and the fact that suddenly corrupted files or 0-byte files appeared is very very very very strange. It would be helpful to find the 2 files, to give the malware a name, and to know how to detect it in other devices if present there too, e.g. external USB backup drives. Can we do this before reinstalling Windows? Thank you.
pallino Posted January 22, 2015
This laptop didn't have system problems till a few days ago (it is almost 3 years old now) and I didn't do anything apart from scanning and updating.... and after the file problems only chkdsk and sfc /scannow... Can't it be that there is still some undetected malware/rootkit?? Can we keep checking this, if possible? Thank you! Please let me know what to do now. Thank you.
ShadowPuterDude Posted January 22, 2015
Try doing a system restore to before we started the malware removal process, then get new logs and we'll go from there.
pallino Posted January 22, 2015
OK, I'll back up important files again and restore Windows to an earlier point... apparently I only have one (backup) of 19-11-14.... It might take some days, so please keep this post open. Thank you!!!
ShadowPuterDude Posted January 22, 2015
No problem. If you do not post before tomorrow evening, I won't be back online until Monday.
pallino Posted January 23, 2015
Before I start, any other tool/program/beta/"experimental" tool you want to (we can) test on this laptop? Is it worth trying a rescue disk? If yes, which one do you recommend? I have a Macrium Reflect backup, a Paragon backup and a Windows backup.. any preference which one to use? Why would this help to find a still unknown malware? Thank you!
ShadowPuterDude Posted January 23, 2015 We can try the KAV Rescue CD. Read all these directions before proceeding.

When you have the .ISO file downloaded, you need to create a bootable disk or flash drive with it, using a clean PC to do that. The .ISO file is a disk image. It should NOT be burned as a regular file. You need a program like ImgBurn that can burn an .ISO image. I think a CD is best as there is no way anything can write on it after it is made, but the USB may be more convenient and easier.

Be sure to read these:
- Download Kaspersky Rescue Disk 10
- How to record Kaspersky Rescue Disk 10 to an USB device and boot my computer from it?
- How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Summarizing:
1. Go to a clean PC.
2. Download the .iso image file.
3. Create a CD (or flash drive if you prefer).
4. At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences. Familiarize yourself with "How to create a report file in Kaspersky Rescue Disk 10?"

Print the following directions:

Boot from Kaspersky Rescue Disk 10:
1. Restart your computer and put the disk in the drive while booting.
2. Press any key. A loading wizard will start (you will see the menu to select the required language). If you do not press any key in 10 seconds, the computer boots from the hard drive automatically.
3. Select the required interface language using the arrow keys on your keyboard.
4. Press the Enter key on the keyboard.
5. In the start-up wizard window that opens, select Kaspersky Rescue Disk. Graphic Mode. Click Enter.
6. Click 'A' to accept the agreement.
7. Select the operating system from the dropdown menu (select Windows whatever).
8. Select Objects to scan: check Disk boot sectors, Hidden startup objects, C:
9. Click My Update Center and update if any available.
10. Back to the other tab and click Start Object Scan. (This could take several hours to finish.)

When the scan has completed, save a report:
1. On the upper part of the Kaspersky Rescue Disk window, click on the Report link.
2. On the bottom right hand corner of the Protection status - Kaspersky Rescue Disk window, click on the Detailed Report button.
3. On the upper right hand corner of the Detailed report window, click on the Save button.
4. After clicking Detailed Report and 'SAVE', a browse window opens. Double-click on the \ Click 'disks'. All your drives will be shown and you can easily double-click C and save the report to C:\KasperskyRescueDisk10.txt.
5. Click on the Save button. The report has been saved to the file.

Remove the disk from the drive (or disconnect USB) and reboot normally.
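The post above stresses that the rescue disk .ISO is a raw disk image and must be written as one, not copied as a file, and that this is done on a clean machine. The following added example (not from this thread, and not Kaspersky's or ShadowPuterDude's tooling) shows the equivalent command-line procedure on a Linux helper PC with `dd`, plus the check a practitioner wants afterwards: reading the written media back and comparing its SHA-256 against the image, so a bad or incompletely written USB stick is caught before it is booted on the suspect PC. The ISO path and target device (`/dev/sdX`) are assumed arguments; the script itself is not on the page.

```shell
#!/bin/sh
# Added example: write a rescue-disk ISO raw to removable media and verify it.
# Assumptions: run on a clean Linux PC; $1 is the .iso path, $2 is the target
# device node (e.g. /dev/sdX, NOT a partition); dd, head, sha256sum present.
set -eu

# SHA-256 (hex) of the first $2 bytes of file/device $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Compare the image ($1) with what is on the target ($2).
# Only the image's length is read back, since a device is larger than the ISO.
# Returns 0 when the media matches the image byte for byte, 1 otherwise.
verify_image() {
    iso=$1
    target=$2
    size=$(wc -c < "$iso" | tr -d ' ')
    expected=$(sha256sum "$iso" | cut -d' ' -f1)
    actual=$(hash_prefix "$target" "$size")
    if [ "$expected" = "$actual" ]; then
        echo "verified: $target matches $iso ($size bytes, sha256 $expected)"
        return 0
    fi
    echo "MISMATCH: $target does not match $iso" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Write the image ($1) raw to the target ($2), then verify the result.
# conv=fsync makes dd flush to the device before returning, so the read-back
# in verify_image sees what actually reached the media.
write_image() {
    dd if="$1" of="$2" bs=4M conv=fsync
    verify_image "$1" "$2"
}

# Usage as a script:  sh write_rescue_iso.sh kav_rescue_10.iso /dev/sdX
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    write_image "$1" "$2"
fi
```

Run it as root with the whole-device node as the target; a mismatch means the stick should be rewritten or discarded rather than booted, because a rescue medium you cannot vouch for defeats the purpose of scanning from outside the installed Windows. The same read-back comparison works for a burned CD by pointing the target at the optical device.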
pallino Posted January 26, 2015 (Author) I'm scanning with KIs... the update of definitions from 11.11.14 took 26 min... too long, or?... I have a Macrium Reflect backup, a Paragon backup and a Windows backup... any preference which one to use? Why would this help to find a still unknown malware? Thank you.
ShadowPuterDude Posted January 26, 2015 I have no particular preference what backup you use, whatever you feel comfortable using.
pallino Posted January 26, 2015 (Author) How probable is it that my router got hacked, and do you know a tool that is specialized in detecting this?
pallino Posted January 27, 2015 (Author) Update after the router question above. I cannot complete the scan with Kaspersky Rescue Disk... when I check after some time, the window with the scan "disappeared"... I cannot start a new scan, nor Kaspersky Rescue, nor exit Linux... I double-click but nothing happens... but I can use the file manager... What do you think? What do we do? Do we try another rescue disk or restore Windows to November 2014? Please let me also know what you think about the router. Thank you!
ShadowPuterDude Posted January 27, 2015 Go ahead and restore Windows to November 2014.