Post on 02-Jan-2022

Page 1

Legend:
- “bad” ids
- ids logs
- “important” internet history
- internet history
- mcafee stops something bad
- windows prefetch cache
- files containing restricted data
- file timestamps
- “important” event log
- event log
- comments

| Time | Activity | Name | Path / details | Type and attributes |
|---|---|---|---|---|
| 01/01/80 1:00:00 | created | hkcmd.exe | C:\\WINDOWS\SYSTEM32\hkcmd.exe | Windows Executable Code\Executable File, Archive |
| 01/01/80 1:00:00 | created | igfxtray.exe | C:\\WINDOWS\SYSTEM32\igfxtray.exe | Windows Executable Code\Executable File, Archive |
| 01/01/80 1:00:00 | created | smax4pnp.exe | C:\\Program Files\Analog Devices\Core\smax4pnp.exe | Windows Executable Code\Executable File, Archive |
| 10/05/01 8:20:28 | written | Ken.mbx | C:\My Documents\Qualcomm\Eudora\Ken.mbx | |
| 10/05/01 8:20:28 | written | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx | |
| 10/29/01 7:02:04 | written | Misc.mbx | C:\My Documents\Qualcomm\Eudora\Misc.mbx | |
| 10/29/01 7:02:04 | written | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx | |
| 10/29/01 7:04:38 | written | Out.mbx | C:\My Documents\Qualcomm\Eudora\Out.mbx | |
| 10/29/01 7:04:38 | written | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx | |
| 05/07/02 12:00:56 | written | foo.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls | |
| 05/07/02 12:00:56 | written | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls | |
| 07/26/02 17:02:06 | written | UNWISE.EXE | C:\\Program Files\AWS\WeatherBug\UNWISE.EXE | Windows Executable Code\Executable File, Archive |
| 09/19/03 14:24:44 | created | agent.exe | C:\\Program Files\Common Files\InstallShield\UpdateService\agent.exe | Windows Executable Code\Executable File, Archive |
| 09/19/03 14:26:10 | created | issch.exe | C:\\Program Files\Common Files\InstallShield\UpdateService\issch.exe | Windows Executable Code\Executable File, Archive |
| 01/07/04 2:01:00 | created | sgtray.exe | C:\\Program Files\Common Files\Sonic\Update Manager\sgtray.exe | Windows Executable Code\Executable File, Archive |
| 01/07/04 2:01:00 | written | sgtray.exe | C:\\Program Files\Common Files\Sonic\Update Manager\sgtray.exe | Windows Executable Code\Executable File, Archive |
| 01/07/04 15:56:57 | created | Credit Union of Ohio - Your Financial Resource Partner.url | http://www.cuofohio.org/ | Bookmarks |
| 04/13/04 7:07:18 | written | issch.exe | C:\\Program Files\Common Files\InstallShield\UpdateService\issch.exe | Windows Executable Code\Executable File, Archive |
| 04/17/04 13:41:30 | written | ISUSPM.exe | C:\\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe | Windows Executable Code\Executable File, Archive |
| 04/23/04 20:03:06 | written | agent.exe | C:\\Program Files\Common Files\InstallShield\UpdateService\agent.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 3:06:34 | created | msmsgs.exe | C:\\Program Files\Messenger\msmsgs.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | DRWATSON.EXE | C:\\WINDOWS\SYSTEM32\DRWATSON.EXE | Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | MPNOTIFY.EXE | C:\\WINDOWS\SYSTEM32\MPNOTIFY.EXE | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | accwiz.exe | C:\\WINDOWS\SYSTEM32\accwiz.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | cmd.exe | C:\\WINDOWS\SYSTEM32\cmd.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | conf.exe | C:\\Program Files\NetMeeting\conf.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ctfmon.exe | C:\\WINDOWS\SYSTEM32\ctfmon.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | defrag.exe | C:\\WINDOWS\SYSTEM32\defrag.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | dfrgntfs.exe | C:\\WINDOWS\SYSTEM32\dfrgntfs.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | dumprep.exe | C:\\WINDOWS\SYSTEM32\dumprep.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | dwwin.exe | C:\\WINDOWS\SYSTEM32\dwwin.exe | Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | explorer.exe | C:\\WINDOWS\explorer.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | fxscover.exe | C:\\WINDOWS\SYSTEM32\fxscover.exe | Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | fxssvc.exe | C:\\WINDOWS\SYSTEM32\fxssvc.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | helpsvc.exe | C:\\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | imapi.exe | C:\\WINDOWS\SYSTEM32\imapi.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ipconfig.exe | C:\\WINDOWS\SYSTEM32\ipconfig.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | mshta.exe | C:\\WINDOWS\SYSTEM32\mshta.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | msimn.exe | C:\\Program Files\Outlook Express\msimn.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | mstsc.exe | C:\\WINDOWS\SYSTEM32\mstsc.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | netsh.exe | C:\\WINDOWS\SYSTEM32\netsh.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ntbackup.exe | C:\\WINDOWS\SYSTEM32\ntbackup.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | ntvdm.exe | C:\\WINDOWS\SYSTEM32\ntvdm.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | regedit.exe | C:\\WINDOWS\regedit.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | rundll32.exe | C:\\WINDOWS\SYSTEM32\rundll32.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | taskkill.exe | C:\\WINDOWS\SYSTEM32\taskkill.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | tasklist.exe | C:\\WINDOWS\SYSTEM32\tasklist.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | taskmgr.exe | C:\\WINDOWS\SYSTEM32\taskmgr.exe | Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | created | unregmp2.exe | C:\\WINDOWS\INF\unregmp2.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | userinit.exe | C:\\WINDOWS\SYSTEM32\userinit.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | wab.exe | C:\\Program Files\Outlook Express\wab.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | wmplayer.exe | C:\\Program Files\Windows Media Player\wmplayer.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | created | wordpad.exe | C:\\Program Files\Windows NT\Accessories\wordpad.exe | Windows Executable Code\Executable File, Archive |
| 08/04/04 7:00:00 | written | DRWATSON.EXE | C:\\WINDOWS\SYSTEM32\DRWATSON.EXE | Windows Executable Code\Executable Match File, Archive |
| 08/04/04 7:00:00 | written | MPNOTIFY.EXE | C:\\WINDOWS\SYSTEM32\MPNOTIFY.EXE | Windows Executable Code\Executable File, Archive |
| 09/15/04 14:27:54 | written | unregmp2.exe | C:\\WINDOWS\INF\unregmp2.exe | Windows Executable Code\Executable File, Archive |
| 09/15/04 14:28:00 | written | wmplayer.exe | C:\\Program Files\Windows Media Player\wmplayer.exe | Windows Executable Code\Executable File, Archive |
| 10/12/04 18:54:30 | written | DVDLauncher.exe | C:\\Program Files\CyberLink\PowerDVD\DVDLauncher.exe | Windows Executable Code\Executable File |
| 10/14/04 17:42:54 | written | smax4pnp.exe | C:\\Program Files\Analog Devices\Core\smax4pnp.exe | Windows Executable Code\Executable File, Archive |
| 11/04/04 14:03:44 | created | BRHS.ORG.url | http://w3.brhs.org/ | Bookmarks |
| 01/27/05 8:05:47 | created | pagefile.sys | | Bookmarks |
| 01/27/05 8:06:08 | created | A0061054.ini | C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini | Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed |
| 01/27/05 8:10:43 | created | hiberfil.sys | | Bookmarks |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://ubw.osu.edu/ubw_at_ohio.htm | Bookmarks |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://ubw.osu.edu/underwater_basket_weaving_facilities_at_ohio.htm | Bookmarks |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsm!a | Bookmarks |
| 01/27/05 8:10:43 | created | hiberfil.sys | http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail | Bookmarks |
| 01/27/05 8:19:35 | created | DVDLauncher.exe | C:\\Program Files\CyberLink\PowerDVD\DVDLauncher.exe | Windows Executable Code\Executable File |
| 02/07/05 10:37:19 | created | _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 | C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 | File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed |
| 02/07/05 10:39:59 | written | _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 | C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 | File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed |
| 02/07/05 10:40:41 | logged | SecEvent.Evt | EVENT ID: 612; EVENT TYPE: SUCCESS_AUDIT; EVENT CATEGORY: Policy Change; SID: S-1-5-18; COMPUTER: OSUUBWCLASS; DESCRIPTION: Audit Policy Change: New Policy: Success Failure; - - Logon/Logoff; - - Object Access; - - Privilege Use; - - Account Management; - - Policy Change; - - System; - - Detailed Tracking; - - Directory Service Access; + + Account Logon; Changed By: User Name: OSUUBWCLASS$; Domain Name: UNDERWATERBASKETWEAVING; Logon ID: (0x0,0x3E7) | |
| 02/10/05 14:32:53 | created | accicons.exe | C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe | Windows Executable Code\Executable File, Read Only, Archive |
| 02/10/05 14:32:53 | created | pptico.exe | C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe | Windows Executable Code\Executable File, Read Only, Archive |
| 02/10/05 14:32:53 | created | wordicon.exe | C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe | Windows Executable Code\Executable File, Read Only, Archive |
| 02/10/05 14:32:53 | created | xlicons.exe | C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe | Windows Executable Code\Executable File, Read Only, Archive |
| 09/24/05 1:30:38 | created | acrotray.exe | C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe | Windows Executable Code\Executable File, Archive |
| 09/24/05 1:31:14 | created | acrodist.exe | C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe | Windows Executable Code\Executable File, Archive |
| 10/19/05 8:59:12 | written | hkcmd.exe | C:\\WINDOWS\SYSTEM32\hkcmd.exe | Windows Executable Code\Executable File, Archive |
| 10/19/05 8:59:14 | written | igfxtray.exe | C:\\WINDOWS\SYSTEM32\igfxtray.exe | Windows Executable Code\Executable File, Archive |
| 01/09/06 7:00:40 | written | SSLang.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe | Windows Executable Code\Executable File |
| 01/12/06 19:52:32 | written | acrotray.exe | C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe | Windows Executable Code\Executable File, Archive |
| 01/12/06 19:53:07 | written | acrodist.exe | C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe | Windows Executable Code\Executable File, Archive |
| 02/14/06 4:32:15 | written | SSMMgr.exe | C:\\WINDOWS\Samsung\PanelMgr\SSMMgr.exe | Windows Executable Code\Executable File, Archive |
| 02/23/06 7:47:12 | modified | DRWATSON.EXE | C:\\WINDOWS\SYSTEM32\DRWATSON.EXE | Windows Executable Code\Executable Match File, Archive |
| 03/16/06 19:38:01 | created | verclsid.exe | C:\\WINDOWS\SYSTEM32\verclsid.exe | Windows Executable Code\Executable File |
| 03/23/06 2:14:37 | written | Ssopen.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe | Windows Executable Code\Executable Match File |
| 03/23/06 8:54:52 | written | setup.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe | Windows Executable Code\Executable File |
| 04/07/06 15:02:24 | written | Weather.exe | C:\\Program Files\AWS\WeatherBug\Weather.exe | Windows Executable Code\Executable File, Archive |

Page 2: legend time activity name path/details

04/19/06 7:24:19 created VERCLSID.EXE-28F52AD2.pf C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf04/27/06 15:07:38 written ubw042706ay07.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls

04/27/06 15:07:38 written ogr-ubw042706ay07.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls06/19/06 7:27:17 Deleted WFV6C.tmp C:\Documents and Settings\hackedpc.2\Local Settings\Temp\WFV6C.tmpW32/Sdbot.worm.gen.as (Virus)OUTLOOK.EXE06/19/06 7:27:25 Deleted WFV7D.tmp C:\Documents and Settings\hackedpc.2\Local Settings\Temp\WFV7D.tmpW32/Sdbot.worm.gen.as (Virus)OUTLOOK.EXE06/19/06 7:28:18 Deleted WFVA0.tmp C:\Documents and Settings\hackedpc.2\Local Settings\Temp\WFVA0.tmpW32/Sdbot.worm.gen.as (Virus)OUTLOOK.EXE10/04/06 9:04:20 written Eudora.exe C:\\Program Files\Qualcomm\Eudora\Eudora.exe Windows Executable Code\Executable File, Read Only, Archive10/26/06 14:40:34 created mdm.exe C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive10/26/06 14:40:34 written mdm.exe C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive11/07/06 15:39:18 written 37679041.pdf.zip C:\\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive11/07/06 15:39:18 written 37679041.pdf.zip C:\\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive File, Archive11/07/06 15:39:18 written 37679041.pdf.zip C:\\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip ZIP Compressed Archive Match File, Archive01/09/07 12:56:21 created ISUSPM.exe C:\\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive

01/17/07 7:17:00 written Mike.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx01/17/07 7:17:00 written Mike.mbx C:\Eudora\Mike.mbx01/17/07 7:17:00 written Mike.mbx C:\My Documents\Eudora\Mike.mbx

04/05/07 13:21:36 created AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txtText Document File, Archive04/05/07 13:21:36 created BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txtText Document Match File, Archive06/05/07 11:03:30 created SSSInstaller.dll C:\\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive06/05/07 11:03:30 created SSSInstaller.dll C:\\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive06/05/07 11:03:30 written SSSInstaller.dll C:\\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive06/05/07 11:03:30 written SSSInstaller.dll C:\\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive06/12/07 5:46:30 created SbTrayManager.exe C:\\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive06/12/07 5:46:30 written SbTrayManager.exe C:\\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive06/22/07 10:55:27 created Joseph W. Testa, Franklin County Auditor - Welcome!.urlhttp://www.co.franklin.oh.us/auditor/ Bookmarks -07/23/07 15:37:20 written IFT 07.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls

07/23/07 15:37:20 written IFT 07.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls08/13/07 19:32:30 written mshta.exe C:\\WINDOWS\SYSTEM32\mshta.exe Windows Executable Code\Executable File, Archive

09/12/07 15:49:42 written Scholarship.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx09/12/07 15:49:42 written Scholarship.mbx C:\Eudora\Scholarship.mbx09/12/07 15:49:42 written Scholarship.mbx C:\My Documents\Eudora\Scholarship.mbx09/18/07 13:50:26 written Previous search.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx09/18/07 13:50:26 written Previous search.mbx C:\Eudora\Previous search.mbx09/18/07 13:50:26 written Previous search.mbx C:\My Documents\Eudora\Previous search.mbx09/18/07 13:50:26 written Previous search.mbx C:\Program Files\Qualcomm\Eudora\Previous search.mbx09/28/07 8:20:36 written Misc.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx09/28/07 8:20:36 written Misc.mbx C:\Eudora\Misc.mbx09/28/07 8:20:36 written Misc.mbx C:\My Documents\Eudora\Misc.mbx10/01/07 8:39:24 written Out.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx10/01/07 8:39:24 written Out.mbx C:\Eudora\Out.mbx10/01/07 8:39:24 written Out.mbx C:\My Documents\Eudora\Out.mbx

10/01/07 9:48:40 created Eudora.exe C:\\Program Files\Qualcomm\Eudora\Eudora.exe Windows Executable Code\Executable File, Read Only, Archive10/01/07 10:52:52 created Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx

10/01/07 11:06:24 created NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exeWindows Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 created Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 created Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 created Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable File, Read Only, Archive10/01/07 11:06:24 created Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 written NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exeWindows Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 written Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 written Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exeWindows 
Executable Code\Executable Match File, Read Only, Archive10/01/07 11:06:24 written Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable File, Read Only, Archive10/01/07 11:06:24 written Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exeC:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exeWindows Executable Code\Executable Match File, Read Only, Archive

10/01/07 12:34:09 created Mike.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx10/01/07 12:34:09 modified Mike.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx10/01/07 12:34:09 modified Mike.mbx C:\My Documents\Eudora\Mike.mbx10/01/07 12:34:10 created Out.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx10/01/07 12:34:14 created Scholarship.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx10/01/07 12:34:14 modified Out.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx10/01/07 12:34:14 modified Out.mbx C:\My Documents\Eudora\Out.mbx10/01/07 12:34:15 created Misc.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx10/01/07 12:34:15 modified Misc.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx10/01/07 12:34:15 modified Misc.mbx C:\My Documents\Eudora\Misc.mbx10/01/07 12:34:15 modified Scholarship.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx10/01/07 12:34:15 modified Scholarship.mbx C:\My Documents\Eudora\Scholarship.mbx10/01/07 12:34:16 created Previous search.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx10/01/07 12:34:16 modified Previous search.mbx C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx10/01/07 12:34:16 modified Previous search.mbx C:\My Documents\Eudora\Previous search.mbx

10/01/07 12:35:04 | created | 37679041.pdf.zip | C:\\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive Match File, Archive
10/01/07 12:35:04 | modified | 37679041.pdf.zip | C:\\My Documents\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive File, Archive
10/01/07 12:35:04 | modified | 37679041.pdf.zip | C:\\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive Match File, Archive
10/01/07 12:37:08 | accessed | foo.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls
10/01/07 12:37:08 | created | foo.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls
10/01/07 12:37:08 | modified | foo.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\foo.xls

10/01/07 12:37:08 | accessed | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls
10/01/07 12:37:08 | created | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls
10/01/07 12:37:08 | modified | boff claybon.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2002 Scholarships\boff claybon.xls

10/01/07 12:37:12 | created | ubw042706ay07.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls
10/01/07 12:37:12 | created | IFT 07.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls

10/01/07 12:37:12 | created | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls
10/01/07 12:37:12 | created | ogr-ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls
10/01/07 12:49:37 | created | Mike.mbx | C:\Eudora\Mike.mbx
10/01/07 12:49:38 | modified | Mike.mbx | C:\Eudora\Mike.mbx
10/01/07 12:49:39 | created | Out.mbx | C:\Eudora\Out.mbx
10/01/07 12:49:43 | created | Misc.mbx | C:\Eudora\Misc.mbx
10/01/07 12:49:43 | created | Scholarship.mbx | C:\Eudora\Scholarship.mbx
10/01/07 12:49:43 | modified | Out.mbx | C:\Eudora\Out.mbx
10/01/07 12:49:43 | modified | Scholarship.mbx | C:\Eudora\Scholarship.mbx
10/01/07 12:49:44 | created | Previous search.mbx | C:\Eudora\Previous search.mbx
10/01/07 12:49:44 | modified | Misc.mbx | C:\Eudora\Misc.mbx
10/01/07 12:49:44 | modified | Previous search.mbx | C:\Eudora\Previous search.mbx
10/01/07 12:49:44 | modified | Previous search.mbx | C:\Program Files\Qualcomm\Eudora\Previous search.mbx

10/01/07 12:50:20 | created | 37679041.pdf.zip | C:\\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive File, Archive
10/01/07 12:50:20 | modified | 37679041.pdf.zip | C:\\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive File, Archive

10/01/07 13:13:10 | created | Mike.mbx | C:\Program Files\Qualcomm\Eudora\Mike.mbx
10/01/07 13:13:10 | created | Misc.mbx | C:\Program Files\Qualcomm\Eudora\Misc.mbx
10/01/07 13:13:29 | created | Previous search.mbx | C:\Program Files\Qualcomm\Eudora\Previous search.mbx
10/01/07 13:13:30 | created | Scholarship.mbx | C:\Program Files\Qualcomm\Eudora\Scholarship.mbx
10/01/07 13:23:53 | created | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx
10/01/07 13:23:53 | modified | Ken.mbx | C:\My Documents\Qualcomm\Eudora\Ken.mbx
10/01/07 13:23:53 | modified | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx
10/01/07 13:23:54 | created | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx
10/01/07 13:23:54 | created | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx
10/01/07 13:23:54 | modified | Misc.mbx | C:\My Documents\Qualcomm\Eudora\Misc.mbx
10/01/07 13:23:54 | modified | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx
10/01/07 13:23:54 | modified | Out.mbx | C:\My Documents\Qualcomm\Eudora\Out.mbx
10/01/07 13:23:54 | modified | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx

10/01/07 13:35:19 | created | UNWISE.EXE | C:\\Program Files\AWS\WeatherBug\UNWISE.EXE | Windows Executable Code\Executable File, Archive
10/01/07 13:35:20 | created | Weather.exe | C:\\Program Files\AWS\WeatherBug\Weather.exe | Windows Executable Code\Executable File, Archive
10/01/07 14:59:30 | accessed | Icon84031A18.exe | C:\\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe | Windows Executable Code\Executable File, Read Only, Archive
10/01/07 14:59:30 | created | Icon84031A18.exe | C:\\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe | Windows Executable Code\Executable File, Read Only, Archive


10/01/07 14:59:30 | written | Icon84031A18.exe | C:\\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe | Windows Executable Code\Executable File, Read Only, Archive
10/01/07 16:26:26 | accessed | SSSInstaller.dll | C:\\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll | Dynamic Link Library Code\Library Match File, Archive
10/01/07 16:26:26 | modified | SSSInstaller.dll | C:\\Program Files\Screensavers.com\SSSInstaller\bin\SSSInstaller.dll | Dynamic Link Library Code\Library Match File, Archive
10/01/07 16:26:27 | modified | SSSInstaller.dll | C:\\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll | Dynamic Link Library Code\Library Match File, Archive
10/24/07 13:05:19 | Cleaned | ohioamericanlegion[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\SZY7YXY1\ohioamericanlegion[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\iexplore.exe
11/06/07 13:43:46 | created | Underwater Basket Weaving Majors and Minors 0708.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls

11/06/07 13:43:46 | created | UBW Majors and Minors 0708.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls
11/13/07 16:46:00 | created | TransferAgent.exe | C:\\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe | Windows Executable Code\Executable File, Archive
11/13/07 16:46:00 | written | TransferAgent.exe | C:\\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe | Windows Executable Code\Executable File, Archive

12/14/07 14:40:45 | accessed | Ken.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Ken.mbx
12/14/07 14:40:45 | created | Ken.mbx | C:\My Documents\Qualcomm\Eudora\Ken.mbx
12/14/07 14:40:46 | accessed | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Misc.mbx
12/14/07 14:40:46 | created | Misc.mbx | C:\My Documents\Qualcomm\Eudora\Misc.mbx
12/14/07 14:40:47 | accessed | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Qualcomm\Eudora\Out.mbx
12/14/07 14:40:47 | created | Out.mbx | C:\My Documents\Qualcomm\Eudora\Out.mbx
12/14/07 14:48:48 | created | Mike.mbx | C:\My Documents\Eudora\Mike.mbx
12/14/07 14:48:49 | created | Misc.mbx | C:\My Documents\Eudora\Misc.mbx
12/14/07 14:48:51 | created | Out.mbx | C:\My Documents\Eudora\Out.mbx
12/14/07 14:49:01 | created | Previous search.mbx | C:\My Documents\Eudora\Previous search.mbx
12/14/07 14:49:02 | created | Scholarship.mbx | C:\My Documents\Eudora\Scholarship.mbx

12/14/07 14:50:37 | created | 37679041.pdf.zip | C:\\My Documents\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive File, Archive
12/18/07 9:41:00 | created | Baum's Page Wrestling.url | http://www.baumspage.com/ | Bookmarks -
01/09/08 15:18:58 | Deleted | gnida[1].swf | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\CBPBUI7H\gnida[1].swf | Generic Downloader.bk (Trojan) | C:\Program Files\Internet Explorer\iexplore.exe

01/22/08 16:53:30 | accessed | Mike.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Mike.mbx
01/22/08 16:53:30 | accessed | Misc.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Misc.mbx
01/22/08 16:53:30 | accessed | Out.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Out.mbx
01/22/08 16:53:31 | accessed | Previous search.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Previous search.mbx
01/22/08 16:53:32 | accessed | Scholarship.mbx | C:\Documents and Settings\smith.99999\My Documents\Eudora\Scholarship.mbx

01/31/08 13:59:30 | accessed | 37679041.pdf.zip | C:\\Documents and Settings\smith.99999\My Documents\Eudora\attach\37679041.pdf.zip | ZIP Compressed Archive Match File, Archive
02/08/08 11:08:46 | Cleaned | scholars1[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\B1COUTNU\scholars1[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\iexplore.exe
02/13/08 11:46:41 | Cleaned | scholars1[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\67K7ML07\scholars1[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\iexplore.exe

02/19/08 10:38:46 | we block the host for spamming
02/22/08 10:58:38 | created | SbClientManager.exe | C:\\Program Files\SafeBoot\SbClientManager.exe | Windows Executable Code\Executable File, Archive
02/22/08 11:00:00 | created | SafeBoot.scr | C:\\WINDOWS\SafeBoot.scr | Win NT Screen Saver Code\Executable File, Archive
03/11/08 12:20:40 | created | uninstall.exe | C:\\Program Files\Coupons\uninstall.exe | Windows Executable Code\Executable Match File, Archive
03/11/08 12:20:40 | written | uninstall.exe | C:\\Program Files\Coupons\uninstall.exe | Windows Executable Code\Executable Match File, Archive
03/14/08 10:13:31 | Cleaned | scholars[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\A2EWQP6T\scholars[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\IEXPLORE.EXE
03/14/08 10:14:21 | Cleaned | scholars1[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\K5Q3MFOP\scholars1[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\IEXPLORE.EXE
03/17/08 10:58:56 | Cleaned | sal[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\L08JLPKH\sal[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\iexplore.exe
03/25/08 12:22:15 | accessed | Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe | C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe | Windows Executable Code\Executable Match File, Read Only, Archive
03/25/08 12:22:16 | accessed | NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe | C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe | Windows Executable Code\Executable Match File, Read Only, Archive
03/25/08 12:22:16 | accessed | Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe | Windows Executable Code\Executable File, Read Only, Archive
03/25/08 12:22:17 | accessed | Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe | C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe | Windows Executable Code\Executable Match File, Read Only, Archive
03/25/08 12:22:17 | accessed | Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe | C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe | Windows Executable Code\Executable Match File, Read Only, Archive
03/25/08 12:29:21 | accessed | SSLang.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe | Windows Executable Code\Executable File
03/25/08 12:29:21 | created | SSLang.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe | Windows Executable Code\Executable File
03/25/08 12:29:25 | created | Ssopen.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe | Windows Executable Code\Executable Match File
03/25/08 12:30:10 | accessed | Ssopen.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe | Windows Executable Code\Executable Match File
03/25/08 12:30:53 | created | setup.exe | C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe | Windows Executable Code\Executable File
03/25/08 12:34:38 | created | SSMMgr.exe | C:\\WINDOWS\Samsung\PanelMgr\SSMMgr.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:11 | written | accwiz.exe | C:\\WINDOWS\SYSTEM32\accwiz.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:14 | written | cmd.exe | C:\\WINDOWS\SYSTEM32\cmd.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:15 | written | conf.exe | C:\\Program Files\NetMeeting\conf.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:16 | written | ctfmon.exe | C:\\WINDOWS\SYSTEM32\ctfmon.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:16 | written | defrag.exe | C:\\WINDOWS\SYSTEM32\defrag.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:16 | written | dfrgntfs.exe | C:\\WINDOWS\SYSTEM32\dfrgntfs.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:18 | written | dumprep.exe | C:\\WINDOWS\SYSTEM32\dumprep.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:18 | written | dwwin.exe | C:\\WINDOWS\SYSTEM32\dwwin.exe | Windows Executable Code\Executable Match File, Archive
04/13/08 20:12:19 | written | explorer.exe | C:\\WINDOWS\explorer.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:21 | written | fxscover.exe | C:\\WINDOWS\SYSTEM32\fxscover.exe | Windows Executable Code\Executable Match File, Archive
04/13/08 20:12:21 | written | fxssvc.exe | C:\\WINDOWS\SYSTEM32\fxssvc.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:21 | written | helpsvc.exe | C:\\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:22 | written | imapi.exe | C:\\WINDOWS\SYSTEM32\imapi.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:22 | written | ipconfig.exe | C:\\WINDOWS\SYSTEM32\ipconfig.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:23 | written | mstsc.exe | C:\\WINDOWS\SYSTEM32\mstsc.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:28 | written | msimn.exe | C:\\Program Files\Outlook Express\msimn.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:28 | written | msmsgs.exe | C:\\Program Files\Messenger\msmsgs.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:29 | written | netsh.exe | C:\\WINDOWS\SYSTEM32\netsh.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:30 | written | ntbackup.exe | C:\\WINDOWS\SYSTEM32\ntbackup.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:30 | written | ntvdm.exe | C:\\WINDOWS\SYSTEM32\ntvdm.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:32 | written | regedit.exe | C:\\WINDOWS\regedit.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:33 | written | rundll32.exe | C:\\WINDOWS\SYSTEM32\rundll32.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:37 | written | taskkill.exe | C:\\WINDOWS\SYSTEM32\taskkill.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:37 | written | tasklist.exe | C:\\WINDOWS\SYSTEM32\tasklist.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:37 | written | taskmgr.exe | C:\\WINDOWS\SYSTEM32\taskmgr.exe | Windows Executable Code\Executable Match File, Archive
04/13/08 20:12:38 | written | userinit.exe | C:\\WINDOWS\SYSTEM32\userinit.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:38 | written | verclsid.exe | C:\\WINDOWS\SYSTEM32\verclsid.exe | Windows Executable Code\Executable File
04/13/08 20:12:38 | written | wab.exe | C:\\Program Files\Outlook Express\wab.exe | Windows Executable Code\Executable File, Archive
04/13/08 20:12:40 | written | wordpad.exe | C:\\Program Files\Windows NT\Accessories\wordpad.exe | Windows Executable Code\Executable File, Archive
04/14/08 8:56:50 | Cleaned | scholars[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\NSVT4NCB\scholars[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\IEXPLORE.EXE
04/14/08 8:57:14 | Cleaned | dates[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\C9712A8M\dates[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\IEXPLORE.EXE
04/14/08 8:57:44 | Cleaned | ohio[1].htm | C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\G0CBQJRK\ohio[1].htm | W32/RAHack!htm (Trojan) | C:\Program Files\Internet Explorer\IEXPLORE.EXE
07/07/08 16:07:39 | accessed | ubw042706ay07.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls

07/07/08 16:07:39 | accessed | ogr-ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls
07/07/08 16:08:21 | modified | ubw042706ay07.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ubw042706ay07.xls

07/07/08 16:08:21 | modified | ogr-ubw042706ay07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\2006 Scholarships\ogr-ubw042706ay07.xls
07/07/08 16:11:00 | accessed | IFT 07.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls

07/07/08 16:11:00 | accessed | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls
07/07/08 16:12:20 | written | Underwater Basket Weaving Majors and Minors 0708.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls

07/07/08 16:12:20 | written | UBW Majors and Minors 0708.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls
07/07/08 16:13:57 | modified | IFT 07.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls

07/07/08 16:13:57 | modified | IFT 07.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\IFT\IFT 07.xls
07/08/08 22:13:26 | created | googleearth.exe | C:\\Program Files\Google\Google Earth\googleearth.exe | Windows Executable Code\Executable File, Archive
07/08/08 22:13:26 | written | googleearth.exe | C:\\Program Files\Google\Google Earth\googleearth.exe | Windows Executable Code\Executable File, Archive
07/22/08 13:09:41 | modified | Underwater Basket Weaving Majors and Minors 0708.xls | C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls

07/22/08 13:09:41 | modified | UBW Majors and Minors 0708.xls | C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls
07/28/08 10:14:22 | modified | Mike.mbx | C:\Program Files\Qualcomm\Eudora\Mike.mbx
07/28/08 10:14:22 | written | Mike.mbx | C:\Program Files\Qualcomm\Eudora\Mike.mbx

08/04/08 13:40:51 | accessed | REC719271.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip | ZIP Compressed Archive Match File, Recycled, Archive
08/04/08 13:40:51 | created | REC719271.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip | ZIP Compressed Archive Match File, Recycled, Archive
08/04/08 13:40:51 | written | REC719271.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip | ZIP Compressed Archive Match File, Recycled, Archive
08/15/08 16:22:54 | deleted | REC719271.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip | ZIP Compressed Archive Match File, Recycled, Archive
08/15/08 16:22:54 | modified | REC719271.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\REC719271.zip | ZIP Compressed Archive Match File, Recycled, Archive
08/25/08 6:27:59 | logged | SecEvent.Evt

08/25/08 8:06:28 | logged | SecEvent.Evt

09/10/08 6:29:15 | logged | SecEvent.Evt

EVENT ID: 612 | EVENT TYPE: SUCCESS_AUDIT | EVENT CATEGORY: Policy Change | SID: S-1-5-18 | COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
    New Policy:
        Success Failure
        - - Logon/Logoff
        - - Object Access
        - - Privilege Use
        - - Account Management
        - - Policy Change
        - - System
        - - Detailed Tracking
        - - Directory Service Access
        - - Account Logon
    Changed By:
        User Name: HACKEDPC$
        Domain Name: UNDERWATERBASKETWEAVING
        Logon ID: (0x0,0x3E7)

EVENT ID: 612 | EVENT TYPE: SUCCESS_AUDIT | EVENT CATEGORY: Policy Change | SID: S-1-5-18 | COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
    New Policy:
        Success Failure
        - - Logon/Logoff
        - - Object Access
        - - Privilege Use
        - - Account Management
        - - Policy Change
        - - System
        - - Detailed Tracking
        - - Directory Service Access
        + + Account Logon
    Changed By:
        User Name: HACKEDPC$
        Domain Name: UNDERWATERBASKETWEAVING
        Logon ID: (0x0,0x3E7)

EVENT ID: 612 | EVENT TYPE: SUCCESS_AUDIT | EVENT CATEGORY: Policy Change | SID: S-1-5-18 | COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
    New Policy:
        Success Failure
        - - Logon/Logoff
        - - Object Access
        - - Privilege Use
        - - Account Management
        - - Policy Change
        - - System
        - - Detailed Tracking
        - - Directory Service Access
        - - Account Logon
    Changed By:
        User Name: HACKEDPC$
        Domain Name: UNDERWATERBASKETWEAVING
        Logon ID: (0x0,0x3E7)


09/10/08 8:03:48 | logged | SecEvent.Evt

09/16/08 6:52:20 | logged | SecEvent.Evt

09/16/08 6:52:20 | logged | SecEvent.Evt

09/16/08 7:17:51 | logged | SecEvent.Evt

09/16/08 7:17:52 | logged | SecEvent.Evt

09/16/08 7:59:46 | accessed | msimn.exe | C:\\Program Files\Outlook Express\msimn.exe | Windows Executable Code\Executable File, Archive
09/16/08 8:22:37 | created | WUAUCLT.EXE-1360D60A.pf | C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
09/16/08 8:24:40 | created | WMIPRVSE.EXE-0D449B4F.pf | C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
09/16/08 11:41:17 | created | USERINIT.EXE-0743FDA9.pf | C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
09/16/08 11:42:15 | created | SCHEDHLP.EXE-29F59EF1.pf | C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
09/16/08 11:42:16 | created | SSMMGR.EXE-064D047E.pf | C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
09/16/08 11:42:23 | created | TRANSFERAGENT.EXE-19919614.pf | C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
09/22/08 11:07:19 | accessed | tits.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar | Compressed Archive Archive Match File, Recycled, Archive
09/22/08 11:07:19 | created | tits.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar | Compressed Archive Archive Match File, Recycled, Archive
09/22/08 11:07:19 | written | tits.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar | Compressed Archive Archive Match File, Recycled, Archive
09/23/08 8:14:23 | accessed | tits1.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar | Compressed Archive Archive Match File, Recycled, Archive
09/23/08 8:14:23 | created | tits1.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar | Compressed Archive Archive Match File, Recycled, Archive
09/23/08 8:14:23 | written | tits1.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar | Compressed Archive Archive Match File, Recycled, Archive
09/23/08 16:49:52 | deleted | tits1.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar | Compressed Archive Archive Match File, Recycled, Archive
09/23/08 16:49:52 | modified | tits1.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits1.rar | Compressed Archive Archive Match File, Recycled, Archive
10/02/08 17:28:00 | deleted | tits.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar | Compressed Archive Archive Match File, Recycled, Archive
10/02/08 17:28:00 | modified | tits.rar | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\tits.rar | Compressed Archive Archive Match File, Recycled, Archive
10/06/08 9:15:22 | accessed | pussy.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 9:15:22 | created | pussy.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 9:15:22 | written | pussy.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 17:04:10 | deleted | pussy.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/06/08 17:04:10 | modified | pussy.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\pussy.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 | accessed | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 | created | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/17/08 7:56:29 | written | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive

10/17/08 7:56:29 | it's interesting to see how many postcard.zip files were created vs. what McAfee detected
10/17/08 7:56:29 | Deleted | postcard.zip | C:\program files\qualcomm\eudora\attach\postcard.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
10/20/08 11:16:34 | accessed | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/20/08 11:16:34 | created | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/20/08 11:16:34 | written | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/21/08 7:32:35 | accessed | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/21/08 7:32:35 | created | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/21/08 7:32:35 | written | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/22/08 7:31:40 | Deleted | postcard3.zip | C:\program files\qualcomm\eudora\attach\postcard3.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
10/23/08 9:01:13 | accessed | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/23/08 9:01:13 | created | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/23/08 9:01:13 | written | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 | accessed | Rechnung.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 | accessed | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 | created | Rechnung.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 | created | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 | written | Rechnung.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:37 | written | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:38 | accessed | postcard5.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:38 | created | postcard5.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 7:32:38 | written | postcard5.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 14:17:52 | accessed | Anhang.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 14:17:52 | created | Anhang.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/24/08 14:17:52 | written | Anhang.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/27/08 17:00:55 | deleted | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/27/08 17:00:55 | modified | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
10/28/08 11:07:05 | accessed | wab.exe | C:\\Program Files\Outlook Express\wab.exe | Windows Executable Code\Executable File, Archive
10/31/08 7:38:51 | Deleted | postcard.zip | C:\program files\qualcomm\eudora\attach\postcard.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/03/08 7:54:43 | accessed | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 7:54:43 | created | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 7:54:43 | written | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 | deleted | Rechnung.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 | deleted | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 | deleted | postcard5.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 | modified | Rechnung.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Rechnung.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 | modified | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:53 | modified | postcard5.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:55 | deleted | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:55:55 | modified | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 | deleted | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 | deleted | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 | modified | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/03/08 16:56:00 | modified | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/04/08 14:52:00 | deleted | Anhang.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/04/08 14:52:00 | modified | Anhang.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\Anhang.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/05/08 7:50:31 | Deleted | postcard1.zip | C:\program files\qualcomm\eudora\attach\postcard1.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/06/08 7:28:54 | accessed | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/06/08 7:28:54 | created | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/06/08 7:28:54 | written | postcard1.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 7:38:20 | created | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 7:38:20 | Deleted | postcard2.zip | C:\program files\qualcomm\eudora\attach\postcard2.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/10/08 7:38:21 | accessed | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 7:38:21 | written | postcard2.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 16:23:04 | deleted | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/10/08 16:23:04 | modified | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:53 | accessed | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:53 | created | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:53 | written | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:54 | created | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:37:54 | Deleted | postcard3.zip | C:\program files\qualcomm\eudora\attach\postcard3.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/12/08 7:37:59 | Deleted | postcard3.zip | C:\program files\qualcomm\eudora\attach\postcard3.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/12/08 7:38:00 | accessed | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/12/08 7:38:00 | written | postcard3.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:28:32 | created | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:28:32 | Deleted | postcard4.zip | C:\program files\qualcomm\eudora\attach\postcard4.zip | Generic Malware.a!zip (Trojan) | C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/13/08 7:28:35 | accessed | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:28:35 | written | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:28 | deleted | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:28 | modified | postcard4.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:30 | deleted | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:30 | modified | postcard.zip | C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip | ZIP Compressed Archive Match File, Recycled, Archive

EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
  New Policy:
    Success Failure
    -  -  Logon/Logoff
    -  -  Object Access
    -  -  Privilege Use
    -  -  Account Management
    -  -  Policy Change
    -  -  System
    -  -  Detailed Tracking
    -  -  Directory Service Access
    +  +  Account Logon
  Changed By:
    User Name: smith.99999
    Domain Name: UNDERWATERBASKETWEAVING
    Logon ID: (0x0,0x18CEA)

EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
  New Policy:
    Success Failure
    -  -  Logon/Logoff
    -  -  Object Access
    -  -  Privilege Use
    -  -  Account Management
    -  -  Policy Change
    -  -  System
    -  -  Detailed Tracking
    -  -  Directory Service Access
    +  +  Account Logon
  Changed By:
    User Name: smith.99999
    Domain Name: UNDERWATERBASKETWEAVING
    Logon ID: (0x0,0x18CEA)

EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-18 COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
  New Policy:
    Success Failure
    -  -  Logon/Logoff
    -  -  Object Access
    -  -  Privilege Use
    -  -  Account Management
    -  -  Policy Change
    -  -  System
    -  -  Detailed Tracking
    -  -  Directory Service Access
    +  +  Account Logon
  Changed By:
    User Name: HACKEDPC$
    Domain Name: UNDERWATERBASKETWEAVING
    Logon ID: (0x0,0x3E7)

EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
  New Policy:
    Success Failure
    -  -  Logon/Logoff
    -  -  Object Access
    -  -  Privilege Use
    -  -  Account Management
    -  -  Policy Change
    -  -  System
    -  -  Detailed Tracking
    -  -  Directory Service Access
    +  +  Account Logon
  Changed By:
    User Name: smith.99999
    Domain Name: UNDERWATERBASKETWEAVING
    Logon ID: (0x0,0x18CEA)

EVENT ID: 612 EVENT TYPE: SUCCESS_AUDIT EVENT CATEGORY: Policy Change SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC
DESCRIPTION: Audit Policy Change:
  New Policy:
    Success Failure
    -  -  Logon/Logoff
    -  -  Object Access
    -  -  Privilege Use
    -  -  Account Management
    -  -  Policy Change
    -  -  System
    -  -  Detailed Tracking
    -  -  Directory Service Access
    +  +  Account Logon
  Changed By:
    User Name: smith.99999
    Domain Name: UNDERWATERBASKETWEAVING
    Logon ID: (0x0,0x18CEA)

11/13/08 7:59:31 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:31 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:32 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:32 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:33 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 7:59:33 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/13/08 9:30:54 created PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
11/13/08 10:29:54 Deleted postcard.zip C:\Program Files\Qualcomm\Eudora\attach\postcard.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/13/08 11:29:53 Deleted postcard.zip C:\Program Files\Qualcomm\Eudora\attach\postcard.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/14/08 7:32:25 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/14/08 7:32:25 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/14/08 7:32:25 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/14/08 13:42:06 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/14/08 16:19:05 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/17/08 7:17:57 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/17/08 7:18:02 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/18/08 8:01:09 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 8:01:10 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/18/08 8:01:14 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 8:01:14 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 8:01:14 Deleted postcard1.zip C:\Program Files\Qualcomm\Eudora\attach\postcard1.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/18/08 14:59:22 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 14:59:22 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/18/08 14:59:22 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
11/19/08 7:41:40 accessed postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/19/08 7:41:40 created postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/19/08 7:41:40 written postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:26 accessed postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:26 created postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:26 written postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
11/20/08 7:31:27 Deleted postcard5.zip C:\Program Files\Qualcomm\Eudora\attach\postcard5.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/21/08 7:56:03 accessed postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 accessed postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 created postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 created postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 written postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
11/21/08 7:56:03 written postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
11/24/08 7:53:52 Deleted postcard7.zip C:\Program Files\Qualcomm\Eudora\attach\postcard7.zip Generic Malware.a!zip (Trojan) C:\Program Files\Qualcomm\Eudora\Eudora.exe
11/24/08 16:56:01 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/24/08 16:56:01 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/25/08 16:48:42 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/25/08 16:48:42 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 7:43:08 accessed A0061054.ini C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed
11/26/08 7:43:08 modified A0061054.ini C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed
11/26/08 7:43:08 written A0061054.ini C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\A0061054.ini Initialization Windows File, Deleted, Overwritten, Archive, Compressed, Not Indexed
11/26/08 8:03:43 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:43 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:43 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:44 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:45 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 8:03:45 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
11/26/08 11:31:12 accessed _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed
11/26/08 11:31:12 modified _REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\Fifoed\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-349397977-1612375313-4210125015-1005 File, Deleted, Overwritten, Hidden, Archive, Compressed, Not Indexed
12/01/08 7:34:56 accessed postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 7:34:56 created postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 7:34:56 written postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 7:34:57 accessed postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive
12/01/08 7:34:57 created postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive
12/01/08 7:34:57 written postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive
12/01/08 11:24:28 accessed postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 11:24:28 created postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 11:24:28 written postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:53 deleted postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:53 deleted postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:53 modified postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:53 modified postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:54 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:54 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:54 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:54 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:54 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/01/08 16:30:54 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/02/08 10:21:15 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/02/08 10:21:15 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/02/08 10:21:15 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/02/08 16:31:20 deleted postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/02/08 16:31:20 modified postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 7:38:22 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 7:38:22 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 7:38:22 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 8:55:19 accessed postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 8:55:19 created postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 8:55:19 written postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 11:38:08 accessed postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 11:38:08 created postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 11:38:08 written postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 16:31:07 deleted postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive
12/04/08 16:31:07 modified postcard7.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard7.zip ZIP Compressed Archive Match File, Recycled, Archive
12/05/08 11:12:40 accessed postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/05/08 11:12:40 created postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/05/08 11:12:40 written postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/08/08 16:34:26 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/08/08 16:34:26 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/08/08 16:34:27 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/08/08 16:34:27 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/09/08 12:35:17 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/09/08 12:35:17 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/09/08 12:35:17 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 8:22:32 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 8:22:32 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 8:22:32 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 8:22:34 accessed postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 8:22:34 created postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 8:22:34 written postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 16:10:54 deleted postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 16:10:54 modified postcard9.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard9.zip ZIP Compressed Archive Match File, Recycled, Archive
12/11/08 16:10:55 deleted postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive
12/11/08 16:10:55 modified postcard8.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard8.zip ZIP Compressed Archive File, Recycled, Archive

12/12/08 15:45:56 accessed Mike.mbx C:\Program Files\Qualcomm\Eudora\Mike.mbx
12/12/08 15:58:43 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/12/08 15:58:43 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive

12/15/08 8:36:22 created WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
12/15/08 9:35:04 accessed Previous search.mbx C:\Program Files\Qualcomm\Eudora\Previous search.mbx

12/15/08 11:28:19 modified postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:20 deleted postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:20 deleted postcard4.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard4.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:20 modified postcard3.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard3.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:21 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/15/08 11:28:21 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive Match File, Recycled, Archive
12/16/08 10:00:25 deleted postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/16/08 10:00:25 modified postcard5.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard5.zip ZIP Compressed Archive Match File, Recycled, Archive
12/17/08 8:21:18 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/17/08 8:21:18 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/17/08 8:21:18 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/18/08 16:33:01 deleted postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/18/08 16:33:01 modified postcard6.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard6.zip ZIP Compressed Archive Match File, Recycled, Archive
12/19/08 15:33:40 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/19/08 15:33:40 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 7:35:05 accessed postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 7:35:05 created postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 7:35:05 written postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 16:25:08 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/22/08 16:25:08 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/23/08 7:54:50 accessed postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/23/08 7:54:50 created postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
12/23/08 7:54:50 written postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 8:15:17 created postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/05/09 8:15:19 accessed postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/05/09 8:15:19 written postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/05/09 16:55:57 deleted postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 16:55:57 modified postcard1.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard1.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 16:55:58 deleted postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
01/05/09 16:55:58 modified postcard.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard.zip ZIP Compressed Archive Match File, Recycled, Archive
01/09/09 8:04:12 written SbClientManager.exe C:\\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive
01/09/09 8:04:17 written SafeBoot.scr C:\\WINDOWS\SafeBoot.scr Win NT Screen Saver Code\Executable File, Archive
01/15/09 16:21:34 deleted postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/15/09 16:21:34 modified postcard2.zip C:\\RECYCLER\S-1-5-21-57765512-1263358170-1248344978-1385\postcard2.zip ZIP Compressed Archive File, Recycled, Archive
01/30/09 12:08:11 created SAFEBOOT.SCR-13172D99.pf C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf

02/10/09 13:09:24 modified Scholarship.mbx C:\Program Files\Qualcomm\Eudora\Scholarship.mbx
02/10/09 13:09:24 written Scholarship.mbx C:\Program Files\Qualcomm\Eudora\Scholarship.mbx
02/10/09 13:09:32 accessed Scholarship.mbx C:\Program Files\Qualcomm\Eudora\Scholarship.mbx

02/12/09 11:06:59 accessed Underwater Basket Weaving Majors and Minors 0708.xls C:\\Documents and Settings\smith.99999\My Documents\UBW Scholarships\Underwater Basket Weaving Majors and Minors 0708.xls
02/12/09 11:06:59 accessed UBW Majors and Minors 0708.xls C:\Documents and Settings\smith.99999\My Documents\UBW Scholarships\UBW Majors and Minors 0708.xls

02/13/09 7:26:50 modified MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 7:26:50 written MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 14:21:10 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service was successfully sent a start control. -
02/13/09 14:21:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the running state. -
02/13/09 14:35:14 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the stopped state. -
02/13/09 14:38:09 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service was successfully sent a start control. -
02/13/09 14:38:09 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the running state. -
02/13/09 14:38:38 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Office Source Engine service was successfully sent a start control. -
02/13/09 14:38:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Office Source Engine service entered the running state. -
02/13/09 14:38:56 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Office Source Engine service entered the stopped state. -
02/13/09 14:38:58 accessed wordicon.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:58 accessed xlicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:58 written wordicon.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:58 written xlicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 accessed accicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 accessed pptico.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 written accicons.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:38:59 written pptico.exe C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe Windows Executable Code\Executable File, Read Only, Archive
02/13/09 14:49:18 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the stopped state. -
02/13/09 15:11:23 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 480 minutes. -
02/13/09 15:11:23 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 479 minutes.;NtpClient has no source of accurate time. -
02/13/09 16:31:36 accessed MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 16:31:36 created MAPPING2.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP655\snapshot\Repository\FS\MAPPING2.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/13/09 16:31:50 accessed wmplayer.exe C:\\Program Files\Windows Media Player\wmplayer.exe Windows Executable Code\Executable File, Archive
02/13/09 16:33:06 accessed uninstall.exe C:\\Program Files\Coupons\uninstall.exe Windows Executable Code\Executable Match File, Archive
02/13/09 16:33:24 accessed setup.exe C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe Windows Executable Code\Executable File
02/13/09 16:33:52 logged SysEvent.Evt EVENT ID: 19 EVENT TYPE: INFORMATION EVENT CATEGORY: Installation SID: COMPUTER: HACKEDPC DESCRIPTION: Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool - February 2009 (KB890830) -
02/13/09 16:34:03 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/16/09 7:43:27 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/16/09 7:43:40 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/16/09 7:43:40 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/16/09 7:44:15 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/16/09 7:44:15 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/16/09 7:44:36 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/16/09 7:44:38 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/16/09 7:44:45 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/16/09 7:45:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/16/09 7:45:49 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/16/09 7:45:58 modified MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 7:45:58 written MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 7:46:48 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/16/09 7:46:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/16/09 7:47:11 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/16/09 7:50:50 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/16/09 7:59:37 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 30 minutes. -
02/16/09 7:59:37 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 29 minutes.;NtpClient has no source of accurate time. -
02/16/09 8:29:38 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 60 minutes. -
02/16/09 8:29:38 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 59 minutes.;NtpClient has no source of accurate time. -
02/16/09 9:29:40 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 120 minutes. -
02/16/09 9:29:40 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 119 minutes.;NtpClient has no source of accurate time. -
02/16/09 10:10:20 accessed MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 10:10:20 created MAPPING1.MAP C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP656\snapshot\Repository\FS\MAPPING1.MAP Corel PhotoPAINT Tone Map Misc File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/16/09 11:07:45 created RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/16/09 11:29:46 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 240 minutes. -
02/16/09 11:29:46 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 239 minutes.;NtpClient has no source of accurate time. -
02/16/09 11:59:18 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/16/09 12:45:39 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -


02/16/09 12:45:39 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/16/09 13:19:32 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/16/09 15:29:56 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 480 minutes. -
02/16/09 15:29:56 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 479 minutes.;NtpClient has no source of accurate time. -
02/16/09 16:08:56 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/16/09 16:08:56 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/16/09 16:10:52 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/16/09 16:59:42 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/17/09 7:46:02 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/17/09 7:46:16 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/17/09 7:46:16 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/17/09 7:46:44 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/17/09 7:46:44 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/17/09 7:46:59 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/17/09 7:46:59 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/17/09 7:47:22 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/17/09 7:47:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/17/09 7:48:17 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/17/09 7:48:17 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/17/09 7:48:21 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/17/09 7:48:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/17/09 7:48:24 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/17/09 7:48:31 created SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/17/09 7:48:38 created SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/17/09 7:48:41 created TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/17/09 7:48:49 created UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/17/09 7:48:51 created TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/17/09 7:48:54 created SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/17/09 7:49:03 created TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/17/09 7:49:09 created SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/17/09 7:49:14 created WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/17/09 7:50:36 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/17/09 7:50:37 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/17/09 7:50:50 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/17/09 7:55:28 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/17/09 8:02:01 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 30 minutes. -
02/17/09 8:02:01 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 29 minutes.;NtpClient has no source of accurate time. -
02/17/09 8:32:02 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 60 minutes. -
02/17/09 8:32:02 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 59 minutes.;NtpClient has no source of accurate time. -
02/17/09 9:29:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 9:29:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 9:32:05 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 120 minutes. -
02/17/09 9:32:05 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 119 minutes.;NtpClient has no source of accurate time. -
02/17/09 9:44:47 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 10:09:22 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 10:09:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 10:55:21 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 10:59:40 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 10:59:40 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 11:30:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 11:32:10 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 240 minutes. -
02/17/09 11:32:10 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 239 minutes.;NtpClient has no source of accurate time. -
02/17/09 12:21:05 accessed _REGISTRY_MACHINE_SECURITY C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:21:05 created _REGISTRY_MACHINE_SECURITY C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:21:05 modified _REGISTRY_MACHINE_SECURITY C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:21:05 written _REGISTRY_MACHINE_SECURITY C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP657\snapshot\_REGISTRY_MACHINE_SECURITY File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/17/09 12:22:27 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/17/09 15:33:38 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 480 minutes. -
02/17/09 15:33:38 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 479 minutes.;NtpClient has no source of accurate time. -
02/17/09 15:47:38 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -
02/17/09 15:47:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. -
02/17/09 15:54:30 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -
02/17/09 17:00:51 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/18/09 7:45:53 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/18/09 7:46:07 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/18/09 7:46:07 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/18/09 7:46:36 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/18/09 7:46:36 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/18/09 7:46:55 logged SysEvent.Evt EVENT ID: 14 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient was unable to find a domain controller to use as a time;source. NtpClient will try again in 15 minutes. -
02/18/09 7:46:55 logged SysEvent.Evt EVENT ID: 29 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The time provider NtpClient is configured to acquire time from one or more;time sources, however none of the sources are currently accessible. ;No attempt to contact a source will be made for 14 minutes.;NtpClient has no source of accurate time. -
02/18/09 7:47:13 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/18/09 7:47:52 modified INDEX.BTR C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/18/09 7:47:52 written INDEX.BTR C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/18/09 7:48:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
-02/18/09 7:48:59 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -02/18/09 7:49:04 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -02/18/09 7:49:05 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -02/18/09 7:49:05 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -02/18/09 7:49:30 created WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf02/18/09 7:49:38 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/18/09 7:49:38 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -02/18/09 7:49:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -02/18/09 7:49:52 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -02/18/09 7:49:52 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. 
-02/18/09 7:50:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -02/18/09 7:50:03 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -02/18/09 7:50:03 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -02/18/09 7:52:18 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -02/18/09 7:52:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -02/18/09 7:52:59 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -02/18/09 7:53:26 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -02/18/09 7:58:25 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service was successfully sent a start control. -02/18/09 7:58:25 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the running state. 
-02/18/09 9:19:23 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Adobe LM Service service entered the stopped state. -02/18/09 12:27:07 accessed INDEX.BTR C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed02/18/09 12:27:07 created INDEX.BTR C:\\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP658\snapshot\Repository\FS\INDEX.BTR File, Deleted, Overwritten, Archive, Compressed, Not Indexed


02/18/09 12:40:53 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/18/09 13:49:34 modified Misc.mbx C:\Program Files\Qualcomm\Eudora\Misc.mbx
02/18/09 13:49:34 written Misc.mbx C:\Program Files\Qualcomm\Eudora\Misc.mbx
02/18/09 13:49:44 accessed Misc.mbx C:\Program Files\Qualcomm\Eudora\Misc.mbx

02/18/09 16:58:35 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped. -
02/19/09 7:47:25 here's the beginning of the day in question...starts with the system booting...

02/19/09 7:47:26 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/19/09 7:47:40 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/19/09 7:47:40 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/19/09 7:48:44 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the running state. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/19/09 7:50:54 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/19/09 7:51:15 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 7:51:15 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 7:51:22 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 7:51:29 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 7:51:29 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 7:51:36 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 7:51:41 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/19/09 7:51:42 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/19/09 7:52:51 accessed RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:52:51 created RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:52:51 written RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:52:51 modified RUNDLL32.EXE-62AB2E98.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-62AB2E98.pf
02/19/09 7:53:06 accessed index.dat :Host: My Computer History\Daily -
02/19/09 7:54:01 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service was successfully sent a start control. -
02/19/09 7:54:02 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Background Intelligent Transfer Service service entered the running state. -
02/19/09 7:54:15 accessed index.dat :Host: pub.weatherbug.com History\Daily -
02/19/09 7:54:15 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/5436@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=24.80&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=168&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=24.80&WO3=0&WO4=68.00&Z3=43204& History\Daily -
02/19/09 7:54:22 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/19/09 7:54:24 created smith.99999@advertising[1].txt advertising.com/ Cookies -
02/19/09 7:54:26 created smith.99999@advertising[1].txt advertising.com/ Cookies -
02/19/09 7:54:32 accessed index.dat :Host: deskwx.weatherbug.com History\Daily -
02/19/09 7:54:32 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1234959600&suns=1234998660&ut=1235048002&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=&lta=&ltat=&ltaz=&sed=0&lpt=1234961542&rnd=4827&&&&vcw=450&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=168&lvh=&wat=1234961185&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=0&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 7:54:38 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/292@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=24.80&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=168&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=24.80&WO3=0&WO4=68.00&Z3=43204& History\Daily -
02/19/09 7:55:59 accessed RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:55:59 created RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:55:59 written RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:55:59 modified RUNDLL32.EXE-4DEB4935.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4DEB4935.pf
02/19/09 7:56:06 accessed index.dat :Host: ubw.osu.edu History\Daily -
02/19/09 7:56:19 created smith.99999@sloppykisscards[1].txt sloppykisscards.com/ Cookies -
02/19/09 7:56:21 accessed index.dat :Host: www.sloppykisscards.com History\Daily -
02/19/09 7:56:21 accessed index.dat http://www.sloppykisscards.com/partnerfetch.php?partnerid=vetinsite&partnerAffiliateId=36&cardId=npg28wkc3b History\Daily -
02/19/09 7:57:07 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'Bootcode.ini' on the volume 'Disk0'. It has stopped monitoring the volume. -
02/19/09 8:00:07 accessed WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
02/19/09 8:00:07 written WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
02/19/09 8:00:07 modified WINWORD.EXE-33AEA629.pf C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf
02/19/09 8:02:17 accessed RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/19/09 8:02:17 written RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/19/09 8:02:17 modified RUNDLL32.EXE-4FF9832D.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf
02/19/09 8:02:33 accessed PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
02/19/09 8:02:33 written PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
02/19/09 8:02:33 modified PSCT8500.EXE-0492DFC4.pf C:\WINDOWS\Prefetch\PSCT8500.EXE-0492DFC4.pf
02/19/09 8:15:31 accessed RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:31 created RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:31 written RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:31 modified RUNDLL32.EXE-6BA7CEE7.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-6BA7CEE7.pf
02/19/09 8:15:51 accessed index.dat :Host: www.cuofohio.org History\Daily -
02/19/09 8:17:26 accessed Credit Union of Ohio - Your Financial Resource Partner.url http://www.cuofohio.org/ Bookmarks -
02/19/09 8:17:26 accessed index.dat http://www.cuofohio.org History\Daily -
02/19/09 8:17:44 accessed index.dat :Host: buckeyelink.osu.edu History\Daily -
02/19/09 8:17:44 accessed index.dat http://buckeyelink.osu.edu History\Daily -
02/19/09 8:17:53 accessed index.dat :Host: carmen.osu.edu History\Daily -
02/19/09 8:17:53 accessed index.dat https://carmen.osu.edu History\Daily -
02/19/09 8:20:37 accessed index.dat https://carmen.osu.edu/goodbye.asp History\Daily -
02/19/09 8:24:13 accessed RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:13 created RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:13 written RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:13 modified RUNDLL32.EXE-71655565.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71655565.pf
02/19/09 8:24:25 accessed index.dat :Host: www.co.franklin.oh.us History\Daily -
02/19/09 8:24:25 accessed index.dat http://www.co.franklin.oh.us/auditor History\Daily -
02/19/09 8:24:26 accessed Joseph W. Testa, Franklin County Auditor - Welcome!.url http://www.co.franklin.oh.us/auditor/ Bookmarks -
02/19/09 8:24:32 accessed index.dat :Host: franklincountyoh.metacama.com History\Daily -
02/19/09 8:25:06 accessed index.dat http://franklincountyoh.metacama.com/do/selectDisplay?select=PHOTO&curpid=01000596400 History\Daily -
02/19/09 8:25:15 created [email protected][1].txt ad.yieldmanager.com/ Cookies -
02/19/09 8:25:20 accessed index.dat http://franklincountyoh.metacama.com/do/selectDisplay?select=GIS&curpid=01000596400 History\Daily -
02/19/09 8:25:27 accessed index.dat :Host: fcgis3.metacama.com History\Daily -
02/19/09 8:25:27 accessed index.dat http://fcgis3.metacama.com/scripts/gis_show_parcel_info.pl?zoom=5&zmlvl=3&stype=valid&mapx=264&mapy=194&pname=283813&pid=010-005964&pick=&intersect= History\Daily -
02/19/09 8:25:33 accessed index.dat http://fcgis3.metacama.com/scripts/gis_show_parcel_info.pl?zoom=5&zmlvl=5&stype=valid&mapx=264&mapy=194&pname=4922790&pid=010-005964&pick=&intersect= History\Daily -
02/19/09 8:25:46 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/19895@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=24.80&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=168&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=24.80&WO3=0&WO4=68.00&Z3=43204& History\Daily -
02/19/09 8:27:50 accessed index.dat http://franklincountyoh.metacama.com/altIndex.jsp History\Daily -
02/19/09 8:28:09 accessed index.dat http://franklincountyoh.metacama.com/do/selectDisplay?select=PHOTO&curpid=02000088800 History\Daily -
02/19/09 8:28:16 accessed index.dat http://franklincountyoh.metacama.com/do/searchByAddress History\Daily -
02/19/09 8:30:24 accessed RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:30:24 created RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:30:24 written RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:30:24 modified RUNDLL32.EXE-71E22CD3.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E22CD3.pf
02/19/09 8:52:57 accessed index.dat :Host: webcal.vip.ohio-state.edu History\Daily -
02/19/09 8:53:01 created [email protected][2].txt webcal.vip.ohio-state.edu/fcgi-bin/swc/ Cookies -
02/19/09 8:53:02 accessed index.dat http://webcal.vip.ohio-state.edu/fcgi-bin/swc/lexacal.fcgi History\Daily -
02/19/09 8:53:04 accessed index.dat http://webcal.vip.ohio-state.edu/fcgi-bin/swc/lexacal.fcgi?go=calendar&date=2009/2/19&utc=49984 History\Daily -
02/19/09 9:22:31 created smith.99999@247realmedia[1].txt 247realmedia.com/ Cookies -

02/19/09 9:25:09 modified Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx
02/19/09 9:25:09 written Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx
02/19/09 9:25:29 accessed Out.mbx C:\Program Files\Qualcomm\Eudora\Out.mbx

02/19/09 9:25:43 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/1869@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=20.30&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=169&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=20.30&WO3=0&WO4=83.00&Z3=43204& History\Daily -
02/19/09 9:25:44 accessed index.dat :Host: w3.brhs.org History\Daily -
02/19/09 9:25:44 accessed index.dat http://w3.brhs.org History\Daily -
02/19/09 9:25:45 accessed BRHS.ORG.url http://w3.brhs.org/ Bookmarks -
02/19/09 9:25:49 accessed index.dat :Host: www.brhs.org History\Daily -
02/19/09 9:25:49 accessed index.dat http://www.brhs.org/announcements/updatednews.htm History\Daily -

02/19/09 9:26:14 the fun (probably) starts here...
02/19/09 9:26:15 created smith.99999@jjhuddle[2].txt jjhuddle.com/ Cookies -
02/19/09 9:26:19 accessed index.dat :Host: www.jjhuddle.com History\Daily -


02/19/09 9:26:19 accessed index.dat http://www.jjhuddle.com History\Daily -
02/19/09 9:26:22 created smith.99999@infolinks[2].txt infolinks.com/ Cookies -
02/19/09 9:26:50 accessed index.dat http://www.jjhuddle.com/forums/forumdisplay.php?f=306 History\Daily -
02/19/09 9:27:19 accessed index.dat http://www.jjhuddle.com/forums/showthread.php?t=186381 History\Daily -
02/19/09 9:27:38 accessed index.dat http://www.jjhuddle.com/forums/showthread.php?t=186381&page=3 History\Daily -
02/19/09 9:27:43 created smith.99999@adbrite[1].txt adbrite.com/ Cookies -
02/19/09 9:27:47 created smith.99999@crwdcntrl[2].txt crwdcntrl.net/ Cookies -
02/19/09 9:27:53 created smith.99999@adbrite[1].txt adbrite.com/ Cookies -
02/19/09 9:27:56 created [email protected][1].txt www.soarnxec.net/ Cookies -

02/19/09 9:28:13 banner[1], [2].pdf are created...these both contain malware (currently not identified by virustotal)
02/19/09 9:28:14 created banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:28:14 created banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:17 bro PDF document, version 1.4 GET http://srv.f-o-r.ms/code/document/banner?type=2&pid=154982
02/19/09 9:28:17 bro PDF document, version 1.4 GET http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982
02/19/09 9:28:17 accessed index.dat :Host: srv.f-o-r.ms History\Daily -
02/19/09 9:28:17 accessed index.dat http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982 History\Daily -
02/19/09 9:28:17 accessed index.dat http://srv.f-o-r.ms/code/document/banner?type=2&pid=154982 History\Daily -
02/19/09 9:28:17 written banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:28:17 modified banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:28:17 accessed banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:17 written banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:17 modified banner[2].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[2].pdf
02/19/09 9:28:20 bro PDF document, version 1.4 GET http://srv.f-o-r.ms/code/document/banner?type=1&pid=154982
02/19/09 9:28:42 bro MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit GET http://f-o-r.ms/xrun.tmp

02/19/09 9:28:57 got xrun.tmp, apparently runs something called rn.tmp
02/19/09 9:28:57 accessed RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 created RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 written RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 modified RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 accessed RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 created RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 written RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:28:57 modified RN.TMP-36CAACC4.pf C:\WINDOWS\Prefetch\RN.TMP-36CAACC4.pf
02/19/09 9:29:15 accessed banner[1].pdf C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\Z1NOBJL1\banner[1].pdf
02/19/09 9:29:24 bro MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit GET http://srv.f-o-r.ms/xrun.tmp
02/19/09 9:29:29 bro application/x-dosexec GET http://srv.f-o-r.ms/xpre.tmp
02/19/09 9:29:29 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node22 sa=164.107.xxx.177 sp=1656/tcp da=85.17.162.100 dp=80/tcp method=GET url=http://srv.f-o-r.ms/xpre.tmp msg=application/x-dosexec\ GET\ http://srv.f-o-r.ms/xpre.tmp tag=@83-10576-5c7e66
02/19/09 9:29:40 created smith.99999@247realmedia[1].txt 247realmedia.com/ Cookies -
02/19/09 9:29:40 created smith.99999@adbrite[1].txt adbrite.com/ Cookies -
02/19/09 9:29:40 created smith.99999@adgardener[1].txt adgardener.com/ Cookies -
02/19/09 9:29:40 created [email protected][1].txt ads.imarketservices.com/ Cookies -
02/19/09 9:29:40 created smith.99999@bluekai[2].txt bluekai.com/ Cookies -
02/19/09 9:29:40 created smith.99999@burstnet[2].txt burstnet.com/ Cookies -
02/19/09 9:29:40 created smith.99999@enhance[1].txt enhance.com/ Cookies -
02/19/09 9:29:40 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:29:40 created [email protected][2].txt harvest99.adgardener.com/ Cookies -
02/19/09 9:29:40 created smith.99999@jjhuddle[2].txt jjhuddle.com/ Cookies -
02/19/09 9:29:40 created smith.99999@snap[1].txt snap.com/ Cookies -
02/19/09 9:29:40 created smith.99999@traderpub[1].txt traderpub.net/ Cookies -
02/19/09 9:29:40 created [email protected][2].txt www.burstbeacon.com/ Cookies -
02/19/09 9:29:40 created [email protected][1].txt www.burstnet.com/ Cookies -
02/19/09 9:29:40 created smith.99999@zedo[2].txt zedo.com/ Cookies -
02/19/09 9:32:57 accessed index.dat :Host: www.myadco.net History\Daily -
02/19/09 9:32:57 accessed index.dat http://www.jjhuddle.com/forums/showthread.php?t=186381&page=4 History\Daily -
02/19/09 9:32:57 accessed index.dat http://www.myadco.net/sa3.php?sid=2&id=00746499d6d2aef8af&keyword=bad+credit+car+financing History\Daily -
02/19/09 9:32:59 accessed index.dat :Host: search.zunga.com History\Daily -
02/19/09 9:32:59 accessed index.dat http://search.zunga.com/?search=bad+credit+car+financing History\Daily -
02/19/09 9:33:00 accessed index.dat :Host: 66.70.121.200 History\Daily -
02/19/09 9:33:00 accessed index.dat http://66.70.121.200/j?sid=0wzaQ7VTHFcwJF6z History\Daily -
02/19/09 9:33:02 accessed index.dat :Host: www.automart.com History\Daily -
02/19/09 9:33:02 accessed index.dat http://www.automart.com/creditsearchform.php/?CMP=KNC-AskCredit&WT.srch=1&WT.mc_id=AskCredit History\Daily -
02/19/09 9:33:20 created smith.99999@zedo[2].txt zedo.com/ Cookies -
02/19/09 9:33:22 created smith.99999@rubiconproject[1].txt rubiconproject.com/ Cookies -
02/19/09 9:33:22 created smith.99999@untd[2].txt untd.com/ Cookies -
02/19/09 9:33:24 created smith.99999@revsci[2].txt revsci.net/ Cookies -
02/19/09 9:33:25 created smith.99999@revsci[2].txt revsci.net/ Cookies -
02/19/09 9:33:25 created smith.99999@specificclick[2].txt specificclick.net/ Cookies -
02/19/09 9:33:26 created smith.99999@specificclick[2].txt specificclick.net/ Cookies -
02/19/09 9:33:30 created [email protected][1].txt sdc.traderpub.net/ Cookies -
02/19/09 9:33:31 created [email protected][2].txt at.atwola.com/ Cookies -
02/19/09 9:33:33 created [email protected][2].txt ehg-traderelectronicmedia.hitbox.com/ Cookies -
02/19/09 9:33:33 created smith.99999@hitbox[2].txt hitbox.com/ Cookies -
02/19/09 9:35:12 created smith.99999@cherylandco[2].txt cherylandco.com/ Cookies -
02/19/09 9:36:50 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:37:46 accessed index.dat :Host: www.hswrestling.com History\Daily -
02/19/09 9:37:46 accessed index.dat http://www.hswrestling.com History\Daily -

02/19/09 9:37:55 something apparently created prun.tmp, rasesnet.tmp and winvsnet.tmp, these were deleted (though prun.tmp
02/19/09 9:37:56 Deleted prun.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\prun.tmp Generic.dx (Trojan) C:\DOCUME~1\smith.99999\LOCALS~1\Temp\xpre.tmp
02/19/09 9:38:01 Deleted rasesnet.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\rasesnet.tmp Vundo (Trojan) C:\DOCUME~1\smith.99999\LOCALS~1\Temp\xpre.tmp
02/19/09 9:38:01 Deleted winvsnet.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\winvsnet.tmp Generic Downloader.x (Trojan) C:\DOCUME~1\smith.99999\LOCALS~1\Temp\xpre.tmp
02/19/09 9:38:22 accessed Baum's Page Wrestling.url http://www.baumspage.com/ Bookmarks -
02/19/09 9:38:22 accessed index.dat :Host: www.baumspage.com History\Daily -
02/19/09 9:38:22 accessed index.dat http://www.baumspage.com History\Daily -
02/19/09 9:38:25 accessed index.dat http://www.baumspage.com/wr/index.htm History\Daily -
02/19/09 9:38:35 accessed index.dat http://www.baumspage.com/cesect/2009/index.htm History\Daily -
02/19/09 9:38:43 accessed index.dat http://www.baumspage.com/cesect/no3/brackets09.htm History\Daily -
02/19/09 9:38:55 accessed index.dat http://www.baumspage.com/cesect/no3/entrygrd.htm History\Daily -
02/19/09 9:39:06 accessed index.dat http://www.baumspage.com/new_system/default.asp History\Daily -
02/19/09 9:39:10 accessed index.dat http://www.baumspage.com/cesect/no3/index.htm History\Daily -
02/19/09 9:43:59 created smith.99999@135484[2].txt 135484.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 4509.01.blueseek.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 64.111.196.117/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 6478.21.primosearch.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 66.221.37.124/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 66.230.188.67/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt 74.53.99.54/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt 74.53.99.55/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt ad.yieldmanager.com/ Cookies -
02/19/09 9:43:59 created smith.99999@adtrafficsolution[1].txt adtrafficsolution.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt atd.agencytradingdesk.net/ Cookies -
02/19/09 9:43:59 created smith.99999@bizcash[1].txt bizcash.info/go/ Cookies -
02/19/09 9:43:59 created smith.99999@contextweb[2].txt contextweb.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:43:59 created smith.99999@klickup[1].txt klickup.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt klite.ath.cx/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt load.exelator.com/load/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt media.mtvnservices.com/ Cookies -
02/19/09 9:43:59 created smith.99999@mygeek[2].txt mygeek.com/ Cookies -
02/19/09 9:43:59 created smith.99999@myroitracking[2].txt myroitracking.com/ Cookies -
02/19/09 9:43:59 created smith.99999@primetrafficsite[1].txt primetrafficsite.com/go/ Cookies -
02/19/09 9:43:59 created smith.99999@redirectfor-me[2].txt Cookies -


02/19/09 9:43:59 created smith.99999@sportgfx[2].txt sportgfx.com/ Cookies -
02/19/09 9:43:59 created smith.99999@statcounter[2].txt statcounter.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt tag.contextweb.com/ Cookies -
02/19/09 9:43:59 created smith.99999@thedailyshow[1].txt thedailyshow.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt watches.revone.biz/ Cookies -
02/19/09 9:43:59 created smith.99999@wmvmedialease[1].txt wmvmedialease.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.abcjmp.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.advertising365.com/ats/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.advertyz.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.fxopen.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.investorsconsumergoods.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorsconsumerservices.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorsenergystocks.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorsfinancials.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt www.investorshealthcare.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.ncmfinancial.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.popunderserver.net/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt www.primetrafficsite.com/go/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt xyz.freelogs.com/ Cookies -
02/19/09 9:43:59 created [email protected][1].txt yellowpages.addresses.com/ Cookies -
02/19/09 9:43:59 created [email protected][2].txt yellowpagescom.addresses.com/ Cookies -

02/19/09 9:44:07 more bad stuff is created, run...mcafee finds what would appear to be a by-product...
02/19/09 9:44:08 created prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:44:08 written prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:44:24 created PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 9:44:24 created PRUNNET.EXE-18A96408.pf C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 9:44:33 Cleaned ecomsnraxw.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\ecomsnraxw.tmp W32/Virut.n.gen (Virus) C:\WINDOWS\system32\mshta.exe
02/19/09 9:44:37 bro application/x-dosexec GET http://childhe.com/pas/apstpldr.dll.html?affid=177047&uid=&guid=D294B3372EFC4D4CA6C6DDD12F79C20A
02/19/09 9:44:38 bro

02/19/09 9:44:48 the seneka rootkit...
02/19/09 9:44:49 created senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 9:44:49 written senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 9:44:57 Deleted wcenoxarms.tmp C:\DOCUME~1\smith.99999\LOCALS~1\Temp\wcenoxarms.tmp Generic Downloader.x (Trojan) C:\WINDOWS\system32\mshta.exe
02/19/09 9:45:00 created senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:00 modified senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive

02/19/09 9:45:01 ????
02/19/09 9:45:02 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service was successfully sent a start control. -
02/19/09 9:45:02 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service entered the running state. -
02/19/09 9:45:02 logged SysEvent.Evt EVENT ID: 7034 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Installer service terminated unexpectedly. It has done this 1 time(s). -
02/19/09 9:45:03 created senekalwbrsnty.dat C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 9:45:05 accessed senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 created senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 created senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 modified senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 modified senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 written senekakxidursb.dll C:\\WINDOWS\SYSTEM32\senekakxidursb.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:05 written senekarxltpsnr.dll C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:10 created winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:45:12 accessed winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:45:12 written winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:45:13 bro application/x-dosexec GET http://rs263tg.rapidshare.com/files/198761582/winsinstall.exe
02/19/09 9:45:15 accessed SSSInstaller.dll C:\\Documents and Settings\smith.99999\Local Settings\Temp\SSSInstaller.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:45:28 modified winsinstall.exe C:\\Documents and Settings\smith.99999\Local Settings\Temp\winsinstall.exe Windows Executable Code\Executable Match File, Archive
02/19/09 9:46:01 Will be deleted after the next reboot (Clean failed) apstpldr.dll[1].htm C:\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\apstpldr.dll[1].htm Vundo (Trojan) C:\WINDOWS\Explorer.EXE
02/19/09 9:46:10 accessed index.dat :Host: klite.ath.cx History\Daily -
02/19/09 9:46:11 accessed index.dat :Host: saledirectwarehouse.com History\Daily -
02/19/09 9:46:11 accessed index.dat http://saledirectwarehouse.com/traffic.php History\Daily -
02/19/09 9:46:27 accessed index.dat :Host: www.globoengine.com History\Daily -
02/19/09 9:46:27 accessed index.dat http://www.globoengine.com/search_results.php?keyword=lung cancer&ref=48453 History\Daily -
02/19/09 9:46:30 accessed index.dat :Host: www.abcjmp.com History\Daily -
02/19/09 9:46:30 accessed index.dat http://www.abcjmp.com/jump2/?affiliate=netzter2&subid=01&terms=mortgage loan refinance History\Daily -
02/19/09 9:46:34 accessed index.dat http://www.abcjmp.com/jump2/?affiliate=calgonite&subid=01&terms=build credit cards History\Daily -
02/19/09 9:46:38 accessed index.dat :Host: www.searchfeed.com History\Daily -
02/19/09 9:46:38 accessed index.dat http://www.searchfeed.com/rd/Clk.jsp?s=ap&hu=1&k=lung+cancer&lnk2=rhhE?..4L68'G9'ExsBDyekxpr'pDB.ziBE9.>kffsAskhe=ML88)yiosq=8GG1M)hexBy=AiCg#G2pkCpex)ysq=Z2682LH1M8#L2buV2bdNubuNfJdNt8ANt8cO28TOLpdN9KRNumRF)k=fyx5f|2'282&p=82295&sid=256415&ex=1235054799525&snid=65 History\Daily -
02/19/09 9:46:40 accessed index.dat :Host: www.thedailyshow.com History\Daily -
02/19/09 9:46:40 accessed index.dat http://www.thedailyshow.com/video/index.jhtml?videoId=210190&title=Bill-O'Reilly-Pt.-1&tag=HTLF_generic&itemId=218531 History\Daily -
02/19/09 9:46:41 accessed index.dat :Host: 6478.21.primosearch.com History\Daily -
02/19/09 9:46:41 accessed index.dat http://6478.21.primosearch.com/jump1/?affiliate=5488&subid=82295&terms=lung cancer&sid=Z078043958@EzX0EDNzEzNfRDNy8lNy8FO08VO4cDN1ATNzITM&a=fsrqf History\Daily -
02/19/09 9:46:42 accessed index.dat http://6478.21.primosearch.com/jump2/?affiliate=5488&subid=82295&terms=lung cancer History\Daily -
02/19/09 9:46:44 accessed index.dat :Host: www.primosearch.com History\Daily -
02/19/09 9:46:44 accessed index.dat http://www.primosearch.com/cgi-bin/search.cgi?affiliate=index0001&subid=82295&terms=lung cancer History\Daily -
02/19/09 9:47:12 accessed index.dat :Host: www.fxopen.com History\Daily -
02/19/09 9:47:20 created prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:47:20 modified prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:47:20 written prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:47:28 created geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:28 modified geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:28 written geBtSIyX.dll C:\\WINDOWS\SYSTEM32\geBtSIyX.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:32 created ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:32 modified ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:32 written ssqQkHBq.dll C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:47:33 accessed index.dat http://www.fxopen.com History\Daily -
02/19/09 9:47:35 created fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 created qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 modified fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 modified qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 written fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:35 written qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:36 accessed fccbAQkj.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\fccbAQkj.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:47:36 accessed qoMfdaYs.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\qoMfdaYs.bat Batch Code\Executable * NDOS Batch to Memory File, Archive

02/19/09 9:47:43 explorer.exe error?
02/19/09 9:47:44 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: Explorer.EXE - Application Error : The instruction at "0x03cd62c8" referenced memory at "0x03cd62c8". The memory could not be "read".;;Click on OK to terminate the program;Click on CANCEL to debug the program -
02/19/09 9:47:46 bro application/x-dosexec GET http://rs263cg.rapidshare.com/files/198761582/winsinstall.exe
02/19/09 9:47:46 bro application/x-dosexec GET http://rs263l32.rapidshare.com/files/198761582/winsinstall.exe
02/19/09 9:47:51 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: IEXPLORE.EXE - Application Error : The instruction at "0x76f2345a" referenced memory at "0x76f2345a". The memory could not be "read".;;Click on OK to terminate the program;Click on CANCEL to debug the program -
02/19/09 9:50:13 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 9:50:13 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 9:50:14 created senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 9:50:23 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 9:54:48 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235055278&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=&lta=&ltat=&ltaz=&sed=0&lpt=1235048003&rnd=19912&&&&vcw=451&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=170&lvh=&wat=1235047907&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=1&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 9:54:50 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/25667@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=20.30&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=20.30&WO3=0&WO4=83.00&Z3=43204& History\Daily -
02/19/09 9:54:52 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/26299@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=20.30&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=20.30&WO3=0&WO4=83.00&Z3=43204& History\Daily -
02/19/09 9:55:38 created [email protected][1].txt fc.webmasterpro.de/ Cookies -
02/19/09 9:55:46 accessed prun.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\prun.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 9:55:48 created rqRKEUkK.dll C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:55:48 modified rqRKEUkK.dll C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:55:48 written rqRKEUkK.dll C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 9:55:49 accessed vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:55:49 created vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:55:49 modified vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to Memory File, Archive

no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=1818/tcp da=77.74.48.107 dp=80/tcp method=GET url=http://childhe.com/pas/apstpldr.dll.html?affid\=177047&uid\=&guid\=D294B3372EFC4D4CA6C6DDD12F79C20A msg=164.107.xxx.177\ ->\ 4a56334f3f65d45d90aa15c1bd2f3484\ http://childhe.com/pas/apstpldr.dll.html?affid\=177047&uid\=&guid\=D294B3372EFC4D4CA6C6DDD12F79C20A\ (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) sub=4a56334f3f65d45d90aa15c1bd2f3484 tag=@83-10576-5e4041


02/19/09 9:55:49 written vtUkhiHb.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\vtUkhiHb.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 9:55:54 bro application/x-dosexec GET http://rs263gc.rapidshare.com/files/198761582/winsinstall.exe
02/19/09 9:58:18 created [email protected][1].txt 85.17.166.208/ Cookies -
02/19/09 10:00:03 created RUNDLL32.EXE-5DB16EF8.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 10:01:20 created cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:01:21 modified cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:01:21 written cbXQiFxw.dll C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:01:23 bro application/x-dosexec
02/19/09 10:01:25 created ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:01:25 modified ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:01:25 written ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive

02/19/09 10:01:26 uh-oh...
02/19/09 10:01:26 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The irzylwcf service was successfully sent a start control. -
02/19/09 10:01:26 created irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:01:36 accessed RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:36 created RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:36 written RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:36 modified RUNDLL32.EXE-5C21FBBF.pf C:\WINDOWS\Prefetch\RUNDLL32.EXE-5C21FBBF.pf
02/19/09 10:01:41 created romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:41 modified romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:41 written romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:42 accessed romxwcenas.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\romxwcenas.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:01:45 accessed ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:45 created ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:45 written ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:45 modified ROMXWCENAS.TMP-3639D719.pf C:\WINDOWS\Prefetch\ROMXWCENAS.TMP-3639D719.pf
02/19/09 10:01:57 accessed SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:01:57 created SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:01:57 written SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:01:57 modified SXAEWRMCON.TMP-234ED43A.pf C:\WINDOWS\Prefetch\SXAEWRMCON.TMP-234ED43A.pf
02/19/09 10:02:01 created swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:01 modified swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:01 written swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:04 accessed swxaoermnc.tmp C:\\Documents and Settings\smith.99999\Local Settings\Temp\swxaoermnc.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:04 created wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:04 modified wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:04 written wvUmjIbx.dll C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:08 accessed SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:08 created SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:08 written SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:08 modified SWXAOERMNC.TMP-316E61E9.pf C:\WINDOWS\Prefetch\SWXAOERMNC.TMP-316E61E9.pf
02/19/09 10:02:11 created jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:11 modified jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:11 written jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:12 accessed jkkHBTJD.bat C:\\Documents and Settings\smith.99999\Local Settings\Temp\jkkHBTJD.bat Batch Code\Executable * NDOS Batch to Memory File, Archive
02/19/09 10:02:12 created mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:17 accessed NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:17 created NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:17 modified NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:17 written NMOXWAESRC.TMP-0868916F.pf C:\\WINDOWS\Prefetch\NMOXWAESRC.TMP-0868916F.pf Unknown File, Deleted, Archive, Not Indexed
02/19/09 10:02:26 bro application/x-dosexec GET http://thaexp.cn/ex/a.php
02/19/09 10:02:27 modified mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:27 written mcrh.tmp C:\\WINDOWS\SYSTEM32\mcrh.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:29 bro application/x-dosexec GET http://77.93.75.147/db/upd105320.dll?setid=irq4&affid=177047&uid=2C211880FE9611DD818B177047CFFFFF&guid=D294B3372EFC4D4CA6C6DDD12F79C20A&rid=pfobnf

02/19/09 10:02:29 mcafee is paused...sigh
02/19/09 10:02:29 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The McAfee McShield service entered the paused state. -
02/19/09 10:02:29 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The McAfee McShield service was successfully sent a stop control. -
02/19/09 10:02:29 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The McAfee McShield service entered the stopped state. -
02/19/09 10:02:30 created VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:30 accessed gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:30 created gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:30 modified gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:30 written gcnogcva.sys C:\\WINDOWS\SYSTEM32\DRIVERS\gcnogcva.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:32 accessed VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:32 modified VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:32 written VRT140.tmp C:\\WINDOWS\Temp\VRT140.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:33 bro application/x-dosexec GET http://thaexp.cn/dll/al.txt
02/19/09 10:02:34 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2284/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/ex/a.php msg=application/x-dosexec\ GET\ http://thaexp.cn/ex/a.php tag=@83-10576-603345
02/19/09 10:02:34 bro no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=2284/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/ex/a.php msg=164.107.xxx.177\ ->\ dc9f67ae1d175386625c97fcf22c77ab\ http://thaexp.cn/ex/a.php\ (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) sub=dc9f67ae1d175386625c97fcf22c77ab tag=@83-10576-603345
02/19/09 10:02:34 modified xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:34 written xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:34 modified xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:34 written xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:35 bro application/x-dosexec GET http://vipinstall.8800.org/stat/down/adx.exe
02/19/09 10:02:36 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2287/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/al.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/al.txt tag=@83-10576-60367d
02/19/09 10:02:36 accessed VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:36 created VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:36 written VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:36 modified VRT13F.TMP-19B35236.pf C:\WINDOWS\Prefetch\VRT13F.TMP-19B35236.pf
02/19/09 10:02:37 created 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:39 created VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf

02/19/09 10:02:40 bummer...
02/19/09 10:02:40 logged SysEvent.Evt EVENT ID: 7000 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The zmzfozjg service failed to start due to the following error: %%317 -
02/19/09 10:02:44 created xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive
02/19/09 10:02:48 accessed VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:48 written VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:48 modified VRT141.TMP-153583A6.pf C:\WINDOWS\Prefetch\VRT141.TMP-153583A6.pf
02/19/09 10:02:50 created xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:50 created phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:50 modified phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:50 written phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:02:51 created lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:52 accessed lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:52 accessed xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:52 created xccefb090131.scr C:\\WINDOWS\SYSTEM32\inf\xccefb090131.scr Win NT Screen Saver Code\Executable Match File, Archive
02/19/09 10:02:52 modified 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:52 written 143.tmp C:\\WINDOWS\SYSTEM32\143.tmp Windows Temporary Windows Match File, Archive
02/19/09 10:02:52 modified lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:52 written lgate[1].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\lgate[1].htm Web Page Document ! Bad signature File, Archive, Not Indexed
02/19/09 10:02:54 accessed irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:02:54 accessed xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 accessed xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 created xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 created xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 modified irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:02:54 modified xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 modified xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 written irzylwcf C:\\WINDOWS\irzylwcf ! Bad signature File, Archive
02/19/09 10:02:54 written xccdf16_090131a.dll C:\\WINDOWS\xccdf16_090131a.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:02:54 written xccdfb16_090131.dll C:\\WINDOWS\SYSTEM32\inf\xccdfb16_090131.dll Dynamic Link Library Code\Library Match File, Archive

02/19/09 10:02:55 another strange service fails to start...

GET http://85.17.166.133/dwn/klite9.dll?sid=C854505B4F080F0F000D54585E5E595D5E4F1F545B365C365836085B51363A0C1B1F000A0C4939080A02495A4F0A000D542D5B505D2B5A5A5E5B2C2F2A5D2D5D2A285F2A5F2D2D2D585B2F5E502A5B59284F081D545B2A5B58585151592F2C505F58582D2D5158512B585E5E595D5E2A2F2F2F2F2F4F1E1D545E585C580A5A5B5E59584F0B00545B58594F04061B1901000D54001B185D4F1B0C1F000D54585959515D69A101

02/19/09 10:02:55 logged SysEvent.Evt EVENT ID: 7000 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The aylnlfdx service failed to start due to the following error: %%317 -
02/19/09 10:02:56 created ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:56 modified imapi.exe C:\\WINDOWS\SYSTEM32\imapi.exe Windows Executable Code\Executable File, Archive
02/19/09 10:02:57 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:02:57 accessed AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive
02/19/09 10:02:57 accessed BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive
02/19/09 10:02:57 modified AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive
02/19/09 10:02:57 modified BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive
02/19/09 10:02:57 written AccessProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Text Document File, Archive
02/19/09 10:02:57 written BufferOverflowProtectionLog.txt C:\\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Text Document Match File, Archive
02/19/09 10:02:58 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:02:58 accessed ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:58 created 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:02:58 modified ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:58 written ge[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\ge[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:58 written services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:02:59 bro application/x-dosexec GET http://thaexp.cn/met/ge.txt
02/19/09 10:02:59 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/met/ge.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/met/ge.txt tag=@83-10576-604365
02/19/09 10:02:59 created em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:02:59 modified verclsid.exe C:\\WINDOWS\SYSTEM32\verclsid.exe Windows Executable Code\Executable File
02/19/09 10:03:00 accessed em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:00 modified 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:00 modified em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:00 written 145.tmp C:\\WINDOWS\SYSTEM32\145.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:00 written CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:00 written em[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\em[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:01 bro no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/met/ge.txt msg=164.107.xxx.177\ ->\ c83e4a32d0f6b2233b43ed3596766627\ http://thaexp.cn/met/ge.txt\ (hashed\ from\ the\ Team\ Cymru\ malware\ hash\ registry) sub=c83e4a32d0f6b2233b43ed3596766627 tag=@83-10576-604365
02/19/09 10:03:02 bro 209.205.196.18 GET http://209.205.196.18/em.txt
02/19/09 10:03:02 bro no=ConnectionWithSpamHausDropNet na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2295/tcp da=209.205.196.18 dp=80/tcp msg=164.107.xxx.177\ had\ a\ connection\ with\ a\ SpamHaus\ DROP\ list\ host tag=@83-10576-60451c
02/19/09 10:03:02 bro application/x-dosexec GET http://209.205.196.18/em.txt
02/19/09 10:03:02 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2295/tcp da=209.205.196.18 dp=80/tcp method=GET url=http://209.205.196.18/em.txt msg=application/x-dosexec\ GET\ http://209.205.196.18/em.txt tag=@83-10576-60451c
02/19/09 10:03:04 created CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:09 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:03:09 modified CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Application Layer Gateway Service service entered the stopped state. -

02/19/09 10:03:10 the firewall has stopped, the CcEvtSvc service starts...
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state. -
02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a stop control. -
02/19/09 10:03:13 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service was successfully sent a start control. -
02/19/09 10:03:13 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service entered the running state. -
02/19/09 10:03:14 created abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:14 created services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:14 modified netsh.exe C:\\WINDOWS\SYSTEM32\netsh.exe Windows Executable Code\Executable File, Archive
02/19/09 10:03:16 accessed abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:16 modified abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:16 written abb[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\QXLU2P44\abb[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:17 bro application/x-dosexec GET http://thaexp.cn/dll/abb.txt
02/19/09 10:03:17 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/abb.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/abb.txt tag=@83-10576-604365
02/19/09 10:03:17 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:03:17 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:03:17 created 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:17 created reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:17 written reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:18 created reader_s.exe C:\\Documents and Settings\smith.99999\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:18 written reader_s.exe C:\\Documents and Settings\smith.99999\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:03:23 created al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:24 accessed al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:24 created 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:24 created index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:24 modified 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:24 modified al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:24 written 147.tmp C:\\WINDOWS\SYSTEM32\147.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:03:24 written al[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\0BSM01W8\al[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:25 accessed index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:25 created doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:03:25 created pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:25 modified index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:25 written index[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\index[1] * Executable File, Archive, Not Indexed
02/19/09 10:03:25 written jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:25 written pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:26 bro application/x-dosexec GET http://thaexp.cn/dll/al.txt
02/19/09 10:03:26 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/al.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/al.txt tag=@83-10576-604365
02/19/09 10:03:26 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:03:26 modified jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:26 modified pydesepr.dll C:\\WINDOWS\SYSTEM32\pydesepr.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:27 bro application/x-dosexec GET http://85.17.169.55/forum/index.dll?setid=irq4&affid=177047&uid=2C211880FE9611DD818B177047CFFFFF&rid=pfobnf&guid=D294B3372EFC4D4CA6C6DDD12F79C20A
02/19/09 10:03:27 created jdfjpl.dll C:\\WINDOWS\SYSTEM32\jdfjpl.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:03:28 bro MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit GET http://lorentil.cn/dok/doc.txt

02/19/09 10:03:30 automatic updates have been disabled...
02/19/09 10:03:31 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The Automatic Updates service was successfully sent a stop control. -
02/19/09 10:03:39 accessed UNWISE.EXE C:\\Program Files\AWS\WeatherBug\UNWISE.EXE Windows Executable Code\Executable File, Archive
02/19/09 10:03:39 modified UNWISE.EXE C:\\Program Files\AWS\WeatherBug\UNWISE.EXE Windows Executable Code\Executable File, Archive
02/19/09 10:03:46 accessed WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
02/19/09 10:03:46 written WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
02/19/09 10:03:46 modified WUAUCLT.EXE-1360D60A.pf C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
02/19/09 10:03:49 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Automatic Updates service entered the stopped state. -
02/19/09 10:04:59 created system@coupons[1].txt coupons.com/ Cookies -
02/19/09 10:05:06 created system@google[1].txt google.com/ Cookies -
02/19/09 10:05:08 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=2335/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/2335\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-608373
02/19/09 10:05:08 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=2336/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/2336\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-608379
02/19/09 10:05:17 bro no=ProtocolFound na=NOTICE_FILE es=node07 sa=164.107.xxx.177 sp=2348/tcp da=216.195.57.253 dp=4658/tcp num=16 msg=164.107.xxx.177/2348\ >\ 216.195.57.253/4658\ Apache\ (via\ HTTP)\ on\ port\ 4658/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-60852e
02/19/09 10:05:28 created [email protected][2].txt m.webtrends.com/ Cookies -
02/19/09 10:05:28 created [email protected][1].txt signup.live.com/ Cookies -
02/19/09 10:05:28 created [email protected][2].txt www.upononjob.cn/ Cookies -
02/19/09 10:05:31 modified msmsgs.exe C:\\Program Files\Messenger\msmsgs.exe Windows Executable Code\Executable File, Archive
02/19/09 10:05:45 accessed [email protected][2].txt m.webtrends.com/ Cookies -
02/19/09 10:05:57 created upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed
02/19/09 10:05:57 created vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:05:58 accessed upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed
02/19/09 10:05:58 modified upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed
02/19/09 10:05:58 modified vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:05:58 written upd105320[1] C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\X5RWIZXC\upd105320[1] * Executable File, Archive, Not Indexed
02/19/09 10:05:58 written vgyixcnu.dll C:\\WINDOWS\SYSTEM32\vgyixcnu.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:06:00 bro application/x-dosexec GET http://77.93.75.147/db/upd105320.dll?setid=irq4&affid=177047&uid=2C211880FE9611DD818B177047CFFFFF&guid=D294B3372EFC4D4CA6C6DDD12F79C20A&rid=pfobnf
02/19/09 10:06:07 accessed doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:06:07 modified 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:06:07 modified doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:06:07 written 148.tmp C:\\WINDOWS\SYSTEM32\148.tmp Windows Temporary Windows * Executable File, Archive
02/19/09 10:06:07 written doc[1].txt C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\doc[1].txt Text Document * Executable File, Archive, Not Indexed
02/19/09 10:06:12 accessed lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:06:12 created lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
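The rows of this timeline arrive run together in the extracted text, and the signals the analyst notes call out (the firewall and Automatic Updates being stopped, an unknown service failing to start, Bro malware notices, new binaries dropped under C:\WINDOWS) can be picked out mechanically. As an added example that is not part of the original report, the Python below re-splits such text on the leading timestamp, classifies each row as file activity, event-log entry, Bro notice or analyst note, and returns triage labels; the sample rows are copied from this timeline (one long Bro msg= field shortened), while the watch lists and labels are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every timeline row opens with MM/DD/YY H:MM:SS; the extracted text has lost the line breaks.
TS = r"\d{2}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2}"
TS_RE = re.compile(TS)
ROW_RE = re.compile(rf"^({TS}) (.*)$", re.S)
ACTIVITIES = {"created", "modified", "written", "accessed", "logged", "bro"}

# Assumed watch lists: services whose stop is a "defense disabled" signal, and Bro
# notice types that mark malware delivery or blocklisted peers in this timeline.
DEFENSE_SERVICES = {
    "Windows Firewall/Internet Connection Sharing (ICS)",
    "Automatic Updates",
    "Application Layer Gateway Service",
}
NET_NOTICES = {"HTTP_Malware", "HTTP_IncorrectFileType", "ConnectionWithSpamHausDropNet"}

EVT_RE = re.compile(r"EVENT ID: (\d+) .*?DESCRIPTION: (.*)", re.S)
SVC_RE = re.compile(r"The (.+?) service (?:entered the (\w+) state|was successfully sent a (\w+) control|failed to start)")
BRO_RE = re.compile(r"\bno=(\w+)")
SYS_BIN_RE = re.compile(r"^(?:created|written) (\S+\.(?:exe|dll|sys|scr)) C:\\+WINDOWS\\", re.I)


@dataclass
class Event:
    ts: str
    kind: str  # an ACTIVITIES word, "note" (analyst text) or "fragment" (no timestamp)
    text: str  # everything after the timestamp


def split_rows(blob: str) -> List[str]:
    """Cut run-together timeline text into rows, one per leading timestamp."""
    starts = [m.start() for m in TS_RE.finditer(blob)]
    rows = [blob[:starts[0]]] if starts and starts[0] > 0 else []  # tail of a cut-off row
    for i, s in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(blob)
        rows.append(blob[s:end])
    return [r.strip() for r in rows if r.strip()]


def parse_row(row: str) -> Event:
    m = ROW_RE.match(row)
    if not m:
        return Event("", "fragment", row)
    ts, rest = m.group(1), m.group(2)
    first = rest.split(" ", 1)[0]
    return Event(ts, first if first in ACTIVITIES else "note", rest)


def flag(ev: Event) -> Optional[str]:
    """Triage label for rows an analyst should look at first, else None."""
    if ev.kind == "logged":
        m = EVT_RE.search(ev.text)
        s = SVC_RE.search(m.group(2)) if m else None
        if not s:
            return None
        svc, state, control = s.groups()
        if svc in DEFENSE_SERVICES and (state == "stopped" or control == "stop"):
            return f"defense disabled: {svc}"
        if m.group(1) == "7000":  # service failed to start (here a randomly named one)
            return f"unknown service failed to start: {svc}"
    elif ev.kind == "bro":
        m = BRO_RE.search(ev.text)
        if m and m.group(1) in NET_NOTICES:
            return f"network alert: {m.group(1)}"
    elif ev.kind in ("created", "written"):
        m = SYS_BIN_RE.match(ev.text)
        if m:
            return f"new binary under C:\\WINDOWS: {m.group(1)}"
    return None


def triage(blob: str) -> List[Tuple[str, str]]:
    """(timestamp, label) for every flagged row, in timeline order."""
    out = []
    for row in split_rows(blob):
        ev = parse_row(row)
        label = flag(ev)
        if label:
            out.append((ev.ts, label))
    return out


# Sample input: rows copied from this timeline, run together exactly as the extracted
# page shows them (the HTTP_Malware msg= field shortened).
SAMPLE = (
    r"02/19/09 10:02:55 logged SysEvent.Evt EVENT ID: 7000 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The aylnlfdx service failed to start due to the following error: %%317 -"
    r"02/19/09 10:02:58 written services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive"
    r"02/19/09 10:03:01 bro no=HTTP_Malware na=NOTICE_EMAIL es=node00.0 sa=164.107.xxx.177 sp=2293/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/met/ge.txt sub=c83e4a32d0f6b2233b43ed3596766627 tag=@83-10576-604365"
    r"02/19/09 10:03:04 created CcEvtSvc.exe C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe Windows Executable Code\Executable Match File, Archive"
    r"02/19/09 10:03:10 the firewall has stopped, the CcEvtSvc service starts..."
    r"02/19/09 10:03:10 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state. -"
    r"02/19/09 10:03:13 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service entered the running state. -"
    r"02/19/09 10:03:31 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Automatic Updates service was successfully sent a stop control. -"
)

if __name__ == "__main__":
    for ts, label in triage(SAMPLE):
        print(ts, label)
```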

02/19/09 10:06:12 created uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System
02/19/09 10:06:12 modified lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:06:12 written lgsztotz.exe C:\\WINDOWS\lgsztotz.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:06:19 accessed [email protected][2].txt www.upononjob.cn/ Cookies -
02/19/09 10:06:22 modified uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System
02/19/09 10:06:22 written uncxiygv.ini C:\\WINDOWS\SYSTEM32\uncxiygv.ini Initialization Windows ! Bad signature File, Hidden, System

02/19/09 10:16:11 system reboots (after a crash?)
02/19/09 10:16:12 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link. -
02/19/09 10:16:19 accessed SbClientManager.exe C:\\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive
02/19/09 10:16:19 accessed mdm.exe C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive
02/19/09 10:16:35 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free. -
02/19/09 10:16:35 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started. -
02/19/09 10:16:36 logged SysEvent.Evt EVENT ID: 1001 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The computer has rebooted from a bugcheck. The bugcheck was:;0x1000007e (0xc0000005, 0x8239c12a, 0xb829aaf4, 0xb829a7f0).;A dump was saved in: C:\WINDOWS\Minidump\Mini021909-01.dmp. -
02/19/09 10:17:05 created ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:17:05 modified ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:17:05 written ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:17:11 modified SbClientManager.exe C:\\Program Files\SafeBoot\SbClientManager.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:19 bro no=ProtocolFound na=NOTICE_FILE es=node02.0 sa=164.107.xxx.177 sp=1049/tcp da=94.76.216.202 dp=9011/tcp num=16 msg=164.107.xxx.177/1049\ >\ 94.76.216.202/9011\ Apache\ (via\ HTTP)\ on\ port\ 9011/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-61d02b
02/19/09 10:17:25 modified mdm.exe C:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:34 bro no=ProtocolFound na=NOTICE_FILE es=node02.0 sa=164.107.xxx.177 sp=1078/tcp da=94.76.216.202 dp=9011/tcp num=16 msg=164.107.xxx.177/1078\ >\ 94.76.216.202/9011\ Apache\ (via\ HTTP)\ on\ port\ 9011/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-61d446

02/19/09 10:17:45 spam starts...
02/19/09 10:17:47 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapter with settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator. -
02/19/09 10:17:52 modified acrodist.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:52 modified fxssvc.exe C:\\WINDOWS\SYSTEM32\fxssvc.exe Windows Executable Code\Executable File, Archive
02/19/09 10:17:58 modified agent.exe C:\\Program Files\Common Files\InstallShield\UpdateService\agent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:18:16 modified xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive
02/19/09 10:18:16 written xccwinsys.ini C:\\WINDOWS\xccwinsys.ini Initialization Windows ! Bad signature File, Archive

02/19/09 10:18:52 huh...
02/19/09 10:18:53 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts. -
02/19/09 10:19:00 logged SysEvent.Evt EVENT ID: 10010 EVENT TYPE: ERROR EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout. -
02/19/09 10:19:14 modified dumprep.exe C:\\WINDOWS\SYSTEM32\dumprep.exe Windows Executable Code\Executable File, Archive
02/19/09 10:19:47 created system@atdmt[1].txt atdmt.com/ Cookies -
02/19/09 10:19:47 created system@google[1].txt google.com/ Cookies -
02/19/09 10:19:47 created system@live[2].txt live.com/ Cookies -
02/19/09 10:19:47 created [email protected][1].txt msnaccountservices.112.2o7.net/ Cookies -
02/19/09 10:19:47 created system@yahoo[1].txt yahoo.com/ Cookies -
02/19/09 10:19:47 created [email protected][1].txt 66.48.78.222/ron/ Cookies -
02/19/09 10:19:47 created [email protected][1].txt hotelinternetstrategies.122.2o7.net/ Cookies -
02/19/09 10:19:47 created smith.99999@lacasaquecanta[2].txt lacasaquecanta.com/ Cookies -
02/19/09 10:19:47 created smith.99999@weatherbug[1].txt weatherbug.com/ Cookies -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7026 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The following boot-start or system-start driver(s) failed to load: ;irzylwcf;zmzfozjg -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state. -
02/19/09 10:20:00 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state. -
02/19/09 10:20:04 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=2482/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/2482\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-6218f1
02/19/09 10:20:05 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=2484/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/2484\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-621967
02/19/09 10:20:27 modified userinit.exe C:\\WINDOWS\SYSTEM32\userinit.exe Windows Executable Code\Executable File, Archive
02/19/09 10:20:43 accessed ojaocbok.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ojaocbok.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:20:45 accessed phqghume.sys C:\\WINDOWS\SYSTEM32\DRIVERS\phqghume.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:20:51 bro

02/19/09 10:20:58 logged SysEvent.Evt EVENT ID: 1003 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Error code 1000007e, parameter1 c0000005, parameter2 8239c12a, parameter3 b829aaf4, parameter4 b829a7f0. -
02/19/09 10:20:59 modified dwwin.exe C:\\WINDOWS\SYSTEM32\dwwin.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:21:10 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/17421@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily -
02/19/09 10:21:13 bro application/x-dosexec GET http://thaexp.cn/dll/al.txt
02/19/09 10:21:13 bro no=HTTP_IncorrectFileType na=NOTICE_ALARM_ALWAYS es=node00.0 sa=164.107.xxx.177 sp=3425/tcp da=211.95.79.6 dp=80/tcp method=GET url=http://thaexp.cn/dll/al.txt msg=application/x-dosexec\ GET\ http://thaexp.cn/dll/al.txt tag=@83-10576-6237d8
02/19/09 10:21:17 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235056857&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=&lta=&ltat=&ltaz=&sed=0&lpt=1235048003&rnd=12382&&&&vcw=452&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=170&lvh=&wat=1235055111&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=1&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily -
02/19/09 10:21:22 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/18716@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=170&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily -
02/19/09 10:21:25 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control. -
02/19/09 10:21:37 modified senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 10:21:37 written senekaklpapjct.dat C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 10:21:49 accessed index.dat :Host: 66.48.78.222 History\Daily -
02/19/09 10:21:49 accessed index.dat http://66.48.78.222/ron/ronz.php?sid=&numpop=2&nid=1535187396&mid=8640037421&servern=&rurl=http://popunder.adsrevenue.net/linksed.php?sn=1781235056906&uip=164.107.xxx.177&siteid=Sniper34&clater=1&serverfile=popnetwork&ref=http%3A%2F%2Fklite.ath.cx%2F&clicksor=&unsold=0&data=rSe_2%CA%D1%D3%CE%CA%D0%D3%D1%CD%D4%C7%28%24rOa%5E2%EC%2A%26%26%7B%2A%D0%CC%C3.3%FA%24b%27%2B%2C%27%C9%D0%C6%FA%FE%2B%23%FC%DA%F3%F4%E7%E4D%FE%7Dn%5D%7E%2F%E1%FD%2A%2C3%25%7E%DB%D1%BE%2BsLIoV%22%251%2F%D7%D1%C3%F9%7D.%F2%2A%7BjSls2%CC%C52%24%2A%27%26%FC%DA%CE&url=http%3A%2F%2F64.246.15.27%2Fron%2Fblank.php History\Daily -
02/19/09 10:21:54 accessed index.dat http://66.48.78.222/ron/ronz.php?sid=&numpop=2&nid=1535187396&mid=8640037463&servern=&rurl=http://popunder.adsrevenue.net/linksed.php?sn=1781235056912&uip=164.107.xxx.177&siteid=Sniper34&clater=1&serverfile=popnetwork&ref=http%3A%2F%2Fklite.ath.cx%2F&clicksor=&unsold=0&data=rSe_2%CA%D1%D3%CE%CA%D0%D3%D1%CE%D0%C7%29+rOa%5E2%EC%2A%26%26%7B%2A%D0%CC%C3.3%FB+b%27%2B%2C%27%C9%D0%C6%FA%FE%2B%23%FC%DA%F3%F4%E8%E0D%FE%7Dn%5D%7E%2F%E1%FD%2A%2C3%25%7E%DB%D1%BF%27sLIoV%22%251%2F%D7%D1%C3%F9%7D.%F2%2B%FBjSls2%CC%C52%24%2A%27%26%FC%DA%CE&url=http%3A%2F%2F64.246.15.27%2Fron%2Fblank.php History\Daily -
02/19/09 10:22:35 accessed index.dat http://66.48.78.222/ron/ronz.php?sid=&numpop=2&nid=1535187396&mid=8640037540&servern=&rurl=http://popunder.adsrevenue.net/linksed.php?sn=1781235056920&uip=164.107.xxx.177&siteid=Sniper34&clater=1&serverfile=popnetwork&ref=http%3A%2F%2Fklite.ath.cx%2F&clicksor=&unsold=0&data=rSe_2%CA%D1%D3%CE%CA%D0%D3%D1%CF%CE%C7%2A%7DrOa%5E2%EC%2A%26%26%7B%2A%D0%CC%C3.3%FC%7Db%27%2B%2C%27%C9%D0%C6%FA%FE%2B%23%FC%DA%F3%F4%E9%DED%FE%7Dn%5D%7E%2F%E1%FD%2A%2C3%25%7E%DB%D1%C0%25sLIoV%22%251%2F%D7%D1%C3%F9%7D.%F2%2C%F9jSls2%CC%C52%24%2A%27%26%FC%DA%CE&url=http%3A%2F%2F64.246.15.27%2Fron%2Fblank.php History\Daily -
02/19/09 10:22:39 accessed index.dat :Host: yourtrafficserver.com History\Daily -
02/19/09 10:22:39 accessed index.dat http://yourtrafficserver.com History\Daily -
02/19/09 10:22:50 bro no=ConnectionWithSpamHausDropNet na=NOTICE_ALARM_ALWAYS es=node03.1 sa=164.107.xxx.177 sp=1474/tcp da=91.211.65.76 dp=80/tcp msg=164.107.xxx.177\ had\ a\ connection\ with\ a\ SpamHaus\ DROP\ list\ host tag=@83-10576-6264ad
02/19/09 10:22:57 bro
02/19/09 10:23:00 bro

02/19/09 10:23:00 accessed index.dat :Host: www.hotelrooms.com History\Daily
02/19/09 10:23:00 accessed index.dat http://www.hotelrooms.com/cgi-bin/search/index.plx?ID=1185303433 History\Daily
02/19/09 10:23:00 accessed [email protected][1].txt hotelinternetstrategies.122.2o7.net/ Cookies
02/19/09 10:23:00 accessed smith.99999@lacasaquecanta[2].txt lacasaquecanta.com/ Cookies
02/19/09 10:23:13 accessed index.dat :Host: www.google.com History\Daily
02/19/09 10:23:18 logged SysEvent.Evt EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'Disk0'. It has stopped monitoring the volume.
02/19/09 10:23:19 bro

02/19/09 10:23:21 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=2145/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/2145\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62725d
02/19/09 10:23:54 bro no=ProtocolViolation na=NOTICE_FILE es=node02.1 sa=164.107.xxx.177 sp=2684/tcp da=202.224.39.235 dp=25/tcp num=30 msg=164.107.xxx.177/2684\ >\ 202.224.39.235/smtp\ analyzer\ SMTP\ disabled\ due\ to\ protocol\ violation\ [debug:\ service\=other] sub=reply\ code\ -1\ out\ of\ range\ [50] tag=@83-10576-6281eb
02/19/09 10:24:58 accessed index.dat :Host: www.yahoo.com History\Daily
02/19/09 10:25:00 created [email protected][2].txt ad.yieldmanager.com/ Cookies
02/19/09 10:25:07 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4702/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4702\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62a3c0
02/19/09 10:25:15 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4809/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4809\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62a6fd
02/19/09 10:26:50 accessed index.dat :Host: oca.microsoft.com History\Daily
02/19/09 10:26:50 accessed index.dat http://oca.microsoft.com/en/dcp20.asp History\Daily
02/19/09 10:26:52 logged SysEvent.Evt EVENT ID: 7034 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The CcEvtSvc service terminated unexpectedly. It has done this 1 time(s).
02/19/09 10:26:56 created [email protected][2].txt ad.yieldmanager.com/ Cookies
02/19/09 10:26:56 created [email protected][1].txt www.yahoo.com/ Cookies
02/19/09 10:26:56 created system@yahoo[1].txt yahoo.com/ Cookies
02/19/09 10:27:11 accessed index.dat http://webcal.vip.ohio-state.edu/fcgi-bin/swc/lexacal.fcgi?go=login&time_out=on&ada=off History\Daily
02/19/09 10:27:24 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=3093/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/3093\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-62dfd6
02/19/09 10:28:20 bro no=FastFluxSUB12A na=NOTICE_ALARM_ALWAYS es=node05.0 sa=164.107.xxx.177 sp=1035/udp da=207.44.136.106 dp=53/udp msg=\ threshold\ exceeded\ for\ pjpdata-com.relay1c.spamh.com\ SUB:\ 3\ 0.00925925925925925 tag=@be-9e69-877ee
02/19/09 10:28:46 accessed index.dat http://www.yahoo.com History\Daily
02/19/09 10:28:46 accessed [email protected][1].txt www.yahoo.com/ Cookies
02/19/09 10:28:47 accessed index.dat http://www.yahoo.com History\Visited Link
02/19/09 10:28:55 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4720/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4720\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-6306e7
02/19/09 10:28:58 bro no=ProtocolFound na=NOTICE_FILE es=node04.1 sa=164.107.xxx.177 sp=4760/tcp da=216.195.62.100 dp=2084/tcp num=16 msg=164.107.xxx.177/4760\ >\ 216.195.62.100/2084\ Apache\ (via\ HTTP)\ on\ port\ 2084/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-6307fc
02/19/09 10:29:03 accessed system@yahoo[1].txt yahoo.com/ Cookies
02/19/09 10:29:26 accessed [email protected][2].txt ad.yieldmanager.com/ Cookies

164.107.xxx.177:1652 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M ^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:

164.107.xxx.177:2315 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:

164.107.xxx.177:3252 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M ^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:

164.107.xxx.177:1629 > 69.46.16.191:80 POST data: os=2600&ver=2.0.5&idx=cdb30140-ebb8-11d8-a4a8-806d6172696f&user=co&ioctl=10&[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M ^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^[email protected]^M^J^M^J User-Agent: User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Referrer: Proxied for:


02/19/09 10:30:23 modified MPNOTIFY.EXE C:\\WINDOWS\SYSTEM32\MPNOTIFY.EXE Windows Executable Code\Executable File, Archive
02/19/09 10:30:38 accessed WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/19/09 10:30:38 written WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/19/09 10:30:38 modified WGATRAY.EXE-350D4455.pf C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf
02/19/09 10:30:39 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:30:39 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:30:44 accessed index.dat http://www.google.com History\Daily
02/19/09 10:30:46 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.

02/19/09 10:30:51 spam!
02/19/09 10:30:52 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=2040/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/2040\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-633e25
02/19/09 10:30:54 bro

02/19/09 10:30:54 bro 3435 log entries about spamming redacted :-)
02/19/09 10:31:01 accessed SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/19/09 10:31:01 written SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/19/09 10:31:01 modified SMAX4PNP.EXE-1CC48B49.pf C:\WINDOWS\Prefetch\SMAX4PNP.EXE-1CC48B49.pf
02/19/09 10:31:02 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:31:03 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:31:06 accessed SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/19/09 10:31:06 written SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/19/09 10:31:06 modified SGTRAY.EXE-31581176.pf C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf
02/19/09 10:31:07 accessed TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/19/09 10:31:07 written TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/19/09 10:31:07 modified TFSWCTRL.EXE-2D67C816.pf C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf
02/19/09 10:31:12 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:31:46 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: TransferAgent.exe - Application Error : The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.
02/19/09 10:32:06 bro no=ProtocolViolation na=NOTICE_FILE es=node23 sa=164.107.xxx.177 sp=2383/tcp da=68.178.201.225 dp=25/tcp num=30 msg=164.107.xxx.177/2383\ >\ 68.178.201.225/smtp\ analyzer\ SMTP\ disabled\ due\ to\ protocol\ violation\ [debug:\ service\=other] sub=reply\ code\ -1\ out\ of\ range\ [ERROR:\ ld.so:\ object\ '/tmp/getuid.so'\ fr...] tag=@83-10576-636084
02/19/09 10:32:26 accessed index.dat file:///C:/Program Files/AWS/WeatherBug/Local/bot_loading.html History\Daily
02/19/09 10:32:32 accessed index.dat https://edit.yahoo.com/registration History\Visited Link
02/19/09 10:32:34 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
02/19/09 10:32:37 created smith.99999@weatherbug[1].txt weatherbug.com/ Cookies
02/19/09 10:32:38 accessed index.dat file:///C:/Program Files/AWS/WeatherBug/Local/center_loading.html History\Daily
02/19/09 10:32:39 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235057547&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=&lta=&ltat=&ltaz=&sed=0&lpt=1235048003&rnd=11942&&&&vcw=453&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=171&lvh=&wat=1235056820&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=0&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily
02/19/09 10:32:40 created smith.99999@tacoda[3].txt tacoda.net/ Cookies
02/19/09 10:32:48 created smith.99999@doubleclick[1].txt doubleclick.net/ Cookies
02/19/09 10:32:50 accessed index.dat http://deskwx.weatherbug.com/WeatherWindow/WeatherWindow.html?lvl=0&zip=43204&con1=111&sunr=1235045940&suns=1235085120&ut=1235057559&stat=KTZR&L1=535&ver=6.07&camera_id=&ccamzip=&lta=&ltat=&ltaz=&sed=0&lpt=1235048003&rnd=14604&&&&vcw=454&lvw=1210334133&lvd=1209989319&dosp=0&UA1=506&UA5=506&zcode=Z5264&showgutsads=1&screen_x=1152&screen_y=804&lvr=&lvu=&wpt=&A2=171&lvh=&wat=1235057523&A1=50500&dsr=506&dsu=506&dssp=-1&dspm=-1&pmls=1234184569&D3=3&UA3=-1&UA11=&UA15=&L4=23&UA16=&ui=1&n=506267455&alid=0&u=&LRR=&L3=OH History\Daily
02/19/09 10:32:51 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/3902@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=171&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily
02/19/09 10:32:58 accessed index.dat http://pub.weatherbug.com/RealMedia/ads/adstream_sx.cgi/www.wbug.com/HM/153@lb1?_RM_HTML_KEYWORDZ3_=43204&_RM_HTML_KEYWORDWO1_=21.20&_RM_HTML_KEYWORDL2_=Columbus&_RM_HTML_KEYWORDL3_=OH&_RM_HTML_KEYWORDHO1_=0.50&_RM_HTML_KEYWORDPC_=Z5264&A1=50500&A2=171&D1=2&D3=3&FC1=111&FC2=4&FC3=40&HO1=0.50&HO4=Mixed Trace.&L1=535&L2=Columbus&L3=OH&L4=23&N=506267455&Nav1=HM&Nav2=HM_Unknown&PC=Z5264&S2=&S3=0&SP1=&SP2=&SP5=-1&TW3=&UA1=506&WO1=21.20&WO3=0&WO4=58.00&Z3=43204& History\Daily
02/19/09 10:33:22 accessed [email protected][1].txt serving.adsrevenue.clicksor.net/ Cookies
02/19/09 10:33:22 created [email protected][1].txt serving.adsrevenue.clicksor.net/ Cookies
02/19/09 10:33:23 created smith.99999@adsrevenue[2].txt adsrevenue.net/ Cookies
02/19/09 10:33:24 created smith.99999@adsrevenue[2].txt adsrevenue.net/ Cookies
02/19/09 10:33:29 created [email protected][1].txt 66.221.37.124/ Cookies
02/19/09 10:33:30 created [email protected][1].txt 66.221.37.124/ Cookies
02/19/09 10:33:40 created [email protected][2].txt www.advertyz.com/ Cookies
02/19/09 10:33:45 accessed index.dat http://klite.ath.cx History\Daily
02/19/09 10:34:06 created system@atdmt[1].txt atdmt.com/ Cookies
02/19/09 10:34:06 created [email protected][1].txt c.live.com/ Cookies
02/19/09 10:34:06 created [email protected][1].txt couponbar.coupons.com/ Cookies
02/19/09 10:34:06 created [email protected][2].txt home.live.com/ Cookies
02/19/09 10:34:06 created system@live[2].txt live.com/ Cookies
02/19/09 10:34:06 created [email protected][1].txt login.live.com/ Cookies
02/19/09 10:34:06 created system@msn[1].txt msn.com/ Cookies
02/19/09 10:34:06 created [email protected][1].txt p.live.com/ Cookies
02/19/09 10:34:06 created system@quantserve[2].txt quantserve.com/ Cookies
02/19/09 10:34:06 created [email protected][2].txt rad.live.com/ Cookies
02/19/09 10:34:06 created [email protected][1].txt signup.live.com/ Cookies
02/19/09 10:34:06 created smith.99999@bronsonestopshop[1].txt bronsonestopshop.com/ Cookies
02/19/09 10:34:06 created smith.99999@dupontsupercenter[1].txt dupontsupercenter.com/ Cookies
02/19/09 10:34:06 created smith.99999@easymoneywith6[1].txt easymoneywith6.com/ Cookies
02/19/09 10:34:06 created smith.99999@garciaworldshopping[1].txt garciaworldshopping.com/ Cookies
02/19/09 10:34:06 created smith.99999@hafbargainmall[1].txt hafbargainmall.com/ Cookies
02/19/09 10:34:06 created smith.99999@homecybermall[1].txt homecybermall.com/ Cookies
02/19/09 10:34:06 created smith.99999@klywebmall[1].txt klywebmall.com/ Cookies
02/19/09 10:34:06 created smith.99999@kpbmarketing[1].txt kpbmarketing.com/ Cookies
02/19/09 10:34:06 created [email protected][1].txt load.exelator.com/load/ Cookies
02/19/09 10:34:06 created smith.99999@micksmarketplace[1].txt micksmarketplace.com/ Cookies
02/19/09 10:34:06 created smith.99999@paulwebmall[1].txt paulwebmall.com/ Cookies
02/19/09 10:34:06 created smith.99999@popunderadvertise[2].txt popunderadvertise.com/ Cookies
02/19/09 10:34:06 created smith.99999@pro-market[2].txt pro-market.net/ Cookies
02/19/09 10:34:06 created smith.99999@sharmanshoppingcenter[1].txt sharmanshoppingcenter.com/ Cookies
02/19/09 10:34:06 created smith.99999@shopfrhomestore[1].txt shopfrhomestore.com/ Cookies
02/19/09 10:34:06 created smith.99999@stephanusonestop[1].txt stephanusonestop.com/ Cookies
02/19/09 10:34:06 created smith.99999@surrettshoppingcenter[1].txt surrettshoppingcenter.com/ Cookies
02/19/09 10:34:06 created smith.99999@toyowebmall[1].txt toyowebmall.com/ Cookies
02/19/09 10:34:06 created smith.99999@wilsonfindings77[1].txt wilsonfindings77.com/ Cookies
02/19/09 10:34:06 created [email protected][2].txt www.advertyz.com/ Cookies
02/19/09 10:34:06 created smith.99999@zedo[2].txt zedo.com/ Cookies
02/19/09 10:34:10 accessed index.dat https://signup.live.com/Redirect.aspx?mkt=en-us&rollrs=12&lic=1&sutk=1235057632640&wa=wsignin1.0 History\Visited Link
02/19/09 10:34:10 accessed [email protected][1].txt login.live.com/ Cookies
02/19/09 10:34:11 accessed index.dat https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=10&ct=1235057645&rver=5.5.4177.0&wp=MBI_SSL&wreply=https://signup.live.com/Redirect.aspx?mkt=en-us&rollrs=12&lic=1&sutk=1235057632640&lc=1033&id=68692&slt=B1yRQXXJ*aFcLPgVingrbnFQrXlcxyJ3RVev8NrY*EDGTMx!4gz79HMaETAUcRnmk5F!Lb*JpOFcWuad0NKHGptlODnpnKxzErxWAGrplokR0kktq3s3r1m4dSwJ History\Visited Link
02/19/09 10:34:13 accessed [email protected][2].txt home.live.com/ Cookies
02/19/09 10:34:26 accessed [email protected][1].txt p.live.com/ Cookies
02/19/09 10:34:34 accessed index.dat http://sup.live.com/WhatsNew/WNFeed.aspx?cid=e93b3cb24497333b&key=23256283-1a41-41a9-9a42-a9d07e52b391&mkt=en-US History\Visited Link
02/19/09 10:34:36 accessed index.dat :Host: home.live.com History\Daily
02/19/09 10:34:36 accessed index.dat http://home.live.com History\Daily
02/19/09 10:34:36 accessed index.dat http://home.live.com History\Visited Link
02/19/09 10:34:36 accessed [email protected][1].txt c.live.com/ Cookies
02/19/09 10:34:36 accessed system@msn[1].txt msn.com/ Cookies
02/19/09 10:34:36 accessed [email protected][2].txt rad.live.com/ Cookies
02/19/09 10:34:40 accessed system@quantserve[2].txt quantserve.com/ Cookies
02/19/09 10:34:41 accessed system@atdmt[1].txt atdmt.com/ Cookies
02/19/09 10:34:49 accessed index.dat http://www.google.com History\Daily
02/19/09 10:34:49 accessed index.dat http://www.google.com History\Visited Link
02/19/09 10:34:54 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=1532/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/1532\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-63ae76
02/19/09 10:34:55 accessed system@google[1].txt google.com/ Cookies
02/19/09 10:34:57 bro no=ProtocolFound na=NOTICE_FILE es=node03.1 sa=164.107.xxx.177 sp=1592/tcp da=216.195.58.113 dp=2085/tcp num=16 msg=164.107.xxx.177/1592\ >\ 216.195.58.113/2085\ Apache\ (via\ HTTP)\ on\ port\ 2085/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-63afa4
02/19/09 10:35:01 accessed system@live[2].txt live.com/ Cookies
02/19/09 10:35:01 accessed [email protected][1].txt signup.live.com/ Cookies
02/19/09 10:35:13 accessed smith.99999@tacoda[3].txt tacoda.net/ Cookies
02/19/09 10:35:15 accessed [email protected][1].txt msnaccountservices.112.2o7.net/ Cookies
02/19/09 10:35:17 accessed smith.99999@garciaworldshopping[1].txt garciaworldshopping.com/ Cookies
02/19/09 10:35:17 accessed smith.99999@micksmarketplace[1].txt micksmarketplace.com/ Cookies
02/19/09 10:35:17 accessed smith.99999@shopfrhomestore[1].txt shopfrhomestore.com/ Cookies
02/19/09 10:35:17 accessed smith.99999@toyowebmall[1].txt toyowebmall.com/ Cookies
02/19/09 10:35:21 accessed smith.99999@popunderadvertise[2].txt popunderadvertise.com/ Cookies
02/19/09 10:35:24 accessed smith.99999@hafbargainmall[1].txt hafbargainmall.com/ Cookies
02/19/09 10:35:25 accessed index.dat https://signup.live.com/signup.aspx?mkt=en-us&rollrs=12&lic=1 History\Visited Link
02/19/09 10:35:35 accessed smith.99999@kpbmarketing[1].txt kpbmarketing.com/ Cookies
02/19/09 10:35:36 accessed smith.99999@bronsonestopshop[1].txt bronsonestopshop.com/ Cookies
02/19/09 10:35:36 accessed smith.99999@wilsonfindings77[1].txt wilsonfindings77.com/ Cookies

no=SMTP_PossibleInternalSpam na=NOTICE_EMAIL es=node01.1 sa=164.107.xxx.177 sp=1865/tcp da=212.227.15.134 dp=25/tcp msg=164.107.xxx.177\ appears\ to\ be\ spamming sub=sent:\ 319\ rejected:\ 30\ percent\ mailto:\ [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected] tag=@83-10576-633f4b


02/19/09 10:35:37 accessed smith.99999@klywebmall[1].txt klywebmall.com/ Cookies
02/19/09 10:35:37 accessed smith.99999@sharmanshoppingcenter[1].txt sharmanshoppingcenter.com/ Cookies
02/19/09 10:35:42 accessed index.dat couponbar.coupons.com/ Cookies
02/19/09 10:35:42 accessed system@coupons[1].txt coupons.com/ Cookies
02/19/09 10:35:42 accessed system@google[1].txt google.com/ Cookies
02/19/09 10:35:45 accessed [email protected][1].txt couponbar.coupons.com/ Cookies
02/19/09 10:35:47 accessed stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:47 created stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:47 modified stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:47 written stats[2].htm C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\BR3XKV9F\stats[2].htm Web Page Document Match File, Archive, Not Indexed
02/19/09 10:35:57 logged SysEvent.Evt EVENT ID: 6006 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was stopped.

02/19/09 10:36:18 system shutdown?
02/19/09 10:36:19 created zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:36:19 modified zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:36:19 written zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:36:20 accessed seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:36:20 created seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:36:20 modified seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:36:20 written seneka.sys C:\\WINDOWS\SYSTEM32\DRIVERS\seneka.sys Device Driver Code\Executable Match File, Archive

02/19/09 10:37:01 system boots...
02/19/09 10:37:02 logged SysEvent.Evt EVENT ID: 9 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Broadcom 440x 10/100 Integrated Controller: Network controller configured for 100Mb full-duplex link.
02/19/09 10:37:03 written seneka C:\\WINDOWS\SYSTEM32\CONFIG\SYSTEM\NTRegistry\$$$PROTO.HIV\ControlSet003\Services\seneka Folder ! Bad signature Folder, Registry Entry
02/19/09 10:37:03 written seneka C:\\WINDOWS\SYSTEM32\CONFIG\SYSTEM\NTRegistry\$$$PROTO.HIV\ControlSet004\Services\seneka Folder ! Bad signature Folder, Registry Entry
02/19/09 10:37:09 accessed DVDLauncher.exe C:\\Program Files\CyberLink\PowerDVD\DVDLauncher.exe Windows Executable Code\Executable File
02/19/09 10:37:09 accessed acrotray.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:37:09 accessed issch.exe C:\\Program Files\Common Files\InstallShield\UpdateService\issch.exe Windows Executable Code\Executable File, Archive
02/19/09 10:37:09 accessed senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:37:09 accessed senekalhtijurw.sys C:\\WINDOWS\SYSTEM32\DRIVERS\senekalhtijurw.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:37:09 accessed smax4pnp.exe C:\\Program Files\Analog Devices\Core\smax4pnp.exe Windows Executable Code\Executable File, Archive
02/19/09 10:37:09 modified senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:37:09 written senekafqqjlktq.dll C:\\WINDOWS\SYSTEM32\senekafqqjlktq.dll Dynamic Link Library Code\Library Match File, Archive
02/19/09 10:37:10 accessed ethqqaeg.sys C:\\WINDOWS\SYSTEM32\DRIVERS\ethqqaeg.sys Device Driver Code\Executable Match File, Archive
02/19/09 10:37:12 accessed hiberfil.sys http://ubw.osu.edu/ubw_at_ohio.htm Bookmarks
02/19/09 10:37:12 accessed hiberfil.sys http://ubw.osu.edu/underwater_basket_weaving_facilities_at_ohio.htm Bookmarks
02/19/09 10:37:12 accessed hiberfil.sys http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsm!a Bookmarks
02/19/09 10:37:12 accessed hiberfil.sys http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail Bookmarks
02/19/09 10:37:13 accessed zmzfozjg C:\\WINDOWS\zmzfozjg ! Bad signature File, Archive
02/19/09 10:37:22 logged SysEvent.Evt EVENT ID: 6009 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.
02/19/09 10:37:22 logged SysEvent.Evt EVENT ID: 6005 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Event log service was started.
02/19/09 10:37:43 bro no=ProtocolFound na=NOTICE_FILE es=node02.0 sa=164.107.xxx.177 sp=1033/tcp da=94.76.216.202 dp=9011/tcp num=16 msg=164.107.xxx.177/1033\ >\ 94.76.216.202/9011\ Apache\ (via\ HTTP)\ on\ port\ 9011/tcp sub=Apache\ (via\ HTTP) tag=@83-10576-63fb81
02/19/09 10:38:16 logged SysEvent.Evt EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
02/19/09 10:38:35 logged SysEvent.Evt EVENT ID: 11162 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The system failed to register host (A) resource records (RRs) for;network adapterwith settings:; Adapter Name : {A45FF4F5-BE0B-4156-B8E8-7CFCB02CE985}; Host Name : hackedpc; Primary Domain Suffix : ubw.ohio-state.edu; DNS server list :; 164.107.xxx.29, 128.146.1.7, 128.146.48.7; Sent update to server : 164.1.1.1; IP Address(es) :; 164.107.xxx.177;The reason the system could not register these RRs was because the;update request it sent to the DNS server timed out. The most likely;cause of this is that the DNS server authoritative for the name it;was attempting to register or update is not running at this time.;You can manually retry DNS registration of the network adapter and;its settings by typing "ipconfig /registerdns" at the command prompt.;If problems still persist, contact your DNS server or network systems;administrator.
02/19/09 10:38:36 modified smax4pnp.exe C:\\Program Files\Analog Devices\Core\smax4pnp.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:39 modified igfxtray.exe C:\\WINDOWS\SYSTEM32\igfxtray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:40 modified hkcmd.exe C:\\WINDOWS\SYSTEM32\hkcmd.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:43 modified DVDLauncher.exe C:\\Program Files\CyberLink\PowerDVD\DVDLauncher.exe Windows Executable Code\Executable File
02/19/09 10:38:46 modified sgtray.exe C:\\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:38:48 accessed sgtray.exe C:\\Program Files\Common Files\Sonic\Update Manager\sgtray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:00 modified acrotray.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:04 modified ISUSPM.exe C:\\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:06 accessed acrodist.exe C:\\Program Files\Adobe\Acrobat 7.0\Distillr\acrodist.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:07 accessed ISUSPM.exe C:\\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:07 modified issch.exe C:\\Program Files\Common Files\InstallShield\UpdateService\issch.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:27 accessed xccef090131.exe C:\\WINDOWS\SYSTEM\xccef090131.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:39:49 logged SysEvent.Evt EVENT ID: 10010 EVENT TYPE: ERROR EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.
02/19/09 10:39:53 modified SbTrayManager.exe C:\\Program Files\SafeBoot Tray Manager\SbTrayManager.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:54 accessed agent.exe C:\\Program Files\Common Files\InstallShield\UpdateService\agent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:39:54 accessed TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/19/09 10:39:54 written TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/19/09 10:39:54 modified TIMOUNTERMONITOR.EXE-1A929E4A.pf C:\WINDOWS\Prefetch\TIMOUNTERMONITOR.EXE-1A929E4A.pf
02/19/09 10:39:54 accessed TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/19/09 10:39:54 written TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/19/09 10:39:54 modified TRUEIMAGEMONITOR.EXE-08A65A75.pf C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-08A65A75.pf
02/19/09 10:39:54 accessed UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/19/09 10:39:54 written UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/19/09 10:39:54 modified UDATERUI.EXE-173C3AC6.pf C:\WINDOWS\Prefetch\UDATERUI.EXE-173C3AC6.pf
02/19/09 10:39:55 written SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
02/19/09 10:39:55 modified SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
02/19/09 10:40:00 accessed SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
02/19/09 10:40:00 written SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
02/19/09 10:40:00 modified SSMMGR.EXE-064D047E.pf C:\WINDOWS\Prefetch\SSMMGR.EXE-064D047E.pf
02/19/09 10:40:02 accessed SCHEDHLP.EXE-29F59EF1.pf C:\WINDOWS\Prefetch\SCHEDHLP.EXE-29F59EF1.pf
02/19/09 10:40:05 logged SysEvent.Evt EVENT ID: 40961 EVENT TYPE: WARNING EVENT CATEGORY: SPNEGO (Negotiator) SID: COMPUTER: HACKEDPC DESCRIPTION: The Security System could not establish a secured connection with the server ldap/ubw.ohio-state.edu. No authentication protocol was available.
02/19/09 10:40:05 accessed SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/19/09 10:40:05 written SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/19/09 10:40:05 modified SBTRAYMANAGER.EXE-19E725FA.pf C:\WINDOWS\Prefetch\SBTRAYMANAGER.EXE-19E725FA.pf
02/19/09 10:40:06 accessed SSMMgr.exe C:\\WINDOWS\Samsung\PanelMgr\SSMMgr.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:15 modified reader_s.exe C:\\WINDOWS\SYSTEM32\reader_s.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Fax service was successfully sent a stop control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7026 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The following boot-start or system-start driver(s) failed to load: ;irzylwcf;zmzfozjg
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service was successfully sent a start control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service was successfully sent a start control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Terminal Services service entered the running state.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service entered the running state.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Location Awareness (NLA) service was successfully sent a start control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service was successfully sent a start control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Network Connections service entered the running state.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service was successfully sent a start control.
02/19/09 10:40:19 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The SSDP Discovery Service service entered the running state.
02/19/09 10:40:20 modified services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:20 accessed SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/19/09 10:40:20 written SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/19/09 10:40:20 modified SHSTAT.EXE-34E0D8DA.pf C:\WINDOWS\Prefetch\SHSTAT.EXE-34E0D8DA.pf
02/19/09 10:40:21 accessed services.exe C:\\WINDOWS\services.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:21 modified rundll32.exe C:\\WINDOWS\SYSTEM32\rundll32.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:23 written USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
02/19/09 10:40:23 modified USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
02/19/09 10:40:27 accessed USERINIT.EXE-0743FDA9.pf C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf
02/19/09 10:40:31 accessed Weather.exe C:\\Program Files\AWS\WeatherBug\Weather.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:34 logged SysEvent.Evt EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The Remote Access Connection Manager service entered the running state.
02/19/09 10:40:34 modified ctfmon.exe C:\\WINDOWS\SYSTEM32\ctfmon.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:41 accessed WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/19/09 10:40:41 written WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/19/09 10:40:41 modified WEATHER.EXE-16549C68.pf C:\WINDOWS\Prefetch\WEATHER.EXE-16549C68.pf
02/19/09 10:40:42 modified TransferAgent.exe C:\\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:44 modified prunnet.exe C:\\WINDOWS\SYSTEM32\prunnet.exe Windows Executable Code\Executable Match File, Archive
02/19/09 10:40:45 accessed TransferAgent.exe C:\\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe Windows Executable Code\Executable File, Archive
02/19/09 10:40:47 logged SysEvent.Evt EVENT ID: 26 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: Application popup: TransferAgent.exe - Application Error : The application failed to initialize properly (0xc000007b). Click on OK to terminate the application.

02/19/09 10:40:54  accessed  PRUNNET.EXE-18A96408.pf  C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54  written  PRUNNET.EXE-18A96408.pf  C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54  modified  PRUNNET.EXE-18A96408.pf  C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54  accessed  PRUNNET.EXE-18A96408.pf  C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54  written  PRUNNET.EXE-18A96408.pf  C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:54  modified  PRUNNET.EXE-18A96408.pf  C:\WINDOWS\Prefetch\PRUNNET.EXE-18A96408.pf
02/19/09 10:40:56  accessed  TRANSFERAGENT.EXE-19919614.pf  C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
02/19/09 10:40:56  written  TRANSFERAGENT.EXE-19919614.pf  C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
02/19/09 10:40:56  modified  TRANSFERAGENT.EXE-19919614.pf  C:\WINDOWS\Prefetch\TRANSFERAGENT.EXE-19919614.pf
02/19/09 10:41:29  accessed  msmsgs.exe  C:\\Program Files\Messenger\msmsgs.exe  Windows Executable Code\Executable File, Archive
02/19/09 10:41:30  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-21-57765512-1263358170-1248344978-1385 COMPUTER: HACKEDPC DESCRIPTION: The DSproct service was successfully sent a start control.
02/19/09 10:41:31  accessed  index.dat  http://ubw.osu.edu  History\Daily
02/19/09 10:43:14  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:43:14  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:43:25  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:44:24  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:44:25  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:44:36  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:44:43  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:44:43  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:44:52  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:44:59  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:44:59  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:45:08  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:45:12  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:45:12  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:45:23  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:45:27  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:45:27  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:45:37  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:45:42  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:45:42  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:45:51  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:45:56  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:45:57  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:46:06  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:46:11  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:46:12  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:46:21  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:46:25  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:46:25  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:46:35  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:46:40  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:46:41  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:46:50  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:46:54  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:46:54  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:47:04  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:47:09  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:47:09  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:47:18  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:47:23  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 10:47:23  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 10:47:32  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 10:49:57  modified  googleearth.exe  C:\\Program Files\Google\Google Earth\googleearth.exe  Windows Executable Code\Executable File, Archive
02/19/09 10:51:00  accessed  googleearth.exe  C:\\Program Files\Google\Google Earth\googleearth.exe  Windows Executable Code\Executable File, Archive
02/19/09 10:51:55  logged  SysEvent.Evt  EVENT ID: 4226 EVENT TYPE: WARNING EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
02/19/09 10:53:36  accessed  reader_s.exe  C:\\Documents and Settings\smith.99999\reader_s.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 10:53:41  modified  wmplayer.exe  C:\\Program Files\Windows Media Player\wmplayer.exe  Windows Executable Code\Executable File, Archive
02/19/09 10:53:56  modified  xlicons.exe  C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 10:54:02  modified  Eudora.exe  C:\\Program Files\Qualcomm\Eudora\Eudora.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 11:00:10  accessed  RUNDLL32.EXE-5DB16EF8.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 11:00:10  written  RUNDLL32.EXE-5DB16EF8.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 11:00:10  modified  RUNDLL32.EXE-5DB16EF8.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 11:00:10  accessed  RUNDLL32.EXE-5DB16EF8.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 11:00:10  written  RUNDLL32.EXE-5DB16EF8.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 11:00:10  modified  RUNDLL32.EXE-5DB16EF8.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-5DB16EF8.pf
02/19/09 11:01:21  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:01:21  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:01:33  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:01:37  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:01:37  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:01:50  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:01:53  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:01:54  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:02:03  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:02:04  modified  reader_s.exe  C:\\Documents and Settings\smith.99999\reader_s.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 11:02:06  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:02:06  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:02:16  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:02:21  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:02:22  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:02:31  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:02:36  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:02:37  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:02:45  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:02:48  accessed  conf.exe  C:\\Program Files\NetMeeting\conf.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:48  modified  accwiz.exe  C:\\WINDOWS\SYSTEM32\accwiz.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:48  modified  conf.exe  C:\\Program Files\NetMeeting\conf.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:48  modified  fxscover.exe  C:\\WINDOWS\SYSTEM32\fxscover.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 11:02:48  modified  mshta.exe  C:\\WINDOWS\SYSTEM32\mshta.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:48  modified  ntbackup.exe  C:\\WINDOWS\SYSTEM32\ntbackup.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:48  modified  unregmp2.exe  C:\\WINDOWS\INF\unregmp2.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:49  accessed  unregmp2.exe  C:\\WINDOWS\INF\unregmp2.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:49  accessed  wordpad.exe  C:\\Program Files\Windows NT\Accessories\wordpad.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:49  modified  wordpad.exe  C:\\Program Files\Windows NT\Accessories\wordpad.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:02:51  logged  SysEvent.Evt  EVENT ID: 7035 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: S-1-5-18 COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service was successfully sent a start control.
02/19/09 11:02:52  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the running state.
02/19/09 11:02:58  logged  SysEvent.Evt  EVENT ID: 7036 EVENT TYPE: INFORMATION EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The IMAPI CD-Burning COM Service service entered the stopped state.
02/19/09 11:16:39  modified  cmd.exe  C:\\WINDOWS\SYSTEM32\cmd.exe  Windows Executable Code\Executable File, Archive
02/19/09 11:16:45  modified  ipconfig.exe  C:\\WINDOWS\SYSTEM32\ipconfig.exe  Windows Executable Code\Executable File, Archive

02/19/09 11:18:06  accessed  Ken.mbx  C:\My Documents\Qualcomm\Eudora\Ken.mbx
02/19/09 11:18:18  accessed  Misc.mbx  C:\My Documents\Qualcomm\Eudora\Misc.mbx
02/19/09 11:18:18  accessed  Out.mbx  C:\My Documents\Qualcomm\Eudora\Out.mbx

02/19/09 11:19:28  accessed  senekaklpapjct.dat  C:\\WINDOWS\SYSTEM32\senekaklpapjct.dat  Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 11:19:28  accessed  senekalwbrsnty.dat  C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat  Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 11:19:28  modified  senekalwbrsnty.dat  C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat  Data ASCII & Binary Code\Library ! Bad signature File, Archive
02/19/09 11:19:28  written  senekalwbrsnty.dat  C:\\WINDOWS\SYSTEM32\senekalwbrsnty.dat  Data ASCII & Binary Code\Library ! Bad signature File, Archive

02/19/09 11:21:54  accessed  Mike.mbx  C:\Eudora\Mike.mbx
02/19/09 11:21:54  accessed  Misc.mbx  C:\Eudora\Misc.mbx
02/19/09 11:22:19  accessed  Out.mbx  C:\Eudora\Out.mbx

02/19/09 11:22:21  accessed  Previous search.mbx  C:\Eudora\Previous search.mbx
02/19/09 11:22:21  accessed  Scholarship.mbx  C:\Eudora\Scholarship.mbx

02/19/09 11:24:00  accessed  37679041.pdf.zip  C:\\Eudora\attach\37679041.pdf.zip  ZIP Compressed Archive File, Archive
02/19/09 12:11:29  modified  SafeBoot.scr  C:\\WINDOWS\SafeBoot.scr  Win NT Screen Saver Code\Executable File, Archive
02/19/09 12:13:32  modified  defrag.exe  C:\\WINDOWS\SYSTEM32\defrag.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:13:34  modified  dfrgntfs.exe  C:\\WINDOWS\SYSTEM32\dfrgntfs.exe  Windows Executable Code\Executable File, Archive

02/19/09 12:20:39  accessed  Mike.mbx  C:\My Documents\Eudora\Mike.mbx
02/19/09 12:20:50  accessed  Misc.mbx  C:\My Documents\Eudora\Misc.mbx
02/19/09 12:22:33  accessed  Out.mbx  C:\My Documents\Eudora\Out.mbx
02/19/09 12:23:07  accessed  Previous search.mbx  C:\My Documents\Eudora\Previous search.mbx
02/19/09 12:23:30  accessed  Scholarship.mbx  C:\My Documents\Eudora\Scholarship.mbx

02/19/09 12:25:26  logged  SysEvent.Evt  EVENT ID: 1 EVENT TYPE: ERROR EVENT CATEGORY: SID: COMPUTER: HACKEDPC DESCRIPTION: The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'Disk0'. It has stopped monitoring the volume.
02/19/09 12:40:52  modified  helpsvc.exe  C:\\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:40:54  accessed  helpsvc.exe  C:\\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:41:21  accessed  WMIPRVSE.EXE-0D449B4F.pf  C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
02/19/09 12:41:21  written  WMIPRVSE.EXE-0D449B4F.pf  C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
02/19/09 12:41:21  modified  WMIPRVSE.EXE-0D449B4F.pf  C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf
02/19/09 12:41:22  modified  ntvdm.exe  C:\\WINDOWS\SYSTEM32\ntvdm.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:41:34  accessed  CcEvtSvc.exe  C:\\WINDOWS\SYSTEM32\CcEvtSvc.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 12:41:35  accessed  cmd.exe  C:\\WINDOWS\SYSTEM32\cmd.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:41:37  accessed  ctfmon.exe  C:\\WINDOWS\SYSTEM32\ctfmon.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:41:44  accessed  dwwin.exe  C:\\WINDOWS\SYSTEM32\dwwin.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 12:41:48  accessed  hkcmd.exe  C:\\WINDOWS\SYSTEM32\hkcmd.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:13  accessed  prunnet.exe  C:\\WINDOWS\SYSTEM32\prunnet.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:15  accessed  reader_s.exe  C:\\WINDOWS\SYSTEM32\reader_s.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:36  accessed  143.tmp  C:\\WINDOWS\SYSTEM32\143.tmp  Windows Temporary Windows Match File, Archive
02/19/09 12:42:36  accessed  145.tmp  C:\\WINDOWS\SYSTEM32\145.tmp  Windows Temporary Windows * Executable File, Archive
02/19/09 12:42:36  accessed  147.tmp  C:\\WINDOWS\SYSTEM32\147.tmp  Windows Temporary Windows * Executable File, Archive
02/19/09 12:42:36  accessed  148.tmp  C:\\WINDOWS\SYSTEM32\148.tmp  Windows Temporary Windows * Executable File, Archive
02/19/09 12:42:36  accessed  accwiz.exe  C:\\WINDOWS\SYSTEM32\accwiz.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:37  accessed  DRWATSON.EXE  C:\\WINDOWS\SYSTEM32\DRWATSON.EXE  Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:37  accessed  defrag.exe  C:\\WINDOWS\SYSTEM32\defrag.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:37  accessed  dfrgntfs.exe  C:\\WINDOWS\SYSTEM32\dfrgntfs.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:37  accessed  dumprep.exe  C:\\WINDOWS\SYSTEM32\dumprep.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:38  accessed  fxscover.exe  C:\\WINDOWS\SYSTEM32\fxscover.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 12:42:38  accessed  fxssvc.exe  C:\\WINDOWS\SYSTEM32\fxssvc.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:38  accessed  geBtSIyX.dll  C:\\WINDOWS\SYSTEM32\geBtSIyX.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:38  accessed  igfxtray.exe  C:\\WINDOWS\SYSTEM32\igfxtray.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:38  accessed  imapi.exe  C:\\WINDOWS\SYSTEM32\imapi.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:38  accessed  ipconfig.exe  C:\\WINDOWS\SYSTEM32\ipconfig.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:38  accessed  jdfjpl.dll  C:\\WINDOWS\SYSTEM32\jdfjpl.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:39  accessed  MPNOTIFY.EXE  C:\\WINDOWS\SYSTEM32\MPNOTIFY.EXE  Windows Executable Code\Executable File, Archive
02/19/09 12:42:39  accessed  mcrh.tmp  C:\\WINDOWS\SYSTEM32\mcrh.tmp  Windows Temporary Windows Match File, Archive
02/19/09 12:42:39  accessed  mshta.exe  C:\\WINDOWS\SYSTEM32\mshta.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:39  accessed  mstsc.exe  C:\\WINDOWS\SYSTEM32\mstsc.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:40  accessed  netsh.exe  C:\\WINDOWS\SYSTEM32\netsh.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:40  accessed  ntbackup.exe  C:\\WINDOWS\SYSTEM32\ntbackup.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:40  accessed  ntvdm.exe  C:\\WINDOWS\SYSTEM32\ntvdm.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:40  accessed  pydesepr.dll  C:\\WINDOWS\SYSTEM32\pydesepr.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:40  accessed  rqRKEUkK.dll  C:\\WINDOWS\SYSTEM32\rqRKEUkK.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:41  accessed  ssqQkHBq.dll  C:\\WINDOWS\SYSTEM32\ssqQkHBq.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:42:42  accessed  userinit.exe  C:\\WINDOWS\SYSTEM32\userinit.exe  Windows Executable Code\Executable File, Archive
02/19/09 12:42:42  accessed  wvUmjIbx.dll  C:\\WINDOWS\SYSTEM32\wvUmjIbx.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 12:51:33  accessed  37679041.pdf.zip  C:\\My Documents\Eudora\attach\37679041.pdf.zip  ZIP Compressed Archive File, Archive
02/19/09 14:19:50  accessed  xccwinsys.ini  C:\\WINDOWS\xccwinsys.ini  Initialization Windows ! Bad signature File, Archive
02/19/09 14:24:38  accessed  SafeBoot.scr  C:\\WINDOWS\SafeBoot.scr  Win NT Screen Saver Code\Executable File, Archive
02/19/09 14:24:48  accessed  SAFEBOOT.SCR-13172D99.pf  C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/19/09 14:24:48  written  SAFEBOOT.SCR-13172D99.pf  C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/19/09 14:24:48  modified  SAFEBOOT.SCR-13172D99.pf  C:\WINDOWS\Prefetch\SAFEBOOT.SCR-13172D99.pf
02/19/09 14:42:56  accessed  info_48[1]  C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1]  * Portable Network Graphic File, Archive, Not Indexed
02/19/09 14:42:56  created  info_48[1]  C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1]  * Portable Network Graphic File, Archive, Not Indexed
02/19/09 14:42:56  modified  info_48[1]  C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1]  * Portable Network Graphic File, Archive, Not Indexed
02/19/09 14:42:56  written  info_48[1]  C:\\Documents and Settings\smith.99999\Local Settings\Temporary Internet Files\Content.IE5\KVVYP711\info_48[1]  * Portable Network Graphic File, Archive, Not Indexed
02/19/09 15:05:13  accessed  rundll32.exe  C:\\WINDOWS\SYSTEM32\rundll32.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:05:15  accessed  vgyixcnu.dll  C:\\WINDOWS\SYSTEM32\vgyixcnu.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 15:05:23  accessed  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  created  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  written  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  modified  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  accessed  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  created  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  written  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:23  modified  RUNDLL32.EXE-56884C6C.pf  C:\WINDOWS\Prefetch\RUNDLL32.EXE-56884C6C.pf
02/19/09 15:05:42  created  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:05:42  created  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:05:53  accessed  cbXQiFxw.dll  C:\\WINDOWS\SYSTEM32\cbXQiFxw.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 15:05:53  accessed  senekarxltpsnr.dll  C:\\WINDOWS\SYSTEM32\senekarxltpsnr.dll  Dynamic Link Library Code\Library Match File, Archive
02/19/09 15:05:57  accessed  Eudora.exe  C:\\Program Files\Qualcomm\Eudora\Eudora.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:05:58  accessed  verclsid.exe  C:\\WINDOWS\SYSTEM32\verclsid.exe  Windows Executable Code\Executable File
02/19/09 15:05:59  accessed  VERCLSID.EXE-28F52AD2.pf  C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf
02/19/09 15:05:59  written  VERCLSID.EXE-28F52AD2.pf  C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf
02/19/09 15:05:59  modified  VERCLSID.EXE-28F52AD2.pf  C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf
02/19/09 15:06:01  accessed  SbTrayManager.exe  C:\\Program Files\SafeBoot Tray Manager\SbTrayManager.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:07  accessed  uncxiygv.ini  C:\\WINDOWS\SYSTEM32\uncxiygv.ini  Initialization Windows ! Bad signature File, Hidden, System
02/19/09 15:06:26  accessed  taskmgr.exe  C:\\WINDOWS\SYSTEM32\taskmgr.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 15:06:39  accessed  explorer.exe  C:\\WINDOWS\explorer.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:39  written  seneka  C:\\WINDOWS\SYSTEM32\CONFIG\SOFTWARE\NTRegistry\$$$PROTO.HIV\seneka  Folder Folder, Registry Entry
02/19/09 15:06:40  modified  taskmgr.exe  C:\\WINDOWS\SYSTEM32\taskmgr.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 15:06:42  modified  Icon84031A18.exe  C:\\Documents and Settings\smith.99999\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42  modified  NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe  C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\NewShortcut2_F04825A0D1E9444AA8D32CE95CBF1716.exe  Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42  modified  Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe  C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_CheckNow_S_A865F9643D344747AD8AA93191B65DD3.exe  Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42  modified  Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe  C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_FAQ_SC1_A865F9643D344747AD8AA93191B65DD3.exe  Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42  modified  Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe  C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Help_SC1_A865F9643D344747AD8AA93191B65DD3.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42  modified  Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe  C:\\WINDOWS\Installer\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}\Program_Setting_SC_A865F9643D344747AD8AA93191B65DD3.exe  Windows Executable Code\Executable Match File, Read Only, Archive
02/19/09 15:06:42  modified  SSLang.exe  C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\SSLang.exe  Windows Executable Code\Executable File
02/19/09 15:06:42  modified  SSMMgr.exe  C:\\WINDOWS\Samsung\PanelMgr\SSMMgr.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:42  modified  Ssopen.exe  C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\data\Ssopen.exe  Windows Executable Code\Executable Match File
02/19/09 15:06:42  modified  Weather.exe  C:\\Program Files\AWS\WeatherBug\Weather.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:42  modified  accicons.exe  C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42  modified  msimn.exe  C:\\Program Files\Outlook Express\msimn.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:42  modified  mstsc.exe  C:\\WINDOWS\SYSTEM32\mstsc.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:42  modified  pptico.exe  C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:42  modified  setup.exe  C:\\Program Files\Samsung\Samsung ML-2570 Series\Install\setup.exe  Windows Executable Code\Executable File
02/19/09 15:06:42  modified  uninstall.exe  C:\\Program Files\Coupons\uninstall.exe  Windows Executable Code\Executable Match File, Archive
02/19/09 15:06:42  modified  wab.exe  C:\\Program Files\Outlook Express\wab.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:06:42  modified  wordicon.exe  C:\\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe  Windows Executable Code\Executable File, Read Only, Archive
02/19/09 15:06:43  modified  explorer.exe  C:\\WINDOWS\explorer.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:08:04  accessed  regedit.exe  C:\\WINDOWS\regedit.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:08:04  modified  regedit.exe  C:\\WINDOWS\regedit.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:08:14  accessed  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  created  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  written  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  modified  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  accessed  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  created  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  written  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:08:14  modified  REGEDIT.EXE-2AE3423E.pf  C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf
02/19/09 15:10:30  accessed  taskkill.exe  C:\\WINDOWS\SYSTEM32\taskkill.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:10:30  modified  taskkill.exe  C:\\WINDOWS\SYSTEM32\taskkill.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:10:40  created  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:10:40  created  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:11:34  accessed  index.dat  file:///C:/Program Files/AWS/WeatherBug/Local/center_failed.html  History\Daily -
02/19/09 15:13:30  accessed  tasklist.exe  C:\\WINDOWS\SYSTEM32\tasklist.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:13:30  modified  tasklist.exe  C:\\WINDOWS\SYSTEM32\tasklist.exe  Windows Executable Code\Executable File, Archive
02/19/09 15:13:40  accessed  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  created  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  written  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  modified  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  accessed  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  created  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  written  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:13:40  modified  TASKLIST.EXE-18943874.pf  C:\WINDOWS\Prefetch\TASKLIST.EXE-18943874.pf
02/19/09 15:14:50  accessed  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50  written  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50  modified  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50  accessed  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50  written  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:14:50  modified  TASKMGR.EXE-06144C13.pf  C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf
02/19/09 15:16:34  accessed  index.dat  file:///C:/Program Files/AWS/WeatherBug/Local/center_failed.html  History\Daily -
02/19/09 15:16:37  logged  SysEvent.Evt  EVENT ID: 26  EVENT TYPE: INFORMATION  EVENT CATEGORY:  SID:  COMPUTER: HACKEDPC  DESCRIPTION: Application popup: taskkill.exe - DLL Initialization Failed : The application failed to initialize because the window station is shutting down. -
02/19/09 15:16:37  accessed  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37  written  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37  modified  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37  accessed  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37  written  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf
02/19/09 15:16:37  modified  TASKKILL.EXE-1EEA7CB4.pf  C:\WINDOWS\Prefetch\TASKKILL.EXE-1EEA7CB4.pf