=========================== PID 4028 - exp3.tmp.exe =========================== 20:39:38.8834401","exp3.tmp.exe","4028","QueryNameInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Name: \Documents and Settings\RIK\Local Settings\Temp\exp3.tmp.exe" 20:39:38.8838828","exp3.tmp.exe","4028","QueryNameInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Name: \Documents and Settings\RIK\Local Settings\Temp\exp3.tmp.exe" 20:39:38.8840739","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\Prefetch\EXP3.TMP.EXE-32842BFC.pf","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a" 20:39:38.8846360","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:38.8867304","exp3.tmp.exe","4028","FileSystemControl","C:\Documents and Settings\rik","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED" 20:39:38.8870028","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:38.8880021","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 62,464, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:38.9317627","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 
20:39:38.9326376","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:38.9328913","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9332559","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9349173","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:38.9349410","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:38.9349779","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:38.9352525","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9360417","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9373785","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:38.9376307","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 
20:39:38.9379970","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9395676","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:38.9395877","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:38.9396234","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:38.9398961","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9414343","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9416994","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:38.9419522","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9430021","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9432750","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: 
PAGE_EXECUTE" 20:39:38.9433538","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:38.9438329","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9463073","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9477848","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:38.9480438","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9489900","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9502759","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:38.9505296","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","" 20:39:38.9533140","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\LPK.DLL","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:38.9549916","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, 
Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:38.9552961","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:38.9555855","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","" 20:39:39.0093929","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.0097189","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:39.0098030","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:39.0101196","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","" 20:39:39.0220973","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\USP10.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:39.0241227","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.0244705","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 
20:39:39.0247940","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","" 20:39:39.0265024","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.0268496","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:39.0269337","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:39.0272812","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","" 20:39:39.0790546","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened" 20:39:39.0793258","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:39.0793496","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\SHELL32.dll","SUCCESS","AllocationSize: 8,372,224, EndOfFile: 8,367,104, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:39.0793870","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeOther" 20:39:39.0796496","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\SHELL32.dll.124.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:39.0813602","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\SHELL32.dll.124.Config","NAME NOT 
FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:39.1170952","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\shell32.dll","SUCCESS","" 20:39:39.1174734","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:39.1183747","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1184794","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","CreationTime: 2012/10/07 18:19:17, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:18, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D" 20:39:39.1185719","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","" 20:39:39.1195304","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1197377","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, 
Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1198902","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:39.1199059","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","AllocationSize: 1,064,960, EndOfFile: 1,054,208, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:39.1199327","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeOther" 20:39:39.1235041","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","" 20:39:39.1237963","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1239441","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:39.1240044","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther" 
20:39:39.1242293","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","" 20:39:39.1252158","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1252797","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","CreationTime: 2012/10/07 18:40:07, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:40:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHA" 20:39:39.1253334","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","" 20:39:39.1255085","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1255747","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:39.1255884","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:39.1256130","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther" 20:39:39.1256789","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","" 20:39:39.1281779","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, 
OpenResult: Opened" 20:39:39.1282390","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","CreationTime: 2012/10/07 18:40:07, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:40:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHA" 20:39:39.1289252","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","" 20:39:39.1290495","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1291162","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:39.1291297","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:39.1291531","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther" 20:39:39.1299448","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","" 20:39:39.1300921","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1301572","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:39.1301706","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False" 
20:39:39.1301940","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther" 20:39:39.1308360","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:39.1309296","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:39.1479474","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","" 20:39:39.1533752","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1535629","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:39.1535789","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","AllocationSize: 622,592, EndOfFile: 617,472, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:39.1536051","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:39.1537937","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\comctl32.dll.124.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:39.1540985","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\comctl32.dll.124.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: 
Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:39.1559060","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","" 20:39:39.1588608","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1588991","exp3.tmp.exe","4028","QueryNameInformationFile","C:\","SUCCESS","Name: \" 20:39:39.1589326","exp3.tmp.exe","4028","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: " 20:39:39.1589600","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS","" 20:39:39.1665629","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1666344","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data","SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2012/10/07 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHD" 20:39:39.1666923","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS","" 20:39:39.1669641","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\D5809E24","NAME COLLISION","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0" 20:39:39.1671183","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","Desired Access: Write Attributes, Synchronize, 
Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:39.1672258","exp3.tmp.exe","4028","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 1601/01/01 9:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: HN" 20:39:39.1687333","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","" 20:39:39.1702002","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 1,024, Length: 31,232, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:39.1919659","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 46,080, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:39.1922673","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 32,256, Length: 512, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:39.1924126","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\SYSTEM32\SHLWAPI.DLL","SUCCESS","Offset: 267,264, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:39.3723460","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:39.3996903","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 
20:39:39.4000887","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:39.4037039","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:39.4125713","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:39.4128671","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" : snip : (log trimmed here; the same NAME NOT FOUND CreateFile lookups for HIENESS_MINI_FONT.dll keep looping through these directories many times, from 20:39:39 until 20:39:43) : snip : 
20:39:43.6352431","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:43.6354747","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:43.6357320","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:43.6360432","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:43.6363863","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\wbem\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" 20:39:46.4602405","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:46.4602958","exp3.tmp.exe","4028","QueryNameInformationFile","C:\","SUCCESS","Name: \" 20:39:46.4603257","exp3.tmp.exe","4028","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: " 20:39:46.4603528","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS","" 
20:39:46.9660126","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9661123","exp3.tmp.exe","4028","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 1601/01/01 9:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: N" 20:39:46.9662833","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","" 20:39:46.9664693","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9665858","exp3.tmp.exe","4028","QueryAttributeTagFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","INVALID PARAMETER","" 20:39:46.9666892","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:46.9667805","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","CreationTime: 2013/01/26 20:39:38, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9668772","exp3.tmp.exe","4028","QueryStreamInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","INVALID PARAMETER","" 
20:39:46.9669828","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","CreationTime: 2013/01/26 20:39:38, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9670803","exp3.tmp.exe","4028","QueryEaInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","EaSize: 0" 20:39:46.9671887","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0, OpenResult: Overwritten" 20:39:46.9672851","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9673574","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS","" 20:39:46.9675259","exp3.tmp.exe","4028","QueryAttributeInformationVolume","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","FileSystemAttributes: Case Preserved, Unicode, MaximumComponentNameLength: 255, FileSystemName: FAT32" 20:39:46.9675982","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:48, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9676918","exp3.tmp.exe","4028","QueryAttributeInformationVolume","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","FileSystemAttributes: Case Preserved, Unicode, 
MaximumComponentNameLength: 255, FileSystemName: FAT32" 20:39:46.9677636","exp3.tmp.exe","4028","SetEndOfFileInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","EndOfFile: 110,592" 20:39:46.9679413","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:46.9679567","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:46.9679810","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:46.9680637","exp3.tmp.exe","4028","WriteFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Offset: 0, Length: 65,536" 20:39:46.9683858","exp3.tmp.exe","4028","WriteFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Offset: 65,536, Length: 45,056" 20:39:46.9685665","exp3.tmp.exe","4028","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: n/a" 20:39:46.9686808","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","" 20:39:46.9687640","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","" 20:39:46.9689283","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","NAME COLLISION","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0" 
20:39:46.9692104","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9693093","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D" 20:39:46.9693993","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","" 20:39:46.9696362","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp","SUCCESS","Desired Access: Generic Read, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created" 20:39:46.9698681","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp","SUCCESS","" 20:39:46.9700421","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp.bat","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: H, ShareMode: Read, AllocationSize: 0, OpenResult: Created" 20:39:46.9701701","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9702746","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","" 20:39:46.9707562","exp3.tmp.exe","4028","WriteFile","C:\Documents and Settings\rik\Local 
Settings\Temp\exp4.tmp.bat","SUCCESS","Offset: 0, Length: 195" 20:39:46.9710037","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp.bat","SUCCESS","" 20:39:46.9715359","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9717041","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9718616","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:46.9722759","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9724388","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9725947","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:46.9728411","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9730107","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 
20:39:46.9730255","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:46.9730386","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:46.9730629","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:46.9909244","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:46.9922128","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9924804","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9927313","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","" 20:39:46.9977610","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9980373","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\apphelp.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:46.9980594","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\Apphelp.dll","SUCCESS","AllocationSize: 131,072, EndOfFile: 125,952, NumberOfLinks: 1, DeletePending: False, Directory: False" 
20:39:46.9980974","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\Apphelp.dll","SUCCESS","SyncType: SyncTypeOther" 20:39:46.9983692","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","" 20:39:46.9992238","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:46.9994869","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:46.9997372","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","" 20:39:47.0001052","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0003753","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\apphelp.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:47.0004549","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\APPHELP.DLL","SUCCESS","SyncType: SyncTypeOther" 20:39:47.0007293","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","" 20:39:47.0015632","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0017920","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 
1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0019942","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:47.0020155","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0020523","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther" 20:39:47.0022772","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0026139","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\systest.sdb","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a" 20:39:47.0030106","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0031745","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe" 20:39:47.0034170","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS","" 20:39:47.0041101","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0043808","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, 
LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0049650","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0050580","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0051030","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS" 20:39:47.0051631","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS","" 20:39:47.0053606","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0054642","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32","SUCCESS","Filter: system32, 1: system32" 20:39:47.0055807","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS","SUCCESS","" 20:39:47.0058296","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0059838","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe" 20:39:47.0062221","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS","" 20:39:47.0066158","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 143,360, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0283325","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 28,672, Length: 32,768, I/O Flags: Non-cached, Paging 
I/O, Synchronous Paging I/O" 20:39:47.0308563","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 589,824, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0359544","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 815,104, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0465809","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 745,472, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0477894","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0480624","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0483211","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0496302","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0499020","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0501604","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0505356","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, 
Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0508161","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:47.0508384","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0511164","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.0513983","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0514505","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 0, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0526300","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0529018","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0531602","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0535376","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0538181","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: 
PAGE_READONLY" 20:39:47.0538396","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0538771","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.0541564","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0542478","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 245,760, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0548632","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 454,656, Length: 31,744, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.0711698","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0717442","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0720082","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0723870","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0726663","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 
20:39:47.0726878","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0727253","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.0730049","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0737212","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0866148","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0868788","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0872562","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0885382","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:47.0885600","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.0885982","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.0889215","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 
20:39:47.0920898","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0923602","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.0926183","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.0938606","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0939048","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS" 20:39:47.0939682","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS","" 20:39:47.0961752","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0962822","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32","SUCCESS","Filter: system32, 1: system32" 20:39:47.0964020","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS","SUCCESS","" 20:39:47.0966551","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.0968107","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe" 
20:39:47.0970513","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS","" 20:39:47.0973860","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","" 20:39:47.1007051","exp3.tmp.exe","4028","QueryNameInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Name: \WINDOWS\System32\cmd.exe" 20:39:47.1013694","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1016418","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.1019002","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.1019863","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1020298","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS" 20:39:47.1020880","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS","" 20:39:47.1022818","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1068841","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\System32","SUCCESS","Filter: System32, 1: system32" 20:39:47.1070112","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS","SUCCESS","" 20:39:47.1072699","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read 
Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1075205","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe" 20:39:47.1077621","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS","" 20:39:47.1081189","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1083809","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:47.1084027","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1084399","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.1091168","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 99,328, Length: 30,720, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.1103024","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:47.1105996","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 247,296, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.1130055","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","" 20:39:47.1132162","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: 
Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1197111","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE" 20:39:47.1197352","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1197570","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.1199500","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.1201204","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.1202132","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1205177","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1220740","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, 
NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1222771","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:47.1222983","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1223352","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther" 20:39:47.1238094","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1240868","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\systest.sdb","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a" 20:39:47.1244235","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1255415","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Filter: KB00777165.exe, 1: KB00777165.exe" 20:39:47.1256747","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS","" 20:39:47.1272576","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 
20:39:47.1273638","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.1274560","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","" 20:39:47.1285980","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1286486","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\rik","SUCCESS","Filter: rik, 1: rik" 20:39:47.1287131","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings","SUCCESS","" 20:39:47.1306664","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1307740","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.1308670","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","" 20:39:47.1319283","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 
20:39:47.1319783","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\rik","SUCCESS","Filter: rik, 1: rik" 20:39:47.1335489","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings","SUCCESS","" 20:39:47.1337244","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.1338185","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1349838","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","" 20:39:47.1354481","exp3.tmp.exe","4028","QueryNameInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Name: \Documents and Settings\RIK\Application Data\KB00777165.exe" 20:39:47.1368728","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1369812","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A" 20:39:47.1370742","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","" 20:39:47.1378199","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous 
IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened" 20:39:47.1378704","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\RIK","SUCCESS","Filter: RIK, 1: rik" 20:39:47.1389756","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings","SUCCESS","" 20:39:47.1391231","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1392195","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY" 20:39:47.1392396","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False" 20:39:47.1392756","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeOther" 20:39:47.1417818","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a" 20:39:47.1418620","exp3.tmp.exe","4028","ReadFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Offset: 78,848, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O" 20:39:47.1485715","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","" 20:39:47.1506142","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik","SUCCESS","" 
20:39:47.1508439","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS",""