Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs

What do you think guys?

Frog (Newbie)
Joined: 26 February 2006 | Posts: 4
Posted: 27 February 2006 at 11:40am

So, it looks like the computer is clean and healthy after all.

Thanks for everything, Namrehto.

Frog

 

namrehto (Senior Member, Scotland)
Joined: 23 June 2005 | Posts: 3861
Posted: 27 February 2006 at 11:34am
Aha. Well, since the C:\WINDOWS\assembly... entries haven't reappeared, it does rather confirm they were due to some background activity creating false positives.

The ZAlog reports are just ZoneAlarm's log files updating from yesterday to today.
Gil
Frog (Newbie)
Joined: 26 February 2006 | Posts: 4
Posted: 27 February 2006 at 11:30am

Hi Namrehto,

The scan is finished and with different results this time. What's the verdict?

Thanks for your help,

Frog

HKLM\S-1-5-21-2230802784-2284992539-865915320-1007\RemoteAccess\InternetProfile 7/11/2004 7:57 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/16/2004 12:09 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\Internet Logs\ZALog.txt 2/27/2006 11:53 AM 9.25 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Internet Logs\ZALog2006.02.26.txt 2/27/2006 11:53 AM 9.25 KB Hidden from Windows API.
D:   0 bytes Error mounting volume

Frog (Newbie)
Joined: 26 February 2006 | Posts: 4
Posted: 27 February 2006 at 11:18am

Hi Namrehto,

Thanks for the reply and the link and explanation for the reg entries and Windows Update check.

I was aware you are not supposed to use the computer during the scan and I did not.

I am currently running the scan over on that PC. I have locked the internet connection with the firewall and upped the time on the screen saver and hibernate as well, to ensure that was not the cause. I will post the new results when the scan is done.

This is a Compaq I'm working on, so yes, the D: is a recovery partition.

Thanks again,

Frog



Edited by Frog
namrehto (Senior Member, Scotland)
Joined: 23 June 2005 | Posts: 3861
Posted: 27 February 2006 at 9:58am
...RemoteAccess\InternetProfile - the cause is discussed here.

...webcal\URL Protocol - a common false positive.

C:\System Volume Information\ - changes in System Restore repository due to PC use during scan.

C:\WINDOWS\assembly... - all look like false positives due to PC use during the scan. Run RKR again, on an idle machine, to confirm.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb - Windows Update making a check.

D:   0 bytes Error mounting volume - is D: a recovery partition?

Edited by namrehto
Gil
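As an added example (not code from this thread, from Sysinternals, or from RootkitRevealer itself), the following Python script applies the triage Gil performs across this thread: parse pasted RKR lines, label the discrepancy categories he explains (ngen native-image cache, System Restore, Windows Update, ZoneAlarm logs, the two registry false positives, the unmountable D:), and compare the first scan against the idle rescan so that only entries that both persist and lack a known explanation are left to look at. The path patterns and explanation strings are my own wording, and the embedded sample lines are a constructed subset abridged from the logs Frog posted.

```python
import re

# RootkitRevealer prints one discrepancy per line: <path> [<M/D/YYYY h:mm AM|PM>] <size> <description>
# The timestamp is absent on volume-level errors such as "D:   0 bytes Error mounting volume".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB))\s+(?P<desc>.+)$"
)
# Benign explanations given in the thread, keyed by a path pattern (my wording, matched case-insensitively).
KNOWN_BENIGN = [
    (r"\\assembly\\NativeImages_", ".NET native-image (ngen) cache being written during the scan"),
    (r"\\System Volume Information\\_restore", "System Restore repository changing during the scan"),
    (r"\\SoftwareDistribution\\DataStore\\Logs\\tmp\.edb$", "Windows Update performing a check"),
    (r"\\Internet Logs\\ZALog", "ZoneAlarm rotating its own log files"),
    (r"\\RemoteAccess\\InternetProfile$|\\webcal\\URL Protocol$", "known RKR registry false positive"),
]

def parse_log(text):
    # Returns {path: (when, size, desc)} for every well-formed line of a pasted RKR log.
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m["path"]] = (m["when"], m["size"], m["desc"])
    return entries

def explain(path, desc):
    # Map one discrepancy to the explanation the thread gives for its category.
    if desc.startswith("Error mounting volume"):
        return "volume RKR cannot mount (e.g. an OEM recovery partition)"
    for pattern, reason in KNOWN_BENIGN:
        if re.search(pattern, path, re.IGNORECASE):
            return reason
    return "UNEXPLAINED: investigate"

def triage(first_scan, idle_rescan):
    # Entries gone on the idle rescan were scan-time activity; persistent ones are either known FPs or the short list to examine.
    first, second = parse_log(first_scan), parse_log(idle_rescan)
    persistent = {p: explain(p, second[p][2]) for p in sorted(first.keys() & second.keys())}
    return {"transient": sorted(first.keys() - second.keys()),
            "new": sorted(second.keys() - first.keys()), "persistent": persistent,
            "investigate": [p for p, r in persistent.items() if r.startswith("UNEXPLAINED")]}

# Constructed sample: a few lines abridged from the two scans Frog posted in this thread.
SCAN_1 = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/16/2004 12:09 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\435dca53f85569458cbfd934fe81dddf\dfsvc.ni.exe 2/26/2006 4:56 PM 15.00 KB Hidden from Windows API.
D:   0 bytes Error mounting volume
"""
SCAN_2 = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/16/2004 12:09 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\Internet Logs\ZALog.txt 2/27/2006 11:53 AM 9.25 KB Visible in Windows API, but not in MFT or directory index.
D:   0 bytes Error mounting volume
"""
```

Calling `triage(SCAN_1, SCAN_2)` reports the dfsvc native image as transient, the ZoneAlarm log as new, and the webcal key and D: as persistent but explained, leaving nothing to investigate.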
Frog (Newbie)
Joined: 26 February 2006 | Posts: 4
Posted: 26 February 2006 at 5:24pm

Hi guys,

I was cleaning a friend's computer and decided to check for rootkits. I am a fairly knowledgeable computer guy, but don't have a clue when it comes to rootkits. I'd appreciate any help in analyzing this log.

Thanks in advance,

Frog

HKLM\S-1-5-21-2230802784-2284992539-865915320-1007\RemoteAccess\InternetProfile 7/11/2004 7:57 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\webcal\URL Protocol 12/16/2004 12:09 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP286\A0228882.RDB 2/26/2006 4:09 PM 1.15 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\c498501c2a348848af870053462b8de8 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\c498501c2a348848af870053462b8de8\Accessibility.ni.dll 2/26/2006 4:56 PM 26.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\be0498b7fc7b28458441685656361634 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\be0498b7fc7b28458441685656361634\AspNetMMCExt.ni.dll 2/26/2006 4:56 PM 840.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\37137cd1979eac4cb56238f2d518069b 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\37137cd1979eac4cb56238f2d518069b\CustomMarshalers.ni.dll 2/26/2006 4:56 PM 232.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\435dca53f85569458cbfd934fe81dddf 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\435dca53f85569458cbfd934fe81dddf\dfsvc.ni.exe 2/26/2006 4:56 PM 15.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1c.dat 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index7.dat 2/26/2006 1:13 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index8.dat 2/26/2006 1:14 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng# 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\f7352b14fd1da14488cdf22fc56f428a 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\f7352b14fd1da14488cdf22fc56f428a\Microsoft.Build.Engine.ni.dll 2/26/2006 4:56 PM 860.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra# 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c3fd750150b19e4290580bbe10e7dbc4 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c3fd750150b19e4290580bbe10e7dbc4\Microsoft.Build.Framework.ni.dll 2/26/2006 4:56 PM 80.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas# 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\cfc283e62b237745bf4a0ece6d6714dc 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\cfc283e62b237745bf4a0ece6d6714dc\Microsoft.Build.Tasks.ni.dll 2/26/2006 4:56 PM 1.61 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti# 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\3656cbff8be8c34d99a5004738a78984 2/26/2006 4:56 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\3656cbff8be8c34d99a5004738a78984\Microsoft.Build.Utilities.ni.dll 2/26/2006 4:56 PM 160.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas# 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\d219ad1cfeef064c8f204c9fc34415b4 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\d219ad1cfeef064c8f204c9fc34415b4\Microsoft.VisualBasic.ni.dll 2/26/2006 4:57 PM 1.64 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\1e9c4295587d4445af693ec56623c045 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\1e9c4295587d4445af693ec56623c045\System.Configuration.ni.dll 2/26/2006 4:57 PM 940.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\f6af85893a171d4692974f280b110cc5 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\f6af85893a171d4692974f280b110cc5\System.Deployment.ni.dll 2/26/2006 4:57 PM 1.63 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\138494ca9064cd4a85105449f1fc60c1 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\138494ca9064cd4a85105449f1fc60c1\System.DirectoryServices.Protocols.ni.dll 2/26/2006 4:57 PM 500.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\59ebe50c7926454da269cb462f5d5132 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\59ebe50c7926454da269cb462f5d5132\System.DirectoryServices.ni.dll 2/26/2006 4:57 PM 1.16 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe# 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\986ee63c72431e4a8aaeefff153fe1fe 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\986ee63c72431e4a8aaeefff153fe1fe\System.EnterpriseServices.ni.dll 2/26/2006 4:57 PM 644.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\986ee63c72431e4a8aaeefff153fe1fe\System.EnterpriseServices.Wrapper.dll 2/26/2006 4:57 PM 288.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\999399be9e6b5f448775d8d5de6ee609 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\999399be9e6b5f448775d8d5de6ee609\System.Security.ni.dll 2/26/2006 4:57 PM 712.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\107799c5c7b0564fb014ae3d3ea5e918 2/26/2006 4:57 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\107799c5c7b0564fb014ae3d3ea5e918\System.Transactions.ni.dll 2/26/2006 4:57 PM 668.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web 2/26/2006 4:58 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\0d828982f5ea2f4abf628970648eb400 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\0d828982f5ea2f4abf628970648eb400\System.Web.Mobile.ni.dll 2/26/2006 4:59 PM 2.20 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE# 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\17026d98a23a374e90c46e450f0efd16 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\17026d98a23a374e90c46e450f0efd16\System.Web.RegularExpressions.ni.dll 2/26/2006 4:59 PM 232.00 KB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\66bd3bcd55f894458fbfcae3cd1f283e 2/26/2006 4:59 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\66bd3bcd55f894458fbfcae3cd1f283e\System.Web.Services.ni.dll 2/26/2006 4:59 PM 1.86 MB Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\1054c4126676744e930a47cf4457629f 2/26/2006 4:58 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\1054c4126676744e930a47cf4457629f\System.Web.ni.dll 2/26/2006 4:58 PM 11.26 MB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 2/26/2006 5:04 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
D:   0 bytes Error mounting volume
