PDA

View Full Version : Virus? Malware? Repeated 'blue-screen' crashes in Windows 7



mooseydog
2010-08-31, 21:05
This is a relatively new Hp 'all-in-one' desktop pc with Windows 7. I had no problems at all until a few weeks ago when it suddenly crashed stating 'kernel data in page error'. It has repeatedly done variations of this, despite two full system recoveries. I originally had Kaspersky AV, but since the last recovery tried not to install anything much and stuck with the Norton trial/free that came with it. Am truly at wits' end now! I did post about this before, but the thread closed while I was on holiday.

http://forums.spybot.info/showthread.php?p=380633#post380633

Hope you can help - or at least point me in the right direction. A thousand thanks.

Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.


On Tue 31/08/2010 17:41:28 your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0xFFFFFA80044D5B30, 0xFFFFFA80044D5E10, 0xFFFFF80002DD85D0)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\083110-23634-01.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.



On Tue 31/08/2010 10:29:22 your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0xFFFFFA80015A72B0, 0xFFFFFA80015A7590, 0xFFFFF80002BDA5D0)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\083110-20498-01.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.



On Tue 31/08/2010 07:25:33 your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0xFFFFFA8004138060, 0xFFFFFA8004138340, 0xFFFFF80002BD25D0)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\083110-19203-01.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.



On Tue 31/08/2010 06:52:06 your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0xFFFFFA80041E6950, 0xFFFFFA80041E6C30, 0xFFFFF80002B9A5D0)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\083110-20248-01.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.



On Mon 30/08/2010 16:23:37 your computer crashed
This was likely caused by the following module: csrss.exe
Bugcheck code: 0xF4 (0x3, 0xFFFFFA80045BA060, 0xFFFFFA80045BA340, 0xFFFFF80002BD65D0)
Error: CRITICAL_OBJECT_TERMINATION
Dump file: C:\Windows\Minidump\083010-19219-01.dmp
file path: C:\Windows\system32\csrss.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Client Server Runtime Process
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.



On Sun 29/08/2010 08:41:22 your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x7A (0xFFFFF6FC50034888, 0xFFFFFFFFC0000010, 0x1176F820, 0xFFFFF8A00691120C)
Error: KERNEL_DATA_INPAGE_ERROR
Dump file: C:\Windows\Minidump\082910-25272-01.dmp
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.




--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

6 crash dumps have been found and analyzed. Note that it's not always possible to state with certainty whether a reported driver is really responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.



DS (Ver_10-03-17.01) - NTFSX64
Run by Kate at 18:53:35.47 on 31/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.1790.1119 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
C:\Windows\SysWOW64\svchost.exe -k netsvcs
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\WhoCrashed\whocrashed.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1DU6C4T5\dds[1].scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.ebay.co.uk/ws/eBayISAPI.dll?MyEbay&gbh=1&CurrentPage=MyeBayAllBuying
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_GB&c=94&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files (x86)\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files (x86)\aol\aol toolbar 5.0\aoltb.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files (x86)\aol\aol toolbar 5.0\aoltb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\norton internet security\engine\16.8.0.41\coIEPlg.dll
uRun: [HPADVISOR] c:\program files (x86)\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW
uRun: [V Stuff Backup] "c:\program files (x86)\virginmedia\v stuff backup\v_stuff_backup.exe" /delayed
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [HPCam_Menu] "c:\program files (x86)\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files (x86)\hewlett-packard\media\webcam" updatewithcreateonce "software\hewlett-packard\media\Webcam"
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [NortonOnlineBackupReminder] "c:\program files (x86)\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [Easybits Recovery] c:\program files (x86)\easybits for kids\ezRecover.exe
mRun: [UpdatePRCShortCut] "c:\program files (x86)\hewlett-packard\recovery\muitransfer\muistartmenu.exe" "c:\program files (x86)\hewlett-packard\recovery" updatewithcreateonce "software\cyberlink\PowerRecover"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search - c:\programdata\aol\ietoolbar\resources\en-gb\local\search.html
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files (x86)\norton internet security\engine\16.8.0.41\CoIEPlg.dll
SEH: EasyBits ShellExecute Hook: {e54729e8-bb3d-4270-9d49-7389ea579090} - c:\windows\syswow64\EZUPBH~1.DLL
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB-X64: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe /background
mRunOnce-x64: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nisx64\1008000.029\SymEFA64.sys [2010-8-22 402992]
R1 BHDrvx64;Symantec Heuristics Driver;c:\windows\system32\drivers\nisx64\1008000.029\BHDrvx64.sys [2010-8-22 334384]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nisx64\1008000.029\cchpx64.sys [2010-8-22 583296]
R1 IDSVia64;IDSVia64;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100827.001\IDSviA64.sys [2010-8-28 463408]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSr64.exe [2009-8-27 92160]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-27 203264]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2009-7-14 27136]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-27 132656]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-8-27 139616]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-8-27 233472]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nisx64\1008000.029\symndisv.sys [2010-8-22 56880]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-8-26 34872]

=============== Created Last 30 ================

2010-08-29 19:51:49 56 ---ha-w- c:\windows\syswow64\ezsidmv.dat
2010-08-28 21:15:16 82 ----a-w- c:\users\kate\appdata\roaming\wklnhst.dat
2010-08-28 18:21:20 0 d-----w- c:\programdata\VirginMedia
2010-08-28 18:18:51 2767872 ----a-w- c:\windows\syswow64\Redemption.dll
2010-08-28 18:18:47 0 d-----w- c:\program files (x86)\VirginMedia
2010-08-27 21:34:56 299085958 ----a-w- c:\windows\MEMORY.DMP
2010-08-26 12:12:48 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-08-26 01:36:04 0 d-----w- c:\programdata\Recovery
2010-08-25 21:47:46 0 d-----w- c:\windows\syswow64\Wat
2010-08-25 21:47:46 0 d-----w- c:\windows\system32\Wat
2010-08-25 20:53:12 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-08-25 20:53:12 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-08-25 20:43:21 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-08-25 20:43:21 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-08-25 20:43:21 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-08-25 20:43:20 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-08-25 20:43:20 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-25 20:43:20 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-08-25 20:43:20 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-25 20:43:20 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-08-25 20:43:20 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-08-25 20:43:20 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-25 20:42:52 294912 ----a-w- c:\windows\system32\browserchoice.exe
2010-08-25 20:16:13 716800 ----a-w- c:\windows\syswow64\jscript.dll
2010-08-25 20:14:28 424960 ----a-w- c:\windows\system32\secproc.dll
2010-08-25 20:13:50 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-25 20:12:44 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-08-25 20:11:49 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-08-25 20:11:43 1877504 ----a-w- c:\windows\system32\msxml3.dll
2010-08-25 20:11:43 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-08-25 20:11:27 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-08-25 20:11:27 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-08-25 20:11:27 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-08-25 20:11:27 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2010-08-25 20:11:23 46592 ----a-w- c:\windows\system32\msasn1.dll
2010-08-25 20:11:23 34816 ----a-w- c:\windows\syswow64\msasn1.dll
2010-08-25 20:07:39 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-08-25 20:07:39 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-08-25 20:07:39 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-08-25 20:07:39 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-08-25 20:07:39 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-08-25 20:07:39 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-08-25 20:07:35 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-08-25 20:07:35 2048 ----a-w- c:\windows\system32\tzres.dll
2010-08-25 20:04:18 0 d-----r- c:\program files (x86)\Norton Support
2010-08-24 20:24:20 0 d-----w- c:\program files\WhoCrashed
2010-08-23 20:52:45 0 d-----w- c:\program files (x86)\MSXML 4.0
2010-08-23 17:37:12 0 d-----w- c:\programdata\{DA06AA03-DF24-4ECE-939E-1B0939235C66}
2010-08-23 17:36:40 0 d-----w- c:\users\kate\appdata\roaming\hpqLog
2010-08-23 17:28:24 0 d-----w- c:\users\kate\appdata\roaming\HP Support Assistant
2010-08-23 16:56:06 0 d-----w- c:\users\kate\appdata\roaming\WinBatch
2010-08-23 16:44:21 0 d-----w- c:\users\kate\appdata\roaming\HpUpdate
2010-08-22 16:52:15 0 d-----w- c:\program files (x86)\common files\Symantec Shared
2010-08-22 16:15:43 31280 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-08-22 16:15:37 855 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.INF
2010-08-22 16:15:37 7440 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.CAT
2010-08-22 16:15:37 172592 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2010-08-22 16:15:31 0 d-----w- c:\program files\Symantec
2010-08-22 16:15:31 0 d-----w- c:\program files\common files\Symantec Shared
2010-08-22 16:14:03 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-08-22 16:14:03 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-08-22 16:13:51 139264 ----a-w- c:\windows\system32\cabview.dll
2010-08-22 16:13:51 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-08-22 16:08:58 0 d-----w- c:\users\kate\appdata\roaming\HP TCS

==================== Find3M ====================

2010-08-22 16:23:09 588472 ----a-w- c:\windows\syswow64\ezsvc7x.dll
2010-08-22 16:08:30 1679 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_VG256AA-ABU MS215uk_YC_0Pavi_Q4CS937_E94WEv6PrA2_49_ICapirona_SHP_V_BV5.11_T090828_WUH0_L409_M1791_J320_7AMD_8Athlon X2 Dual Core 3250e_91.5_#100322_N168C001C_Z_G10029612.MRK
2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-29 23:12:16 13312 ----a-w- c:\windows\LPRES.DLL
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-16 06:11:10 340992 ----a-w- c:\windows\system32\schannel.dll
2010-06-16 05:48:35 224256 ----a-w- c:\windows\syswow64\schannel.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:54:49.47 ===============