Verifying the event that initally launched a malicious task?

  • Thread starter Thread starter don_b_1
  • Start date Start date
D

don_b_1

I found a malicious task planted in the Task Scheduler of Vista Home Premium.
This task is designed to create an illusion the computer is infected with a
virus.

Is there any way I can verify the event that originally activated the
trigger and set the task in motion?

I'm using a reverse engineered OEM version of Vista, not genuine Microsoft
Vista.
 
Hi don_b_1,

You state the following (quote): "I'm using a reverse engineered OEM version
of Vista, not genuine Microsoft Vista." As such, this can be classed as
PIRATED and it is hardly surprising that you found something untoward with
it. I strongly recommend that you cease using this copy and install a genuine
copy instead because not only may you have more problems with this copy, but
you may find that people are unwilling to help you with problems if you are
not using a genuine copy.
Dwarf
 
don_b_1 said:
I guess I wasn't clear. This OEM Vista is fully licensed by Microsoft.


Please include enough of the previous message(s) so that others trying to
follow this thread know what you are talking about. Also please try to
“edit out†the non relevant portions. It helps everyone. Go to:
Tools > Options > Send > check - “Include message in replyâ€
 
To further clarify, this licensed copy of Vista is of the type that comes as
a pre-installed image copied to the recovery partition of a new laptop
computer. The computer was purchased from a major brick and mortar office
supply company.
 
Hi don_b_1,

Your copy of Vista as supplied is a legitimate OEM version. However, by
'reverse engineering' it, you are violating the EULA agreement. As far as I
am aware, the only difference between the RETAIL version and the OEM versions
of Vista is that with an OEM version that copy is tied to the first system
that it is installed and activated on (it therefore lives and dies with that
system), whereas the retail version is transferable PROVIDING that it is not
installed on more than one machine at a time. The following is taken from
Clause 8 of the EULA of Windows Vista Home Premium.
Dwarf

"SCOPE OF LICENSE. The software is licensed, not sold. This agreement only
gives you some rights to use the software. Microsoft reserves all other
rights. Unless applicable law gives you more rights despite this limitation,
you may use the software only as expressly permitted in this agreement. In
doing so, you must comply with any technical limitations in the software that
only allow you to use it in certain ways. You may not reverse engineer,
decompile or disassemble the software, except and only to the extent that
applicable law expressly permits, despite this limitation. For more
information, see http://www.microsoft.com/licensing/userights."
 
Dwarf said:
Hi don_b_1,

Your copy of Vista as supplied is a legitimate OEM version. However, by
'reverse engineering' it, you are violating the EULA agreement.

Hello Dwarf,

I am not the one that did any reverse engineering on it, okay? I am merely
the one trying to sort out the problems created by the software engineer who
did.

I am also trying find information to verify the original event that pulled
the trigger on the malicious task in the beginning. That's the thing you see
up top and what this thread is supposed to be all about.

Can you please give all this suspicion and innuendo a rest and try to help
me find the place in Vista where I can verify what set this task in motion?
There is nothing about that event in the task properties or in the logs but
it seems like there ought to be a record of it somewhere in Vista. I just
don't know where to look.
 
Hi don_b_1,

Apologies for the misunderstanding. Perhaps if you stated this in your
original post, then this misunderstanding would not have come about. To find
out the trigger for a particular task, do the following. Open the 'Task
Scheduler' by clicking on the start orb and typing 'task scheduler' into the
search box. This program will appear in the 'Programs' section of the results
panel. Right click on it and select 'Run as administrator'. After providing
administrative credentials, the program will open. In the left hand panel,
under the heading 'Task Scheduler (Local)', expand all items. When you see
the item in question, click on it. In the top half of the central panel, this
task will be listed. Click on this and the bottom half of the central panel
will be populated. Go through the options listed here, and this should be
able to help you. Note that since this copy of Vista has been reverse
engineered by a 3rd party, the 'Task Scheduler' program may or may not work
correctly. In addition to this, you may find that other features do not work
as intended as well.
Dwarf
 
Dwarf said:
Hi don_b_1,

Apologies for the misunderstanding. Perhaps if you stated this in your
original post, then this misunderstanding would not have come about. To find
out the trigger for a particular task, do the following. Open the 'Task
Scheduler' by clicking on the start orb and typing 'task scheduler' into the
search box. This program will appear in the 'Programs' section of the results
panel. Right click on it and select 'Run as administrator'. After providing
administrative credentials, the program will open. In the left hand panel,
under the heading 'Task Scheduler (Local)', expand all items. When you see
the item in question, click on it. In the top half of the central panel, this
task will be listed. Click on this and the bottom half of the central panel
will be populated. Go through the options listed here, and this should be
able to help you.

Thanks Dwarf. No problems. I should have been more direct in my original post.

I already have all the general parameters for the task and the settings and
the conditions that control how it runs I also have all the info on the
trigger that makes it run NOW.

What I can't find is the particular piece of programming that activated the
task BEFORE the trigger took over. The regular trigger described under the
"Triggers" tab in the Task Schedule Library gives me that and it is what
continues to make it run. Something occurred to activate the task and it
wasn't installation of the software from the recovery partition to the C:
drive and this is what I cannot find.

I have the complete history of the task from the log.. This dates back to
the first time the task ever executed. I have a very good idea what set the
task it motion but I can't prove it until I find the programming that set it
off.
Note that since this copy of Vista has been reverse
engineered by a 3rd party, the 'Task Scheduler' program may or may not work
correctly. In addition to this, you may find that other features do not work
as intended as well.

Task Scheduler appears to work properly but indeed, there are problems with
this thing that I've been working out, one by one. What bothers me is the
number of bombs planted in the OS that haven't gone off yet.

I am in contact with various people regarding this situation, including the
executive offices of the retailer and Microsoft but I like to have all the
facts before I begin presenting a case. Ya know what I mean?
 
Hi don_b_1,

Click the start orb and type 'winver' followed by enter. What version of
Vista comes up? What is the build number?
Dwarf
 
Dwarf said:
Click the start orb and type 'winver' followed by enter. What version of
Vista comes up? What is the build number?

Good Morning Dwarf. It's Vista Home Premium Version 6.0 (Build 6000)
 
Hi don_b_1,

Thanks for the prompt reply. This has eliminated one possibility that I was
thinking of - the possibility that you had a machine with SP1 on it despite
the code only being released to manufacturers on Feb 4th. A few questions.
What is the name of the task concerned? What is making it run now? What other
things appear to be causing problems? Have you tried recovering your machine
to its original condition - and if so, did you DISCONNECT the machine from
the Internet during the procedure?
Dwarf
 
Dwarf said:
Thanks for the prompt reply. This has eliminated one possibility that I was
thinking of - the possibility that you had a machine with SP1 on it despite
the code only being released to manufacturers on Feb 4th. A few questions.
What is the name of the task concerned? What is making it run now? What other
things appear to be causing problems? Have you tried recovering your machine
to its original condition - and if so, did you DISCONNECT the machine from
the Internet during the procedure?

Dwarf, I'm gonna write you a book and give you complete background info and
all the details. Please be patient while I get this all together.
 
Dwarf said:
Thanks for the prompt reply. This has eliminated one possibility that I was
thinking of - the possibility that you had a machine with SP1 on it despite
the code only being released to manufacturers on Feb 4th. A few questions.
What is the name of the task concerned? What is making it run now? What other
things appear to be causing problems? Have you tried recovering your machine
to its original condition - and if so, did you DISCONNECT the machine from
the Internet during the procedure?

To answer your last two questions, yes the computer has been restored to
original condition and yes, it was disconnected at the time. The only time
the machine is connected to the internet is for a specific purpose. We do not
have an "always on" connection and the computer is always disconnected after
use. I address the other questions below.

From the beginning, and this will be very long, I bought a laptop computer
as a Christmas present for my wife with the plan of setting her up with
secured wi-fi and air card service so she could easily connect to her company
network when out of the office. I set it up, did all the updates and packed
it away until Christmas. After this, I installed all the software she needed
and got rid of all the many gigabytes of promotional trashware that installed
with the OS. I quickly learned it had horrible security problems. Among
other things, on Jan 30 at 9:18 PM, it woke itself from sleep mode with the
screen folded down, dialed up and connected to the internet and began
transmitting data back and forth between it and some unknown site. The
computer was still officially asleep when I raised the lid to begin
investigating. I had to wake it up and enter the password to gain access.
After trying every way possible to break the connection by using software
controls, the only way I to break it was to yank the modem line. By the time
I did that it had transmitted 240 kb of data and had received over 50 kb.
According to my ISP, the computer did was not not logged on to my account.

The tech support for the computer company said the computer was infected
with a virus and had to be restored from the recovery partition. When I
explained that was impossible since it was firewalled, fully protected, had
only connected to Windows Update and Norton Live Update and didn't even have
an email client set up yet, the blame was placed on a bug in Vista. I was
advised to wait for the release of the upcoming Vista service pack that
should solve the problem. I formatted the drive, reinstalled and reupdated
the system and once again removed all the trashware. A week later, it did it
again..When it happened the second time, I returned the computer to the
retailer and that's when I made my second mistake. In exchange, I accepted an
apology and an upgraded model made by the same company.

I originally set up this second machine on Jan 11. The first thing I did was
get all the Windows and Norton updates. On the morning of the 12th, I burned
my recovery set to dvd's and began uninstalling all the trashware that came
preloaded into the system. At a certain point, the computer became unhappy
and displayed serious problems so I restored the computer from the recovery
disks I made. Due to the previous experience, I was expecting trouble. Then I
learned that contrary to published information, the recovery manager did not
take an image from the newly configured and updated installation on the C:
drive, but simply burned the image from the existing recovery partition. So I
started over.

This time I initially uninstalled the gigabytes of trashware (very
carefully) to ensure system stability before I went through the ordeal of
doing all the updates over our dial-up connection, which is the only type of
internet service available to us where we live. On the13th I did all the
updates and all went well except for the Windows Defender update. No matter
what I tried, that update would not install. Following a lot of research, I
began working with Microsoft security engineers on the 14th, attempting to
find a resolution to the problem. After more than eight hours on the phone
with them over a three day period, there was no solution to be found. I had
to reinstall and reupdate the system again. I did this on the 16th..This time
the only update that failed to install was MSXML Core Services SP2 but after
numerous attempts, it finally took.

On the 17th, I once again began uninstalling the trashware and made it all
the way though without incurring any problems. After that the computer was
good until Feb 2 when a very peculiar IE browser window was called after
resuming the computer from a two day hibernation. The browser had no
controls, no menu, no context menu (either from the window or the taskbar
button) and no way to close it except terminate it in Task Manager under the
Applications tab. This concerned me but I wasn't able to duplicate the error.
It concerned me a lot more deeply when it reappeared on Feb 23, again after
resuming from a lengthy hibernation. This time I began looking more closely.
The computer was squeaky clean. No virus, worm, trojan, adware, spyware or
anything else to be found by Norton Internet Security, Spybot S&D or Windows
Defender. Malicious script was not a possibility since that's blocked in
Firefox, the browser that's used on the machine. The January and February
Malicious Software Removal Tool had found nothing. Manipulating startups and
processes would not allow for duplication

That night, I contacted the tech support for the computer company via their
internet chat facility with a full description of the problem and was told
the computer was infected by a virus and it must be restored from the
recovery partition. That wasn't a satisfactory solution because I knew it
wasn't true.

The next day I contacted their email support division and went through it
all again. Again, the only solution was restore the computer from the
recovery partition because the computer was infected with a virus. Over the
course of the week, I received 11 different emails that all said the same
thing, that it is infected by virus and must be restored to factory original
condition as the only possible solution. By this time I'm becoming well aware
that these computers are subject to serious problems as a consequence of
uninstalling all the promotional software they try to sell with the machine
and am rather certain that all problems are caused by manufacturer reverse
engineering. I've been using Microsoft operating systems since DOS 4 was
released and never experienced anything like this before.

After the appearance of the browser again on the 23rd, I assumed the
condition required to call the "virus" browser was hibernation of two days or
better because that was the condition of the computer both times it appeared.
On the evening of Feb 27. I disabled all non-microsoft services and startup
programs and let it hibernate in an attempt to recreate and isolate the
problem. I resumed the computer on Saturday morning, Mar 1, at the same time
of day as the Saturday before and the browser appeared. This meant it wasn't
being called by an application or a non-microsoft service.

After searching through various areas of the system I finally found the
cause in Task Scheduler. It has very little to do with my original assumption
that the computer must be hibernated for two days to make the bug pop. The
actual requirement is the computer must be hibernated at the time the task is
scheduled to run. Otherwise, the window of opportunity is so limited it would
take a very odd set of circumstances for the result to ever be seen with a
normal laptop power management setup.

The task is called "InternetServiceOffers" and was described as "At 7:59 AM
every 5 days - After triggered, repeat every 30 minutes indefinitely".
The parameters are:
Start the task only if the computer is idle for 10 minutes
Wait for idle 1 hour
Start task only if computer is on AC power
Stop if the computer switches to battery power
Wake the computer to run this task=NO
Allow the task to be run on demand
Stop the task if it runs longer than 3 days
If the running task does not end when requested, force it to stop
If the task is already running, then the following rule applies: Do not
start a new instance.

Running it manually revealed the the trigger and execution time changes with
every run.

The net effect of these parameters are:

The successful and visible execution of the task (the "virus" browser") only
occurs when resuming the computer from extended hibernation when the computer
is hibernated at the scheduled runtime of the task.

The execution of the task has never been visible after starting the computer
from a Shut Down state although the "History" indicates it an execution on
schedule and the schedule is updated.

The result of task execution never appears when using the computer although
given the exact right circumstance, it possibly could.

The Microsoft-Windows-TaskScheduler%4Operational log indicates the program
initiated on Jan 22 and ran successfully eight times between Jan 22 and Mar
1.The log also indicates the only times the program ran off the regular five
day schedule are the three times the computer was hibernated at the scheduled
run time. For these executions, the history shows execution of the task
occurred at six, six and seven days. Each of these times the "virus" browser
was called approximately 30 minutes after resuming from hibernation.

In simplification, the task is designed to call a browser window that mimics
a virus only when the computer resumes from hibernation and only when very
restrictive criteria are met and as a consequence, it rarely happens. Of the
dozens of times the computer hibernated between Jan 22 and Mar 1, the
criteria were met only three times..

The alleged purpose of the task is to provide a reminder to take advantage
of the Easy Internet Sign up program. I imagine it's supposed to nag the user
for permission to connect the computer to an array of ISP's for the purpose
of contracting for internet service . The rub is, when the Easy Internet
Sign-up program is uninstalled, the task functions in a completely different
manner. In fact, I believe the requirement for activating the task is
uninstalling the Easy Internet Sign-up program itself.

The reason I believe this is: the program itself was originally installed
along with the OS on the 16th, about 9 PM. If installation of the program
activated the task, the first execution would have occurred at around 9 PM on
the 21st, five days later. Instead, the first logged execution occurred at
8:29 AM on the 22nd which was five days after I uninstalled the program. I
believe the actual uninstall is what activated the task. This, however, is
something I cannot prove without finding the programming that activated the
task it or finding uninstall information in Vista that recorded the date and
time Easy Internet Sign-up was uninstalled. This would also verify the
uninstall was the event that activated the task.

The reason I say this task is malicious is because it's designed to mimic a
virus and at a dozen of the company's tech support personnel insisted it was
indeed a virus. They all said the only possible solution to the problem was
using their Recovery Manager to restore the computer to factory original
condition. Of course, this only serves to recycle the programming that's
designed to scare the user into restoring the computer from the recovery
partition, thus causing reinstallation of the promotional software. It's a
penalty imposed upon those who refuse to play the game and uninstall the
unwanted and unneeded software.

Finding this task planted in the system by the software engineers, combined
with all the other erratic behavior displayed by both computers (including
autodialing and connecting to an unknown point on the internet from sleep
mode) makes me wonder what other little bombs they have planted such as
keyloggers and botnet clients.
 
Hi don_b_1,

Thanks for the comprehensive reply. Hopefully, I now have enough information
to be able to solve your problem. This is not a unique problem to you - many
people have similar problems with pre-installed operating systems. The
problem is that Microsoft (and other operating system manufacturers) allow
computer manufacturers to modify OEM copies of the OS by a process known as
'slipstreaming'. This is fine so long as the manufacturers just integrate the
hardware drivers. Unfortunately, most manufacturers also tend to integrate
what I and many others term as 'bloatware'. This includes trial versions of
software such as Norton and McAfee as well as the program which is giving you
problems. The actual 'bloatware' program content depends on the computer
manufacturer. I assume that this is a HP computer since the 'Easy Internet
Sign Up' program appears to originate from them. I enclose a couple of links.
The first is to the 'Safari Books Online' description of 'Easy Internet Sign
Up' and the second is to the relevant page on CNET forums. Follow the
instructions on the forum, specifically Post 16 of 19 on page 2 (details
correct at the time of my making this post). A copy of this post is given
below for your convenience. All the details seem to tally up with your last
post.
Dwarf

"HP easy internet sign up pop up
by HPfix - 26/04/07 11:30
In reply to: Vista/HP and the easy internet sign-up pop up by Fourdave
OH MY GOD i FINALLY got this issue resolved, four calls, several hours on
the phone, 10,000 pop-ups, a few years of my life...try this:

Use the following steps to uninstall the Easy Internet Sign-up software:

1. Click the Vista Button, and in the area labeled ?start search? type in
Task Scheduler

2. Click on the result at the top; Task Scheduler

3. Click on Continue if you are prompted with User Access Control asking for
permission

4. Disable all the following tasks:


' ExtendedService Plan - After Triggered, repeat every 30
minutes indefinitely.

' HPCeeScheduleForryan After Triggered, repeat every 6 hrs for
3000 hrs (30.00:00:00)

' InternetServiceOffers After Triggered, repeat every 30 minutes
indefinitely.

' Norton Internet Security Every Friday of every week

' Registration After Triggered, repeat every 30 minutes
indefinitely."

' ServicePlan Multiple Triggers Defined"

http://safari.oreilly.com/0131002511/ch12lev1sec4

http://forums.cnet.com/5208-12546_102-0.html?forumID=133&threadID=235913&messageID=2415823
 
Dwarf said:
Hi don_b_1,

Thanks for the comprehensive reply.

Hi Dwarf. Thanks for reading it.
Hopefully, I now have enough information
to be able to solve your problem. This is not a unique problem to you - many
people have similar problems with pre-installed operating systems. The
problem is that Microsoft (and other operating system manufacturers) allow
computer manufacturers to modify OEM copies of the OS by a process known as
'slipstreaming'.

Ah! Slipstreaming. This is what I call "reverse engineering". I don't have a
problem with the design nature of something like this. It's simpler and
easier than collecting all the hardware drivers on my own. Where I go off the
chart is paying the penalties imposed imposed upon me and other users for not
playing the game.

I didn't want to point fingers in an open forum but yes, these are HP/Compaq
computers.

I'm sure huge numbers of users have been bitten by these bugs and have been
influenced to restore their systems by following the simpleminded cookbook
advice dished out by HP tech support.

They have other Taskbombs planted in the machine, too. These offer further
evidence the task itself is not activated until the underlying program is
uninstalled.

One in particular is "Registration". I was "reminded" after startup to go
ahead and complete the online registration. Since the computer was already
registered on 1/16, just prior to the most recent "Recovery" operation, I
removed the underlying program on the 19th. This is what activated the task
and it has run every 14 days ever since. I've apparently not met the criteria
required to experience the result of this task yet but I'm sure it's designed
to do something odd to the computer

There is another Taskbomb but it has not activated yet. probably because i
haven't removed the underlying program to set it off.

What I need to locate is some sort of proof within Vista that shows what
actually activated the task and set it in motion.

Alternatively, I'd like to know if there's anything in Vista that records
the date and time any particular program was uninstalled.

The Taskbombs are merely an annoyance once the user is aware of the problem
but there are much more dangerous things that hide in the guts. A computer
does not wake itself up, connect to the internet and begin transmitting data
without some type of deviant programming to control the action. Lord only
knows what set that bomb off but so far I see no evidence I've activated that
one in this new computer.

BTW: These tasks they plant are "read only". I haven't tried to delete one
yet.
 
Dwarf said:
Hi don_b_1,

Thanks for the comprehensive reply.

Hi Dwarf. Thanks for reading it.
Hopefully, I now have enough information
to be able to solve your problem. This is not a unique problem to you - many
people have similar problems with pre-installed operating systems. The
problem is that Microsoft (and other operating system manufacturers) allow
computer manufacturers to modify OEM copies of the OS by a process known as
'slipstreaming'.

Ah! Slipstreaming. This is what I call "reverse engineering". I don't have a
problem with the design nature of something like this. It's simpler and
easier than collecting all the hardware drivers on my own. Where I go off the
chart is paying the penalties imposed imposed upon me and other users for not
playing the game.

I didn't want to point fingers in an open forum but yes, these are HP/Compaq
computers.

I'm sure huge numbers of users have been bitten by these bugs and have been
influenced to restore their systems by following the simpleminded cookbook
advice dished out by HP tech support.

They have other Taskbombs planted in the machine, too. These offer further
evidence the task itself is not activated until the underlying program is
uninstalled.

One in particular is "Registration". I was "reminded" after startup to go
ahead and complete the online registration. Since the computer was already
registered on 1/16, just prior to the most recent "Recovery" operation, I
removed the underlying program on the 19th. This is what activated the task
and it has run every 14 days ever since. I've apparently not met the criteria
required to experience the result of this task yet but I'm sure it's designed
to do something odd to the computer

There is another Taskbomb but it has not activated yet. probably because i
haven't removed the underlying program to set it off.

What I need to locate is some sort of proof within Vista that shows what
actually activated the task and set it in motion.

Alternatively, I'd like to know if there's anything in Vista that records
the date and time any particular program was uninstalled.

The Taskbombs are merely an annoyance once the user is aware of the problem
but there are much more dangerous things that hide in the guts. A computer
does not wake itself up, connect to the internet and begin transmitting data
without some type of deviant programming to control the action. Lord only
knows what set that bomb off but so far I see no evidence I've activated that
one in this new computer.

By the way, these tasks they plant are "read only". I haven't tried to
delete one yet.

PS: I posted this earlier but for some reason it didn't take. In the interim
I checked the links you provided. Going by the information in the CNET
messages, HP has changed it's ways in the past year. They've modified the
tasks to make them even more devious and harder to track down.
 
Hi don_b_1,

I have been doing a bit more research, and I have come across quite a few
mentions of the following file 'HPSdpApp.exe' which appears to be linked to
the 'Easy Internet Sign Up' program. To prevent this program from running
automatically, open the registry editor by clicking the start orb and typing
'regedit' into the search box. In the 'Programs' section of the results
panel, right click on this program and select 'Run as administrator'. After
providing administrative credentials, the program will appear. Browse to the
following keys and delete all instances of this file, 'HPSdpApp.exe'.
Finally, close the registry editor. This is in addition to the information
given in my previous post.
Dwarf

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
 
Dwarf said:
Hi don_b_1,

I have been doing a bit more research, and I have come across quite a few
mentions of the following file 'HPSdpApp.exe' which appears to be linked to
the 'Easy Internet Sign Up' program. To prevent this program from running
automatically, open the registry editor by clicking the start orb and typing
'regedit' into the search box. In the 'Programs' section of the results
panel, right click on this program and select 'Run as administrator'. After
providing administrative credentials, the program will appear. Browse to the
following keys and delete all instances of this file, 'HPSdpApp.exe'.
Finally, close the registry editor. This is in addition to the information
given in my previous post.

Thanks Dwarf. I already know all about HPSdpApp.exe. It's formal name is HP
SDP Application Module. That's not what I'm looking for.

So far, I can think of only two things that will help me out. I can't find
either one.

1) I need to find the HP programming in Vista that activated the task when
the Easy Internet Sign-up application was uninstalled. The log times indicate
the task didn't begin at the time of program installation but at the time of
program UNinstallation.

2) I need to know if there's anything in Vista that records the date and
time that any particular application is uninstalled.
 
Hi don_b_1,

This should help you with the answer to Q2. To find out the date of the
uninstallation of a program, you need to run the 'Reliability and Performance
Monitor'. To do this, click on the start orb and type 'reliability and
performance monitor'. This too needs to be executed with administrative
priviledges. When the program opens, click on 'Reliability Monitor'. This is
a 'System Stability Chart', and it is updated daily. Please note that events
for the current day will not appear in this chart until the following day.
One of the things that this monitors is 'Software (Un)Installs', and this is
where you will find the information. Simply check each day until you come
across the required event. This records the date of an event, but I am not
aware of anything recording the time.
Dwarf
 
Back
Top