TechSpot

Trojan/Virus in shared folders

By luzterin
Aug 12, 2010
  1. Hello, I have a problem with a strange virus/trojan. It happens on a couple of computers: 4 XP machines and 2 2003 servers.
    The virus creates executable files in shared folders on the computers. I have Symantec Endpoint Protection. Sometimes it catches the virus, sometimes it doesn't. The names of the files are the names of the folders plus one of these extensions: .exe, .pif, .scr, .bat, .shortcut. The sizes of these files, when the process starts, are all equal, for example 976 KB. When Norton catches them, it appears as trojan.backdoor.
    After a few hours of constantly creating these files and Norton deleting them, the virus stops. The shared folders are empty. It's clean. It stays like that... maybe a day or a week.
    The virus also creates the files in safe mode without network. When the files start to appear again in the same shared location, the size is now different, and Norton doesn't catch these files now.
    Does anybody have experience with such a problem?

    Any suggestions?
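    The symptom described above (a file dropped into a folder, named after that folder, with an executable extension, and every drop of one wave having the same size) is easy to sweep for on the defender side. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it walks a share tree, flags files whose base name equals their parent folder's name (also tolerating a trailing "$", the form seen later in the thread's ESET log as Licenses\Licenses$.exe) and whose extension is one of the four named in the post, then clusters the hits by exact size so a wave of identical droppers stands out from a lone legitimate file. The sample share layout, file sizes and paths are constructed for the demo; only .shortcut from the post is omitted because its real extension is not stated.

```python
"""
Added example (not from the TechSpot thread or any tool it mentions):
sweep a share tree for folder-named executable droppers and group them
by size. Sample layout, sizes and paths below are constructed.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions named in the post; ".shortcut" is left out (real extension unknown).
SUSPICIOUS_EXT = {".exe", ".pif", ".scr", ".bat"}


def folder_named_droppers(root):
    """Return (path, size) for every file under root whose stem equals its
    parent folder's name (ignoring case and a trailing '$') and whose
    extension is in SUSPICIOUS_EXT."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in SUSPICIOUS_EXT and stem.lower().rstrip("$") == parent:
                full = os.path.join(dirpath, name)
                hits.append((full, os.path.getsize(full)))
    return sorted(hits)


def size_clusters(hits, min_count=2):
    """Group hits by exact byte size; a wave of droppers shares one size."""
    by_size = defaultdict(list)
    for path, size in hits:
        by_size[size].append(path)
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_count}


def build_sample_share(base):
    """Constructed sample tree mirroring the naming seen in the thread's
    ESET log (hypothetical contents; zero-filled files of the given sizes)."""
    wave = 976 * 1024  # the 976 KB size the original post reports
    layout = {
        "Licenses/Licenses$.exe": wave,
        "Licenses/Logs/Logs.exe": wave,
        "Licenses/PDFToolbox/PDFToolbox.exe": wave,
        "Licenses/LicSN/LicSN.bat": wave,
        "Licenses/ColorToolbox_3.0/ColorToolbox_3.0.scr": wave,
        "Licenses/Logs/app.log": 1200,           # benign: name differs from folder
        "Licenses/Setup/Setup.txt": 40,          # benign: not an executable extension
        "Licenses/Tools/Tools.exe": 512 * 1024,  # matches the name rule, odd size
    }
    for rel, size in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    return base


def demo():
    """Build the sample share in a temp dir, sweep it, and return the hits as
    share-relative paths plus a {size: count} summary of the clusters."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        hits = folder_named_droppers(tmp)
        rel = [os.path.relpath(p, tmp).replace(os.sep, "/") for p, _ in hits]
        clusters = {size: len(paths) for size, paths in size_clusters(hits).items()}
        return rel, clusters


if __name__ == "__main__":
    paths, summary = demo()
    for p in paths:
        print("suspect:", p)
    for size, count in summary.items():
        print(f"{count} suspects share size {size} bytes")
```

    Run it against a real share root instead of the temp tree by calling folder_named_droppers(r"\\server\share") and size_clusters on the result; the size clustering is what separates a wave of droppers from the one legitimate Tools.exe-style match.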
     
  2. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    The last time, this problem appeared between 09 July and 13 July. This month it started at approximately the same time.
     
  3. crunchie

    crunchie Malware Helper Posts: 728

  4. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4420

    Windows 5.2.3790 Service Pack 2
    Internet Explorer 8.0.6001.18702

    12.8.2010 г. 12:22:02
    mbam-log-2010-08-12 (12-22-02).txt

    Scan type: Quick scan
    Objects scanned: 153708
    Time elapsed: 5 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\FirstRRRun (Bagle.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\system32\drivers\down (Trojan.Downloader) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)



    ---------------------------------------------------------------------------------------------------------------------------


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-12 15:02:54
    Windows 5.2.3790 Service Pack 2
    Running: xbjixdjo.exe; Driver: C:\DOCUME~1\prinect\LOCALS~1\Temp\kgtdipog.sys


    ---- System - GMER 1.0.15 ----

    INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A9A0916D
    INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A9A08FC2

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload BA3424A8 5 Bytes JMP 8B5FE420
    ? System32\Drivers\atu7lx76.SYS The system cannot find the path specified. !
    .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA6F49400, 0x7960C, 0xE8000020]
    .protectяяяяhardlockentry point in ".protectяяяяhardlockentry point in ".protectяяяяhardlockentry point in ".p" section [0xA6FEB420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectяяяяhardlockentry point in ".protectяяяяhardlockentry point in ".p" section [0xA6FEB420]
    .protectяяяяhardlockunknown last code section [0xA6FEB200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA6FEB200, 0x5049, 0xE0000020]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72B0ABA] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72B0C00] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72B0B82] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72B172E] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72B1604] sptd.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72C3A9A] sptd.sys

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1724067100
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1040081959
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7C 0xCA 0x71 0x21 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x95 0x20 0xA6 0x9F ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0xFA 0x5A 0xAC ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7C 0xCA 0x71 0x21 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x95 0x20 0xA6 0x9F ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x67 0xFA 0x5A 0xAC ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DisableSR 0

    ---- EOF - GMER 1.0.15 ----


    ---------------------------------------------------------------------------------------------------------------------------

    DDS does not support my operating system, 2003 Server.
     
  5. crunchie

    crunchie Malware Helper Posts: 728

    OK. Let's try an online scan then.

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  6. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    I installed a Kaspersky 6.0 trial on one of the infected computers. It detects, in the shared folders, all the 976 KB files created by the virus as HEUR:Trojan.Win32.Generic. It just deletes/quarantines the files, but they appear again.

    I also tried in safe mode with Malwarebytes' Anti-Malware, performing a full system scan. It didn't find anything.

    At the moment this infection isn't active and isn't creating files; obviously it creates files every 15 to 30 minutes.

    I started ESET Online Scanner on the 2003 server, the infected one that I posted logs from earlier.
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    Can I see a logfile of the Eset scan you did?

    =========

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  8. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    Hi there,
    this is the ESET Online Scanner log:

    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\Licenses$.exe a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\ColorToolbox_3.0\ColorToolbox_3.0.scr a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\HighResRenderer\HighResRenderer.exe a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\LicSN\LicSN.bat a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\Logs\Logs.exe a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\MetaDimension\MetaDimension.bat a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\PDFToolbox\PDFToolbox.exe a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\Prinect Workflow\Workflow.bat a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\ProofRenderer\ProofRenderer.exe a variant of Win32/AutoRun.Agent.UD worm
    C:\Documents and Settings\All Users\Application Data\Heidelberg\Licenses\Signa_Station-3-0\Signa_Station-3-0.exe a variant of Win32/AutoRun.Agent.UD worm
    G:\HF_838\data.tmp\data.tmp.scr a variant of Win32/AutoRun.Agent.UD worm

    ========================================

    this is from OTL:
    extras.txt
    OTL Extras logfile created on: 13.8.2010 г. 11:27:25 - Run 1
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\prinect\Desktop
    Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000402 | Country: Bulgaria | Language: BGR | Date Format: dd.M.yyyy 'г.'

    4,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 83,00% Memory free
    10,00 Gb Paging File | 6,00 Gb Available in Paging File | 57,00% Paging File free
    Paging file location(s): c:\pagefile.sys 6141 12192 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 97,65 Gb Total Space | 68,47 Gb Free Space | 70,11% Space Free | Partition Type: NTFS
    Drive D: | 200,43 Gb Total Space | 200,36 Gb Free Space | 99,96% Space Free | Partition Type: NTFS
    Drive E: | 250,92 Gb Total Space | 205,96 Gb Free Space | 82,08% Space Free | Partition Type: NTFS
    Drive F: | 214,84 Gb Total Space | 214,77 Gb Free Space | 99,97% Space Free | Partition Type: NTFS
    Drive G: | 298,09 Gb Total Space | 248,05 Gb Free Space | 83,21% Space Free | Partition Type: NTFS
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
    Drive W: | 146,48 Gb Total Space | 131,77 Gb Free Space | 89,96% Space Free | Partition Type: NTFS
    Drive X: | 132,40 Gb Total Space | -3,16 Gb Free Space | -2,39% Space Free | Partition Type: NTFS
    Drive Y: | 255,34 Gb Total Space | 9,45 Gb Free Space | 3,70% Space Free | Partition Type: NTFS

    Computer Name: XEON4
    Current User Name: prinect
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "UacDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring" = 1
    "" =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "49300:TCP" = 49300:TCP:*:Enabled:JDF Portal Port 49300
    "31273:TCP" = 31273:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31273
    "31274:TCP" = 31274:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31274
    "31275:TCP" = 31275:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31275
    "31276:TCP" = 31276:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31276
    "31277:TCP" = 31277:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31277
    "31278:TCP" = 31278:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31278
    "31279:TCP" = 31279:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31279
    "31280:TCP" = 31280:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31280
    "31281:TCP" = 31281:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31281
    "31282:TCP" = 31282:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31282
    "31283:TCP" = 31283:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31283
    "31284:TCP" = 31284:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31284
    "31285:TCP" = 31285:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31285
    "31286:TCP" = 31286:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31286
    "31287:TCP" = 31287:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31287
    "31288:TCP" = 31288:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31288
    "31289:TCP" = 31289:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31289
    "31290:TCP" = 31290:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31290
    "31291:TCP" = 31291:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31291
    "31292:TCP" = 31292:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31292
    "31293:TCP" = 31293:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31293
    "31294:TCP" = 31294:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31294
    "31295:TCP" = 31295:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31295
    "31296:TCP" = 31296:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31296
    "31297:TCP" = 31297:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31297
    "31298:TCP" = 31298:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31298
    "31299:TCP" = 31299:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31299
    "31300:TCP" = 31300:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31300
    "31301:TCP" = 31301:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31301
    "31302:TCP" = 31302:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31302
    "31303:TCP" = 31303:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31303
    "31304:TCP" = 31304:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31304
    "31305:TCP" = 31305:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31305
    "8080:TCP" = 8080:TCP:*:Enabled:Web Interface Port 8080
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002
    "6401:TCP" = 6401:TCP:*:Enabled:Heidelberg Prinect JDF Connector (6401)
    "8888:TCP" = 8888:TCP:*:Enabled:Heidelberg Prinect JDF Connector Service (8888)
    "6325:TCP" = 6325:TCP:*:Enabled:Heidelberg Prinect Master Data Service (6325)
    "6329:TCP" = 6329:TCP:*:Enabled:Heidelberg Prinect Master Data Service (6329)
    "49310:TCP" = 49310:TCP:*:Enabled:JDF Bridge Port 49310
    "49311:TCP" = 49311:TCP:*:Enabled:JDF Bridge Port 49311
    "49312:TCP" = 49312:TCP:*:Enabled:JDF Bridge Port 49312
    "49313:TCP" = 49313:TCP:*:Enabled:JDF Bridge Port 49313
    "49314:TCP" = 49314:TCP:*:Enabled:JDF Bridge Port 49314
    "49315:TCP" = 49315:TCP:*:Enabled:JDF Bridge Port 49315
    "49320:TCP" = 49320:TCP:*:Enabled:pDF-PE JDF Portal Port 49320
    "49321:TCP" = 49321:TCP:*:Enabled:pDF-PE JDF Portal Port 49321
    "49322:TCP" = 49322:TCP:*:Enabled:pDF-PE JDF Portal Port 49322
    "49323:TCP" = 49323:TCP:*:Enabled:pDF-PE JDF Portal Port 49323
    "49324:TCP" = 49324:TCP:*:Enabled:pDF-PE JDF Portal Port 49324
    "49325:TCP" = 49325:TCP:*:Enabled:pDF-PE JDF Portal Port 49325
    "4560:TCP" = 4560:TCP:*:Enabled:MetaDTVService Port 4560
    "6351:TCP" = 6351:TCP:*:Enabled:Heidelberg Prinect JDF Connector Service (6351)
    "6351:UDP" = 6351:UDP:*:Enabled:Heidelberg Prinect JDF Connector Service (6351)
    "8889:TCP" = 8889:TCP:*:Enabled:Heidelberg Prinect JDF Connector Service (8889)
    "8889:UDP" = 8889:UDP:*:Enabled:Heidelberg Prinect JDF Connector Service (8889)
    "6315:TCP" = 6315:TCP:*:Enabled:Heidelberg Prinect JDF Storage Service (6315)
    "6319:TCP" = 6319:TCP:*:Enabled:Heidelberg Prinect JDF Storage Service (6319)
    "6335:TCP" = 6335:TCP:*:Enabled:Heidelberg Prinect JMF Message Service (6335)
    "6339:TCP" = 6339:TCP:*:Enabled:Heidelberg Prinect JMF Message Service (6339)
    "6362:TCP" = 6362:TCP:*:Enabled:Heidelberg Prinect Central Device Manager Service (6362)
    "65002:UDP" = 65002:UDP:*:Enabled:Heidelberg Local Information Service Monitor (65002 UDP IN)
    "6321:TCP" = 6321:TCP:*:Enabled:Heidelberg Master Data Service (6321 TCP IN)
    "5353:UDP" = 5353:UDP:*:Enabled:Heidelberg Master Data Service (5353 UDP IN)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "31273:TCP" = 31273:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31273
    "31274:TCP" = 31274:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31274
    "31275:TCP" = 31275:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31275
    "31276:TCP" = 31276:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31276
    "31277:TCP" = 31277:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31277
    "31278:TCP" = 31278:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31278
    "31279:TCP" = 31279:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31279
    "31280:TCP" = 31280:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31280
    "31281:TCP" = 31281:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31281
    "31282:TCP" = 31282:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31282
    "31283:TCP" = 31283:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31283
    "31284:TCP" = 31284:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31284
    "31285:TCP" = 31285:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31285
    "31286:TCP" = 31286:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31286
    "31287:TCP" = 31287:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31287
    "31288:TCP" = 31288:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31288
    "31289:TCP" = 31289:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31289
    "31290:TCP" = 31290:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31290
    "31291:TCP" = 31291:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31291
    "31292:TCP" = 31292:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31292
    "31293:TCP" = 31293:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31293
    "31294:TCP" = 31294:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31294
    "31295:TCP" = 31295:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31295
    "31296:TCP" = 31296:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31296
    "31297:TCP" = 31297:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31297
    "31298:TCP" = 31298:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31298
    "31299:TCP" = 31299:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31299
    "31300:TCP" = 31300:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31300
    "31301:TCP" = 31301:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31301
    "31302:TCP" = 31302:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31302
    "31303:TCP" = 31303:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31303
    "31304:TCP" = 31304:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31304
    "31305:TCP" = 31305:TCP:*:Enabled:Heidelberg Prinect MetaDimension MDS Client API Port 31305
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "6401:TCP" = 6401:TCP:*:Enabled:Heidelberg Prinect JDF Connector (6401)
    "8888:TCP" = 8888:TCP:*:Enabled:Heidelberg Prinect JDF Connector Service (8888)
    "123:UDP" = 123:UDP:*:Enabled:System Time (NTP) Port
    "427:UDP" = 427:UDP:*:Enabled:AppleShare IP TCP Port 427
    "548:UDP" = 548:UDP:*:Enabled:AppleShare IP TCP Port 548
    "520:UDP" = 520:UDP:*:Enabled:Routing Information Protocol (RIP) Port
    "6325:TCP" = 6325:TCP:*:Enabled:Heidelberg Prinect Master Data Service (6325)
    "6329:TCP" = 6329:TCP:*:Enabled:Heidelberg Prinect Master Data Service (6329)
    "6351:TCP" = 6351:TCP:*:Enabled:Heidelberg Prinect JDF Connector Service (6351)
    "6351:UDP" = 6351:UDP:*:Enabled:Heidelberg Prinect JDF Connector Service (6351)
    "8889:TCP" = 8889:TCP:*:Enabled:Heidelberg Prinect JDF Connector Service (8889)
    "8889:UDP" = 8889:UDP:*:Enabled:Heidelberg Prinect JDF Connector Service (8889)
    "6315:TCP" = 6315:TCP:*:Enabled:Heidelberg Prinect JDF Storage Service (6315)
    "6319:TCP" = 6319:TCP:*:Enabled:Heidelberg Prinect JDF Storage Service (6319)
    "6335:TCP" = 6335:TCP:*:Enabled:Heidelberg Prinect JMF Message Service (6335)
    "6339:TCP" = 6339:TCP:*:Enabled:Heidelberg Prinect JMF Message Service (6339)
    "6362:TCP" = 6362:TCP:*:Enabled:Heidelberg Prinect Central Device Manager Service (6362)
    "65002:UDP" = 65002:UDP:*:Enabled:Heidelberg Local Information Service Monitor (65002 UDP IN)
    "6321:TCP" = 6321:TCP:*:Enabled:Heidelberg Master Data Service (6321 TCP IN)
    "5353:UDP" = 5353:UDP:*:Enabled:Heidelberg Master Data Service (5353 UDP IN)

    ========== Authorized Applications List ==========
     
  9. crunchie

    crunchie Malware Helper Posts: 728

    Sorry, but you will need to post the logs here.
    You can either break up the log into separate posts, or attach them instead.
     
  10. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Program Files\Heidelberg\MetaDimension\jre\bin\java_locator.exe" = C:\Program Files\Heidelberg\MetaDimension\jre\bin\java_locator.exe:*:Enabled:Heidelberg Prinect MetaDimension Java Locator -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\Sequencer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\Sequencer.exe:*:Enabled:Heidelberg Prinect MetaDimension Sequencer -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UIServer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UIServer.exe:*:Enabled:Heidelberg Prinect MetaDimension UIServer -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UserUIServer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UserUIServer.exe:*:Enabled:Heidelberg Prinect MetaDimension UserUIServer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\PTSupport\AdminService\AdminService.exe" = C:\Program Files\Heidelberg\Prinect Workflow\PTSupport\AdminService\AdminService.exe:*:Enabled:prinect Workflow Adminservice -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\CockpitServer\Cockpitserver.exe" = C:\Program Files\Heidelberg\Prinect Workflow\CockpitServer\Cockpitserver.exe:*:Enabled:prinect Workflow CockpitServer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\CEPSConverter\HDMCEPSConverter.exe" = C:\Program Files\Heidelberg\Prinect Workflow\CEPSConverter\HDMCEPSConverter.exe:*:Enabled:prinect Workflow CEPSConverter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ColorTableSyncService\ColorTableSyncService.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ColorTableSyncService\ColorTableSyncService.exe:*:Enabled:prinect Workflow ColorTableSyncService -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ContentHotfolder\HDMContentHotFolder.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ContentHotfolder\HDMContentHotFolder.exe:*:Enabled:prinect Workflow ContentHotfolder -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\CopydotConverter\HDMCopydotConverter.exe" = C:\Program Files\Heidelberg\Prinect Workflow\CopydotConverter\HDMCopydotConverter.exe:*:Enabled:prinect Workflow CopydotConverter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\DocumentHandler\HDMPDFDocumentHandler.exe" = C:\Program Files\Heidelberg\Prinect Workflow\DocumentHandler\HDMPDFDocumentHandler.exe:*:Enabled:prinect Workflow DocumentHandler -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ImageHandler\HDMPDFImageHandler.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ImageHandler\HDMPDFImageHandler.exe:*:Enabled:prinect Workflow ImageHandler -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Imposer\HDMPDFImposer.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Imposer\HDMPDFImposer.exe:*:Enabled:prinect Workflow Imposer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\JobImExporter\HDMJobImportExport.exe" = C:\Program Files\Heidelberg\Prinect Workflow\JobImExporter\HDMJobImportExport.exe:*:Enabled:prinect Workflow JobImExporter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Messenger\HDMMessenger.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Messenger\HDMMessenger.exe:*:Enabled:prinect Workflow Messenger -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Normalizer\HDMNormalizer.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Normalizer\HDMNormalizer.exe:*:Enabled:prinect Workflow Normalizer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\PageOutput\HDMPageOutput.exe" = C:\Program Files\Heidelberg\Prinect Workflow\PageOutput\HDMPageOutput.exe:*:Enabled:prinect Workflow PageOutput -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Preflighter\HDMPreflight.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Preflighter\HDMPreflight.exe:*:Enabled:prinect Workflow Preflighter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Recombiner\HDMPDFRecombiner.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Recombiner\HDMPDFRecombiner.exe:*:Enabled:prinect Workflow Recombiner -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ResponseHandler\HDMResponseHandler.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ResponseHandler\HDMResponseHandler.exe:*:Enabled:prinect Workflow ResponseHandler -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\SheetOutput\HDMSheetOutput.exe" = C:\Program Files\Heidelberg\Prinect Workflow\SheetOutput\HDMSheetOutput.exe:*:Enabled:prinect Workflow SheetOutput -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Trapper\HDMTrapper.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Trapper\HDMTrapper.exe:*:Enabled:prinect Workflow Trapper -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Workplace Interface\Workplace Interface.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Workplace Interface\Workplace Interface.exe:*:Enabled:prinect Workflow Workplace Interface -- File not found
    "C:\PTConfig\JoinPrintready\JoinPrintready.exe" = C:\PTConfig\JoinPrintready\JoinPrintready.exe:*:Enabled:prinect Workflow JoinPrintready -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\HTTPServer\Apache\bin\Apache.exe" = C:\Program Files\Heidelberg\MetaDimension\HTTPServer\Apache\bin\Apache.exe:*:Enabled:Apache -- (Apache Software Foundation)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDEmailJ.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDEmailJ.exe:*:Enabled:HDEMailJ -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDLocatorJ.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDLocatorJ.exe:*:Enabled:HDLocatorJ -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDTomcatJ.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDTomcatJ.exe:*:Enabled:HDTomcatJ -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDServiceControl.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDServiceControl.exe:*:Enabled:HDServiceControl -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\HDPrintManager.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\HDPrintManager.exe:*:Enabled:HDPrintManager -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\HDPrintManagerW.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\HDPrintManagerW.exe:*:Enabled:HDPrintManagerW -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\bin\jstarter.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\bin\jstarter.exe:*:Enabled:jstarter -- ()
    "C:\Program Files\Heidelberg\MetaDimension\jre\bin\java.exe" = C:\Program Files\Heidelberg\MetaDimension\jre\bin\java.exe:*:Enabled:Java -- (Sun Microsystems, Inc.)
    "C:\Program Files\Heidelberg\MetaDimension\jre\bin\javaw.exe" = C:\Program Files\Heidelberg\MetaDimension\jre\bin\javaw.exe:*:Enabled:JavaW -- (Sun Microsystems, Inc.)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDNamingService.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDNamingService.exe:*:Enabled:HDNamingService -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\MCSSRV.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\MCSSRV.exe:*:Enabled:MCSSRV -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDSequencer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDSequencer.exe:*:Enabled:HDSequencer -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUIServer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUIServer.exe:*:Enabled:HDUIServer -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUserUIServer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUserUIServer.exe:*:Enabled:HDUserUIServer -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\HDSave.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\HDSave.exe:*:Enabled:Save -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\HDSaveW.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\HDSaveW.exe:*:Enabled:SaveW -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\HDRestore.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\HDRestore.exe:*:Enabled:HDRestore -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\UI\HDRestoreW.exe" = C:\Program Files\Heidelberg\MetaDimension\UI\HDRestoreW.exe:*:Enabled:HDRestoreW -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\ProofOpen\exe\HDProofServer.exe" = C:\Program Files\Heidelberg\MetaDimension\ProofOpen\exe\HDProofServer.exe:*:Enabled:ConceptProof HDProofServer -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\ProofOpen\exe\ProofEngMgrW.exe" = C:\Program Files\Heidelberg\MetaDimension\ProofOpen\exe\ProofEngMgrW.exe:*:Enabled:ConceptProof ProofEngMgrW -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Client\ColorProofPro.exe" = C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Client\ColorProofPro.exe:*:Enabled:Color Proof Pro -- (EFI, Electronics for Imaging)
    "C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Client\ColorProofPro_Settings.exe" = C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Client\ColorProofPro_Settings.exe:*:Enabled:Color Proof Pro Settings -- (EFI, Electronics for Imaging)
    "C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Server\EPLView.exe" = C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Server\EPLView.exe:*:Enabled:EPLView -- (EFI)
    "C:\Program Files\Heidelberg\MetaDimension\Tiff-B Export\HDTiffBW.exe" = C:\Program Files\Heidelberg\MetaDimension\Tiff-B Export\HDTiffBW.exe:*:Enabled:HDTiffBW -- (Heidelberger Druckmaschinen AG)
    "C:\Program Files\Heidelberg\Prinect Workflow\PTSupport\PrinectService\HDPrinectService.exe" = C:\Program Files\Heidelberg\Prinect Workflow\PTSupport\PrinectService\HDPrinectService.exe:*:Enabled:prinect Workflow Administration Service -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\CockpitServer\HDCockpitserver.exe" = C:\Program Files\Heidelberg\Prinect Workflow\CockpitServer\HDCockpitserver.exe:*:Enabled:prinect Workflow CockpitServer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\CEPSConverter\HDCEPSConverter.exe" = C:\Program Files\Heidelberg\Prinect Workflow\CEPSConverter\HDCEPSConverter.exe:*:Enabled:prinect Workflow CEPSConverter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ColorCarver\HDColorCarver.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ColorCarver\HDColorCarver.exe:*:Enabled:prinect Workflow ColorCarver -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ContentHotfolder\HDContentHotfolder.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ContentHotfolder\HDContentHotfolder.exe:*:Enabled:prinect Workflow ContentHotfolder -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\CopydotConverter\HDCopydotConverter.exe" = C:\Program Files\Heidelberg\Prinect Workflow\CopydotConverter\HDCopydotConverter.exe:*:Enabled:prinect Workflow CopydotConverter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\DocumentHandler\HDPDFDocumentHandler.exe" = C:\Program Files\Heidelberg\Prinect Workflow\DocumentHandler\HDPDFDocumentHandler.exe:*:Enabled:prinect Workflow DocumentHandler -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ImageHandler\HDPDFImageHandler.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ImageHandler\HDPDFImageHandler.exe:*:Enabled:prinect Workflow ImageHandler -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Imposer\HDPDFImposer.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Imposer\HDPDFImposer.exe:*:Enabled:prinect Workflow Imposer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\JobImExporter\HDJobImportExport.exe" = C:\Program Files\Heidelberg\Prinect Workflow\JobImExporter\HDJobImportExport.exe:*:Enabled:prinect Workflow JobImExporter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Messenger\HDMessenger.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Messenger\HDMessenger.exe:*:Enabled:prinect Workflow Messenger -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Normalizer\HDNormalizer.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Normalizer\HDNormalizer.exe:*:Enabled:prinect Workflow Normalizer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\AutoPage\HDAutoPage.exe" = C:\Program Files\Heidelberg\Prinect Workflow\AutoPage\HDAutoPage.exe:*:Enabled:prinect Workflow AutoPage -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\PPF Out\PPF Out.exe" = C:\Program Files\Heidelberg\Prinect Workflow\PPF Out\PPF Out.exe:*:Enabled:prinect Workflow PPF Out -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Auto Preset\Auto Preset.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Auto Preset\Auto Preset.exe:*:Enabled:prinect Workflow Auto Preset -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Preflighter\HDPreflighter.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Preflighter\HDPreflighter.exe:*:Enabled:prinect Workflow Preflighter -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Recombiner\HDRecombiner.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Recombiner\HDRecombiner.exe:*:Enabled:prinect Workflow Recombiner -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\ResponseHandler\HDResponseHandler.exe" = C:\Program Files\Heidelberg\Prinect Workflow\ResponseHandler\HDResponseHandler.exe:*:Enabled:prinect Workflow ResponseHandler -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\AutoSheet\HDAutoSheet.exe" = C:\Program Files\Heidelberg\Prinect Workflow\AutoSheet\HDAutoSheet.exe:*:Enabled:prinect Workflow AutoSheet -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Timer\HDTimer.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Timer\HDTimer.exe:*:Enabled:prinect Workflow Timer -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Trapper\HDTrapper.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Trapper\HDTrapper.exe:*:Enabled:prinect Workflow Trapper -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Workplace Interface\HDWorkplaceInterface.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Workplace Interface\HDWorkplaceInterface.exe:*:Enabled:prinect Workflow Workplace Interface -- File not found
    "C:\PTConfig\JoinPrinect\JoinPrintready.exe" = C:\PTConfig\JoinPrinect\JoinPrintready.exe:*:Enabled:prinect Workflow JoinPrinect -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\Cockpit\PTClient.exe" = C:\Program Files\Heidelberg\Prinect Workflow\Cockpit\PTClient.exe:*:Enabled:prinect Workflow Cockpit -- File not found
    "C:\Program Files\Heidelberg\Prinect Workflow\PTSupport\JRE\bin\java.exe" = C:\Program Files\Heidelberg\Prinect Workflow\PTSupport\JRE\bin\java.exe:*:Enabled:prinect Workflow Java runtime -- File not found
    "C:\Program Files\Heidelberg\Licensing\License Server\HDLicenseServer.exe" = C:\Program Files\Heidelberg\Licensing\License Server\HDLicenseServer.exe:*:Enabled:Heidelberg License Server Service (HDLicenseServer TCP,UDP IN) -- ()

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Heidelberg\MetaDimension\jre\bin\java_locator.exe" = C:\Program Files\Heidelberg\MetaDimension\jre\bin\java_locator.exe:*:Enabled:Heidelberg Prinect MetaDimension Java Locator -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\Sequencer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\Sequencer.exe:*:Enabled:Heidelberg Prinect MetaDimension Sequencer -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UIServer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UIServer.exe:*:Enabled:Heidelberg Prinect MetaDimension UIServer -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UserUIServer.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\UserUIServer.exe:*:Enabled:Heidelberg Prinect MetaDimension UserUIServer -- File not found
    "C:\Documents and Settings\prinect\Desktop\utorrent.exe" = C:\Documents and Settings\prinect\Desktop\utorrent.exe:*:Enabled:µTorrent -- File not found
    "C:\Documents and Settings\prinect\Desktop\Skype.exe" = C:\Documents and Settings\prinect\Desktop\Skype.exe:*:Enabled:Skype -- File not found
    "C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- File not found
    "C:\Program Files\eMule\emule.exe" = C:\Program Files\eMule\emule.exe:*:Enabled:eMule -- File not found
    "C:\Program Files\ICQ6\ICQ.exe" = C:\Program Files\ICQ6\ICQ.exe:*:Enabled:ICQ6 -- File not found
    "C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDNamingService.exe" = C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDNamingService.exe:*:Enabled:HDNamingService -- File not found
    "C:\Program Files\ICQ6.5\ICQ.exe" = C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6 -- (ICQ, LLC.)
    "C:\Program Files\Heidelberg\Licensing\License Server\HDLicenseServer.exe" = C:\Program Files\Heidelberg\Licensing\License Server\HDLicenseServer.exe:*:Enabled:Heidelberg License Server Service (HDLicenseServer TCP,UDP IN) -- ()
    "C:\Documents and Settings\prinect\Desktop\Phone\Skype.exe" = C:\Documents and Settings\prinect\Desktop\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========
     
  11. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0A0873E1-D9BA-4994-B85D-A0A331EF1F0C}" = Intel(R) PRO Network Connections
    "{104097C5-ADCF-4857-8475-582C76B64992}" = Heidelberg Prinect Licensing
    "{1675942B-FC09-41E0-B777-F9E9EC68356A}" = Color Proof Pro
    "{1B1586CC-DEE3-48AD-AD92-58DD8FC7B1E9}" = Heidelberg Prinect MetaDimension 7.5.542
    "{1B419CE6-A1AA-4207-8581-A414BE9C7B85}" = Kaspersky Anti-Virus 6.0 for Windows Servers
    "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 21
    "{2E97DE76-851A-48AA-A0D6-665860FAD9CA}" = Keyspan USB Serial Adapter
    "{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}" = ASUS Enhanced Display Driver
    "{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{43536D30-BDDF-4120-94EA-3A880188C1FB}" = Heidelberg Prinect JDF Connector Service
    "{467A0A77-B08B-432C-9973-4A2F05F31C59}" = BOINC
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{55D6FC80-5B6D-4CD7-9DDE-B0A59835DAD5}" = Heidelberg Prinect Master Data Service
    "{60DE4033-9503-48D1-A483-7846BD217CA9}" = ICQ6.5
    "{7148F0A8-6813-11D6-A77B-00B0D0142020}" = Java 2 Runtime Environment, SE v1.4.2_02
    "{71D4305B-56E6-4971-A799-FB7678A1D1A5}" = ASUS ATI Driver
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{75F46C9C-0A4D-4873-AACD-269AFA433979}" = Intel(R) PRO Alerting Agent
    "{786C081F-5C0D-40A8-BDA7-AB11E6E608EE}" = Heidelberg Prinect PDF PrintEngine 3.0.542
    "{870c5c9f-1214-478f-9cdd-bf6eb66d2ecd}.sdb" = CPPro_DeviceControl_Fix_W2003SP1
    "{97407E09-4EA8-49F0-A513-2C1776A6DEC0}" = Sentinel Protection Installer 7.2.1
    "{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
    "{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C1CDE927-3A9E-4D5E-8AAF-DAB52A4AAEB4}" = Color Proof Pro Profiles
    "{C8E04A12-E823-4D8C-BB7A-C01118A34CF7}" = NetProfiler2
    "{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}" = AVIVO Codecs
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{D4600A75-2AC3-46CD-90BD-98649D7FB990}" = Heidelberg Prinect PDF Toolbox 4.0
    "{D9946A68-2CC6-483B-9837-292FB35E7378}" = Heidelberg Color Tool 3.0
    "{E49CFA0B-6163-424E-9671-B6B02104C54E}" = Heidelberg Prinect Service Tools
    "{EA5F8109-497A-46DF-BA1E-94009CF1F43C}" = DIAG Suprasetter
    "{FAEE61D3-2A5E-4F7F-926F-77AAC08CE4DD}" = Sentinel System Driver Installer 7.5.0
    "Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "Bulgarian_KBD'S_Atanasov" = Bulgarian Keyboards XP by G. Atanasov
    "EPSON Printer and Utilities" = EPSON Printer Software
    "ESET Online Scanner" = ESET Online Scanner v3
    "FBDBServer_2_0_is1" = Firebird 2.0.3
    "GLOBEtrotter FLEXid Drivers" = GLOBEtrotter FLEXid Drivers
    "GretagMacbeth Color Quality 5.0" = GretagMacbeth Color Quality 5.0
    "GretagMacbeth DownloadUtility" = GretagMacbeth DownloadUtility
    "GretagMacbeth Ink Formulation 5.0" = GretagMacbeth Ink Formulation 5.0
    "GretagMacbeth SpectroServer 2.61" = GretagMacbeth SpectroServer 2.61
    "GretagMacbeth UserAdministration" = GretagMacbeth UserAdministration
    "Heidelberg Color Tool 3.0 _(3.0.22.2)" = Heidelberg Color Tool 3.0 (3.0.22.2)
    "Heidelberg MetaDimension 6.5 update_is1" = Heidelberg MetaDimension 6.5
    "Heidelberg MetaDimension 6.5.391 update_is1" = Heidelberg MetaDimension 6.5.391
    "Heidelberg Prinect PDF PrintEngine 1.0.355 update_is1" = Heidelberg Prinect PDF PrintEngine 1.0.355
    "Heidelberg Prinect PDF PrintEngine 1.0.391 update_is1" = Heidelberg Prinect PDF PrintEngine 1.0.391
    "HijackThis" = HijackThis 2.0.0
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{104097C5-ADCF-4857-8475-582C76B64992}" = Heidelberg Prinect Licensing 4.3.19.1
    "InstallShield_{43536D30-BDDF-4120-94EA-3A880188C1FB}" = Heidelberg Prinect JDF Connector Service 4.0.394.1
    "InstallShield_{55D6FC80-5B6D-4CD7-9DDE-B0A59835DAD5}" = Heidelberg Prinect Master Data Service 4.5.58.5
    "InstallShield_{D4600A75-2AC3-46CD-90BD-98649D7FB990}" = Heidelberg Prinect PDF Toolbox 4.0.46.0
    "InstallShield_{E49CFA0B-6163-424E-9671-B6B02104C54E}" = Heidelberg Prinect Service Tools 1.1.18.1
    "KeyWizard 2.5" = KeyWizard 2.5
    "LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Plate Quality" = Plate Quality
    "Radmin Viewer 3.0" = Radmin Viewer 3.0
    "Rainbow Sentinel Driver" = Sentinel System Driver
    "SpectroEye CXF Loader" = SpectroEye CXF Loader
    "Tardis 2000_is1" = Tardis 2000 V1.6
    "WIC" = Windows Imaging Component
    "Windows Server 2003 Service Pack" = Windows Server 2003 Service Pack 2
    "winpcap-nmap" = winpcap-nmap 4.02
    "WinRAR archiver" = WinRAR archiver
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Facebook Plug-In" = Facebook Plug-In
    "SM 102-8-P-S - Prinect Press Reporting" = SM 102-8-P-S - Prinect Press Reporting

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12.8.2010 г. 04:43:24 | Computer Name = XEON4 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 12.8.2010 г. 04:43:27 | Computer Name = XEON4 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 12.8.2010 г. 04:43:27 | Computer Name = XEON4 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This network connection does not exist.

    Error - 12.8.2010 г. 04:53:45 | Computer Name = XEON4 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 12.8.2010 г. 04:53:45 | Computer Name = XEON4 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 12.8.2010 г. 04:54:01 | Computer Name = XEON4 | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 12.8.2010 г. 05:10:46 | Computer Name = XEON4 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 12.8.2010 г. 05:10:46 | Computer Name = XEON4 | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 12.8.2010 г. 05:30:12 | Computer Name = XEON4 | Source = Application Hang | ID = 1002
    Description = Hanging application explorer.exe, version 6.0.3790.3959, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 12.8.2010 г. 07:59:13 | Computer Name = XEON4 | Source = Application Hang | ID = 1002
    Description = Hanging application taskmgr.exe, version 5.2.3790.3959, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 12.8.2010 г. 05:42:56 | Computer Name = XEON4 | Source = System Error | ID = 1003
    Description = Error code 0000004e, parameter1 00000007, parameter2 000096d6, parameter3
    00000001, parameter4 00000000.

    Error - 12.8.2010 г. 05:49:37 | Computer Name = XEON4 | Source = Service Control Manager | ID = 7034
    Description = The Color Proof Pro Server service terminated unexpectedly. It has
    done this 1 time(s).

    Error - 12.8.2010 г. 05:56:46 | Computer Name = XEON4 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 30 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 12.8.2010 г. 06:26:58 | Computer Name = XEON4 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 60 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 12.8.2010 г. 07:27:46 | Computer Name = XEON4 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 120 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 12.8.2010 г. 07:50:36 | Computer Name = XEON4 | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 14:47:38 on 12.8.2010 г. was unexpected.

    Error - 12.8.2010 г. 07:51:04 | Computer Name = XEON4 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 15 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 12.8.2010 г. 08:06:16 | Computer Name = XEON4 | Source = W32Time | ID = 39452689
    Description = Time Provider NtpClient: An error occurred during DNS lookup of the
    manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
    again in 30 minutes. The error was: A socket operation was attempted to an unreachable
    host. (0x80072751)

    Error - 12.8.2010 г. 08:10:15 | Computer Name = XEON4 | Source = MRxSmb | ID = 8003
    Description = The master browser has received a server announcement from the computer
    METADORIG that believes that it is the master browser for the domain on transport
    NetBT_Tcpip_{74E33E26-5026-4A10. The master browser is stopping or an election is
    being forced.

    Error - 12.8.2010 г. 08:27:43 | Computer Name = XEON4 | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 15:25:15 on 12.8.2010 г. was unexpected.


    < End of report >
     
  12. crunchie

    crunchie Malware Helper Posts: 728

    Hi. It appears you have only posted the attach.txt log.

    Please post the OTL.txt log. If you need to run OTL again, please do so.
     
  13. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    OTL logfile created on: 16.8.2010 г. 11:39:16 - Run 2
    OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\prinect\Desktop
    Windows Server 2003 Standard Edition Service Pack 2 (Version = 5.2.3790) - Type = NTServer
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000402 | Country: Bulgaria | Language: BGR | Date Format: dd.M.yyyy 'г.'

    4,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 79,00% Memory free
    10,00 Gb Paging File | 6,00 Gb Available in Paging File | 58,00% Paging File free
    Paging file location(s): c:\pagefile.sys 6141 12192 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 97,65 Gb Total Space | 67,71 Gb Free Space | 69,33% Space Free | Partition Type: NTFS
    Drive D: | 200,43 Gb Total Space | 200,36 Gb Free Space | 99,96% Space Free | Partition Type: NTFS
    Drive E: | 250,92 Gb Total Space | 205,96 Gb Free Space | 82,08% Space Free | Partition Type: NTFS
    Drive F: | 214,84 Gb Total Space | 214,77 Gb Free Space | 99,97% Space Free | Partition Type: NTFS
    Drive G: | 298,09 Gb Total Space | 243,41 Gb Free Space | 81,66% Space Free | Partition Type: NTFS
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded
    Drive W: | 146,48 Gb Total Space | 131,77 Gb Free Space | 89,96% Space Free | Partition Type: NTFS
    Drive X: | 132,40 Gb Total Space | 0,01 Gb Free Space | 0,01% Space Free | Partition Type: NTFS
    Drive Y: | 255,34 Gb Total Space | 12,89 Gb Free Space | 5,05% Space Free | Partition Type: NTFS

    Computer Name: XEON4
    Current User Name: prinect
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Standard

    ========== Processes (SafeList) ==========

    PRC - [2010.08.13 11:26:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\prinect\Desktop\OTL.exe
    PRC - [2010.06.08 15:54:14 | 004,263,424 | ---- | M] () -- C:\Program Files\Tasks\Tasks.exe
    PRC - [2010.04.27 12:31:20 | 000,106,496 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDService.exe
    PRC - [2010.04.27 12:31:02 | 002,031,616 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDVirtualPrinter.exe
    PRC - [2010.04.27 12:31:02 | 001,044,480 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDXMRJobServant.exe
    PRC - [2010.04.27 12:31:02 | 000,843,776 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUserManager.exe
    PRC - [2010.04.27 12:31:02 | 000,385,024 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUIServer.exe
    PRC - [2010.04.27 12:31:02 | 000,225,280 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDUserUIServer.exe
    PRC - [2010.04.27 12:31:02 | 000,135,168 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDTiffBImport.exe
    PRC - [2010.04.27 12:31:02 | 000,102,400 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDTomcatJ.exe
    PRC - [2010.04.27 12:31:00 | 003,059,712 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDSequencer.exe
    PRC - [2010.04.27 12:31:00 | 001,138,688 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDPreflight.exe
    PRC - [2010.04.27 12:31:00 | 000,688,128 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDProcessSupervisor.exe
    PRC - [2010.04.27 12:31:00 | 000,589,824 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDSubscriptionServer.exe
    PRC - [2010.04.27 12:31:00 | 000,147,456 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDPostOffice.exe
    PRC - [2010.04.27 12:31:00 | 000,143,360 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDSniffer.exe
    PRC - [2010.04.27 12:30:58 | 003,051,520 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDMarksRendererServer.exe
    PRC - [2010.04.27 12:30:58 | 001,060,864 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDPJTF2JDFConverter.exe
    PRC - [2010.04.27 12:30:58 | 000,544,768 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDLayGen.exe
    PRC - [2010.04.27 12:30:58 | 000,102,400 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDLocatorJ.exe
    PRC - [2010.04.27 12:30:58 | 000,098,304 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDLinks.exe
    PRC - [2010.04.27 12:30:58 | 000,073,728 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDMessageServer.exe
    PRC - [2010.04.27 12:30:56 | 004,435,968 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDJDFPortal.exe
    PRC - [2010.04.27 12:30:56 | 003,670,016 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDJobServices.exe
    PRC - [2010.04.27 12:30:56 | 003,661,824 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDInterpreter.exe
    PRC - [2010.04.27 12:30:56 | 000,790,528 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDJTMerger.exe
    PRC - [2010.04.27 12:30:56 | 000,692,224 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDJDFBridge.exe
    PRC - [2010.04.27 12:30:54 | 004,067,328 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDCalToolServer.exe
    PRC - [2010.04.27 12:30:54 | 002,732,032 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDFontInstaller.exe
    PRC - [2010.04.27 12:30:54 | 001,896,448 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDDevConProv.exe
    PRC - [2010.04.27 12:30:54 | 001,183,744 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDDeviceControl.exe
    PRC - [2010.04.27 12:30:54 | 000,258,048 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDDiControl.exe
    PRC - [2010.04.27 12:30:54 | 000,221,184 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDFinalizer.exe
    PRC - [2010.04.27 12:30:54 | 000,180,224 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDDLImport.exe
    PRC - [2010.04.27 12:30:54 | 000,163,840 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDFBDIControl.exe
    PRC - [2010.04.27 12:30:54 | 000,122,880 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDDriveMonitor.exe
    PRC - [2010.04.27 12:30:54 | 000,102,400 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDEmailJ.exe
    PRC - [2010.04.27 12:30:54 | 000,069,632 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDEventService.exe
    PRC - [2010.04.27 12:30:52 | 000,360,448 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDCQMClientUpdateServer.exe
    PRC - [2010.04.27 12:30:52 | 000,360,448 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDCQMClientServer.exe
    PRC - [2010.04.27 12:30:52 | 000,204,800 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDCalToolAccessServer.exe
    PRC - [2010.04.27 12:30:44 | 000,667,648 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\ProofOpen\exe\HDProofServer.exe
    PRC - [2010.04.27 12:30:28 | 000,077,824 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\UI\HDPrintManagerW.exe
    PRC - [2010.04.26 14:27:00 | 000,109,744 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDService.exe
    PRC - [2010.04.26 14:26:58 | 001,420,464 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDRenderer.exe
    PRC - [2010.04.26 14:26:52 | 000,076,976 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDMessageServer.exe
    PRC - [2010.04.26 14:26:50 | 004,058,288 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDJDFPortal.exe
    PRC - [2010.04.26 14:26:50 | 000,208,048 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDFinalizer.exe
    PRC - [2010.04.26 14:26:46 | 000,707,760 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDProcessSupervisor.exe
    PRC - [2010.04.26 14:26:46 | 000,289,968 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDJobSequencer.exe
    PRC - [2010.04.26 14:26:46 | 000,150,704 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDPostOffice.exe
    PRC - [2010.04.26 14:26:30 | 000,072,880 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDEventService.exe
    PRC - [2010.04.26 14:26:26 | 000,109,744 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDService.exe
    PRC - [2010.04.26 14:26:22 | 000,289,968 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDJobSequencer.exe
    PRC - [2010.04.26 14:26:20 | 004,058,288 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDJDFPortal.exe
    PRC - [2010.04.26 14:26:10 | 000,208,048 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDFinalizer.exe
    PRC - [2010.04.26 14:26:06 | 000,707,760 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDProcessSupervisor.exe
    PRC - [2010.04.26 14:26:04 | 000,150,704 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDPostOffice.exe
    PRC - [2010.04.26 14:25:56 | 001,420,464 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDRenderer.exe
    PRC - [2010.04.26 14:25:52 | 000,076,976 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDMessageServer.exe
    PRC - [2010.04.26 14:25:46 | 000,109,744 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDService.exe
    PRC - [2010.04.26 14:25:46 | 000,072,880 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDEventService.exe
    PRC - [2010.04.26 14:25:44 | 000,150,704 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDPostOffice.exe
    PRC - [2010.04.26 14:25:42 | 001,420,464 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDRenderer.exe
    PRC - [2010.04.26 14:25:36 | 004,058,288 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDJDFPortal.exe
    PRC - [2010.04.26 14:25:26 | 000,208,048 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDFinalizer.exe
    PRC - [2010.04.26 14:25:26 | 000,076,976 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDMessageServer.exe
    PRC - [2010.04.26 14:25:20 | 000,707,760 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDProcessSupervisor.exe
    PRC - [2010.04.26 14:25:20 | 000,289,968 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDJobSequencer.exe
    PRC - [2010.04.26 14:25:14 | 000,072,880 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDEventService.exe
    PRC - [2010.03.12 19:29:22 | 000,311,680 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe
    PRC - [2010.02.01 11:15:10 | 003,215,360 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Server\ColorProofPro_Server.exe
    PRC - [2009.05.06 00:54:04 | 000,111,920 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDCOSNameService.exe
    PRC - [2009.02.12 09:51:30 | 001,070,384 | ---- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Heidelberg\Service Tools\bin\HDLISMonitor.exe
    PRC - [2008.12.09 12:08:00 | 000,058,112 | ---- | M] (Space Sciences Laboratory) -- C:\Program Files\BOINC\boinctray.exe
    PRC - [2008.04.28 02:00:34 | 000,020,541 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Heidelberg\MetaDimension\HTTPServer\Apache\bin\Apache.exe
    PRC - [2008.04.23 02:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    PRC - [2008.02.26 16:36:06 | 000,564,328 | R--- | M] (Heidelberger Druckmaschinen AG) -- C:\Program Files\Common Files\Heidelberg\DTVService\MetaDTVService.exe
    PRC - [2007.02.17 17:04:00 | 000,065,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sfmsvc.exe
    PRC - [2007.02.17 17:03:39 | 001,053,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2006.09.12 11:11:46 | 000,053,248 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Heidelberg\JDF Connector Service\Tomcat\bin\HDJDFConnector.exe
    PRC - [2006.09.12 10:11:46 | 000,053,248 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Heidelberg\Master Data Service\Tomcat\bin\HDMasterData.exe
    PRC - [2006.08.18 19:21:04 | 000,241,664 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe
    PRC - [2006.04.04 15:00:00 | 000,021,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe
    PRC - [2006.03.19 05:35:44 | 000,122,880 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    PRC - [2005.03.31 17:26:54 | 000,172,032 | ---- | M] () -- C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Server\Debuglog.exe
    PRC - [2004.09.13 15:23:38 | 000,221,184 | ---- | M] () -- C:\Program Files\Heidelberg\Licensing\License Server\HDLicenseServer.exe
     
  14. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    ========== Modules (SafeList) ==========

    MOD - [2010.08.13 11:26:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\prinect\Desktop\OTL.exe
    MOD - [2007.02.18 00:26:08 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55\comctl32.dll
    MOD - [2007.02.17 17:00:18 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010.04.27 12:31:20 | 000,106,496 | ---- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\LHPS\Exe\HDService.exe -- (MetaDimension)
    SRV - [2010.04.26 14:27:00 | 000,109,744 | ---- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Preview\Bin\HDService.exe -- (Heidelberg_Prinect_PDF_PrintEngine_Preview_3.0.542)
    SRV - [2010.04.26 14:26:26 | 000,109,744 | ---- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\Proof\Bin\HDService.exe -- (Heidelberg_Prinect_PDF_PrintEngine_Proof_3.0.542)
    SRV - [2010.04.26 14:25:46 | 000,109,744 | ---- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\PDF PrintEngine\Heidelberg Prinect PDF PrintEngine\3.0.542\HighRes\Bin\HDService.exe -- (Heidelberg_Prinect_PDF_PrintEngine_Highres_3.0.542)
    SRV - [2010.03.12 19:29:22 | 000,311,680 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe -- (AVP)
    SRV - [2010.02.01 11:15:10 | 003,215,360 | ---- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Server\ColorProofPro_Server.exe -- (Color Proof Pro Server)
    SRV - [2009.02.12 09:51:30 | 001,070,384 | ---- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Heidelberg\Service Tools\bin\HDLISMonitor.exe -- (HDLISMonitor)
    SRV - [2008.12.10 15:46:58 | 003,093,880 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2008.04.28 02:00:34 | 000,020,541 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\HTTPServer\Apache\bin\Apache.exe -- (Apache2) Heidelberg Webservice (Apache2)
    SRV - [2008.02.26 16:36:06 | 000,564,328 | R--- | M] (Heidelberger Druckmaschinen AG) [Auto | Running] -- C:\Program Files\Common Files\Heidelberg\DTVService\MetaDTVService.exe -- (DTVService)
    SRV - [2007.02.17 17:04:02 | 000,071,168 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tssdis.exe -- (Tssdis)
    SRV - [2007.02.17 17:04:00 | 000,065,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sfmsvc.exe -- (MacFile)
    SRV - [2007.02.17 17:03:59 | 000,076,288 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\sfmprint.exe -- (MacPrint)
    SRV - [2007.02.17 17:03:58 | 000,067,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsopprov.exe -- (RSoPProv)
    SRV - [2007.02.17 17:03:53 | 000,792,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntfrs.exe -- (NtFrs)
    SRV - [2007.02.17 17:03:43 | 000,094,720 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\llssrv.exe -- (LicenseService)
    SRV - [2007.02.17 17:03:42 | 000,040,448 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\ismserv.exe -- (IsmServ)
    SRV - [2007.02.17 17:03:35 | 000,164,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dfssvc.exe -- (Dfs)
    SRV - [2006.09.12 11:11:46 | 000,053,248 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Heidelberg\JDF Connector Service\Tomcat\bin\HDJDFConnector.exe -- (HDJDFConnector)
    SRV - [2006.09.12 10:11:46 | 000,053,248 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Heidelberg\Master Data Service\Tomcat\bin\HDMasterData.exe -- (HDMasterData)
    SRV - [2006.08.18 19:21:04 | 000,241,664 | ---- | M] (ASUSTeK COMPUTER INC.) [Auto | Running] -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService)
    SRV - [2006.04.04 15:00:00 | 000,050,688 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\trksvr.dll -- (TrkSvr)
    SRV - [2006.04.04 15:00:00 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)
    SRV - [2006.04.04 15:00:00 | 000,012,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sacsvr.dll -- (sacsvr)
    SRV - [2006.03.19 05:35:44 | 000,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\ASF Agent\ASFAgent.exe -- (ASFAgent)
    SRV - [2005.03.31 17:26:54 | 000,172,032 | ---- | M] () [Auto | Running] -- C:\Program Files\Heidelberg\MetaDimension\Color Proof Pro\Server\Debuglog.exe -- (DebugLog)
    SRV - [2005.02.16 10:18:16 | 000,233,472 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\system32\tardisnt.exe -- (Tardis)
    SRV - [2004.09.13 15:23:38 | 000,221,184 | ---- | M] () [Auto | Running] -- C:\Program Files\Heidelberg\Licensing\License Server\HDLicenseServer.exe -- (HDLicenseServer)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\SNTNLUSB.SYS -- (SNTNLUSB)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\lmimirr.sys -- (lmimirr)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - [2010.08.12 16:08:43 | 000,226,320 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
    DRV - [2009.11.12 17:49:02 | 000,126,480 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
    DRV - [2008.07.11 07:05:00 | 000,092,712 | ---- | M] (SafeNet, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel)
    DRV - [2008.06.01 10:13:10 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (npf)
    DRV - [2008.03.12 14:50:05 | 000,016,376 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
    DRV - [2007.10.30 12:41:46 | 000,704,000 | ---- | M] (Keyspan) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usa19h2k.sys -- (USA19H)
    DRV - [2007.07.30 14:07:56 | 000,639,224 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2007.05.29 16:32:58 | 000,024,192 | ---- | M] (Keyspan) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usa19h2kp.sys -- (USA19H2KP)
    DRV - [2007.05.28 14:05:10 | 000,047,616 | ---- | M] (Aladdin Knowledge Systems) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Haspnt.sys -- (Haspnt)
    DRV - [2007.02.17 09:29:40 | 000,169,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wlbs.sys -- (WLBS)
    DRV - [2007.02.17 09:14:59 | 000,043,520 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\arc.sys -- (arc)
    DRV - [2007.02.17 09:14:58 | 000,023,552 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\hpcisss.sys -- (hpcisss)
    DRV - [2007.02.17 09:02:56 | 000,069,120 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\clusdisk.sys -- (ClusDisk)
    DRV - [2007.02.17 08:59:56 | 000,150,528 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\sfmatalk.sys -- (AppleTalk)
    DRV - [2007.02.17 08:59:54 | 000,165,376 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sfmsrv.sys -- (MACSRV)
    DRV - [2007.02.17 08:51:18 | 000,034,816 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\Dfs.sys -- (DfsDriver)
    DRV - [2007.02.02 23:03:25 | 001,975,296 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2006.06.14 08:56:00 | 000,012,288 | R--- | M] (ASUSTeK Computer Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\EIO.sys -- (EIO)
    DRV - [2006.06.05 08:49:08 | 000,230,400 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
    DRV - [2006.03.28 04:51:08 | 000,025,088 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ioatdma.sys -- (ioatdma) IOATDMA.SYS Intel(R)
    DRV - [2006.02.15 08:58:22 | 000,035,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Asfalrt.sys -- (AsfAlrt)
    DRV - [2005.10.18 16:01:38 | 000,011,008 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\atkkbnt.sys -- (asuskbnt)
    DRV - [2005.07.28 08:18:40 | 000,685,056 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\hardlock.sys -- (hardlock)
    DRV - [2005.02.16 18:42:06 | 000,015,040 | ---- | M] (X-Rite, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\XrUsb.sys -- (X-Rite)
    DRV - [1998.07.10 04:31:00 | 000,007,328 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ds1410d.sys -- (DS1410D)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
    FF - prefs.js..browser.search.selectedEngine: "ICQ Search"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.google.bg/"
    FF - prefs.js..extensions.enabledItems: {800b5000-a755-47e1-992b-48a1c1357f07}:1.1.4.1
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..keyword.URL: "http://search.icq.com/search/afe_results.php?ch_id=afex&q="

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010.07.26 11:25:21 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010.07.26 11:25:21 | 000,000,000 | ---D | M]

    [2009.05.22 15:36:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\prinect\Application Data\Mozilla\Extensions
    [2010.08.12 15:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\extensions
    [2010.07.22 14:22:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010.07.22 14:22:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
    [2010.08.13 08:09:44 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-1.xml
    [2009.10.28 16:17:21 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-11.xml
    [2010.07.26 11:25:37 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-12.xml
    [2009.06.09 08:09:56 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-2.xml
    [2008.08.04 08:18:01 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-3.xml
    [2008.09.24 08:17:41 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-4.xml
    [2008.12.18 19:48:52 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-5.xml
    [2008.12.20 09:18:40 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-6.xml
    [2009.05.23 06:41:04 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-7.xml
    [2009.07.22 14:03:13 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-8.xml
    [2009.08.04 10:15:51 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin-9.xml
    [2009.03.01 14:02:44 | 000,000,944 | ---- | M] () -- C:\Documents and Settings\prinect\Application Data\Mozilla\Firefox\Profiles\g8ir2rsm.default\searchplugins\icqplugin.xml
    [2010.08.12 15:54:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009.03.25 17:37:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
    [2010.05.31 08:53:08 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010.08.11 14:17:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010.07.17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
     
  15. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    O1 HOSTS File: ([2006.04.04 15:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe (Kaspersky Lab)
    O4 - HKLM..\Run: [boincmgr] C:\Program Files\BOINC\boincmgr.exe (Space Sciences Laboratory)
    O4 - HKLM..\Run: [boinctray] C:\Program Files\BOINC\boinctray.exe (Space Sciences Laboratory)
    O4 - HKLM..\Run: [NetShareMonitor] C:\Documents and Settings\prinect\Desktop\NetShareMonitor 1.1\NetShareMonitor.exe ()
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://access.ceu.heidelberg.com/dana-cached/setup/JuniperSetupSP1.cab (JuniperSetupControlXP Class)
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
    O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O24 - Desktop Components:AutorunsDisabled () -
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2007.03.22 02:05:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2009.03.10 18:00:46 | 000,000,019 | ---- | M] () - X:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2008.12.01 10:38:57 | 000,000,000 | ---D | M] - Y:\autonet -- [ NTFS ]
    O32 - AutoRun File - [2009.03.10 18:00:29 | 000,000,021 | ---- | M] () - Y:\autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2010.08.02 09:48:31 | 000,000,000 | ---D | M] - Y:\automedia -- [ NTFS ]
    O33 - MountPoints2\{1bb81c02-ce08-11dd-9fbb-001a923ee6ce}\Shell - "" = AutoRun
    O33 - MountPoints2\{1bb81c02-ce08-11dd-9fbb-001a923ee6ce}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{1bb81c02-ce08-11dd-9fbb-001a923ee6ce}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{72a7b27f-84cf-11df-887b-001a923ee6ce}\Shell\AutoRun\command - "" = J:\Autorun.exe -- File not found
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Sacsvr - C:\WINDOWS\system32\sacsvr.dll (Microsoft Corporation)
    NetSvcs: TrkSvr - C:\WINDOWS\system32\trksvr.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found
    SystemRestore not available.

    ========== Files/Folders - Created Within 30 Days ==========

    [2010.08.16 11:39:00 | 000,000,000 | ---D | C] -- C:\_OTL
    [2010.08.13 11:26:31 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\prinect\Desktop\OTL.exe
    [2010.08.12 16:08:55 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky Lab
    [2010.08.12 16:08:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    [2010.08.12 16:08:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2010.08.12 16:08:43 | 000,226,320 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
    [2010.08.12 12:14:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\prinect\Application Data\Malwarebytes
    [2010.08.12 12:14:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010.08.12 12:14:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010.08.12 12:14:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010.08.12 12:14:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010.08.12 12:11:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    [2010.08.12 11:52:06 | 000,000,000 | ---D | C] -- C:\KAV
    [2010.08.12 11:36:16 | 000,000,000 | ---D | C] -- C:\av
    [2010.08.12 10:04:45 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\iepeers.dll
    [2010.08.12 10:04:45 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iepeers.dll
    [2010.08.12 10:04:45 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeedsbs.dll
    [2010.08.12 10:04:44 | 005,951,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
    [2010.08.12 10:04:44 | 001,210,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\urlmon.dll
    [2010.08.12 10:04:44 | 000,916,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wininet.dll
    [2010.08.12 10:04:44 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msfeeds.dll
    [2010.08.11 14:17:11 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010.08.11 14:17:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010.08.11 14:17:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
    [2010.08.11 14:01:26 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
    [2010.07.27 09:25:36 | 008,361,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll

    ========== Files - Modified Within 30 Days ==========
     
  16. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    [2010.08.16 11:36:11 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
    [2010.08.16 10:44:40 | 000,000,238 | ---- | M] () -- C:\WINDOWS\Tasks.INI
    [2010.08.16 09:12:12 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{73B7F248-4FCA-4A24-992A-EA3C6460E998}.job
    [2010.08.15 15:29:00 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010.08.13 11:26:35 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\prinect\Desktop\OTL.exe
    [2010.08.12 16:08:43 | 000,226,320 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
    [2010.08.12 15:28:54 | 000,444,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010.08.12 15:28:53 | 000,513,304 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010.08.12 15:28:53 | 000,075,364 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010.08.12 15:27:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
    [2010.08.12 15:27:44 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010.08.12 15:27:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010.08.12 12:40:55 | 281,153,536 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
    [2010.08.12 12:14:20 | 000,000,702 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010.08.12 12:02:32 | 010,223,616 | -H-- | M] () -- C:\Documents and Settings\prinect\NTUSER.DAT
    [2010.08.12 11:49:01 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\prinect\ntuser.ini
    [2010.08.12 11:39:34 | 004,832,176 | -H-- | M] () -- C:\Documents and Settings\prinect\Local Settings\Application Data\IconCache.db
    [2010.08.12 11:39:18 | 000,002,801 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2010.08.12 10:34:38 | 000,119,744 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010.08.12 10:15:22 | 000,003,423 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010.07.27 09:25:36 | 008,361,984 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
    [2010.07.19 17:33:14 | 001,677,824 | ---- | M] (Laconic Software) -- C:\Documents and Settings\prinect\My Documents\fireheart.exe

    ========== Files Created - No Company Name ==========

    [2010.08.12 12:14:20 | 000,000,702 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010.08.12 11:39:17 | 000,002,801 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
    [2010.04.27 18:19:45 | 000,000,238 | ---- | C] () -- C:\WINDOWS\Tasks.INI
    [2008.06.10 14:51:39 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\newdll.dll
    [2008.06.01 10:13:10 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2008.05.29 16:21:13 | 000,000,316 | ---- | C] () -- C:\WINDOWS\Spektar_Store.INI
    [2008.03.26 15:39:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
    [2008.03.14 12:41:26 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CBNDLL.DLL
    [2008.01.24 14:46:05 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2007.09.28 11:42:03 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2007.08.24 12:26:49 | 000,000,009 | ---- | C] () -- C:\WINDOWS\csn.ini
    [2007.07.30 14:07:56 | 000,639,224 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
    [2007.07.13 11:23:17 | 000,214,263 | R--- | C] () -- C:\WINDOWS\System32\drivers\tcprass3.SYS
    [2007.07.13 11:23:17 | 000,104,000 | R--- | C] () -- C:\WINDOWS\System32\drivers\VirtualSerial.SYS
    [2007.07.13 11:23:17 | 000,057,344 | R--- | C] () -- C:\WINDOWS\System32\VspApi.dll
    [2007.07.12 17:42:38 | 000,000,034 | ---- | C] () -- C:\WINDOWS\autorun.ini
    [2007.07.12 17:22:53 | 000,000,030 | ---- | C] () -- C:\WINDOWS\SpectroEyeCXFLoader.ini
    [2007.07.12 17:16:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\k19hinst.dll
    [2007.07.12 16:48:15 | 000,000,422 | ---- | C] () -- C:\WINDOWS\Gretag.ini
    [2007.07.12 16:44:36 | 000,000,213 | ---- | C] () -- C:\WINDOWS\i1Share.ini
    [2007.05.28 14:05:10 | 000,000,383 | ---- | C] () -- C:\WINDOWS\System32\haspdos.sys
    [2007.05.28 14:05:05 | 000,007,328 | ---- | C] () -- C:\WINDOWS\System32\drivers\ds1410d.sys
    [2007.05.22 19:14:58 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
    [2007.04.26 12:38:02 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\kbdBF.dll
    [2007.03.22 01:54:47 | 000,003,903 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2007.03.22 01:54:45 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2007.03.22 01:51:56 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
    [2007.03.22 01:51:56 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
    [2007.03.22 01:51:56 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
    [2007.03.22 01:51:56 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
    [2007.03.22 01:51:56 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
    [2007.03.22 01:51:56 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
    [2007.03.22 01:51:56 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
    [2007.03.22 01:51:56 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
    [2007.03.22 01:51:56 | 000,010,496 | ---- | C] () -- C:\WINDOWS\System32\ATKOSDMini.DLL
    [2007.03.22 01:51:56 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
    [2006.04.04 15:00:00 | 000,179,577 | ---- | C] () -- C:\WINDOWS\System32\schema.ini
    [2006.04.04 15:00:00 | 000,024,819 | ---- | C] () -- C:\WINDOWS\System32\ntdsctrs.ini
    [2006.04.04 15:00:00 | 000,020,386 | ---- | C] () -- C:\WINDOWS\System32\ntfrsrep.ini
    [2006.04.04 15:00:00 | 000,011,817 | ---- | C] () -- C:\WINDOWS\System32\iasperf.ini
    [2006.04.04 15:00:00 | 000,011,030 | ---- | C] () -- C:\WINDOWS\System32\ipsecprf.ini
    [2006.04.04 15:00:00 | 000,005,597 | ---- | C] () -- C:\WINDOWS\System32\ntfrscon.ini
    [2006.03.14 03:32:24 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\AsfBios.dll
    [2006.02.15 08:58:22 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\netamsg.dll

    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2006.04.04 15:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:AGP440.sys
    [2007.03.30 16:34:46 | 019,481,285 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2007.03.30 16:34:46 | 019,481,285 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
    [2007.02.17 08:58:53 | 000,044,032 | ---- | M] (Microsoft Corporation) MD5=B9985042687A43685FC64B282B627653 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2006.04.04 15:00:00 | 014,191,965 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
    [2007.03.30 16:34:46 | 019,481,285 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2007.03.30 16:34:46 | 019,481,285 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
    [2005.03.24 18:55:32 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
    [2006.04.04 15:00:00 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\atapi.sys
    [2005.03.24 18:55:32 | 000,095,744 | ---- | M] (Microsoft Corporation) MD5=9CAB5B612E3AF65810F276BA051D56CD -- C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\atapi.sys
    [2007.02.17 09:07:35 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2007.02.17 09:07:35 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=FF953A8F08CA3F822127654375786BBE -- C:\WINDOWS\system32\drivers\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2007.02.17 17:02:49 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2007.02.17 17:02:49 | 000,068,608 | ---- | M] (Microsoft Corporation) MD5=3AAB2418271343FE97F98AEF93F50E5F -- C:\WINDOWS\system32\eventlog.dll
    [2006.04.04 15:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation) MD5=782A70845E7A2FBD347161671BDE60A9 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2007.02.17 17:03:02 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2007.02.17 17:03:02 | 000,430,592 | ---- | M] (Microsoft Corporation) MD5=451564B8F22461D90CF8ED3945637845 -- C:\WINDOWS\system32\netlogon.dll
    [2006.04.04 15:00:00 | 000,419,328 | ---- | M] (Microsoft Corporation) MD5=9DA343027F3B72029AB499D3F7FFACAA -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

    < MD5 for: SCECLI.DLL >
    [2006.04.04 15:00:00 | 000,190,976 | ---- | M] (Microsoft Corporation) MD5=71FB876580530E7B0429312A8BCE5E04 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
    [2007.02.17 17:03:09 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2007.02.17 17:03:09 | 000,188,928 | ---- | M] (Microsoft Corporation) MD5=E7B7FD7D8907DADED4928E922608887F -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >
    [2007.02.17 17:03:01 | 001,386,496 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll

    < %systemroot%\System32\config\*.sav >
    [2007.03.22 02:53:38 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2007.03.22 02:53:38 | 000,741,376 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2007.03.22 02:53:38 | 000,520,192 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 60 bytes -> C:\Documents and Settings\prinect\Desktop\17187_Katalozi.pdf:AFP_AfpInfo
    @Alternate Data Stream - 247 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2DC505F6
    @Alternate Data Stream - 241 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C68A2173
    @Alternate Data Stream - 240 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:253C6C2E
    < End of report >
     
  17. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    The virus/trojan is still active, but doesn't do more than just create these files...
     
  18. crunchie

    crunchie Malware Helper Posts: 728

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    C:\Program Files\Tasks\Tasks.exe

    ============

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :file
      C:\Program Files\Tasks\Tasks.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    ================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      
      :OTL
      DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\SNTNLUSB.SYS -- (SNTNLUSB)
      DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\lmimirr.sys -- (lmimirr)
      DRV - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ipinip.sys -- (IpInIp)
      SRV - File not found [On_Demand | Stopped] -- -- (WinHttpAutoProxySvc)
      SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe -- (Smcinst)
      SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
      IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
      :Commands
      [emptyflash]
      [purity]
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  19. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    Jotti's - found nothing on all scanners
    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 15:07 on 16/08/2010 by prinect (Administrator - Elevation successful)

    No Context: C:\Program Files\Tasks\Tasks.exe

    This Tasks.exe is our software. Not the problem, I think.

    OTL log file after the fix and restarting the system.
    All processes killed
    ========== OTL ==========
    Service SNTNLUSB stopped successfully!
    Service SNTNLUSB deleted successfully!
    File C:\WINDOWS\System32\DRIVERS\SNTNLUSB.SYS not found.
    Service lmimirr stopped successfully!
    Service lmimirr deleted successfully!
    File C:\WINDOWS\System32\DRIVERS\lmimirr.sys not found.
    Service IpInIp stopped successfully!
    Service IpInIp deleted successfully!
    File C:\WINDOWS\System32\DRIVERS\ipinip.sys not found.
    Service WinHttpAutoProxySvc stopped successfully!
    Service WinHttpAutoProxySvc deleted successfully!
    Service Smcinst stopped successfully!
    Service Smcinst deleted successfully!
    File C:\Program Files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe not found.
    Service HidServ stopped successfully!
    Service HidServ deleted successfully!
    File C:\WINDOWS\System32\hidserv.dll not found.
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
    ========== COMMANDS ==========

    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default User

    User: LocalService

    User: luzterin

    User: NetworkService

    User: Prepress

    User: prinect
    ->Flash cache emptied: 725 bytes

    Total Flash Files Cleaned = 0,00 mb


    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: luzterin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Prepress
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: prinect
    ->Temp folder emptied: 12220172 bytes
    ->Temporary Internet Files folder emptied: 1806843 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 30490838 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2257154 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 4297903 bytes

    Total Files Cleaned = 49,00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08162010_142504

    Files\Folders moved on Reboot...
    File\Folder C:\Documents and Settings\prinect\Local Settings\Temp\hsperfdata_prinect\2604 not found!
    File\Folder C:\Documents and Settings\prinect\Local Settings\Temp\hsperfdata_prinect\2648 not found!
    File\Folder C:\Documents and Settings\prinect\Local Settings\Temp\hsperfdata_prinect\2712 not found!

    Registry entries deleted on Reboot...

    -=End Of File=-
     
  20. crunchie

    crunchie Malware Helper Posts: 728

    Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on the Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  21. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    I scanned one of these infected files with Jotti's... Here are the results.
    I have Kaspersky and made a full system scan, but it only finds the created files, not the source.
    I am doing the online scan now.

    [ArcaVir]
    2010-08-16 Found nothing
    [G DATA]
    2010-08-16 Trojan.Generic.2911046
    [Avast! antivirus]
    2010-08-16 Win32:Rootkit-gen
    [Ikarus]
    2010-08-16 Trojan.Win32.KillAV
    [Grisoft AVG Anti-Virus]
    2010-08-16 BackDoor.Generic12.TSA
    [Kaspersky Anti-Virus]
    2010-08-16 Found nothing
    [Avira AntiVir]
    2010-08-16 Found nothing
    [ESET NOD32]
    2010-08-16 Win32/AutoRun.Agent.UD worm
    [Softwin BitDefender]
    2010-08-16 Trojan.Generic.2911046
    [Panda Antivirus]
    2010-08-15 Generic
    [ClamAV]
    2010-08-16 Trojan.KillAV-241
    [Quick Heal]
    2010-08-16 Trojan.Scar.bany
    [CPsecure]
    2010-08-16 Found nothing
    [Sophos]
    2010-08-16 Troj/Bckdr-RAJ
    [Dr.Web]
    2010-08-16 Trojan.Packed.654
    [VirusBlokAda VBA32]
    2010-08-13 Trojan.Win32.AntiAV.emk
    [Frisk F-Prot Antivirus]
    2010-08-15 W32/Trojan2.LOJC
    [VirusBuster]
    2010-08-16 Trojan.Scar.HIT
    [F-Secure Anti-Virus]
    2010-08-16 Trojan.Generic.2911046
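    A defender-side check for the pattern this thread describes, added here as an example (it is not code from the thread, nor from OTL, SystemLook, Kaspersky or any other tool mentioned in it). The Kaspersky quarantine list in the thread shows files named after the folder that contains them or after a folder beside them (MD_SpoolDir_175lpi\MD_SpoolDir_175lpi.scr, JID_840001153\GTO_HF.pif, BridgeData\BridgeData.exe) with .exe/.pif/.scr/.bat extensions, and the first post notes that every file in a wave has the same size (976 KB). The script below takes a directory listing of the shares, flags files that carry that signature, clusters the hits by size, and exempts known-good look-alikes such as the thread's own Tasks\Tasks.exe through an allowlist. The listing, the sizes and the allowlist are constructed sample data.

```python
"""Spot the folder-name-mimicking executables described in this thread.

Added example; not code from the thread or from any tool named in it.
Input is a directory listing of the shared folders as (path, is_dir, size)
tuples, so it runs offline on the constructed sample below.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the thread reports (.exe, .pif, .scr, .bat); extend as needed.
SUSPECT_EXTENSIONS = {".exe", ".pif", ".scr", ".bat"}


def find_folder_mimics(entries, allowlist=frozenset()):
    """Return [(path, size)] for files with a suspect extension whose name
    (without extension) equals the folder that contains them or a folder
    that sits beside them.  Paths in `allowlist` (lower-case, full path)
    are skipped so known-good look-alikes do not raise alerts."""
    dirs_by_parent = defaultdict(set)   # parent dir -> {child dir names}
    files = []
    for path, is_dir, size in entries:
        p = PureWindowsPath(path)
        if is_dir:
            dirs_by_parent[str(p.parent).lower()].add(p.name.lower())
        else:
            files.append((p, size))

    hits = []
    for p, size in files:
        if p.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        if str(p).lower() in allowlist:
            continue
        stem = p.stem.lower()
        parent = p.parent
        mimics_parent = stem == parent.name.lower()
        mimics_sibling = stem in dirs_by_parent.get(str(parent).lower(), set())
        if mimics_parent or mimics_sibling:
            hits.append((str(p), size))
    return hits


def size_clusters(hits, min_count=2):
    """Group hits by byte size; a wave of dropped files shares one size."""
    by_size = defaultdict(list)
    for path, size in hits:
        by_size[size].append(path)
    return {s: ps for s, ps in by_size.items() if len(ps) >= min_count}


# Constructed listing modelled on the paths in the Kaspersky quarantine log;
# 999424 bytes is the 976 KB the first post mentions.
SAMPLE_ENTRIES = [
    (r"E:\MD_SpoolDir_175lpi", True, 0),
    (r"E:\MD_SpoolDir_175lpi\MD_SpoolDir_175lpi.scr", False, 999424),
    (r"E:\MD_SpoolDir_175lpi\JID_840001153", True, 0),
    (r"E:\MD_SpoolDir_175lpi\JID_840001153\GTO_HF", True, 0),
    (r"E:\MD_SpoolDir_175lpi\JID_840001153\GTO_HF.pif", False, 999424),
    (r"E:\MD_SpoolDir_175lpi\JID_840001153\job.pdf", False, 1203),
    (r"E:\MD_SpoolDir_175lpi\JID_840000857", True, 0),
    (r"E:\MD_SpoolDir_175lpi\JID_840000857\JID_840000857.bat", False, 999424),
    (r"E:\MD_SpoolDir_175lpi\JID_840000857\BridgeData", True, 0),
    (r"E:\MD_SpoolDir_175lpi\JID_840000857\BridgeData\BridgeData.exe", False, 999424),
    (r"C:\Program Files\Tasks", True, 0),
    (r"C:\Program Files\Tasks\Tasks.exe", False, 204800),   # legitimate, per post 19
]
# Known-good look-alikes, lower-cased full paths (constructed).
ALLOWLIST = frozenset({r"c:\program files\tasks\tasks.exe"})

if __name__ == "__main__":
    found = find_folder_mimics(SAMPLE_ENTRIES, ALLOWLIST)
    for path, size in found:
        print(f"{size:>10}  {path}")
    for size, paths in size_clusters(found).items():
        print(f"{len(paths)} suspect files share size {size} bytes")
```

    The name match alone is not proof: legitimate software does ship Folder\Folder.exe, which is exactly why Tasks.exe sits on the allowlist. Treat a run of hits that share one size and appear within minutes of each other as the real signal, and feed such hits to a multi-engine scan as the thread does rather than deleting on sight.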
     
  22. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    The online Kaspersky scanner didn't find anything. I found that 4 hours after running the scan, the problem files appeared again in the location that was scanned. I ran my standalone Kaspersky 6.0...

    Active threats
    --------------
    Status Object
    ------ ------


    Quarantine
    ----------
    Status Object Time
    ------ ------ ----
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001153\GTO_HF.pif 17.8.2010 г. 14:37:30
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\MD_SpoolDir_175lpi.scr 17.8.2010 г. 15:26:49
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000771\JID_840000771.pif 17.8.2010 г. 15:26:51
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000857\JID_840000857.bat 17.8.2010 г. 15:26:50
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001155\import.tiffit.exe 17.8.2010 г. 14:37:33
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000857\BridgeData\BridgeData.exe 17.8.2010 г. 15:26:53
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000857\BridgeData\BridgePreviewRenderer_JID_840000857\BridgePreviewRenderer_JID_840000857.bat 17.8.2010 г. 15:26:53
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001156\Trash Folder.pif 17.8.2010 г. 14:37:34
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000923\JID_840000923.bat 17.8.2010 г. 15:26:54
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000926\JID_840000926.exe 17.8.2010 г. 15:26:54
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001160\GTP_VP_HF.pif 17.8.2010 г. 14:37:37
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000926\BridgeData\BridgeData.exe 17.8.2010 г. 15:26:55
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840000926\BridgeData\BridgePreviewRenderer_JID_840000926\BridgePreviewRenderer_JID_840000926.exe 17.8.2010 г. 15:26:55
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013301\JID_840013301.exe 17.8.2010 г. 15:27:02
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013301\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:02
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013301\BridgeData\BridgeCombiRenderer_JID_840013301\BridgeCombiRenderer_JID_840013301.exe 17.8.2010 г. 15:27:02
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013301\BridgeData\BridgePreviewRenderer_JID_840013301\BridgePreviewRenderer_JID_840013301.exe 17.8.2010 г. 15:27:03
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013301\BridgeData\BridgePreviewRenderer_JID_840013301_1\BridgePreviewRenderer_JID_840013301_1.scr 17.8.2010 г. 15:27:03
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013303\JID_840013303.exe 17.8.2010 г. 15:27:04
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013303\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:04
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013303\BridgeData\BridgeCombiRenderer_JID_840013303\BridgeCombiRenderer_JID_840013303.exe 17.8.2010 г. 15:27:05
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013303\BridgeData\BridgePreviewRenderer_JID_840013303\BridgePreviewRenderer_JID_840013303.exe 17.8.2010 г. 15:27:06
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013303\BridgeData\BridgePreviewRenderer_JID_840013303_1\BridgePreviewRenderer_JID_840013303_1.pif 17.8.2010 г. 15:27:06
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013306\JID_840013306.pif 17.8.2010 г. 15:27:07
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013306\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:07
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013306\BridgeData\BridgeCombiRenderer_JID_840013306\BridgeCombiRenderer_JID_840013306.pif 17.8.2010 г. 15:27:07
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013306\BridgeData\BridgePreviewRenderer_JID_840013306\BridgePreviewRenderer_JID_840013306.pif 17.8.2010 г. 15:27:07
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013306\BridgeData\BridgePreviewRenderer_JID_840013306_1\BridgePreviewRenderer_JID_840013306_1.exe 17.8.2010 г. 15:27:08
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013307\JID_840013307.exe 17.8.2010 г. 15:27:09
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013307\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:09
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013307\BridgeData\BridgeCombiRenderer_JID_840013307\BridgeCombiRenderer_JID_840013307.exe 17.8.2010 г. 15:27:11
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013307\BridgeData\BridgePreviewRenderer_JID_840013307\BridgePreviewRenderer_JID_840013307.exe 17.8.2010 г. 15:27:11
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013307\BridgeData\BridgePreviewRenderer_JID_840013307_1\BridgePreviewRenderer_JID_840013307_1.scr 17.8.2010 г. 15:27:11
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013308\JID_840013308.exe 17.8.2010 г. 15:27:12
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013308\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:12
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013308\BridgeData\BridgeCombiRenderer_JID_840013308\BridgeCombiRenderer_JID_840013308.exe 17.8.2010 г. 15:27:13
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013308\BridgeData\BridgePreviewRenderer_JID_840013308\BridgePreviewRenderer_JID_840013308.exe 17.8.2010 г. 15:27:13
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013308\BridgeData\BridgePreviewRenderer_JID_840013308_1\BridgePreviewRenderer_JID_840013308_1.bat 17.8.2010 г. 15:27:13
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013310\JID_840013310.exe 17.8.2010 г. 15:27:14
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013310\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:14
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013310\BridgeData\BridgeCombiRenderer_JID_840013310\BridgeCombiRenderer_JID_840013310.exe 17.8.2010 г. 15:27:15
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013310\BridgeData\BridgePreviewRenderer_JID_840013310\BridgePreviewRenderer_JID_840013310.exe 17.8.2010 г. 15:27:15
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013310\BridgeData\BridgePreviewRenderer_JID_840013310_1\BridgePreviewRenderer_JID_840013310_1.exe 17.8.2010 г. 15:27:15
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013316\JID_840013316.exe 17.8.2010 г. 15:27:16
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013316\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:16
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013316\BridgeData\BridgeCombiRenderer_JID_840013316\BridgeCombiRenderer_JID_840013316.exe 17.8.2010 г. 15:27:16
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013316\BridgeData\BridgePreviewRenderer_JID_840013316\BridgePreviewRenderer_JID_840013316.exe 17.8.2010 г. 15:27:17
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013316\BridgeData\BridgePreviewRenderer_JID_840013316_1\BridgePreviewRenderer_JID_840013316_1.exe 17.8.2010 г. 15:27:17
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013324\JID_840013324.pif 17.8.2010 г. 15:27:17
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013324\BridgeData\BridgeData.exe 17.8.2010 г. 15:27:18
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013324\BridgeData\BridgeCombiRenderer_JID_840013324\BridgeCombiRenderer_JID_840013324.pif 17.8.2010 г. 15:27:18
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013324\BridgeData\BridgePreviewRenderer_JID_840013324\BridgePreviewRenderer_JID_840013324.pif 17.8.2010 ?. 15:27:18
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013324\BridgeData\BridgePreviewRenderer_JID_840013324_1\BridgePreviewRenderer_JID_840013324_1.exe 17.8.2010 ?. 15:27:20
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013341\JID_840013341.bat 17.8.2010 ?. 15:27:20
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001174\GTO_HF.pif 17.8.2010 ?. 15:26:49
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001175\import.tiffit.exe 17.8.2010 ?. 15:26:52
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001176\Trash Folder.pif 17.8.2010 ?. 15:26:54
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840001179\GTP_VP_HF.pif 17.8.2010 ?. 15:26:55
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013341\BridgeData\BridgeData.exe 17.8.2010 ?. 15:27:23
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013341\BridgeData\BridgeCombiRenderer_JID_840013341\BridgeCombiRenderer_JID_840013341.bat 17.8.2010 ?. 15:27:23
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013341\BridgeData\BridgePreviewRenderer_JID_840013341\BridgePreviewRenderer_JID_840013341.bat 17.8.2010 ?. 15:27:24
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013341\BridgeData\BridgePreviewRenderer_JID_840013341_1\BridgePreviewRenderer_JID_840013341_1.scr 17.8.2010 ?. 15:27:36
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013342\JID_840013342.pif 17.8.2010 ?. 15:27:56
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013342\BridgeData\BridgeData.exe 17.8.2010 ?. 15:27:56
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013342\BridgeData\BridgeCombiRenderer_JID_840013342\BridgeCombiRenderer_JID_840013342.pif 17.8.2010 ?. 15:27:57
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013342\BridgeData\BridgePreviewRenderer_JID_840013342\BridgePreviewRenderer_JID_840013342.pif 17.8.2010 ?. 15:28:08
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013342\BridgeData\BridgePreviewRenderer_JID_840013342_1\BridgePreviewRenderer_JID_840013342_1.bat 17.8.2010 ?. 15:28:08
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013343\JID_840013343.exe 17.8.2010 ?. 15:28:20
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013343\BridgeData\BridgeData.exe 17.8.2010 ?. 15:28:22
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013343\BridgeData\BridgeCombiRenderer_JID_840013343\BridgeCombiRenderer_JID_840013343.exe 17.8.2010 ?. 15:28:22
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013343\BridgeData\BridgePreviewRenderer_JID_840013343\BridgePreviewRenderer_JID_840013343.exe 17.8.2010 ?. 15:28:23
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013343\BridgeData\BridgePreviewRenderer_JID_840013343_1\BridgePreviewRenderer_JID_840013343_1.pif 17.8.2010 ?. 15:29:10
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013345\JID_840013345.exe 17.8.2010 ?. 15:29:11
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013345\BridgeData\BridgeData.exe 17.8.2010 ?. 15:29:11
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013345\BridgeData\BridgeCombiRenderer_JID_840013345\BridgeCombiRenderer_JID_840013345.exe 17.8.2010 ?. 15:29:12
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013345\BridgeData\BridgePreviewRenderer_JID_840013345\BridgePreviewRenderer_JID_840013345.exe 17.8.2010 ?. 15:29:12
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013345\BridgeData\BridgePreviewRenderer_JID_840013345_1\BridgePreviewRenderer_JID_840013345_1.exe 17.8.2010 ?. 15:29:37
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013346\JID_840013346.scr 17.8.2010 ?. 15:30:11
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013346\BridgeData\BridgeData.exe 17.8.2010 ?. 15:30:17
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013346\BridgeData\BridgeCombiRenderer_JID_840013346\BridgeCombiRenderer_JID_840013346.scr 17.8.2010 ?. 15:30:18
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013346\BridgeData\BridgePreviewRenderer_JID_840013346\BridgePreviewRenderer_JID_840013346.scr 17.8.2010 ?. 15:30:19
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013346\BridgeData\BridgePreviewRenderer_JID_840013346_1\BridgePreviewRenderer_JID_840013346_1.exe 17.8.2010 ?. 15:30:41
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013365\JID_840013365.bat 17.8.2010 ?. 15:30:56
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013365\BridgeData\BridgeData.exe 17.8.2010 ?. 15:30:57
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013365\BridgeData\BridgeCombiRenderer_JID_840013365\BridgeCombiRenderer_JID_840013365.bat 17.8.2010 ?. 15:30:58
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013365\BridgeData\BridgePreviewRenderer_JID_840013365\BridgePreviewRenderer_JID_840013365.bat 17.8.2010 ?. 15:30:58
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) E:\MD_SpoolDir_175lpi\JID_840013365\BridgeData\BridgePreviewRenderer_JID_840013365_1\BridgePreviewRenderer_JID_840013365_1.exe 17.8.2010 ?. 15:30:58
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) F:\SM102\SM102.pif 17.8.2010 ?. 15:33:37
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) G:\HF_74\data.tmp\data.tmp.scr 17.8.2010 ?. 15:33:40
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) G:\HF_102\data.tmp\data.tmp.scr 17.8.2010 ?. 15:33:44
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) G:\HF_838\data.tmp\data.tmp.scr 17.8.2010 ?. 15:33:50
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) G:\HF_GTO\data.tmp\data.tmp.scr 17.8.2010 ?. 15:33:55
    Quarantined virus HEUR:Trojan.Win32.Generic (modification) G:\HF_Proof\data.tmp\data.tmp.scr 17.8.2010 ?. 15:33:57


    Backup
    ------
    Status Object Time
    ------ ------ ----

    HEUR:Trojan.Win32.Generic (modification): this is the problem, but I didn't find where the source is.
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    I could be wrong, but this looks like it may be a false positive.
    Did this start happening after an update to your AV?

    Those files belong to Adobe.

    Is there any way you can upload those files to Symantec for analysis? They would be able to confirm if it is a FP.
     
  24. luzterin

    luzterin TS Rookie Topic Starter Posts: 36

    In my previous post I submitted this file for scanning on Jotti's site. Every antivirus program gives it a different name. I checked the Kaspersky forum for HEUR:Trojan.Win32.Generic (modification) and there are a lot of topics about this ****. It's the same on 6 computers; I had a Kaspersky trial, and it stops the files for now.
    I tried almost everything. I know that it's masked as something, maybe a process, but nothing can find it.
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    Ok then.

    Make sure to use Internet Explorer for this.

    Please go to VirSCAN.org FREE on-line scan service

    Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\windows\system32\userinit.exe


    Click on the Upload button

    If a pop-up appears saying the file has been scanned already, please select the ReScan button.

    Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.

    Paste the contents of the Clipboard in your next reply.

    Also scan these,
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe



    Virut is a polymorphic file infector that infects .exe, .scr, .rar, .zip, .htm and .html files. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
    It opens a backdoor by connecting to a predefined IRC server and waits for commands from the remote attacker.

    Good explanation here:
    http://miekiemoes.blogspot.com/2009/...-throwing.html
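As an added defender-side example (not code from the thread or any of its participants), the following Python script walks a share and flags files that follow the naming pattern this thread describes, a file named after its parent folder with a .exe, .pif, .scr or .bat extension, then hashes them so identical copies group together and each distinct sample can be submitted to the vendor for a false-positive verdict. The share tree, file names and file contents it builds are constructed for the demonstration.

```python
"""Added triage example (not code from the thread): list files that follow the
naming pattern described here, a file named after its parent folder with a
.exe/.pif/.scr/.bat extension, and group identical copies by hash."""
import hashlib
import os
import tempfile
from collections import defaultdict

SUSPECT_EXT = {".exe", ".pif", ".scr", ".bat"}  # extensions named in the thread

def is_folder_named_executable(path):
    """True when the stem equals the parent folder name and the extension is in
    SUSPECT_EXT. Accepts Windows or POSIX separators (paths copied from AV logs)."""
    parts = path.replace("\\", "/").split("/")
    stem, ext = os.path.splitext(parts[-1])
    return len(parts) > 1 and ext.lower() in SUSPECT_EXT and stem.lower() == parts[-2].lower()

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_suspects(root):
    """Walk a share; return {sha256: [paths]}. Several paths under one hash are
    identical droppers; each distinct hash is one sample to send to the AV vendor."""
    groups = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_folder_named_executable(full):
                groups[sha256_of(full)].append(full)
    return dict(groups)

def build_demo_share():
    """Constructed directory tree mimicking the share layout in the thread."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {"JID_1/JID_1.exe": b"MZ-dropper-A",
              "JID_2/JID_2.pif": b"MZ-dropper-A",          # identical copy
              "HF_74/data.tmp/data.tmp.scr": b"MZ-dropper-B",
              "HF_74/data.tmp/report.exe": b"legit"}       # name != folder
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root
```

Run `find_suspects` against the real share root instead of `build_demo_share()`; a single hash with many paths means one dropper copied everywhere, while a wave of new hashes matches the "different size" behaviour the topic starter reported.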
     
Topic Status:
Not open for further replies.
