Taskmgr & Regedit programs blocked by administrator, and if run, the program window got minimized

BullGuard Antivirus Forum > Virus Removal > Removal Tools > Taskmgr & Regedit programs blocked by administrator, and if run, the program window got minimized

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-19-2008 5:17 (GMT +1)

Hi,

A couple days ago, I tried to run taskmgr.exe and a window appeared saying It was blocked by administrator, but I'm the administrator, so I did not blocked it. Then I tried to run Regedit and that window got minimized. So I looked in internet for some help and got taskmgr clone, but when it is run, the window gets minimized, in every attempt I do to look at it, but between window flashes I could see Windows Updater running. I downloaded some code to avoid this blocking situation but after restarting my PC this thing returns.

I need some help, I think my PC is infected by a virus, or maybe a trojan horse, I've removed recently the "generic dropper.p" with McAffe antivirus, but the problem persists.

thanks,

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-19-2008 5:34 (GMT +1)

Here is my HijackThis logfile (I shall say, when I clicked to install this, I got the window minimized too, so I maximized it, several times to get Hi¿jack installed):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:59 AM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WindowsUpdates.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\IBM\Personal Communications\pcsws.exe
C:\Program Files\IBM\Personal Communications\pcsws.exe
C:\Program Files\IBM\Personal Communications\pcsws.exe
C:\Program Files\IBM\Personal Communications\pcsws.exe
C:\Program Files\IBM\Personal Communications\PCSCM.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\cmm\Data\mpam4_taskmgrXP.exe
C:\Documents and Settings\mexqa\Application Data\Juniper Networks\Host Checker\dsHostChecker.exe
C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe
C:\Program Files\Juniper Networks\Secure Application Manager\dsSamUI.exe
C:\Program Files\AR System\User\aruser.exe
C:\Program Files\BMCIT\BMCCM\Target\lib\minituner.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bmc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WindowsUpdates.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [chngpw] C:\I386\~configs\User-CFG\pcacct.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chngpw] C:\I386\~configs\User-CFG\pcacct.exe (User 'Default user')
O4 - S-1-5-18 Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - .DEFAULT User Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adprod.com
O15 - Trusted Zone: *.bmc.com
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) - https://ncai.bmc.com:9440/jinitiator/oajinit.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sgate.bmc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CD3CAE-B929-450C-BBAA-F2470453B836}: NameServer = 207.249.166.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BMCCM_Target (BMCCMTarget) - BMC Software, Inc. - C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 10260 bytes

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 2-19-2008 5:45 (GMT +1)

Hello

Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WindowsUpdates.exe

O4 - HKUS\S-1-5-18\..\Run: [chngpw] C:\I386\~configs\User-CFG\pcacct.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chngpw] C:\I386\~configs\User-CFG\pcacct.exe (User 'Default user')
O4 - S-1-5-18 Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - .DEFAULT User Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')

Please download Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

and save to the desktop.

Important-> Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Close all other browser windows. Go offline

Go to start --> run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall

When finished, it will produce a logfile located at C:\ComboFix.txt.

Go online. Post the contents of that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-19-2008 7:33 (GMT +1)

Here is Hijack with selected options:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:49 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WindowsUpdates.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\cmm\Data\mpam4_taskmgrXP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
C:\Program Files\BMCIT\BMCCM\Target\lib\minituner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bmc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WindowsUpdates.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [chngpw] C:\I386\~configs\User-CFG\pcacct.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [chngpw] C:\I386\~configs\User-CFG\pcacct.exe (User 'Default user')
O4 - S-1-5-18 Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - .DEFAULT User Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adprod.com
O15 - Trusted Zone: *.bmc.com
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) - https://ncai.bmc.com:9440/jinitiator/oajinit.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sgate.bmc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CD3CAE-B929-450C-BBAA-F2470453B836}: NameServer = 207.249.166.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BMCCM_Target (BMCCMTarget) - BMC Software, Inc. - C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 9471 bytes

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-19-2008 7:38 (GMT +1)

Thanks Touch,

This is ComboFix log:

ComboFix 08-02-20.1 - mexqa 2008-02-19 12:13:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1570 [GMT -6:00]
Running from: C:\Documents and Settings\mexqa\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-20 12:16 . 2007-06-13 10:41 182,784 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2008-02-19 10:22 . 2008-02-19 10:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-15 17:24 . 2008-02-15 17:24 268 --ah----- C:\sqmdata09.sqm
2008-02-15 17:24 . 2008-02-15 17:24 244 --ah----- C:\sqmnoopt09.sqm
2008-02-15 14:11 . 2008-02-15 14:11 268 --ah----- C:\sqmdata08.sqm
2008-02-15 14:11 . 2008-02-15 14:11 244 --ah----- C:\sqmnoopt08.sqm
2008-02-15 13:58 . 2008-02-15 13:58 268 --ah----- C:\sqmdata07.sqm
2008-02-15 13:58 . 2008-02-15 13:58 244 --ah----- C:\sqmnoopt07.sqm
2008-02-15 12:55 . 2008-02-15 12:55 268 --ah----- C:\sqmdata06.sqm
2008-02-15 12:55 . 2008-02-15 12:55 244 --ah----- C:\sqmnoopt06.sqm
2008-02-15 12:29 . 2008-02-15 12:29 268 --ah----- C:\sqmdata05.sqm
2008-02-15 12:29 . 2008-02-15 12:29 244 --ah----- C:\sqmnoopt05.sqm
2008-02-14 13:58 . 2008-02-14 13:58 2,157,568 --a------ C:\WINDOWS\350789.scr
2008-02-14 13:54 . 2008-02-14 13:54 2,157,568 --a------ C:\WINDOWS\WindowsUpdates.exe
2008-02-14 13:54 . 2008-02-14 13:54 0 --a------ C:\WINDOWS\WindowsUpdate.ini
2008-02-14 13:52 . 2008-02-14 13:54 2,157,568 --a------ C:\WINDOWS\39558.scr
2008-02-05 14:44 . 2008-02-15 15:52 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-05 14:44 . 2008-02-05 14:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 09:19 . 2008-02-05 09:19 <DIR> d-------- C:\Documents and Settings\mexqa\Application Data\Apple Computer
2008-02-05 09:18 . 2008-02-05 09:18 <DIR> d-------- C:\Program Files\QuickTime
2008-02-05 09:18 . 2008-02-05 09:19 <DIR> d-------- C:\Program Files\iTunes
2008-02-05 09:18 . 2008-02-05 09:18 <DIR> d-------- C:\Program Files\iPod
2008-02-05 09:16 . 2008-02-05 09:16 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-05 09:08 . 2008-02-05 09:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-30 09:46 . 2008-01-30 09:46 <DIR> d-------- C:\Documents and Settings\mexqa\Application Data\InterVideo
2008-01-30 09:41 . 2008-01-30 09:41 <DIR> d-------- C:\Program Files\InterVideo Information Service
2008-01-30 09:41 . 2008-01-30 09:41 <DIR> d-------- C:\Program Files\Common Files\Ulead
2008-01-30 09:41 . 2008-02-05 09:08 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-30 09:41 . 2008-02-05 09:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-30 09:41 . 2006-05-11 18:41 654 --------- C:\WINDOWS\remove.iss
2008-01-30 09:40 . 2008-01-30 09:40 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-01-30 09:40 . 2008-01-30 09:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-30 09:39 . 2008-01-30 09:40 <DIR> d-------- C:\Program Files\InterVideo
2008-01-30 09:38 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-30 09:35 . 2008-01-30 09:38 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-01-30 09:04 . 2008-01-30 09:07 <DIR> d-------- C:\Program Files\Winamp
2008-01-30 09:04 . 2008-01-30 09:36 <DIR> d-------- C:\Documents and Settings\mexqa\Application Data\Winamp
2008-01-23 12:38 . 2007-06-06 19:10 45,912 --a------ C:\WINDOWS\system32\lmdimon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 18:16 --------- d-----w C:\Program Files\LogMeIn
2008-02-20 18:16 --------- d-----w C:\Documents and Settings\mexqa\Application Data\Skype
2008-01-30 15:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-30 15:39 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-18 23:58 --------- d-----w C:\Program Files\Translation Office 3000 V8
2008-01-07 22:28 --------- d-----w C:\Program Files\ElcomSoft
2007-12-26 20:07 --------- d-----w C:\Program Files\ezt
2007-12-26 19:44 --------- d-----w C:\Documents and Settings\mexqa\Application Data\Sony
2007-12-26 19:43 --------- d-----w C:\Program Files\Vstplugins
2007-12-26 19:43 --------- d-----w C:\Program Files\Sony
2007-12-26 19:40 --------- d-----w C:\Program Files\Sony Setup
2007-09-06 14:07 13,824 ----a-w C:\Documents and Settings\mexqa\atwbxdet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 11:40 4167376]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-31 16:40 22879528]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-08-13 19:50 111952]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 12:39 136768]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe" [2005-02-24 12:09 147514]
"Tpam.exe"="C:\Program Files\IBM\Personal Communications\tpam.exe" [2004-09-02 05:08 28672]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 09:20 63048]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 01:56 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"chngpw"="C:\I386\~configs\User-CFG\pcacct.exe" [ ]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 11:40 4167376]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
mail.lnk - C:\I386\~Configs\email.exe [2006-05-24 10:42:56 994463]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atmgrtok]
atmgrtok.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]
pcsinst.dll 2004-09-02 22:49 49152 C:\WINDOWS\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN Services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2006-05-01 10:07 843776 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 16:54 37376 C:\Program Files\Winamp\winampa.exe

R1 NEOFLTR_550_11965;Juniper Networks TDI Filter Driver (NEOFLTR_550_11965);C:\WINDOWS\system32\Drivers\NEOFLTR_550_11965.SYS [2007-07-16 16:27]
R2 AppnApi;AppnApi;C:\WINDOWS\system32\drivers\appnapi.sys [2004-09-02 05:08]
R2 BMCCMTarget;BMCCM_Target;C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe [2007-08-06 06:34]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe" [2007-06-13 10:47]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINDOWS\system32\DRIVERS\llc2.sys [2004-09-02 05:08]
R2 iPCAgent;iPCAgent;C:\Program Files\iPass\iPassConnect\iPCAgent.exe [2004-10-19 09:23]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-09-12 09:20]
R2 MDC80211;iPass Protocol (IEEE 802.1x) v2.3.1.9;C:\WINDOWS\system32\DRIVERS\mdc80211.sys [2007-02-06 12:32]
R2 NsTrcNT;NsTrcNT;C:\WINDOWS\system32\drivers\nstrcnt.sys [2004-09-02 05:08]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINDOWS\system32\drivers\pdlnctdl.sys [2004-09-02 05:08]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINDOWS\system32\drivers\pdlndldl.sys [2004-09-02 05:08]
R3 Anydlc;Anydlc;C:\WINDOWS\system32\drivers\anydlc.sys [2004-09-02 05:08]
R3 Appn;Appn;C:\WINDOWS\system32\drivers\appn.sys [2004-09-02 05:08]
R3 AppnBase;AppnBase;C:\WINDOWS\system32\drivers\AppnBase.sys [2004-09-02 05:08]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-04-04 18:21]
R3 hidsys;hidsys;C:\WINDOWS\system32\Drivers\hidsys.sys [2007-06-13 10:41]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 18:20]
R3 KLOGNT;KLOGNT;C:\WINDOWS\system32\drivers\klognt.sys [2004-09-02 05:08]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINDOWS\system32\drivers\pdlnacom.sys [2004-09-02 05:08]
R3 pdlnafac;PDLC Adapter Factory;C:\WINDOWS\system32\drivers\pdlnafac.sys [2004-09-02 05:08]
R3 pdlnatcm;Twinax Adapter Common;C:\WINDOWS\system32\drivers\pdlnatcm.sys [2004-09-02 05:08]
R3 pdlnatdl;Twinax Adapter;C:\WINDOWS\system32\drivers\pdlnatdl.sys [2004-09-02 05:08]
R3 pdlncbas;PDLC CxM Classes;C:\WINDOWS\system32\drivers\pdlncbas.sys [2004-09-02 05:08]
R3 pdlncfwk;PDLC Connection Manager;C:\WINDOWS\system32\drivers\pdlncfwk.sys [2004-09-02 05:08]
R3 pdlndint;PDLC DLC Classes;C:\WINDOWS\system32\drivers\pdlndint.sys [2004-09-02 05:08]
R3 pdlndlpb;PDLC LAPB;C:\WINDOWS\system32\drivers\pdlndlpb.sys [2004-09-02 05:08]
R3 pdlndoem;PDLC OEM Interface;C:\WINDOWS\system32\drivers\pdlndoem.sys [2004-09-02 05:08]
R3 pdlndqll;PDLC QLLC;C:\WINDOWS\system32\drivers\pdlndqll.sys [2004-09-02 05:08]
R3 pdlndsdl;PDLC SDLC;C:\WINDOWS\system32\drivers\pdlndsdl.sys [2004-09-02 05:08]
R3 pdlndtdl;Twinax DLC;C:\WINDOWS\system32\drivers\pdlndtdl.sys [2004-09-02 05:08]
R3 pdlnebas;PDLC Environment;C:\WINDOWS\system32\drivers\pdlnebas.sys [2004-09-02 05:08]
R3 pdlnecfg;PDLC Configuration;C:\WINDOWS\system32\drivers\pdlnecfg.sys [2004-09-02 05:08]
R3 pdlnemap;PDLC Mapper;C:\WINDOWS\system32\drivers\pdlnemap.sys [2004-09-02 05:08]
R3 pdlnemsg;PDLC Message Driver;C:\WINDOWS\system32\drivers\pdlnemsg.sys [2004-09-02 05:08]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINDOWS\system32\drivers\pdlnepkt.sys [2004-09-02 05:08]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINDOWS\system32\drivers\pdlnshay.sys [2004-09-02 05:08]
R3 pdlnslea;PDLC SDLC Leased;C:\WINDOWS\system32\drivers\pdlnslea.sys [2004-09-02 05:08]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINDOWS\system32\drivers\pdlnsv25.sys [2004-09-02 05:08]
R3 pdlnsx25;PDLC X.25;C:\WINDOWS\system32\drivers\pdlnsx25.sys [2004-09-02 05:08]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-09-12 09:21]
S3 dkab_device;dkab_device;C:\WINDOWS\system32\DKabcoms.exe [2006-10-21 11:38]
S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe" [2005-04-04 18:09]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 18:20]

*Newly Created Service* - HIDSYS
.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 14:13:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 12:16:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\hidapi.dll 176128 bytes executable
C:\WINDOWS\system32\hidapistub.dll 53248 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BMCIT\BMCCM\Target\lib\jre\bin\java.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
.
**************************************************************************
.
Completion time: 2008-02-20 12:19:16 - machine was rebooted [mexqa]

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 2-19-2008 7:53 (GMT +1)

Open notepad and copy/paste the text in the quote box below into it:

Quote:

-----------------------------------------------------

KILLALL::

Snapshot::

File::

C:\WINDOWS\WindowsUpdates.exe

C:\I386\~Configs\email.exe

C:\I386\~configs\User-CFG\pcacct.exe

C:\WINDOWS\system32\hidapi.dll
C:\WINDOWS\system32\hidapistub.dll

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"chngpw"=-

----------------------------------------------

Save this as CFScript.txt

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

Post new hijackthis log along with fresh combofix log

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-19-2008 9:08 (GMT +1)

Touch,

this is my last Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:59, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\kmd.exe
C:\ComboFix\psexec.cfexe
C:\WINDOWS\PSEXESVC.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bmc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - .DEFAULT User Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adprod.com
O15 - Trusted Zone: *.bmc.com
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) - https://ncai.bmc.com:9440/jinitiator/oajinit.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sgate.bmc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CD3CAE-B929-450C-BBAA-F2470453B836}: NameServer = 207.249.166.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BMCCM_Target (BMCCMTarget) - BMC Software, Inc. - C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 8534 bytes

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-19-2008 9:14 (GMT +1)

Hi Touch,

I had a problem with ComboFix, as I drag and drop txt file, I couldn't disable again my antivirus, it seemed to work well it deleted some those files that appeared in the first ComboFix log, but I lost the log file, so I tried to apply it again, and it took so long, so I closed the window. What Shall I do ?

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 2-20-2008 6:15 (GMT +1)

Download and run SDFix ;-)

Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
and save it to your desktop.

When you have done this, please boot into Safe Mode (Tap F8 during startup).

Open the extracted folder - C:\ SDFix and doubleclick on RunThis.bat to start the script.

Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer that normal to restart as the fixtool will be running and removing files.

When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons.

Finally open the SDFix folder on your desktop and copy and paste the contents of Report.txt back in this thread along with fresh hijackthis log, and tell how things are running

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-21-2008 6:39 (GMT +1)

Hi touch, These are the last Hijack log & SDFix Report.txt:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30, on 2008-02-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\BMCIT\BMCCM\Target\lib\jre\bin\java.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Drivers\ldlcserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bmc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\McAfee Inc\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [MSN Services] msnserv.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-18 Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - .DEFAULT User Startup: mail.lnk = C:\I386\~Configs\email.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adprod.com
O15 - Trusted Zone: *.bmc.com
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {CAFECAFE-0013-0001-0026-ABCDEFABCDEF} (JInitiator 1.3.1.26) - https://ncai.bmc.com:9440/jinitiator/oajinit.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sgate.bmc.com/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\Software\..\Telephony: DomainName = adprod.bmc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CD3CAE-B929-450C-BBAA-F2470453B836}: NameServer = 207.249.166.97
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = adprod.bmc.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\system32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BMCCM_Target (BMCCMTarget) - BMC Software, Inc. - C:\Program Files\BMCIT\BMCCM\Target\Tuner.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\system32\Drivers\ldlcserv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\system32\Drivers\trcboot.exe

--
End of file - 10036 bytes

SDFix --> Report.txt

SDFix: Version 1.144

Run by mexqa on 2008-02-21 at 10:31

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Checking Files:

No Trojan Files Found

Any other directions ? I'm checking how my PC goes, looks good

Potestatem_Deorum
New Member

Date Joined Feb 2008
Total Posts : 16

Posted 2-21-2008 7:03 (GMT +1)

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812