Bit by Visa Advanced Verification



Root Cause
2008-07-28, 22:33
I read a thread in the archives about this and have performed the SDFix and attached the report.txt file. I have also run HJT and attached that file as well.

Thank you for looking at this.

SDFIX Report.txt

SDFix: Version 1.209
Run by Operator on Mon 07/28/2008 at 01:04 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
{DEF85C80-216A-43ab-AF70-1665EDBE2780}
CMGShield

Path :
\??\C:\WINDOWS\TEMP\CE.tmp
%SystemRoot%\system32\CmgShieldSvc.exe

{DEF85C80-216A-43ab-AF70-1665EDBE2780} - Deleted
CMGShield - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

%SystemRoot%\system32\CmgShieldSvc.exe - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector (http://www2.gmer.net/mbr/) by Gmer or CureIt (http://www.freedrweb.com/cureit) by Dr.Web

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\Documents and Settings\kkerns\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 13:10:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CMGShieldReg\CredProt]
"KeyValidation"=dword:7ef25076
"LastKeyUpdate"="07/21/2008:16:06:45"
"PCP"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CMGShieldReg\CredProt\SECURITY]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CMGShieldReg\CredProt\SECURITY\CACHE]
"NL$1"=hex:71,56,2a,ed,5a,9a,96,83,7b,da,d1,d9,8f,49,38,20,09,29,19,fe,61,..
"NL$2"=hex:7a,dd,26,c9,d5,20,5c,47,19,37,54,25,d4,38,9e,01,c7,75,3b,e4,f1,..
"NL$3"=hex:e0,e9,8f,21,df,b2,33,b3,ed,1f,f7,40,f0,b5,8c,b3,71,cb,bc,2f,d6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\CMGShieldReg\CredProt]
"KeyValidation"=dword:7ef25076
"LastKeyUpdate"="07/21/2008:16:06:45"
"PCP"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\CMGShieldReg\CredProt\SECURITY]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\CMGShieldReg\CredProt\SECURITY\CACHE]
"NL$1"=hex:71,56,2a,ed,5a,9a,96,83,7b,da,d1,d9,8f,49,38,20,09,29,19,fe,61,..
"NL$2"=hex:7a,dd,26,c9,d5,20,5c,47,19,37,54,25,d4,38,9e,01,c7,75,3b,e4,f1,..
"NL$3"=hex:e0,e9,8f,21,df,b2,33,b3,ed,1f,f7,40,f0,b5,8c,b3,71,cb,bc,2f,d6,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\SHELLNEW\CredDB.CEF 1184 bytes
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Office\CredDB.CEF 1184 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Office\Recent\CredDB.CEF 5146 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Outlook\CredDB.CEF 592 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Proof\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Signatures\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Templates\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Application Data\Microsoft\Web Server Extensions\Cache\CredDB.CEF 312 bytes
C:\Documents and Settings\kkerns\Application Data\VanDyke\Config\Sessions\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Application Data\VanDyke\ConfigVanDyke\Sessions\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Application Data\VanDyke\Known Hosts\CredDB.CEF 5444 bytes
C:\Documents and Settings\kkerns\Application Data\VanDyke\SecureCRT\Config\Sessions\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\AFE's\CredDB.CEF 2092 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Applications\CredDB.CEF 600 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Applications\OmniPeek Install\OmniPeek\1033\Documents\CredDB.CEF 2664 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Applications\OmniPeek Install\OmniPeek\1041\Documents\CredDB.CEF 2664 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Bandwidth for Dan C\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Berwyn\CredDB.CEF 2388 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Berwyn\Port Maps\CredDB.CEF 3552 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Casita\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Dallas\CredDB.CEF 2748 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Dallas\Dallas\Configs\New Configs\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Dallas\Dallas\Diagrams\CredDB.CEF 888 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Dallas\Dallas\Documents\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Dallas\Dallas\Spreadsheets\CredDB.CEF 1184 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Deland\CredDB.CEF 592 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Denver West\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\HCP Norfolk\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Irvine\CredDB.CEF 592 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Minneapolis\CredDB.CEF 6024 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Orlando\CredDB.CEF 3638 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\San Mateo\CredDB.CEF 592 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Tacoma\CredDB.CEF 2368 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Village Health\CredDB.CEF 2368 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Contact Info\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\CredDB.CEF 3886 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\DMVPN\CredDB.CEF 314 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\DMZ\CredDB.CEF 2394 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\DR 2007\Configs\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\DR 2007\CredDB.CEF 636 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Drawings\CredDB.CEF 4804 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Equipment Quotes\CredDB.CEF 888 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Excel\CredDB.CEF 15316 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Lab Info\CredDB.CEF 324 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Netscout Reports\CredDB.CEF 592 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Openview\CredDB.CEF 2072 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Procedures\CredDB.CEF 932 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Switch Clean-up\CredDB.CEF 888 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Visio\CredDB.CEF 4736 bytes
C:\Documents and Settings\kkerns\Desktop\Network Doc's\Word\CredDB.CEF 5992 bytes
C:\Documents and Settings\kkerns\Local Settings\Application Data\Microsoft\Visio\CredDB.CEF 296 bytes
C:\Documents and Settings\kkerns\NetHood\My Web Sites on MSN\CredDB.CEF 592 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 53


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\WINDOWS\\system32\\cba\\pds.exe"="C:\\WINDOWS\\system32\\cba\\pds.exe:*:Enabled:LANDesk Ping Discovery Service"
"C:\\WINDOWS\\system32\\msgsys.exe"="C:\\WINDOWS\\system32\\msgsys.exe:*:Enabled:LANDesk Message Service"
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"="C:\\Program Files\\LANDesk\\LDClient\\issuser.exe:*:Enabled:LANDesk Remote Control Agent"
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"="C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe:*:Enabled:LANDesk Targeted Multicast"
"c:\\Program Files\\Credant\\Gatekeeper\\GatekeeperNC.exe"="c:\\Program Files\\Credant\\Gatekeeper\\GatekeeperNC.exe:*:Enabled:CMG Gatekeeper"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk(R) Management Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"c:\\Program Files\\Credant\\Gatekeeper\\GatekeeperNC.exe"="c:\\Program Files\\Credant\\Gatekeeper\\GatekeeperNC.exe:*:Enabled:CMG Gatekeeper"
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"="C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe:*:Enabled:LANDesk(R) Management Agent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"="C:\\Program Files\\Microsoft Office Communicator\\communicator.exe:*:Enabled:Communicator"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Fri 5 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 18 Jul 2007 34,156,544 A..H. --- "C:\Documents and Settings\kkerns\Desktop\Network Doc's\CBO's\Minneapolis\~WRL2861.tmp"

Finished!




HJT File

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:34 PM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CmgShieldSvc.exe
C:\WINDOWS\system32\EMSService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\iPass\iPassConnect Davita Remote Access\iPCAgent.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\mcshield.exe
C:\Program Files\McAfee\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
c:\Oracle9i\BIN\ONRSD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\LANDesk\LDClient\vulScan.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\System32\CMGShieldUI.exe
C:\WINDOWS\system32\EmsServiceHelper.exe
C:\Program Files\Credant\Gatekeeper\GKProbe.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\WINDOWS\system32\mstsc.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DaVita
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\McAfee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=landesk.davita.com:5007 /S=landesk.davita.com /I=HTTP://landesk.davita.com/ldlogon/ldappl3.ldz /NOUI /rstart=15
O4 - HKLM\..\Run: [LANDeskVulscanClient] "C:\Program Files\LANDesk\LDClient\vulScan.exe" /noreboot /rstart=30
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [QMs Server Settings] regedit -s "C:\Program Files\QMS\Focus 2000\qms.reg"
O4 - HKLM\..\Run: [DaVitaScreenSaver] "C:\_davsupp\ScreenSaver\renew.exe"
O4 - HKLM\..\Run: [DaVitaEncryption] c:\_davsupp\Encryption\Credant\CredantLogon2.vbs
O4 - HKLM\..\Run: [CmgShieldUI] C:\WINDOWS\System32\CMGShieldUI.exe
O4 - HKLM\..\Run: [EmsService] EmsServiceHelper.exe
O4 - HKLM\..\Run: [CmgGkProbe] "C:\Program Files\Credant\Gatekeeper\GKProbe.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Microsoft Office Communicator 2005.lnk = C:\Program Files\Microsoft Office Communicator\communicator.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O15 - Trusted Zone: learn.davita.com
O15 - Trusted Zone: sslvpn.davita.com
O15 - Trusted Zone: webmail.davita.com
O15 - Trusted Zone: *.davita.com
O15 - Trusted Zone: *.davita.com
O15 - Trusted Zone: *.davita.corp
O15 - Trusted Zone: *.emailopen.com
O15 - Trusted Zone: phys.labscope.com
O15 - Trusted IP range: 10.*.*.*
O15 - Trusted IP range: 172.16.*.*
O16 - DPF: {26700CD9-6157-4B72-B46F-EC93C952F19C} (SWToolSet.Engine) - http://sea-solarwind01.davita.com/SWToolset.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186502614406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186502593079
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://davita.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = davita.corp
O17 - HKLM\Software\..\Telephony: DomainName = davita.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A609E51-8B1D-4C8E-BBDF-512DA9F52041}: Domain = davita.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A609E51-8B1D-4C8E-BBDF-512DA9F52041}: NameServer = 172.16.34.10,172.16.64.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = davita.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = davita.com,davita.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = davita.com,davita.corp
O20 - Winlogon Notify: CMGShieldNP - C:\WINDOWS\SYSTEM32\CmgShieldNP.dll
O20 - Winlogon Notify: SoPwdClt - C:\WINDOWS\SYSTEM32\SPP2Clt.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EMS - CREDANT Technologies, Inc. - C:\WINDOWS\system32\EMSService.exe
O23 - Service: CMG Gatekeeper (guardian) - CREDANT Technologies, Inc. - c:\Program Files\Credant\Gatekeeper\GatekeeperNC.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect Davita Remote Access\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect Davita Remote Access\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\McAfee\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleOracle9iClientCache - Unknown owner - c:\Oracle9i\BIN\ONRSD.EXE
O23 - Service: PsShutdown (PsShutdownSvc) - Systems Internals - C:\WINDOWS\System32\PSSDNSVC.EXE
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: SolarWinds TFTP Server - SolarWinds - C:\Program Files\SolarWinds\Engineer's Toolset\SolarWinds TFTP Server.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11437 bytes

Shaba
2008-07-30, 13:00
Hi Root Cause

You have an MBR rootkit.

Download this (http://www2.gmer.net/mbr/mbr.exe) and save it to desktop.

Run it and post back its log, please.

Shaba
2008-08-05, 15:01
Due to the lack of feedback, this topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.