Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs
#1
strange pop ups
HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:07 AM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\NComputer\bootsrv.exe
C:\WINDOWS\System32\KmServc.exe
C:\Program Files\Lightspeed Systems\User Agent\UAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NComputing vSpace\KmMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://royalisd/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://royalisd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HpMessage] C:\Program Files\NComputing vSpace\KmMsg.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://RISD/IT
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = royal.isd.esc4.local
O17 - HKLM\Software\..\Telephony: DomainName = ####
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ####
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ####
O20 - Winlogon Notify: KmWinLog - C:\WINDOWS\SYSTEM32\Kmlogon.dll
O23 - Service: Multiuser Boot Server for Miniterm (HpBootSrv) - Unknown owner - C:\Program Files\Common Files\NComputer\bootsrv.exe
O23 - Service: Multiuser Service (HpService) - NComputing Inc. - C:\WINDOWS\System32\KmServc.exe
O23 - Service: User Agent Service (UAService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\User Agent\UAService.exe

--
End of file - 4147 bytes
#2
Hello coreyk67,
Not sure I see any malware in this one view. But before we go any further, the log suggests perhaps this system is owned by a school district. If so, we would refer repairs for it to the district's own choices of local repairs. I also notice what appears to be a glitch in your start page choice. If my web search is correct, "royalisd" is a "parked" web page - one that is no longer registered, and some vendor has stuck their flaky search options on it. I think the correct domain web page wording would be with a hyphen - "royal-isd".