June 2nd, 2010, 03:45 PM
strange pop ups

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:07 AM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Program Files\Common Files\NComputer\bootsrv.exe
C:\Program Files\Lightspeed Systems\User Agent\UAService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NComputing vSpace\KmMsg.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://royalisd/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://royalisd/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HpMessage] C:\Program Files\NComputing vSpace\KmMsg.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = royal.isd.esc4.local
O17 - HKLM\Software\..\Telephony: DomainName = ####
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ####
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ####
O20 - Winlogon Notify: KmWinLog - C:\WINDOWS\SYSTEM32\Kmlogon.dll
O23 - Service: Multiuser Boot Server for Miniterm (HpBootSrv) - Unknown owner - C:\Program Files\Common Files\NComputer\bootsrv.exe
O23 - Service: Multiuser Service (HpService) - NComputing Inc. - C:\WINDOWS\System32\KmServc.exe
O23 - Service: User Agent Service (UAService) - Lightspeed Systems - C:\Program Files\Lightspeed Systems\User Agent\UAService.exe
End of file - 4147 bytes
June 3rd, 2010, 04:06 AM
Hello coreyk67,

Not sure I see any malware in this one view. But before we go any further, the log suggests perhaps this system is owned by a school district. If so, we would refer repairs for it to the district's own choices of local repairs. I also notice what appears to be a glitch in your start page choice. If my web search is correct, "royalisd" is a "parked" web page - one that is no longer registered, and some vendor has stuck their flaky search options on it. I think the correct domain web page wording would be with a hyphen - "royal-isd".
