placid psychosis

TV Media infection? Business setting...

8 posts in this topic

I work for a large company designing medical and surgical instrumentation. My work as of late has been hampered by hundreds of popups, mostly with adult content. Even if IE isn't running! You can just imagine the embarrassment when I'm working and Jenna Jameson pops up on my screen in front of everyone at the office. Anyway, I've run Spybot S&D and Ad-Aware to no avail. Sure, I eliminate 300-350 objects each time I run them, but after waiting an hour or so, they're all right back. There is one in particular, "TV Media", that every time the folder is deleted, the regkey is destroyed, or the BHO is unhooked, it restores immediately. Could this be the trojan installer that seems to have embedded itself into my computer? I know everyone is busy helping and all, but this is a business setting and I would really appreciate some help, before I get fired for the pornographic content that appears on my computer every 5 minutes!


Logfile of HijackThis v1.97.7

Scan saved at 10:16:52 AM, on 6/11/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\System32\QCONSVC.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\spool\ugplot\ugiipqd.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\LTSMMSG.exe

C:\WINNT\system32\dla\tfswctrl.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\system32\RunDll32.exe

C:\WINNT\System32\hpnra.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\yebmvxxc.exe

C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

F:\Data\Share\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE

O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK

O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe

O4 - HKLM\..\Run: [rwhyt] C:\WINNT\rwhyt.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [dfkijgen] C:\WINNT\yebmvxxc.exe

O4 - Global Startup: SPACE MOUSE-Magellan 3D Controller.lnk = C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Research (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawings/download.cfm

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://pmivisual/viewer/activeXViewer/activexviewer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.[removed company name]

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.[removed company name]

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.[removed company name]


StartupList report, 6/11/2004, 10:17:07 AM

StartupList version: 1.52

Started from : F:\Data\Share\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v5.00 SP2 (5.00.2920.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\System32\QCONSVC.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\spool\ugplot\ugiipqd.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\LTSMMSG.exe

C:\WINNT\system32\dla\tfswctrl.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\system32\RunDll32.exe

C:\WINNT\System32\hpnra.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\WINNT\yebmvxxc.exe

C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

F:\Data\Share\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

SPACE MOUSE-Magellan 3D Controller.lnk = C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

TrackPointSrv = tp4serv.exe

AtiPTA = atiptaxx.exe

LTSMMSG = LTSMMSG.exe

Synchronization Manager = mobsync.exe /logon

dla = C:\WINNT\system32\dla\tfswctrl.exe

TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

TP4EX = tp4ex.exe

PRPCMonitor = PRPCUI.exe

QCTRAY = C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

ConfigSafe = C:\CFGSAFE\NTFSCLUP.EXE

CSScheduleCheck = C:\CFGSAFE\SCHWIZEX.EXE -CHECK

NDPS = C:\WINNT\System32\dpmw32.exe

NWTRAY = NWTRAY.EXE

POINTER = point32.exe

BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

HP Network Registry Agent = C:\WINNT\System32\hpnra.exe

rwhyt = C:\WINNT\rwhyt.exe

vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

dfkijgen = C:\WINNT\yebmvxxc.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

TV Media = C:\Program Files\TV Media\Tvm.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

TV Media = C:\Program Files\TV Media\Tvm.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=(NONE)

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - (no file) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E}

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

BMMTask.job

Scheduled Snapshot.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[EModelNonVersionSpecificViewControl Class]

InProcServer32 = C:\Program Files\eDrawings2004\EModelView.dll

CODEBASE = http://www.solidworks.com/plugins/edrawings/download.cfm

 

[AcDcToday Control]

InProcServer32 = C:\WINNT\DOWNLO~1\ACDCTO~1.OCX

CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx

 

[Crystal Report Viewer Control]

InProcServer32 = C:\WINNT\Downloaded Program Files\CRViewer.dll

CODEBASE = http://pmivisual/viewer/activeXViewer/activexviewer.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[AcPreview Control]

InProcServer32 = C:\WINNT\DOWNLO~1\ACPREV~1.OCX

CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: c:\winnt\system32\hzemdl.exe

 

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

End of report, 6,885 bytes

Report generated in 0.040 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Make sure all browser and all Windows Explorer windows are closed before fixing.

This looks kinda odd:

C:\WINNT\yebmvxxc.exe

Take these baddies off (that R3 is prolly your problem):

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

This looks fishy:

O4 - HKLM\..\Run: [rwhyt] C:\WINNT\rwhyt.exe

Don't need:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Look at my signature and use Ad-Aware.

In Ad-Aware, click the gear once it's loaded up, then click the scanning option, then under Memory and Registry check all of them (the last 2 prolly are the only ones not checked).

Also use CWShredder too, and SpywareBlaster.

Hope this helps. {SoW}Rob


I removed C:\WINNT\yebmvxxc.exe. Had to stop the process first.

 

That R3 won't remove. I've tried and tried. There has to be a host somewhere on the machine monitoring and restoring it. Blah.

 

I also removed those O4s. Ad-Aware has been updated and is revealing a BroadcastPC infection that it can't clean. Spybot can't either.

 

Here are the latest logs...


Logfile of HijackThis v1.97.7

Scan saved at 11:19:41 AM, on 6/11/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\System32\QCONSVC.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\spool\ugplot\ugiipqd.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\LTSMMSG.exe

C:\WINNT\system32\dla\tfswctrl.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\system32\RunDll32.exe

C:\WINNT\System32\hpnra.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

F:\Data\Share\HijackThis.exe

 

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE

O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK

O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Global Startup: SPACE MOUSE-Magellan 3D Controller.lnk = C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: Research (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawings/download.cfm

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://pmivisual/viewer/activeXViewer/activexviewer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.[Company name removed.]

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.[Company name removed.]

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.[Company name removed.]

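The two HijackThis logs above are the before/after record of the fix, and the interesting signal is what survived it (the R3 URLSearchHook) and what re-armed itself (the two TV Media RunOnce keys). This is an added example, not anything the poster or helper wrote: a small Python comparer that parses HijackThis entry lines, diffs two scans, and flags persisted entries using heuristics drawn from what the helper pointed at (orphaned "(no file)" CLSIDs, URLSearchHooks, RunOnce autoruns, random-named executables dropped straight into C:\WINNT). The sample logs are constructed from entries quoted in the thread, trimmed to the relevant lines.

```python
"""Compare two HijackThis logs and report removed / added / persisted entries."""
import re
from typing import Dict, List

# Constructed sample: the relevant entry lines from the two scans posted in the
# thread (10:16 before the fix, 11:19 after). Real logs carry many more lines.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 10:16:52 AM, on 6/11/2004
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [rwhyt] C:\WINNT\rwhyt.exe
O4 - HKLM\..\Run: [dfkijgen] C:\WINNT\yebmvxxc.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:19:41 AM, on 6/11/2004
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_entries(log: str) -> Dict[str, str]:
    """Map each entry line (full text as key) to its HijackThis section code."""
    entries: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group(1)
    return entries


def is_suspicious(entry: str, code: str) -> bool:
    """Heuristics mirroring what the helper flagged in the thread (not a full ruleset)."""
    if "(no file)" in entry:            # CLSID registered but DLL gone: orphaned BHO/toolbar
        return True
    if code == "R3":                    # URLSearchHooks are rarely legitimate
        return True
    if code == "O4":
        if "\\RunOnce:" in entry:       # a RunOnce that re-armed after a fix
            return True
        m = re.search(r"\] (.+)$", entry)   # autorun target follows the [name]
        if m:
            target = m.group(1).strip().lower()
            # random-looking exe dropped directly into C:\WINNT (no subfolder),
            # like yebmvxxc.exe and rwhyt.exe in the first log
            if re.fullmatch(r"c:\\winnt\\[a-z]{5,8}\.exe", target):
                return True
    return False


def compare(before: str, after: str) -> Dict[str, List[str]]:
    """Classify entries as removed, added, or persisted-and-suspicious across two scans."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(e for e in b if e not in a),
        "added": sorted(e for e in a if e not in b),
        "persisted_suspicious": sorted(
            e for e, c in a.items() if e in b and is_suspicious(e, c)
        ),
    }


if __name__ == "__main__":
    for kind, items in compare(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {kind} ({len(items)})")
        for e in items:
            print("  ", e)
```

On the thread's logs this reports four entries removed, the two TV Media RunOnce entries added, and the TvmBho.dll R3 hook as the one persisted suspicious entry, which is exactly the "something is restoring it" symptom the poster describes.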

StartupList report, 6/11/2004, 11:19:50 AM

StartupList version: 1.52

Started from : F:\Data\Share\HijackThis.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v5.00 SP2 (5.00.2920.0000)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINNT\System32\NALNTSRV.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINNT\System32\QCONSVC.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\spool\ugplot\ugiipqd.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\wm.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\tp4serv.exe

C:\WINNT\system32\atiptaxx.exe

C:\WINNT\LTSMMSG.exe

C:\WINNT\system32\dla\tfswctrl.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINNT\system32\PRPCUI.exe

C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\System32\dpmw32.exe

C:\WINNT\system32\NWTRAY.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\WINNT\system32\RunDll32.exe

C:\WINNT\System32\hpnra.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

F:\Data\Share\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

SPACE MOUSE-Magellan 3D Controller.lnk = C:\Program Files\LogiCad3D\Magellan\Mgldrv.exe

Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

TrackPointSrv = tp4serv.exe

AtiPTA = atiptaxx.exe

LTSMMSG = LTSMMSG.exe

Synchronization Manager = mobsync.exe /logon

dla = C:\WINNT\system32\dla\tfswctrl.exe

TPHOTKEY = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

TP4EX = tp4ex.exe

PRPCMonitor = PRPCUI.exe

QCTRAY = C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe

TPTRAY = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

ConfigSafe = C:\CFGSAFE\NTFSCLUP.EXE

CSScheduleCheck = C:\CFGSAFE\SCHWIZEX.EXE -CHECK

NDPS = C:\WINNT\System32\dpmw32.exe

NWTRAY = NWTRAY.EXE

POINTER = point32.exe

BMMGAG = RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

HP Network Registry Agent = C:\WINNT\System32\hpnra.exe

vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

TV Media = C:\Program Files\TV Media\Tvm.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

TV Media = C:\Program Files\TV Media\Tvm.exe

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=(NONE)

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

BMMTask.job

Scheduled Snapshot.job

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[EModelNonVersionSpecificViewControl Class]

InProcServer32 = C:\Program Files\eDrawings2004\EModelView.dll

CODEBASE = http://www.solidworks.com/plugins/edrawings/download.cfm

 

[AcDcToday Control]

InProcServer32 = C:\WINNT\DOWNLO~1\ACDCTO~1.OCX

CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx

 

[Crystal Report Viewer Control]

InProcServer32 = C:\WINNT\Downloaded Program Files\CRViewer.dll

CODEBASE = http://pmivisual/viewer/activeXViewer/activexviewer.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[AcPreview Control]

InProcServer32 = C:\WINNT\DOWNLO~1\ACPREV~1.OCX

CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: ||

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\System32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

End of report, 6,464 bytes

Report generated in 0.030 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only
