Old 04-21-2005, 11:42 AM   #7 (permalink)
krikori
Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP


In safe mode, the amrbiuo file didn't show up in regedit. Here's the updated KRC HJT log and Silent Runner. In the midst of all this, I appear to have lost the driver for my media handler. Any ideas on that one?

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:38:21 AM, on 4/21/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
c:\winnt\system32\ujbegy.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygene.ne.ge.com/portal/mypag....asp?UserID=2&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Energy
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.geps.ge.com:80;https=http-proxy.geps.ge.com:80;ftp=http-proxy.geps.ge.com:80;gopher=http-proxy.geps.ge.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MGA_CD_Install] E:\mgasetup.exe /No_Welcome /Lang:English
O4 - HKLM\..\Run: [oaksoyc] c:\winnt\system32\ujbegy.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_01) - http://thor.ne.ge.com:7001/ematrix/a...1_01-win-i.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ne.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ne.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ne.ge.com
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\INSIGHT\TOOLS\Aiclient.EXE
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"TempRemove" = ""C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"" [null data]
"vptray" = "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" ["Symantec Corporation"]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"RUNCIS" = "C:\Program Files\1E\CIS\\RUNCIS.EXE" [MS]
"SMS Application Launcher" = "C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE" [MS]
"Asset Insight SUM" = "C:\INSIGHT\TOOLS\AISOFTMN.EXE -B" [null data]
"VerifyStartMenu" = "RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"MMTray" = "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" ["Musicmatch, Inc."]
"Matrox Powerdesk" = "C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch" ["Matrox Graphics Inc."]
"MGA_CD_Install" = "E:\mgasetup.exe /No_Welcome /Lang:English" [file not found]
"oaksoyc" = "c:\winnt\system32\ujbegy.exe" ["TODO: <Company name>"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\O2KSTD\PFiles\MSOffice\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\O2KSTD\PFiles\MSOffice\Office\OLKFSTUB.DLL" [MS]
"{7F287F67-C629-11D0-8745-0000E8C9F421}" = "PKZIP Archive"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHELL.dll" ["PKWARE, Inc."]
"{7414E744-CEFF-11D1-BBE3-0000E8C9F421}" = "PKContextMenuHandler Class"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHEX.dll" ["PKWARE, Inc."]
"{80CED3A7-7FED-11D3-9C3A-00104BD14091}" = "PKZIP Folder Shortcut"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHEX.dll" ["PKWARE, Inc."]
"{12490005-D2D5-11D1-BBE4-0000E8C9F421}" = "PKZIP Archive Manager"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKZC_AT.dll" ["PKWARE, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.10\HostExplorer\Ftp\heshell.dll" ["Hummingbird Ltd."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssflwbox.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\My Documents\My Pictures\100_0539.JPG"


Startup items in "NEV90175" & "All Users" startup folders:
----------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS]
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Asset Insight Client, AICLIENT, "C:\INSIGHT\TOOLS\Aiclient.EXE" [null data]
DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"]
Hummingbird Inetd, HCLInetd, "C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe" ["Hummingbird Ltd."]
Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe" ["Hummingbird Ltd."]
MGABGEXE, MGABGEXE, "C:\WINNT\system32\mgabg.exe" ["Matrox Graphics Inc."]
Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]
SAVRoam, SAVRoam, "C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe" ["symantec"]
SMS Client Service, clisvc, "C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE" [MS]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"]
TCP/IP Print Server, LPDSVC, "C:\WINNT\System32\tcpsvcs.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------