TMARRON505
2009-02-26, 03:39
Here is the system scan file... thanks.
StartupList report, 2/25/2009, 5:54:47 PM
StartupList version: 1.52.2
Started from : C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows Vista SP1 (WinNT 6.00.1905)
Detected: Internet Explorer v7.00 (7.00.6001.18000)
* Using default options
==================================================
Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files (x86)\Multimedia Card Reader\readericon10.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Tai\AppData\Local\Temp\Rar$EX00.479\gmer.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
readericon10 = C:\Program Files (x86)\Multimedia Card Reader\readericon10.exe
DpAgent = C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe
hpWirelessAssistant = C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
UCam_Menu = "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
DVDAgent = "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
TSMAgent = "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
CLMLServer for HP TouchSmart = "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
TVAgent = "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
Adobe Reader Speed Launcher = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
QlbCtrl.exe = "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
HP Health Check Scheduler = c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HP Software Update = C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
GrooveMonitor = "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
ALUAlert = "c:\Program Files (x86)\Symantec\LiveUpdate\ALuNotify.exe"
LELA = "C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
nmctxth = "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
SunJavaUpdateSched = "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ehTray.exe = C:\windows\ehome\ehTray.exe
SUPERAntiSpyware = C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
=
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*
--------------------------------------------------
Shell & screensaver key from C:\windows\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\windows\system32\Aurora.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
AcroIEHelperStub - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Symantec NCO BHO - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}
Symantec Intrusion Prevention - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL - {6D53EC84-6AAE-4787-AEEE-F4628F01010C}
(no name) - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - C:\Program Files (x86)\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
--------------------------------------------------
Enumerating Task Scheduler jobs:
GlaryInitialize.job
HPCeeScheduleForTai.job
Norton Internet Security - Run Full System Scan - Tai.job
--------------------------------------------------
Enumerating Download Program Files:
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\windows\SysWow64\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
[Windows Live OneCare safety scanner control]
InProcServer32 = %ProgramFiles(x86)%\Windows Live Safety Center\wlscCtrl2.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
[MSN Photo Upload Tool]
InProcServer32 = C:\windows\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
[GMNRev Class]
InProcServer32 = C:\Program Files (x86)\HP\Common\HPGMNRev.dll
CODEBASE = http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
[{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}]
InProcServer32 = C:\ProgramData\webex\ieatgpc.dll
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\windows\system32\NLAapi.dll
NameSpace #2: C:\windows\system32\napinsp.dll
NameSpace #3: C:\windows\system32\pnrpnsp.dll
NameSpace #4: C:\windows\system32\pnrpnsp.dll
NameSpace #7: C:\windows\system32\wshbth.dll
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\windows\temp\UDD8DA3.tmp||C:\windows\temp\UDDBA4D.tmp||C:\Users\Tai\Local Settings\temp\ehmsas.txt||C:\Users\Tai\Local Settings\temp\ose00000.exe||C:\Users\Tai\Local Settings\temp\Wd0000000.doc||C:\Users\Tai\Local Settings\temp\Wd0000001.doc||C:\Users\Tai\Local Settings\temp\Wd0000002.doc||C:\Users\Tai\Local Settings\temp\Wd0000003.doc||C:\Users\Tai\Local Settings\temp\_isF3C0.tmp||C:\windows\temp\UDD8DA3.tmp||C:\windows\temp\UDDBA4D.tmp||C:\Users\Tai\Local Settings\temp\ehmsas.txt||C:\Users\Tai\Local Settings\temp\ose00000.exe||C:\windows\temp\UDD8DA3.tmp||C:\windows\temp\UDDBA4D.tmp||C:\Users\Tai\Local Settings\temp\ehmsas.txt||C:\Users\Tai\Local Settings\temp\ose00000.exe
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\Windows\SysWOW64\webcheck.dll
--------------------------------------------------
End of report, 8,868 bytes
Report generated in 0.031 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
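What a reviewer does with a StartupList report like the one above is walk each section and ask whether every path is somewhere a legitimate component would live. The Python below is an added example, not part of the original post and not code from HijackThis: it parses the report's layout (a header line ending in a colon, entries as `name = value`, groups closed by a 50-dash rule) and applies location heuristics. The sample input is a constructed excerpt of the report above. The rules are assumptions about what deserves a second look (binaries running from a temp or user-writable directory, Downloaded Program Files controls with no friendly name or no CODEBASE, Shell/UserInit values other than explorer.exe/userinit.exe) and they rank entries for review rather than classify them: gmer.exe, the GMER anti-rootkit scanner running from a WinRAR extraction folder under %TEMP%, trips the temp-directory rule exactly as any dropper would.

```python
"""Parse a HijackThis StartupList report and flag entries worth a second look.

Added illustration, not code from the original post or from HijackThis.
The heuristics flag WHERE something runs from, not whether it is malicious.
"""
import re

# Constructed sample in the StartupList layout, trimmed from the report above.
SAMPLE_REPORT = r"""StartupList report, 2/25/2009, 5:54:47 PM
StartupList version: 1.52.2
==================================================
Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Users\Tai\AppData\Local\Temp\Rar$EX00.479\gmer.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
readericon10 = C:\Program Files (x86)\Multimedia Card Reader\readericon10.exe
QlbCtrl.exe = "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
--------------------------------------------------
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\windows\system32\Aurora.scr
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
--------------------------------------------------
Enumerating Download Program Files:
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\windows\SysWow64\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
[{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}]
InProcServer32 = C:\ProgramData\webex\ieatgpc.dll
--------------------------------------------------
End of report, 8,868 bytes
"""

# First quoted token, else the shortest run ending in a binary extension.
PATH_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll|scr|cab))', re.IGNORECASE)
CLSID_RE = re.compile(r"^\[\{[0-9A-F-]{36}\}\]$", re.IGNORECASE)
# Assumed "known good" values for the two logon keys StartupList prints.
EXPECTED = {"UserInit": "userinit.exe", "Shell": "explorer.exe"}


def parse_report(text):
    """Return [(section_header, [lines])] in report order.

    A line ending in ':' that contains no '=' opens a section; a rule of
    dashes or equals signs closes the current one. Headers such as
    'Policies Shell key:' follow the previous section with no rule between.
    """
    sections, lines = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("-----", "=====")):
            lines = None
            continue
        if line.endswith(":") and "=" not in line:
            lines = []
            sections.append((line[:-1], lines))
            continue
        if lines is not None:  # banner lines before the first header are dropped
            lines.append(line)
    return sections


def extract_path(value):
    """Pull the executable/DLL path out of a value, quoted or not."""
    m = PATH_RE.search(value)
    return (m.group(1) or m.group(2)).strip() if m else None


def check_entry(name, value):
    """Identity and location heuristics for one `name = value` entry."""
    if value.startswith("*"):  # StartupList's '*... not found*' marker
        return []
    reasons, path = [], extract_path(value)
    if name in EXPECTED:
        base = (path or value).rstrip(",").rsplit("\\", 1)[-1].lower()
        if base != EXPECTED[name]:
            reasons.append("%s should be %s" % (name, EXPECTED[name]))
    if path:
        low = path.lower()
        if "\\temp\\" in low:
            reasons.append("runs from a temp directory")
        elif low.startswith(("c:\\users\\", "c:\\programdata\\")):
            reasons.append("runs from a user-writable location")
    return reasons


def review_dpf(lines):
    """Downloaded Program Files: unnamed controls, missing CODEBASE, odd paths."""
    findings, name, codebase = [], None, False
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            if name and not codebase:
                findings.append(("Download Program Files", name, "no CODEBASE recorded"))
            name, codebase = line[1:-1], False
            if CLSID_RE.match(line):
                findings.append(("Download Program Files", name,
                                 "control registered without a friendly name"))
        elif line.startswith("CODEBASE"):
            codebase = True
        elif line.startswith("InProcServer32") and name:
            for reason in check_entry("InProcServer32", line.split("=", 1)[1]):
                findings.append(("Download Program Files", name, reason))
    if name and not codebase:
        findings.append(("Download Program Files", name, "no CODEBASE recorded"))
    return findings


def review(text):
    """Return (section, entry, reason) findings for a whole report."""
    findings = []
    for header, lines in parse_report(text):
        if header.startswith("Enumerating Download Program Files"):
            findings.extend(review_dpf(lines))
            continue
        for line in lines:
            if "=" in line and not line.startswith("["):
                name, value = (s.strip() for s in line.split("=", 1))
            elif line[:1].isalpha() and ":\\" in line:  # bare path (Running processes)
                name, value = line.rsplit("\\", 1)[-1], line
            else:
                continue  # hive keys, '[...]' keys and similar context lines
            for reason in check_entry(name, value):
                findings.append((header, name, reason))
    return findings


if __name__ == "__main__":
    for section, entry, reason in review(SAMPLE_REPORT):
        print("%-28s %-45s %s" % (section, entry, reason))
```

Feed it the full report text instead of the sample and the same four kinds of finding come out; anything it prints is a starting point for the usual checks (publisher signature, file hash, whether the vendor's installer really puts a component there), not a verdict.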