Help, I'm infected w/ a trojan



TMARRON505
2009-02-26, 03:39
Here is the system scan file... thanks.

StartupList report, 2/25/2009, 5:54:47 PM
StartupList version: 1.52.2
Started from : C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows Vista SP1 (WinNT 6.00.1905)
Detected: Internet Explorer v7.00 (7.00.6001.18000)
* Using default options
==================================================

Running processes:

C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files (x86)\Multimedia Card Reader\readericon10.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Tai\AppData\Local\Temp\Rar$EX00.479\gmer.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

readericon10 = C:\Program Files (x86)\Multimedia Card Reader\readericon10.exe
DpAgent = C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe
hpWirelessAssistant = C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
UCam_Menu = "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
DVDAgent = "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
TSMAgent = "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
CLMLServer for HP TouchSmart = "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
TVAgent = "C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe"
Adobe Reader Speed Launcher = "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
QlbCtrl.exe = "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
HP Health Check Scheduler = c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HP Software Update = C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
GrooveMonitor = "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
ALUAlert = "c:\Program Files (x86)\Symantec\LiveUpdate\ALuNotify.exe"
LELA = "C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
nmctxth = "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
SunJavaUpdateSched = "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ehTray.exe = C:\windows\ehome\ehTray.exe
SUPERAntiSpyware = C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\windows\system32\Aurora.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Symantec NCO BHO - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}
Symantec Intrusion Prevention - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL - {6D53EC84-6AAE-4787-AEEE-F4628F01010C}
(no name) - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
(no name) - C:\Program Files (x86)\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GlaryInitialize.job
HPCeeScheduleForTai.job
Norton Internet Security - Run Full System Scan - Tai.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\windows\SysWow64\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

[Windows Live OneCare safety scanner control]
InProcServer32 = %ProgramFiles(x86)%\Windows Live Safety Center\wlscCtrl2.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\windows\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab

[GMNRev Class]
InProcServer32 = C:\Program Files (x86)\HP\Common\HPGMNRev.dll
CODEBASE = http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

[{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}]
InProcServer32 = C:\ProgramData\webex\ieatgpc.dll

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\windows\system32\NLAapi.dll
NameSpace #2: C:\windows\system32\napinsp.dll
NameSpace #3: C:\windows\system32\pnrpnsp.dll
NameSpace #4: C:\windows\system32\pnrpnsp.dll
NameSpace #7: C:\windows\system32\wshbth.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\windows\temp\UDD8DA3.tmp||C:\windows\temp\UDDBA4D.tmp||C:\Users\Tai\Local Settings\temp\ehmsas.txt||C:\Users\Tai\Local Settings\temp\ose00000.exe||C:\Users\Tai\Local Settings\temp\Wd0000000.doc||C:\Users\Tai\Local Settings\temp\Wd0000001.doc||C:\Users\Tai\Local Settings\temp\Wd0000002.doc||C:\Users\Tai\Local Settings\temp\Wd0000003.doc||C:\Users\Tai\Local Settings\temp\_isF3C0.tmp||C:\windows\temp\UDD8DA3.tmp||C:\windows\temp\UDDBA4D.tmp||C:\Users\Tai\Local Settings\temp\ehmsas.txt||C:\Users\Tai\Local Settings\temp\ose00000.exe||C:\windows\temp\UDD8DA3.tmp||C:\windows\temp\UDDBA4D.tmp||C:\Users\Tai\Local Settings\temp\ehmsas.txt||C:\Users\Tai\Local Settings\temp\ose00000.exe


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\SysWOW64\webcheck.dll

--------------------------------------------------
End of report, 8,868 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
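The StartupList report above is a snapshot of the usual Windows autostart locations (Run keys, Winlogon Userinit and Shell, BootExecute, pending boot-time file operations, ShellServiceObjectDelayLoad and Browser Helper Objects). The PowerShell below is an added example, not part of the original post and not code from HijackThis or StartupList: it enumerates those same locations and annotates every entry with the checks a responder applies by hand to such a log (does the image exist, does it carry a valid Authenticode signature, does it live somewhere a standard user can write, and are Userinit, Shell and BootExecute at their stock values). It assumes a default Windows directory layout and an elevated 64-bit PowerShell; the tool that produced the log ran from `Program Files (x86)`, so as a 32-bit process it was redirected to the `Wow6432Node` view of the machine-wide Run key, which is why the script reads both views. In the report, the `||`-separated `PendingFileRenameOperations` list is how (source, empty target) pairs render, that is, files queued for deletion at the next boot; the script prints those pairs explicitly. Flags are prompts for review, not verdicts.

```powershell
# Added example, not part of the forum post and not code from HijackThis or StartupList.
# Walks the autostart locations a StartupList report covers and annotates each entry with
# the checks a responder applies by hand: image present, Authenticode status, location
# writable by a standard user, and stock values for Winlogon and BootExecute.
# Run in an elevated 64-bit PowerShell so both registry views are read.

$ErrorActionPreference = 'SilentlyContinue'

# Directories a standard user can write to (assumption: the default Windows layout).
$UserWritable = "$env:SystemRoot\Temp", "$env:ProgramData", "$env:SystemDrive\Users"

function Get-ImagePath {
    # Extract the image path from a command line as stored in a Run value.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted path containing spaces: cut at the first image extension.
    if ($c -match '^(.+?\.(exe|dll|scr|cpl))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command, [string[]]$Extra = @())
    $exe = Get-ImagePath $Command
    # A bare name such as explorer.exe is resolved through PATH, as Winlogon would.
    if ($exe -and $exe -notmatch '\\') { $cmd = Get-Command $exe; if ($cmd) { $exe = $cmd.Path } }
    $flags = @($Extra)
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        $flags += 'file-missing'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        foreach ($d in $UserWritable) { if ($exe -like "$d\*") { $flags += 'user-writable-location' } }
    }
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Path = $exe; Flags = ($flags -join ',') }
}

function Resolve-InprocServer {
    # CLSID -> DLL. Per-user Classes are checked first because a per-user COM
    # registration shadows the machine-wide one and is itself worth a look.
    param([string]$Clsid)
    foreach ($base in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID',
                      'HKLM:\Software\Classes\Wow6432Node\CLSID') {
        $v = (Get-ItemProperty -LiteralPath "$base\$Clsid\InprocServer32").'(default)'
        if ($v) { return $v }
    }
}

function Get-AutostartReview {
    $out = @()
    # Run/RunOnce: machine-wide in both registry views, plus the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $key = Get-Item -LiteralPath $k
        if ($key) { foreach ($n in $key.GetValueNames()) { $out += Test-AutostartEntry $k $n ([string]$key.GetValue($n)) } }
    }
    # Winlogon: Userinit is comma-separated; stock is one entry, <SystemRoot>\system32\userinit.exe.
    $wl = Get-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $ui = @($wl.Userinit -split ',' | Where-Object { $_.Trim() })
    foreach ($e in $ui) {
        $extra = @()
        if (($ui.Count -ne 1) -or ($e.Trim() -notlike "$env:SystemRoot\system32\userinit.exe")) { $extra += 'userinit-not-default' }
        $out += Test-AutostartEntry 'Winlogon\Userinit' 'Userinit' $e.Trim() $extra
    }
    $extra = @(); if ($wl.Shell -ne 'explorer.exe') { $extra += 'shell-not-default' }
    $out += Test-AutostartEntry 'Winlogon\Shell' 'Shell' $wl.Shell $extra
    # Session Manager: BootExecute, and PendingFileRenameOperations as (source, target)
    # pairs where an empty target means "delete at next boot".
    $sm = Get-ItemProperty -LiteralPath 'HKLM:\System\CurrentControlSet\Control\Session Manager'
    $be = @($sm.BootExecute) -join ' '
    $extra = @(); if ($be -ne 'autocheck autochk *') { $extra += 'bootexecute-not-default' }
    $out += New-Object PSObject -Property @{ Source = 'BootExecute'; Name = ''; Path = $be; Flags = ($extra -join ',') }
    $pfro = @($sm.PendingFileRenameOperations)
    for ($i = 0; $i -lt $pfro.Count; $i += 2) {
        $src = $pfro[$i] -replace '^\\\?\?\\', ''
        $dst = if (($i + 1 -lt $pfro.Count) -and $pfro[$i + 1]) { $pfro[$i + 1] } else { '<delete>' }
        $out += New-Object PSObject -Property @{ Source = 'PendingFileRenameOperations'; Name = $dst; Path = $src; Flags = 'boot-time-file-op' }
    }
    # COM-loaded shell and browser extensions: SSODL values and BHO subkeys hold CLSIDs.
    $ssodl = Get-Item -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    if ($ssodl) { foreach ($n in $ssodl.GetValueNames()) { $out += Test-AutostartEntry 'SSODL' $n ([string](Resolve-InprocServer $ssodl.GetValue($n))) } }
    foreach ($bho in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                     'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
        foreach ($sub in Get-ChildItem -LiteralPath $bho) { $out += Test-AutostartEntry 'BHO' $sub.PSChildName ([string](Resolve-InprocServer $sub.PSChildName)) }
    }
    return $out
}

# Flagged entries first; unflagged ones are still listed so nothing is silently dropped.
Get-AutostartReview | Sort-Object { [string]::IsNullOrEmpty($_.Flags) }, Source |
    Format-Table -AutoSize Source, Name, Path, Flags
```

Read the flags the way a helper reads a HijackThis log: `user-writable-location` and a non-`Valid` signature on the same entry is what makes something worth pulling a copy of, while a vendor-signed binary under `Program Files` with no flags is the "harmless or even required" category the reply below warns about deleting. A `userinit-not-default`, `shell-not-default` or `bootexecute-not-default` flag is rare on a clean machine and should be examined before anything else, since those values run before the desktop and survive the removal of ordinary Run entries.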

Mr_JAk3
2009-02-27, 18:15
Hiya :)

Please post a standard HijackThis log to here.

Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.