Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91818 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Scan log please


  • This topic is locked This topic is locked
6 replies to this topic

#1 dschu

dschu

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 02 November 2005 - 07:58 PM

Logfile of HijackThis v1.99.1 Scan saved at 7:55:33 PM, on 11/2/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\WUAUBOOT.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE C:\MY DOCUMENTS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing) O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O15 - Trusted IP range: 66.230.143.209

    Advertisements

Register to Remove


#2 daparker

daparker

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 779 posts

Posted 22 November 2005 - 08:46 PM

Please see the following thread if you have not received a response to your thread in 5 days:

http://forums.tomcoy...showtopic=31622

#3 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 25 November 2005 - 06:19 AM

Hello and welcome to TomCoyote forums. Please start by returning to My Documents and RIGHT clicking a blank spot. Make a new folder called HJT. Move the HJT.exe and the log that is there into that folder. Backups for safety will also store there.

I am fairly sure this is good: C:\WINDOWS\WUAUBOOT.EXE but I rarely see it running in a log. If you know what it is move on, if not use these free scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustota...h/index_en.html

Do you know this item: O15 - Trusted IP range: 66.230.143.209 that is running from your trusted zone? If you don't know it use HJT to remove it. I show this information:
ISPrime, Inc. NET-66-230-128-0-1 (NET-66-230-128-0-1)
66.230.128.0 - 66.230.191.255
oXeo Networks OXEO-66-230-142-0 (NET-66-230-142-0-1)
66.230.142.0 - 66.230.143.255

Is it possible that you have cut off part of the HJT log. It is rare that it stops at 015?

If all of these items check out with you then you are good to go and here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Thanks...pskelley
TomCoyote forum
Expert Member
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#4 dschu

dschu

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 29 November 2005 - 10:22 PM

Thanks for the help. I've tried to get rid of the TRUSTED ZONE but it keeps coming back. Thats why I thought I would contact you. I've tried to delete it several times. What else do I need to do?

#5 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 30 November 2005 - 08:17 AM

OK, here is what you need to do. First it has been a long time since I have seen a log, and these infections change quickly. 1) HJT needs a folder, if you wish to run from MyDocuments, return there and RIGHT click on a blank spot and make a New Folder, name it HJT. Move the HIJACKTHIS.EXE and the logfile that should be there into that new folder. Backups for safety will also store in there. 2) Return to my instructions and read them again, then give me the answers to the questions I asked. I do not need to know about the Trusted Zone line again, you have supplied the answer to that question. 3) After you have repositioned HJT, post a new log with the information I requested and I will respond as soon as possible after you post. Thanks...Phil

Edited by pskelley, 30 November 2005 - 08:18 AM.

MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#6 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 05 December 2005 - 07:37 AM

No response, I will close this topic in 24 hours. Thanks...pskelley
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

#7 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 07 December 2005 - 06:13 PM

No response...pskelley
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users