6 replies to this topic

[dschu]

Logfile of HijackThis v1.99.1 Scan saved at 7:55:33 PM, on 11/2/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\WUAUBOOT.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE C:\MY DOCUMENTS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing) O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O15 - Trusted IP range: 66.230.143.209

[daparker]

Please see the following thread if you have not received a response to your thread in 5 days:

http://forums.tomcoy...showtopic=31622

[pskelley]

Hello and welcome to TomCoyote forums. Please start by returning to My Documents and RIGHT clicking a blank spot. Make a new folder called HJT. Move the HJT.exe and the log that is there into that folder. Backups for safety will also store there.

I am fairly sure this is good: C:\WINDOWS\WUAUBOOT.EXE but I rarely see it running in a log. If you know what it is move on, if not use these free scanners to find out:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustota...h/index_en.html

Do you know this item: O15 - Trusted IP range: 66.230.143.209 that is running from your trusted zone? If you don't know it use HJT to remove it. I show this information:
ISPrime, Inc. NET-66-230-128-0-1 (NET-66-230-128-0-1)
66.230.128.0 - 66.230.191.255
oXeo Networks OXEO-66-230-142-0 (NET-66-230-142-0-1)
66.230.142.0 - 66.230.143.255

Is it possible that you have cut off part of the HJT log. It is rare that it stops at 015?

If all of these items check out with you then you are good to go and here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html

Thanks...pskelley
TomCoyote forum
Expert Member

[dschu]

Thanks for the help. I've tried to get rid of the TRUSTED ZONE but it keeps coming back. Thats why I thought I would contact you. I've tried to delete it several times. What else do I need to do?

[pskelley]

OK, here is what you need to do. First it has been a long time since I have seen a log, and these infections change quickly. 1) HJT needs a folder, if you wish to run from MyDocuments, return there and RIGHT click on a blank spot and make a New Folder, name it HJT. Move the HIJACKTHIS.EXE and the logfile that should be there into that new folder. Backups for safety will also store in there. 2) Return to my instructions and read them again, then give me the answers to the questions I asked. I do not need to know about the Trusted Zone line again, you have supplied the answer to that question. 3) After you have repositioned HJT, post a new log with the information I requested and I will respond as soon as possible after you post. Thanks...Phil

Edited by pskelley, 30 November 2005 - 08:18 AM.

[pskelley]

No response, I will close this topic in 24 hours. Thanks...pskelley

[pskelley]

No response...pskelley