Options
Hi Jacker Need Help for ME os
Here is what I have. I followed the instructions per this website. Please help.
Logfile of HijackThis v1.99.0
Scan saved at 12:23:36 PM, on 12/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\NORMAN\NVC\BIN\ZANDA.EXE
C:\WINDOWS\SYSTEM\APPLD32.EXE
C:\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\NORMAN\NVC\BIN\NJEEVES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\NORMAN\NVC\BIN\NYMSE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\Program Files\StrataLink\stratlnk.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NORMAN\NVC\BIN\NIP.EXE
C:\PROGRAM FILES\ORDER XPRESS\ORDEREXPRESS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyberteck.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACROIEFAVCLIENT.DLL
O2 - BHO: Class - {3930C514-F461-E0B5-435D-2550DAD24CF6} - C:\WINDOWS\SYSTEM\IEGB32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACROIEFAVCLIENT.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [fzbkluh] "C:\WINDOWS\SYSTEM\FZBKLUH.exe"
O4 - HKLM\..\Run: [30F2.TMP] C:\WINDOWS\TEMP\30F2.TMP.exe 1 28129
O4 - HKLM\..\Run: [30F2.TMP.EXE] C:\WINDOWS\TEMP\30F2.TMP.EXE 1 28129
O4 - HKLM\..\Run: [CRFM.EXE] C:\WINDOWS\CRFM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKLM\..\RunServices: [APPLD32.EXE] C:\WINDOWS\SYSTEM\APPLD32.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: StrataLink.lnk = C:\Program Files\StrataLink\stratlnk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/find.html (file missing)
O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/antivirus.html (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/ggo.html (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/warning.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/topsearch.html (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.254.254
Help!
jon
Logfile of HijackThis v1.99.0
Scan saved at 12:23:36 PM, on 12/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\NORMAN\NVC\BIN\ZANDA.EXE
C:\WINDOWS\SYSTEM\APPLD32.EXE
C:\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\NORMAN\NVC\BIN\NJEEVES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\NORMAN\NVC\BIN\NYMSE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\Program Files\StrataLink\stratlnk.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NORMAN\NVC\BIN\NIP.EXE
C:\PROGRAM FILES\ORDER XPRESS\ORDEREXPRESS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyberteck.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACROIEFAVCLIENT.DLL
O2 - BHO: Class - {3930C514-F461-E0B5-435D-2550DAD24CF6} - C:\WINDOWS\SYSTEM\IEGB32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\ACROBAT\ACROIEFAVCLIENT.DLL
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [fzbkluh] "C:\WINDOWS\SYSTEM\FZBKLUH.exe"
O4 - HKLM\..\Run: [30F2.TMP] C:\WINDOWS\TEMP\30F2.TMP.exe 1 28129
O4 - HKLM\..\Run: [30F2.TMP.EXE] C:\WINDOWS\TEMP\30F2.TMP.EXE 1 28129
O4 - HKLM\..\Run: [CRFM.EXE] C:\WINDOWS\CRFM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKLM\..\RunServices: [APPLD32.EXE] C:\WINDOWS\SYSTEM\APPLD32.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: StrataLink.lnk = C:\Program Files\StrataLink\stratlnk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/find.html (file missing)
O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/antivirus.html (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/ggo.html (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/warning.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://www001.upp.so-net.ne:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/topsearch.html (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.254.254
Help!
jon
0
Comments
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cyberteck.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www001.upp.so-net.ne:3128@DF....BIZ/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cwxjn.dll/sp.html#28129
O4 - HKLM\..\Run: [fzbkluh] "C:\WINDOWS\SYSTEM\FZBKLUH.exe"
O4 - HKLM\..\Run: [30F2.TMP] C:\WINDOWS\TEMP\30F2.TMP.exe 1 28129
O4 - HKLM\..\Run: [30F2.TMP.EXE] C:\WINDOWS\TEMP\30F2.TMP.EXE 1 28129
O4 - HKLM\..\Run: [CRFM.EXE] C:\WINDOWS\CRFM.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
Fix those entries then find and delete the files listed above, reboot and post a new log.
Here is my new response/log
Logfile of HijackThis v1.99.0
Scan saved at 2:38:12 PM, on 12/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\NORMAN\NVC\BIN\ZANDA.EXE
C:\WINDOWS\SYSTEM\APPLD32.EXE
C:\NORMAN\NVC\BIN\CCLAW.EXE
C:\NORMAN\NVC\BIN\NVCSCHED.EXE
C:\NORMAN\NVC\BIN\NJEEVES.EXE
C:\NORMAN\NVC\BIN\NIP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\NORMAN\NVC\BIN\ZLH.EXE
C:\HJT\HIJACKTHIS.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\DISTILLR\ACROTRAY.EXE
C:\Program Files\StrataLink\stratlnk.exe
C:\NORMAN\NVC\BIN\NYMSE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Norman ZANDA] C:\NORMAN\NVC\BIN\ZANDA.EXE /LOAD
O4 - HKLM\..\RunServices: [APPLD32.EXE] C:\WINDOWS\SYSTEM\APPLD32.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: StrataLink.lnk = C:\Program Files\StrataLink\stratlnk.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.254.254
Fix that entry then find and delete appld32.exe, reboot and post a new log.
I deleted the file APPLD32.EXE with HiJack Program and through the System File. I forgot that I had to un-hide the system files first through the control panel /folder options/ Hide Protected Operating System (un click) file and remove the file through the registry. I had to reboot and then remove else I got an error message saying that the windows program was using the file.
Thanks again. It worked.