Crashing IE, bridge.dll, yeakukz, halted searches.


#1 naneh

Posted 28 July 2004 - 10:39 AM

Hi,

I've read the information pages. I've scanned my computer with Adaware, Spybot SD, TrojanHunter, and an antivirus program. It has not helped, though it has removed some malware. I cannot get the updates either for the programs. Every time I go online, the computer acts overloaded and I cannot do anything. (I am writing from a different computer.)

Some of the symptoms of my computer (Gateway with XP Home):
- I get a message saying: Rundll: bridge.dll module not found. (Though, this has not happened in the last 24 hours.)
- Explorer crashes on startup. It says that the instruction at 0x76205239 is not found.
- When I go online, a page with the head 'yeakukz' opens. Two unknown files are related to it: C:/Documents and Settings/Owner/staff.html and x.html
- Scanning with Search does not work.
- Scanning with Symantec Antivirus does not work.

Thank you for any help that you are able to provide,
Naneh

Logfile of HijackThis v1.98.0
Scan saved at 11:12:06 AM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINNT\System32\smsc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\wserv32.exe
C:\WINNT\System32\lsrv.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\~IntelliMover Files\AIM95\aim.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [7C9121D1] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [41D6AE00] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

#2 FZWG

Posted 29 July 2004 - 04:05 PM

naneh,

Let's proceed as follows:

Looks like the smsc.exe file is the AGOBOT.WF worm.

An on line scan with Housecall at Trend Micro should take care of it: http://housecall.trendmicro.com/

Check in the box by "Auto Clean" before you do the scan.
If it finds anything that cannot be cleaned, have it delete it or make a note of the file location and post it here.

Reboot after the scan.

Then, make sure all windows and browsers are closed before proceeding to run HJT and scan. Then, have HijackThis fix the following by placing a check in the appropriate boxes and selecting the: ‘Fix Checked’ button:

O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [7C9121D1] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [41D6AE00] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

In order to perform the next step, make sure Windows is set to show Hidden Files & Folders: http://www.xtra.co.n...1916458,00.html

Next, reboot into Safe Mode as follows:
-Restart your computer.
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

Search for and delete the following files in bold:
C:\WINDOWS2\System32\wserv32.exe
C:\WINDOWS2\System32\lsrv.exe
C:\WINNT\System32\mtzaicgfwcsiit.exe
C:\WINNT\System32\smsc.exe

Reboot in normal mode.

Run HiJackThis again making sure all windows and browsers are closed and post a new log.

Edited by FZWG, 30 July 2004 - 11:39 AM.


There are times when everything is understood...then one regains consciousness!

#3 naneh

Posted 07 August 2004 - 03:55 PM

Hi,

Thank you for answering me so quickly. I'm sorry I was unable to respond as speedily; I was unable to reach my computer.

I followed the instructions. However, I could not use the online Trend Micro scan. I had to download the trial version, instead. Also, I could not find the file: C:\WINNT\System32\mtzaicgfwcsiit.exe. Therefore, I could not delete it.

I am not sure that everything has been fixed. Explorer.exe still crashes when I boot. Also, the search option is still non-functional. I do seem to have more success though, when I go online.

I've posted my new HijackThis log at the bottom of this post.

Thank you again for all your help.
Naneh

Logfile of HijackThis v1.98.0
Scan saved at 4:37:18 PM, on 8/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\imapi.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
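
The triage FZWG did by eye in post #2 (bare filenames under Microsoft-sounding display names, a hex-named file in System32, the same binary wired into several Run keys), plus a diff of the 28 July log against the 7 August one, as an added Python example that is not part of the original thread. The OEM allow-list and the scoring rules are assumptions of the example; the sample lines are excerpts copied from the two logs posted above.

```python
"""Triage helper for HijackThis O4 autorun lines (added example, not from the thread)."""
import re
from collections import defaultdict

# One O4 line: hive, Run-style key, [display name], command line.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# HJT prints unquoted paths containing spaces, so cut the program path at its extension.
TARGET_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr))"?', re.I)
MS_BAIT_RE = re.compile(r'^(microsoft|win32|windows|update) ', re.I)  # "Microsoft Update", ...
HEX_NAME_RE = re.compile(r'^[0-9A-F]{6,}$')                            # "[7C9121D1]"
CONSONANT_RUN_RE = re.compile(r'[bcdfghjklmnpqrstvwxz]{5,}')           # "mtzaicgfwcsiit"
# Constructed allow-list: OEM entries on this Gateway that legitimately run by bare name.
KNOWN_GOOD_BARE = {"ati2mdxx.exe", "gwmdmmsg.exe", "gwhotkey.exe"}


def extract_target(cmd):
    """Path of the program an O4 command really starts (the DLL when rundll32 is the host)."""
    m = TARGET_RE.match(cmd)
    path = m.group("path") if m else cmd.split()[0]
    if m and path.lower().endswith("rundll32.exe"):
        m2 = TARGET_RE.match(cmd[m.end():].strip())
        path = m2.group("path") if m2 else path
    return path


def parse_o4(log_text):
    """Return one dict per O4 line: hive, key, name, exe (lower-case) and its directory."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        target = extract_target(d["cmd"])
        d["exe"] = target.rsplit("\\", 1)[-1].lower()
        d["directory"] = target.rsplit("\\", 1)[0].lower() if "\\" in target else ""
        entries.append(d)
    return entries


def triage(entries):
    """Map each suspicious executable to the set of reasons it was flagged."""
    reasons = defaultdict(set)
    locations = defaultdict(set)
    for e in entries:
        exe, name, directory = e["exe"], e["name"], e["directory"]
        locations[exe].add((e["hive"], e["key"]))
        if exe in KNOWN_GOOD_BARE:
            continue
        if directory == "":
            reasons[exe].add("no path: found via the search order, not a vendor install dir")
        if MS_BAIT_RE.match(name):
            reasons[exe].add("display name impersonates a Microsoft/Windows component")
        if HEX_NAME_RE.match(name):
            reasons[exe].add("hex-only display name")
        if (directory == "" or directory.endswith("system32")) and \
                CONSONANT_RUN_RE.search(exe.rsplit(".", 1)[0]):
            reasons[exe].add("random-looking filename in System32")
    for exe, locs in locations.items():
        if len(locs) > 1:  # the same binary wired into Run, RunServices, RunOnce, HKCU...
            reasons[exe].add("registered under %d autorun keys" % len(locs))
    return dict(reasons)


def diff_logs(old_text, new_text):
    """Executables whose O4 persistence vanished or appeared between two scans."""
    old = {e["exe"] for e in parse_o4(old_text)}
    new = {e["exe"] for e in parse_o4(new_text)}
    return sorted(old - new), sorted(new - old)


# Excerpts copied from naneh's 28 July (post #1) and 7 August (post #3) logs.
LOG_JULY = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [7C9121D1] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [Update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [41D6AE00] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
"""
LOG_AUGUST = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
"""

if __name__ == "__main__":
    for exe, why in sorted(triage(parse_o4(LOG_JULY)).items()):
        print(exe, "->", "; ".join(sorted(why)))
    gone, new = diff_logs(LOG_JULY, LOG_AUGUST)
    print("gone since July:", gone, "\nnew in August:", new)
```

Note that bridge.dll earns no score from the heuristics; it only stands out because the diff shows it appearing after the first cleanup, which is why a helper compares successive logs rather than reading each one in isolation.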

#4 FZWG

Posted 08 August 2004 - 02:34 AM

naneh,

Working on the log, but need to ask you a question.

How many Anti-Virus programs do you have running in real time?

It looks as if you have Norton Anti-Virus providing a real-time virus scan service.

There is also a ViRobot Expert, which is Hauri's desktop antivirus real-time service.

And now, there is also PCCillin from TrendMicro doing real-time scanning.

Is this correct? :unsure:

If you have installed one antivirus program with a real-time scanner, you can add other antivirus programs that do not have real-time scanning features. These are called on demand scanners.

However, it is not a good idea to have Norton, ViRobot and TrendMicro PCCillin running in real-time simultaneously.

You may want to uninstall the TrendMicro program. Meant for you to run only an on-line scan. Understand why you went that route, since the online scan did not work.

On the other two, Norton and ViRobot, is there one you prefer over the other?
Can ViRobot be just run on demand?

#5 ursamajoran

Posted 08 August 2004 - 03:07 AM

The bridge.dll file is from AdWare.WinFavorites. Removal instructions can be found here
http://securityrespo...nfavorites.html

#6 naneh

Posted 08 August 2004 - 07:52 AM

Hello,

Thank you ursamajoran and FZWG for your help.

I took care of the multiple antivirus programs problem.

I have not been able to take care of the bridge.dll problem though because I cannot get LiveUpdate to work on Symantec Antivirus. I was able to run the TrendMicro Housecall with the updates. It took care of 78 viruses for me, but none with the name Adware.WinFavorites.

It does seem that things are getting much better, since I've been able to get and stay online. I've been able to get the updates for everything but Symantec also.

Naneh

#7 FZWG

Posted 08 August 2004 - 03:03 PM

naneh,

Let's do some more cleanup.
You've gone this far, so hang in there! :weee:
May want to copy this for easier reference.

First, let’s sniff out some Trojans.

Disable System Restore as follows:
-Click Start
-Right-click the My Computer icon, and select Properties
-Click the System Restore tab
-Check: "Turn off System Restore"
-Click Apply
When turning off System Restore, the existing restore points will be deleted.
-Click Yes to do this.
-Click OK.

Next, make sure Windows is set to show Hidden Files & Folders (Instructions provided on earlier post. Still the same if you did not change those settings.)

Since you already have TrojanHunter, please update as instructed here: http://www.misec.net...unter/updating/

[Note: TrojanHunter 3.9 installs to C:\Program Files\TrojanHunter 3.9
Keep this in mind when updating its reference files.
If you need further guidance on this, let me know.]

Run TrojanHunter, and let it remove whatever it finds.
-If there is something that cannot be removed, please provide that info in your next post.
-Reboot when done.


Since you also have AdAware, in the main window, look in the bottom right corner and click on: Check for Updates Now and download the latest reference files.

Next, configure Ad-aware for a Full Scan:
Click on the Gear icon to access the preferences/settings
In the General window make sure the following are selected:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Click on the Scanning button on the left and select :
Scan Within Archives
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file

Under Click here to select drives + folders, choose:
All of your hard drives

Click on the Advanced button on the left and select:
Include additional process information
Include additional file information
Include environment information
Include additional object details

Click the Tweak button and select:
Under the Scanning Engine:
Unload recognized processes during scanning
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile

Under the Cleaning Engine:
Let Windows remove files in use at next reboot

Click: Proceed to save the settings.

Click: Start
On the next screen choose: Activate in-depth Scan
Choose: Use Custom Scanning Options

Click Next and Ad-aware scans your hard drive(s) with the options selected.

When finished, right-click the window with all the entries, choose: Select All from the drop menu, and click Next.
Once AdAware has removed all the items, close the program

Restart the computer.

Now, let's put Spybot Search and Destroy to work.

Since you already have the program (latest version is 1.3), click on: Search for updates button.

-Next, make sure all windows and browsers are closed, and select: Check for Problems.
-Have Spybot remove all the items in RED by clicking on the button labeled: Fix Selected Problems
-Close the program, and reboot after Spybot is done.

Now, please run HijackThis again.

Make sure all windows and browsers are closed before proceeding to run HJT and scan. Then, have it fix the following by placing a check in the appropriate box and selecting the: ‘Fix Checked’ button:

O4 - HKLM\..\Run: [Update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load


Next, reboot in Safe Mode as instructed in earlier post.
Hidden files and folders should still be set to show.

Search for and remove the following files (bold):
C:\WINNT\System32\tphdlvmj.exe
C:\WINNT\System32\bridge.dll

Reboot in normal mode.

Run HiJackThis again making sure all windows and browsers are closed and post a new log.

We'll see where we are at.

Edited by FZWG, 08 August 2004 - 07:11 PM.


#8 FZWG

Posted 08 August 2004 - 03:26 PM

naneh,

Made an edit to the post above. Fix two items in red, and delete the corresponding files.

Just in case you read the post before the edit.

Edited by FZWG, 08 August 2004 - 07:13 PM.


#9 FZWG

Posted 08 August 2004 - 09:43 PM

My apologies, naneh. :oops:

Also need to remove the following:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Will be ready for you when you post a new log.

#10 FZWG

Posted 10 August 2004 - 08:44 AM

naneh,

How are things going?

Are you are having more problems, or is there improvement?

#11 naneh

Posted 18 August 2004 - 10:49 PM

Hello,

Thanks for all your continued help. Again, I'm sorry it took me so much time to reply.

I followed all your instructions. The following things did not show up in the HijackThis log for me to fix:
O4 - HKLM\..\Run: [Update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load.

Also, I could not find C:\WINNT\System32\tphdlvmj.exe and C:\WINNT\System32\bridge.dll to delete them. For the bridge.dll problem, recently, I haven't had the popup message with "Bridge.dll module not found."

Actually, I have not had any problems recently. I have yet to spend an extended amount of time online, though, to see if the problems start occurring again. Internet use problems usually occurred after 5-10 minutes of use. Hopefully, all is well.

Thank you again,
Naneh


Logfile of HijackThis v1.98.0
Scan saved at 11:32:51 PM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\~IntelliMover Files\AIM95\aim.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

#12 FZWG

Posted 19 August 2004 - 12:08 AM

naneh,

Glad you are back.

Took a very fast look at your log, and nothing struck me with a red flag.

However, while our dialogue has been going on, a new version of HijackThis (1.98.2) with greater detection capabilities is now available.

Please update your older version (1.98.0) of HijackThis as follows:
-Run the program
-Press: Config (lower right corner)
-Click: Misc. Tools at the top
-Press: Check for online update

You should see version 1.98.2 available
Download the new version

If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from the following link:
http://www.majorgeek...wnload3155.html

Post a log with the new version of HijackThis, just to make sure we got everything covered.

Will await your response.

#13 naneh

Posted 20 August 2004 - 07:14 PM

Hi,

This is my new log file with the new HijackThis.

Thank you again for all your help,
Naneh

Logfile of HijackThis v1.98.2
Scan saved at 8:07:26 PM, on 8/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\alg.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\~IntelliMover Files\AIM95\aim.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093038883384
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

#14 FZWG

Posted 20 August 2004 - 09:23 PM

Naneh,

Good work!! Log looks good. :D

Let’s do some more cleanup and wrap up.

Reboot into Safe Mode:
-Tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu
-Select the option for Safe Mode using the arrow keys
-Press Enter to boot into Safe Mode

In Safe Mode go to C:\Windows\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.
Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder.

Finally, go to Control Panel>Internet Options.
-On the General tab under: Temporary Internet Files, click: Delete Files
-Place a check by: Delete Offline Content when the prompt appears, and click OK
-Next, click on the Programs tab, then click: Reset Web Settings button
Click Apply, then OK.

Also, empty the Recycle Bin.

Reboot to Normal mode.

At one point you enabled the viewing of Hidden files and Folders as follows:
[Start>My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults button
Select: Apply, and click OK

Next, since the system is now clean, use System Restore, and create a Restore Point
Turn System Restore back on
-On the Desktop, right-click My Computer
-Select: Properties
-Select the System Restore tab
-Check: Turn on System Restore
-Click: Apply, and then: OK

Now, create a Restore Point:
-Go to: Start>All Programs.
-Go to: Accessories>System Tools, and select: System Restore.
-In the System Restore wizard, select: Create a restore point
-Click the Next button.
-Type a description for the restore point, like: Clean Slate (or whatever you like)
Click: Create

Restart the computer.

Consider mustering up your PC’s line of defense against malware. You already have an Anti-virus program. Make sure it is kept updated and run regularly.

An essential addition to XP is a firewall.
Zone Alarm has a free version:
http://www.zonelabs....reeDownload.jsp

Two other good choices are:
Sygate http://smb.sygate.co...cts/spf_pro.htm
Kerio http://www.kerio.com/us/kpf_home.html

It is a good idea to regularly clean up Temporary Internet Files, Temporary Files, and the Recycle Bin.
Periodically use the Disk Cleanup utility in Windows XP, as follows:
-Click Start>Run
-In the Open box, key in: cleanmgr
-Click: OK
-Place a check next to the categories mentioned above
-Click OK
-Click: Yes to proceed with the action
-Reboot

Visit the Microsoft Windows Update regularly.
Information on the Automatic Update feature for XP is found here: http://www.microsoft...xp/updates.aspx

An excellent reference in developing a plan of defense is Tony Klein’s article: 'How Did I Get Infected In The First Place':
http://forums.net-in...?showtopic=3051
Its information provides some useful tools and their links.

Adding to Tony’s excellent advice, Spybot Search and Destroy and AdAware are programs that you already have, and can use as part of your plan to counteract malware. Update the programs to obtain their latest reference files, and run them on a regular basis.

Thank you for your patience, and performing all the procedures requested.
If you have any further questions or comments, post back.

#15 naneh

Posted 27 August 2004 - 05:05 PM

Thank you for all the help. I'm so glad my computer is running normally again.

Sincerely,
Naneh

#16 FZWG

Posted 27 August 2004 - 07:28 PM

Glad to help, naneh!

P.S. On your last log it shows you are running HijackThis from the Desktop:
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

vs. in its own folder where you had it before:
C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe :thumbsup:

Next time you use the program, place it in its own folder to keep its backups secure. They may be needed at some point.

Have a great weekend!!

Good luck!! :wave: