naneh

Crashing IE, bridge.dll, yeakukz, halted searches.

16 posts in this topic

Hi,

 

I've read the information pages. I've scanned my computer with Adaware, Spybot SD, TrojanHunter, and an antivirus program. It has not helped, though it has removed some malware. I cannot get the updates either for the programs. Every time I go online, the computer acts overloaded and I cannot do anything. (I am writing from a different computer.)

 

Some of the symptoms of my computer (Gateway with XP Home):

- I get a message saying: Rundll: brige.dll module not found. (Though, this has not happened in the last 24 hours.)

- Explorer crashes on startup. It says that the instruction at 0x76205239 is not found.

- When I go online, a page with the head 'yeakukz' opens. Two unknown files are related to it: C:/Documents and Settings/Owner/staff.html and x.html

- Scanning with Search does not work.

- Scanning with Symantec Antivirus does not work.

 

Thank you for any help that you are able to provide,

Naneh

 

Logfile of HijackThis v1.98.0

Scan saved at 11:12:06 AM, on 7/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\alg.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\System32\svchost.exe

C:\Program Files\ViRobotXP\vrmonsvc.exe

C:\WINNT\System32\smsc.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\GWHotKey.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\ViRobotXP\vrmonnt.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\System32\wserv32.exe

C:\WINNT\System32\lsrv.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\~IntelliMover Files\AIM95\aim.exe

C:\WINNT\explorer.exe

C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe

O4 - HKLM\..\Run: [7C9121D1] C:\WINNT\System32\mtzaicgfwcsiit.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [update Service] C:\WINNT\System32\tphdlvmj.exe

O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe

O4 - HKLM\..\RunServices: [41D6AE00] C:\WINNT\System32\mtzaicgfwcsiit.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


naneh,

 

Let's proceed as follows:

 

Looks like the smsc.exe file is the AGOBOT.WF worm.

 

An on line scan with Housecall at Trend Micro should take care of it: http://housecall.trendmicro.com/

 

Check in the box by "Auto Clean" before you do the scan.

If it finds anything that cannot be cleaned, have it delete it or make a note of the file location and post it here.

 

Reboot after the scan.

 

Then, make sure all windows and browsers are closed before proceeding to run HJT and scan. Then, have HijackThis fix the following by placing a check in the appropriate boxes and selecting the: ‘Fix Checked’ button:

 

O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe

O4 - HKLM\..\Run: [7C9121D1] C:\WINNT\System32\mtzaicgfwcsiit.exe

O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe

O4 - HKLM\..\RunServices: [41D6AE00] C:\WINNT\System32\mtzaicgfwcsiit.exe

O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe

O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe

O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe

O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe

O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe

 

In order to perform the next step, make sure Windows is set to show Hidden Files & Folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Next, reboot into Safe Mode as follows:

-Restart your computer.

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

Search for and delete the following files in bold:

C:\WINDOWS2\System32\wserv32.exe

C:\WINDOWS2\System32\lsrv.exe

C:\WINNT\System32\mtzaicgfwcsiit.exe

C:\WINNT\System32\smsc.exe

 

Reboot in normal mode.

 

Run HiJackThis again making sure all windows and browsers are closed and post a new log.

Edited by FZWG


Hi,

 

Thank you for answering me so quickly. I'm sorry I was unable to respond as speedily; I was unable to reach my computer.

 

I followed the instructions. However, I could not use the online Trend Micro scan. I had to download the trial version, instead. Also, I could not find the file: C:\WINNT\System32\mtzaicgfwcsiit.exe. Therefore, I could not delete it.

 

I am not sure that everything has been fixed. Explorer.exe still crashes when I boot. Also, the search option is still non-functional. I do seem to have more success though, when I go online.

 

I've posted my new HijackThis log at the bottom of this post.

 

Thank you again for all your help.

Naneh

 

Logfile of HijackThis v1.98.0

Scan saved at 4:37:18 PM, on 8/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\System32\svchost.exe

C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe

C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

C:\Program Files\ViRobotXP\vrmonsvc.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\GWHotKey.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\ViRobotXP\vrmonnt.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

C:\WINNT\explorer.exe

C:\WINNT\System32\imapi.exe

C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [update Service] C:\WINNT\System32\tphdlvmj.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"

O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"

O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run

O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
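An added example, not part of any post in this thread: a Python script that parses HijackThis O4 lines, lists every executable registered under more than one autorun key, and checks whether those executables still appear in a follow-up log. The sample lines are a subset copied from the two logs above; the multi-key heuristic and all function names are assumptions of this example, not the helper's stated method.

```python
import re
from collections import defaultdict

# O4 lines copied (subset) from the first HijackThis log in this thread.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [7C9121D1] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\Run: [update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [41D6AE00] C:\WINNT\System32\mtzaicgfwcsiit.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
"""

# O4 lines copied (subset) from the follow-up log posted after the first fix.
SECOND_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [update Service] C:\WINNT\System32\tphdlvmj.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Any path or bare file name ending in .exe or .dll, quoted or not.
IMAGE_RE = re.compile(r'([^"]+?\.(?:exe|dll))', re.I)


def image_name(command):
    """Return the lower-cased file name an autorun command actually loads."""
    paths = IMAGE_RE.findall(command)
    if not paths:
        return command.strip().lower()
    names = [p.strip().rsplit("\\", 1)[-1].lower() for p in paths]
    # rundll32.exe is only the host; the DLL argument is the real payload.
    if names[0] == "rundll32.exe" and len(names) > 1:
        return names[1]
    return names[0]


def parse_o4(log_text):
    """Return (hive, key, value_name, image) for every O4 line in a log."""
    entries = []
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            hive, key, name, command = match.groups()
            entries.append((hive, key, name, image_name(command)))
    return entries


def multi_key_autoruns(entries, min_keys=2):
    """Map image -> sorted autorun keys, for images in >= min_keys keys.

    Heuristic assumed for this example: the same image registered under
    several autorun keys deserves a manual look before anything else.
    """
    locations = defaultdict(set)
    for hive, key, _name, image in entries:
        locations[image].add(f"{hive}\\{key}")
    return {img: sorted(keys) for img, keys in locations.items()
            if len(keys) >= min_keys}


def still_present(flagged, later_entries):
    """Images flagged earlier that still have an O4 entry in a later log."""
    later_images = {image for _, _, _, image in later_entries}
    return sorted(set(flagged) & later_images)


if __name__ == "__main__":
    flagged = multi_key_autoruns(parse_o4(FIRST_LOG))
    for image, keys in sorted(flagged.items()):
        print(f"{image}: {', '.join(keys)}")
    remaining = still_present(flagged, parse_o4(SECOND_LOG))
    print("still registered after fix:", remaining or "none")
```

On these sample lines the script reports wserv32.exe, mtzaicgfwcsiit.exe, smsc.exe and lsrv.exe, and none of them remain in the follow-up log. Single-key entries such as tphdlvmj.exe and bridge.dll are not caught by this heuristic and still need manual review.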


naneh,

 

Working on the log, but need to ask you a question.

 

How many Anti-Virus programs do you have running in real time?

 

It looks as if you have Norton Anti-Virus providing a real-time virus scan service.

 

There is also a ViRobot Expert, which is Hauri's desktop antivirus real-time service.

 

And now, there is also PCCillin from TrendMicro doing real-time scanning.

 

Is this correct? :unsure:

 

If you have installed one antivirus program with a real-time scanner, you can add other antivirus programs that do not have real-time scanning features. These are called on demand scanners.

 

However, it is not a good idea to have Norton, ViRobot and TrendMicro PCCillin running in real-time simultaneously.

 

You may want to uninstall the TrendMicro program. Meant for you to run only an on-line scan. Understand why you went that route, since the online scan did not work.

 

On the other two, Norton and ViRobot, is there one you prefer over the other?

Can ViRobot be just run on demand?


Hello,

 

Thank you ursamajoran and FZWG for your help.

 

I took care of the multiple antivirus programs problem.

 

I have not been able to take care of the bridge.dll problem though because I cannot get LiveUpdate to work on Symantec Antivirus. I was able to run the TrendMicro Housecall with the updates. It took care of 78 viruses for me, but none with the name Adware.WinFavorites.

 

It does seem that things are getting much better, since I've been able to get and stay online. I've been able to get the updates for everything but Symantec also.

 

Naneh


naneh,

 

Let's do some more cleanup.

You've gone this far, so hang in there! :weee:

May want to copy this for easier reference.

 

First, let’s sniff out some Trojans.

 

Disable System Restore as follows:

-Click Start

-Right-click the My Computer icon, and select Properties

-Click the System Restore tab

-Check: "Turn off System Restore"

-Click Apply

When turning off System Restore, the existing restore points will be deleted.

-Click Yes to do this.

-Click OK.

 

Next, make sure Windows is set to show Hidden Files & Folders (Instructions provided on earlier post. Still the same if you did not change those settings.)

 

Since you already have TrojanHunter, please update as instructed here: http://www.misec.net/trojanhunter/updating/

 

[Note: TrojanHunter 3.9 installs to C:\Program Files\TrojanHunter 3.9

Keep this in mind when updating its reference files.

If you need further guidance on this, let me know.]

 

Run TrojanHunter, and let it remove whatever it finds.

-If there is something that cannot be removed, please provide that info in your next post.

-Reboot when done.

 

 

Since you also have AdAware, in the main window, look in the bottom right corner and click on: Check for Updates Now and download the latest reference files.

 

Next, configure Ad-aware for a Full Scan:

Click on the Gear icon to access the preferences/settings

In the General window make sure the following are selected:

Automatically save log-file

Automatically quarantine objects prior to removal

Safe Mode (always request confirmation)

 

Click on the Scanning button on the left and select :

Scan Within Archives

Scan Active Processes

Scan Registry

Deep Scan Registry

Scan my IE favorites for banned URL’s

Scan my Hosts file

 

Under Click here to select drives + folders, choose:

All of your hard drives

 

Click on the Advanced button on the left and select:

Include additional process information

Include additional file information

Include environment information

Include additional object details

 

Click the Tweak button and select:

Under the Scanning Engine:

Unload recognized processes during scanning

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

 

Under the Cleaning Engine:

Let Windows remove files in use at next reboot

 

Click: Proceed to save the settings.

 

Click: Start

On the next screen choose: Activate in-depth Scan

Choose: Use Custom Scanning Options

 

Click Next and Ad-aware scans your hard drive(s) with the options selected.

 

When finished, right-click the window with all the entries, choose: Select All from the drop menu, and click Next.

Once AdAware has removed all the items, close the program

 

Restart the computer.

 

Now, let's put Spybot Search and Destroy to work.

 

Since you already have the program (latest version is 1.3), click on: Search for updates button.

 

-Next, make sure all windows and browsers are closed, and select: Check for Problems.

-Have Spybot remove all the items in RED by clicking on the button labeled: Fix Selected Problems

-Close the program, and reboot after Spybot is done.

 

Now, please run HijackThis again.

 

Make sure all windows and browsers are closed before proceeding to run HJT and scan. Then, have it fix the following by placing a check in the appropriate box and selecting the: ‘Fix Checked’ button:

 

O4 - HKLM\..\Run: [update Service] C:\WINNT\System32\tphdlvmj.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load

 

Next, reboot in Safe Mode as instructed in earlier post.

Hidden files and folders should still be set to show.

 

Search for and remove the following files (bold):

C:\WINNT\System32\tphdlvmj.exe

C:\WINNT\System32\bridge.dll

 

Reboot in normal mode.

 

Run HiJackThis again making sure all windows and browsers are closed and post a new log.

 

We'll see where we are at.

Edited by FZWG


naneh,

 

Made an edit to the post above. Fix two items in red, and delete the corresponding files.

 

Just in case you read the post before the edit.

Edited by FZWG


My apologies, naneh. :oops:

 

Also need to remove the following:

 

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

 

Will be ready for you when you post a new log.


naneh,

 

How are things going?

 

Are you having more problems, or is there improvement?


Hello,

 

Thanks for all your continued help. Again, I'm sorry it took me so much time to reply.

 

I followed all your instructions. The following things did not show up in the HijackThis log for me to fix:

O4 - HKLM\..\Run: [update Service] C:\WINNT\System32\tphdlvmj.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\System32\bridge.dll",Load.

 

Also, I could not find C:\WINNT\System32\tphdlvmj.exe and C:\WINNT\System32\bridge.dll to delete them. For the bridge.dll problem, recently, I haven't had the popup message with "Bridge.dll module not found."

 

Actually, I have not had any problems recently. I have yet to spend an extended amount of time online, though, to see if the problems start occurring again. Internet use problems usually occurred after 5-10 minutes of use. Hopefully, all is well.

 

Thank you again,

Naneh

 

 

Logfile of HijackThis v1.98.0

Scan saved at 11:32:51 PM, on 8/18/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\alg.exe

C:\WINNT\System32\Ati2evxx.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\System32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\GWHotKey.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\~IntelliMover Files\AIM95\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


naneh,

 

Glad you are back.

 

Took a very fast look at your log, and nothing struck me with a red flag.

 

However, while our dialogue has been going on, a new version of HijackThis (1.98.2) with greater detection capabilities is now available.

 

Please update your older version (1.98.0) of HijackThis as follows:

-Run the program

-Press: Config (lower right corner)

-Click: Misc. Tools at the top

-Press: Check for online update

 

You should see version 1.98.2 available

Download the new version

 

If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from the following link:

http://www.majorgeeks.com/download3155.html

 

Post a log with the new version of HijackThis, just to make sure we got everything covered.

 

Will await your response.


Hi,

 

This is my new log file with the new HijackThis.

 

Thank you again for all your help,

Naneh

 

Logfile of HijackThis v1.98.2

Scan saved at 8:07:26 PM, on 8/20/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\alg.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\System32\svchost.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINNT\GWHotKey.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\~IntelliMover Files\AIM95\aim.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\WINNT\System32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\~IntelliMover Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093038883384

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

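For readers who want to review a log like the one posted above entry by entry, here is an added example (not part of the thread and not HijackThis's own code) that parses O4 registry autoruns and O16 ActiveX entries. The function names are hypothetical, and the sample lines are copied from the posted log with their URLs elided as on the page.

```python
import re
from urllib.parse import urlparse

# Six entries copied from the log posted above (URL elision kept as on the page).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\~IntelliMover Files\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093038883384
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                       # section code, rest of line
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # O4 registry autorun
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\}) \((.*?)\) - (\S+)$")  # O16 ActiveX


def parse(log):
    """Return one dict per entry; O4 and O16 entries get extra fields."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank lines and header lines are skipped
        code, body = m.groups()
        entry = {"code": code, "body": body}
        run = RUN.match(body) if code == "O4" else None
        dpf = DPF.match(body) if code == "O16" else None
        if run:
            hive, key, name, cmd = run.groups()
            entry.update(hive=hive, key=key, name=name, command=cmd,
                         has_path="\\" in cmd)
        if dpf:
            clsid, name, url = dpf.groups()
            entry.update(clsid=clsid, name=name, codebase=url,
                         scheme=urlparse(url).scheme)
        entries.append(entry)
    return entries


def needs_manual_lookup(entries):
    """Autoruns for which the log records a file name but no folder."""
    return [e["name"] for e in entries if e.get("has_path") is False]


def web_codebases(entries):
    """ActiveX controls installed from a web host, as {name: host}."""
    return {e["name"]: urlparse(e["codebase"]).hostname
            for e in entries if e.get("scheme") in ("http", "https")}
```

An autorun listed by `needs_manual_lookup` is not flagged as bad; the log simply does not say where the file lives, so the reviewer has to locate it on disk before judging it.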

Naneh,

 

Good work!! Log looks good. :D

 

Let’s do some more cleanup and wrap up.

 

Reboot into Safe Mode:

-Tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu

-Select the option for Safe Mode using the arrow keys

-Press Enter to boot into Safe Mode

 

In Safe Mode go to C:\Windows\Temp folder.

Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

 

Next, go to C:\Documents and Settings\username\Local Settings\Temp folder.

Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder.

 

Finally, go to Control Panel>Internet Options.

-On the General tab under: Temporary Internet Files, click: Delete Files

-Place a check by: Delete Offline Content when the prompt appears, and click OK

-Next, click on the Programs tab, then click: Reset Web Settings button

Click Apply, then OK.

 

Also, empty the Recycle Bin.

 

Reboot to Normal mode.

 

At one point you enabled the viewing of Hidden files and Folders as follows:

[start>My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]

This time select the: Restore Defaults button

Select: Apply, and click OK

 

Next, since the system is now clean, use System Restore, and create a Restore Point

Turn System Restore back on

-On the Desktop, right-click My Computer

-Select: Properties

-Select the System Restore tab

-Check: Turn on System Restore

-Click: Apply, and then: OK

 

Now, create a Restore Point:

-Go to: Start>All Programs.

-Go to: Accessories>System Tools, and select: System Restore.

-In the System Restore wizard, select: Create a restore point

-Click the Next button.

-Type a description for the restore point, like: Clean Slate (or whatever you like)

Click: Create

 

Restart the computer.

 

Consider mustering up your PC’s line of defense against malware. You already have an Anti-virus program. Make sure it is kept updated and run regularly.

 

An essential addition to XP is a firewall.

Zone Alarm has a free version:

http://www.zonelabs.com/store/content/comp...reeDownload.jsp

 

Two other good choices are:

Sygate http://smb.sygate.com/products/spf_pro.htm

Kerio http://www.kerio.com/us/kpf_home.html

 

It is a good idea to regularly clean up Temporary Internet Files, Temporary Files, and the Recycle Bin.

Periodically use the Disk Cleanup utility in Windows XP, as follows:

-Click Start>Run

-In the Open box, key in: cleanmgr

-Click: OK

-Place a check next to the categories mentioned above

-Click OK

-Click: Yes to proceed with the action

-Reboot

 

Visit the Microsoft Windows Update regularly.

Information on the Automatic Update feature for XP is found here: http://www.microsoft.com/athome/security/p...xp/updates.aspx

 

An excellent reference in developing a plan of defense is Tony Klein’s article: 'How Did I Get Infected In The First Place':

http://forums.net-integration.net/index.php?showtopic=3051

Its information provides some useful tools and their links.

 

Adding to Tony’s excellent advice, Spybot Search and Destroy and AdAware are programs that you already have, and can use as part of your plan to counteract malware. Update the programs to obtain their latest reference files, and run them on a regular basis.

 

Thank you for your patience, and for performing all the procedures requested.

If you have any further questions or comments, post back.


Glad to help, naneh!

 

P.S. On your last log it shows you are running HijackThis from the Desktop:

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

vs. in its own folder where you had it before:

C:\Documents and Settings\Owner\Desktop\Hijack\HijackThis.exe :thumbsup:

 

Next time you use the program, place it in its own folder to keep its backups secure. They may be needed at some point.

 

Have a great weekend!!

 

Good luck!! :wave:
