a little help please:

Discussion in 'adware, spyware & hijack cleaning' started by rlewis1176, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. rlewis1176

    rlewis1176 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    I have the 'error in c:\windows\system32\bridge.dll' error message popping up a lot, with lots of popups too, and homepage redirects.


    I have followed the directions found here: https://www.wilderssecurity.com/showthread.php?t=15913

    Here is my HijackThis log:

    Thanks for your time, I'm really at a loss for a solution.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi rlewis1176,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Put the Startup type to Disabled under the Properties > General tab.

    Then open Task Manager and stop these two processes:
    C:\WINDOWS\system32\crds.exe
    C:\WINDOWS\system32\crft.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksqi.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksqi.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksqi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksqi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uksqi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uksqi.dll/sp.html#37049

    O2 - BHO: (no name) - {5AF4AA16-627A-6C7E-5212-A1970A71F0FB} - C:\WINDOWS\netkw32.dll

    O4 - HKLM\..\Run: [uhxrty] C:\WINDOWS\System32\kiukatx.exe
    O4 - HKLM\..\Run: [crft.exe] C:\WINDOWS\system32\crft.exe

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

    Then reboot into safe mode and delete:
    C:\install.cab
    C:\WINDOWS\system32\crds.exe
    C:\WINDOWS\system32\crft.exe
    C:\WINDOWS\System32\kiukatx.exe
    C:\WINDOWS\uksqi.dll
    C:\WINDOWS\netkw32.dat

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. rlewis1176

    Thanks.

    I did like you said, but there was no C:\WINDOWS\netkw32.dat.

    I restarted, and the browser had been hijacked again, so I repeated the whole procedure (Ad-Aware, Spybot, HijackThis, then I followed your directions again; most of the stuff was gone this time, though).

    This time my browser wasn't hijacked. Thanks for your help. Here is my current HijackThis log; I would appreciate it if you would look it over again for me:

    EDIT: It has started hijacking my browser again.


    Thanks very much. I shall check back later.
     
  4. Pieter_Arntz

    If you have rebooted in the meantime I will probably need to see another log.

    Check if the service is still disabled and stop this process:
    C:\WINDOWS\system32\apppc32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {32A6CEC2-152D-9C47-1D16-97AAFF45661E} - C:\WINDOWS\msej32.dll

    O4 - HKLM\..\Run: [msej32.exe] C:\WINDOWS\msej32.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\msej32.exe
    C:\WINDOWS\system32\apppc32.exe
    C:\WINDOWS\msej32.dat

    Regards,

    Pieter
     
  5. rlewis1176

    Yeah, here is another log:

    Thanks.
     
  6. Pieter_Arntz

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Check if it is still stopped and disabled.
    Right-click and stop it. Put the Startup type to Disabled under the Properties > General tab.

    Then open Task Manager and stop these two processes:
    C:\WINDOWS\winrf.exe
    C:\WINDOWS\crur.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncnhi.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncnhi.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncnhi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncnhi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ncnhi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ncnhi.dll/sp.html#37049

    O2 - BHO: (no name) - {3804F78A-088D-A205-618F-0B63DFE0A978} - C:\WINDOWS\ielq.dll

    O4 - HKLM\..\Run: [crur.exe] C:\WINDOWS\crur.exe

    O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\winrf.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\ielq.dat
    C:\WINDOWS\ncnhi.dll
    C:\WINDOWS\winrf.exe
    C:\WINDOWS\crur.exe

    Regards,

    Pieter
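
The fix lists in posts 2, 4 and 6 name different files each round (uksqi.dll, then ncnhi.dll), while the `res://` entries keep loading the same resource pages. The following is an added example, not part of the thread or of HijackThis: a small triage script that groups `R0`/`R1` overrides by the resource they load rather than by DLL name, and lists the files named by `O2` and `O4` entries. The sample lines are copied from the posts above, plus one constructed benign entry.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the fix lists in posts 2 and 6 of the
# thread, plus one benign Start Page entry (example.com) added for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksqi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksqi.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncnhi.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {3804F78A-088D-A205-618F-0B63DFE0A978} - C:\WINDOWS\ielq.dll
O4 - HKLM\..\Run: [crur.exe] C:\WINDOWS\crur.exe
O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\winrf.exe
"""

ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
RES_URL = re.compile(r"= res://(?P<dll>.+?\.dll)/(?P<page>\S+)", re.I)
AUTORUN = re.compile(r"^HKLM\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
BHO = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def basename(path):
    # Windows paths: split on backslash regardless of the host OS
    return path.rsplit("\\", 1)[-1].lower()

def triage(log):
    """Return (hijacks, persistence): res:// page overrides grouped by the
    resource they load, and the files named by BHO / Run entries."""
    hijacks, persistence = defaultdict(set), []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code in ("R0", "R1") and (r := RES_URL.search(body)):
            hijacks[r["page"]].add(basename(r["dll"]))
        elif code == "O4" and (a := AUTORUN.match(body)):
            persistence.append((a["key"], a["path"]))
        elif code == "O2" and (b := BHO.match(body)):
            persistence.append(("BHO " + b["clsid"], b["path"]))
    return dict(hijacks), persistence

if __name__ == "__main__":
    hijacks, persistence = triage(SAMPLE_LOG)
    for page, dlls in hijacks.items():
        print(f"res:// override -> {page}: DLL names seen {sorted(dlls)}")
    for source, path in persistence:
        print(f"autostart: {source} -> {path}")
```

More than one DLL name under the same resource page across successive logs means the files are being recreated under new names between cleanups, so the autostart entries need to be fixed in the same pass as the `R0`/`R1` lines.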
     
  7. rlewis1176

    Thanks, that seems to have worked. Once again, I appreciate all the help. Here is my current log, just in case:
    Also, should I restore the Network Security Service, or just leave it disabled?
     
  8. Pieter_Arntz

  9. rlewis1176

  10. Pieter_Arntz

    :cool: Never seen that one before. Neat. :)

    Regards,

    Pieter
     