a little help please:

Discussion in 'adware, spyware & hijack cleaning' started by rlewis1176, Jun 17, 2004.

Thread Status:
Not open for further replies.
  1. rlewis1176

    rlewis1176 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    I have the 'error in c:\windows\system32\bridge.dll' error message popping up a lot, with lots of popups too, and homepage redirects.


    I have followed the directions found here: https://www.wilderssecurity.com/showthread.php?t=15913

    Here is my HijackThis log:

    Thanks for your time, I'm really at a loss for a solution.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi rlewis1176,

    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Right-click and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\system32\crds.exe
    C:\WINDOWS\system32\crft.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksqi.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksqi.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uksqi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uksqi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uksqi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uksqi.dll/sp.html#37049

    O2 - BHO: (no name) - {5AF4AA16-627A-6C7E-5212-A1970A71F0FB} - C:\WINDOWS\netkw32.dll

    O4 - HKLM\..\Run: [uhxrty] C:\WINDOWS\System32\kiukatx.exe
    O4 - HKLM\..\Run: [crft.exe] C:\WINDOWS\system32\crft.exe

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab

    Then reboot into safe mode and delete:
    C:\install.cab
    C:\WINDOWS\system32\crds.exe
    C:\WINDOWS\system32\crft.exe
    C:\WINDOWS\System32\kiukatx.exe
    C:\WINDOWS\uksqi.dll
    C:\WINDOWS\netkw32.dat

    Post a new log when you are done, so we can see if everything worked out as planned.

    Regards,

    Pieter
     
  3. rlewis1176

    rlewis1176 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    thanks.

    I did like you said, but there was no C:\WINDOWS\netkw32.dat

    I restarted, and the browser had been hijacked again, so I repeated the whole procedure (Ad-Aware, Spybot, HijackThis), then I followed your directions again. Most of the stuff was gone this time, though.

    This time my browser wasn't hijacked. Thanks for your help. Here is my current HijackThis log; I would appreciate it if you would look it over again for me:

    EDIT: it has started hijacking my browser again.


    Thanks very much. I shall check back later.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    If you have rebooted in the meantime I will probably need to see another log.

    Check if the service is still disabled and stop this process:
    C:\WINDOWS\system32\apppc32.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {32A6CEC2-152D-9C47-1D16-97AAFF45661E} - C:\WINDOWS\msej32.dll

    O4 - HKLM\..\Run: [msej32.exe] C:\WINDOWS\msej32.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\msej32.exe
    C:\WINDOWS\system32\apppc32.exe
    C:\WINDOWS\msej32.dat

    Regards,

    Pieter
     
  5. rlewis1176

    rlewis1176 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    yeah, here is another log:

    thanks.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Click Start > Run > Services.msc > OK
    In the services window find Network Security Service.
    Check if it is still stopped and disabled.
    Right-click and stop it. Set the Startup type to Disabled under Properties > General tab.

    Then open TaskManager and stop these two processes:
    C:\WINDOWS\winrf.exe
    C:\WINDOWS\crur.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncnhi.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncnhi.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncnhi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncnhi.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ncnhi.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ncnhi.dll/sp.html#37049

    O2 - BHO: (no name) - {3804F78A-088D-A205-618F-0B63DFE0A978} - C:\WINDOWS\ielq.dll

    O4 - HKLM\..\Run: [crur.exe] C:\WINDOWS\crur.exe

    O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\winrf.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\ielq.dat
    C:\WINDOWS\ncnhi.dll
    C:\WINDOWS\winrf.exe
    C:\WINDOWS\crur.exe

    Regards,

    Pieter
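
Added example, not part of the thread and not HijackThis code: a small triage script for the entry shapes that recur in the fix lists above (an IE page set to a `res://` URL inside a local DLL, a BHO shown as "(no name)", and Run/RunOnce autostarts). The file names differ between the fix lists in this thread, so the checks key on the shape of each entry, not on names; the regular expressions and function names are assumptions made for this example, and O4 entries are only listed for review, not judged.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# Sample input: entries quoted from the fix list above, plus one constructed benign line (last).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncnhi.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ncnhi.dll/sp.html#37049
O2 - BHO: (no name) - {3804F78A-088D-A205-618F-0B63DFE0A978} - C:\WINDOWS\ielq.dll
O4 - HKLM\..\Run: [crur.exe] C:\WINDOWS\crur.exe
O4 - HKLM\..\RunOnce: [winrf.exe] C:\WINDOWS\winrf.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
RES = re.compile(r"= res://(?P<dll>[^/]+\.dll)/", re.I)
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$", re.I)
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)


def triage(log_text):
    """Return (section, reason, file name) for each entry matching a shape seen in the thread."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header lines, blank lines, running-process list
        sec, body = m["sec"], m["body"]
        if sec in ("R0", "R1") and (r := RES.search(body)):
            # Start/Search page served out of a DLL on disk instead of a web URL.
            findings.append((sec, "IE page loaded from a local DLL resource", basename(r["dll"]).lower()))
        elif sec == "O2" and (b := BHO.match(body)) and b["name"] == "(no name)":
            findings.append((sec, "unnamed BHO", basename(b["path"]).lower()))
        elif sec == "O4" and (a := RUN.match(body)):
            # Inventory only: every Run/RunOnce autostart is listed for a human to review.
            findings.append((sec, f"autostart via {a['key']}", basename(a["cmd"]).lower()))
    return findings


def files_to_review(findings):
    """Unique file names behind the findings, sorted, for comparing one log against the next."""
    return sorted({name for _, _, name in findings})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```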
     
  7. rlewis1176

    rlewis1176 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
    Thanks, that seems to have worked. Once again, I appreciate all the help. Here is my current log, just in case:
    Also, should I restore the Network Security Service, or just leave it disabled?
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  9. rlewis1176

    rlewis1176 Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    5
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    :cool: Never seen that one before. Neat. :)

    Regards,

    Pieter
     