CSRSS.exe, Bridge.DLL, Allaboutsearching, atom meow, and meal surf dead

Discussion in 'adware, spyware & hijack cleaning' started by edg, May 9, 2004.

Thread Status:
Not open for further replies.
  1. edg

    edg Registered Member

    Joined:
    May 8, 2004
    Posts:
    1
    Hello,

    I have several problems:

    1) CSRSS.exe: I get windows that pop up from the Messenger Service saying that my OS needs to be patched and pointing me to a site called windowspatch.info. This is not a pop-up ad. I checked Task Manager to see what process it is associated with, and it says CSRSS.exe.

    2) All.About.Searching tries to hijack my browser page when I start up. I have SpywareGuard to block this from happening, but I would like to get it off my computer.

    3) Bridge.dll: I get this message on startup saying that it is missing.

    4) Atom Meow: This folder keeps appearing in my Program Files with download plus.exe in the folder.

    5) Meal Surf Dead: This also keeps appearing in my Program Files with hide date pop.dat and stupidbalm.dll in the folder.

    I've run Ad-Aware, scanning my favorites and hosts file as well as the registry and active processes. I've also run Spybot, and that comes up clean.

    My HJT log is attached. Could you please take a look? Thanks a million!


    Logfile of HijackThis v1.97.7
    Scan saved at 9:47:07 AM, on 5/9/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\MWW32\MANAGER\MWMDMSVC.EXE
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\System32\gearsec.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\PROGRA~1\Novadigm\RADEXECD.exe
    C:\PROGRA~1\Novadigm\RADSCHED.exe
    C:\PROGRA~1\Novadigm\RADSTGMS.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    c:\netrc\PH32SVC.EXE
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\SYSTEM32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Promon.exe
    C:\WINNT\system32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\system32\AEIWLSTA.EXE
    C:\WINNT\system32\PRPCUI.exe
    C:\OfficeScan NT\RAUAgent.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\netrc\PHOST32.EXE
    C:\WINNT\system32\RunDll32.exe
    C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe
    C:\OfficeScan NT\Pccntmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\ATOMME~2\download plus.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\egung\My Documents\Downloads\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=3
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O1 - Hosts: XJ¦XJ¦¦¦˜¦˜¦ <¦ <¦¨¦¨¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦hŦhŦè¦è¦ð¦ð¦ø¦ø¦ ˆ¦¦¦˜¦˜¦*¦*¦¨¦¨¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦
    O1 - Hosts:  ¦˜¦˜¦*¦*¦¨¦¨¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦
    O1 - Hosts: XJ¯XJ¯¯¯˜¯˜¯a¯˜*¯¨¯¨¯°¯°¯¸¯¸¯À¯À¯È¯È¯Ð¯Ð¯Ø¯Ø¯à¯à¯è¯è¯ð¯ð¯ø¯ø¯ ˆ¯¯¯˜¯˜¯*¯*¯¨¯¨¯°¯°¯¸¯¸¯À¯À¯È¯È¯Ð¯Ð¯Ø¯Ø¯à¯à¯è¯è¯ð¯ð¯ø¯ø¯
    O1 - Hosts: ¯˜¯˜¯*¯*¯¨¯¨¯°¯°¯¸¯¸¯À¯À¯È¯È¯Ð¯Ð¯Ø¯Ø¯à¯à¯è¯è¯ð¯ð¯ø¯ø¯
    O1 - Hosts: XJ¦XJ¦¦¦˜¦˜¦xb¦ <¦8R¦8R¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦ ˆ¦¦¦˜¦˜¦*¦*¦¨¦¨¦8Á¦8Á¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Teoma Bar - {4194307F-65BB-454A-81D4-9E8A9D7CBAEA} - C:\WINNT\System32\teomabAB.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.108-big.dll
    O3 - Toolbar: Spoke - {4FC00340-F75E-4EB5-880C-651A8A76965F} - C:\Program Files\Spoke Client\1.9.400.618\SpokeToolBand.dll (file missing)
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Base Cast - {3EE730BD-14B3-2020-A7AF-3191AECC81E8} - C:\PROGRA~1\MEALSU~2\stupidbalm.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [ProxyHostTrayIcon] c:\netrc\PHOST32.EXE -s
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [ACUMon] "C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\Pccntmon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [defy mess] C:\PROGRA~1\ATOMME~2\download plus.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [Anti-Keylogger 5.0] C:\Program Files\Anti-Keylogger\ak5_load.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmcache.html
    O8 - Extra context menu item: Dictionary Search - javascript:external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection-word'"
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmsimilar.html
    O8 - Extra context menu item: Teoma Search - javascript:external.menuArguments.location.href="javascript:TeomaBarcommand='cmd-search-selection'"
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.108-big.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O15 - Trusted Zone: http://*.ent.gartner.com
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} (Teoma Installer Control) - http://sp.ask.com/docs/teoma/toolbar/download/teomab-inst.cab
    O16 - DPF: {5B2745C4-8488-432C-A985-77C3E2EFA64F} (PpayWallet) - https://www26.americanexpress.com/privatepayments/ppayspw.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi edg,


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=3
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O1 - Hosts: XJ¦XJ¦¦¦˜¦˜¦ <¦ <¦¨¦¨¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦hŦhŦè¦è¦ð¦ð¦ø¦ø¦ ˆ¦¦¦˜¦˜¦*¦*¦¨¦¨¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦
    O1 - Hosts:  ¦˜¦˜¦*¦*¦¨¦¨¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦
    O1 - Hosts: XJ¯XJ¯¯¯˜¯˜¯a¯˜*¯¨¯¨¯°¯°¯¸¯¸¯À¯À¯È¯È¯Ð¯Ð¯Ø¯Ø¯à¯à¯è¯è¯ð¯ð¯ø¯ø¯ ˆ¯¯¯˜¯˜¯*¯*¯¨¯¨¯°¯°¯¸¯¸¯À¯À¯È¯È¯Ð¯Ð¯Ø¯Ø¯à¯à¯è¯è¯ð¯ð¯ø¯ø¯
    O1 - Hosts: ¯˜¯˜¯*¯*¯¨¯¨¯°¯°¯¸¯¸¯À¯À¯È¯È¯Ð¯Ð¯Ø¯Ø¯à¯à¯è¯è¯ð¯ð¯ø¯ø¯
    O1 - Hosts: XJ¦XJ¦¦¦˜¦˜¦xb¦ <¦8R¦8R¦°¦°¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦ ˆ¦¦¦˜¦˜¦*¦*¦¨¦¨¦8Á¦8Á¦¸¦¸¦À¦À¦È¦È¦Ð¦Ð¦Ø¦Ø¦à¦à¦è¦è¦ð¦ð¦ø¦ø¦

    O3 - Toolbar: Spoke - {4FC00340-F75E-4EB5-880C-651A8A76965F} - C:\Program Files\Spoke Client\1.9.400.618\SpokeToolBand.dll (file missing)
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O3 - Toolbar: Base Cast - {3EE730BD-14B3-2020-A7AF-3191AECC81E8} - C:\PROGRA~1\MEALSU~2\stupidbalm.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load

    O4 - HKLM\..\Run: [defy mess] C:\PROGRA~1\ATOMME~2\download plus.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab

    Then reboot into safe mode and delete:
    C:\Program Files\Common files\WinTools <= entire folder
    C:\Program Files\ATOMME~2 <= entire folder that holds download plus.exe
    C:\Program Files\MEALSU~2 <= entire folder that holds stupidbalm.dll
    C:\Program Files\Toolbar <= entire folder

    Regards,

    Pieter
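The three kinds of entry Pieter's fix list singles out (garbled O1 hosts lines, toolbar/search-hook entries whose file no longer exists, and a Run entry loading bridge.dll out of IE's Downloaded Program Files cache) can be picked out of a HijackThis v1.97 log mechanically. The script below is an added illustration, not code from either poster or from HijackThis; the sample lines are copied from the log above and the triage rules are assumptions drawn from this thread, so a hit means "review this entry", not a verdict.

```python
import re
import string

# Constructed sample: a few lines in HijackThis v1.97 log format, copied from
# the log posted above (not the complete log). The O1 line is deliberately
# garbled, as it is in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: XJ¦XJ¦¦¦˜¦˜¦ <¦ <¦¨¦¨¦°¦°¦
O3 - Toolbar: Spoke - {4FC00340-F75E-4EB5-880C-651A8A76965F} - C:\Program Files\Spoke Client\SpokeToolBand.dll (file missing)
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
"""

# Every HJT entry starts with a section code (R0..R3, O1..O23), a dash, then the body.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def parse_hjt(text):
    """Split log text into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(entries):
    """Apply the three rules this thread illustrates (assumed heuristics, not an HJT feature)."""
    findings = []
    for sec, body in entries:
        if sec == "O1" and any(ch not in string.printable for ch in body):
            # A hosts file is plain ASCII text; binary garbage means it was overwritten or damaged.
            findings.append((sec, body, "hosts entry contains non-printable bytes; hosts file is damaged"))
        elif body.endswith(("(no file)", "(file missing)")):
            # Registry still points at a toolbar/hook whose DLL is gone: leftover of a removed program.
            findings.append((sec, body, "orphaned entry: referenced file no longer exists"))
        elif sec == "O4" and "downloaded program files" in body.lower():
            # Autorun entries normally do not load code from IE's ActiveX download cache.
            findings.append((sec, body, "autorun loads a DLL from IE's Downloaded Program Files cache"))
    return findings

def triage_log(text):
    return triage(parse_hjt(text))

if __name__ == "__main__":
    for sec, body, reason in triage_log(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {body}")
```

The legitimate ThinkPad RunDll32 entry and iTunesHelper pass through untouched, which is the point of keying the rundll32 rule on the download-cache path rather than on rundll32 itself.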
     