Familiar Problem Error loading C:\WINDOWS\System32\bridge.dll

Discussion in 'adware, spyware & hijack cleaning' started by 2L84SLEEP, May 8, 2004.

Thread Status:
Not open for further replies.
  1. 2L84SLEEP, Registered Member (Joined: May 8, 2004; Posts: 3)

    Hi folks

    Looks like a lot of you have been having the same problem as me. I recently had the Revop C trojan, and although I seem to have got rid of it, the following is now appearing: Error loading C:\WINDOWS\System32\bridge.dll

    This appears when I load Win XP up. My HJT is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 00:45:36, on 09/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\AEIWLSTA.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0102.dll (file missing)
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.2448032407
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://gaia.webvis.net/GameDownload/setup.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://play.ladbrokescasino.com/ladbrokes/FlashAX.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/williamhill_lang/williamhill_lang/rnt/rnl/java/RntX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
    O16 - DPF: {FC9C7D52-C99A-494A-AA79-4A25098F659C} (GVDLoad Control) - http://www.casinoelegance.com/dload/gvdload.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43658E38-A93C-4397-B4B4-0E1CF3508569}: NameServer = 62.241.160.200 158.43.240.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{740386DD-A4BD-4353-B26E-365E2720B8C2}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96B64F4C-FF09-418E-A3BD-BE7E107C5EBE}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3B964B5-0C5F-4DFC-9715-CE66B77C6C27}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    If anyone could help it would be greatly appreciated :cool:
     
  2. subratam, Registered Member (Joined: Nov 14, 2003; Posts: 1,310; Location: Issaquah, WA)

    Hello,

    Try to fix the following in HijackThis:

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0102.dll (file missing)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/wi...l/java/RntX.cab


    Reboot in SAFE MODE, Show Hidden Files/Folders, and delete if found:

    C:\WINDOWS\2_0_1browserhelper2.dll
    C:\PROGRA~1\POWERS~1
    C:\WINDOWS\System32\bridge.dll

    Reboot and post a fresh log

    Regards
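
The first log explains the boot-time error: the O4 Run entry still launches rundll32.exe against bridge.dll, which the O2 line already reports as "(file missing)". The following is an added example, not part of the original posts and not HijackThis code, that finds such orphaned startup entries in a saved log; the function names are made up for illustration and the sample is a few lines copied from the log above.

```python
import re

# Constructed sample: five lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll (file missing)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0102.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.*\S)\s*$")               # "O4 - <body>"
RUN = re.compile(r"^(?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")  # O4 registry Run body
MISSING = "(file missing)"

def parse_entries(log):
    """Return (section, body) pairs for every 'Xn - ...' line in the log."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def missing_files(log):
    """Lower-cased paths that the log marks '(file missing)'."""
    paths = set()
    for _, body in parse_entries(log):
        if body.endswith(MISSING):
            # The path is the last ' - ' separated field, before the marker.
            target = body[: -len(MISSING)].rsplit(" - ", 1)[-1]
            paths.add(target.strip().lower())
    return paths

def orphaned_autoruns(log):
    """O4 Run entries whose command line references a file reported missing."""
    gone = missing_files(log)
    hits = []
    for section, body in parse_entries(log):
        m = RUN.match(body) if section == "O4" else None
        if not m:
            continue
        for path in sorted(gone):
            if path in m["cmd"].lower():
                hits.append((m["name"], m["cmd"], path))
    return hits

if __name__ == "__main__":
    for name, cmd, path in orphaned_autoruns(SAMPLE_LOG):
        print(f"Run value [{name}] still points at missing file {path}: {cmd}")
```

An entry flagged this way only says the registry value outlived its file; whether the value should be removed is still the analyst's call.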
     
  3. 2L84SLEEP, Registered Member (Joined: May 8, 2004; Posts: 3)

    Have done the relevant fixes, restarted in safe, none of the files were there to delete, have restarted and the message has gone. WOOHOO! Here is the HJT log now, does it look OK?

    Logfile of HijackThis v1.97.7
    Scan saved at 02:17:08, on 09/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\AEIWLSTA.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - Global Startup: NaturalColorLoad.lnk = ?
    O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37899.2448032407
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://gaia.webvis.net/GameDownload/setup.exe
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://play.ladbrokescasino.com/ladbrokes/FlashAX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
    O16 - DPF: {FC9C7D52-C99A-494A-AA79-4A25098F659C} (GVDLoad Control) - http://www.casinoelegance.com/dload/gvdload.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43658E38-A93C-4397-B4B4-0E1CF3508569}: NameServer = 62.241.160.200 158.43.240.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{740386DD-A4BD-4353-B26E-365E2720B8C2}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96B64F4C-FF09-418E-A3BD-BE7E107C5EBE}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3B964B5-0C5F-4DFC-9715-CE66B77C6C27}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    Also a huge thank you to you, Subratam, for taking time out to help me :cool:
     
  4. Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,332; Location: Netherlands)

    Hi 2L84SLEEP,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:


    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab

    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://play.ladbrokescasino.com/ladbrokes/FlashAX.cab

    O16 - DPF: {FC9C7D52-C99A-494A-AA79-4A25098F659C} (GVDLoad Control) - http://www.casinoelegance.com/dload/gvdload.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38

    O17 - HKLM\System\CCS\Services\Tcpip\..\{740386DD-A4BD-4353-B26E-365E2720B8C2}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96B64F4C-FF09-418E-A3BD-BE7E107C5EBE}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3B964B5-0C5F-4DFC-9715-CE66B77C6C27}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS3\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    Then reboot.

    Regards,

    Pieter
     