Getting the error loading C:/windows/system32/bridge.dll message

Discussion in 'adware, spyware & hijack cleaning' started by allie, May 14, 2004.

Thread Status:
Not open for further replies.
  1. allie

    allie Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    I ran adware and then downloaded hijackthis and below is my log. I was having multiple problems with my computer before but after downloading new Norton antivirus things are working a bit better but my computer automatically dials up AOL and connects to the internet every time I turn my computer on. Not sure why it is doing this. Can anyone help? thanks. Also, sometimes I am having trouble with the norton antivirus software. If you give me advice on how to fix this, can you be very explicit because I am pretty computer illiterate and usually require exact directions so I don't mess anything up more than it is. thanks so much - this is very helpful.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:20:03 PM, on 5/14/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\documents and settings\jeremy turoff\local settings\temp\zXs.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\skentlog.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\skentlog.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\skentlog.exe
    C:\WINDOWS\System32\winttr.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\Common Files\AOL\ACS\acsd.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Documents and Settings\Jeremy Turoff\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [zXs] C:\documents and settings\jeremy turoff\local settings\temp\zXs.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bin9.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [vsnj3EO] skentlog.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [AutoLoadervF411QTQXPaW] "C:\WINDOWS\System32\skentlog.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AutoLoadervF4N1QTQXPaW] "C:\WINDOWS\System32\skentlog.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\winttr.exe
    O4 - HKCU\..\Run: [datime] C:\WINDOWS\System32\datime.exe
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3153.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{825927FC-C534-45B5-A0C3-9900906F2450}: NameServer = 205.188.146.146
     
    Last edited: May 14, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi allie,

    First, download and run: Peper uninstaller

    Before you start using HijackThis please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [zXs] C:\documents and settings\jeremy turoff\local settings\temp\zXs.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bin9.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\winttr.exe

    Then reboot into safe mode and delete:
    C:\Program Files\AutoUpdate <= entire folder
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\winttr.exe
    C:\documents and settings\jeremy turoff\local settings\temp <= empty this folder, do NOT delete the folder itself

    The Local Settings folder is hidden by default. Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

    That leaves a few that look suspicious, but I don't know what they are:

    O4 - HKLM\..\Run: [vsnj3EO] skentlog.exe
    O4 - HKLM\..\Run: [AutoLoadervF411QTQXPaW] "C:\WINDOWS\System32\skentlog.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [AutoLoadervF4N1QTQXPaW] "C:\WINDOWS\System32\skentlog.exe"
    O4 - HKCU\..\Run: [datime] C:\WINDOWS\System32\datime.exe

    Could you mail C:\WINDOWS\System32\datime.exe and C:\WINDOWS\System32\skentlog.exe to the address in my profile (preferably zipped up)

    Regards,

    Pieter
     
  3. allie

    allie Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi Pieter,

    Thanks for your help - It seemed to help but I was not able to download and run the Pepper Install (I think my anti-virus mentioned that it was recommended not to install it - so I didn't just in case) but I did the other steps. The one question I have is now when I restart my computer it says that I changed the way Windows starts with the system configuration - do I need to do anything? I just closed it out but it asks me if I want to restore normal mode but I think that changes anything I've done.

    I tried to email you from your profile but it says that you cannot accept emails - how should I send you those files?

    Thanks again for your help - hopefully I did it right and my computer will be acting better.

    Thanks!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi allie,

    Could you post a new HijackThis log please?
    So we can see how far we got.

    Regards,

    Pieter
     
  5. allie

    allie Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi Pieter,

    Thanks for your continued help. Below is my log from my most recent hijack this.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:12:14 AM, on 5/16/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\skentlog.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\skentlog.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Jeremy Turoff\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [AutoLoadervF411QTQXPaW] "C:\WINDOWS\System32\skentlog.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [vsnj3EO] skentlog.exe
    O4 - HKLM\..\Run: [AutoLoadervF4N1QTQXPaW] "C:\WINDOWS\System32\skentlog.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [datime] C:\WINDOWS\System32\datime.exe
    O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
    O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3153.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{825927FC-C534-45B5-A0C3-9900906F2450}: NameServer = 205.188.146.146

    I have a question, should I delete the back-up files that are saved under the un-zipped version of hijackthis and should I delete the zipped file of hijackthis?

    Also, is it normal to always seem to be getting new adware threats - I have run adaware multiple times and my norton anti-virus and I always seem to have more.

    Thanks for your help - my computer is running better already.

    Allie
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi allie,

    You should get Windows and IE updated as a first.
    Then I would love to have a look at skentlog.exe
    It may tell me some more about what is going on.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe

    O4 - HKLM\..\Run: [AutoLoadervF411QTQXPaW] "C:\WINDOWS\System32\skentlog.exe" /PC="AM.WILD" /HideUninstall

    O4 - HKLM\..\Run: [vsnj3EO] skentlog.exe
    O4 - HKLM\..\Run: [AutoLoadervF4N1QTQXPaW] "C:\WINDOWS\System32\skentlog.exe"

    O4 - HKCU\..\Run: [datime] C:\WINDOWS\System32\datime.exe

    Then reboot and delete:
    C:\WINDOWS\System32\IEHost.exe

    Hang on to the backups that HijackThis makes until we are sure everything went fine.

    Regards,

    Pieter
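
Added example, not part of the original thread and not HijackThis's own code: a small Python check that compares the O4 autorun entries marked for "Fix checked" in the first reply against the O4 lines of the follow-up scan, to show which ones survived the first cleanup pass. The function names `parse_o4`, `persisted` and `removed` are hypothetical, and the sample text is excerpted from the logs posted above.

```python
import re

# Registry autorun line as HijackThis prints it, e.g.
#   O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
# "Global Startup" O4 lines have a different shape and are not matched here.
O4_RE = re.compile(r'^\s*O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] (.+?)\s*$')

def parse_o4(text):
    """Return {(hive, key, value_name): command} for each O4 registry line."""
    entries = {}
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name)] = cmd
    return entries

def persisted(fix_list, later_scan):
    """Entries marked for fixing that still appear in a later scan."""
    later = parse_o4(later_scan)
    return sorted(k for k in parse_o4(fix_list) if k in later)

def removed(fix_list, later_scan):
    """Entries marked for fixing that are gone from the later scan."""
    later = parse_o4(later_scan)
    return sorted(k for k in parse_o4(fix_list) if k not in later)

# O4 lines from the first "Fix checked" list in the thread.
FIX_LIST = r'''
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [zXs] C:\documents and settings\jeremy turoff\local settings\temp\zXs.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bin9.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\winttr.exe
'''

# Excerpt of the O4 section of the follow-up scan (5/16/2004).
LATER_SCAN = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [vsnj3EO] skentlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [datime] C:\WINDOWS\System32\datime.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
'''

if __name__ == "__main__":
    for hive, key, name in persisted(FIX_LIST, LATER_SCAN):
        print(f"still present: {hive}\\..\\{key}: [{name}]")
    print(f"{len(removed(FIX_LIST, LATER_SCAN))} fixed entries no longer listed")
```

An entry that reappears after being fixed usually means the process that writes the Run value was still running when the fix was applied, which is why the instructions say to close everything else first and then delete the file after a reboot.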
     
  7. allie

    allie Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi Pieter,

    Thanks for responding - One question, what do you mean by updating Windows and IE? I am a bit computer illiterate - how do I do this?

    Thanks.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi allie,

    The easiest way is to click in IE on Tools > Windows Update
    Follow the instructions from the site it takes you to.

    Regards,

    Pieter
     
  9. allie

    allie Registered Member

    Joined:
    May 14, 2004
    Posts:
    5
    Hi Pieter,

    I just updated Windows and will do the fix check on the log, but when I delete the file you asked me to - do I need to reboot into safe mode again? Also, when I restart my computer now it says that I have used the system utility component to change the way windows starts. It keeps asking me if I want to go to normal mode because it's in selective mode. This is confusing me - what do I need to do? Will going back to normal mode erase everything we have done?

    Thanks.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    No, it will not undo all the changes. Once you are done following my instructions you can boot normally. Do that by selecting it in the same way you have selected safe mode before.

    Regards,

    Pieter
     