Help: Hijack WINDOWS\System32\bridge...

Discussion in 'adware, spyware & hijack cleaning' started by Chrissy, May 24, 2004.

Thread Status:
Not open for further replies.
  1. Chrissy

    Chrissy Registered Member

    Joined:
    May 24, 2004
    Posts:
    1
    Hi guys
    my computer is going completly mad: every time I try to enter the Web my Internet explorer shuts down automatically. It is also impossible to fix a "Home" web adress it always reinstalls www.homepage.com as starting site. When i boot my computer i have this message appearing : WINDOWS\System32\bridge.......
    Can you help me?
    I scaned my machine with spyware and HijackThis this is the log file:
    Logfile of HijackThis v1.97.7
    Scan saved at 16:24:28, on 24/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Interwise\Student\pull.exe
    C:\Program Files\Sony\Client Manager\CMSON.EXE
    C:\WINDOWS\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\lsass.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\chuber\LOCALS~1\Temp\Rar$EX26.462\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.root.ehl.ch:8080;https=proxy.root.ehl.ch:8080;ftp=proxy.root.ehl.ch:8080;gopher=proxy.root.ehl.ch:8080;socks=proxy.root.ehl.ch:1080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = galopa;apps.sis;sis;arbok;*.aehl.ch;*.aehl.net;*.aehl.org;*.ehl.ch;*.ehl.edu;*.lhcconsulting.com;*.lhc-consulting.com;<local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://sis/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Navigator\JogServ2.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ISP] C:\Program Files\Sony\ISPselector\ISPselector.exe /SCHEDULER
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [Launcher] "C:\Program Files\MLH\launcher.exe" /P
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINDOWS\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [Watch] C:\PROGRA~1\Minitel\Watch.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: Push Client.LNK = C:\Interwise\Student\pull.exe
    O4 - Global Startup: Sony Wireless LAN Client Manager.lnk = ?
    O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?
    O15 - Trusted Zone: http://*.apps.sis
    O15 - Trusted Zone: http://apps.sis.root.ehl.ch
    O15 - Trusted Zone: http://sis.ehl.ch
    O15 - Trusted Zone: http://sis.root.ehl.ch
    O15 - Trusted Zone: http://*.sis
    O15 - Trusted Zone: *.sony-europe.com
    O15 - Trusted Zone: *.sonystyle-europe.com
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hdkzikfk.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - file://C:\Windows\e.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O17 - HKLM\Software\..\Telephony: DomainName = student.root.ehl.ch
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.root.ehl.ch

    Thanks a lot for your help
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi Chrissy,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com@www.e-finder.cc/hp/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com@www.e-finder.cc/search/ (obfuscated)
    O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe

    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray

    O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html

    O13 - DefaultPrefix: http://ehttp.cc/?
    O13 - WWW Prefix: http://ehttp.cc/?

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\hdkzikfk.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - file://C:\Windows\e.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

    Then download and run: http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\Windows\e.exe
    C:\Program Files\Q330994.exe
    C:\Program Files\Internet Explorer\hdkzikfk.exe
    C:\WINDOWS\lsasss.exe <= NOTE the three sss at the end, the real one only has two
    C:\WINDOWS\System32\bridge.dll

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.