HJT Log -- Need Help

Discussion in 'adware, spyware & hijack cleaning' started by Jedi Jacen, May 30, 2004.

Thread Status:
Not open for further replies.
  1. Jedi Jacen

    Jedi Jacen Registered Member

    Joined:
    May 30, 2004
    Posts:
    1
    My problems with the system are every login/boot I get a Rundll32 error, saying it can't find bridge.dll, and I don't know what effects that has, but I know that my CD drive isn't reading anything, and notepad won't work (not sure if these are related).

    I ran a scan (and delete) with Ad Aware 6 before running HJT.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:21:16 PM, on 30/05/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\QUICKT~1\qttask.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\TBLMOUSE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4248
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4248
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mizukori.com/stbb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: EQuill (HKLM)
    O9 - Extra 'Tools' menuitem: EQuill (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E6F81552-8004-4870-883F-0EB31B8A5FF2}: NameServer = 203.0.178.191
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Jedi !

    Welcome to Wilders ! :)

    Before you start, please unzip or move HijackThis.Exe to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Now, Please close down all windows instances, Browser windows and have hijackthis fix the following entries :

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=4248
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=4248
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mizukori.com/stbb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
    R3 - Default URLSearchHook is missing

    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com

    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

    O9 - Extra button: EQuill (HKLM)
    O9 - Extra 'Tools' menuitem: EQuill (HKLM)
    O9 - Extra button: Research (HKLM)


    The entries in red color is not recommended as it includes Lop.com. More read on here..http://www.spywareinfoforum.com/newsletter/archives/june-2003/3.php

    The entry in blue color is also optional to remove. These are typically infrequently used tasks that can be started manually if necessary..

    Are you aware about the prgram named Greetings Workshop ??

    Now, Reboot your machine and boot into safe mode by tapping F8 key(8-9 times) at bootup.

    This may happen that file is hidden so first unhide the files using following instructions...
    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Search and If present, delete all the following file(s)..

    C:\WINDOWS\System32\bridge.dll

    Reboot your machine and boot into normal mode.

    To set your Home and search pages back to the MS defaults, here's a registry file to download and execute. Just double click on IEFIX.REG to execute.

    http://www.spywareinfoforum.com/downloads/tools/IEFIX.reg

    Be sure to empty your Temporary Internet files too.

    Now, I highly recommend that you go to Windows Update and install all Critical Updates and Service Packs ASAP!. This will patch numerous security holes in IE and Windows Operating System.

    When you have done all, Reboot & Rescan your machine with hijackthis and please post a fresh log..

    With Thanks !
    Newkid !
     
Thread Status:
Not open for further replies.