system32\bridge.dll

Discussion in 'adware, spyware & hijack cleaning' started by atkinssix, May 13, 2004.

Thread Status:
Not open for further replies.
  1. atkinssix

    atkinssix Registered Member

    Joined:
    May 13, 2004
    Posts:
    1
    I used Ad Aware 6 and found the following logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:59:34 AM, on 5/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\cfoudnbf.exe
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\documents and settings\robby\local settings\temp\kKzju.exe
    C:\WINDOWS\wasu.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\documents and settings\robby\local settings\temp\kKzju.exe
    C:\documents and settings\robby\local settings\temp\kKzju.exe
    C:\WINDOWS\System32\scaclien.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Hewlett-Packard\hpis\bin\mad.exe
    C:\PROGRA~1\HEWLET~1\hpis\common\MOTIVE~1.EXE
    C:\WINDOWS\System32\ZymF.exe
    C:\WINDOWS\System32\UvgdT7A.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Thomas Atkins\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.midco.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {091BECA9-B19C-5CC5-D4B2-E4609F61A3F4} - C:\WINDOWS\System32\hcafbbzl.dll
    O2 - BHO: (no name) - {1224BD74-F586-4C9C-9BE3-56E68E22F843} - C:\Program Files\BrowserVillage\SideBarBHO.dll
    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
    O2 - BHO: (no name) - {41AB1CDC-36C7-4237-B96C-52589C5795BF} - C:\WINDOWS\tkczmzhws.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7F9-FE60B89CAC3F} - C:\WINDOWS\DOWNLO~1\bvillage.dll
    O2 - BHO: (no name) - {636F06D8-66DF-4A5D-BCF8-390F80F9539E} - C:\WINDOWS\lsyz.dll
    O2 - BHO: (no name) - {80CADECD-B5A6-4BF2-AFD4-D29FA939B968} - C:\WINDOWS\jhgzckit.dll
    O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O2 - BHO: (no name) - {AA2EC8F1-7E4E-495C-A497-8C84F8F9C0DE} - C:\WINDOWS\xbtbi.dll
    O2 - BHO: (no name) - {F44CAAC0-1CD2-4393-86DB-E45993E5B8F8} - C:\WINDOWS\xzcsga.dll
    O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O3 - Toolbar: BrowserVillage Toolbar - {4E7BD74F-2B8D-469E-D7F9-FE60B89CAC3F} - C:\WINDOWS\DOWNLO~1\bvillage.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
    O4 - HKLM\..\Run: [brthucpp] C:\WINDOWS\cfoudnbf.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [PPC] C:\WINDOWS\PPC.exe
    O4 - HKLM\..\Run: [GTJATE] C:\WINDOWS\GTJATE.exe
    O4 - HKLM\..\Run: [AHN] C:\WINDOWS\AHN.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [kKzju] C:\documents and settings\robby\local settings\temp\kKzju.exe
    O4 - HKLM\..\Run: [ovuyxlih] C:\WINDOWS\wasu.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\RirZr.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [kKzju.exe] C:\documents and settings\robby\local settings\temp\kKzju.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [5F9Q3nS] scaclien.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: BrowserVillage (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083511736015
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
    O16 - DPF: {9DD6A49C-CF35-4544-BF13-34DF413BCF7A} ({9DD6A49C-CF35-4544-BF13-34DF413BCF7A}) - http://195.39.204.19/codebase/Stealthnet.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37845.6660416667
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/budicon.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hello,

    Important: Create a folder on the C: drive called C:\HJT.
    You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
    Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary. Delete the old copy please.


    You have a peper infection, download this uninstaller:

    http://www.memorywatcher.com/uninst.exe

    When you run the uninstaller, you MUST have an internet connection active for it to work.

    Please run this twice with a reboot in between.


    Next, there is a threat that needs to be taken care of. Webhancer installs itself in the lsp stack and if not removed correctly, it will break your internet connection.

    Use the Control Panel 'Add/Remove Programs' option if possible; if webHancer is not there you could try reinstalling a new version and then removing it.If you still see webhancer in the next hijackthis log, then run Ad-Aware 6 again using these settings and being sure to check for updates:

    * Download Ad-aware from here:http://www.lavasoftusa.com/software/adaware
    * Install by double-clicking on the downloaded file.
    * After installing but before running, update Ad-aware by clicking the words "Check for updates now".
    * After updating, shutdown and restart Ad-aware.

    Ad-aware is ready to scan and clean your system following these steps:

    * Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    * Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    * Press "Scan Now"
    * Check option "Use Custom scanning options"
    * Check option "Activate In-Depth Scan"
    * Press "Select drives\folders to scan"
    * Select the active partition which is usually C:
    * Press "Next" to let Ad-aware scan your drives...
    * If it finds "bad" files and registry keys, press "Next" again
    * Right-click in that pane and choose "select all"
    * Press "next"
    * When it asks to remove all checked items, Press "OK"

    Close Ad-aware and reboot your system.Then post a new log.
     
  3. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    You have the Peper trojan, which requires special treatment to put it out of your misery!
    Please download and run this uninstaller

    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {091BECA9-B19C-5CC5-D4B2-E4609F61A3F4} - C:\WINDOWS\System32\hcafbbzl.dll
    O2 - BHO: (no name) - {1224BD74-F586-4C9C-9BE3-56E68E22F843} - C:\Program Files\BrowserVillage\SideBarBHO.dll
    O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
    O2 - BHO: (no name) - {41AB1CDC-36C7-4237-B96C-52589C5795BF} - C:\WINDOWS\tkczmzhws.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D7F9-FE60B89CAC3F} - C:\WINDOWS\DOWNLO~1\bvillage.dll
    O2 - BHO: (no name) - {636F06D8-66DF-4A5D-BCF8-390F80F9539E} - C:\WINDOWS\lsyz.dll
    O2 - BHO: (no name) - {80CADECD-B5A6-4BF2-AFD4-D29FA939B968} - C:\WINDOWS\jhgzckit.dll
    O2 - BHO: (no name) - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O2 - BHO: (no name) - {AA2EC8F1-7E4E-495C-A497-8C84F8F9C0DE} - C:\WINDOWS\xbtbi.dll
    O2 - BHO: (no name) - {F44CAAC0-1CD2-4393-86DB-E45993E5B8F8} - C:\WINDOWS\xzcsga.dll
    O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O3 - Toolbar: BrowserVillage Toolbar - {4E7BD74F-2B8D-469E-D7F9-FE60B89CAC3F} - C:\WINDOWS\DOWNLO~1\bvillage.dll

    O4 - HKLM\..\Run: [brthucpp] C:\WINDOWS\cfoudnbf.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [PPC] C:\WINDOWS\PPC.exe
    O4 - HKLM\..\Run: [GTJATE] C:\WINDOWS\GTJATE.exe
    O4 - HKLM\..\Run: [AHN] C:\WINDOWS\AHN.exe
    O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [kKzju] C:\documents and settings\robby\local settings\temp\kKzju.exe
    O4 - HKLM\..\Run: [ovuyxlih] C:\WINDOWS\wasu.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [kKzju.exe] C:\documents and settings\robby\local settings\temp\kKzju.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [5F9Q3nS] scaclien.exe

    O9 - Extra button: BrowserVillage (HKLM)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.6.exe
    O16 - DPF: {9DD6A49C-CF35-4544-BF13-34DF413BCF7A} ({9DD6A49C-CF35-4544-BF13-34DF413BCF7A}) - http://195.39.204.19/codebase/Stealthnet.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...lim/install.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download...ller/dwnldr.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/budicon.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

    Reboot after fixing. Just an orphaned registry entry left behind by Spybot when it removed the file.

    files
    C:\WINDOWS\cfoudnbf.exe
    C:\WINDOWS\System32\bridge.dll
    C:\WINDOWS\PPC.exe
    C:\WINDOWS\GTJATE.exe
    C:\WINDOWS\AHN.exe
    C:\WINDOWS\System32\SSUpdate.exe
    C:\WINDOWS\av.exe
    C:\WINDOWS\System32\a.exe
    C:\WINDOWS\System32\idctup20.exe
    C:\documents and settings\robby\local settings\temp\kKzju.exe
    C:\WINDOWS\wasu.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\documents and settings\robby\local settings\temp\kKzju.exe
    scaclien.exe

    folders
    C:\Program Files\MyWebSearch
    C:\Program Files\WildTangent
    C:\Program Files\AutoUpdate
    C:\Program Files\webHancer

    These may be hidden files. See HERE for how to show hidden files.

    Also delete the entire contents of the folder C:\documents and settings\robby\local settings\temp
     
Thread Status:
Not open for further replies.