Solved

I used adaware now I'm getting an error message.

Posted on 2004-08-13
16
636 Views
Last Modified: 2010-05-19
Hi all

A customers laptop with XP PRO SP1a was infected with 6 viruses including sassar korgo and more, these were removed and fixed also service packs were installed to prevent them comming back on the machine.
when I connected to the net I was getting many pop ups and IE was hijacked, I ran adaware and removed all it found then on reboot i got this error:

'error loading C:\windows\downloaded programe files\bridge.dll, the specified modual could not be found.'

I found this link on the net:

http://computercops.biz/postt14722.html

but.......this did not help, I did not have those files on the laptop to remove.

so.......I did a hijack this log so maybe some one can tell me what i should remove from the laptop. I'm pritty sure this is to do with maleware.

Logfile of HijackThis v1.97.7
Scan saved at 08:23:46, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
C:\WINDOWS\System32\jpgpdnxl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

thank you all, this is very important.

H
0
Comment
Question by:Huseyin1
  • 9
  • 6
16 Comments
 
LVL 8

Author Comment

by:Huseyin1
ID: 11790876
...........oh and dont worry about the line 'E:\virus\HijackThis.exe'
this is just a folder i named virus that had the hijack software in

H
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 500 total points
ID: 11790891
Hi Huseyin1,

You're computer is still full of junk :(
I see several virusses and ad/spyware.

Please run an online antivirus like http://housecall.antivirus.com first. At this moment there's just way too much, about half your log has to go!

After you've done that, please post another logfile with the newest version of hijackthis, yours is a bit outdated:
http://aumha.org/downloads/hijackthis.exe

Greetings,

LucF
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11790905
ok, i will do this but  are you sure i should connect the laptop to the internet, is this safe, even though it has ad ware on it?

H
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11790913
sorry, ignore the last post, i am doing the housecall scan now.

H
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11790975
:)
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11791030
you were right there were many more viruses on there i've removed them now (i think/hope)
here is the log from the newer hijackthis....that error is still comming up!

Logfile of HijackThis v1.98.2
Scan saved at 09:16:10, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

H
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11791057
I still see a lot, but ok... could be some backdoors.

Tick the checkbox in front of the following lines, afterwards click "fix checked"

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Then reboot the computer into safe mode and delete all those files if you can find them.

Good luck,

LucF
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11791190
what do you mean delete the files in safe mode, you mean navigate the registry and delete the entries from with in the regisrty?

H
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 32

Expert Comment

by:Luc Franken
ID: 11791223
Nope, hijackthis will remove them from the registry, you'll have to remove the actual files yourself. So browse your disk and remove those files then (most of them will be at C:\WINDOWS\system32 for the others, you'll have to search your disk)
0
 
LVL 1

Expert Comment

by:Skull
ID: 11791328
Download Aboutbuster (62KB) which will remove any spyware created file in system32 directory. Before that disable system restore.

Run regedit and try to find path where you have "C:\windows\downloaded programe files\bridge.dll". Delete it. It should be in the HKLM\Software\microsoft\windows\current version\run (and runonce).
Also delete anything that shouldn't be starting with windows.

Navigate to HKLM\Software\microsoft\internet explorer\advancedoptions\browse\usebho

Delete anything suspicious. (carefull)

Run AV, adaware, aboutnuster, hijack this (in safe mode) and make sure everthing is clear.
Then go to IE properties->advanced and uncheck:

"Enable Install On Demand (Internet Explorer)"
"Enable Install On Demand (Other)"
"Enable Third-Party Browser Extensions"

Also you should consider buying same firewall. It improves the safety and gives you information about incomnig and outgoing traffic.  
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11791347
ok, I did all you have asked, I finally did a hijack this log, so hopefully im clean....
the error is gone by the way.

Logfile of HijackThis v1.98.2
Scan saved at 10:44:11, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

am i clean?
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11791378
Just some minor thingies left:

Fix these entries:
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe

O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
Seems like this is a virus, but I can't really find much about it.

O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
http://www.sophos.com/virusinfo/analyses/w32rbotfh.html

O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
http://www.pestpatrol.com/pestinfo/u/urpo.asp

LucF
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11791411
ok, will do, im doing a windows update at the moment, 20 critical updates, after the 22MB download and install on our LAN is done, i'll do the above, ta m8.
H
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11791593
ok, m8, I'm happy with the machine now, its usable, so thank you very much for your time. thank you for your efforts
i'd give you more points, but not possible, so thanks again.

H
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 11791598
Glad to help :)

LucF
0
 
LVL 8

Author Comment

by:Huseyin1
ID: 11791948
:0)


H
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
C Drive Read / Write 10 126
Drivers for PC, Windows XP Home 10 110
Exe program is not a valid Win 32 application 15 95
Asus ks2003 driver XP 32 33 72
If you build your web application in Visual Studio you'll get at least a few binaries, or .DLL, files in your bin folder. However, there is more compiling to be done. Normally this would happen when an ASP.NET resource within the web site is request…
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now