  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 651

I used Ad-Aware, now I'm getting an error message.

Hi all

A customer's laptop with XP Pro SP1a was infected with 6 viruses including Sasser, Korgo and more; these were removed and fixed, and service packs were installed to prevent them coming back on the machine.
When I connected to the net I was getting many pop-ups and IE was hijacked. I ran Ad-Aware and removed all it found, then on reboot I got this error:

'Error loading C:\windows\downloaded program files\bridge.dll. The specified module could not be found.'

I found this link on the net:

http://computercops.biz/postt14722.html

but this did not help; I did not have those files on the laptop to remove.

So I did a HijackThis log, so maybe someone can tell me what I should remove from the laptop. I'm pretty sure this is to do with malware.

Logfile of HijackThis v1.97.7
Scan saved at 08:23:46, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
C:\WINDOWS\System32\jpgpdnxl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

Thank you all, this is very important.

H
0
Asked by Huseyin1; 1 solution.
Huseyin1 (Author) commented:
Oh, and don't worry about the line 'E:\virus\HijackThis.exe';
this is just a folder I named 'virus' that had the HijackThis software in.

H
0
 
LucF (EMEA Server Engineer) commented:
Hi Huseyin1,

Your computer is still full of junk :(
I see several viruses and ad/spyware.

Please run an online antivirus like http://housecall.antivirus.com first. At this moment there's just way too much; about half your log has to go!

After you've done that, please post another logfile with the newest version of HijackThis; yours is a bit outdated:
http://aumha.org/downloads/hijackthis.exe

Greetings,

LucF
0
 
Huseyin1 (Author) commented:
OK, I will do this, but are you sure I should connect the laptop to the internet? Is this safe, even though it has adware on it?

H
0
 
Huseyin1 (Author) commented:
Sorry, ignore the last post; I am doing the HouseCall scan now.

H
0
 
LucF (EMEA Server Engineer) commented:
:)
0
 
Huseyin1 (Author) commented:
You were right, there were many more viruses on there; I've removed them now (I think/hope).
Here is the log from the newer HijackThis... that error is still coming up!

Logfile of HijackThis v1.98.2
Scan saved at 09:16:10, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

H
0
 
LucF (EMEA Server Engineer) commented:
I still see a lot, but OK... could be some backdoors.

Tick the checkbox in front of the following lines, then click "Fix checked":

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Then reboot the computer into safe mode and delete all those files if you can find them.

Good luck,

LucF
0
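The triage LucF did by eye in the post above can be made repeatable. This is an added example for this thread, not HijackThis code or anything the posters wrote: it parses O4 lines and flags the tells visible in this log (a launch value with no path, a label imitating Microsoft Update/Services, a filename a typo or two away from a real system binary, hex or all-zero labels, rundll32 loading a DLL from Downloaded Program Files, and executables launched from a user profile). The sample lines are copied from the second log in this thread; the edit-distance and vowel-ratio thresholds are assumptions, and a hit is a prompt to look, not a verdict.

```python
import re
from collections import namedtuple

# Lines taken from the second HijackThis log in this thread: two legitimate
# vendor entries plus eight that LucF told the poster to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$')
# Real Windows binaries whose names the malware in this log imitates.
SYSTEM_BINARIES = {"explorer", "svchost", "wuauclt", "lsass", "services", "winlogon"}
VOWELS = set("aeiou")
Finding = namedtuple("Finding", "label command reasons")


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def first_exe(cmd):
    """Program part of a Run value: the quoted token, else text up to the first .exe/.dll."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r'(.+?\.(?:exe|dll|com|scr))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line):
    """Apply the heuristics to one O4 line; None if it is not an O4 Run/RunServices entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    label, cmd = m.group("label"), m.group("cmd")
    exe = first_exe(cmd)
    stem = exe.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    reasons = []
    if "\\" not in exe and "/" not in exe:
        reasons.append("no path: resolved via PATH, so the binary cannot be verified")
    if re.search(r"microsoft|update|services", label, re.I):
        reasons.append("label imitates Microsoft Update/Services")
    if len(stem) >= 6:  # assumption: shorter stems give too many near-matches
        for real in sorted(SYSTEM_BINARIES):
            dist = osa_distance(stem, real)
            if stem != real and dist <= 2:
                reasons.append(f"filename within {dist} edit(s) of {real}.exe")
    if re.fullmatch(r"[0-9A-Fa-f]{8}", label):
        reasons.append("auto-generated hex/zero label")
    if stem.isalpha() and len(stem) >= 8:  # assumption: vowel-ratio thresholds
        ratio = sum(c in VOWELS for c in stem) / len(stem)
        if ratio < 0.2 or ratio > 0.6:
            reasons.append("random-looking filename (vowel-ratio heuristic)")
    if stem == "rundll32" and re.search(r"downloaded program files", cmd, re.I):
        reasons.append("rundll32 loads a DLL from Downloaded Program Files")
    if re.search(r"documents and settings|application data", exe, re.I):
        reasons.append("runs from a user profile directory")
    return Finding(label, cmd, reasons)


def triage(log_text):
    """Findings for every O4 line that tripped at least one heuristic."""
    found = [triage_line(ln) for ln in log_text.splitlines()]
    return [f for f in found if f and f.reasons]
```

Running `triage(SAMPLE_LOG)` flags the eight lines LucF listed and leaves the Apoint and vptray entries alone; a real run would feed it the whole log and still have a human confirm each hit.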
 
Huseyin1 (Author) commented:
What do you mean, delete the files in safe mode? You mean navigate the registry and delete the entries from within the registry?

H
0
 
LucF (EMEA Server Engineer) commented:
Nope, HijackThis will remove them from the registry; you'll have to remove the actual files yourself. So browse your disk and remove those files (most of them will be in C:\WINDOWS\system32; for the others, you'll have to search your disk).
0
 
Skull commented:
Download AboutBuster (62KB), which will remove any spyware-created file in the system32 directory. Before that, disable System Restore.

Run regedit and try to find the path where you have "C:\windows\downloaded program files\bridge.dll". Delete it. It should be in HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce).
Also delete anything that shouldn't be starting with windows.

Navigate to HKLM\Software\microsoft\internet explorer\advancedoptions\browse\usebho

Delete anything suspicious. (Careful!)

Run AV, Ad-Aware, AboutBuster and HijackThis (in safe mode) and make sure everything is clear.
Then go to IE properties->advanced and uncheck:

"Enable Install On Demand (Internet Explorer)"
"Enable Install On Demand (Other)"
"Enable Third-Party Browser Extensions"

Also, you should consider buying some firewall. It improves the safety and gives you information about incoming and outgoing traffic.
0
 
Huseyin1 (Author) commented:
OK, I did all you have asked. I finally did a HijackThis log, so hopefully I'm clean...
The error is gone, by the way.

Logfile of HijackThis v1.98.2
Scan saved at 10:44:11, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

Am I clean?
0
 
LucF (EMEA Server Engineer) commented:
Just some minor thingies left:

Fix these entries:
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe

O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
Seems like this is a virus, but I can't really find much about it.

O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
http://www.sophos.com/virusinfo/analyses/w32rbotfh.html

O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
http://www.pestpatrol.com/pestinfo/u/urpo.asp

LucF
0
 
Huseyin1 (Author) commented:
OK, will do. I'm doing a Windows Update at the moment, 20 critical updates; after the 22MB download and install on our LAN is done, I'll do the above. Ta m8.
H
0
 
Huseyin1 (Author) commented:
OK m8, I'm happy with the machine now; it's usable, so thank you very much for your time. Thank you for your efforts.
I'd give you more points, but it's not possible, so thanks again.

H
0
 
LucF (EMEA Server Engineer) commented:
Glad to help :)

LucF
0
 
Huseyin1 (Author) commented:
:0)


H
0
Question has a verified solution.