Solved

I used Ad-Aware, now I'm getting an error message.

Posted on 2004-08-13
Last Modified: 2010-05-19
Hi all

A customer's laptop with XP Pro SP1a was infected with 6 viruses including Sasser, Korgo and more; these were removed and fixed, and service packs were installed to prevent them coming back on the machine.
When I connected to the net I was getting many pop-ups and IE was hijacked. I ran Ad-Aware and removed all it found, then on reboot I got this error:

'Error loading C:\windows\downloaded program files\bridge.dll, the specified module could not be found.'

I found this link on the net:

http://computercops.biz/postt14722.html

but... this did not help; I did not have those files on the laptop to remove.

so... I did a HijackThis log, so maybe someone can tell me what I should remove from the laptop. I'm pretty sure this is to do with malware.

Logfile of HijackThis v1.97.7
Scan saved at 08:23:46, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
C:\WINDOWS\System32\jpgpdnxl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft-Updates] svxhost.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKCU\..\Run: [ccEvtMrg.exe] ccEvtMrg.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

Thank you all, this is very important.

H
Question by:Huseyin1
LVL 8

Author Comment

by:Huseyin1
ID: 11790876
...oh, and don't worry about the line 'E:\virus\HijackThis.exe';
this is just a folder I named 'virus' that had the HijackThis software in it.

H
LVL 32

Accepted Solution

by: Luc Franken (earned 500 total points)
ID: 11790891
Hi Huseyin1,

Your computer is still full of junk :(
I see several viruses and ad/spyware.

Please run an online antivirus like http://housecall.antivirus.com first. At this moment there's just way too much, about half your log has to go!

After you've done that, please post another logfile with the newest version of HijackThis; yours is a bit outdated:
http://aumha.org/downloads/hijackthis.exe

Greetings,

LucF
LVL 8

Author Comment

by:Huseyin1
ID: 11790905
OK, I will do this, but are you sure I should connect the laptop to the internet? Is this safe, even though it has adware on it?

H
LVL 8

Author Comment

by:Huseyin1
ID: 11790913
Sorry, ignore the last post, I am doing the HouseCall scan now.

H
LVL 32

Expert Comment

by:Luc Franken
ID: 11790975
:)
LVL 8

Author Comment

by:Huseyin1
ID: 11791030
You were right, there were many more viruses on there; I've removed them now (I think/hope).
Here is the log from the newer HijackThis... that error is still coming up!

Logfile of HijackThis v1.98.2
Scan saved at 09:16:10, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\zatuyoia.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

H
LVL 32

Expert Comment

by:Luc Franken
ID: 11791057
I still see a lot, but OK... could be some backdoors.

Tick the checkbox in front of the following lines, afterwards click "Fix checked".

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [wtime Service] wtime32.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\Run: [bpraucdee] C:\WINDOWS\System32\zatuyoia.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [System Update] wauluclt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [19B05C55] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti16.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft DLL Extensions] SystemDll.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - HKCU\..\Run: [Uvumux] C:\WINDOWS\System32\jpgpdnxl.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [wtime Service] wtime32.exe
O4 - HKCU\..\Run: [Microsoft IT Updates] seclite.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti16.exe

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

Then reboot the computer into safe mode and delete all those files if you can find them.

Good luck,

LucF
LVL 8

Author Comment

by:Huseyin1
ID: 11791190
What do you mean, delete the files in safe mode? You mean navigate the registry and delete the entries from within the registry?

H
LVL 32

Expert Comment

by:Luc Franken
ID: 11791223
Nope, HijackThis will remove them from the registry; you'll have to remove the actual files yourself. So browse your disk and remove those files then (most of them will be at C:\WINDOWS\system32; for the others, you'll have to search your disk).
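The following Python is an added triage helper, not code from this thread or from HijackThis: it reads O4 and O2 lines and flags the patterns LucF is keying on above, such as vendor-sounding names like [Microsoft Update Machine] backed by a bare executable, near-misses of real Windows binaries (expl0rer.exe, sxvhost.exe), hex-blob value names, autoruns under the user's Application Data, the rundll32 entry pointing into Downloaded Program Files that kept producing the bridge.dll error after Ad-Aware had removed the DLL but not the Run value, and BHOs whose file is missing. The sample lines are copied from the logs posted in this thread; the list of system binaries and the heuristics are assumptions for the example, so every hit is a prompt to check the entry against known-good vendor software, not a verdict.

```python
import re

# Windows binaries that the bogus entries imitate with near-miss names; assumed list.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "wuauclt.exe", "winlogon.exe", "csrss.exe"}

# O4 registry autoruns, O2 BHOs (as HijackThis 1.98 prints them), first program of a Run value.
O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - .+?(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|com|scr))"?(?:\s|$)', re.I)

# Constructed sample: good and bad lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\Run: [Microsoft--Updates] sxvhost.exe
O4 - HKCU\..\Run: [System Update] wauluclt.exe
O4 - HKLM\..\Run: [9E105B26] C:\WINDOWS\System32\ziuzliood.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3EAB3371-C41C-7ECC-8626-165504A42949} - C:\WINDOWS\System32\vtgfo.dll (file missing)
"""

def levenshtein(a, b):
    """Plain edit distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_of(cmd):
    """Split the first program of a Run value into (directory, lower-case basename)."""
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else (cmd.split() or [cmd])[0]
    head, _, base = path.rpartition("\\")
    return head, base.lower()

def triage_line(line):
    """Return the reasons a HijackThis line deserves a second look ([] if none fire)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        directory, exe = executable_of(cmd)
        # "Microsoft ... Update" style name with no path: resolved via the search path at logon.
        if re.search(r"microsoft|update", name, re.I) and not directory:
            reasons.append("vendor-lookalike name with bare executable")
        # Program name one or two edits from a real Windows binary (expl0rer vs explorer).
        if exe not in SYSTEM_BINARIES:
            for real in sorted(SYSTEM_BINARIES):
                if levenshtein(exe, real) <= 2:
                    reasons.append(f"near-miss of {real}")
                    break
        # Value name that is just an 8-digit hex blob, as in [9E105B26] and [00000000].
        if re.fullmatch(r"[0-9A-F]{8}", name):
            reasons.append("hex-blob key name")
        # Autorun living in the user's profile, which any process of that user can write to.
        if "\\application data" in directory.lower():
            reasons.append("runs from user profile directory")
        # The bridge.dll case: rundll32 loading a DLL from Downloaded Program Files. Once the
        # DLL is deleted but this value stays, logon throws "specified module could not be found".
        if exe == "rundll32.exe" and "downloaded program files" in cmd.lower():
            reasons.append("rundll32 loads a DLL from Downloaded Program Files")
    m = O2_RE.match(line)
    if m and m.group("missing"):
        # Orphaned BHO: the CLSID still points at a DLL that is no longer on disk.
        reasons.append("BHO registered but file missing")
    return reasons

def triage(log_text):
    """Map each flagged line to its reasons; lines with nothing to report are omitted."""
    found = ((raw.strip(), triage_line(raw.strip())) for raw in log_text.splitlines())
    return {line: reasons for line, reasons in found if reasons}

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print("; ".join(reasons), "<-", line)
```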
LVL 1

Expert Comment

by:Skull
ID: 11791328
Download AboutBuster (62KB), which will remove any spyware-created file in the system32 directory. Before that, disable System Restore.

Run regedit and try to find the path where you have "C:\windows\downloaded program files\bridge.dll". Delete it. It should be in HKLM\Software\microsoft\windows\current version\run (and runonce).
Also delete anything that shouldn't be starting with windows.

Navigate to HKLM\Software\microsoft\internet explorer\advancedoptions\browse\usebho

Delete anything suspicious. (Careful!)

Run AV, Ad-Aware, AboutBuster, HijackThis (in safe mode) and make sure everything is clear.
Then go to IE properties->advanced and uncheck:

"Enable Install On Demand (Internet Explorer)"
"Enable Install On Demand (Other)"
"Enable Third-Party Browser Extensions"

Also you should consider buying some firewall. It improves safety and gives you information about incoming and outgoing traffic.
LVL 8

Author Comment

by:Huseyin1
ID: 11791347
OK, I did all you have asked; I finally did a HijackThis log, so hopefully I'm clean...
The error is gone, by the way.

Logfile of HijackThis v1.98.2
Scan saved at 10:44:11, on 13/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\HPOVDX05.EXE
E:\virus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dew1.dupont.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.btbroadbandoffice.com/bbhome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.lvs.dupont.com/is/csc/ist/virus/defs_32bit.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy-eu.nib.dupont.com/proxy.auto
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy-eu.nib.dupont.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.dupont.com;*.dupont.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\RunServices: [ZipMagic] C:\PROGRA~1\ZipMagic\zm32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe
O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP OfficeJet Series 700 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = dupont.com,herberts.de

Am I clean?
LVL 32

Expert Comment

by:Luc Franken
ID: 11791378
Just some minor thingies left:

Fix these entries:
O4 - HKLM\..\RunServices: [Microsoft Update Machine] expl0rer.exe
O4 - HKLM\..\RunServices: [wtime Service] wtime32.exe

O4 - HKLM\..\RunServices: [Microsoft IT Updates] seclite.exe
Seems like this is a virus, but I can't really find much about it.

O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
http://www.sophos.com/virusinfo/analyses/w32rbotfh.html

O4 - HKLM\..\RunServices: [00000000] C:\WINDOWS\System32\tloyclfhmkenxf.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Hou8497a\Application Data\urpo.exe
http://www.pestpatrol.com/pestinfo/u/urpo.asp

LucF
LVL 8

Author Comment

by:Huseyin1
ID: 11791411
OK, will do. I'm doing a Windows Update at the moment, 20 critical updates; after the 22MB download and install on our LAN is done, I'll do the above. Ta m8.
H
LVL 8

Author Comment

by:Huseyin1
ID: 11791593
OK, m8, I'm happy with the machine now, it's usable, so thank you very much for your time. Thank you for your efforts.
I'd give you more points, but that's not possible, so thanks again.

H
LVL 32

Expert Comment

by:Luc Franken
ID: 11791598
Glad to help :)

LucF
LVL 8

Author Comment

by:Huseyin1
ID: 11791948
:0)


H