4 Posts

July 10th, 2004 21:00

c:\windows\downloaded program files\bridge.dll

I am receiving an error when I first load up that says my system can not locate this file.  How can I get rid of this error? 

933 Posts

July 10th, 2004 22:00

Hi LaxStarr, We would be glad to take a look if you will follow the directions below.

We need to make you aware that many, many logs are being posted.  Because we are few, all volunteers with families and real jobs, we will have to ask you to be patient.  We work the logs in the order they come in. One of the experts (trained at SpywareInfo & Tom Coyote) will assist with your log as soon as possible. They may ask for a fresh log as rebooting can mutate the newest infections.
 
We need you to download and install an analysis and repair tool called HijackThis.
 
Download the zipped file from here: http://www.majorgeeks.com/download3155.html.  Please see the following link for information about downloading and other FAQ's.  There is also a link there to an .exe version of HijackThis if there is anyone who absolutely can not open a .zip file.  Please use this for that purpose only due to limited bandwidth, thank you.   HijackThis FAQ (Frequently Asked Questions) also at: http://russelltexas.com/malware/faqhijackthis.htm
 

Please unzip HijackThis.zip or move the HijackThis.exe file into a new folder you create in the root (first) level of the C: drive. Name this folder HJT for best and safest results. Don't place it on the Wallpaper, in a Temp folder, or the My Documents folder. It will create many backup files and they need to be stored in a unique HijackThis folder. If it is properly placed it will look like this:   C:\HJT\HijackThis.exe. Please be careful with these instructions, a misplaced log can slow down your repair while it is placed properly.
 
After downloading, and unzipping the HijackThis file into a safe folder you create (preferably a folder named HJT in the first level of the C: drive)...run HijackThis, click on the 'scan' button and then 'save log' button.
 
Copy and paste the contents of the text file you save into a reply to this message. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste at http://www.tomcoyote.com/hjt
 
Special Notice! HijackThis is a powerful tool that edits the brains of Windows (the Registry). DO NOT FIX anything in the HijackThis log screen without assistance from the experts! Most of the line items in the scanned log are normal for Windows operation. HijackThis should identify the vast majority of your problems and enable us to help you clean them off your system.
 
Stay in this thread for continuity. Reply to this message.
 
Thanks,
 
pskelley
In Training at TomCoyote.com and Spywareinfo.com
 
Texruss
http://www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.

Also...these longtime DellForum regulars have proven to me time and again their advice is excellent for malware questions in general and many specific items in Hijackthis logs:  jimw, ddeerrff, and msgale.

BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.

 

6 Posts

July 11th, 2004 22:00

Hi pskelley,

I'm having the same problems as LaxStarr.  I followed your instructions and listed below are my results:

Logfile of HijackThis v1.98.0
Scan saved at 7:30:18 PM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uofoz.dll/sp.html#26560
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uofoz.dll/index.html#26560
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uofoz.dll/index.html#26560
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\uofoz.dll/sp.html#26560
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\uofoz.dll/sp.html#26560
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uofoz.dll/index.html#26560
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netde.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {29095A96-7937-1B82-983D-EDB41DE19E8E} - C:\WINDOWS\ntdi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKLM\..\Run: [xload32] C:\WINDOWS\System32\netdd.exe
O4 - HKLM\..\Run: [addki32.exe] C:\WINDOWS\addki32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vgwrkcgml] C:\WINDOWS\System32\ekhmcfdv.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunServices: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKLM\..\RunOnce: [msjv32.exe] C:\WINDOWS\system32\msjv32.exe
O4 - HKLM\..\RunOnce: [appzy32.exe] C:\WINDOWS\appzy32.exe
O4 - HKLM\..\RunOnce: [apiej.exe] C:\WINDOWS\apiej.exe
O4 - HKLM\..\RunOnce: [atlgj32.exe] C:\WINDOWS\atlgj32.exe
O4 - HKLM\..\RunOnce: [addnd.exe] C:\WINDOWS\addnd.exe
O4 - HKLM\..\RunOnce: [cras.exe] C:\WINDOWS\cras.exe
O4 - HKLM\..\RunOnce: [atlls.exe] C:\WINDOWS\atlls.exe
O4 - HKLM\..\RunOnce: [addec.exe] C:\WINDOWS\system32\addec.exe
O4 - HKLM\..\RunOnce: [javapp.exe] C:\WINDOWS\javapp.exe
O4 - HKLM\..\RunOnce: [sdkdm.exe] C:\WINDOWS\sdkdm.exe
O4 - HKLM\..\RunOnce: [syscx.exe] C:\WINDOWS\system32\syscx.exe
O4 - HKLM\..\RunOnce: [netqu.exe] C:\WINDOWS\system32\netqu.exe
O4 - HKLM\..\RunOnce: [appnv32.exe] C:\WINDOWS\system32\appnv32.exe
O4 - HKLM\..\RunOnce: [sdksj.exe] C:\WINDOWS\system32\sdksj.exe
O4 - HKLM\..\RunOnce: [sdkms.exe] C:\WINDOWS\sdkms.exe
O4 - HKLM\..\RunOnce: [msnj32.exe] C:\WINDOWS\system32\msnj32.exe
O4 - HKLM\..\RunOnce: [netyw.exe] C:\WINDOWS\system32\netyw.exe
O4 - HKLM\..\RunOnce: [netzc32.exe] C:\WINDOWS\netzc32.exe
O4 - HKLM\..\RunOnce: [atlse.exe] C:\WINDOWS\system32\atlse.exe
O4 - HKLM\..\RunOnce: [addng32.exe] C:\WINDOWS\addng32.exe
O4 - HKLM\..\RunOnce: [javasz.exe] C:\WINDOWS\system32\javasz.exe
O4 - HKLM\..\RunOnce: [sysbb32.exe] C:\WINDOWS\system32\sysbb32.exe
O4 - HKLM\..\RunOnce: [ntmp32.exe] C:\WINDOWS\ntmp32.exe
O4 - HKLM\..\RunOnce: [nttf.exe] C:\WINDOWS\nttf.exe
O4 - HKLM\..\RunOnce: [systr32.exe] C:\WINDOWS\systr32.exe
O4 - HKLM\..\RunOnce: [crdc.exe] C:\WINDOWS\system32\crdc.exe
O4 - HKLM\..\RunOnce: [ippi32.exe] C:\WINDOWS\system32\ippi32.exe
O4 - HKLM\..\RunOnce: [winil32.exe] C:\WINDOWS\winil32.exe
O4 - HKLM\..\RunOnce: [mfccl.exe] C:\WINDOWS\mfccl.exe
O4 - HKLM\..\RunOnce: [addtp32.exe] C:\WINDOWS\addtp32.exe
O4 - HKLM\..\RunOnce: [javakx32.exe] C:\WINDOWS\system32\javakx32.exe
O4 - HKLM\..\RunOnce: [appow.exe] C:\WINDOWS\system32\appow.exe
O4 - HKLM\..\RunOnce: [sdktp32.exe] C:\WINDOWS\system32\sdktp32.exe
O4 - HKLM\..\RunOnce: [sysys32.exe] C:\WINDOWS\sysys32.exe
O4 - HKLM\..\RunOnce: [sdkrg.exe] C:\WINDOWS\system32\sdkrg.exe
O4 - HKLM\..\RunOnce: [d3kt.exe] C:\WINDOWS\d3kt.exe
O4 - HKLM\..\RunOnce: [d3ie.exe] C:\WINDOWS\system32\d3ie.exe
O4 - HKLM\..\RunOnce: [addpe.exe] C:\WINDOWS\addpe.exe
O4 - HKLM\..\RunOnce: [ierq32.exe] C:\WINDOWS\ierq32.exe
O4 - HKLM\..\RunOnce: [apinx32.exe] C:\WINDOWS\system32\apinx32.exe
O4 - HKLM\..\RunOnce: [addpy32.exe] C:\WINDOWS\addpy32.exe
O4 - HKLM\..\RunOnce: [msyk.exe] C:\WINDOWS\system32\msyk.exe
O4 - HKLM\..\RunOnce: [sdkym.exe] C:\WINDOWS\system32\sdkym.exe
O4 - HKLM\..\RunOnce: [msqb.exe] C:\WINDOWS\msqb.exe
O4 - HKLM\..\RunOnce: [atllp32.exe] C:\WINDOWS\system32\atllp32.exe
O4 - HKLM\..\RunOnce: [msmy32.exe] C:\WINDOWS\msmy32.exe
O4 - HKLM\..\RunOnce: [netjp.exe] C:\WINDOWS\netjp.exe
O4 - HKLM\..\RunOnce: [appuv32.exe] C:\WINDOWS\system32\appuv32.exe
O4 - HKLM\..\RunOnce: [iejr32.exe] C:\WINDOWS\iejr32.exe
O4 - HKLM\..\RunOnce: [appdk32.exe] C:\WINDOWS\appdk32.exe
O4 - HKLM\..\RunOnce: [apijg32.exe] C:\WINDOWS\apijg32.exe
O4 - HKLM\..\RunOnce: [javafp.exe] C:\WINDOWS\system32\javafp.exe
O4 - HKLM\..\RunOnce: [ipvj.exe] C:\WINDOWS\system32\ipvj.exe
O4 - HKLM\..\RunOnce: [ipnx.exe] C:\WINDOWS\ipnx.exe
O4 - HKLM\..\RunOnce: [netpb32.exe] C:\WINDOWS\netpb32.exe
O4 - HKLM\..\RunOnce: [mfcjb32.exe] C:\WINDOWS\mfcjb32.exe
O4 - HKLM\..\RunOnce: [msrf32.exe] C:\WINDOWS\system32\msrf32.exe
O4 - HKLM\..\RunOnce: [mfckm.exe] C:\WINDOWS\system32\mfckm.exe
O4 - HKLM\..\RunOnce: [winbk32.exe] C:\WINDOWS\winbk32.exe
O4 - HKLM\..\RunOnce: [appfa.exe] C:\WINDOWS\appfa.exe
O4 - HKLM\..\RunOnce: [atlky.exe] C:\WINDOWS\atlky.exe
O4 - HKLM\..\RunOnce: [atlkn32.exe] C:\WINDOWS\system32\atlkn32.exe
O4 - HKLM\..\RunOnce: [apikl.exe] C:\WINDOWS\apikl.exe
O4 - HKLM\..\RunOnce: [syspj32.exe] C:\WINDOWS\system32\syspj32.exe
O4 - HKLM\..\RunOnce: [creh.exe] C:\WINDOWS\creh.exe
O4 - HKLM\..\RunOnce: [msms.exe] C:\WINDOWS\system32\msms.exe
O4 - HKLM\..\RunOnce: [winsm32.exe] C:\WINDOWS\system32\winsm32.exe
O4 - HKLM\..\RunOnce: [apiss.exe] C:\WINDOWS\system32\apiss.exe
O4 - HKLM\..\RunOnce: [atlss.exe] C:\WINDOWS\system32\atlss.exe
O4 - HKLM\..\RunOnce: [javaiq.exe] C:\WINDOWS\system32\javaiq.exe
O4 - HKLM\..\RunOnce: [mfcku32.exe] C:\WINDOWS\mfcku32.exe
O4 - HKLM\..\RunOnce: [winah32.exe] C:\WINDOWS\winah32.exe
O4 - HKLM\..\RunOnce: [javalu.exe] C:\WINDOWS\system32\javalu.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "Lothian"
O4 - HKCU\..\Run: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKCU\..\Run: [Txxczpwu] C:\WINDOWS\System32\lmzlntx.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Lothian\Application Data\ttuh.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - HKCU\..\RunServices: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

 

 

933 Posts

July 12th, 2004 00:00

Hi Sllothian, At first glance I am guessing you have items disabled in msconfig?  We need to see all of the running processes.  I will also guess that you have a lot of trojans on your computer. And there is no doubt you have a CWS Exploit that is hard to remove. Now to another problem, please review this information.

Please post your starter topic in the Main Index as a NEW TOPIC. We want to help and we can help best by seeing your message in its own thread.
 
One person per thread...that's the policy we must insist on as too many victims in one thread makes for a disjointed and confusing mess nobody can understand now or later. We are volunteers and need some control over the threads.
 
Click on the link below for the Main Index and post your message with a new topic.
 
http://forums.us.dell.com/supportforums/board/post?board.id=si_virus
 
We'll be glad to help you when you repost. Be aware we have only a handful of Hijackthis experts here (all volunteers with "real" jobs elsewhere *;-) for suggested fixes for Hijackthis logs and we answer posts in chronological order starting back with the oldest unanswered posts. Be patient as it may be a while before your turn comes up.

Message Edited by pskelley on 07-11-2004 09:09 PM

4 Posts

July 12th, 2004 14:00

Hi pskelley,

Thanks so much for your quick reply, and help provided thus far.  I have downloaded and run the HJT program and the following is my log file:

Logfile of HijackThis v1.98.0
Scan saved at 11:04:08 AM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vxiugnuk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eflcsc] C:\WINDOWS\System32\vxiugnuk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1781cf45ffb913062b19/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe

Thanks,

LaxStarr

933 Posts

July 13th, 2004 14:00

Hi LaxStarr, Sorry about the other person posting in your thread.  It even confuses me seeing different logs as I move over the thread. Please follow these instructions. Open HijackThis, and with all other explorer windows closed, click on scan.  Put a check in the box to the left of this line item, then click on "Fix Checked", then empty the recycle bin and reboot your computer.

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1781cf45ffb913062b19/netzip/RdxIE601.cab
-Netster

Then please follow these directions:

Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.

Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:

1. Latest version
2. Configured correctly for running options
3. New definitions from update feature

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.

http://www.cjwd.demon.co.uk/spybot-adaware.html

After this is completed, empty the bin, reboot, then post a fresh log for us to view.  There will be some manual cleanup to be done at that point. 

Thanks,
 
pskelley
In Training at TomCoyote.com and Spywareinfo.com


Clicking on people's usernames at the left will reveal information about them if they chose to have an open profile.

Message Edited by pskelley on 07-13-2004 11:54 AM

4 Posts

July 13th, 2004 19:00

PSKelly,
Here is the Logfile after I finished your last instructions:

Logfile of HijackThis v1.98.0
Scan saved at 4:47:04 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\vxiugnuk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\HJT\HijackThis.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eflcsc] C:\WINDOWS\System32\vxiugnuk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe

Thanks

Paul Menges
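Added example, not part of the original thread: a small parser that compares two HijackThis logs and reports which entries disappeared, which appeared, and which `O4` autorun entries still point at a process that is running. The function names are hypothetical, and the two sample logs are shortened excerpts constructed from the 7/12 and 7/13 logs posted above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")
Log = namedtuple("Log", "processes entries")

# "R0 - ...", "O4 - ...", "O16 - ..." style result lines
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# O4 registry autoruns: "HKLM\..\Run: [name] command line"
AUTORUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First token of the command line: a quoted path, or text up to ".exe"
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.I)

# Constructed excerpt of the 7/12 log from this thread.
BEFORE = r'''
Running processes:
C:\WINDOWS\System32\vxiugnuk.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [eflcsc] C:\WINDOWS\System32\vxiugnuk.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1781cf45ffb913062b19/netzip/RdxIE601.cab
'''

# Constructed excerpt of the 7/13 log from this thread.
AFTER = r'''
Running processes:
C:\WINDOWS\System32\vxiugnuk.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [eflcsc] C:\WINDOWS\System32\vxiugnuk.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
'''


def parse_log(text):
    """Split a HijackThis log into its process list and its result entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return Log(processes, entries)


def _key(entry):
    # Compare case-insensitively and ignore runs of whitespace.
    return (entry.code, " ".join(entry.text.lower().split()))


def diff_logs(before, after):
    """Return (removed, added) entries between two parsed logs."""
    b = {_key(e): e for e in before.entries}
    a = {_key(e): e for e in after.entries}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added


def orphaned(log):
    """Entries HijackThis itself marked as pointing at nothing on disk."""
    return [e for e in log.entries
            if e.text.endswith(("(no file)", "(file missing)"))]


def running_autoruns(log):
    """Names of O4 autoruns whose program is in the running-process list."""
    running = {p.lower() for p in log.processes}
    hits = []
    for e in log.entries:
        m = AUTORUN_RE.match(e.text) if e.code == "O4" else None
        img = IMAGE_RE.match(m.group("cmd")) if m else None
        if img and (img.group(1) or img.group(2)).lower() in running:
            hits.append(m.group("name"))
    return hits


if __name__ == "__main__":
    before, after = parse_log(BEFORE), parse_log(AFTER)
    removed, added = diff_logs(before, after)
    for e in removed:
        print("removed:", e.code, "-", e.text)
    for e in added:
        print("added:  ", e.code, "-", e.text)
    print("still registered and running:", running_autoruns(after))
```

On these excerpts the `bridge.dll` Run entry and the `mxTarget.dll` BHO are gone from the second log, while `eflcsc` and `WebRebates0` are still registered and still running.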

933 Posts

July 17th, 2004 03:00

Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries: 
 
vxiugnuk.exe
WebRebates1.exe
WebRebates0.exe
 
Then run HJT and with all other explorer windows closed put a check in front of the following line items, then choose "Fix Checked"
 
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [eflcsc] C:\WINDOWS\System32\vxiugnuk.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportdell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
 
Empty your recycle bin and reboot the computer.
 
Then enable hidden files:  http://www.xtra.co.nz/help/0,,4155-1916458,00.html
 
and in the safe mode:  http://www.computerhope.com/issues/chsafe.htm#02
 
Hit Control-Shift-Escape keys at same time. Click on Processes tab and End Task for the following entries:
 
vxiugnuk.exe
WebRebates1.exe   
WebRebates0.exe
 
Then locate and delete the following:
 
C:\WINDOWS\System32\vxiugnuk.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe


Then empty the recycle bin and reboot the computer.
 
Next...Download and run these two programs (Spybot S&D and Adaware) at the link below. Use Spybot first.
 
Most of the Internet baddies can be killed by a one-two punch with Spybot and Adaware assuming these three factors are achieved:
 
1. Latest version
2. Configured correctly for running options
3. New definitions from update feature
 
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
 
Follow the directions in this detailed guide for Spybot and Adaware...print out the directions in the custom scan tutorial as a reference while you set these options for the custom setup of Adaware. These custom settings will be retained for future custom scans so don't go nuts thinking you have to do this every time you run it! It may take you five minutes to set them up, but it's worth it.
 
http://www.cjwd.demon.co.uk/spybot-adaware.html
 
Please note the free Spybot 1.3 does have a slight bug...it detects some DSO exploits falsely. Hopefully an upgrade will fix this. The problem is not serious and should not deter people from using Spybot.
 
I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).
 
Run Disk Cleanup: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
 
If you have any problems with Disk Cleanup completing...XP users can fix it here:
 
http://www2.whidbey.net/djdenham/DeleteOldFiles.htm
 
After cleaning, reboot, and post a fresh log so we can see where we are.
 
Thanks...pskelley
 

 
 
 

 

4 Posts

July 19th, 2004 17:00

PSKelly,

I was wondering if you could elaborate on this part of your above listing?  I don't understand what these two lines mean. 

Then enable hidden files:  http://www.xtra.co.nz/help/0,,4155-1916458,00.html
 
and in the safe mode: 
http://www.computerhope.com/issues/chsafe.htm#02

Thanks for the help. 

 

LaxStarr

933 Posts

July 19th, 2004 20:00

You asked:

I was wondering if you could elaborate on this part of your listing?  I don't understand what these two lines mean.

Then enable hidden files:  http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Some of Windows' files are hidden by default. In order for you to locate and then delete the files causing your problem (and the spyware/hijackers often hide the files to keep you from deleting them) you have to enable these hidden files. I have mine enabled all of the time, but no one is on the computer but me.  If you believe anyone else in the house might find their way into this area, disable them when you are finished.

Windows XP
Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

and in the safe mode:  http://www.computerhope.com/issues/chsafe.htm#02

This is a diagnostic mode where a bare minimum of programs are started.  If you look at the tutorial in the link you will know what to expect. None of the programs you are trying to remove will be running making it easier to remove them. (no messages like can't delete this because it is running) Once you have completed deleting the bad stuff, a reboot will return your computer to normal function.

Windows 2000 / XP Users

To get into the Windows 2000 / XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.

Trouble Getting into Windows 2000 or Windows XP Safe mode - If after several attempts you are unable to get into Windows 2000 or Windows XP safe mode as the computer is booting into Windows turn off your computer. When the computer is turned on the next time Windows should notice that the computer did not successfully boot and give you the safe mode screen.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message as the computer is booting. If this occurs instead of pressing and holding the "F8 key" tap the "F8 key" continuously until you get the startup menu.

Hope this helps...pskelley
