
Could you help me? - HiJack log...


Name: Shirrlleeyy
Date: March 25, 2004 at 02:23:54 Pacific
OS: Win XP Home
CPU/Ram: Intel Celeron, 224 MB RAM
Comment:

Hi,

I'm Shirley from the Czech Republic and I think I have some mess in my comp...

Could I post here my HiJack log?

Thank you very much!




Response Number 1
Name: Abnormal
Date: March 25, 2004 at 12:06:27 Pacific
Reply:

Do this; afterwards you can post your log.

Download Ad-Aware and update it.
http://www.lavasoftusa.com/support/download/

From the Lavasoft FAQs:
Use the Custom Scan with Memory and Both registry scans ON for your first scan.
I keep it at that setting.

Also, make sure that you activate IN-DEPTH scanning before you proceed.
Actually you should always use IN-DEPTH scanning whichever mode you choose.
This will be made a default setting in Ad-aware 6.2 when released.

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Next...
Run Ad-aware 6.

Mark the objects you wish to eliminate for removal. All of them.
Make a Quarantine only if you do not have the Auto-Quarantine option ON.
Then choose Next to remove the chosen objects.
Finally, reboot.

Run CWShredder (cwshredder.exe); click Fix, not Scan.

Online scan, remove what it finds.
(autoclean)
http://www.ravantivirus.com/scan/




Response Number 2
Name: JOE
Date: March 25, 2004 at 12:20:36 Pacific
Reply:

Before you post your HijackThis log, have you scanned with SPYBOT or AD-AWARE? Do you have SPYGUARD or SPYBLASTER as spyware preventers? You will also need a firewall, if you don't have one already installed, and an antivirus to protect your system.

#1 Firewall- www.zonelabs.com
#2 Antivirus-http://www.grisoft.com/us/us_index.php
#3 Anti spyware- http://www.majorgeeks.com/download886.html
#4 If you have #1 and #2 already, you can skip those and download SPYBOT and AD-AWARE to scan your system for spyware infections. After your system is completely clean, you can download SPYBLASTER and SPYGUARD to prevent further infections.
#5 If neither SPYBOT nor AD-AWARE was able to clean your system of spyware, you can then ask for someone to inspect your HijackThis log.
#6 Make sure you update all software before you scan your system, and scan offline. Hope this helps! PEACE!!!!!!!!!!



Response Number 3
Name: Shirrlleeyy
Date: March 26, 2004 at 01:22:42 Pacific
Reply:

Hi experts,

I used Ad-Aware, Avast Antivirus etc... (I had some problems with Spybot when I removed the files, so I deleted the program!)

Ad-Aware found the bridge.dll file, but when I deleted this file I got this rundll error every time I logged on:

"Error Loading C:\WINDOWS\System32\bridge.dll"

So - I put that file back! :_0(

What should I remove?

Thank you very much for your great help! (...and sorry for my English)!

Here is my HiJack log:

Logfile of HijackThis v1.97.7
Scan saved at 10:18:50, on 26.3.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\AVAST32\avupdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\AVAST32\AvMaiSrv.exe
C:\Program Files\CONMET\ConMet.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\PROGRA~1\ALWILS~1\AVAST32\avServer.exe
C:\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libra.cz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\TRANSLAT\WEBIE.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AvMaiSrv] C:\PROGRA~1\ALWILS~1\AVAST32\AvMaiSrv.exe
O4 - HKLM\..\Run: [Avast32] C:\PROGRA~1\ALWILS~1\AVAST32\ASTART32.exe /keepserver
O4 - HKLM\..\Run: [ConMet] C:\Program Files\CONMET\ConMet.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
O8 - Extra context menu item: Stáhnout pomocí Net Transportu - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Stáhnout vše pomocí &Net Transportu - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: FlashKeeper (HKLM)
O9 - Extra button: WebTran (HKLM)
O9 - Extra 'Tools' menuitem: &Nastavit překladač (HKLM)
O9 - Extra 'Tools' menuitem: Přeložit &označený text (HKLM)
O9 - Extra 'Tools' menuitem: Přeložit &stránku (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.libra.cz
O16 - DPF: KB KTpro Pack - https://www.mojebanka.cz/jars/kt_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebanka.cz/jars/mib_pack_v1400.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




Response Number 4
Name: Shirrlleeyy
Date: March 26, 2004 at 04:16:40 Pacific
Reply:

OK - I reinstalled Spybot and removed some files!

And this is the new HiJack log:

Is it OK now?

Logfile of HijackThis v1.97.7
Scan saved at 13:13:30, on 26.3.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\AVAST32\avupdsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\AVAST32\AvMaiSrv.exe
C:\Program Files\CONMET\ConMet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\AVAST32\avServer.exe
C:\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libra.cz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebTranslator - {BFC32E1D-EE75-4A48-BC60-104E11EE2431} - C:\TRANSLAT\WEBIE.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AvMaiSrv] C:\PROGRA~1\ALWILS~1\AVAST32\AvMaiSrv.exe
O4 - HKLM\..\Run: [Avast32] C:\PROGRA~1\ALWILS~1\AVAST32\ASTART32.exe /keepserver
O4 - HKLM\..\Run: [ConMet] C:\Program Files\CONMET\ConMet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get Flash by FlashKeeper - C:\Program Files\FlashKeeper\GetFlash.htm
O8 - Extra context menu item: Stáhnout pomocí Net Transportu - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Stáhnout vše pomocí &Net Transportu - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: FlashKeeper (HKLM)
O9 - Extra button: WebTran (HKLM)
O9 - Extra 'Tools' menuitem: &Nastavit překladač (HKLM)
O9 - Extra 'Tools' menuitem: Přeložit &označený text (HKLM)
O9 - Extra 'Tools' menuitem: Přeložit &stránku (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.libra.cz
O16 - DPF: KB KTpro Pack - https://www.mojebanka.cz/jars/kt_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebanka.cz/jars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebanka.cz/jars/mib_pack_v1400.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



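The two HijackThis logs posted above (the 10:18 scan and the 13:13 scan after Spybot) differ in exactly the lines a reviewer would care about, but spotting that by eye in a 60-line log is tedious. The following is an added example, not code from the thread or from HijackThis, of a small parser for the HijackThis 1.97 log format that diffs two scans and flags the two entry types worth checking first: an O1 line, which HijackThis prints when the hosts-file location has been changed from the Windows default, and an O4 autorun whose command line loads a DLL through rundll32.exe. The embedded logs are constructed excerpts of the two posted above, trimmed to the lines that differ plus a little context; the function names and the flagging rules are this example's own.

```python
import re

# Constructed excerpts of the two HijackThis v1.97.7 logs posted in this thread,
# trimmed to the lines that differ plus context. Raw strings keep backslashes literal.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 10:18:50, on 26.3.2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\rundll32.exe
C:\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libra.cz
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O4 - HKLM\..\Run: [Avast32] C:\PROGRA~1\ALWILS~1\AVAST32\ASTART32.exe /keepserver
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 13:13:30, on 26.3.2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libra.cz
O4 - HKLM\..\Run: [Avast32] C:\PROGRA~1\ALWILS~1\AVAST32\ASTART32.exe /keepserver
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# "R1 - ...", "O4 - ..." : entry kind, then the body after " - "
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# O4 body for a registry Run key: "HKLM\..\Run: [value name] command line"
O4_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into its process list and its (kind, body) entries."""
    processes, entries = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends the process list
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if section == "processes":
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return {"processes": processes, "entries": entries}


def diff_logs(before_text, after_text):
    """Entries and processes that disappeared or appeared between two scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        "removed_entries": [e for e in before["entries"] if e not in after["entries"]],
        "added_entries": [e for e in after["entries"] if e not in before["entries"]],
        "removed_processes": sorted(set(before["processes"]) - set(after["processes"])),
        "added_processes": sorted(set(after["processes"]) - set(before["processes"])),
    }


def flag_entries(parsed):
    """Triage hints for a single parsed log: (kind, body, reason) per suspicious entry."""
    hits = []
    for kind, body in parsed["entries"]:
        if kind == "O1" and body.startswith("Hosts file is located at:"):
            # HijackThis only reports the hosts location when it is not the default path
            hits.append((kind, body, "hosts file relocated from the default path"))
        elif kind == "O4":
            m = O4_RUN_RE.match(body)
            if m and m.group("cmd").lower().startswith("rundll32"):
                hits.append((kind, body, "autorun loads a DLL via rundll32; verify that DLL"))
    return hits


if __name__ == "__main__":
    for kind, body, reason in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"[{kind}] {reason}: {body}")
    changes = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind, body in changes["removed_entries"]:
        print(f"removed {kind}: {body}")
    for proc in changes["removed_processes"]:
        print(f"no longer running: {proc}")
```

Run against the two logs, the diff reports the O1 hosts-file line and the RunDLL bridge.dll autorun as removed and rundll32.exe as no longer in the process list, which is what "your log looks ok" in the next reply rests on; flagging the first log alone surfaces the same two entries without needing a second scan to compare against.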

Response Number 5
Name: Abnormal
Date: March 26, 2004 at 08:48:27 Pacific
Reply:

Hi, your log looks OK.
Did the bridge.dll error go away?

SpywareBlaster will prevent a lot of spyware from getting in; the list is what it protects you from, so make sure they are check-marked.

http://www.javacoolsoftware.com/spywareblaster.html

Good luck from Chicago, and if you have any problems post back.






Response Number 6
Name: Shirrlleeyy
Date: March 27, 2004 at 01:01:54 Pacific
Reply:

Hi Abnormal,

I'm glad that my HiJack log looks OK!

I used the CWShredder and then I deleted the bridge.dll and a.exe - and everything is all right now. The errors went away :0)

I would like to ask you:

Ad-Aware found these objects in my comp:

Aureate/RegKey/Data Miner/ HKEY_CLASSES_ROOT:Software\Aureate

Aureate/RegKey/Data Miner/ HKEY_CURRENT_USER:Software\Aureate

Aureate/RegKey/Data Miner/ HKEY_LOCAL_MACHINE:Software\Aureate

Aureate/File/Data Miner/ c:\windows\system32\advert.dll

Aureate/File/Data Miner/ c:\windows\temp\advert.dll

1) When I remove the objects ---> I can't open the CuteFTP program

-----

and:

Windows/RegData/Data Miner/ HKEY_CURRENT_USER:Software\Microsoft\MediaPlayer\Settings"Client ID" () /MediaPlayer Unique ID

2) When I remove this object ---> I can't open Windows Media Player and some Video AVI files in my comp.

So I put these objects back!

Are these objects anyhow dangerous for my comp? I hope they aren't, because I can't remove them...

Thank you for your help again!

Bye Shirley



Response Number 7
Name: Abnormal
Date: March 27, 2004 at 10:17:10 Pacific
Reply:

Hi Shirrlleeyy,
some info on Aureate:

http://cexx.org/aureate.htm

http://simplythebest.net/info/spyware/aureate_spyware.html

For now you can put them in the ignore list, until we can find a spyware-free replacement.

As for the media player, ignore it also. Some say it does not affect the program; I will look into that, and if I find more info I will post it.

Bye for now.



Response Number 8
Name: Shirrlleeyy
Date: March 27, 2004 at 11:26:12 Pacific
Reply:

Thank you for the info, Abnormal!

I put the objects in the ignore list...

As for the Windows Media Player - maybe the "Aureate" affects the program...

I don't know if I can delete the WMP ID, because I don't want to restore my system again...

This is from: http://cexx.org/aureate.htm

One reportedly intercepts calls to the system file oleaut32.dll and substitutes its own while a browser is active, silently switching back when the browser closes. Another reportedly replaces a benign Windows Media Player .dll with one coded to eavesdrop on your audio/movie downloads. Scary stuff!

Bye Shirley




Response Number 9
Name: Abnormal
Date: March 27, 2004 at 15:13:48 Pacific
Reply:

It is scary stuff when all these holes and spyware crap are taking over.

Some more on the media player exploit.

http://www.securityfocus.com/archive/1/250363

http://www.pestpatrol.com/PestInfo/w/windows_media_player_exploit.asp

Don't want to scare you, just giving you info.
Remember, keep everything updated and surf safe.

Your friend from U.S.A.



Response Number 10
Name: Shirrlleeyy
Date: March 28, 2004 at 01:08:49 Pacific
Reply:

Hi Abnormal,

I tried to delete that WMP ID again - and it's OK!
So I think that the AUREATE affects the WMP and AVI video files for sure!

I don't know why... :_0(

Do you think I could use the "NoAura.exe" from this site?

http://sebsauvage.free.fr/noaura/

What do you think?

Thank you! :0)

Bye Shirley



Response Number 11
Name: Abnormal
Date: March 28, 2004 at 21:16:12 Pacific
Reply:

I can't say for sure if it's good or bad; your program may not work afterwards.

Good luck to you, if you have any problems post back.

Take care


