hijackthis log for bridge.dll file missing - yes version 1.99.0

First of all, you need to go to Windows Update to get the Critical Updates for your system. Hold off on SP2, however, until your computer gets cleaned up.

Next, you should put HJT in it's own folder instead of right on the desktop. You can do this by right-clicking on your desktop, point to New, and click on Folder. A new folder will be created that you can name whatever you wish (like HJT). Once you have the new folder named, drag hijackthis into it.

Whenever you scan with HJT, make sure all browser windows are closed.

This thread should resolve your bridge.dll problem:
http://www.daniweb.com/techtalkforums/thread7370.html

nwiz isn't harmful, it's part of NVidia; check this link for more info:
http://www.liutilities.com/products/wintaskspro/processlibrary/nwiz/

TV Media IS a hijacker, find out more about it here:
http://www.liutilities.com/products/wintaskspro/processlibrary/Tvm/
(Removal instructions will be found below).

CTHELPER.EXE should probably be disabled:
Quote from sysinfo:
CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.

Now for your log. Close all browser windows, scan with HJT, and have it fix the following entries:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D7BD4FCC-C9D7-42AC-BAE9-D6FD332643BF} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Mosm] C:\Documents and Settings\Cyndi\Application Data\bowa.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...d693e854e5c9a60
O23 - Service: Sakyq Service - Unknown - C:\WINDOWS\System32\sakyq.exe

Reboot into Safe Mode.

Go to C:\Program Files and delete the Web_Rebates folder and the TV Media folder.

Go to C:\Documents and Settings\Cyndi\Application Data and delete bowa.exe (unless you know what it is).

Go to C:\WINDOWS\System32 and delete sakyq.exe

Reboot normally, close all browser windows, scan with HJT, and post a new log.

Hello,

I will do this. Thank you for getting back to me. Thank you for telling me about CTHelper, I have been trying to figure out what is sucking up my system because it's running slow as all H.E. double hockey sticks.

I just have one silly question for you...

How do I get in to safe mode? :o I have only ever gotten there in the past when the computer had problems and prompted me to do so...

I am taking computer courses! I promise!! I paid $9750 to be there but I just started, so I am not sure how to do anything at this point in time!!!

Attina

You get to the Safe Mode boot option by hitting the F8 as the computer starts up. You have to hit the key just before/as Windows starts to load, so if you miss it first time just reboot again and start hitting F8 a bit earlier.

I just have one silly question for you...

How do I get in to safe mode? :o I have only ever gotten there in the past when the computer had problems and prompted me to do so...

I am taking computer courses! I promise!! I paid $9750 to be there but I just started, so I am not sure how to do anything at this point in time!!!

Attina

Didn't any of your teachers ever tell you there's no such thing as a silly question? :) (or the only stupid question is the one that wasn't asked).

DMR's suggestion for getting into Safe Mode is the most common, but there is another way (if you're interested). Go to Start, Run, type in MSCONFIG, hit enter, click on the tab that says Boot.ini, selelect Safe Mode, and then click the OK button. When you're done in Safe Mode, repeat the instructions, but use the General tab, and select Normal.

I don't know what kind of classes you're taking, but you can get a great education just by reading the threads in forums like this one!

Hello everybody,

Thank you for all of the help! I have been learning a lot! Ok, so here's my update. Web_Rebates and TV Media folders were not there when I looked in Safe Mode. Neither was the bridge.dll file...that seems to be resolved. I have no idea what bowa.exe is, but it's gone now. I know what sakyq.exe is. I have been trying to figure out how to get rid of this *forever*. It's a keylogger program I tried for fun and totally didn't work and then I couldn't get it off my computer. I even emailed them to ask them how and they wouldn't tell me! Well, now it's gone!! :)

Here is the new HJT:

Logfile of HijackThis v1.99.0
Scan saved at 8:57:13 PM, on 1/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Documents and Settings\Cyndi\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TaskInfo.exe] "C:\Program Files\Iarsn\TaskInfo2003 5.0\TaskInfo.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1100507948214
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B3E0F81F-73F8-470B-A56B-D895EFF19260} (ATLF3D Class) - http://www.famous3d.com/viewer/latest/axf3d.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please let me know if this is OK.

Thanks,
Attina

PS. I am taking A+, Microsoft, Cisco, project management, database design, etc. etc. It's a JAM PACKED -oops-I-closed-my-eyes-and-missed-something type of class. I am currently working on my A+. I read chapter 9 and then just yesterday I did chapter 10 which tells you how to boot in safe mode!! How ironic is that?!

Your latest log looks clean to me, except for possibly the "WeatherNetwork" program. I don't have the time right now to confirm if that specific program is adware/spyware related, but some other similar programs are.

Let's wait for dlh6213, crunchie, or caperjack to follow up with a "second opinion" on this before you sign you off as clean, but it does look to me like you've gotten the job done.

According to this site, WeatherNetwork is not a pest:
http://research.pestpatrol.com/Analyses/2004-10-14_175914.asp
And I can't find anything indicating it is.

Attina, you really need to get your Critical Updates. You can probably get SP2 now, but you need to at least get SP1. You can find out more about SP2 here that may help you decide:
http://www.daniweb.com/techtalkforums/thread10031.html

I would also recommend getting SpywareBlaster and/or SpywareGaurd, links to both are in DMR's signature.

That's quite a class you're taking on! Good luck with it :) And tell your classmates about DaniWeb!

Thanks everyone for all of your help. I will definitely tell my classmates about Daniweb. We have a list of "helpful websites" and I will add you to that list :) I am glad to see that the weathernetwork.com thing is not a spyware either. It's a really cool little tool. It's telling me right now it's -13 degrees celcius outside. That's not too cold.

I do have another question though. You say to get spyware blaster and/or spyware guard. What is the difference between those and spybot and ad-aware? Also, why was spybot and ad-aware not able to get rid of those problems that I had either? Are they not all the same thing?

Thanks,

Attina

You say to get spyware blaster and/or spyware guard. What is the difference between those and spybot and ad-aware?

Basically, Ad Aware and SpyBot (although SpyBot does have an "immunization" function) are primarily detection and removal tools; they are more "curative" than "preventative". SpywareGuard and SpywareBlaster, on the other hand, put in place protective measures to keep "spyware" from installing itself on your system in the first place.

Also, why was spybot and ad-aware not able to get rid of those problems that I had either? Are they not all the same thing?

Ad Aware and SpyBot, while very good at what they do, will probably never be able detect and clean all of "nasties" out there. The people who write these malicious programs are constantly changing their programs to make them harder to detect and/or remove, and are also creating new programs which take advantage of newly-discovered methods of infection. Just like finding a cure for a newly-discovered disease, it takes time to analyze new spyware/virus/etc. infections and write code which can remove them.

That said though, I would have thought the Ad Aware/SpyBot combination should have been able to eradicate Web_Rebates and TV Media; I'm not really sure why they didn't.... :?: