Somehow, I have quite a lot of problems on my recently formatted computer.
I ran the Spybot program and here are the results:
BlazeFind.Bridge: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunDLL
Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

--- Spybot-S&D version: 1.2 ---
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-02-26 Includes\Cookies.sbi
2004-02-29 Includes\Dialer.sbi
2004-02-29 Includes\Hijackers.sbi
2004-02-26 Includes\Keyloggers.sbi
2004-02-29 Includes\Malware.sbi
2004-02-26 Includes\Security.sbi
2004-02-29 Includes\Spybots.sbi
2004-02-29 Includes\Trojans.sbi
2004-02-26 Includes\Tracks.uti
2004-03-09 Includes\Revision.sbi

and I have this BRIDGE.DLL missing message at start-up.
Any help is appreciated.

Correction: sorry. I logged in as the administrator user and ran Spybot again, and everything was fixed. Nevertheless, I still have problems:
When I start up I get the error message "Execution of the specified command has failed", and I have a strange problem with my Symantec AntiVirus. I try to open it (to update) but it keeps disappearing after a second, or even refuses to open at all. I scanned my computer with Panda ActiveScan and the result was:

Incident Status Location
Virus:W32/Randon Disinfected Operating system
Virus:Bck/Sdbot.gen Renamed C:\WINNT\system32\wuaumgrd_exe.vir
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\Smadar\Local Settings\Temporary Internet Files\Content.IE5\GX4XMVST\wbk6D.tmp
Virus:Trj/Downloader.L Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Belt.exe
Virus:W32/Netsky.P.worm Disinfected Local Folders\Deleted Items\Re: corrected\product_smaddar.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected Local Folders\Inbox\Mail Delivery (failure smaddar@netvision.net.il)\message.scr

I have no idea how to deal with it.

The system is Microsoft Windows 2000 5.00.2195.

Could you advise me?

Logfile of HijackThis v1.97.7
Scan saved at 13:20:37, on 26/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Barak013\fts.exe
C:\WINNT\system32\msmsn.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Barak013\FWPortal.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [%FP%Barak013 fts.exe] "C:\Program Files\Barak013\fts.exe"
O4 - HKLM\..\Run: [Msg Fixage] msgfixed.exe
O4 - HKLM\..\Run: [Distributed Transaction Coordinator System] svchoct.exe
O4 - HKLM\..\Run: [Microsoft DirectX] SpoolServ.exe
O4 - HKLM\..\Run: [Microsoft MSN Service] msmsn.exe
O4 - HKLM\..\Run: [boy] c:\winnt\fonts\fonts\Windows.exe
O4 - HKLM\..\Run: [w0ndz] C:\WINNT\system32\f4k3\kolder.exe C:\WINNT\system32\f4k3\dirote.exe
O4 - HKLM\..\RunServices: [Msg Fixage] msgfixed.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] SpoolServ.exe
O4 - HKLM\..\RunServices: [Microsoft MSN Service] msmsn.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Msg Fixage] msgfixed.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.413587963
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D788EA0-403D-4FEE-A520-95B2284A14B0}: NameServer = 212.150.48.169 206.49.94.234

First up, you've got worms. Go here for an on-line scan & set it to autoclean for you.

When done, get some info on this file, "C:\Program Files\Barak013\fts.exe" < this one, & whatever else is in the same folder with it, please.

Post a new log with the info & also what the virus scan found.

The virus scan found:
DOS AGOBOT.HM NonCleanable C:\WINNT\system32\drivers\etc
TROJ HIDEWND.A NonCleanable C:\WINNT\Fonts\Fonts\sox.exe

Should I delete these files?

Barak013 is my network connection. What kind of info do you need?

Logfile of HijackThis v1.97.7
Scan saved at 15:01:39, on 26/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Barak013\fts.exe
C:\WINNT\system32\msmsn.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Barak013\FWPortal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [%FP%Barak013 fts.exe] "C:\Program Files\Barak013\fts.exe"
O4 - HKLM\..\Run: [Distributed Transaction Coordinator System] svchoct.exe
O4 - HKLM\..\Run: [Microsoft MSN Service] msmsn.exe
O4 - HKLM\..\Run: [boy] c:\winnt\fonts\fonts\Windows.exe
O4 - HKLM\..\Run: [w0ndz] C:\WINNT\system32\f4k3\kolder.exe C:\WINNT\system32\f4k3\dirote.exe
O4 - HKLM\..\RunServices: [Microsoft MSN Service] msmsn.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.413587963
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D788EA0-403D-4FEE-A520-95B2284A14B0}: NameServer = 212.150.48.169 206.49.94.234

Yes, delete the files. The info you gave is sufficient, thanks. I wasn't sure what that Barak013 was.

Unzip HJT into its own permanent folder before doing anything, in order for it to create backups (not a temporary folder & not on the desktop). Close all (browser) windows & have HJT fix these entries by placing a check in the appropriate box:

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=

O4 - HKLM\..\Run: [Distributed Transaction Coordinator System] svchoct.exe
O4 - HKLM\..\Run: [Microsoft MSN Service] msmsn.exe
O4 - HKLM\..\Run: [boy] c:\winnt\fonts\fonts\Windows.exe
O4 - HKLM\..\Run: [w0ndz] C:\WINNT\system32\f4k3\kolder.exe C:\WINNT\system32\f4k3\dirote.exe
O4 - HKLM\..\RunServices: [Microsoft MSN Service] msmsn.exe

Reboot into safe mode following the instructions here & navigate to & delete

c:\winnt\fonts\fonts\Windows.exe< this one
C:\WINNT\system32\f4k3< this folder

Reboot normally after doing the above, then post a fresh log, please.
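The fix list in the reply above is built from patterns a practitioner learns to read in O4 lines: a file name one letter off from a real system binary (svchoct.exe for svchost.exe, SpoolServ.exe for spoolsv.exe), a bare file name with no path, an executable under the Fonts folder or an invented sub-folder of system32, and two executables launched from a single Run value, plus F0/F2 entries whose Shell= value has been emptied. The script below is an added example by the editor, not part of this thread and not HijackThis code; it parses a constructed set of lines in the same log format and flags entries by those heuristics. The allowlist of Windows 2000 binaries, the regexes and the similarity threshold are assumptions to be tuned against a clean baseline.

```python
"""Triage HijackThis 1.97-style O4 (autorun) and F0/F2 (Shell=) lines.

Added example by the editor, not part of this thread or of HijackThis.
The allowlist, regexes and similarity threshold are assumptions, and the
sample log is constructed (it mirrors the entries fixed in the thread)."""
import re
from difflib import SequenceMatcher

# Constructed sample in the log format quoted in the thread (raw string: backslashes literal).
SAMPLE_LOG = r"""
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Distributed Transaction Coordinator System] svchoct.exe
O4 - HKLM\..\Run: [Microsoft DirectX] SpoolServ.exe
O4 - HKLM\..\Run: [boy] c:\winnt\fonts\fonts\Windows.exe
O4 - HKLM\..\Run: [w0ndz] C:\WINNT\system32\f4k3\kolder.exe C:\WINNT\system32\f4k3\dirote.exe
O4 - HKLM\..\RunServices: [Microsoft MSN Service] msmsn.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

# Assumed allowlist: Windows 2000 binaries that legitimately show up as bare
# names in Run keys or in the process list. Extend it from a clean baseline.
KNOWN_SYSTEM = {"smss", "winlogon", "services", "lsass", "svchost", "spoolsv",
                "regsvc", "mstask", "winmgmt", "explorer", "mobsync", "internat"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'[^\s"]+\.exe', re.IGNORECASE)
# Fonts, temp folders and invented sub-folders of system32 are not places a
# legitimate autorun binary lives (heuristic; system32\wbem\ is a known exception).
SUSPICIOUS_DIR_RE = re.compile(
    r"\\(fonts|temp|temporary internet files)\\|\\system32\\(?!wbem\\)[^\\]+\\",
    re.IGNORECASE)


def stem_of(path):
    """'c:\\winnt\\fonts\\fonts\\Windows.exe' -> 'windows' (lower-cased name, no extension)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def lookalike(stem, threshold=0.8):
    """Name of the system binary this stem imitates (svchoct -> svchost), or None."""
    if stem in KNOWN_SYSTEM:
        return None
    best = max(KNOWN_SYSTEM, key=lambda k: SequenceMatcher(None, stem, k).ratio())
    return best if SequenceMatcher(None, stem, best).ratio() >= threshold else None


def triage_o4(log_text):
    """Map each suspicious O4 display name to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        exes = EXE_RE.findall(cmd)
        if not exes:
            continue
        first, reasons = exes[0], []
        stem = stem_of(first)
        mimic = lookalike(stem)
        if mimic:
            reasons.append(f"'{stem}.exe' mimics system binary '{mimic}.exe'")
        if "\\" not in first and stem not in KNOWN_SYSTEM:
            reasons.append("bare file name outside allowlist: resolved via the search path, "
                           "so the log alone does not say which file runs")
        if SUSPICIOUS_DIR_RE.search(cmd):
            reasons.append("executable lives in a fonts, temp or system32 sub-directory")
        if len(exes) > 1:
            reasons.append(f"{len(exes)} executables launched from one Run value")
        if reasons:
            findings[m.group("name")] = reasons
    return findings


def empty_shell_entries(log_text):
    """F0/F2 lines whose Shell= value is empty (the Windows 2000 default is
    explorer.exe); these are what HijackThis offers to fix alongside the O4 entries."""
    return [l.strip() for l in log_text.splitlines()
            if re.match(r"^F[02] - .*Shell=\s*$", l.strip())]


if __name__ == "__main__":
    for name, why in triage_o4(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in why:
            print("   -", r)
    for entry in empty_shell_entries(SAMPLE_LOG):
        print("empty shell:", entry)
```

Run against the constructed sample, the five entries the reply tells the poster to fix are flagged and the three legitimate ones (Synchronization Manager, vptray, internat.exe) are not. The bare-name rule deliberately fires on anything outside the allowlist because a bare name in a Run value is resolved through the search path at logon, so the log cannot tell you which file actually runs; the real file still has to be located on disk, which is why the reply asks for information on the folder contents.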

done :)


Logfile of HijackThis v1.97.7
Scan saved at 19:03:56, on 26/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Barak013\fts.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Barak013\FWPortal.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il/home/0,7340,L-8,FF.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [%FP%Barak013 fts.exe] "C:\Program Files\Barak013\fts.exe"
O4 - HKLM\..\RunServices: [Microsoft MSN Service] msmsn.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38094.413587963
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D788EA0-403D-4FEE-A520-95B2284A14B0}: NameServer = 212.150.48.169 206.49.94.234

How does it look?

Thanks a lot.
It was a real pleasure,
and I really appreciate your help.
