
Spyware and cannot run regedit, nortons etc

  • 06-12-2004 10:57pm
    #1
    Registered Users, Registered Users 2 Posts: 412 ✭✭


    Not sure if this is in the right forum. Mod, feel free to move if necessary.

    I'm trying to fix a friend's PC, several problems. Running XP Prof.
    1. On startup get error message trying to load bridge.dll.
    2. Every address I type in the browser web bar gives message, address cannot be found. However, I can search using the google toolbar.
    3. Also, browser keeps going to page "http://nkvd.us/1526/"
    4. Have Norton's antivirus but it won't run, nor can I run msconfig or regedit. I can run them in safe mode only.
    5. Downloaded hijackthis but it won't run either.
    Have run Spybot and Adaware and cleaned any problems found.


Comments

  • Closed Accounts Posts: 9,496 ✭✭✭Mr. Presentable






    This may help remove it

    The Bridge.dll is a known spyware component, which is called Adware.WinFavorites at Symantec’s Security Response Web pages. Norton AntiVirus would detect it as such, but even if you don’t have this on your PC you can get rid of the remaining elements manually. To do this, we suggest booting into Safe mode. Once there, perform a search for the following files and delete them if you find them: bridge.exe, winfavorites.exe, bridge.dll, and bridge.inf.

    Now click Start -> Run, type regedit and press [Return]. First browse to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ explorer \ Browser Helper Objects \ {9C691A33-7DDA-4C2F-BE4C-C176083F35CF}. Right-click the {9C691A33...} entry in the left-hand pane and select Delete. Now browse to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Uninstall \ bridge. Again, right-click the bridge entry and select Delete.

    Finally, browse to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run. In the right-hand pane you’ll see a value called systray: right-click this and delete it. This should remove all trace of the adware from your PC and get rid of the message at startup.


  • Registered Users, Registered Users 2 Posts: 412 ✭✭Fr Dougal


    Thanks spanner. Going to print this and log off to try. I'll let you know how I get on.

    Is it the spyware that's stopping Regedit, nortons, msconfig etc from running?


  • Closed Accounts Posts: 9,496 ✭✭✭Mr. Presentable


    If exes are not running you may also have a virus.

    This indicates that the .EXE file association in the registry is corrupt. This behavior is generally caused by viruses; one of which is SirCam virus, which modifies the .exe file association in registry. To launch applications, you may need to reset the .exe file association using any of these methods:

    Solution 1:

    Click Start, Run and type Command
    Type the following and then press Enter after typing each one:

    cd\windows
    copy regedit.exe regedit.com
    start regedit.com [or regedit.com]

    Navigate to and select the following key:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    Double-click the (Default) value in the right pane.
    Delete the current value data, and then type: "%1" %* [with quotes]
    (ie., quote-percent-one-quote-space-percent-asterisk.)

    Exit the Registry Editor and restart Windows.


  • Registered Users, Registered Users 2 Posts: 412 ✭✭Fr Dougal


    Once there, perform a search for the following files and delete them if you find them: bridge.exe, winfavorites.exe, bridge.dll, and bridge.inf.

    Now click Start -> Run, type regedit and press [Return]. First browse to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ explorer \ Browser Helper Objects \ {9C691A33-7DDA-4C2F-BE4C-C176083F35CF}. Right-click the {9C691A33...} entry in the left-hand pane and select Delete. Now browse to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Uninstall \ bridge. Again, right-click the bridge entry and select Delete.

    Finally, browse to HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run. In the right-hand pane you’ll see a value called systray: right-click this and delete it. This should remove all trace of the adware from your PC and get rid of the message at startup.

    Tried all of the above to no avail. Only found "bridge.dll_tobedeleted" and I deleted it. Didn't find any of the other files.
    Nor did I find any of the entries in HKEY_LOCAL_MACHINE........

    Copied regedit.exe to regedit.com and ran it. current value in Default was already "%1" %"
    I deleted this value and typed it in again.

    Rebooted PC but still have same problems :confused:


  • Registered Users, Registered Users 2 Posts: 654 ✭✭✭conor-mr2


    try looking here

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

    Make sure the (Default) is a REG_SZ and the value is set to http://

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefix

    Make sure the (Default) is a REG_SZ and the value is (Value not set).
    It could be set as http://nkvd.us/1526/ at the moment. To reset the value you simply highlight (Default), click delete, are you sure->yes. This will reset the value to the (value not set).

    For the other values like ftp (ftp://), gopher (gopher://), home (http://), mosaic (http://), www (http://) make sure they are set correctly. The correct values are in the brackets beside each so I hope that doesn't confuse you. This should let you run regedit and maybe search pages. Let me know
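
Added example, not part of any post in this thread: an offline check of a registry export against the values the replies above give for the exefile open command and the URL prefix keys. It assumes the export has already been decoded to text and uses the key name Windows gives the prefix list, URL\Prefixes; `EXPECTED`, `parse_reg`, `audit` and the sample export are constructed for illustration.

```python
import re

# Expected data per (key-path suffix, value name); "@" is (Default) and
# None means "(value not set)", i.e. the value must be absent.
EXPECTED = {
    (r"exefile\shell\open\command", "@"): '"%1" %*',
    (r"url\defaultprefix", "@"): "http://",
    (r"url\prefixes", "@"): None,
    (r"url\prefixes", "ftp"): "ftp://",
    (r"url\prefixes", "gopher"): "gopher://",
    (r"url\prefixes", "home"): "http://",
    (r"url\prefixes", "mosaic"): "http://",
    (r"url\prefixes", "www"): "http://",
}
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg text escapes \" and \\

def parse_reg(text):
    """Return {(key, name): data} for string values in decoded .reg text."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1]).lower()
            values[(key, name)] = unescape(m.group(2))
    return values

def audit(text):
    """List (key, name, data) for values that differ from EXPECTED."""
    return sorted(
        (key, name, got)
        for (key, name), got in parse_reg(text).items()
        for (suffix, want_name), want in EXPECTED.items()
        if key.endswith("\\" + suffix) and name == want_name and got != want
    )

# Constructed sample export (not taken from the affected PC).
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
@="http://nkvd.us/1526/"
"ftp"="ftp://"
"gopher"="http://hijack.example/"
'''
```

Calling `audit(SAMPLE)` returns the two altered values under URL\Prefixes and nothing for the keys that already match.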


  • Registered Users, Registered Users 2 Posts: 412 ✭✭Fr Dougal


    Thanks Conor.

    I'll try this evening and let you know.


  • Registered Users, Registered Users 2 Posts: 998 ✭✭✭zekiel


    I've found this an excellent web-based app at removing hard to reach spyware. I'd run it after using spybot.

    http://www.spywareguide.com/txt_onlinescan.html


  • Registered Users, Registered Users 2 Posts: 412 ✭✭Fr Dougal


    Conor, Tried suggestions to no avail.
    gopher (gopher://), home (http://), mosaic (http://), all had some web site www.heretofind.....
    Changed them all to http://

    Ran adaware and spybot in safe mode and deleted any problems found.

    Ran Nortons in safe mode and found Trojan.StartPage in file mtwirl.dll.
    Went to Symantec security response, followed instructions but Nortons would not delete the file mtwirl.dll.

    Logged in in safe mode, moved the file to the desktop and ran scan on it but still could not delete it manually, even with system restore switched off.

    Also tried to delete it in DOS but got "Access Denied" message
    Anyone recommend a good way, or tool to remove this file?


  • Registered Users, Registered Users 2 Posts: 412 ✭✭Fr Dougal


    Conor, your advice enabled me to run Nortons.

    Then, strangest thing, Nortons AV ran on start-up, found the file with Trojan and deleted it.

    All working fine.

    Also downloaded trojan remover, which is set to run on startup so hopefully will stop from happening again, if he's careful what sites he goes onto.

    Thanks folks, for all of your advice and help.


  • Registered Users, Registered Users 2 Posts: 654 ✭✭✭conor-mr2


    Hey great stuff Fr. Dougal.

    Glad to hear you got rid of it!!

