Wilders Security Forums  


Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
 
 
  #1  
Old April 24th, 2004, 02:19 PM
newbie
 
Posts: n/a
Default HijackThis Log :/

Hi there, I was already interrupted by the trojan/worm/whatever during my first try to post here, so to make a long story short:

As far as I found out I got "Revop.C", "Bridge.A.2", "Dryfuca.AC.down" and "IstBar.U" on my computer.

I already tried out "AntiVir", "BPS Spyware Remover" and "NOD32", but nothing really fixed the problem for a longer time.

The only effect of the trojans (?) I noticed, is that every ~60 minutes several IE windows are opened. Most of them with XXX content..

For step 1 I used "Ad-aware 6.0".

Thanks for any help and sorry for the bad English.
*newbie

Log:

Logfile of HijackThis v1.97.7
Scan saved at 19:56:08, on 24.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Progs\Security\Virus\AVGNT.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
D:\Progs\Security\Virus\AVGUARD.EXE
D:\Progs\Security\Virus\AVWUPSRV.EXE
D:\Progs\Security\NOD32\NOD32\nod32krn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Eigene Dateien\Downloads\Progs\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "d:\progs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Progs\Brennen\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] D:\Progs\Security\Virus\AVGNT.EXE /min
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Eigene Dateien\Downloads\Treiber\SB live.\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [nod32kui] D:\Progs\Security\NOD32\NOD32\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -trayboot
  #2  
Old April 24th, 2004, 02:21 PM
newbie
 
Posts: n/a
Default Re: HijackThis Log :/

Sorry, forgot a part, here is the full log:

Quote:
Logfile of HijackThis v1.97.7
Scan saved at 19:56:08, on 24.04.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Progs\Security\Virus\AVGNT.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
D:\Progs\Security\Virus\AVGUARD.EXE
D:\Progs\Security\Virus\AVWUPSRV.EXE
D:\Progs\Security\NOD32\NOD32\nod32krn.exe
C:\WINDOWS\System32\MsPMSPSv.exe
D:\Eigene Dateien\Downloads\Progs\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "d:\progs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Progs\Brennen\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] D:\Progs\Security\Virus\AVGNT.EXE /min
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Eigene Dateien\Downloads\Treiber\SB live.\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [nod32kui] D:\Progs\Security\NOD32\NOD32\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\Progs\MICROS~1\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E3EB03-909F-4D06-B4E3-886F68F3337A}: NameServer = 192.168.115.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{56E3EB03-909F-4D06-B4E3-886F68F3337A}: NameServer = 192.168.115.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{56E3EB03-909F-4D06-B4E3-886F68F3337A}: NameServer = 192.168.115.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{56E3EB03-909F-4D06-B4E3-886F68F3337A}: NameServer = 192.168.115.1
  #3  
Old April 24th, 2004, 02:36 PM
Pieter_Arntz
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,726
Default Re: HijackThis Log :/

Hi newbie,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe

Then reboot into safe mode and delete:
C:\WINDOWS\System32\services\wmplayer.exe
C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
C:\WINDOWS\System32\wintit.exe

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
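An added example, not part of any post in this thread: a small triage helper that parses the F1 and O4 autostart lines of a HijackThis log and groups them by the executable they launch, so a binary registered at several startup locations (as `wmplayer.exe` is here) stands out for review. The function names and the "two or more locations" cue are assumptions made for illustration, not the method used by the helper above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the F1/O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "d:\progs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -trayboot
"""

F1_RE = re.compile(r"^F1 - (?P<loc>[^:]+): run=(?P<cmd>.+)$")
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A command is either "quoted path" args, or an unquoted path (which may contain spaces) args.
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

def executable(cmd):
    """Return the lower-cased executable path from an autostart command line."""
    m = EXE_RE.match(cmd.strip())
    return ((m.group(1) or m.group(2)) if m else cmd.strip()).lower()

def parse_autostarts(log):
    """Map each executable path to the autostart locations that launch it."""
    by_path = defaultdict(list)
    for line in log.splitlines():
        m = F1_RE.match(line.strip()) or O4_RE.match(line.strip())
        if m:
            by_path[executable(m.group("cmd"))].append(m.group("loc"))
    return dict(by_path)

def redundant(by_path, minimum=2):
    """Executables registered at `minimum` or more distinct autostart locations."""
    return {p: sorted(set(l)) for p, l in by_path.items() if len(set(l)) >= minimum}

if __name__ == "__main__":
    for path, locations in redundant(parse_autostarts(SAMPLE_LOG)).items():
        print(f"{len(locations)} locations: {path} <- {', '.join(locations)}")
```

On this sample the ICQ Lite binary is listed as well (Run plus RunOnce), so a repeated registration is a cue for a closer look, not a verdict on its own.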
  #4  
Old April 24th, 2004, 04:20 PM
newbie
 
Posts: n/a
Thumbs up Re: HijackThis Log :/

Thanks a lot Pieter, it worked.
  #5  
Old April 24th, 2004, 04:29 PM
Pieter_Arntz
Spyware Veteran
 
Join Date: Apr 2002
Location: Netherlands
Posts: 12,726
Default Re: HijackThis Log :/

That is good to hear.

Please read How did this happen and can I prevent it?

Regards,

Pieter