HijackThis Log :/

Discussion in 'adware, spyware & hijack cleaning' started by newbie, Apr 24, 2004.

Thread Status:
Not open for further replies.
  1. newbie

    newbie Guest

    Hi there, I was already interrupted by the trojan/worm/whatever during my first try to post here, so to make a long story short:

    As far as I found out I got "Revop.C", "Bridge.A.2", "Dryfuca.AC.down" and "IstBar.U" on my computer.

    I already tried out "AntiVir", "BPS Spyware Remover" and "NOD32", but nothing really fixed the problem for a longer time.

    The only effect of the trojans (?) I noticed is that every ~60 minutes several IE windows are opened. Most of them with XXX content.

    For step 1 I used "Ad-aware 6.0".

    Thanks for any help and sorry for the bad English. :)
    *newbie

    Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:56:08, on 24.04.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\services\wmplayer.exe
    C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    D:\Progs\Security\Virus\AVGNT.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
    D:\Progs\Security\Virus\AVGUARD.EXE
    D:\Progs\Security\Virus\AVWUPSRV.EXE
    D:\Progs\Security\NOD32\NOD32\nod32krn.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    D:\Eigene Dateien\Downloads\Progs\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "d:\progs\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Progs\Brennen\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVGCtrl] D:\Progs\Security\Virus\AVGNT.EXE /min
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Eigene Dateien\Downloads\Treiber\SB live.\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKLM\..\Run: [nod32kui] D:\Progs\Security\NOD32\NOD32\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Progs\Chat\ICQLite\ICQLite.exe -trayboot
  2. newbie

    newbie Guest

    Sorry, forgot a part, here is the full log:

  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi newbie,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe

    O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
    O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
    O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\services\wmplayer.exe
    C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
    C:\WINDOWS\System32\wintit.exe

    Regards,

    Pieter
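
The items selected above are autostart entries (F1 is a win.ini `run=` line, O4 is a registry Run key), and several of them point at the same file. The following is an added example, not part of the original posts: it groups the F1/O4 lines of a HijackThis log by target executable and checks each target against the running-process list. The function names `parse` and `triage` are hypothetical, the sample is a constructed subset of the log posted in this thread, and the output is a triage aid that does not decide whether an entry is malicious.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\services\wmplayer.exe
C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "d:\progs\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Anot] C:\Dokumente und Einstellungen\Sebi\Anwendungsdaten\smsa.exe
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintit.exe
"""

F1_RE = re.compile(r"^F1 - (?P<src>[^:]+): (?:run|load)=(?P<cmd>.+)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<src>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr|pif))"?(?:\s|$)', re.I)

def parse(log):
    """Return (running process paths, {target path: [autostart sources]})."""
    running, autostarts = set(), defaultdict(list)
    in_procs = False
    for line in (l.strip() for l in log.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            in_procs = bool(line)  # a blank line ends the process list
            if line:
                running.add(line.lower())  # Windows paths are case-insensitive
            continue
        m = F1_RE.match(line) or O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))  # drop quotes and arguments
            target = (exe.group("path") if exe else m.group("cmd")).lower()
            autostarts[target].append(m.group("src"))
    return running, autostarts

def triage(log):
    """Rows of (path, sources, is_running), most autostart locations first."""
    running, autostarts = parse(log)
    rows = [(p, sorted(s), p in running) for p, s in autostarts.items()]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for path, sources, is_running in triage(SAMPLE_LOG):
        print(len(sources), "running" if is_running else "not running", path, sources)
```

A target that is registered in several autostart locations and is also running at scan time needs every one of its entries fixed in the same pass, which is why the procedure above fixes the entries first and deletes the files afterwards in safe mode.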
  4. newbie

    newbie Guest

    Thanks a lot Pieter, it worked. :)
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran
