HijackThis Log

Discussion in 'adware, spyware & hijack cleaning' started by cslice, May 5, 2004.

Thread Status:
Not open for further replies.
  1. cslice

    cslice, Registered Member (Joined: Feb 10, 2004; Posts: 15; Location: South-Eastern PA)

    We have a PC here at work that has a win32/bryss.dll.trojan, and a message that a bridge.dll is missing. Adaware and SpybotS&D don't pick up anything, and CA Etrust antivirus picks up the trojan, but doesn't seem to do anything with it. Is there anything in the log below that can correct this? The PC has been disconnected from the network. This seems to be related to some ad program.

    Thanks,
    Craig

    Logfile of HijackThis v1.97.7
    Scan saved at 2:54:04 PM, on 5/5/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

    Running processes:
    C:\Winnt\System32\smss.exe
    C:\Winnt\system32\winlogon.exe
    C:\Winnt\system32\services.exe
    C:\Winnt\system32\lsass.exe
    C:\Winnt\system32\svchost.exe
    C:\Winnt\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
    C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
    C:\CA_LIC\LogWatNT.exe
    C:\Winnt\system32\regsvc.exe
    C:\Winnt\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Winnt\System32\WBEM\WinMgmt.exe
    C:\Winnt\system32\svchost.exe
    C:\Winnt\System32\igfxtray.exe
    C:\Winnt\System32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Winnt\System32\ltmsg.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe
    C:\Program Files\Common Files\slmss\slmss.exe
    C:\Winnt\mwsvm.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Winnt\System32\MsiExec.exe
    C:\Winnt\explorer.exe
    A:\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: 172.16.0.65 MQIPR2
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\Winnt\ieasst.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\Winnt\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Winnt\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\eTrust\INOCUL~1\realmon.exe -s
    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\Winnt\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [Mwsvm] C:\Winnt\mwsvm.exe
    O4 - HKLM\..\Run: [nfoqtakk] C:\Winnt\System32\eammdaxo.exe
    O4 - HKLM\..\Run: [fash] C:\Winnt\fash.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sanderssaws.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{117D4F37-82DB-4643-BE92-5A0EBE13019C}: NameServer = 206.13.29.12,206.13.28.11
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sanderssaws.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{117D4F37-82DB-4643-BE92-5A0EBE13019C}: NameServer = 206.13.29.12,206.13.28.11
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sanderssaws.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{117D4F37-82DB-4643-BE92-5A0EBE13019C}: NameServer = 206.13.29.12,206.13.28.11
     
  2. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,331; Location: Netherlands)

    Hi cslice,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\Winnt\ieasst.dll

    O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\Winnt\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [Mwsvm] C:\Winnt\mwsvm.exe
    O4 - HKLM\..\Run: [nfoqtakk] C:\Winnt\System32\eammdaxo.exe
    O4 - HKLM\..\Run: [fash] C:\Winnt\fash.exe

    Then reboot and delete:
    C:\Program Files\Common Files\slmss <= entire folder
    C:\Winnt\mwsvm.exe
    C:\Winnt\System32\eammdaxo.exe
    C:\Winnt\fash.exe

    Regards,

    Pieter
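
An added example, not part of the thread and not HijackThis code: a Python check that every line in a fix list appears verbatim in the posted scan, and that reports which targeted files are still listed under "Running processes" (Windows keeps a running image locked, so those can only be deleted once the process is no longer started). The log excerpt is a subset of the first post; the function and variable names are illustrative.

```python
import re

# Subset of the scan in the first post: running processes plus O2/O4 lines.
LOG = r"""Running processes:
C:\Winnt\System32\igfxtray.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\Winnt\mwsvm.exe

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\Winnt\ieasst.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Winnt\System32\igfxtray.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\Winnt\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Mwsvm] C:\Winnt\mwsvm.exe
O4 - HKLM\..\Run: [nfoqtakk] C:\Winnt\System32\eammdaxo.exe
O4 - HKLM\..\Run: [fash] C:\Winnt\fash.exe
"""
# Lines the reply says to check: every O2/O4 line above except IgfxTray.
FIX = [l for l in LOG.splitlines() if l[:2] in ("O2", "O4") and "IgfxTray" not in l]

# First drive-letter path ending in .exe/.dll; skips a rundll32 prefix and quotes.
PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)

def parse(log):
    """Return (set of running image paths, {entry line: target path or None})."""
    running, entries, in_procs = set(), {}, False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            running.add(line.lower())  # the log mixes C:\Winnt and C:\WINNT
        elif re.match(r"O\d+ - ", line):
            m = PATH.search(line)
            entries[line] = m.group(0).lower() if m else None
    return running, entries

def triage(log, fix_lines):
    """Return (fix lines absent from the scan, fix targets that are still running)."""
    running, entries = parse(log)
    absent = [l for l in fix_lines if l.strip() not in entries]
    targets = {entries.get(l.strip()) for l in fix_lines} - {None}
    return absent, sorted(targets & running)

if __name__ == "__main__":
    absent, live = triage(LOG, FIX)
    print("not in scan:", absent)
    print("still running:", live)
```
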
     
  3. cslice

    cslice, Registered Member (Joined: Feb 10, 2004; Posts: 15; Location: South-Eastern PA)

    Again, thank you very much. Your advice fully corrected the problem!

    Thanks,
    Craig
     
  4. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,331; Location: Netherlands)

    My pleasure. :cool:

    Pieter
     