
Thread: hijackthis help

  1. #1

    hijackthis help

    Has anyone used hijackthis? I've downloaded it, but don't know what's good from bad. When I first start the computer up, it brings up an internet explorer page for a gay porn site. Really like to get rid of this, but am not sure how. I've got Spybot S&D, Ad-Aware, Hijackthis, and SpywareBlaster trying to figure this thing out. I'm running Windows XP Home Edition if that helps any. The scan file it brings up is this:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:31:37 PM, on 8/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\System32\wvmgtxagfum.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\svchosts.exe
    C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\puw.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Documents and Settings\Dawg\Application Data\ttuh.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    c:\windows\config\mt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Iomega\Tools\imgicon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\Dawg\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1AA43E7A-E849-74B6-DB55-67557CAC2D3D} - C:\WINDOWS\System32\twb.dll
    O2 - BHO: (no name) - {1EFE3420-E810-21BC-D555-67557CAC2D3D} - C:\WINDOWS\System32\ftfwf.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [WindowsReg% update] wvmgtxagfum.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Microsoft WinUpdate] svchosts.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
    O4 - HKLM\..\RunServices: [WindowsReg% update] wvmgtxagfum.exe
    O4 - HKLM\..\RunServices: [Microsoft WinUpdate] svchosts.exe
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
    O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
    O4 - HKCU\..\Run: [WindowsReg% update] wvmgtxagfum.exe
    O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
    O4 - HKCU\..\Run: [Microsoft WinUpdate] svchosts.exe
    O4 - HKCU\..\Run: [Cghpzsyz] C:\WINDOWS\System32\puw.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dawg\Application Data\ttuh.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Iomega Icons.lnk = ?
    O4 - Global Startup: Iomega QuikSync.lnk = ?
    O4 - Global Startup: Iomega Startup Options.lnk = ?
    O4 - Global Startup: IomegaWare.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.hotmail.com
    O15 - Trusted Zone: http://www.spychecker.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...213.4012731481
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset//...l/gtdowngc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AFBF55C-D974-49B7-A1B8-003685491BF2}: NameServer = 4.2.2.65,4.2.2.5

    Anything look bad on there??? I'm clueless here. Thanks for any help in advance.

  2. #2
    I've also got a startup list from Hijackthis if that would help any.

  3. #3
    I'd suggest Adaware from Lavasoft: http://www.lavasoft.de/software/adaware/

    Give it a try, it's free for personal use.

  4. #4
    Apex
    Code:
    O2 - BHO: (no name) - {1AA43E7A-E849-74B6-DB55-67557CAC2D3D} - C:\WINDOWS\System32\twb.dll
    O2 - BHO: (no name) - {1EFE3420-E810-21BC-D555-67557CAC2D3D} - C:\WINDOWS\System32\ftfwf.dll
    Code:
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    They look a bit sus to me

    Code:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
    Nothing too bad...but does not tell us why you get the site you are.

    Can you post what is in your hosts file?

    It is located in

    Code:
    C:\WINDOWS\system32\drivers\etc\
    and it's called "Hosts"

    If you can't view it you might have to turn show "system files" on

    Andrew

  5. #5
    I've already tried Adaware, doesn't clean my problem up.

    Apex, don't know why, but I tried installing a program with a license on it, and was supposed to be able to get around the licensing issue, but never could. Wound up deleting the program, but ever since, the System32 Folder pops up every time I log onto my account. That may cover your first few concerns. As for the host file, I'll get to it in a couple hours when I go home for lunch.

    Thanks for the help though. I'll get the hosts file at lunch. The next few posts will cover the startup list. Couldn't post it in one shot, too many words. Hope I don't flood everyone with too much info.
    Last edited by carrcn; 19-08-2004 at 06:45 PM.

  6. #6
    too much info, deleted everything
    Last edited by carrcn; 19-08-2004 at 09:02 PM.

  7. #7
    too much info, deleted everything
    Last edited by carrcn; 19-08-2004 at 09:01 PM.

  8. #8
    too much info, deleted everything
    Last edited by carrcn; 19-08-2004 at 09:01 PM.

  9. #9
    too much info, deleted everything
    Last edited by carrcn; 19-08-2004 at 09:01 PM.

  10. #10
    Okay, here's my Hosts file:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

  11. #11
    Apex
    So it's not a hosts hijack...

  12. #12
    dpm
    In addition to the entries Apex has flagged up, it looks like you are infected with (at least) a couple of viruses.

    You've got three run instances of 'svchosts.exe' (as opposed to svchost.exe, which is a legitimate Microsoft process). svchosts.exe is a trojan, and very bad news - your anti-virus should have picked up on it.

    O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
    (also three instances) is also a trojan/worm, and needs to be removed.

    I don't recognize "O4 - HKLM\..\Run: [WindowsReg% update] wvmgtxagfum.exe" , but it looks very suspicious - The registry doesn't need updating every time windows starts, and the randomised file name is a hallmark of viruses.

    If you aren't already running one, you need to run (and keep updated) a good antivirus as well as adaware and spybot. If you are running one then you should check that it has the latest updates.

    If you don't have one then Avast antivirus and AVG antivirus are both good, free, antivirus tools.

    When you've scanned for viruses and removed them, run HijackThis again and post your log.

  13. #13
    dpm
    Also,
    O4 - HKCU\..\Run: [Cghpzsyz] C:\WINDOWS\System32\puw.exe
    and
    O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dawg\Application Data\ttuh.exe

    look suspicious. Do you know if either of them are legitimate programmes?

    Further,
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset/...ll/gtdowngc.cab
    and
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
    look like spyware / browser hijackers to me. Do the programme names mean anything to you?
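Added example, not written by any poster in this thread: a small Python triage script that parses HijackThis O4 lines and applies the checks dpm and Apex describe in #12 and #13: a one-character lookalike of a genuine system binary (svchosts.exe vs svchost.exe), a Microsoft/Windows-branded label that launches a bare filename with no path, a vowel-poor randomised name, and an executable that runs from the user's profile. The sample lines are copied from the log in #1; the thresholds and the KNOWN_SYSTEM allowlist are assumptions of this example, not rules from HijackThis itself.

```python
import re
# Constructed sample in HijackThis v1.97 O4 format, copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [WindowsReg% update] wvmgtxagfum.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] svchosts.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dawg\Application Data\ttuh.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
"""
# Assumed allowlist: genuine Windows binaries whose names malware imitates (svchosts.exe vs svchost.exe).
KNOWN_SYSTEM = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe", "rundll32.exe", "msmsgs.exe"}
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|scr|com))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; distance 1 to a system binary marks a lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_o4(line):
    """Split an O4 line into its label and the module it launches; None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    label, cmd = m.group(3, 4)
    if cmd.startswith('"'):                       # quoted path, may contain spaces
        exe = cmd[1:cmd.index('"', 1)]
    else:                                         # unquoted: stop at the first module extension
        e = EXE_RE.match(cmd)
        exe = e.group(1) if e else (cmd.split() or [""])[0]
    return {"label": label, "exe": exe, "base": exe.rsplit("\\", 1)[-1].lower()}

def reasons_for(entry):
    """Apply the heuristics the thread uses; an empty list means nothing stood out."""
    base, exe, label, out = entry["base"], entry["exe"], entry["label"], []
    if base not in KNOWN_SYSTEM:
        out += [f"lookalike of {k}" for k in sorted(KNOWN_SYSTEM) if edit_distance(base, k) == 1]
        stem = base.rsplit(".", 1)[0]             # vowel-poor names like wvmgtxagfum look generated
        if stem.isalpha() and len(stem) >= 7 and sum(c in "aeiou" for c in stem) / len(stem) < 0.25:
            out.append("random-looking filename")  # weak signal: abbreviations trip it too
    if re.search(r"microsoft|windows|update", label, re.I) and "\\" not in exe:
        out.append("vendor-style label but bare filename")
    if re.search(r"\\(documents and settings|application data)\\", exe, re.I):
        out.append("runs from user profile")
    return out

def triage(log_text):
    """Map each O4 label to its executable and the reasons it was flagged."""
    return {e["label"]: {"exe": e["exe"], "reasons": reasons_for(e)}
            for e in map(parse_o4, log_text.splitlines()) if e}
```

The output is a triage aid for whoever reads the log, not a verdict: the randomised-name check in particular fires on legitimate abbreviated names, which is why the allowlist is there.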

  14. #14
    Apex
    Was going to point them out...but now you have

  15. #15
    No, neither of these programs mean anything to me, but I'm running Symantec Norton right now to see what it picks up. Spybot does catch the Media Tickets thing, but won't ever remove it permanently.

    That second one you pointed out kind of got chopped up, maybe this will make more sense if you see the whole thing??? Here it is:

    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System
    Administrator Control) -
    http://206.65.172.231/check/netset//...l/gtdowngc.cab

    Well, I can't get this line to come up in full, but the //...ll/ is //install/

    Thanks for all the help. I'll post the hijackthis file again when I track these viruses down.
    Last edited by carrcn; 21-08-2004 at 07:40 AM.

  16. #16
    Well, Symantec Antivirus Corporate Edition won't find any viruses. The trojan horse I've got on my computer is even on their website and they have instructions on how to remove it, but it won't even find it. I've done the deep scan with it and everything. Won't find a single thing wrong. My last option is to reformat my hard drive and re-install Windows.
