hijackthis help

[carrcn]

Has anyone used hijackthis? I've downloaded it, but don't know what's good from bad. When I first start the computer up, it brings up an internet explorer page for a gay porn site. Really like to get rid of this, but am not sure how. I've got Spybot S&D, Ad-Aware, Hijackthis, and SpywareBlaster trying to figure this thing out. I'm running Windows XP Home Edition if that helps any. The scan file it brings up is this:

Logfile of HijackThis v1.97.7
Scan saved at 12:31:37 PM, on 8/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\wvmgtxagfum.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\svchosts.exe
C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\puw.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Dawg\Application Data\ttuh.exe
C:\WINDOWS\System32\RUNDLL32.EXE
c:\windows\config\mt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Iomega\Tools\imgicon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Dawg\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1AA43E7A-E849-74B6-DB55-67557CAC2D3D} - C:\WINDOWS\System32\twb.dll
O2 - BHO: (no name) - {1EFE3420-E810-21BC-D555-67557CAC2D3D} - C:\WINDOWS\System32\ftfwf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WindowsReg% update] wvmgtxagfum.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] svchosts.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
O4 - HKLM\..\RunServices: [WindowsReg% update] wvmgtxagfum.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] svchosts.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [Microsoft DirectX] PDSched.exe
O4 - HKCU\..\Run: [WindowsReg% update] wvmgtxagfum.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Microsoft WinUpdate] svchosts.exe
O4 - HKCU\..\Run: [Cghpzsyz] C:\WINDOWS\System32\puw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dawg\Application Data\ttuh.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Iomega Icons.lnk = ?
O4 - Global Startup: Iomega QuikSync.lnk = ?
O4 - Global Startup: Iomega Startup Options.lnk = ?
O4 - Global Startup: IomegaWare.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.spychecker.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...213.4012731481
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset//...l/gtdowngc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AFBF55C-D974-49B7-A1B8-003685491BF2}: NameServer = 4.2.2.65,4.2.2.5

Anything look bad on there??? I'm clueless here. Thanks for any help in advance.

[carrcn]

I've also got a startup list from Hijackthis if that would help any.

[Nomadd]

I'd suggest Adaware from Lavasoft:http://www.lavasoft.de/software/adaware/

Give it a try, it's free for personal use..

[Apex]

Code:

O2 - BHO: (no name) - {1AA43E7A-E849-74B6-DB55-67557CAC2D3D} - C:\WINDOWS\System32\twb.dll
O2 - BHO: (no name) - {1EFE3420-E810-21BC-D555-67557CAC2D3D} - C:\WINDOWS\System32\ftfwf.dll

Code:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

They look a bit sus to me

Code:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/

Nothing too bad...but doesn not tell us why you get the site you are.

Can you post what is in your host file ?

it is located in

Code:

C:\WINDOWS\system32\drivers\etc\

and it's called "Hosts"

If you carn't view it you might have to turn show "system files" on

Andrew

[carrcn]

I've already tried Adaware, doesn't clean my problem up.

Apex, don't know why, but I tried installing a program with a license on it, and was supposed to be able to get around the licensing issue, but never could. Wound up deleting the program, but ever since, the System32 Folder pops up every time I log onto my account. That may cover your first few concerns. As for the host file, I'll get to it in a couple hours when I go home for lunch.

Thanks for the help though. I'll get the hosts file at lunch. The next few posts will cover the startup list. Couldn't post it in one shot, too many words. Hope I don't flood everyone with too much info.

[carrcn]

too much info, deleted everything

[carrcn]

too much info, deleted everything

[carrcn]

too much info, deleted everything

[carrcn]

too much info, deleted everything

[carrcn]

okay, here's my Hosts file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

[Apex]

so it's not a host hijack........

[dpm]

In addition to the entries Apex has flagged up, it looks like you are infected with (at least) a couple of viruses.

You've got three run instances of 'svchosts.exe' (as opposed to svchost.exe, which is a legitimate Microsoft process). svchosts.exe is a trojan, and very bad news - your anti-virus should have picked up on it.

O4 - HKLM\..\RunServices: [Microsoft DirectX] PDSched.exe
(also three instances) is also a trojan/worm, and needs to be removed.

I don't recognize "O4 - HKLM\..\Run: [WindowsReg% update] wvmgtxagfum.exe" , but it looks very suspicious - The registry doesn't need updating every time windows starts, and the randomised file name is a hallmark of viruses.

If you aren't already running one, you need to run (and keep updated) a good antivirus as well as adaware and spybot. If you are running one then you should check that it has the latest updates.

If you don't have one then Avast antivirus and AVG antivirus are both good, free, antivirus tools.

when you've scanned for viruses and removed them, run hijack this again, and post your log

[dpm]

Also,
O4 - HKCU\..\Run: [Cghpzsyz] C:\WINDOWS\System32\puw.exe
and
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Dawg\Application Data\ttuh.exe

look suspicious. Do you know if either of them are legitimate programmes?

Further,
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System Administrator Control) - http://206.65.172.231/check/netset/...ll/gtdowngc.cab
and
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
look like spyware / browser hijackers to me. Do the programme names mean anything to you?

[Apex]

Was going to point them out...but now you have

[carrcn]

No, neither of these programs mean anything to me, but I'm running Symantec Norton right now to see what it picks up. Spybot does catch the Media Tickets thing, but won't ever remove it permanently.

That second one you pointed out kind of got chopped up, maybe this will make more sense if you see the whole thing??? Here it is:

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} (Personal System
Administrator Control) -
http://206.65.172.231/check/netset//...l/gtdowngc.cab

Well, I can't get this line to come up in full, but the //...ll/ is //install/

Thanks for all the help. I'll post the hijackthis file again when I track these viruses down.

[carrcn]

Well, Symantec Antivirus Corporate Edition won't find any viruses. The trojan horse I've got on my computer is even on their website and they have instructions on how to remove it, but it won't even find it. I've done the deep scan with it and everything. Won't find a single thing wrong. My last option is to reformat my hard drive and re-install Windows.