My internet connection keeps changing
bukem
Hello all

My internet connection details keep changing. My ISP phone number, my password and username. This is becoming very frustrating and I don't know if it might be costing me money as I am not sure at any time which connection I am on. With some fiddling around I can (I think) get the ISP that I want but even then if I go to my network settings whilst online the da** thing has changed back to the hijack. Can someone please help.

Here is my hijackthis log

Logfile of HijackThis v1.97.7
Scan saved at 16:35:55, on 14/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\lwbwheel.exe
C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\KbdAp32A.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MARTIN\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DATABA~1\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\lwbwheel.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\Trust\305KS WIRELESS OPTICAL DESKSET\KbdAp32A.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c30 -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9348188D-EF04-44D4-B357-16C3E41D1599}: NameServer = 194.168.4.100 194.168.8.100
LoPhatPhuud
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c30 -w

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab


Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\explorer.exe (be careful, the real file is in c:\windows\)

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://209.133.47.12/~merijn/files/HijackThis.exe
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html

Run HiJackThis again and post a new log in this thread.
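
The check behind the O4 entries flagged in the reply above, as an added example that is not part of the original post or of HijackThis: it parses O4 autorun lines and flags a Windows binary name started from a directory other than its usual one, or an entry that gives no directory at all. The expected-directory table and the function name `triage` are assumptions of this example.

```python
import ntpath
import re

# Usual directory of Windows binaries whose names malware often borrows.
# Assumed short list for this example; extend it for real triage.
EXPECTED_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# HijackThis autorun line:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path at the start of the command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)\b', re.IGNORECASE)

# O4 lines copied from the log posted in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\system32\explorer.exe -go -c30 -w
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

def triage(log_text):
    """Return (entry name, reason) pairs that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry Run entry
        exe = EXE_RE.match(m["cmd"])
        path = (exe["path"] if exe else m["cmd"]).lower()
        directory, image = ntpath.split(path)
        expected = EXPECTED_DIR.get(image)
        if expected and directory != expected:
            findings.append((m["name"], f"{image} runs from {directory or '(no path)'}, expected {expected}"))
        elif not directory:
            # Bare file name: Windows resolves it through the search path,
            # so the log alone does not say which file starts. Review, not a verdict.
            findings.append((m["name"], "no directory given"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_O4):
        print(f"{name}: {reason}")
```
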
bukem
Hi lophatphuud

I have done as you suggested. But I'm afraid my bottle went when it came to deleting files from my hard drive. This is what you said:

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\explorer.exe (be careful, the real file is in c:\windows\)

I'm not really sure how to access these files, this is what I did. I went into my computer then to my C: drive, I selected the windows folder and found systems 32 folder amongst hundreds of others. When I found VTTimer.exe and explorer.exe inside that, they had both been installed before this problem started. The VTTimer.exe is a graphics programme and the thought of deleting explorer.exe and not being able to access the net at all would mean no more contact with yourself and an even bigger problem.
I just need to be sure that I'm doing the right thing.
LoPhatPhuud
OK on VTTimer.exe, go ahead and leave it. I've seen both good and bad.

Re explorer.exe, the file you want to delete is c:\windows\explorer.exe. The one in the system32 folder is your real windows file. I doubt that windows will let you delete it, but please be careful.

Boot into Safe Mode and delete c:\windows\explorer.exe.

Then post a new log in this thread.