Help! Still Hijacked!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

nolly

Thread Starter
Joined
Dec 27, 2003
Messages
123
I think that perhaps I didn't remove all the hijackers last time-my browser is still going crazy :( .Can someone help me with my log?

Logfile of HijackThis v1.97.7
Scan saved at 3:14:21 PM, on 21/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Owner\Application Data\ttuh.exe
C:\WINDOWS\System32\wnsapisv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\TEMP\Rem197.exe
C:\Program Files\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.persephones-closet.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sympatico.ca/
O2 - BHO: (no name) - {0B23B513-E52D-7A53-1E99-E7EC7E90F235} - C:\PROGRA~1\ONLINE~2\Beep Real.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: name store - {661F58A6-BE2B-E950-A589-84CDB568FE5E} - C:\PROGRA~1\ONLINE~2\Beep Real.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Pokebarb] C:\PROGRA~1\book two wma\Interplan.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4193981482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA197FEB-DC59-4303-8986-D81FBC57795C}: NameServer = 209.226.175.224 198.235.216.110
 

nolly

Thread Starter
Joined
Dec 27, 2003
Messages
123
Ok. I've run AAW and SS&D and AAW couldn't remove some items. Here is my new HT log:

Logfile of HijackThis v1.97.7
Scan saved at 4:22:30 PM, on 21/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.persephones-closet.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sympatico.ca/
O2 - BHO: (no name) - {0B23B513-E52D-7A53-1E99-E7EC7E90F235} - C:\PROGRA~1\ONLINE~2\Beep Real.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: name store - {661F58A6-BE2B-E950-A589-84CDB568FE5E} - C:\PROGRA~1\ONLINE~2\Beep Real.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38096.4193981482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA197FEB-DC59-4303-8986-D81FBC57795C}: NameServer = 209.226.175.224 198.235.216.110

What should I remove? Should I reboot into safe mode & delete anything? Any help would be appreciated.
Thanks,
Nolly
 
Joined
Dec 9, 2000
Messages
45,855
Perhaps the file has already been removed and only this registry entry remains, check and fix it in HijackThis and verify the file has been deleted:

4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisv.exe

Also, do you know what this BHO and Toolbar entry is? I can't find any curernt hits for it:

O2 - BHO: (no name) - {0B23B513-E52D-7A53-1E99-E7EC7E90F235} - C:\PROGRA~1\ONLINE~2\Beep Real.dll
O3 - Toolbar: name store - {661F58A6-BE2B-E950-A589-84CDB568FE5E} - C:\PROGRA~1\ONLINE~2\Beep Real.dll

If you don't, close the browser and check and fix those as well.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top