Please support our Viruses, Spyware and other Nasties advertiser: 64-bit Windows Community
Views: 6411 | Replies: 12 | Solved
 |
•
•
Join Date: Apr 2004
Posts: 5
Reputation: 
Rep Power: 0
Solved Threads: 0
Newbie Poster
IE is hijacked by http://th.msie.cc/index.php?aid=20035 Hello you great people;
I have been hijacked by http://th.msie.cc/index.php?aid=20035 and of course am thouroghly annoyed. I have read your previous threads on this issue but would like to be sure that I don't delete something I need.
I have adaware, spyware blaster, spybot and hijack this all downloaded and the print out for the hijack this is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\goodsol99\goodsol99.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Ex
I would be oh so grateful if you guys could offer a little advice as to what I should do next! I am so frustrated with this and want this page off of my computer for ever!!!
Whicked
PS you guys are fab for offering this service to us frustrated non-techies
I have been hijacked by http://th.msie.cc/index.php?aid=20035 and of course am thouroghly annoyed. I have read your previous threads on this issue but would like to be sure that I don't delete something I need.
I have adaware, spyware blaster, spybot and hijack this all downloaded and the print out for the hijack this is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\goodsol99\goodsol99.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Ex
I would be oh so grateful if you guys could offer a little advice as to what I should do next! I am so frustrated with this and want this page off of my computer for ever!!!
Whicked
PS you guys are fab for offering this service to us frustrated non-techies
•
•
Join Date: Apr 2004
Posts: 207
Reputation:
Rep Power: 5
Solved Threads: 8
Posting Whiz in Training
•
•
•
•
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
ok go to run type regedit, browse, down to HKCU\Software\Microsoft\Internet Explorer then edit the key for main search bar, and put about:blank in there insted
good luck
•
•
Join Date: Apr 2004
Posts: 207
Reputation:
Rep Power: 5
Solved Threads: 8
Posting Whiz in Training
also wtf is
•
•
•
•
C:\Program Files\NavNT\defwatch.exe, C:\WINDOWS\System32\MsgSys.EXE and C:\Program Files\goodsol99\goodsol99.exe
•
•
Join Date: Apr 2004
Posts: 5
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
Hello suRoot;
Thanks for your input but I am already running into problems. I hit run then type regedit and then browse but the option of HKCU\Software is not an option for me. I don't know if I am browsing in the wrong area or have missed a step or what? Oh and to answer your second post I don't know wtf \nav\nt\defwatch.exe or windows\sys32\msgsys.exe is but I do know that good sol99 is a card game I downloaded a long time ago ( a pretty good game)
Thanks for your help and if I could just get a wee bit more
Whicked
Thanks for your input but I am already running into problems. I hit run then type regedit and then browse but the option of HKCU\Software is not an option for me. I don't know if I am browsing in the wrong area or have missed a step or what? Oh and to answer your second post I don't know wtf \nav\nt\defwatch.exe or windows\sys32\msgsys.exe is but I do know that good sol99 is a card game I downloaded a long time ago ( a pretty good game)
Thanks for your help and if I could just get a wee bit more
Whicked
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,121
Reputation:
Rep Power: 23
Solved Threads: 468
That doesn't look anywhere near a full log. Try this anyway.
Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log FULL please.
Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log FULL please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Apr 2004
Posts: 5
Reputation:
Rep Power: 0
Solved Threads: 0
Newbie Poster
Hello Crunchie;
you wonderful human being you!!! It worked!! At first I was skeptical because I downloaded so many spy ware type software programs hoping to fix this thing (hijack this being one of the most informative) so when you recomended another download I was skeptical. Anyway, I downloaded it and ran the program and in a matter of minutes the whole thing was gone. My home page sticks now when I select it and I even went in and updated the other users page too so I or we never had to see that page again. I ran hijack this again and saved a new log which I will print out for you now but I think the problem is solved. Thank-you so much for your help. I have been very frustrated with this stupid page and never visited any of the links on the page just to spite them. Even thought about opening a fake account just to send them nasty stuff but I digress1 Anyway thanks again.
Whicked
Logfile of HijackThis v1.97.7
Scan saved at 9:39:24 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...068.7812847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
you wonderful human being you!!! It worked!! At first I was skeptical because I downloaded so many spy ware type software programs hoping to fix this thing (hijack this being one of the most informative) so when you recomended another download I was skeptical. Anyway, I downloaded it and ran the program and in a matter of minutes the whole thing was gone. My home page sticks now when I select it and I even went in and updated the other users page too so I or we never had to see that page again. I ran hijack this again and saved a new log which I will print out for you now but I think the problem is solved. Thank-you so much for your help. I have been very frustrated with this stupid page and never visited any of the links on the page just to spite them. Even thought about opening a fake account just to send them nasty stuff but I digress1 Anyway thanks again.
Whicked
Logfile of HijackThis v1.97.7
Scan saved at 9:39:24 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...068.7812847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,121
Reputation:
Rep Power: 23
Solved Threads: 468
That looks like a clean log now. I would advise you to go to the Microsoft site & do a Windows update. That will fix the hole where the CoolWebSearch infection gets in.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
•
•
Join Date: Feb 2004
Location: Oztralya
Posts: 8,121
Reputation:
Rep Power: 23
Solved Threads: 468
I missed one. Please do the following.
Go to Task Manager & stop this process=
C:\WINDOWS\System32\wuamgrd.exe< this one
Have only HJT running & fix these entries=
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT...01052409420406 & navigate to & delete
C:\WINDOWS\System32\wuamgrd.exe< this one
Reboot normally & post a new log so I can make sure it's gone.
Go to Task Manager & stop this process=
C:\WINDOWS\System32\wuamgrd.exe< this one
Have only HJT running & fix these entries=
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT...01052409420406 & navigate to & delete
C:\WINDOWS\System32\wuamgrd.exe< this one
Reboot normally & post a new log so I can make sure it's gone.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
|
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Linear Mode
