 |  |  |  |  |  |  |  |
IE is hijacked by http://th.msie.cc/index.php?aid=20035
Thread Solved |
Hello you great people;
I have been hijacked by http://th.msie.cc/index.php?aid=20035 and of course am thouroghly annoyed. I have read your previous threads on this issue but would like to be sure that I don't delete something I need.
I have adaware, spyware blaster, spybot and hijack this all downloaded and the print out for the hijack this is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\goodsol99\goodsol99.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Ex
I would be oh so grateful if you guys could offer a little advice as to what I should do next! I am so frustrated with this and want this page off of my computer for ever!!!
Whicked
PS you guys are fab for offering this service to us frustrated non-techies
I have been hijacked by http://th.msie.cc/index.php?aid=20035 and of course am thouroghly annoyed. I have read your previous threads on this issue but would like to be sure that I don't delete something I need.
I have adaware, spyware blaster, spybot and hijack this all downloaded and the print out for the hijack this is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\goodsol99\goodsol99.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Ex
I would be oh so grateful if you guys could offer a little advice as to what I should do next! I am so frustrated with this and want this page off of my computer for ever!!!
Whicked
PS you guys are fab for offering this service to us frustrated non-techies
•
•
Join Date: Apr 2004
Posts: 210
Reputation: 
Solved Threads: 9
Posting Whiz in Training
•
•
•
•
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
good luck
•
•
Join Date: Apr 2004
Posts: 210
Reputation:
Solved Threads: 9
Posting Whiz in Training
also wtf is
•
•
•
•
C:\Program Files\NavNT\defwatch.exe, C:\WINDOWS\System32\MsgSys.EXE and C:\Program Files\goodsol99\goodsol99.exe
Hello suRoot;
Thanks for your input but I am already running into problems. I hit run then type regedit and then browse but the option of HKCU\Software is not an option for me. I don't know if I am browsing in the wrong area or have missed a step or what? Oh and to answer your second post I don't know wtf \nav\nt\defwatch.exe or windows\sys32\msgsys.exe is but I do know that good sol99 is a card game I downloaded a long time ago ( a pretty good game)
Thanks for your help and if I could just get a wee bit more
Whicked
Thanks for your input but I am already running into problems. I hit run then type regedit and then browse but the option of HKCU\Software is not an option for me. I don't know if I am browsing in the wrong area or have missed a step or what? Oh and to answer your second post I don't know wtf \nav\nt\defwatch.exe or windows\sys32\msgsys.exe is but I do know that good sol99 is a card game I downloaded a long time ago ( a pretty good game)
Thanks for your help and if I could just get a wee bit more
Whicked
•
•
Join Date: Feb 2004
Posts: 10,112
Reputation: 
Solved Threads: 769
That doesn't look anywhere near a full log. Try this anyway.
Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log FULL please.
Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log FULL please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Hello Crunchie;
you wonderful human being you!!! It worked!! At first I was skeptical because I downloaded so many spy ware type software programs hoping to fix this thing (hijack this being one of the most informative) so when you recomended another download I was skeptical. Anyway, I downloaded it and ran the program and in a matter of minutes the whole thing was gone. My home page sticks now when I select it and I even went in and updated the other users page too so I or we never had to see that page again. I ran hijack this again and saved a new log which I will print out for you now but I think the problem is solved. Thank-you so much for your help. I have been very frustrated with this stupid page and never visited any of the links on the page just to spite them. Even thought about opening a fake account just to send them nasty stuff but I digress1 Anyway thanks again.
Whicked
Logfile of HijackThis v1.97.7
Scan saved at 9:39:24 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...068.7812847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
you wonderful human being you!!! It worked!! At first I was skeptical because I downloaded so many spy ware type software programs hoping to fix this thing (hijack this being one of the most informative) so when you recomended another download I was skeptical. Anyway, I downloaded it and ran the program and in a matter of minutes the whole thing was gone. My home page sticks now when I select it and I even went in and updated the other users page too so I or we never had to see that page again. I ran hijack this again and saved a new log which I will print out for you now but I think the problem is solved. Thank-you so much for your help. I have been very frustrated with this stupid page and never visited any of the links on the page just to spite them. Even thought about opening a fake account just to send them nasty stuff but I digress1 Anyway thanks again.
Whicked
Logfile of HijackThis v1.97.7
Scan saved at 9:39:24 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...068.7812847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
•
•
Join Date: Feb 2004
Posts: 10,112
Reputation:
Solved Threads: 769
That looks like a clean log now. I would advise you to go to the Microsoft site & do a Windows update. That will fix the hole where the CoolWebSearch infection gets in.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
•
•
Join Date: Feb 2004
Posts: 10,112
Reputation:
Solved Threads: 769
I missed one. Please do the following.
Go to Task Manager & stop this process=
C:\WINDOWS\System32\wuamgrd.exe< this one
Have only HJT running & fix these entries=
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT...01052409420406 & navigate to & delete
C:\WINDOWS\System32\wuamgrd.exe< this one
Reboot normally & post a new log so I can make sure it's gone.
Go to Task Manager & stop this process=
C:\WINDOWS\System32\wuamgrd.exe< this one
Have only HJT running & fix these entries=
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT...01052409420406 & navigate to & delete
C:\WINDOWS\System32\wuamgrd.exe< this one
Reboot normally & post a new log so I can make sure it's gone.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
 |
Similar Threads
- IE Address Bar hijacked by http://s5.th.msie.cc/ index.php (CWShredder.exe) (Viruses, Spyware and other Nasties)
- PLeeaze help me with this hijacklog (http://th.msie.cc/ index.php?aid=20038 ) (Viruses, Spyware and other Nasties)
- http://www.th.msie.cc/ index.php?aid=579 (Viruses, Spyware and other Nasties)
- Redirection to http://th.msie.cc/index.php?aid=20038 (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: HijackThis log - need to know what to do next
- Next Thread: HijackThis Guide
Views: 7208 | Replies: 12
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
acrobat adobe adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial conficker connect control cyber cybercrime cyberwarfare ddos education email europe exam exploit fake fancheckvirus firefox gaming gtaiv halloween herss.exe hijack hosting internet iphone kaspersky legal malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile parents patch pc pdf phishing police policeprovirusmba-mblockedinternetaccess president pro redirect report research rogueantivirus rootkit samhain sans search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen threat translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista volume vulnerability war warning windows worm yahoo zero-day zeroday
