Hello you great people;

I have been hijacked by http://th.msie.cc/index.php?aid=20035 and of course am thouroghly annoyed. I have read your previous threads on this issue but would like to be sure that I don't delete something I need.

I have adaware, spyware blaster, spybot and hijack this all downloaded and the print out for the hijack this is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\goodsol99\goodsol99.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Ex

I would be oh so grateful if you guys could offer a little advice as to what I should do next! I am so frustrated with this and want this page off of my computer for ever!!!
Whicked

PS you guys are fab for offering this service to us frustrated non-techies

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)

ok go to run type regedit, browse, down to HKCU\Software\Microsoft\Internet Explorer then edit the key for main search bar, and put about:blank in there insted

good luck

also wtf is

C:\Program Files\NavNT\defwatch.exe, C:\WINDOWS\System32\MsgSys.EXE and C:\Program Files\goodsol99\goodsol99.exe

Hello suRoot;
Thanks for your input but I am already running into problems. I hit run then type regedit and then browse but the option of HKCU\Software is not an option for me. I don't know if I am browsing in the wrong area or have missed a step or what? Oh and to answer your second post I don't know wtf \nav\nt\defwatch.exe or windows\sys32\msgsys.exe is but I do know that good sol99 is a card game I downloaded a long time ago ( a pretty good game)

Thanks for your help and if I could just get a wee bit more
Whicked

That doesn't look anywhere near a full log. Try this anyway.
Download CWShredder from http://209.133.47.200/~merijn/files/CWShredder.exe & run it. Select the fix button & it will get rid of everything related to CoolWebSearch. Close ALL other programs including IE before running CWShredder. Reboot after doing this & post another log FULL please.

Hello Crunchie;
you wonderful human being you!!! It worked!! At first I was skeptical because I downloaded so many spy ware type software programs hoping to fix this thing (hijack this being one of the most informative) so when you recomended another download I was skeptical. Anyway, I downloaded it and ran the program and in a matter of minutes the whole thing was gone. My home page sticks now when I select it and I even went in and updated the other users page too so I or we never had to see that page again. I ran hijack this again and saved a new log which I will print out for you now but I think the problem is solved. Thank-you so much for your help. I have been very frustrated with this stupid page and never visited any of the links on the page just to spite them. Even thought about opening a fake account just to send them nasty stuff but I digress1 Anyway thanks again.
Whicked
Logfile of HijackThis v1.97.7
Scan saved at 9:39:24 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.7812847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

That looks like a clean log now. I would advise you to go to the Microsoft site & do a Windows update. That will fix the hole where the CoolWebSearch infection gets in.

I missed one. Please do the following.

Go to Task Manager & stop this process=
C:\WINDOWS\System32\wuamgrd.exe< this one

Have only HJT running & fix these entries=

O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 & navigate to & delete
C:\WINDOWS\System32\wuamgrd.exe< this one

Reboot normally & post a new log so I can make sure it's gone.

I've registered simply to thank and praise crunchie. Far from a competant techie I encountered the same problem raised by this post. You advice helped me remedy the problem. Thanks.

I agree!
Crunchie has been absolutely wonderful in fixing this problem that had me pulling my hair out. In the end it was just a simple download and install that took all of 5 minutes and all the problems were gone. I have since went to Windows update and updated security to help with filling in the hole. Thanks again Crunchie!

You really helped me out!
Whicked

Download and install these two FREE programs to help stop Spyware .


Spywareblaster


SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Stop it you guys, you're embarrassing me. I'm just glad that I could be of help. Thanx should mainly go to this site for allowing ppl to help each other out.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.