
Hello you great people;

I have been hijacked by http://th.msie.cc/index.php?aid=20035 and of course am thoroughly annoyed. I have read your previous threads on this issue but would like to be sure that I don't delete something I need.

I have adaware, spyware blaster, spybot and hijack this all downloaded and the print out for the hijack this is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\goodsol99\goodsol99.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nexfcs.t.muxa.cc/s.php?aid=35 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Ex

I would be oh so grateful if you guys could offer a little advice as to what I should do next! I am so frustrated with this and want this page off of my computer forever!!!
Whicked

PS you guys are fab for offering this service to us frustrated non-techies


also wtf is

C:\Program Files\NavNT\defwatch.exe, C:\WINDOWS\System32\MsgSys.EXE and C:\Program Files\goodsol99\goodsol99.exe


Hello suRoot;
Thanks for your input, but I am already running into problems. I hit Run, then type regedit and then browse, but HKCU\Software is not an option for me. I don't know if I am browsing in the wrong area or have missed a step or what? Oh, and to answer your second post: I don't know wtf \nav\nt\defwatch.exe or windows\sys32\msgsys.exe is, but I do know that goodsol99 is a card game I downloaded a long time ago (a pretty good game).

Thanks for your help and if I could just get a wee bit more
Whicked


Hello Crunchie;
you wonderful human being you!!! It worked!! At first I was skeptical because I downloaded so many spyware-type software programs hoping to fix this thing (HijackThis being one of the most informative), so when you recommended another download I was skeptical. Anyway, I downloaded it and ran the program and in a matter of minutes the whole thing was gone. My home page sticks now when I select it, and I even went in and updated the other users' page too so I or we never have to see that page again. I ran HijackThis again and saved a new log which I will print out for you now, but I think the problem is solved. Thank you so much for your help. I have been very frustrated with this stupid page and never visited any of the links on the page just to spite them. Even thought about opening a fake account just to send them nasty stuff, but I digress! Anyway, thanks again.
Whicked
Logfile of HijackThis v1.97.7
Scan saved at 9:39:24 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Rhonda\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38068.7812847222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


That looks like a clean log now. I would advise you to go to the Microsoft site & do a Windows update. That will fix the hole where the CoolWebSearch infection gets in.


I missed one. Please do the following.

Go to Task Manager & stop this process=
C:\WINDOWS\System32\wuamgrd.exe< this one

Have only HJT running & fix these entries=

O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe

Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 & navigate to & delete
C:\WINDOWS\System32\wuamgrd.exe< this one

Reboot normally & post a new log so I can make sure it's gone.
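Added example, not code from this thread or from HijackThis: a small Python triage script for HijackThis O4 lines, run over a constructed sample copied from the log above. It flags the two things crunchie caught by eye: a Run value that is a bare filename with no path, and one entry name registered in several autostart keys at once.

```python
import re

# Constructed sample: O4 lines taken from the HijackThis log posted above.
# Only registry Run/RunServices lines are parsed; Startup-folder O4 lines are not covered.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')

def parse_o4(log_text):
    """Return a list of dicts (hive, key, name, cmd) for every registry O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def image_of(cmd):
    """Return the executable part of a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(' ')[0]

def suspicious_o4(entries):
    """Flag values whose executable has no directory (resolved by PATH search at
    logon, which is how wuamgrd.exe hid among real Windows files) and names that
    appear in more than one autostart key, which legitimate installers rarely do."""
    by_name = {}
    for e in entries:
        by_name.setdefault(e['name'], []).append(e['hive'] + '\\' + e['key'])
    findings = []
    for e in entries:
        reasons = []
        if '\\' not in image_of(e['cmd']):
            reasons.append('bare filename, no path')
        if len(by_name[e['name']]) > 1:
            reasons.append('same name in %d autostart keys' % len(by_name[e['name']]))
        if reasons:
            findings.append((e['hive'] + '\\' + e['key'], e['name'], image_of(e['cmd']), reasons))
    return findings

if __name__ == '__main__':
    for loc, name, image, reasons in suspicious_o4(parse_o4(SAMPLE_LOG)):
        print('%-18s [%s] %s -> %s' % (loc, name, image, '; '.join(reasons)))
```

On the sample it reports exactly the three "Microsoft DirectX" entries pointing at wuamgrd.exe and nothing else.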


I've registered simply to thank and praise crunchie. Far from a competent techie, I encountered the same problem raised by this post. Your advice helped me remedy the problem. Thanks.


I agree!
Crunchie has been absolutely wonderful in fixing this problem that had me pulling my hair out. In the end it was just a simple download and install that took all of 5 minutes and all the problems were gone. I have since gone to Windows Update and updated security to help with filling in the hole. Thanks again Crunchie!

You really helped me out!
Whicked


Stop it you guys, you're embarrassing me. I'm just glad that I could be of help. Thanx should mainly go to this site for allowing ppl to help each other out.
