Hey guys, I've been infected by what I think is a hijacker. I have run Ad-Aware and Spybot and nothing has come up. It affects me every time I view a webpage in IE or Firefox. Downloading via torrents or FlashGet is fine, as is connecting to MSN Messenger. I have attached a screenshot and my HijackThis log. Thank you to anyone who can help me.

Here is a screenshot, and this is my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 6:16:48 PM, on 5/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\acs.exe
E:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
E:\WINDOWS\system32\DVDRAMSV.exe
e:\program files\mcafee.com\agent\mcdetect.exe
e:\PROGRA~1\mcafee.com\vso\mcshield.exe
e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
E:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
E:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\SMSC\CIRHID\V1_0_0000_0\ToshibaRC.exe
E:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
E:\Program Files\Synaptics\SynTP\Toshiba.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Protector Suite QL\psqltray.exe
E:\Program Files\DAEMON Tools\daemon.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
E:\Program Files\McAfee.com\VSO\mcvsshld.exe
E:\Program Files\McAfee.com\VSO\oasclnt.exe
E:\PROGRA~1\mcafee.com\agent\mcagent.exe
e:\progra~1\mcafee.com\vso\mcvsescn.exe
E:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
E:\PROGRA~1\mcafee.com\mps\mscifapp.exe
E:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
E:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
E:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\TOSHIBA\Bluetooth Monitor\BtMon2.exe
E:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
e:\progra~1\mcafee.com\vso\mcvsftsn.exe
E:\WINDOWS\system32\RAMASST.exe
E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
E:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe
E:\WINDOWS\system32\NOTEPAD.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - e:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - e:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - e:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - e:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ToshibaApp] E:\WINDOWS\SMSC\CIRHID\V1_0_0000_0\ToshibaRC.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "E:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "E:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "E:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SmoothView] E:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSQLLauncher] "E:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RegKillElbyCheck] "E:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "E:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "E:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] E:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] E:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] e:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] E:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] e:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] E:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] E:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Phase One Media Reader] E:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKCU\..\Run: [TOSCDSPD] E:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: RAMASST.lnk = E:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Service Manager.lnk = E:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - e:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - e:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148389409562
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: psfus - E:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - E:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - E:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - E:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - e:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - e:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - e:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - E:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - E:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - E:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - E:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - E:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
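A log like the one above is read by section (O2 BHOs, O4 Run keys and startup shortcuts, O20 Winlogon Notify DLLs, O23 services, and so on), and the first pass is mechanical: pull out what each line points at and list the entries a reviewer should look at before anything else. The Python below is an added example written for this thread; it is not HijackThis code and not something the poster or the helper ran. The triage rules (missing target file, unresolved shortcut, Run entry with a bare filename, service with no vendor, any Winlogon Notify or filter entry) are illustrative heuristics that produce review pointers, not verdicts. The sample log is constructed from a handful of lines taken from the log above.

```python
"""Parse a HijackThis v1.99 log and list entries worth a closer look.

Added example for this thread; not HijackThis code. The triage rules are
illustrative heuristics, not a verdict on any entry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


@dataclass
class Entry:
    section: str            # "O2", "O4", "O23", ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # GUID if the line carries one
    target: Optional[str]   # file, command line or URL the entry points at


def _target_of(section: str, body: str) -> Optional[str]:
    """Extract the thing an entry points at, per section layout."""
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            return m.group(4)
        if ".lnk = " in body:          # Startup / Global Startup shortcuts
            return body.split(".lnk = ", 1)[1]
        return None
    if section in ("O2", "O3", "O8", "O9", "O16", "O18", "O20", "O21", "O23"):
        # "name - {CLSID} - path", "name - owner - path", etc.: last field
        return body.rsplit(" - ", 1)[1] if " - " in body else None
    if section == "O12":
        return body.split(": ", 1)[1] if ": " in body else None
    return None


def parse_hjt(text: str) -> Tuple[List[str], List[str], List[Entry]]:
    """Split a log into header lines, running processes and Oxx entries."""
    header, processes, entries = [], [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            mode = "entries"
            sec, body = m.groups()
            c = CLSID_RE.search(body)
            entries.append(Entry(sec, body, c.group(0) if c else None,
                                 _target_of(sec, body)))
        elif line == "Running processes:":
            mode = "procs"
        elif mode == "procs":
            processes.append(line)
        else:
            header.append(line)
    return header, processes, entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for entries a reviewer checks first."""
    findings = []
    for e in entries:
        t = e.target or ""
        exe = t.split(" ")[0].strip('"')
        if t == "(no file)":
            findings.append((e.section, "orphaned entry, target file missing", e.body))
        elif t == "?":
            findings.append((e.section, "shortcut target could not be resolved", e.body))
        elif e.section == "O4" and RUN_RE.match(e.body) and "\\" not in exe:
            findings.append((e.section, "Run entry with bare filename, resolved via PATH", e.body))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append((e.section, "service with no vendor name", e.body))
        elif e.section == "O20":
            findings.append((e.section, "Winlogon Notify DLL loads at logon; verify the file", e.body))
        elif e.section == "O18" and e.body.startswith("Filter hijack"):
            findings.append((e.section, "MIME filter registered; confirm it belongs to installed software", e.body))
    return findings


# Constructed sample: a few lines lifted from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:16:48 PM, on 5/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "E:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - E:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: psfus - E:\WINDOWS\SYSTEM32\psqlpwd.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - E:\WINDOWS\system32\acs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    _, procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for sec, reason, body in triage(ents):
        print(f"[{sec}] {reason}\n    {body}")
```

Run against the sample, the script lists six entries: the BHO with no file, the bare-filename Run entry, the unresolved shortcut, the text/xml filter, the psqlpwd.dll Winlogon Notify entry (the one the helper asks to have scanned next), and the service with no owner. Each of those is a place to verify a file, not a conclusion about it; psqlpwd.dll, for instance, comes back clean later in this thread.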
Hi nano31, please upload this file -> E:\WINDOWS\SYSTEM32\psqlpwd.dll here -> http://www.virustotal.com/flash/index_en.html and send the results here.
Complete scanning result of "psqlpwd.dll", received in VirusTotal at 06.05.2006, 10:57:41 (CET).

Antivirus / Version / Update / Result
AntiVir 6.34.1.37 06.04.2006 no virus found
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.02.2006 no virus found
AVG 386 06.02.2006 no virus found
BitDefender 7.2 06.05.2006 no virus found
CAT-QuickHeal 8.00 06.03.2006 no virus found
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.05.2006 no virus found
eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
eTrust-Vet 12.6.2243 06.05.2006 no virus found
Ewido 3.5 06.05.2006 no virus found
Fortinet 2.77.0.0 06.05.2006 no virus found
F-Prot 3.16f 06.02.2006 no virus found
Ikarus 0.2.65.0 06.02.2006 no virus found
Kaspersky 4.0.2.24 06.05.2006 no virus found
McAfee 4776 06.02.2006 no virus found
Microsoft 1.1441 06.05.2006 no virus found
NOD32v2 1.1578 06.04.2006 no virus found
Norman 5.90.17 06.02.2006 no virus found
Panda 9.0.0.4 06.04.2006 no virus found
Sophos 4.05.0 06.05.2006 no virus found
Symantec 8.0 06.05.2006 no virus found
TheHacker 5.9.8.155 06.05.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.05.2006 no virus found

Aditional Information
File size: 40448 bytes
MD5: 8c337670740f7aee1334aab7b49f442b
SHA1: f4c347f992442bcf63eb4e27dab95898a0bec97f
Ok, nothing there. Please download ewido anti-malware; it is a free version of the program -> http://www.ewido.net/en/download/

1. Install ewido anti-malware.
2. When installing, under "Additional Options" uncheck:
   * Install background guard
   * Install scan via context menu
3. Launch ewido: there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
6. You will need to update ewido to the latest definition files.
   * On the left hand side of the main screen click Update.
   * Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)

If you are having problems with the updater, you can use this link to manually update ewido. ewido manual updates -> http://download.ewido.net/ewido-signatures-full-current.exe
Make sure to close ewido before installing the update.

Once the updates are installed, do the following. Reboot your computer in Safe Mode:

1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.

Then launch ewido:
* Click on Scanner.
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware. Reboot back to normal mode and send the ewido report.
Ok, here is the report. I did a half scan a couple of days ago and it cleaned up some crap. It's still loading up the hijacker.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:27:52 PM, 9/06/2006
+ Report-Checksum: E2E81D6B

+ Scan result:

E:\Documents and Settings\Fernando\Cookies\fernando@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
E:\Documents and Settings\Fernando\Cookies\fernando@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup

::Report End
Is FlashGet a free version? If so, I guess that is the problem. It's bundled with ads. Try LeechGet instead and uninstall FlashGet -> http://www.leechget.net/
Ok, I tried that but nothing helped. I think the problem might be deeper than a little adware hiccup. I think maybe a reboot would be all that will help. Any more help would be much appreciated, and a big thanks -kemisti-.
Well, let's try this. You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here: http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:

1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.