Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

All URLs are hijacked. Please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: All URLs are hijacked. Please help

Unread postby tan_pang » November 2nd, 2008, 9:23 pm

I can't see the report...

Can you please copy-paste the result again (with no attachment) in next post? :)

If you didn't have the virustotal report anymore, then you may need to upload the file again...
Regular Member
Posts: 959
Joined: August 12th, 2007, 8:04 am
Register to Remove

Re: All URLs are hijacked. Please help

Unread postby jbs444 » November 2nd, 2008, 10:06 pm

Here is the Virus Total file in html

Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File taskmanager17.exe received on 11.01.2008 16:55:29 (CET)
Current status: finished
Result: 1/36 (2.78%)
Compact Compact
Print results Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.11.1.0 2008.10.31 -
AntiVir 2008.10.31 -
Authentium 2008.11.01 -
Avast 4.8.1248.0 2008.11.01 -
AVG 2008.11.01 -
BitDefender 7.2 2008.11.01 Dropped:Generic.Malware.SV.D4ADBF63
CAT-QuickHeal 9.50 2008.11.01 -
ClamAV 0.94.1 2008.11.01 -
DrWeb 2008.11.01 -
eSafe 2008.10.30 -
eTrust-Vet 31.6.6185 2008.11.01 -
Ewido 4.0 2008.11.01 -
F-Prot 2008.11.01 -
F-Secure 8.0.14332.0 2008.11.01 -
Fortinet 2008.10.31 -
GData 19 2008.11.01 -
Ikarus T3. 2008.11.01 -
K7AntiVirus 7.10.514 2008.11.01 -
Kaspersky 2008.11.01 -
McAfee 5420 2008.11.01 -
Microsoft 1.4005 2008.11.01 -
NOD32 3575 2008.10.31 -
Norman 5.80.02 2008.10.31 -
Panda 2008.11.01 -
PCTools 2008.11.01 -
Prevx1 V2 2008.11.01 -
Rising 2008.11.01 -
SecureWeb-Gateway 6.7.6 2008.11.01 -
Sophos 4.35.0 2008.11.01 -
Sunbelt 3.1.1767.2 2008.10.31 -
Symantec 10 2008.11.01 -
TheHacker 2008.10.31 -
TrendMicro 8.700.0.1004 2008.10.31 -
VBA32 2008.11.01 -
ViRobot 2008.10.31.1446 2008.10.31 -
VirusBuster 2008.10.31 -
Additional information
File size: 1693024 bytes
MD5...: b72e9c925ffe934593ced3c188c0fe20
SHA1..: 59e6397da7331e38895f75f8e29dbdfdc37f5a82
SHA256: f65d886d8985a8c8a272083dcb737582833f28b26788a327c0565ece6ed81c78
SHA512: 8a181957cc5a0a9f95af3c7ab495fd5103c23ae8179a05da4a94ded06cdc8023
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (46.6%)
Winzip Win32 self-extracting archive (generic) (28.4%)
Win32 Executable Generic (10.5%)
Win32 Dynamic Link Library (generic) (9.3%)
Generic Win/DOS Executable (2.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x407eb8
timedatestamp.....: 0x46ae1d28 (Mon Jul 30 17:17:28 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xe6d8 0xf000 6.43 736104b6a1debe1fa88eaeb84aafb5c9
.rdata 0x10000 0x29f2 0x3000 5.18 00413410ee5eb35d444259fb09d642e0
.data 0x13000 0x62e4 0x2000 1.58 f4b85e22d7dea85c2392af15c91b4257
.rsrc 0x1a000 0x9b58 0xa000 5.55 39a46f7a28effc41a7d14dbc2c7e5127
_winzip_ 0x24000 0x17d000 0x17d000 8.00 e91b2d975b413e7f082aecb752601144

( 5 imports )
> SHELL32.dll: SHGetPathFromIDListA, SHGetSpecialFolderLocation, ShellExecuteExA, SHGetMalloc
> USER32.dll: BeginPaint, GetSysColor, GetClientRect, SetRect, EndPaint, LoadCursorA, GetLastActivePopup, ShowWindow, PostMessageA, SendMessageA, EnableWindow, GetTopWindow, SetWindowLongA, GetWindowLongA, SetWindowTextA, SetForegroundWindow, SetActiveWindow, SetDlgItemTextA, CharUpperBuffA, LoadIconA, SetWindowWord, SendDlgItemMessageA, GetDlgItem, InvalidateRect, UpdateWindow, LoadStringA, MessageBoxA, SetTimer, GetMessageA, KillTimer, PostQuitMessage, DialogBoxParamA, GetDlgItemTextA, EndDialog, GetWindowRect, GetSystemMetrics, SetWindowPos, PeekMessageA, TranslateMessage, DispatchMessageA, SetCursor, CharNextA, GetWindowWord, DefWindowProcA, RegisterClassA, GetParent
> KERNEL32.dll: InitializeCriticalSection, LoadLibraryA, GetLocaleInfoA, Sleep, EnterCriticalSection, LeaveCriticalSection, GetStringTypeW, GetStringTypeA, LCMapStringW, MultiByteToWideChar, LCMapStringA, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, VirtualFree, HeapCreate, HeapDestroy, DeleteCriticalSection, GetFileType, SetHandleCount, GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStdHandle, GetCurrentThreadId, GetVersionExA, FindClose, FindFirstFileA, SetCurrentDirectoryA, CreateDirectoryA, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, VirtualAlloc, GetDriveTypeA, GetEnvironmentVariableA, DeleteFileA, SetFileAttributesA, RemoveDirectoryA, SetEndOfFile, SetFilePointer, CloseHandle, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, GetFileSize, CreateFileA, GetWindowsDirectoryA, MoveFileExA, _lclose, OpenFile, GlobalFree, GlobalUnlock, GlobalHandle, _llseek, _lread, _lopen, GlobalLock, GlobalAlloc, GlobalMemoryStatus, GetVersion, GetModuleFileNameA, WriteFile, GetSystemTime, CreateProcessA, lstrlenA, LocalFree, ExitProcess, GetModuleHandleA, _lcreat, GetVolumeInformationA, GetTickCount, FormatMessageA, GetLastError, WinExec, _lwrite, WaitForSingleObject, SetErrorMode, HeapReAlloc, GetConsoleCP, GetConsoleMode, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, FlushFileBuffers, LocalAlloc, FindNextFileA, RtlUnwind, GetCommandLineA, HeapFree, HeapAlloc, GetProcessHeap, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError
> GDI32.dll: SetTextColor, SetTextAlign, GetBkColor, GetTextExtentPoint32A, ExtTextOutA, CreateDCA, GetDeviceCaps, CreateFontIndirectA, DeleteDC, SelectObject, DeleteObject, SetBkColor
> COMCTL32.dll: -

( 0 exports )
packers (Kaspersky): PE_Patch
packers (F-Prot): ZIP, Unicode, Aspack

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy

And here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:04 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

End of file - 6512 bytes

Please tell me if the other files flagged as possible viruses are safe.

Thanks again for the support.

Active Member
Posts: 9
Joined: October 1st, 2008, 8:40 pm

Re: All URLs are hijacked. Please help

Unread postby tan_pang » November 3rd, 2008, 10:40 pm

the other files can be simply ignore because some is "false positive" by the anti-virus scan, and some have been quarantined.

Please run HijackThis and click "Do a system scan only". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

Now please close ALL open windows except HijackThis and press "Fix checked".

Then please exit HijackThis.


Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.


Now, your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    • Right-click on the My Computer on Desktop, and choose Properties
    • Click on the System Restore tab, and check the box Turn off System Restore on all drives
    • Click Apply
    • Turn it back 'On' afterward by unticking the same checkbox & click OK
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
  5. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    Alternatively, you can enable the automatic update by follow the instruction in here → http://www.microsoft.com/protect/comput ... es/mu.mspx
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.castlecops.com/postlite7736-.html

After doing all these, your system will be optimised against future threats.

Have a safe & happy computing day. Image

Kindly respond to this thread once more so we can mark this thread as resolved.
Regular Member
Posts: 959
Joined: August 12th, 2007, 8:04 am

Re: All URLs are hijacked. Please help

Unread postby NonSuch » November 6th, 2008, 1:07 am

As this topic appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Posts: 27824
Joined: February 23rd, 2005, 7:08 am
Location: California
Register to Remove


  • Similar Topics
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!

Who is online

Users browsing this forum: No registered users and 84 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware