March 2nd, 2011 18:00

Search Engine Redirects (Mozilla & IE)

reopening a request from earlier... apologize, was not able to respond in the 3 day.

I have a DELL Latitude D520 which is having a problem with redirects when I click results from search engines.

I typically use Google and Yahoo! search, both exhibit this problem.

I have run SpyBot, but no luck.  I also have McAfee AV with updated signatures.  Have run several times, also no luck.

Here is a fresh HIJACKThis log...

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:00:20 PM, on 3/2/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal


Running processes:











C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe


C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe


C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe


C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE


C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe






C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe


C:\Program Files\Common Files\Java\Java Update\jusched.exe


C:\Documents and Settings\AIRPORTinsight\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe


C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\AIRPORTinsight\My Documents\downloads\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL =

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: Virtual Account Numbers Helper - {17424104-1444-4810-85D7-B4DA413C5A9A} - C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110221233548.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll

O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Citi Virtual Account Numbers] C:\PROGRA~1\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LxrAutorun] C:\Documents and Settings\AIRPORTinsight\Local Settings\Application Data\Lexar Media\LxrAutorun.exe


O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) -

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =,

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =,

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =,

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: McAfee Application Installer Cleanup (0234201298383201) (0234201298383201mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\023420~1.EXE (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe



End of file - 12875 bytes

March 2nd, 2011 19:00

Hello again. I am reposting my first reply so we can continue in this topic.

Please make sure that your logs are posted using Notepad - not Wordpad. Wordwrap should be unchecked in Notepad's Format Menu.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.  The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.    

* Have you at any time used Dell's Screen Share program to browse the Dell site?

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. *Please note also that not all of our tools work on 64-bit systems, so we may be limited in our procedures.

* The presence of windows error codes may indicate hardware problems and could limit the success of infection removal.

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

If there is a problem after making changes to the system, to restore your registry, go to the folder and start ERUNT.exe

Let me know after you have installed ERUNT.

No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

5 Posts

March 2nd, 2011 20:00

* I don't have any cracking software on the machine -- never have to my knowledge
* I don't have any P2P software on the machine -- never have to my knowledge
* I have never used DELL Screen Share.

I have installed ERUNT and set up the folder and desktop icons ERUNT and NTREGOPT


March 2nd, 2011 21:00

We need to see some additional information about what is happening in your machine.

Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.


  • Copy/paste both logs to your reply on the forum. Do not attach them.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

5 Posts

March 3rd, 2011 18:00

here is the log named DDS.txt


DDS (Ver_10-12-12.02) - NTFSx86  

Run by laptop at 20:40:32.45 on Thu 03/03/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.502.127 [GMT -6:00]


AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled* 


============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs








C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe


C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe


C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE


C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter




C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe


C:\Program Files\Common Files\Java\Java Update\jusched.exe


C:\Documents and Settings\AIRPORTinsight\Local Settings\Application Data\Lexar Media\LxrAutorun.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe


C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe



C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe


C:\Documents and Settings\AIRPORTinsight\Desktop\dds.pif


============== Pseudo HJT Report ===============


uStart Page = hxxp://

uSearch Bar = 

uDefault_Search_URL = hxxp://

uSearchAssistant = hxxp://

uSearchURL,(Default) = hxxp://

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85d7-b4da413c5a9a} - c:\program files\virtual account numbers\CitiVANHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110221233548.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Virtual Account Numbers: {7a21a046-b886-4a62-9d69-ef2059b0a27b} - c:\program files\virtual account numbers\CitiVANToolbar.dll

TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [LxrAutorun] c:\documents and settings\airportinsight\local settings\application data\lexar media\LxrAutorun.exe

uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p3 /q c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\t8zn7h4h\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\hcbesnn9\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\h2fnzv07\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\h2fnzv07\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\h2fnzv07\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\h2fnzv07\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\hcbesnn9\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\h2fnzv07\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\h2fnzv07\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\pi3ejxg0\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\hcbesnn9\! c:\docume~1\airpor~1\locals~1\tempor~1\content.ie5\t8zn7h4h\_TAGTY~1.SH!

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Citi Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards

mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [mcui_exe] "c:\program files\\agent\mcagent.exe" /runkey

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone:

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://

DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://


DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll


================= FIREFOX ===================


FF - ProfilePath - c:\docume~1\airpor~1\applic~1\mozilla\firefox\profiles\ubzx8431.default\

FF - prefs.js: - hxxp://

FF - prefs.js: - Google

FF - prefs.js: browser.startup.homepage - hxxp://

FF - prefs.js: keyword.URL - hxxp://

FF - component: c:\documents and settings\airportinsight\application data\mozilla\firefox\profiles\ubzx8431.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll

FF - component: c:\program files\virtual account numbers\components\SlimOrbAddonCitiVAN.dll

FF - plugin: c:\documents and settings\airportinsight\local settings\application data\google\update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Virtual Account Numbers: citius@orbiscom - c:\program files\Virtual Account Numbers

FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}



FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============


R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-18 386840]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-21 84072]

R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2009-8-22 72672]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-21 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-21 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-2-21 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-21 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-21 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-21 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-21 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-18 152960]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-18 52104]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-21 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-21 88544]

S2 0234201298383201mcinstcleanup;McAfee Application Installer Cleanup (0234201298383201);c:\windows\temp\023420~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\023420~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-5 136176]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-4-18 203280]

S3 apusbsnt;Sierra Wireless USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2007-12-18 40832]

S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-21 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-21 84264]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-18 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-18 40552]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]


=============== Created Last 30 ================


2011-02-22 05:35:49 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

2011-02-22 05:35:48 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-02-22 05:35:32 141792 ----a-w- c:\windows\system32\mfevtps.exe

2011-02-22 05:35:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2011-02-22 05:35:27 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2011-02-22 05:35:27 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-02-22 05:35:27 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-02-22 05:35:26 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-02-22 05:35:26 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys


==================== Find3M  ====================


2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-13 02:48:19 129536 --sha-r- c:\windows\system32\taskman3.dll

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe


============= FINISH: 20:44:18.15 ===============

here is the log named ATTACH.txt
DDS (Ver_10-12-12.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/13/2007 2:34:42 PM
System Uptime: 2/28/2011 4:01:41 PM (76 hours ago)
Motherboard: Dell Inc. |  | 0PF493
Processor: Intel Pentium II processor | Microprocessor | 1595/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 74 GiB total, 55.235 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
==== System Restore Points ===================
RP1: 12/12/2010 9:31:27 PM - System Checkpoint
RP2: 12/19/2010 11:19:42 PM - System Checkpoint
RP3: 12/20/2010 8:05:47 PM - Software Distribution Service 3.0
RP4: 12/21/2010 9:46:32 PM - System Checkpoint
RP5: 12/22/2010 10:09:35 PM - System Checkpoint
RP6: 12/24/2010 12:36:32 AM - System Checkpoint
RP7: 12/25/2010 3:15:06 AM - System Checkpoint
RP8: 12/25/2010 1:23:44 PM - Software Distribution Service 3.0
RP9: 12/26/2010 2:57:48 PM - System Checkpoint
RP10: 12/27/2010 6:02:00 PM - System Checkpoint
RP11: 12/28/2010 9:25:45 PM - System Checkpoint
RP12: 12/30/2010 5:26:04 PM - System Checkpoint
RP13: 12/31/2010 6:38:41 PM - System Checkpoint
RP14: 1/2/2011 1:41:34 AM - System Checkpoint
RP15: 1/3/2011 4:04:17 AM - System Checkpoint
RP16: 1/4/2011 7:10:59 PM - System Checkpoint
RP17: 1/5/2011 8:09:38 PM - System Checkpoint
RP18: 1/7/2011 1:21:35 AM - System Checkpoint
RP19: 1/8/2011 3:15:40 AM - System Checkpoint
RP20: 1/9/2011 6:18:24 AM - System Checkpoint
RP21: 1/10/2011 8:32:21 AM - System Checkpoint
RP22: 1/11/2011 11:49:40 AM - System Checkpoint
RP23: 1/12/2011 3:43:02 PM - System Checkpoint
RP24: 1/13/2011 10:03:01 PM - System Checkpoint
RP25: 1/13/2011 10:33:01 PM - Software Distribution Service 3.0
RP26: 1/14/2011 11:21:52 PM - System Checkpoint
RP27: 1/15/2011 11:36:56 PM - System Checkpoint
RP28: 1/18/2011 8:27:36 AM - System Checkpoint
RP29: 1/20/2011 3:57:28 PM - System Checkpoint
RP30: 1/22/2011 6:59:04 PM - System Checkpoint
RP31: 1/24/2011 8:40:59 PM - System Checkpoint
RP32: 1/25/2011 11:05:40 PM - Installed SpyHunter
RP33: 1/26/2011 7:30:30 PM - Removed SpyHunter
RP34: 1/27/2011 10:13:10 PM - System Checkpoint
RP35: 1/29/2011 12:02:27 AM - System Checkpoint
RP36: 1/30/2011 11:58:05 AM - System Checkpoint
RP37: 2/1/2011 12:55:15 AM - System Checkpoint
RP38: 2/2/2011 9:09:53 AM - System Checkpoint
RP39: 2/4/2011 9:27:54 AM - System Checkpoint
RP40: 2/5/2011 1:44:56 PM - System Checkpoint
RP41: 2/6/2011 3:16:07 PM - System Checkpoint
RP42: 2/8/2011 9:02:34 PM - System Checkpoint
RP43: 2/8/2011 9:06:23 PM - Software Distribution Service 3.0
RP44: 2/9/2011 9:38:52 PM - System Checkpoint
RP45: 2/11/2011 1:07:49 AM - System Checkpoint
RP46: 2/12/2011 4:35:01 AM - System Checkpoint
RP47: 2/13/2011 8:34:50 AM - System Checkpoint
RP48: 2/14/2011 8:44:30 AM - System Checkpoint
RP49: 2/15/2011 8:47:49 PM - System Checkpoint
RP50: 2/17/2011 12:01:49 AM - System Checkpoint
RP51: 2/18/2011 1:31:37 AM - System Checkpoint
RP52: 2/19/2011 10:54:27 AM - System Checkpoint
RP53: 2/19/2011 3:39:23 PM - Installed Windows Defender
RP54: 2/20/2011 4:52:03 PM - System Checkpoint
RP55: 2/22/2011 12:03:40 AM - System Checkpoint
RP56: 2/23/2011 3:55:33 AM - System Checkpoint
RP57: 2/24/2011 9:19:39 AM - System Checkpoint
RP58: 2/25/2011 12:00:12 PM - System Checkpoint
RP59: 2/25/2011 10:40:42 PM - Software Distribution Service 3.0
RP60: 2/27/2011 12:06:48 PM - System Checkpoint
RP61: 3/1/2011 8:26:44 PM - System Checkpoint
RP62: 3/2/2011 11:14:59 PM - System Checkpoint
March 3rd, 2011 19:00

Let's run a scan with MBAM. * If you are unable to download or install MBAM on your computer, see if you can use a friend's or family member's computer to download MBAM. Use the update link mentioned below to manually update. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "lookinhere.exe". Copy the installer file and the update file to a CD or flash drive. Transfer the files to the infected computer. Install the "lookinhere.exe" file, then run the update so that you will have the current definitions. After that, run a full system scan and select to have the program REMOVE whatever it finds.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates,
manually download them from here
and just double-click on mbam-rules.exe to install.
Alternatively, you can update through MBAM's interface from a clean computer,
copy the definitions (rules.ref) located in
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'
Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top.
It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully.
Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report into your next reply and exit MBAM.

Note:-- If MBAM encounters a file that is difficult to remove,
you may be asked to reboot your computer so it can proceed with the disinfection process.
Regardless if prompted to restart the computer or not, please do so immediately.
Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine.
If you're using other security programs that detect registry changes (like Spybot's Teatimer),
they may interfere with the fix or alert you after scanning with MBAM.
Please disable such programs until disinfection is complete or permit them to allow the changes.


**If you need to re-install MBAM but encounter issue in re-installing, try using the MBAM Cleanup Utility by downloading it from HERE

5 Posts

March 3rd, 2011 21:00

Thank you for the help and advice.

Looks like the Malwarebytes Anti-malware did the trick.

It found several malware files which other tools apparently were missing.


March 4th, 2011 03:00

Please post the requested log. Thanks.

