Not open for further replies.
1 - 4 of 4 Posts

2 Posts
Discussion Starter · #1 ·
Hello all,

I am a new member and I have reviewed and followed the steps to post the following information about my problem. My father-in-law's computer has some kind of browser hijack on it, and after running Spybot, Ad-Aware, and McAfee virus scan (all with current updates) I cannot find and remove the problem. I am at my wits' end and in need of help, as I do not know where to go at this point. Here is the log, and thank you for any information.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Guy Anderson at 17:03:37.03 on Fri 12/04/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2511 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Guy Anderson\Local Settings\Temporary Internet Files\Content.IE5\TADGU0WQ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://
uSearch Page = hxxp://
uSearch Bar = hxxp://
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://
uSearchURL,(Default) = hxxp://
mSearchAssistant = hxxp://
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Dell AIO Printer A960] "c:\program files\dell aio printer a960\dlbfbmgr.exe"
mRun: [mcagent_exe] "c:\program files\\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-4 64288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-9-28 68136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-27 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-27 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-27 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-27 34248]

=============== Created Last 30 ================

2009-12-04 21:51:59 0 d-----w- c:\program files\Trend Micro
2009-12-04 21:38:05 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-12-04 21:38:05 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-12-04 21:38:04 0 d-----w- c:\program files\SpywareBlaster
2009-12-04 21:03:47 0 d-----w- c:\program files\CCleaner
2009-12-04 20:21:16 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-04 19:57:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-04 19:54:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-04 19:54:23 0 d-----w- c:\program files\Lavasoft
2009-11-23 22:23:29 0 d-----w- c:\program files\Citrix
2009-11-23 20:38:44 0 d-----w- c:\docume~1\alluse~1\applic~1\63843b4

==================== Find3M ====================

2009-12-04 21:00:43 16608 ----a-w- c:\windows\gdrv.sys
2009-12-04 00:14:35 20 ---h--w- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-12-02 15:55:15 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-13 23:59:22 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-09-28 11:53:36 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll

============= FINISH: 17:04:28.62 ===============


8,956 Posts

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

2 Posts
Discussion Starter · #3 ·
Thanks for the help, and as I mentioned this is my father-in-law's computer, so I don't have access to it all day every day. I will try and get over there today and do these steps and post the log from ComboFix. I do appreciate the help, as I know basic ways to remove spyware and adware using programs such as Spybot, Ad-Aware, antivirus, etc., but this one is above my level of expertise. Thank you again and I will get to this ASAP!