Q: Search engine hijacking (Answered 5 out of 5 stars, 0 Comments)
Subject: Search engine hijacking
Category: Computers > Security
Asked by: hatchdaddy-ga
List Price: $10.00
Posted: 15 Nov 2005 21:11 PST
Expires: 15 Dec 2005 21:11 PST
Question ID: 593588
I have a hijack on my computer and have run everything under the sun
to get rid of it. It has now taken over Google, Yahoo, and Ask Jeeves.
I am running McAfee, PestPatrol, and Spyware Doctor and have run
Adware and cannot get rid of it. Google now shows "Unable to diplay

Can I get rid of this without reloading my computer as has been
suggested by my IT guys at work?

I don't know how to price my question because when I click on the
link, the hijack shows up. m*rwill*earch.*om is my current
Subject: Re: Search engine hijacking
Answered By: livioflores-ga on 16 Nov 2005 21:50 PST
Rated: 5 out of 5 stars

This will be the first stage of the answer, I will give you some
instructions and some things to download and do, then you will post as
a request for a clarification the results of these instructions and I
will tell you what else you must do to fix your computer, if we are
lucky after you follow these last set of instructions your computer
could be clean.

First thing to do:
Scan your computer online with the following tools from Trend Micro:
(do all the tasks: virus scan, spyware scan and download CWShredder to
remove CoolWebSearch, this is a common pestware that is usually
present on infected computers). Let these tools remove all that they

Second thing to do:
Download and run the following HijackThis autoinstall program. HJT
needs to be in its own folder so that the program itself isn't deleted
by accident. Having the backups could be VITAL to restoring your
system if something went wrong in the FIX process!

Hijackthis is an expert's tool used to remove hijackers and spyware,
but since it works on demand, not automatically, you only need to post
a log here as a clarification and then I will analyze it and tell you
what are the next steps.
To see how to get and post a log here see the following tutorial at; remember to only post the log without fixing
anything, I will tell you which items must be selected to fix:

Note that on Windows NT, 2000, & XP, it requires that you have
administrator privileges.

Please post the scan log from HijackThis' scan and I will tell you
what things must be fixed with HJT. Many other procedures and products
could be suggested to complete the cleaning.

Remember that this answer is not considered ended until you get rid
of the search engine hijacking. Use the clarification feature as
many times as needed, I will be glad to give you further assistance in
the cases you need it.


Request for Answer Clarification by hatchdaddy-ga on 17 Nov 2005 22:13 PST
Here is what I came up with as far as a log goes.

Logfile of HijackThis v1.99.1
Scan saved at 12:10:19 AM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
c:\program files\\agent\mcdetect.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\\VSO\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\\VSO\oasclnt.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-\QOELoader.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -
C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
- C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Bho - {5D867A01-9CEC-4f2f-8454-AAAB35550396} -
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A}
- C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: PCTools Browser Monitor -
{B56A7D7D-6927-48C8-A975-17DF180C71AC} -
O2 - BHO: EpsonToolBandKicker Class -
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON
Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan -
{BA52B914-B692-46c4-B683-905236F6F655} -
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: EPSON Web-To-Page -
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON
Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
- C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH
O4 - HKLM\..\Run: [VSOCheckTask]
"C:\PROGRA~1\\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common
Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD
Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON
Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ
Armor\eTrust Anti-Spam\QSP-\QOELoader.exe"
O4 - HKCU\..\Run: [Radio365Agent]
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\swdoctor.exe" /Q
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
O8 - Extra context menu item: E&xport to Microsoft Excel -
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
O9 - Extra button: Spyware Doctor -
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
O9 - Extra button: Yahoo! Services -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: -
{F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program
O9 - Extra 'Tools' menuitem: -
{F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (
ActionRunner Class) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup
Class) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX
Class) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
- C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (
Operating System Class) -,0,0,84/
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual
Technician Control Class) -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE
Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr
Class) -,0,0,21/
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint
Auto-Pricer Control) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader
Object) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -,1,0,4624/
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc -
c:\program files\\agent\mcdetect.exe
O23 - Service: McShield (McShield) - McAfee Inc. -
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -
McAfee, Inc - C:\PROGRA~1\\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
Corporation - C:\PROGRA~1\\PERSON~1\MpfService.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec
Corporation - C:\Program Files\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) -
Symantec Corporation - C:\Program Files\Norton Personal
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools -
C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) -
Symantec Corporation - C:\Program Files\Norton Personal

Clarification of Answer by livioflores-ga on 18 Nov 2005 05:35 PST

Please do the following:
Copy these instructions to Notepad and print them.

Go to My Computer -> Tools -> Folder Options -> View ->  Under the
"Hidden files and folders" heading, select "Show hidden files and
folders" -> Scroll down and uncheck the Hide protected operating
system files (recommended) option.
Click Yes to confirm and then click OK.
Download CleanUp! and install it. Don't run it yet:

CleanUp! will delete your temp/temporary folders, it does not make
backups, so please make a backup of the documents or programs that you
need and are saved in any Temporary Folders before running CleanUp!
(if you are not sure about this probably you don't need to do a
For more info about this program: 

Run CleanUp! and click on the Options button. Uncheck 'Scan local
drives for temporary files'. Also uncheck those two Newsgroup entries
if you don't want to delete them. Click OK and then click on the
CleanUp! button. Let it run. After it's done, choose Yes to Logoff

Reboot your computer in safe mode, if you don't know how, go to:

Make sure to close any open browsers.

Run CleanUp! and click on the Options button. Uncheck 'Scan local
drives for temporary files'. Also uncheck those two Newsgroup entries
if you don't want to delete them. Click OK and then click on the
CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now run HijackThis and press the "Do a System Scan only" button. From
the list select the following items:
O2 - BHO: Bho - {5D867A01-9CEC-4f2f-8454-AAAB35550396} -
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now click the 'Fix Checked' button.

After that find and delete the following file:

Reboot your computer in Normal mode and check its behaviour. Post a
fresh HJT log and tell me how your computer is working.

Hope this helps.
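
Three of the four items selected above carry HijackThis's own "(no file)" or "(file missing)" marker. As an added example (not part of the original answer, and not the researcher's own method), this Python code re-joins the hard-wrapped log lines as they were posted in this thread and lists the entries carrying those markers; the function names are assumptions, and the sample reuses lines from the posted log with one extra constructed wrap.

```python
import re

# Section code that starts every HijackThis entry, e.g. "O2 - " or "R1 - ".
ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - ")
# Markers HijackThis itself prints when the referenced file is absent.
ORPHAN_MARK = re.compile(r"\((no file|file missing)\)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def join_entries(log_text):
    """Re-join entries that a mail or forum client hard-wrapped.

    Header and process lines before the first entry are skipped; any line
    after that which lacks a section code is treated as a continuation.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries

def orphaned(entries):
    """Return (section, clsid_or_None, full_entry) for orphaned entries."""
    found = []
    for entry in entries:
        if ORPHAN_MARK.search(entry):
            section = ENTRY_START.match(entry).group(1)
            clsid = CLSID.search(entry)
            found.append((section, clsid.group(0) if clsid else None, entry))
    return found

# Lines from the log posted above; the wrap inside "(no file)" on the O3
# entry is constructed to exercise the re-joining step.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no
file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for section, clsid, entry in orphaned(join_entries(SAMPLE)):
        print(section, clsid or "-", entry, sep=" | ")
```

An orphaned entry only means the registry still points at a file that is no longer on disk; entries whose file is present, such as the BHO also selected above, still need to be judged one by one.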


Request for Answer Clarification by hatchdaddy-ga on 18 Nov 2005 22:45 PST
In attempting to run Cleanup! I got an Error message that started with
"Incorrect size........" saying that the file is one size and needs to
be another. It is loaded on my desktop but I get the same message over
and over when trying to run it.

Sorry to make you work so hard for the little that I offered but I had
no idea it would be this difficult.

I apologize.

Request for Answer Clarification by hatchdaddy-ga on 18 Nov 2005 23:50 PST
I started deleting things that were mentioned in your e-mails and
things that I felt were inappropriate and it seems to have worked. At
least Google is back to normal for the time being.

Without running the program that wouldn't load I did a search for
\repcvbss.dll and renamed it, searched it out, and deleted it, things
were good again. The key is renaming it. That file (it appears) can be
renamed to anything. I made it a .dwg file.

Your help has been greatly appreciated. Your responses have been
timely and informational. Again, I appreciate the help.

Clarification of Answer by livioflores-ga on 19 Nov 2005 02:37 PST

Glad to know that your computer is working well right now. The
CleanUp! file is probably corrupted, it is a good idea to run it
periodically. If for any reason you cannot run it in your computer,
like a strange kind of incompatibility, try the following program to
keep your temp folders clean:

Download it from here:

For guides on how to use it see:
"CCleaner: Get the Crap Out of Your PC - WinPlanet Windows Software Reviews":

"CCleaner - Quick Tour":

"Clean & Protected - CCleaner Scan tutorial":

Good luck and thank you for the good rating and the tip!!

hatchdaddy-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $1.00
Bang up job. Much more information than what I thought I would get for
the money. Maintained contact for two days and I really appreciate the


There are no comments at this time.
